[PATCH] selinux: kfree cleanup
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71
72 #include "avc.h"
73 #include "objsec.h"
74 #include "netif.h"
75
76 #define XATTR_SELINUX_SUFFIX "selinux"
77 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
78
79 extern unsigned int policydb_loaded_version;
80 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
81
82 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
83 int selinux_enforcing = 0;
84
85 static int __init enforcing_setup(char *str)
86 {
87         selinux_enforcing = simple_strtol(str,NULL,0);
88         return 1;
89 }
90 __setup("enforcing=", enforcing_setup);
91 #endif
92
93 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
94 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
95
96 static int __init selinux_enabled_setup(char *str)
97 {
98         selinux_enabled = simple_strtol(str, NULL, 0);
99         return 1;
100 }
101 __setup("selinux=", selinux_enabled_setup);
102 #endif
103
104 /* Original (dummy) security module. */
105 static struct security_operations *original_ops = NULL;
106
107 /* Minimal support for a secondary security module,
108    just to allow the use of the dummy or capability modules.
109    The owlsm module can alternatively be used as a secondary
110    module as long as CONFIG_OWLSM_FD is not enabled. */
111 static struct security_operations *secondary_ops = NULL;
112
113 /* Lists of inode and superblock security structures initialized
114    before the policy was loaded. */
115 static LIST_HEAD(superblock_security_head);
116 static DEFINE_SPINLOCK(sb_security_lock);
117
118 /* Allocate and free functions for each kind of security blob. */
119
120 static int task_alloc_security(struct task_struct *task)
121 {
122         struct task_security_struct *tsec;
123
124         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
125         if (!tsec)
126                 return -ENOMEM;
127
128         memset(tsec, 0, sizeof(struct task_security_struct));
129         tsec->magic = SELINUX_MAGIC;
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140
141         if (!tsec || tsec->magic != SELINUX_MAGIC)
142                 return;
143
144         task->security = NULL;
145         kfree(tsec);
146 }
147
148 static int inode_alloc_security(struct inode *inode)
149 {
150         struct task_security_struct *tsec = current->security;
151         struct inode_security_struct *isec;
152
153         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154         if (!isec)
155                 return -ENOMEM;
156
157         memset(isec, 0, sizeof(struct inode_security_struct));
158         init_MUTEX(&isec->sem);
159         INIT_LIST_HEAD(&isec->list);
160         isec->magic = SELINUX_MAGIC;
161         isec->inode = inode;
162         isec->sid = SECINITSID_UNLABELED;
163         isec->sclass = SECCLASS_FILE;
164         if (tsec && tsec->magic == SELINUX_MAGIC)
165                 isec->task_sid = tsec->sid;
166         else
167                 isec->task_sid = SECINITSID_UNLABELED;
168         inode->i_security = isec;
169
170         return 0;
171 }
172
173 static void inode_free_security(struct inode *inode)
174 {
175         struct inode_security_struct *isec = inode->i_security;
176         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
177
178         if (!isec || isec->magic != SELINUX_MAGIC)
179                 return;
180
181         spin_lock(&sbsec->isec_lock);
182         if (!list_empty(&isec->list))
183                 list_del_init(&isec->list);
184         spin_unlock(&sbsec->isec_lock);
185
186         inode->i_security = NULL;
187         kfree(isec);
188 }
189
190 static int file_alloc_security(struct file *file)
191 {
192         struct task_security_struct *tsec = current->security;
193         struct file_security_struct *fsec;
194
195         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
196         if (!fsec)
197                 return -ENOMEM;
198
199         memset(fsec, 0, sizeof(struct file_security_struct));
200         fsec->magic = SELINUX_MAGIC;
201         fsec->file = file;
202         if (tsec && tsec->magic == SELINUX_MAGIC) {
203                 fsec->sid = tsec->sid;
204                 fsec->fown_sid = tsec->sid;
205         } else {
206                 fsec->sid = SECINITSID_UNLABELED;
207                 fsec->fown_sid = SECINITSID_UNLABELED;
208         }
209         file->f_security = fsec;
210
211         return 0;
212 }
213
214 static void file_free_security(struct file *file)
215 {
216         struct file_security_struct *fsec = file->f_security;
217
218         if (!fsec || fsec->magic != SELINUX_MAGIC)
219                 return;
220
221         file->f_security = NULL;
222         kfree(fsec);
223 }
224
225 static int superblock_alloc_security(struct super_block *sb)
226 {
227         struct superblock_security_struct *sbsec;
228
229         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
230         if (!sbsec)
231                 return -ENOMEM;
232
233         memset(sbsec, 0, sizeof(struct superblock_security_struct));
234         init_MUTEX(&sbsec->sem);
235         INIT_LIST_HEAD(&sbsec->list);
236         INIT_LIST_HEAD(&sbsec->isec_head);
237         spin_lock_init(&sbsec->isec_lock);
238         sbsec->magic = SELINUX_MAGIC;
239         sbsec->sb = sb;
240         sbsec->sid = SECINITSID_UNLABELED;
241         sbsec->def_sid = SECINITSID_FILE;
242         sb->s_security = sbsec;
243
244         return 0;
245 }
246
247 static void superblock_free_security(struct super_block *sb)
248 {
249         struct superblock_security_struct *sbsec = sb->s_security;
250
251         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
252                 return;
253
254         spin_lock(&sb_security_lock);
255         if (!list_empty(&sbsec->list))
256                 list_del_init(&sbsec->list);
257         spin_unlock(&sb_security_lock);
258
259         sb->s_security = NULL;
260         kfree(sbsec);
261 }
262
263 #ifdef CONFIG_SECURITY_NETWORK
264 static int sk_alloc_security(struct sock *sk, int family, int priority)
265 {
266         struct sk_security_struct *ssec;
267
268         if (family != PF_UNIX)
269                 return 0;
270
271         ssec = kmalloc(sizeof(*ssec), priority);
272         if (!ssec)
273                 return -ENOMEM;
274
275         memset(ssec, 0, sizeof(*ssec));
276         ssec->magic = SELINUX_MAGIC;
277         ssec->sk = sk;
278         ssec->peer_sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         return 0;
282 }
283
284 static void sk_free_security(struct sock *sk)
285 {
286         struct sk_security_struct *ssec = sk->sk_security;
287
288         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
289                 return;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294 #endif  /* CONFIG_SECURITY_NETWORK */
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, "context=%s"},
326         {Opt_fscontext, "fscontext=%s"},
327         {Opt_defcontext, "defcontext=%s"},
328 };
329
330 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
331
332 static int try_context_mount(struct super_block *sb, void *data)
333 {
334         char *context = NULL, *defcontext = NULL;
335         const char *name;
336         u32 sid;
337         int alloc = 0, rc = 0, seen = 0;
338         struct task_security_struct *tsec = current->security;
339         struct superblock_security_struct *sbsec = sb->s_security;
340
341         if (!data)
342                 goto out;
343
344         name = sb->s_type->name;
345
346         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
347
348                 /* NFS we understand. */
349                 if (!strcmp(name, "nfs")) {
350                         struct nfs_mount_data *d = data;
351
352                         if (d->version <  NFS_MOUNT_VERSION)
353                                 goto out;
354
355                         if (d->context[0]) {
356                                 context = d->context;
357                                 seen |= Opt_context;
358                         }
359                 } else
360                         goto out;
361
362         } else {
363                 /* Standard string-based options. */
364                 char *p, *options = data;
365
366                 while ((p = strsep(&options, ",")) != NULL) {
367                         int token;
368                         substring_t args[MAX_OPT_ARGS];
369
370                         if (!*p)
371                                 continue;
372
373                         token = match_token(p, tokens, args);
374
375                         switch (token) {
376                         case Opt_context:
377                                 if (seen) {
378                                         rc = -EINVAL;
379                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
380                                         goto out_free;
381                                 }
382                                 context = match_strdup(&args[0]);
383                                 if (!context) {
384                                         rc = -ENOMEM;
385                                         goto out_free;
386                                 }
387                                 if (!alloc)
388                                         alloc = 1;
389                                 seen |= Opt_context;
390                                 break;
391
392                         case Opt_fscontext:
393                                 if (seen & (Opt_context|Opt_fscontext)) {
394                                         rc = -EINVAL;
395                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396                                         goto out_free;
397                                 }
398                                 context = match_strdup(&args[0]);
399                                 if (!context) {
400                                         rc = -ENOMEM;
401                                         goto out_free;
402                                 }
403                                 if (!alloc)
404                                         alloc = 1;
405                                 seen |= Opt_fscontext;
406                                 break;
407
408                         case Opt_defcontext:
409                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410                                         rc = -EINVAL;
411                                         printk(KERN_WARNING "SELinux:  "
412                                                "defcontext option is invalid "
413                                                "for this filesystem type\n");
414                                         goto out_free;
415                                 }
416                                 if (seen & (Opt_context|Opt_defcontext)) {
417                                         rc = -EINVAL;
418                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419                                         goto out_free;
420                                 }
421                                 defcontext = match_strdup(&args[0]);
422                                 if (!defcontext) {
423                                         rc = -ENOMEM;
424                                         goto out_free;
425                                 }
426                                 if (!alloc)
427                                         alloc = 1;
428                                 seen |= Opt_defcontext;
429                                 break;
430
431                         default:
432                                 rc = -EINVAL;
433                                 printk(KERN_WARNING "SELinux:  unknown mount "
434                                        "option\n");
435                                 goto out_free;
436
437                         }
438                 }
439         }
440
441         if (!seen)
442                 goto out;
443
444         if (context) {
445                 rc = security_context_to_sid(context, strlen(context), &sid);
446                 if (rc) {
447                         printk(KERN_WARNING "SELinux: security_context_to_sid"
448                                "(%s) failed for (dev %s, type %s) errno=%d\n",
449                                context, sb->s_id, name, rc);
450                         goto out_free;
451                 }
452
453                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454                                   FILESYSTEM__RELABELFROM, NULL);
455                 if (rc)
456                         goto out_free;
457
458                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459                                   FILESYSTEM__RELABELTO, NULL);
460                 if (rc)
461                         goto out_free;
462
463                 sbsec->sid = sid;
464
465                 if (seen & Opt_context)
466                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
467         }
468
469         if (defcontext) {
470                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471                 if (rc) {
472                         printk(KERN_WARNING "SELinux: security_context_to_sid"
473                                "(%s) failed for (dev %s, type %s) errno=%d\n",
474                                defcontext, sb->s_id, name, rc);
475                         goto out_free;
476                 }
477
478                 if (sid == sbsec->def_sid)
479                         goto out_free;
480
481                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482                                   FILESYSTEM__RELABELFROM, NULL);
483                 if (rc)
484                         goto out_free;
485
486                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487                                   FILESYSTEM__ASSOCIATE, NULL);
488                 if (rc)
489                         goto out_free;
490
491                 sbsec->def_sid = sid;
492         }
493
494 out_free:
495         if (alloc) {
496                 kfree(context);
497                 kfree(defcontext);
498         }
499 out:
500         return rc;
501 }
502
503 static int superblock_doinit(struct super_block *sb, void *data)
504 {
505         struct superblock_security_struct *sbsec = sb->s_security;
506         struct dentry *root = sb->s_root;
507         struct inode *inode = root->d_inode;
508         int rc = 0;
509
510         down(&sbsec->sem);
511         if (sbsec->initialized)
512                 goto out;
513
514         if (!ss_initialized) {
515                 /* Defer initialization until selinux_complete_init,
516                    after the initial policy is loaded and the security
517                    server is ready to handle calls. */
518                 spin_lock(&sb_security_lock);
519                 if (list_empty(&sbsec->list))
520                         list_add(&sbsec->list, &superblock_security_head);
521                 spin_unlock(&sb_security_lock);
522                 goto out;
523         }
524
525         /* Determine the labeling behavior to use for this filesystem type. */
526         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527         if (rc) {
528                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
529                        __FUNCTION__, sb->s_type->name, rc);
530                 goto out;
531         }
532
533         rc = try_context_mount(sb, data);
534         if (rc)
535                 goto out;
536
537         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538                 /* Make sure that the xattr handler exists and that no
539                    error other than -ENODATA is returned by getxattr on
540                    the root directory.  -ENODATA is ok, as this may be
541                    the first boot of the SELinux kernel before we have
542                    assigned xattr values to the filesystem. */
543                 if (!inode->i_op->getxattr) {
544                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545                                "xattr support\n", sb->s_id, sb->s_type->name);
546                         rc = -EOPNOTSUPP;
547                         goto out;
548                 }
549                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550                 if (rc < 0 && rc != -ENODATA) {
551                         if (rc == -EOPNOTSUPP)
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) has no security xattr handler\n",
554                                        sb->s_id, sb->s_type->name);
555                         else
556                                 printk(KERN_WARNING "SELinux: (dev %s, type "
557                                        "%s) getxattr errno %d\n", sb->s_id,
558                                        sb->s_type->name, -rc);
559                         goto out;
560                 }
561         }
562
563         if (strcmp(sb->s_type->name, "proc") == 0)
564                 sbsec->proc = 1;
565
566         sbsec->initialized = 1;
567
568         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570                        sb->s_id, sb->s_type->name);
571         }
572         else {
573                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574                        sb->s_id, sb->s_type->name,
575                        labeling_behaviors[sbsec->behavior-1]);
576         }
577
578         /* Initialize the root inode. */
579         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580
581         /* Initialize any other inodes associated with the superblock, e.g.
582            inodes created prior to initial policy load or inodes created
583            during get_sb by a pseudo filesystem that directly
584            populates itself. */
585         spin_lock(&sbsec->isec_lock);
586 next_inode:
587         if (!list_empty(&sbsec->isec_head)) {
588                 struct inode_security_struct *isec =
589                                 list_entry(sbsec->isec_head.next,
590                                            struct inode_security_struct, list);
591                 struct inode *inode = isec->inode;
592                 spin_unlock(&sbsec->isec_lock);
593                 inode = igrab(inode);
594                 if (inode) {
595                         if (!IS_PRIVATE (inode))
596                                 inode_doinit(inode);
597                         iput(inode);
598                 }
599                 spin_lock(&sbsec->isec_lock);
600                 list_del_init(&isec->list);
601                 goto next_inode;
602         }
603         spin_unlock(&sbsec->isec_lock);
604 out:
605         up(&sbsec->sem);
606         return rc;
607 }
608
609 static inline u16 inode_mode_to_security_class(umode_t mode)
610 {
611         switch (mode & S_IFMT) {
612         case S_IFSOCK:
613                 return SECCLASS_SOCK_FILE;
614         case S_IFLNK:
615                 return SECCLASS_LNK_FILE;
616         case S_IFREG:
617                 return SECCLASS_FILE;
618         case S_IFBLK:
619                 return SECCLASS_BLK_FILE;
620         case S_IFDIR:
621                 return SECCLASS_DIR;
622         case S_IFCHR:
623                 return SECCLASS_CHR_FILE;
624         case S_IFIFO:
625                 return SECCLASS_FIFO_FILE;
626
627         }
628
629         return SECCLASS_FILE;
630 }
631
632 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
633 {
634         switch (family) {
635         case PF_UNIX:
636                 switch (type) {
637                 case SOCK_STREAM:
638                 case SOCK_SEQPACKET:
639                         return SECCLASS_UNIX_STREAM_SOCKET;
640                 case SOCK_DGRAM:
641                         return SECCLASS_UNIX_DGRAM_SOCKET;
642                 }
643                 break;
644         case PF_INET:
645         case PF_INET6:
646                 switch (type) {
647                 case SOCK_STREAM:
648                         return SECCLASS_TCP_SOCKET;
649                 case SOCK_DGRAM:
650                         return SECCLASS_UDP_SOCKET;
651                 case SOCK_RAW:
652                         return SECCLASS_RAWIP_SOCKET;
653                 }
654                 break;
655         case PF_NETLINK:
656                 switch (protocol) {
657                 case NETLINK_ROUTE:
658                         return SECCLASS_NETLINK_ROUTE_SOCKET;
659                 case NETLINK_FIREWALL:
660                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
661                 case NETLINK_TCPDIAG:
662                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
663                 case NETLINK_NFLOG:
664                         return SECCLASS_NETLINK_NFLOG_SOCKET;
665                 case NETLINK_XFRM:
666                         return SECCLASS_NETLINK_XFRM_SOCKET;
667                 case NETLINK_SELINUX:
668                         return SECCLASS_NETLINK_SELINUX_SOCKET;
669                 case NETLINK_AUDIT:
670                         return SECCLASS_NETLINK_AUDIT_SOCKET;
671                 case NETLINK_IP6_FW:
672                         return SECCLASS_NETLINK_IP6FW_SOCKET;
673                 case NETLINK_DNRTMSG:
674                         return SECCLASS_NETLINK_DNRT_SOCKET;
675                 case NETLINK_KOBJECT_UEVENT:
676                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
677                 default:
678                         return SECCLASS_NETLINK_SOCKET;
679                 }
680         case PF_PACKET:
681                 return SECCLASS_PACKET_SOCKET;
682         case PF_KEY:
683                 return SECCLASS_KEY_SOCKET;
684         }
685
686         return SECCLASS_SOCKET;
687 }
688
689 #ifdef CONFIG_PROC_FS
690 static int selinux_proc_get_sid(struct proc_dir_entry *de,
691                                 u16 tclass,
692                                 u32 *sid)
693 {
694         int buflen, rc;
695         char *buffer, *path, *end;
696
697         buffer = (char*)__get_free_page(GFP_KERNEL);
698         if (!buffer)
699                 return -ENOMEM;
700
701         buflen = PAGE_SIZE;
702         end = buffer+buflen;
703         *--end = '\0';
704         buflen--;
705         path = end-1;
706         *path = '/';
707         while (de && de != de->parent) {
708                 buflen -= de->namelen + 1;
709                 if (buflen < 0)
710                         break;
711                 end -= de->namelen;
712                 memcpy(end, de->name, de->namelen);
713                 *--end = '/';
714                 path = end;
715                 de = de->parent;
716         }
717         rc = security_genfs_sid("proc", path, tclass, sid);
718         free_page((unsigned long)buffer);
719         return rc;
720 }
721 #else
722 static int selinux_proc_get_sid(struct proc_dir_entry *de,
723                                 u16 tclass,
724                                 u32 *sid)
725 {
726         return -EINVAL;
727 }
728 #endif
729
730 /* The inode's security attributes must be initialized before first use. */
731 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
732 {
733         struct superblock_security_struct *sbsec = NULL;
734         struct inode_security_struct *isec = inode->i_security;
735         u32 sid;
736         struct dentry *dentry;
737 #define INITCONTEXTLEN 255
738         char *context = NULL;
739         unsigned len = 0;
740         int rc = 0;
741         int hold_sem = 0;
742
743         if (isec->initialized)
744                 goto out;
745
746         down(&isec->sem);
747         hold_sem = 1;
748         if (isec->initialized)
749                 goto out;
750
751         sbsec = inode->i_sb->s_security;
752         if (!sbsec->initialized) {
753                 /* Defer initialization until selinux_complete_init,
754                    after the initial policy is loaded and the security
755                    server is ready to handle calls. */
756                 spin_lock(&sbsec->isec_lock);
757                 if (list_empty(&isec->list))
758                         list_add(&isec->list, &sbsec->isec_head);
759                 spin_unlock(&sbsec->isec_lock);
760                 goto out;
761         }
762
763         switch (sbsec->behavior) {
764         case SECURITY_FS_USE_XATTR:
765                 if (!inode->i_op->getxattr) {
766                         isec->sid = sbsec->def_sid;
767                         break;
768                 }
769
770                 /* Need a dentry, since the xattr API requires one.
771                    Life would be simpler if we could just pass the inode. */
772                 if (opt_dentry) {
773                         /* Called from d_instantiate or d_splice_alias. */
774                         dentry = dget(opt_dentry);
775                 } else {
776                         /* Called from selinux_complete_init, try to find a dentry. */
777                         dentry = d_find_alias(inode);
778                 }
779                 if (!dentry) {
780                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
781                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
782                                inode->i_ino);
783                         goto out;
784                 }
785
786                 len = INITCONTEXTLEN;
787                 context = kmalloc(len, GFP_KERNEL);
788                 if (!context) {
789                         rc = -ENOMEM;
790                         dput(dentry);
791                         goto out;
792                 }
793                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
794                                            context, len);
795                 if (rc == -ERANGE) {
796                         /* Need a larger buffer.  Query for the right size. */
797                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
798                                                    NULL, 0);
799                         if (rc < 0) {
800                                 dput(dentry);
801                                 goto out;
802                         }
803                         kfree(context);
804                         len = rc;
805                         context = kmalloc(len, GFP_KERNEL);
806                         if (!context) {
807                                 rc = -ENOMEM;
808                                 dput(dentry);
809                                 goto out;
810                         }
811                         rc = inode->i_op->getxattr(dentry,
812                                                    XATTR_NAME_SELINUX,
813                                                    context, len);
814                 }
815                 dput(dentry);
816                 if (rc < 0) {
817                         if (rc != -ENODATA) {
818                                 printk(KERN_WARNING "%s:  getxattr returned "
819                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
820                                        -rc, inode->i_sb->s_id, inode->i_ino);
821                                 kfree(context);
822                                 goto out;
823                         }
824                         /* Map ENODATA to the default file SID */
825                         sid = sbsec->def_sid;
826                         rc = 0;
827                 } else {
828                         rc = security_context_to_sid(context, rc, &sid);
829                         if (rc) {
830                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
831                                        "returned %d for dev=%s ino=%ld\n",
832                                        __FUNCTION__, context, -rc,
833                                        inode->i_sb->s_id, inode->i_ino);
834                                 kfree(context);
835                                 /* Leave with the unlabeled SID */
836                                 rc = 0;
837                                 break;
838                         }
839                 }
840                 kfree(context);
841                 isec->sid = sid;
842                 break;
843         case SECURITY_FS_USE_TASK:
844                 isec->sid = isec->task_sid;
845                 break;
846         case SECURITY_FS_USE_TRANS:
847                 /* Default to the fs SID. */
848                 isec->sid = sbsec->sid;
849
850                 /* Try to obtain a transition SID. */
851                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
852                 rc = security_transition_sid(isec->task_sid,
853                                              sbsec->sid,
854                                              isec->sclass,
855                                              &sid);
856                 if (rc)
857                         goto out;
858                 isec->sid = sid;
859                 break;
860         default:
861                 /* Default to the fs SID. */
862                 isec->sid = sbsec->sid;
863
864                 if (sbsec->proc) {
865                         struct proc_inode *proci = PROC_I(inode);
866                         if (proci->pde) {
867                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
868                                 rc = selinux_proc_get_sid(proci->pde,
869                                                           isec->sclass,
870                                                           &sid);
871                                 if (rc)
872                                         goto out;
873                                 isec->sid = sid;
874                         }
875                 }
876                 break;
877         }
878
879         isec->initialized = 1;
880
881 out:
882         if (isec->sclass == SECCLASS_FILE)
883                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
884
885         if (hold_sem)
886                 up(&isec->sem);
887         return rc;
888 }
889
890 /* Convert a Linux signal to an access vector. */
891 static inline u32 signal_to_av(int sig)
892 {
893         u32 perm = 0;
894
895         switch (sig) {
896         case SIGCHLD:
897                 /* Commonly granted from child to parent. */
898                 perm = PROCESS__SIGCHLD;
899                 break;
900         case SIGKILL:
901                 /* Cannot be caught or ignored */
902                 perm = PROCESS__SIGKILL;
903                 break;
904         case SIGSTOP:
905                 /* Cannot be caught or ignored */
906                 perm = PROCESS__SIGSTOP;
907                 break;
908         default:
909                 /* All other signals. */
910                 perm = PROCESS__SIGNAL;
911                 break;
912         }
913
914         return perm;
915 }
916
917 /* Check permission betweeen a pair of tasks, e.g. signal checks,
918    fork check, ptrace check, etc. */
919 static int task_has_perm(struct task_struct *tsk1,
920                          struct task_struct *tsk2,
921                          u32 perms)
922 {
923         struct task_security_struct *tsec1, *tsec2;
924
925         tsec1 = tsk1->security;
926         tsec2 = tsk2->security;
927         return avc_has_perm(tsec1->sid, tsec2->sid,
928                             SECCLASS_PROCESS, perms, NULL);
929 }
930
931 /* Check whether a task is allowed to use a capability. */
932 static int task_has_capability(struct task_struct *tsk,
933                                int cap)
934 {
935         struct task_security_struct *tsec;
936         struct avc_audit_data ad;
937
938         tsec = tsk->security;
939
940         AVC_AUDIT_DATA_INIT(&ad,CAP);
941         ad.tsk = tsk;
942         ad.u.cap = cap;
943
944         return avc_has_perm(tsec->sid, tsec->sid,
945                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
946 }
947
948 /* Check whether a task is allowed to use a system operation. */
949 static int task_has_system(struct task_struct *tsk,
950                            u32 perms)
951 {
952         struct task_security_struct *tsec;
953
954         tsec = tsk->security;
955
956         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
957                             SECCLASS_SYSTEM, perms, NULL);
958 }
959
960 /* Check whether a task has a particular permission to an inode.
961    The 'adp' parameter is optional and allows other audit
962    data to be passed (e.g. the dentry). */
963 static int inode_has_perm(struct task_struct *tsk,
964                           struct inode *inode,
965                           u32 perms,
966                           struct avc_audit_data *adp)
967 {
968         struct task_security_struct *tsec;
969         struct inode_security_struct *isec;
970         struct avc_audit_data ad;
971
972         tsec = tsk->security;
973         isec = inode->i_security;
974
975         if (!adp) {
976                 adp = &ad;
977                 AVC_AUDIT_DATA_INIT(&ad, FS);
978                 ad.u.fs.inode = inode;
979         }
980
981         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
982 }
983
984 /* Same as inode_has_perm, but pass explicit audit data containing
985    the dentry to help the auditing code to more easily generate the
986    pathname if needed. */
987 static inline int dentry_has_perm(struct task_struct *tsk,
988                                   struct vfsmount *mnt,
989                                   struct dentry *dentry,
990                                   u32 av)
991 {
992         struct inode *inode = dentry->d_inode;
993         struct avc_audit_data ad;
994         AVC_AUDIT_DATA_INIT(&ad,FS);
995         ad.u.fs.mnt = mnt;
996         ad.u.fs.dentry = dentry;
997         return inode_has_perm(tsk, inode, av, &ad);
998 }
999
1000 /* Check whether a task can use an open file descriptor to
1001    access an inode in a given way.  Check access to the
1002    descriptor itself, and then use dentry_has_perm to
1003    check a particular permission to the file.
1004    Access to the descriptor is implicitly granted if it
1005    has the same SID as the process.  If av is zero, then
1006    access to the file is not checked, e.g. for cases
1007    where only the descriptor is affected like seek. */
1008 static inline int file_has_perm(struct task_struct *tsk,
1009                                 struct file *file,
1010                                 u32 av)
1011 {
1012         struct task_security_struct *tsec = tsk->security;
1013         struct file_security_struct *fsec = file->f_security;
1014         struct vfsmount *mnt = file->f_vfsmnt;
1015         struct dentry *dentry = file->f_dentry;
1016         struct inode *inode = dentry->d_inode;
1017         struct avc_audit_data ad;
1018         int rc;
1019
1020         AVC_AUDIT_DATA_INIT(&ad, FS);
1021         ad.u.fs.mnt = mnt;
1022         ad.u.fs.dentry = dentry;
1023
1024         if (tsec->sid != fsec->sid) {
1025                 rc = avc_has_perm(tsec->sid, fsec->sid,
1026                                   SECCLASS_FD,
1027                                   FD__USE,
1028                                   &ad);
1029                 if (rc)
1030                         return rc;
1031         }
1032
1033         /* av is zero if only checking access to the descriptor. */
1034         if (av)
1035                 return inode_has_perm(tsk, inode, av, &ad);
1036
1037         return 0;
1038 }
1039
1040 /* Check whether a task can create a file. */
1041 static int may_create(struct inode *dir,
1042                       struct dentry *dentry,
1043                       u16 tclass)
1044 {
1045         struct task_security_struct *tsec;
1046         struct inode_security_struct *dsec;
1047         struct superblock_security_struct *sbsec;
1048         u32 newsid;
1049         struct avc_audit_data ad;
1050         int rc;
1051
1052         tsec = current->security;
1053         dsec = dir->i_security;
1054         sbsec = dir->i_sb->s_security;
1055
1056         AVC_AUDIT_DATA_INIT(&ad, FS);
1057         ad.u.fs.dentry = dentry;
1058
1059         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1060                           DIR__ADD_NAME | DIR__SEARCH,
1061                           &ad);
1062         if (rc)
1063                 return rc;
1064
1065         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1066                 newsid = tsec->create_sid;
1067         } else {
1068                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1069                                              &newsid);
1070                 if (rc)
1071                         return rc;
1072         }
1073
1074         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1075         if (rc)
1076                 return rc;
1077
1078         return avc_has_perm(newsid, sbsec->sid,
1079                             SECCLASS_FILESYSTEM,
1080                             FILESYSTEM__ASSOCIATE, &ad);
1081 }
1082
1083 #define MAY_LINK   0
1084 #define MAY_UNLINK 1
1085 #define MAY_RMDIR  2
1086
1087 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1088 static int may_link(struct inode *dir,
1089                     struct dentry *dentry,
1090                     int kind)
1091
1092 {
1093         struct task_security_struct *tsec;
1094         struct inode_security_struct *dsec, *isec;
1095         struct avc_audit_data ad;
1096         u32 av;
1097         int rc;
1098
1099         tsec = current->security;
1100         dsec = dir->i_security;
1101         isec = dentry->d_inode->i_security;
1102
1103         AVC_AUDIT_DATA_INIT(&ad, FS);
1104         ad.u.fs.dentry = dentry;
1105
1106         av = DIR__SEARCH;
1107         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1108         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1109         if (rc)
1110                 return rc;
1111
1112         switch (kind) {
1113         case MAY_LINK:
1114                 av = FILE__LINK;
1115                 break;
1116         case MAY_UNLINK:
1117                 av = FILE__UNLINK;
1118                 break;
1119         case MAY_RMDIR:
1120                 av = DIR__RMDIR;
1121                 break;
1122         default:
1123                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1124                 return 0;
1125         }
1126
1127         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1128         return rc;
1129 }
1130
1131 static inline int may_rename(struct inode *old_dir,
1132                              struct dentry *old_dentry,
1133                              struct inode *new_dir,
1134                              struct dentry *new_dentry)
1135 {
1136         struct task_security_struct *tsec;
1137         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1138         struct avc_audit_data ad;
1139         u32 av;
1140         int old_is_dir, new_is_dir;
1141         int rc;
1142
1143         tsec = current->security;
1144         old_dsec = old_dir->i_security;
1145         old_isec = old_dentry->d_inode->i_security;
1146         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1147         new_dsec = new_dir->i_security;
1148
1149         AVC_AUDIT_DATA_INIT(&ad, FS);
1150
1151         ad.u.fs.dentry = old_dentry;
1152         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1153                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1154         if (rc)
1155                 return rc;
1156         rc = avc_has_perm(tsec->sid, old_isec->sid,
1157                           old_isec->sclass, FILE__RENAME, &ad);
1158         if (rc)
1159                 return rc;
1160         if (old_is_dir && new_dir != old_dir) {
1161                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1162                                   old_isec->sclass, DIR__REPARENT, &ad);
1163                 if (rc)
1164                         return rc;
1165         }
1166
1167         ad.u.fs.dentry = new_dentry;
1168         av = DIR__ADD_NAME | DIR__SEARCH;
1169         if (new_dentry->d_inode)
1170                 av |= DIR__REMOVE_NAME;
1171         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1172         if (rc)
1173                 return rc;
1174         if (new_dentry->d_inode) {
1175                 new_isec = new_dentry->d_inode->i_security;
1176                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1177                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1178                                   new_isec->sclass,
1179                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1180                 if (rc)
1181                         return rc;
1182         }
1183
1184         return 0;
1185 }
1186
1187 /* Check whether a task can perform a filesystem operation. */
1188 static int superblock_has_perm(struct task_struct *tsk,
1189                                struct super_block *sb,
1190                                u32 perms,
1191                                struct avc_audit_data *ad)
1192 {
1193         struct task_security_struct *tsec;
1194         struct superblock_security_struct *sbsec;
1195
1196         tsec = tsk->security;
1197         sbsec = sb->s_security;
1198         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1199                             perms, ad);
1200 }
1201
1202 /* Convert a Linux mode and permission mask to an access vector. */
1203 static inline u32 file_mask_to_av(int mode, int mask)
1204 {
1205         u32 av = 0;
1206
1207         if ((mode & S_IFMT) != S_IFDIR) {
1208                 if (mask & MAY_EXEC)
1209                         av |= FILE__EXECUTE;
1210                 if (mask & MAY_READ)
1211                         av |= FILE__READ;
1212
1213                 if (mask & MAY_APPEND)
1214                         av |= FILE__APPEND;
1215                 else if (mask & MAY_WRITE)
1216                         av |= FILE__WRITE;
1217
1218         } else {
1219                 if (mask & MAY_EXEC)
1220                         av |= DIR__SEARCH;
1221                 if (mask & MAY_WRITE)
1222                         av |= DIR__WRITE;
1223                 if (mask & MAY_READ)
1224                         av |= DIR__READ;
1225         }
1226
1227         return av;
1228 }
1229
1230 /* Convert a Linux file to an access vector. */
1231 static inline u32 file_to_av(struct file *file)
1232 {
1233         u32 av = 0;
1234
1235         if (file->f_mode & FMODE_READ)
1236                 av |= FILE__READ;
1237         if (file->f_mode & FMODE_WRITE) {
1238                 if (file->f_flags & O_APPEND)
1239                         av |= FILE__APPEND;
1240                 else
1241                         av |= FILE__WRITE;
1242         }
1243
1244         return av;
1245 }
1246
1247 /* Set an inode's SID to a specified value. */
1248 static int inode_security_set_sid(struct inode *inode, u32 sid)
1249 {
1250         struct inode_security_struct *isec = inode->i_security;
1251         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1252
1253         if (!sbsec->initialized) {
1254                 /* Defer initialization to selinux_complete_init. */
1255                 return 0;
1256         }
1257
1258         down(&isec->sem);
1259         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1260         isec->sid = sid;
1261         isec->initialized = 1;
1262         up(&isec->sem);
1263         return 0;
1264 }
1265
1266 /* Set the security attributes on a newly created file. */
1267 static int post_create(struct inode *dir,
1268                        struct dentry *dentry)
1269 {
1270
1271         struct task_security_struct *tsec;
1272         struct inode *inode;
1273         struct inode_security_struct *dsec;
1274         struct superblock_security_struct *sbsec;
1275         u32 newsid;
1276         char *context;
1277         unsigned int len;
1278         int rc;
1279
1280         tsec = current->security;
1281         dsec = dir->i_security;
1282         sbsec = dir->i_sb->s_security;
1283
1284         inode = dentry->d_inode;
1285         if (!inode) {
1286                 /* Some file system types (e.g. NFS) may not instantiate
1287                    a dentry for all create operations (e.g. symlink),
1288                    so we have to check to see if the inode is non-NULL. */
1289                 printk(KERN_WARNING "post_create:  no inode, dir (dev=%s, "
1290                        "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1291                 return 0;
1292         }
1293
1294         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1295                 newsid = tsec->create_sid;
1296         } else {
1297                 rc = security_transition_sid(tsec->sid, dsec->sid,
1298                                              inode_mode_to_security_class(inode->i_mode),
1299                                              &newsid);
1300                 if (rc) {
1301                         printk(KERN_WARNING "post_create:  "
1302                                "security_transition_sid failed, rc=%d (dev=%s "
1303                                "ino=%ld)\n",
1304                                -rc, inode->i_sb->s_id, inode->i_ino);
1305                         return rc;
1306                 }
1307         }
1308
1309         rc = inode_security_set_sid(inode, newsid);
1310         if (rc) {
1311                 printk(KERN_WARNING "post_create:  inode_security_set_sid "
1312                        "failed, rc=%d (dev=%s ino=%ld)\n",
1313                        -rc, inode->i_sb->s_id, inode->i_ino);
1314                 return rc;
1315         }
1316
1317         if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1318             inode->i_op->setxattr) {
1319                 /* Use extended attributes. */
1320                 rc = security_sid_to_context(newsid, &context, &len);
1321                 if (rc) {
1322                         printk(KERN_WARNING "post_create:  sid_to_context "
1323                                "failed, rc=%d (dev=%s ino=%ld)\n",
1324                                -rc, inode->i_sb->s_id, inode->i_ino);
1325                         return rc;
1326                 }
1327                 down(&inode->i_sem);
1328                 rc = inode->i_op->setxattr(dentry,
1329                                            XATTR_NAME_SELINUX,
1330                                            context, len, 0);
1331                 up(&inode->i_sem);
1332                 kfree(context);
1333                 if (rc < 0) {
1334                         printk(KERN_WARNING "post_create:  setxattr failed, "
1335                                "rc=%d (dev=%s ino=%ld)\n",
1336                                -rc, inode->i_sb->s_id, inode->i_ino);
1337                         return rc;
1338                 }
1339         }
1340
1341         return 0;
1342 }
1343
1344
1345 /* Hook functions begin here. */
1346
1347 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1348 {
1349         struct task_security_struct *psec = parent->security;
1350         struct task_security_struct *csec = child->security;
1351         int rc;
1352
1353         rc = secondary_ops->ptrace(parent,child);
1354         if (rc)
1355                 return rc;
1356
1357         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1358         /* Save the SID of the tracing process for later use in apply_creds. */
1359         if (!rc)
1360                 csec->ptrace_sid = psec->sid;
1361         return rc;
1362 }
1363
1364 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1365                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1366 {
1367         int error;
1368
1369         error = task_has_perm(current, target, PROCESS__GETCAP);
1370         if (error)
1371                 return error;
1372
1373         return secondary_ops->capget(target, effective, inheritable, permitted);
1374 }
1375
1376 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1377                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1378 {
1379         int error;
1380
1381         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1382         if (error)
1383                 return error;
1384
1385         return task_has_perm(current, target, PROCESS__SETCAP);
1386 }
1387
1388 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1389                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1390 {
1391         secondary_ops->capset_set(target, effective, inheritable, permitted);
1392 }
1393
1394 static int selinux_capable(struct task_struct *tsk, int cap)
1395 {
1396         int rc;
1397
1398         rc = secondary_ops->capable(tsk, cap);
1399         if (rc)
1400                 return rc;
1401
1402         return task_has_capability(tsk,cap);
1403 }
1404
1405 static int selinux_sysctl(ctl_table *table, int op)
1406 {
1407         int error = 0;
1408         u32 av;
1409         struct task_security_struct *tsec;
1410         u32 tsid;
1411         int rc;
1412
1413         rc = secondary_ops->sysctl(table, op);
1414         if (rc)
1415                 return rc;
1416
1417         tsec = current->security;
1418
1419         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1420                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1421         if (rc) {
1422                 /* Default to the well-defined sysctl SID. */
1423                 tsid = SECINITSID_SYSCTL;
1424         }
1425
1426         /* The op values are "defined" in sysctl.c, thereby creating
1427          * a bad coupling between this module and sysctl.c */
1428         if(op == 001) {
1429                 error = avc_has_perm(tsec->sid, tsid,
1430                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1431         } else {
1432                 av = 0;
1433                 if (op & 004)
1434                         av |= FILE__READ;
1435                 if (op & 002)
1436                         av |= FILE__WRITE;
1437                 if (av)
1438                         error = avc_has_perm(tsec->sid, tsid,
1439                                              SECCLASS_FILE, av, NULL);
1440         }
1441
1442         return error;
1443 }
1444
1445 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1446 {
1447         int rc = 0;
1448
1449         if (!sb)
1450                 return 0;
1451
1452         switch (cmds) {
1453                 case Q_SYNC:
1454                 case Q_QUOTAON:
1455                 case Q_QUOTAOFF:
1456                 case Q_SETINFO:
1457                 case Q_SETQUOTA:
1458                         rc = superblock_has_perm(current,
1459                                                  sb,
1460                                                  FILESYSTEM__QUOTAMOD, NULL);
1461                         break;
1462                 case Q_GETFMT:
1463                 case Q_GETINFO:
1464                 case Q_GETQUOTA:
1465                         rc = superblock_has_perm(current,
1466                                                  sb,
1467                                                  FILESYSTEM__QUOTAGET, NULL);
1468                         break;
1469                 default:
1470                         rc = 0;  /* let the kernel handle invalid cmds */
1471                         break;
1472         }
1473         return rc;
1474 }
1475
1476 static int selinux_quota_on(struct dentry *dentry)
1477 {
1478         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1479 }
1480
1481 static int selinux_syslog(int type)
1482 {
1483         int rc;
1484
1485         rc = secondary_ops->syslog(type);
1486         if (rc)
1487                 return rc;
1488
1489         switch (type) {
1490                 case 3:         /* Read last kernel messages */
1491                 case 10:        /* Return size of the log buffer */
1492                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1493                         break;
1494                 case 6:         /* Disable logging to console */
1495                 case 7:         /* Enable logging to console */
1496                 case 8:         /* Set level of messages printed to console */
1497                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1498                         break;
1499                 case 0:         /* Close log */
1500                 case 1:         /* Open log */
1501                 case 2:         /* Read from log */
1502                 case 4:         /* Read/clear last kernel messages */
1503                 case 5:         /* Clear ring buffer */
1504                 default:
1505                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1506                         break;
1507         }
1508         return rc;
1509 }
1510
1511 /*
1512  * Check that a process has enough memory to allocate a new virtual
1513  * mapping. 0 means there is enough memory for the allocation to
1514  * succeed and -ENOMEM implies there is not.
1515  *
1516  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1517  * if the capability is granted, but __vm_enough_memory requires 1 if
1518  * the capability is granted.
1519  *
1520  * Do not audit the selinux permission check, as this is applied to all
1521  * processes that allocate mappings.
1522  */
1523 static int selinux_vm_enough_memory(long pages)
1524 {
1525         int rc, cap_sys_admin = 0;
1526         struct task_security_struct *tsec = current->security;
1527
1528         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1529         if (rc == 0)
1530                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1531                                         SECCLASS_CAPABILITY,
1532                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1533                                         NULL);
1534
1535         if (rc == 0)
1536                 cap_sys_admin = 1;
1537
1538         return __vm_enough_memory(pages, cap_sys_admin);
1539 }
1540
1541 /* binprm security operations */
1542
1543 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1544 {
1545         struct bprm_security_struct *bsec;
1546
1547         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1548         if (!bsec)
1549                 return -ENOMEM;
1550
1551         memset(bsec, 0, sizeof *bsec);
1552         bsec->magic = SELINUX_MAGIC;
1553         bsec->bprm = bprm;
1554         bsec->sid = SECINITSID_UNLABELED;
1555         bsec->set = 0;
1556
1557         bprm->security = bsec;
1558         return 0;
1559 }
1560
1561 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1562 {
1563         struct task_security_struct *tsec;
1564         struct inode *inode = bprm->file->f_dentry->d_inode;
1565         struct inode_security_struct *isec;
1566         struct bprm_security_struct *bsec;
1567         u32 newsid;
1568         struct avc_audit_data ad;
1569         int rc;
1570
1571         rc = secondary_ops->bprm_set_security(bprm);
1572         if (rc)
1573                 return rc;
1574
1575         bsec = bprm->security;
1576
1577         if (bsec->set)
1578                 return 0;
1579
1580         tsec = current->security;
1581         isec = inode->i_security;
1582
1583         /* Default to the current task SID. */
1584         bsec->sid = tsec->sid;
1585
1586         /* Reset create SID on execve. */
1587         tsec->create_sid = 0;
1588
1589         if (tsec->exec_sid) {
1590                 newsid = tsec->exec_sid;
1591                 /* Reset exec SID on execve. */
1592                 tsec->exec_sid = 0;
1593         } else {
1594                 /* Check for a default transition on this program. */
1595                 rc = security_transition_sid(tsec->sid, isec->sid,
1596                                              SECCLASS_PROCESS, &newsid);
1597                 if (rc)
1598                         return rc;
1599         }
1600
1601         AVC_AUDIT_DATA_INIT(&ad, FS);
1602         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1603         ad.u.fs.dentry = bprm->file->f_dentry;
1604
1605         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1606                 newsid = tsec->sid;
1607
1608         if (tsec->sid == newsid) {
1609                 rc = avc_has_perm(tsec->sid, isec->sid,
1610                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1611                 if (rc)
1612                         return rc;
1613         } else {
1614                 /* Check permissions for the transition. */
1615                 rc = avc_has_perm(tsec->sid, newsid,
1616                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1617                 if (rc)
1618                         return rc;
1619
1620                 rc = avc_has_perm(newsid, isec->sid,
1621                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1622                 if (rc)
1623                         return rc;
1624
1625                 /* Clear any possibly unsafe personality bits on exec: */
1626                 current->personality &= ~PER_CLEAR_ON_SETID;
1627
1628                 /* Set the security field to the new SID. */
1629                 bsec->sid = newsid;
1630         }
1631
1632         bsec->set = 1;
1633         return 0;
1634 }
1635
1636 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1637 {
1638         return secondary_ops->bprm_check_security(bprm);
1639 }
1640
1641
1642 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1643 {
1644         struct task_security_struct *tsec = current->security;
1645         int atsecure = 0;
1646
1647         if (tsec->osid != tsec->sid) {
1648                 /* Enable secure mode for SIDs transitions unless
1649                    the noatsecure permission is granted between
1650                    the two SIDs, i.e. ahp returns 0. */
1651                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1652                                          SECCLASS_PROCESS,
1653                                          PROCESS__NOATSECURE, NULL);
1654         }
1655
1656         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1657 }
1658
1659 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1660 {
1661         kfree(bprm->security);
1662         bprm->security = NULL;
1663 }
1664
1665 extern struct vfsmount *selinuxfs_mount;
1666 extern struct dentry *selinux_null;
1667
1668 /* Derived from fs/exec.c:flush_old_files. */
1669 static inline void flush_unauthorized_files(struct files_struct * files)
1670 {
1671         struct avc_audit_data ad;
1672         struct file *file, *devnull = NULL;
1673         struct tty_struct *tty = current->signal->tty;
1674         long j = -1;
1675
1676         if (tty) {
1677                 file_list_lock();
1678                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1679                 if (file) {
1680                         /* Revalidate access to controlling tty.
1681                            Use inode_has_perm on the tty inode directly rather
1682                            than using file_has_perm, as this particular open
1683                            file may belong to another process and we are only
1684                            interested in the inode-based check here. */
1685                         struct inode *inode = file->f_dentry->d_inode;
1686                         if (inode_has_perm(current, inode,
1687                                            FILE__READ | FILE__WRITE, NULL)) {
1688                                 /* Reset controlling tty. */
1689                                 current->signal->tty = NULL;
1690                                 current->signal->tty_old_pgrp = 0;
1691                         }
1692                 }
1693                 file_list_unlock();
1694         }
1695
1696         /* Revalidate access to inherited open files. */
1697
1698         AVC_AUDIT_DATA_INIT(&ad,FS);
1699
1700         spin_lock(&files->file_lock);
1701         for (;;) {
1702                 unsigned long set, i;
1703                 int fd;
1704
1705                 j++;
1706                 i = j * __NFDBITS;
1707                 if (i >= files->max_fds || i >= files->max_fdset)
1708                         break;
1709                 set = files->open_fds->fds_bits[j];
1710                 if (!set)
1711                         continue;
1712                 spin_unlock(&files->file_lock);
1713                 for ( ; set ; i++,set >>= 1) {
1714                         if (set & 1) {
1715                                 file = fget(i);
1716                                 if (!file)
1717                                         continue;
1718                                 if (file_has_perm(current,
1719                                                   file,
1720                                                   file_to_av(file))) {
1721                                         sys_close(i);
1722                                         fd = get_unused_fd();
1723                                         if (fd != i) {
1724                                                 if (fd >= 0)
1725                                                         put_unused_fd(fd);
1726                                                 fput(file);
1727                                                 continue;
1728                                         }
1729                                         if (devnull) {
1730                                                 atomic_inc(&devnull->f_count);
1731                                         } else {
1732                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1733                                                 if (!devnull) {
1734                                                         put_unused_fd(fd);
1735                                                         fput(file);
1736                                                         continue;
1737                                                 }
1738                                         }
1739                                         fd_install(fd, devnull);
1740                                 }
1741                                 fput(file);
1742                         }
1743                 }
1744                 spin_lock(&files->file_lock);
1745
1746         }
1747         spin_unlock(&files->file_lock);
1748 }
1749
1750 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1751 {
1752         struct task_security_struct *tsec;
1753         struct bprm_security_struct *bsec;
1754         u32 sid;
1755         int rc;
1756
1757         secondary_ops->bprm_apply_creds(bprm, unsafe);
1758
1759         tsec = current->security;
1760
1761         bsec = bprm->security;
1762         sid = bsec->sid;
1763
1764         tsec->osid = tsec->sid;
1765         bsec->unsafe = 0;
1766         if (tsec->sid != sid) {
1767                 /* Check for shared state.  If not ok, leave SID
1768                    unchanged and kill. */
1769                 if (unsafe & LSM_UNSAFE_SHARE) {
1770                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1771                                         PROCESS__SHARE, NULL);
1772                         if (rc) {
1773                                 bsec->unsafe = 1;
1774                                 return;
1775                         }
1776                 }
1777
1778                 /* Check for ptracing, and update the task SID if ok.
1779                    Otherwise, leave SID unchanged and kill. */
1780                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1781                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1782                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1783                                           NULL);
1784                         if (rc) {
1785                                 bsec->unsafe = 1;
1786                                 return;
1787                         }
1788                 }
1789                 tsec->sid = sid;
1790         }
1791 }
1792
1793 /*
1794  * called after apply_creds without the task lock held
1795  */
1796 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1797 {
1798         struct task_security_struct *tsec;
1799         struct rlimit *rlim, *initrlim;
1800         struct itimerval itimer;
1801         struct bprm_security_struct *bsec;
1802         int rc, i;
1803
1804         tsec = current->security;
1805         bsec = bprm->security;
1806
1807         if (bsec->unsafe) {
1808                 force_sig_specific(SIGKILL, current);
1809                 return;
1810         }
1811         if (tsec->osid == tsec->sid)
1812                 return;
1813
1814         /* Close files for which the new task SID is not authorized. */
1815         flush_unauthorized_files(current->files);
1816
1817         /* Check whether the new SID can inherit signal state
1818            from the old SID.  If not, clear itimers to avoid
1819            subsequent signal generation and flush and unblock
1820            signals. This must occur _after_ the task SID has
1821           been updated so that any kill done after the flush
1822           will be checked against the new SID. */
1823         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1824                           PROCESS__SIGINH, NULL);
1825         if (rc) {
1826                 memset(&itimer, 0, sizeof itimer);
1827                 for (i = 0; i < 3; i++)
1828                         do_setitimer(i, &itimer, NULL);
1829                 flush_signals(current);
1830                 spin_lock_irq(&current->sighand->siglock);
1831                 flush_signal_handlers(current, 1);
1832                 sigemptyset(&current->blocked);
1833                 recalc_sigpending();
1834                 spin_unlock_irq(&current->sighand->siglock);
1835         }
1836
1837         /* Check whether the new SID can inherit resource limits
1838            from the old SID.  If not, reset all soft limits to
1839            the lower of the current task's hard limit and the init
1840            task's soft limit.  Note that the setting of hard limits
1841            (even to lower them) can be controlled by the setrlimit
1842            check. The inclusion of the init task's soft limit into
1843            the computation is to avoid resetting soft limits higher
1844            than the default soft limit for cases where the default
1845            is lower than the hard limit, e.g. RLIMIT_CORE or
1846            RLIMIT_STACK.*/
1847         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1848                           PROCESS__RLIMITINH, NULL);
1849         if (rc) {
1850                 for (i = 0; i < RLIM_NLIMITS; i++) {
1851                         rlim = current->signal->rlim + i;
1852                         initrlim = init_task.signal->rlim+i;
1853                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1854                 }
1855                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1856                         /*
1857                          * This will cause RLIMIT_CPU calculations
1858                          * to be refigured.
1859                          */
1860                         current->it_prof_expires = jiffies_to_cputime(1);
1861                 }
1862         }
1863
1864         /* Wake up the parent if it is waiting so that it can
1865            recheck wait permission to the new task SID. */
1866         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1867 }
1868
1869 /* superblock security operations */
1870
1871 static int selinux_sb_alloc_security(struct super_block *sb)
1872 {
1873         return superblock_alloc_security(sb);
1874 }
1875
1876 static void selinux_sb_free_security(struct super_block *sb)
1877 {
1878         superblock_free_security(sb);
1879 }
1880
1881 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1882 {
1883         if (plen > olen)
1884                 return 0;
1885
1886         return !memcmp(prefix, option, plen);
1887 }
1888
1889 static inline int selinux_option(char *option, int len)
1890 {
1891         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1892                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1893                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1894 }
1895
1896 static inline void take_option(char **to, char *from, int *first, int len)
1897 {
1898         if (!*first) {
1899                 **to = ',';
1900                 *to += 1;
1901         }
1902         else
1903                 *first = 0;
1904         memcpy(*to, from, len);
1905         *to += len;
1906 }
1907
1908 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1909 {
1910         int fnosec, fsec, rc = 0;
1911         char *in_save, *in_curr, *in_end;
1912         char *sec_curr, *nosec_save, *nosec;
1913
1914         in_curr = orig;
1915         sec_curr = copy;
1916
1917         /* Binary mount data: just copy */
1918         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1919                 copy_page(sec_curr, in_curr);
1920                 goto out;
1921         }
1922
1923         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1924         if (!nosec) {
1925                 rc = -ENOMEM;
1926                 goto out;
1927         }
1928
1929         nosec_save = nosec;
1930         fnosec = fsec = 1;
1931         in_save = in_end = orig;
1932
1933         do {
1934                 if (*in_end == ',' || *in_end == '\0') {
1935                         int len = in_end - in_curr;
1936
1937                         if (selinux_option(in_curr, len))
1938                                 take_option(&sec_curr, in_curr, &fsec, len);
1939                         else
1940                                 take_option(&nosec, in_curr, &fnosec, len);
1941
1942                         in_curr = in_end + 1;
1943                 }
1944         } while (*in_end++);
1945
1946         copy_page(in_save, nosec_save);
1947         free_page((unsigned long)nosec_save);
1948 out:
1949         return rc;
1950 }
1951
1952 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1953 {
1954         struct avc_audit_data ad;
1955         int rc;
1956
1957         rc = superblock_doinit(sb, data);
1958         if (rc)
1959                 return rc;
1960
1961         AVC_AUDIT_DATA_INIT(&ad,FS);
1962         ad.u.fs.dentry = sb->s_root;
1963         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1964 }
1965
1966 static int selinux_sb_statfs(struct super_block *sb)
1967 {
1968         struct avc_audit_data ad;
1969
1970         AVC_AUDIT_DATA_INIT(&ad,FS);
1971         ad.u.fs.dentry = sb->s_root;
1972         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1973 }
1974
1975 static int selinux_mount(char * dev_name,
1976                          struct nameidata *nd,
1977                          char * type,
1978                          unsigned long flags,
1979                          void * data)
1980 {
1981         int rc;
1982
1983         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1984         if (rc)
1985                 return rc;
1986
1987         if (flags & MS_REMOUNT)
1988                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1989                                            FILESYSTEM__REMOUNT, NULL);
1990         else
1991                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1992                                        FILE__MOUNTON);
1993 }
1994
1995 static int selinux_umount(struct vfsmount *mnt, int flags)
1996 {
1997         int rc;
1998
1999         rc = secondary_ops->sb_umount(mnt, flags);
2000         if (rc)
2001                 return rc;
2002
2003         return superblock_has_perm(current,mnt->mnt_sb,
2004                                    FILESYSTEM__UNMOUNT,NULL);
2005 }
2006
2007 /* inode security operations */
2008
2009 static int selinux_inode_alloc_security(struct inode *inode)
2010 {
2011         return inode_alloc_security(inode);
2012 }
2013
2014 static void selinux_inode_free_security(struct inode *inode)
2015 {
2016         inode_free_security(inode);
2017 }
2018
2019 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2020 {
2021         return may_create(dir, dentry, SECCLASS_FILE);
2022 }
2023
2024 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2025 {
2026         post_create(dir, dentry);
2027 }
2028
2029 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2030 {
2031         int rc;
2032
2033         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2034         if (rc)
2035                 return rc;
2036         return may_link(dir, old_dentry, MAY_LINK);
2037 }
2038
2039 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2040 {
2041         return;
2042 }
2043
2044 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2045 {
2046         int rc;
2047
2048         rc = secondary_ops->inode_unlink(dir, dentry);
2049         if (rc)
2050                 return rc;
2051         return may_link(dir, dentry, MAY_UNLINK);
2052 }
2053
2054 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2055 {
2056         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2057 }
2058
2059 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2060 {
2061         post_create(dir, dentry);
2062 }
2063
2064 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2065 {
2066         return may_create(dir, dentry, SECCLASS_DIR);
2067 }
2068
2069 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2070 {
2071         post_create(dir, dentry);
2072 }
2073
2074 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2075 {
2076         return may_link(dir, dentry, MAY_RMDIR);
2077 }
2078
2079 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2080 {
2081         int rc;
2082
2083         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2084         if (rc)
2085                 return rc;
2086
2087         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2088 }
2089
2090 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2091 {
2092         post_create(dir, dentry);
2093 }
2094
2095 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2096                                 struct inode *new_inode, struct dentry *new_dentry)
2097 {
2098         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2099 }
2100
2101 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2102                                       struct inode *new_inode, struct dentry *new_dentry)
2103 {
2104         return;
2105 }
2106
2107 static int selinux_inode_readlink(struct dentry *dentry)
2108 {
2109         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2110 }
2111
2112 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2113 {
2114         int rc;
2115
2116         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2117         if (rc)
2118                 return rc;
2119         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2120 }
2121
2122 static int selinux_inode_permission(struct inode *inode, int mask,
2123                                     struct nameidata *nd)
2124 {
2125         int rc;
2126
2127         rc = secondary_ops->inode_permission(inode, mask, nd);
2128         if (rc)
2129                 return rc;
2130
2131         if (!mask) {
2132                 /* No permission to check.  Existence test. */
2133                 return 0;
2134         }
2135
2136         return inode_has_perm(current, inode,
2137                                file_mask_to_av(inode->i_mode, mask), NULL);
2138 }
2139
2140 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2141 {
2142         int rc;
2143
2144         rc = secondary_ops->inode_setattr(dentry, iattr);
2145         if (rc)
2146                 return rc;
2147
2148         if (iattr->ia_valid & ATTR_FORCE)
2149                 return 0;
2150
2151         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2152                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2153                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2154
2155         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2156 }
2157
2158 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2159 {
2160         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2161 }
2162
2163 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2164 {
2165         struct task_security_struct *tsec = current->security;
2166         struct inode *inode = dentry->d_inode;
2167         struct inode_security_struct *isec = inode->i_security;
2168         struct superblock_security_struct *sbsec;
2169         struct avc_audit_data ad;
2170         u32 newsid;
2171         int rc = 0;
2172
2173         if (strcmp(name, XATTR_NAME_SELINUX)) {
2174                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2175                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2176                     !capable(CAP_SYS_ADMIN)) {
2177                         /* A different attribute in the security namespace.
2178                            Restrict to administrator. */
2179                         return -EPERM;
2180                 }
2181
2182                 /* Not an attribute we recognize, so just check the
2183                    ordinary setattr permission. */
2184                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2185         }
2186
2187         sbsec = inode->i_sb->s_security;
2188         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2189                 return -EOPNOTSUPP;
2190
2191         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2192                 return -EPERM;
2193
2194         AVC_AUDIT_DATA_INIT(&ad,FS);
2195         ad.u.fs.dentry = dentry;
2196
2197         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2198                           FILE__RELABELFROM, &ad);
2199         if (rc)
2200                 return rc;
2201
2202         rc = security_context_to_sid(value, size, &newsid);
2203         if (rc)
2204                 return rc;
2205
2206         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2207                           FILE__RELABELTO, &ad);
2208         if (rc)
2209                 return rc;
2210
2211         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2212                                           isec->sclass);
2213         if (rc)
2214                 return rc;
2215
2216         return avc_has_perm(newsid,
2217                             sbsec->sid,
2218                             SECCLASS_FILESYSTEM,
2219                             FILESYSTEM__ASSOCIATE,
2220                             &ad);
2221 }
2222
2223 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2224                                         void *value, size_t size, int flags)
2225 {
2226         struct inode *inode = dentry->d_inode;
2227         struct inode_security_struct *isec = inode->i_security;
2228         u32 newsid;
2229         int rc;
2230
2231         if (strcmp(name, XATTR_NAME_SELINUX)) {
2232                 /* Not an attribute we recognize, so nothing to do. */
2233                 return;
2234         }
2235
2236         rc = security_context_to_sid(value, size, &newsid);
2237         if (rc) {
2238                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2239                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2240                 return;
2241         }
2242
2243         isec->sid = newsid;
2244         return;
2245 }
2246
2247 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2248 {
2249         struct inode *inode = dentry->d_inode;
2250         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2251
2252         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2253                 return -EOPNOTSUPP;
2254
2255         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2256 }
2257
2258 static int selinux_inode_listxattr (struct dentry *dentry)
2259 {
2260         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2261 }
2262
2263 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2264 {
2265         if (strcmp(name, XATTR_NAME_SELINUX)) {
2266                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2267                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2268                     !capable(CAP_SYS_ADMIN)) {
2269                         /* A different attribute in the security namespace.
2270                            Restrict to administrator. */
2271                         return -EPERM;
2272                 }
2273
2274                 /* Not an attribute we recognize, so just check the
2275                    ordinary setattr permission. Might want a separate
2276                    permission for removexattr. */
2277                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2278         }
2279
2280         /* No one is allowed to remove a SELinux security label.
2281            You can change the label, but all data must be labeled. */
2282         return -EACCES;
2283 }
2284
2285 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2286 {
2287         struct inode_security_struct *isec = inode->i_security;
2288         char *context;
2289         unsigned len;
2290         int rc;
2291
2292         /* Permission check handled by selinux_inode_getxattr hook.*/
2293
2294         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2295                 return -EOPNOTSUPP;
2296
2297         rc = security_sid_to_context(isec->sid, &context, &len);
2298         if (rc)
2299                 return rc;
2300
2301         if (!buffer || !size) {
2302                 kfree(context);
2303                 return len;
2304         }
2305         if (size < len) {
2306                 kfree(context);
2307                 return -ERANGE;
2308         }
2309         memcpy(buffer, context, len);
2310         kfree(context);
2311         return len;
2312 }
2313
2314 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2315                                      const void *value, size_t size, int flags)
2316 {
2317         struct inode_security_struct *isec = inode->i_security;
2318         u32 newsid;
2319         int rc;
2320
2321         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2322                 return -EOPNOTSUPP;
2323
2324         if (!value || !size)
2325                 return -EACCES;
2326
2327         rc = security_context_to_sid((void*)value, size, &newsid);
2328         if (rc)
2329                 return rc;
2330
2331         isec->sid = newsid;
2332         return 0;
2333 }
2334
2335 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2336 {
2337         const int len = sizeof(XATTR_NAME_SELINUX);
2338         if (buffer && len <= buffer_size)
2339                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2340         return len;
2341 }
2342
2343 /* file security operations */
2344
2345 static int selinux_file_permission(struct file *file, int mask)
2346 {
2347         struct inode *inode = file->f_dentry->d_inode;
2348
2349         if (!mask) {
2350                 /* No permission to check.  Existence test. */
2351                 return 0;
2352         }
2353
2354         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2355         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2356                 mask |= MAY_APPEND;
2357
2358         return file_has_perm(current, file,
2359                              file_mask_to_av(inode->i_mode, mask));
2360 }
2361
2362 static int selinux_file_alloc_security(struct file *file)
2363 {
2364         return file_alloc_security(file);
2365 }
2366
2367 static void selinux_file_free_security(struct file *file)
2368 {
2369         file_free_security(file);
2370 }
2371
2372 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2373                               unsigned long arg)
2374 {
2375         int error = 0;
2376
2377         switch (cmd) {
2378                 case FIONREAD:
2379                 /* fall through */
2380                 case FIBMAP:
2381                 /* fall through */
2382                 case FIGETBSZ:
2383                 /* fall through */
2384                 case EXT2_IOC_GETFLAGS:
2385                 /* fall through */
2386                 case EXT2_IOC_GETVERSION:
2387                         error = file_has_perm(current, file, FILE__GETATTR);
2388                         break;
2389
2390                 case EXT2_IOC_SETFLAGS:
2391                 /* fall through */
2392                 case EXT2_IOC_SETVERSION:
2393                         error = file_has_perm(current, file, FILE__SETATTR);
2394                         break;
2395
2396                 /* sys_ioctl() checks */
2397                 case FIONBIO:
2398                 /* fall through */
2399                 case FIOASYNC:
2400                         error = file_has_perm(current, file, 0);
2401                         break;
2402
2403                 case KDSKBENT:
2404                 case KDSKBSENT:
2405                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2406                         break;
2407
2408                 /* default case assumes that the command will go
2409                  * to the file's ioctl() function.
2410                  */
2411                 default:
2412                         error = file_has_perm(current, file, FILE__IOCTL);
2413
2414         }
2415         return error;
2416 }
2417
2418 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2419 {
2420 #ifndef CONFIG_PPC32
2421         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2422                 /*
2423                  * We are making executable an anonymous mapping or a
2424                  * private file mapping that will also be writable.
2425                  * This has an additional check.
2426                  */
2427                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2428                 if (rc)
2429                         return rc;
2430         }
2431 #endif
2432
2433         if (file) {
2434                 /* read access is always possible with a mapping */
2435                 u32 av = FILE__READ;
2436
2437                 /* write access only matters if the mapping is shared */
2438                 if (shared && (prot & PROT_WRITE))
2439                         av |= FILE__WRITE;
2440
2441                 if (prot & PROT_EXEC)
2442                         av |= FILE__EXECUTE;
2443
2444                 return file_has_perm(current, file, av);
2445         }
2446         return 0;
2447 }
2448
2449 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2450                              unsigned long prot, unsigned long flags)
2451 {
2452         int rc;
2453
2454         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2455         if (rc)
2456                 return rc;
2457
2458         if (selinux_checkreqprot)
2459                 prot = reqprot;
2460
2461         return file_map_prot_check(file, prot,
2462                                    (flags & MAP_TYPE) == MAP_SHARED);
2463 }
2464
2465 static int selinux_file_mprotect(struct vm_area_struct *vma,
2466                                  unsigned long reqprot,
2467                                  unsigned long prot)
2468 {
2469         int rc;
2470
2471         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2472         if (rc)
2473                 return rc;
2474
2475         if (selinux_checkreqprot)
2476                 prot = reqprot;
2477
2478 #ifndef CONFIG_PPC32
2479         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2480            (vma->vm_start >= vma->vm_mm->start_brk &&
2481             vma->vm_end <= vma->vm_mm->brk)) {
2482                 /*
2483                  * We are making an executable mapping in the brk region.
2484                  * This has an additional execheap check.
2485                  */
2486                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2487                 if (rc)
2488                         return rc;
2489         }
2490         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2491                 /*
2492                  * We are making executable a file mapping that has
2493                  * had some COW done. Since pages might have been written,
2494                  * check ability to execute the possibly modified content.
2495                  * This typically should only occur for text relocations.
2496                  */
2497                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2498                 if (rc)
2499                         return rc;
2500         }
2501         if (!vma->vm_file && (prot & PROT_EXEC) &&
2502                 vma->vm_start <= vma->vm_mm->start_stack &&
2503                 vma->vm_end >= vma->vm_mm->start_stack) {
2504                 /* Attempt to make the process stack executable.
2505                  * This has an additional execstack check.
2506                  */
2507                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2508                 if (rc)
2509                         return rc;
2510         }
2511 #endif
2512
2513         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2514 }
2515
2516 static int selinux_file_lock(struct file *file, unsigned int cmd)
2517 {
2518         return file_has_perm(current, file, FILE__LOCK);
2519 }
2520
2521 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2522                               unsigned long arg)
2523 {
2524         int err = 0;
2525
2526         switch (cmd) {
2527                 case F_SETFL:
2528                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2529                                 err = -EINVAL;
2530                                 break;
2531                         }
2532
2533                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2534                                 err = file_has_perm(current, file,FILE__WRITE);
2535                                 break;
2536                         }
2537                         /* fall through */
2538                 case F_SETOWN:
2539                 case F_SETSIG:
2540                 case F_GETFL:
2541                 case F_GETOWN:
2542                 case F_GETSIG:
2543                         /* Just check FD__USE permission */
2544                         err = file_has_perm(current, file, 0);
2545                         break;
2546                 case F_GETLK:
2547                 case F_SETLK:
2548                 case F_SETLKW:
2549 #if BITS_PER_LONG == 32
2550                 case F_GETLK64:
2551                 case F_SETLK64:
2552                 case F_SETLKW64:
2553 #endif
2554                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2555                                 err = -EINVAL;
2556                                 break;
2557                         }
2558                         err = file_has_perm(current, file, FILE__LOCK);
2559                         break;
2560         }
2561
2562         return err;
2563 }
2564
2565 static int selinux_file_set_fowner(struct file *file)
2566 {
2567         struct task_security_struct *tsec;
2568         struct file_security_struct *fsec;
2569
2570         tsec = current->security;
2571         fsec = file->f_security;
2572         fsec->fown_sid = tsec->sid;
2573
2574         return 0;
2575 }
2576
2577 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2578                                        struct fown_struct *fown, int signum)
2579 {
2580         struct file *file;
2581         u32 perm;
2582         struct task_security_struct *tsec;
2583         struct file_security_struct *fsec;
2584
2585         /* struct fown_struct is never outside the context of a struct file */
2586         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2587
2588         tsec = tsk->security;
2589         fsec = file->f_security;
2590
2591         if (!signum)
2592                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2593         else
2594                 perm = signal_to_av(signum);
2595
2596         return avc_has_perm(fsec->fown_sid, tsec->sid,
2597                             SECCLASS_PROCESS, perm, NULL);
2598 }
2599
2600 static int selinux_file_receive(struct file *file)
2601 {
2602         return file_has_perm(current, file, file_to_av(file));
2603 }
2604
2605 /* task security operations */
2606
2607 static int selinux_task_create(unsigned long clone_flags)
2608 {
2609         int rc;
2610
2611         rc = secondary_ops->task_create(clone_flags);
2612         if (rc)
2613                 return rc;
2614
2615         return task_has_perm(current, current, PROCESS__FORK);
2616 }
2617
2618 static int selinux_task_alloc_security(struct task_struct *tsk)
2619 {
2620         struct task_security_struct *tsec1, *tsec2;
2621         int rc;
2622
2623         tsec1 = current->security;
2624
2625         rc = task_alloc_security(tsk);
2626         if (rc)
2627                 return rc;
2628         tsec2 = tsk->security;
2629
2630         tsec2->osid = tsec1->osid;
2631         tsec2->sid = tsec1->sid;
2632
2633         /* Retain the exec and create SIDs across fork */
2634         tsec2->exec_sid = tsec1->exec_sid;
2635         tsec2->create_sid = tsec1->create_sid;
2636
2637         /* Retain ptracer SID across fork, if any.
2638            This will be reset by the ptrace hook upon any
2639            subsequent ptrace_attach operations. */
2640         tsec2->ptrace_sid = tsec1->ptrace_sid;
2641
2642         return 0;
2643 }
2644
2645 static void selinux_task_free_security(struct task_struct *tsk)
2646 {
2647         task_free_security(tsk);
2648 }
2649
2650 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2651 {
2652         /* Since setuid only affects the current process, and
2653            since the SELinux controls are not based on the Linux
2654            identity attributes, SELinux does not need to control
2655            this operation.  However, SELinux does control the use
2656            of the CAP_SETUID and CAP_SETGID capabilities using the
2657            capable hook. */
2658         return 0;
2659 }
2660
2661 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2662 {
2663         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2664 }
2665
2666 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2667 {
2668         /* See the comment for setuid above. */
2669         return 0;
2670 }
2671
2672 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2673 {
2674         return task_has_perm(current, p, PROCESS__SETPGID);
2675 }
2676
2677 static int selinux_task_getpgid(struct task_struct *p)
2678 {
2679         return task_has_perm(current, p, PROCESS__GETPGID);
2680 }
2681
2682 static int selinux_task_getsid(struct task_struct *p)
2683 {
2684         return task_has_perm(current, p, PROCESS__GETSESSION);
2685 }
2686
2687 static int selinux_task_setgroups(struct group_info *group_info)
2688 {
2689         /* See the comment for setuid above. */
2690         return 0;
2691 }
2692
2693 static int selinux_task_setnice(struct task_struct *p, int nice)
2694 {
2695         int rc;
2696
2697         rc = secondary_ops->task_setnice(p, nice);
2698         if (rc)
2699                 return rc;
2700
2701         return task_has_perm(current,p, PROCESS__SETSCHED);
2702 }
2703
2704 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2705 {
2706         struct rlimit *old_rlim = current->signal->rlim + resource;
2707         int rc;
2708
2709         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2710         if (rc)
2711                 return rc;
2712
2713         /* Control the ability to change the hard limit (whether
2714            lowering or raising it), so that the hard limit can
2715            later be used as a safe reset point for the soft limit
2716            upon context transitions. See selinux_bprm_apply_creds. */
2717         if (old_rlim->rlim_max != new_rlim->rlim_max)
2718                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2719
2720         return 0;
2721 }
2722
2723 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2724 {
2725         return task_has_perm(current, p, PROCESS__SETSCHED);
2726 }
2727
2728 static int selinux_task_getscheduler(struct task_struct *p)
2729 {
2730         return task_has_perm(current, p, PROCESS__GETSCHED);
2731 }
2732
2733 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2734 {
2735         u32 perm;
2736         int rc;
2737
2738         rc = secondary_ops->task_kill(p, info, sig);
2739         if (rc)
2740                 return rc;
2741
2742         if (info && ((unsigned long)info == 1 ||
2743                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2744                 return 0;
2745
2746         if (!sig)
2747                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2748         else
2749                 perm = signal_to_av(sig);
2750
2751         return task_has_perm(current, p, perm);
2752 }
2753
2754 static int selinux_task_prctl(int option,
2755                               unsigned long arg2,
2756                               unsigned long arg3,
2757                               unsigned long arg4,
2758                               unsigned long arg5)
2759 {
2760         /* The current prctl operations do not appear to require
2761            any SELinux controls since they merely observe or modify
2762            the state of the current process. */
2763         return 0;
2764 }
2765
2766 static int selinux_task_wait(struct task_struct *p)
2767 {
2768         u32 perm;
2769
2770         perm = signal_to_av(p->exit_signal);
2771
2772         return task_has_perm(p, current, perm);
2773 }
2774
2775 static void selinux_task_reparent_to_init(struct task_struct *p)
2776 {
2777         struct task_security_struct *tsec;
2778
2779         secondary_ops->task_reparent_to_init(p);
2780
2781         tsec = p->security;
2782         tsec->osid = tsec->sid;
2783         tsec->sid = SECINITSID_KERNEL;
2784         return;
2785 }
2786
2787 static void selinux_task_to_inode(struct task_struct *p,
2788                                   struct inode *inode)
2789 {
2790         struct task_security_struct *tsec = p->security;
2791         struct inode_security_struct *isec = inode->i_security;
2792
2793         isec->sid = tsec->sid;
2794         isec->initialized = 1;
2795         return;
2796 }
2797
2798 #ifdef CONFIG_SECURITY_NETWORK
2799
2800 /* Returns error only if unable to parse addresses */
2801 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2802 {
2803         int offset, ihlen, ret = -EINVAL;
2804         struct iphdr _iph, *ih;
2805
2806         offset = skb->nh.raw - skb->data;
2807         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2808         if (ih == NULL)
2809                 goto out;
2810
2811         ihlen = ih->ihl * 4;
2812         if (ihlen < sizeof(_iph))
2813                 goto out;
2814
2815         ad->u.net.v4info.saddr = ih->saddr;
2816         ad->u.net.v4info.daddr = ih->daddr;
2817         ret = 0;
2818
2819         switch (ih->protocol) {
2820         case IPPROTO_TCP: {
2821                 struct tcphdr _tcph, *th;
2822
2823                 if (ntohs(ih->frag_off) & IP_OFFSET)
2824                         break;
2825
2826                 offset += ihlen;
2827                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2828                 if (th == NULL)
2829                         break;
2830
2831                 ad->u.net.sport = th->source;
2832                 ad->u.net.dport = th->dest;
2833                 break;
2834         }
2835         
2836         case IPPROTO_UDP: {
2837                 struct udphdr _udph, *uh;
2838                 
2839                 if (ntohs(ih->frag_off) & IP_OFFSET)
2840                         break;
2841                         
2842                 offset += ihlen;
2843                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2844                 if (uh == NULL)
2845                         break;  
2846
2847                 ad->u.net.sport = uh->source;
2848                 ad->u.net.dport = uh->dest;
2849                 break;
2850         }
2851
2852         default:
2853                 break;
2854         }
2855 out:
2856         return ret;
2857 }
2858
2859 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2860
2861 /* Returns error only if unable to parse addresses */
2862 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2863 {
2864         u8 nexthdr;
2865         int ret = -EINVAL, offset;
2866         struct ipv6hdr _ipv6h, *ip6;
2867
2868         offset = skb->nh.raw - skb->data;
2869         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2870         if (ip6 == NULL)
2871                 goto out;
2872
2873         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2874         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2875         ret = 0;
2876
2877         nexthdr = ip6->nexthdr;
2878         offset += sizeof(_ipv6h);
2879         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2880         if (offset < 0)
2881                 goto out;
2882
2883         switch (nexthdr) {
2884         case IPPROTO_TCP: {
2885                 struct tcphdr _tcph, *th;
2886
2887                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2888                 if (th == NULL)
2889                         break;
2890
2891                 ad->u.net.sport = th->source;
2892                 ad->u.net.dport = th->dest;
2893                 break;
2894         }
2895
2896         case IPPROTO_UDP: {
2897                 struct udphdr _udph, *uh;
2898
2899                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2900                 if (uh == NULL)
2901                         break;
2902
2903                 ad->u.net.sport = uh->source;
2904                 ad->u.net.dport = uh->dest;
2905                 break;
2906         }
2907
2908         /* includes fragments */
2909         default:
2910                 break;
2911         }
2912 out:
2913         return ret;
2914 }
2915
2916 #endif /* IPV6 */
2917
2918 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2919                              char **addrp, int *len, int src)
2920 {
2921         int ret = 0;
2922
2923         switch (ad->u.net.family) {
2924         case PF_INET:
2925                 ret = selinux_parse_skb_ipv4(skb, ad);
2926                 if (ret || !addrp)
2927                         break;
2928                 *len = 4;
2929                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2930                                         &ad->u.net.v4info.daddr);
2931                 break;
2932
2933 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2934         case PF_INET6:
2935                 ret = selinux_parse_skb_ipv6(skb, ad);
2936                 if (ret || !addrp)
2937                         break;
2938                 *len = 16;
2939                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2940                                         &ad->u.net.v6info.daddr);
2941                 break;
2942 #endif  /* IPV6 */
2943         default:
2944                 break;
2945         }
2946
2947         return ret;
2948 }
2949
2950 /* socket security operations */
2951 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2952                            u32 perms)
2953 {
2954         struct inode_security_struct *isec;
2955         struct task_security_struct *tsec;
2956         struct avc_audit_data ad;
2957         int err = 0;
2958
2959         tsec = task->security;
2960         isec = SOCK_INODE(sock)->i_security;
2961
2962         if (isec->sid == SECINITSID_KERNEL)
2963                 goto out;
2964
2965         AVC_AUDIT_DATA_INIT(&ad,NET);
2966         ad.u.net.sk = sock->sk;
2967         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2968
2969 out:
2970         return err;
2971 }
2972
2973 static int selinux_socket_create(int family, int type,
2974                                  int protocol, int kern)
2975 {
2976         int err = 0;
2977         struct task_security_struct *tsec;
2978
2979         if (kern)
2980                 goto out;
2981
2982         tsec = current->security;
2983         err = avc_has_perm(tsec->sid, tsec->sid,
2984                            socket_type_to_security_class(family, type,
2985                            protocol), SOCKET__CREATE, NULL);
2986
2987 out:
2988         return err;
2989 }
2990
2991 static void selinux_socket_post_create(struct socket *sock, int family,
2992                                        int type, int protocol, int kern)
2993 {
2994         struct inode_security_struct *isec;
2995         struct task_security_struct *tsec;
2996
2997         isec = SOCK_INODE(sock)->i_security;
2998
2999         tsec = current->security;
3000         isec->sclass = socket_type_to_security_class(family, type, protocol);
3001         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
3002         isec->initialized = 1;
3003
3004         return;
3005 }
3006
3007 /* Range of port numbers used to automatically bind.
3008    Need to determine whether we should perform a name_bind
3009    permission check between the socket and the port number. */
3010 #define ip_local_port_range_0 sysctl_local_port_range[0]
3011 #define ip_local_port_range_1 sysctl_local_port_range[1]
3012
3013 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3014 {
3015         u16 family;
3016         int err;
3017
3018         err = socket_has_perm(current, sock, SOCKET__BIND);
3019         if (err)
3020                 goto out;
3021
3022         /*
3023          * If PF_INET or PF_INET6, check name_bind permission for the port.
3024          */
3025         family = sock->sk->sk_family;
3026         if (family == PF_INET || family == PF_INET6) {
3027                 char *addrp;
3028                 struct inode_security_struct *isec;
3029                 struct task_security_struct *tsec;
3030                 struct avc_audit_data ad;
3031                 struct sockaddr_in *addr4 = NULL;
3032                 struct sockaddr_in6 *addr6 = NULL;
3033                 unsigned short snum;
3034                 struct sock *sk = sock->sk;
3035                 u32 sid, node_perm, addrlen;
3036
3037                 tsec = current->security;
3038                 isec = SOCK_INODE(sock)->i_security;
3039
3040                 if (family == PF_INET) {
3041                         addr4 = (struct sockaddr_in *)address;
3042                         snum = ntohs(addr4->sin_port);
3043                         addrlen = sizeof(addr4->sin_addr.s_addr);
3044                         addrp = (char *)&addr4->sin_addr.s_addr;
3045                 } else {
3046                         addr6 = (struct sockaddr_in6 *)address;
3047                         snum = ntohs(addr6->sin6_port);
3048                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3049                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3050                 }
3051
3052                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3053                            snum > ip_local_port_range_1)) {
3054                         err = security_port_sid(sk->sk_family, sk->sk_type,
3055                                                 sk->sk_protocol, snum, &sid);
3056                         if (err)
3057                                 goto out;
3058                         AVC_AUDIT_DATA_INIT(&ad,NET);
3059                         ad.u.net.sport = htons(snum);
3060                         ad.u.net.family = family;
3061                         err = avc_has_perm(isec->sid, sid,
3062                                            isec->sclass,
3063                                            SOCKET__NAME_BIND, &ad);
3064                         if (err)
3065                                 goto out;
3066                 }
3067                 
3068                 switch(sk->sk_protocol) {
3069                 case IPPROTO_TCP:
3070                         node_perm = TCP_SOCKET__NODE_BIND;
3071                         break;
3072                         
3073                 case IPPROTO_UDP:
3074                         node_perm = UDP_SOCKET__NODE_BIND;
3075                         break;
3076                         
3077                 default:
3078                         node_perm = RAWIP_SOCKET__NODE_BIND;
3079                         break;
3080                 }
3081                 
3082                 err = security_node_sid(family, addrp, addrlen, &sid);
3083                 if (err)
3084                         goto out;
3085                 
3086                 AVC_AUDIT_DATA_INIT(&ad,NET);
3087                 ad.u.net.sport = htons(snum);
3088                 ad.u.net.family = family;
3089
3090                 if (family == PF_INET)
3091                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3092                 else
3093                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3094
3095                 err = avc_has_perm(isec->sid, sid,
3096                                    isec->sclass, node_perm, &ad);
3097                 if (err)
3098                         goto out;
3099         }
3100 out:
3101         return err;
3102 }
3103
3104 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3105 {
3106         struct inode_security_struct *isec;
3107         int err;
3108
3109         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3110         if (err)
3111                 return err;
3112
3113         /*
3114          * If a TCP socket, check name_connect permission for the port.
3115          */
3116         isec = SOCK_INODE(sock)->i_security;
3117         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3118                 struct sock *sk = sock->sk;
3119                 struct avc_audit_data ad;
3120                 struct sockaddr_in *addr4 = NULL;
3121                 struct sockaddr_in6 *addr6 = NULL;
3122                 unsigned short snum;
3123                 u32 sid;
3124
3125                 if (sk->sk_family == PF_INET) {
3126                         addr4 = (struct sockaddr_in *)address;
3127                         if (addrlen != sizeof(struct sockaddr_in))
3128                                 return -EINVAL;
3129                         snum = ntohs(addr4->sin_port);
3130                 } else {
3131                         addr6 = (struct sockaddr_in6 *)address;
3132                         if (addrlen != sizeof(struct sockaddr_in6))
3133                                 return -EINVAL;
3134                         snum = ntohs(addr6->sin6_port);
3135                 }
3136
3137                 err = security_port_sid(sk->sk_family, sk->sk_type,
3138                                         sk->sk_protocol, snum, &sid);
3139                 if (err)
3140                         goto out;
3141
3142                 AVC_AUDIT_DATA_INIT(&ad,NET);
3143                 ad.u.net.dport = htons(snum);
3144                 ad.u.net.family = sk->sk_family;
3145                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3146                                    TCP_SOCKET__NAME_CONNECT, &ad);
3147                 if (err)
3148                         goto out;
3149         }
3150
3151 out:
3152         return err;
3153 }
3154
3155 static int selinux_socket_listen(struct socket *sock, int backlog)
3156 {
3157         return socket_has_perm(current, sock, SOCKET__LISTEN);
3158 }
3159
3160 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3161 {
3162         int err;
3163         struct inode_security_struct *isec;
3164         struct inode_security_struct *newisec;
3165
3166         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3167         if (err)
3168                 return err;
3169
3170         newisec = SOCK_INODE(newsock)->i_security;
3171
3172         isec = SOCK_INODE(sock)->i_security;
3173         newisec->sclass = isec->sclass;
3174         newisec->sid = isec->sid;
3175         newisec->initialized = 1;
3176
3177         return 0;
3178 }
3179
3180 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3181                                   int size)
3182 {
3183         return socket_has_perm(current, sock, SOCKET__WRITE);
3184 }
3185
3186 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3187                                   int size, int flags)
3188 {
3189         return socket_has_perm(current, sock, SOCKET__READ);
3190 }
3191
3192 static int selinux_socket_getsockname(struct socket *sock)
3193 {
3194         return socket_has_perm(current, sock, SOCKET__GETATTR);
3195 }
3196
3197 static int selinux_socket_getpeername(struct socket *sock)
3198 {
3199         return socket_has_perm(current, sock, SOCKET__GETATTR);
3200 }
3201
3202 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3203 {
3204         return socket_has_perm(current, sock, SOCKET__SETOPT);
3205 }
3206
3207 static int selinux_socket_getsockopt(struct socket *sock, int level,
3208                                      int optname)
3209 {
3210         return socket_has_perm(current, sock, SOCKET__GETOPT);
3211 }
3212
3213 static int selinux_socket_shutdown(struct socket *sock, int how)
3214 {
3215         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3216 }
3217
3218 static int selinux_socket_unix_stream_connect(struct socket *sock,
3219                                               struct socket *other,
3220                                               struct sock *newsk)
3221 {
3222         struct sk_security_struct *ssec;
3223         struct inode_security_struct *isec;
3224         struct inode_security_struct *other_isec;
3225         struct avc_audit_data ad;
3226         int err;
3227
3228         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3229         if (err)
3230                 return err;
3231
3232         isec = SOCK_INODE(sock)->i_security;
3233         other_isec = SOCK_INODE(other)->i_security;
3234
3235         AVC_AUDIT_DATA_INIT(&ad,NET);
3236         ad.u.net.sk = other->sk;
3237
3238         err = avc_has_perm(isec->sid, other_isec->sid,
3239                            isec->sclass,
3240                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3241         if (err)
3242                 return err;
3243
3244         /* connecting socket */
3245         ssec = sock->sk->sk_security;
3246         ssec->peer_sid = other_isec->sid;
3247         
3248         /* server child socket */
3249         ssec = newsk->sk_security;
3250         ssec->peer_sid = isec->sid;
3251         
3252         return 0;
3253 }
3254
3255 static int selinux_socket_unix_may_send(struct socket *sock,
3256                                         struct socket *other)
3257 {
3258         struct inode_security_struct *isec;
3259         struct inode_security_struct *other_isec;
3260         struct avc_audit_data ad;
3261         int err;
3262
3263         isec = SOCK_INODE(sock)->i_security;
3264         other_isec = SOCK_INODE(other)->i_security;
3265
3266         AVC_AUDIT_DATA_INIT(&ad,NET);
3267         ad.u.net.sk = other->sk;
3268
3269         err = avc_has_perm(isec->sid, other_isec->sid,
3270                            isec->sclass, SOCKET__SENDTO, &ad);
3271         if (err)
3272                 return err;
3273
3274         return 0;
3275 }
3276
3277 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3278 {
3279         u16 family;
3280         char *addrp;
3281         int len, err = 0;
3282         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3283         u32 sock_sid = 0;
3284         u16 sock_class = 0;
3285         struct socket *sock;
3286         struct net_device *dev;
3287         struct avc_audit_data ad;
3288
3289         family = sk->sk_family;
3290         if (family != PF_INET && family != PF_INET6)
3291                 goto out;
3292
3293         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3294         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3295                 family = PF_INET;
3296
3297         read_lock_bh(&sk->sk_callback_lock);
3298         sock = sk->sk_socket;
3299         if (sock) {
3300                 struct inode *inode;
3301                 inode = SOCK_INODE(sock);
3302                 if (inode) {
3303                         struct inode_security_struct *isec;
3304                         isec = inode->i_security;
3305                         sock_sid = isec->sid;
3306                         sock_class = isec->sclass;
3307                 }
3308         }
3309         read_unlock_bh(&sk->sk_callback_lock);
3310         if (!sock_sid)
3311                 goto out;
3312
3313         dev = skb->dev;
3314         if (!dev)
3315                 goto out;
3316
3317         err = sel_netif_sids(dev, &if_sid, NULL);
3318         if (err)
3319                 goto out;
3320
3321         switch (sock_class) {
3322         case SECCLASS_UDP_SOCKET:
3323                 netif_perm = NETIF__UDP_RECV;
3324                 node_perm = NODE__UDP_RECV;
3325                 recv_perm = UDP_SOCKET__RECV_MSG;
3326                 break;
3327         
3328         case SECCLASS_TCP_SOCKET:
3329                 netif_perm = NETIF__TCP_RECV;
3330                 node_perm = NODE__TCP_RECV;
3331                 recv_perm = TCP_SOCKET__RECV_MSG;
3332                 break;
3333         
3334         default:
3335                 netif_perm = NETIF__RAWIP_RECV;
3336                 node_perm = NODE__RAWIP_RECV;
3337                 break;
3338         }
3339
3340         AVC_AUDIT_DATA_INIT(&ad, NET);
3341         ad.u.net.netif = dev->name;
3342         ad.u.net.family = family;
3343
3344         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3345         if (err)
3346                 goto out;
3347
3348         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3349         if (err)
3350                 goto out;
3351         
3352         /* Fixme: this lookup is inefficient */
3353         err = security_node_sid(family, addrp, len, &node_sid);
3354         if (err)
3355                 goto out;
3356         
3357         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3358         if (err)
3359                 goto out;
3360
3361         if (recv_perm) {
3362                 u32 port_sid;
3363
3364                 /* Fixme: make this more efficient */
3365                 err = security_port_sid(sk->sk_family, sk->sk_type,
3366                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3367                                         &port_sid);
3368                 if (err)
3369                         goto out;
3370
3371                 err = avc_has_perm(sock_sid, port_sid,
3372                                    sock_class, recv_perm, &ad);
3373         }
3374 out:    
3375         return err;
3376 }
3377
3378 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3379                                      int __user *optlen, unsigned len)
3380 {
3381         int err = 0;
3382         char *scontext;
3383         u32 scontext_len;
3384         struct sk_security_struct *ssec;
3385         struct inode_security_struct *isec;
3386
3387         isec = SOCK_INODE(sock)->i_security;
3388         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3389                 err = -ENOPROTOOPT;
3390                 goto out;
3391         }
3392
3393         ssec = sock->sk->sk_security;
3394         
3395         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3396         if (err)
3397                 goto out;
3398
3399         if (scontext_len > len) {
3400                 err = -ERANGE;
3401                 goto out_len;
3402         }
3403
3404         if (copy_to_user(optval, scontext, scontext_len))
3405                 err = -EFAULT;
3406
3407 out_len:
3408         if (put_user(scontext_len, optlen))
3409                 err = -EFAULT;
3410
3411         kfree(scontext);
3412 out:    
3413         return err;
3414 }
3415
3416 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3417 {
3418         return sk_alloc_security(sk, family, priority);
3419 }
3420
3421 static void selinux_sk_free_security(struct sock *sk)
3422 {
3423         sk_free_security(sk);
3424 }
3425
3426 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3427 {
3428         int err = 0;
3429         u32 perm;
3430         struct nlmsghdr *nlh;
3431         struct socket *sock = sk->sk_socket;
3432         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3433         
3434         if (skb->len < NLMSG_SPACE(0)) {
3435                 err = -EINVAL;
3436                 goto out;
3437         }
3438         nlh = (struct nlmsghdr *)skb->data;
3439         
3440         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3441         if (err) {
3442                 if (err == -EINVAL) {
3443                         audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3444                                   "SELinux:  unrecognized netlink message"
3445                                   " type=%hu for sclass=%hu\n",
3446                                   nlh->nlmsg_type, isec->sclass);
3447                         if (!selinux_enforcing)
3448                                 err = 0;
3449                 }
3450
3451                 /* Ignore */
3452                 if (err == -ENOENT)
3453                         err = 0;
3454                 goto out;
3455         }
3456
3457         err = socket_has_perm(current, sock, perm);
3458 out:
3459         return err;
3460 }
3461
3462 #ifdef CONFIG_NETFILTER
3463
3464 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3465                                               struct sk_buff **pskb,
3466                                               const struct net_device *in,
3467                                               const struct net_device *out,
3468                                               int (*okfn)(struct sk_buff *),
3469                                               u16 family)
3470 {
3471         char *addrp;
3472         int len, err = NF_ACCEPT;
3473         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3474         struct sock *sk;
3475         struct socket *sock;
3476         struct inode *inode;
3477         struct sk_buff *skb = *pskb;
3478         struct inode_security_struct *isec;
3479         struct avc_audit_data ad;
3480         struct net_device *dev = (struct net_device *)out;
3481         
3482         sk = skb->sk;
3483         if (!sk)
3484                 goto out;
3485                 
3486         sock = sk->sk_socket;
3487         if (!sock)
3488                 goto out;
3489                 
3490         inode = SOCK_INODE(sock);
3491         if (!inode)
3492                 goto out;
3493
3494         err = sel_netif_sids(dev, &if_sid, NULL);
3495         if (err)
3496                 goto out;
3497
3498         isec = inode->i_security;
3499         
3500         switch (isec->sclass) {
3501         case SECCLASS_UDP_SOCKET:
3502                 netif_perm = NETIF__UDP_SEND;
3503                 node_perm = NODE__UDP_SEND;
3504                 send_perm = UDP_SOCKET__SEND_MSG;
3505                 break;
3506         
3507         case SECCLASS_TCP_SOCKET:
3508                 netif_perm = NETIF__TCP_SEND;
3509                 node_perm = NODE__TCP_SEND;
3510                 send_perm = TCP_SOCKET__SEND_MSG;
3511                 break;
3512         
3513         default:
3514                 netif_perm = NETIF__RAWIP_SEND;
3515                 node_perm = NODE__RAWIP_SEND;
3516                 break;
3517         }
3518
3519
3520         AVC_AUDIT_DATA_INIT(&ad, NET);
3521         ad.u.net.netif = dev->name;
3522         ad.u.net.family = family;
3523
3524         err = selinux_parse_skb(skb, &ad, &addrp,
3525                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3526         if (err != NF_ACCEPT)
3527                 goto out;
3528
3529         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3530                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3531         if (err != NF_ACCEPT)
3532                 goto out;
3533                 
3534         /* Fixme: this lookup is inefficient */
3535         err = security_node_sid(family, addrp, len,
3536                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3537         if (err != NF_ACCEPT)
3538                 goto out;
3539         
3540         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3541                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3542         if (err != NF_ACCEPT)
3543                 goto out;
3544
3545         if (send_perm) {
3546                 u32 port_sid;
3547                 
3548                 /* Fixme: make this more efficient */
3549                 err = security_port_sid(sk->sk_family,
3550                                         sk->sk_type,
3551                                         sk->sk_protocol,
3552                                         ntohs(ad.u.net.dport),
3553                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3554                 if (err != NF_ACCEPT)
3555                         goto out;
3556
3557                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3558                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3559         }
3560
3561 out:
3562         return err;
3563 }
3564
3565 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3566                                                 struct sk_buff **pskb,
3567                                                 const struct net_device *in,
3568                                                 const struct net_device *out,
3569                                                 int (*okfn)(struct sk_buff *))
3570 {
3571         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3572 }
3573
3574 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3575
3576 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3577                                                 struct sk_buff **pskb,
3578                                                 const struct net_device *in,
3579                                                 const struct net_device *out,
3580                                                 int (*okfn)(struct sk_buff *))
3581 {
3582         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3583 }
3584
3585 #endif  /* IPV6 */
3586
3587 #endif  /* CONFIG_NETFILTER */
3588
3589 #else
3590
3591 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3592 {
3593         return 0;
3594 }
3595
3596 #endif  /* CONFIG_SECURITY_NETWORK */
3597
3598 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3599 {
3600         struct task_security_struct *tsec;
3601         struct av_decision avd;
3602         int err;
3603
3604         err = secondary_ops->netlink_send(sk, skb);
3605         if (err)
3606                 return err;
3607
3608         tsec = current->security;
3609
3610         avd.allowed = 0;
3611         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3612                                 SECCLASS_CAPABILITY, ~0, &avd);
3613         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3614
3615         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3616                 err = selinux_nlmsg_perm(sk, skb);
3617
3618         return err;
3619 }
3620
3621 static int selinux_netlink_recv(struct sk_buff *skb)
3622 {
3623         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3624                 return -EPERM;
3625         return 0;
3626 }
3627
3628 static int ipc_alloc_security(struct task_struct *task,
3629                               struct kern_ipc_perm *perm,
3630                               u16 sclass)
3631 {
3632         struct task_security_struct *tsec = task->security;
3633         struct ipc_security_struct *isec;
3634
3635         isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3636         if (!isec)
3637                 return -ENOMEM;
3638
3639         memset(isec, 0, sizeof(struct ipc_security_struct));
3640         isec->magic = SELINUX_MAGIC;
3641         isec->sclass = sclass;
3642         isec->ipc_perm = perm;
3643         if (tsec) {
3644                 isec->sid = tsec->sid;
3645         } else {
3646                 isec->sid = SECINITSID_UNLABELED;
3647         }
3648         perm->security = isec;
3649
3650         return 0;
3651 }
3652
3653 static void ipc_free_security(struct kern_ipc_perm *perm)
3654 {
3655         struct ipc_security_struct *isec = perm->security;
3656         if (!isec || isec->magic != SELINUX_MAGIC)
3657                 return;
3658
3659         perm->security = NULL;
3660         kfree(isec);
3661 }
3662
3663 static int msg_msg_alloc_security(struct msg_msg *msg)
3664 {
3665         struct msg_security_struct *msec;
3666
3667         msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3668         if (!msec)
3669                 return -ENOMEM;
3670
3671         memset(msec, 0, sizeof(struct msg_security_struct));
3672         msec->magic = SELINUX_MAGIC;
3673         msec->msg = msg;
3674         msec->sid = SECINITSID_UNLABELED;
3675         msg->security = msec;
3676
3677         return 0;
3678 }
3679
3680 static void msg_msg_free_security(struct msg_msg *msg)
3681 {
3682         struct msg_security_struct *msec = msg->security;
3683         if (!msec || msec->magic != SELINUX_MAGIC)
3684                 return;
3685
3686         msg->security = NULL;
3687         kfree(msec);
3688 }
3689
3690 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3691                         u32 perms)
3692 {
3693         struct task_security_struct *tsec;
3694         struct ipc_security_struct *isec;
3695         struct avc_audit_data ad;
3696
3697         tsec = current->security;
3698         isec = ipc_perms->security;
3699
3700         AVC_AUDIT_DATA_INIT(&ad, IPC);
3701         ad.u.ipc_id = ipc_perms->key;
3702
3703         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3704 }
3705
3706 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3707 {
3708         return msg_msg_alloc_security(msg);
3709 }
3710
3711 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3712 {
3713         msg_msg_free_security(msg);
3714 }
3715
3716 /* message queue security operations */
3717 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3718 {
3719         struct task_security_struct *tsec;
3720         struct ipc_security_struct *isec;
3721         struct avc_audit_data ad;
3722         int rc;
3723
3724         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3725         if (rc)
3726                 return rc;
3727
3728         tsec = current->security;
3729         isec = msq->q_perm.security;
3730
3731         AVC_AUDIT_DATA_INIT(&ad, IPC);
3732         ad.u.ipc_id = msq->q_perm.key;
3733
3734         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3735                           MSGQ__CREATE, &ad);
3736         if (rc) {
3737                 ipc_free_security(&msq->q_perm);
3738                 return rc;
3739         }
3740         return 0;
3741 }
3742
3743 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3744 {
3745         ipc_free_security(&msq->q_perm);
3746 }
3747
3748 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3749 {
3750         struct task_security_struct *tsec;
3751         struct ipc_security_struct *isec;
3752         struct avc_audit_data ad;
3753
3754         tsec = current->security;
3755         isec = msq->q_perm.security;
3756
3757         AVC_AUDIT_DATA_INIT(&ad, IPC);
3758         ad.u.ipc_id = msq->q_perm.key;
3759
3760         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3761                             MSGQ__ASSOCIATE, &ad);
3762 }
3763
3764 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3765 {
3766         int err;
3767         int perms;
3768
3769         switch(cmd) {
3770         case IPC_INFO:
3771         case MSG_INFO:
3772                 /* No specific object, just general system-wide information. */
3773                 return task_has_system(current, SYSTEM__IPC_INFO);
3774         case IPC_STAT:
3775         case MSG_STAT:
3776                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3777                 break;
3778         case IPC_SET:
3779                 perms = MSGQ__SETATTR;
3780                 break;
3781         case IPC_RMID:
3782                 perms = MSGQ__DESTROY;
3783                 break;
3784         default:
3785                 return 0;
3786         }
3787
3788         err = ipc_has_perm(&msq->q_perm, perms);
3789         return err;
3790 }
3791
3792 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3793 {
3794         struct task_security_struct *tsec;
3795         struct ipc_security_struct *isec;
3796         struct msg_security_struct *msec;
3797         struct avc_audit_data ad;
3798         int rc;
3799
3800         tsec = current->security;
3801         isec = msq->q_perm.security;
3802         msec = msg->security;
3803
3804         /*
3805          * First time through, need to assign label to the message
3806          */
3807         if (msec->sid == SECINITSID_UNLABELED) {
3808                 /*
3809                  * Compute new sid based on current process and
3810                  * message queue this message will be stored in
3811                  */
3812                 rc = security_transition_sid(tsec->sid,
3813                                              isec->sid,
3814                                              SECCLASS_MSG,
3815                                              &msec->sid);
3816                 if (rc)
3817                         return rc;
3818         }
3819
3820         AVC_AUDIT_DATA_INIT(&ad, IPC);
3821         ad.u.ipc_id = msq->q_perm.key;
3822
3823         /* Can this process write to the queue? */
3824         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3825                           MSGQ__WRITE, &ad);
3826         if (!rc)
3827                 /* Can this process send the message */
3828                 rc = avc_has_perm(tsec->sid, msec->sid,
3829                                   SECCLASS_MSG, MSG__SEND, &ad);
3830         if (!rc)
3831                 /* Can the message be put in the queue? */
3832                 rc = avc_has_perm(msec->sid, isec->sid,
3833                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3834
3835         return rc;
3836 }
3837
3838 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3839                                     struct task_struct *target,
3840                                     long type, int mode)
3841 {
3842         struct task_security_struct *tsec;
3843         struct ipc_security_struct *isec;
3844         struct msg_security_struct *msec;
3845         struct avc_audit_data ad;
3846         int rc;
3847
3848         tsec = target->security;
3849         isec = msq->q_perm.security;
3850         msec = msg->security;
3851
3852         AVC_AUDIT_DATA_INIT(&ad, IPC);
3853         ad.u.ipc_id = msq->q_perm.key;
3854
3855         rc = avc_has_perm(tsec->sid, isec->sid,
3856                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3857         if (!rc)
3858                 rc = avc_has_perm(tsec->sid, msec->sid,
3859                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3860         return rc;
3861 }
3862
3863 /* Shared Memory security operations */
3864 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3865 {
3866         struct task_security_struct *tsec;
3867         struct ipc_security_struct *isec;
3868         struct avc_audit_data ad;
3869         int rc;
3870
3871         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3872         if (rc)
3873                 return rc;
3874
3875         tsec = current->security;
3876         isec = shp->shm_perm.security;
3877
3878         AVC_AUDIT_DATA_INIT(&ad, IPC);
3879         ad.u.ipc_id = shp->shm_perm.key;
3880
3881         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3882                           SHM__CREATE, &ad);
3883         if (rc) {
3884                 ipc_free_security(&shp->shm_perm);
3885                 return rc;
3886         }
3887         return 0;
3888 }
3889
3890 static void selinux_shm_free_security(struct shmid_kernel *shp)
3891 {
3892         ipc_free_security(&shp->shm_perm);
3893 }
3894
3895 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3896 {
3897         struct task_security_struct *tsec;
3898         struct ipc_security_struct *isec;
3899         struct avc_audit_data ad;
3900
3901         tsec = current->security;
3902         isec = shp->shm_perm.security;
3903
3904         AVC_AUDIT_DATA_INIT(&ad, IPC);
3905         ad.u.ipc_id = shp->shm_perm.key;
3906
3907         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3908                             SHM__ASSOCIATE, &ad);
3909 }
3910
3911 /* Note, at this point, shp is locked down */
3912 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3913 {
3914         int perms;
3915         int err;
3916
3917         switch(cmd) {
3918         case IPC_INFO:
3919         case SHM_INFO:
3920                 /* No specific object, just general system-wide information. */
3921                 return task_has_system(current, SYSTEM__IPC_INFO);
3922         case IPC_STAT:
3923         case SHM_STAT:
3924                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3925                 break;
3926         case IPC_SET:
3927                 perms = SHM__SETATTR;
3928                 break;
3929         case SHM_LOCK:
3930         case SHM_UNLOCK:
3931                 perms = SHM__LOCK;
3932                 break;
3933         case IPC_RMID:
3934                 perms = SHM__DESTROY;
3935                 break;
3936         default:
3937                 return 0;
3938         }
3939
3940         err = ipc_has_perm(&shp->shm_perm, perms);
3941         return err;
3942 }
3943
3944 static int selinux_shm_shmat(struct shmid_kernel *shp,
3945                              char __user *shmaddr, int shmflg)
3946 {
3947         u32 perms;
3948         int rc;
3949
3950         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3951         if (rc)
3952                 return rc;
3953
3954         if (shmflg & SHM_RDONLY)
3955                 perms = SHM__READ;
3956         else
3957                 perms = SHM__READ | SHM__WRITE;
3958
3959         return ipc_has_perm(&shp->shm_perm, perms);
3960 }
3961
3962 /* Semaphore security operations */
3963 static int selinux_sem_alloc_security(struct sem_array *sma)
3964 {
3965         struct task_security_struct *tsec;
3966         struct ipc_security_struct *isec;
3967         struct avc_audit_data ad;
3968         int rc;
3969
3970         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3971         if (rc)
3972                 return rc;
3973
3974         tsec = current->security;
3975         isec = sma->sem_perm.security;
3976
3977         AVC_AUDIT_DATA_INIT(&ad, IPC);
3978         ad.u.ipc_id = sma->sem_perm.key;
3979
3980         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3981                           SEM__CREATE, &ad);
3982         if (rc) {
3983                 ipc_free_security(&sma->sem_perm);
3984                 return rc;
3985         }
3986         return 0;
3987 }
3988
3989 static void selinux_sem_free_security(struct sem_array *sma)
3990 {
3991         ipc_free_security(&sma->sem_perm);
3992 }
3993
3994 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3995 {
3996         struct task_security_struct *tsec;
3997         struct ipc_security_struct *isec;
3998         struct avc_audit_data ad;
3999
4000         tsec = current->security;
4001         isec = sma->sem_perm.security;
4002
4003         AVC_AUDIT_DATA_INIT(&ad, IPC);
4004         ad.u.ipc_id = sma->sem_perm.key;
4005
4006         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4007                             SEM__ASSOCIATE, &ad);
4008 }
4009
4010 /* Note, at this point, sma is locked down */
4011 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4012 {
4013         int err;
4014         u32 perms;
4015
4016         switch(cmd) {
4017         case IPC_INFO:
4018         case SEM_INFO:
4019                 /* No specific object, just general system-wide information. */
4020                 return task_has_system(current, SYSTEM__IPC_INFO);
4021         case GETPID:
4022         case GETNCNT:
4023         case GETZCNT:
4024                 perms = SEM__GETATTR;
4025                 break;
4026         case GETVAL:
4027         case GETALL:
4028                 perms = SEM__READ;
4029                 break;
4030         case SETVAL:
4031         case SETALL:
4032                 perms = SEM__WRITE;
4033                 break;
4034         case IPC_RMID:
4035                 perms = SEM__DESTROY;
4036                 break;
4037         case IPC_SET:
4038                 perms = SEM__SETATTR;
4039                 break;
4040         case IPC_STAT:
4041         case SEM_STAT:
4042                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4043                 break;
4044         default:
4045                 return 0;
4046         }
4047
4048         err = ipc_has_perm(&sma->sem_perm, perms);
4049         return err;
4050 }
4051
4052 static int selinux_sem_semop(struct sem_array *sma,
4053                              struct sembuf *sops, unsigned nsops, int alter)
4054 {
4055         u32 perms;
4056
4057         if (alter)
4058                 perms = SEM__READ | SEM__WRITE;
4059         else
4060                 perms = SEM__READ;
4061
4062         return ipc_has_perm(&sma->sem_perm, perms);
4063 }
4064
4065 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4066 {
4067         u32 av = 0;
4068
4069         av = 0;
4070         if (flag & S_IRUGO)
4071                 av |= IPC__UNIX_READ;
4072         if (flag & S_IWUGO)
4073                 av |= IPC__UNIX_WRITE;
4074
4075         if (av == 0)
4076                 return 0;
4077
4078         return ipc_has_perm(ipcp, av);
4079 }
4080
4081 /* module stacking operations */
4082 static int selinux_register_security (const char *name, struct security_operations *ops)
4083 {
4084         if (secondary_ops != original_ops) {
4085                 printk(KERN_INFO "%s:  There is already a secondary security "
4086                        "module registered.\n", __FUNCTION__);
4087                 return -EINVAL;
4088         }
4089
4090         secondary_ops = ops;
4091
4092         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4093                __FUNCTION__,
4094                name);
4095
4096         return 0;
4097 }
4098
4099 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4100 {
4101         if (ops != secondary_ops) {
4102                 printk (KERN_INFO "%s:  trying to unregister a security module "
4103                         "that is not registered.\n", __FUNCTION__);
4104                 return -EINVAL;
4105         }
4106
4107         secondary_ops = original_ops;
4108
4109         return 0;
4110 }
4111
4112 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4113 {
4114         if (inode)
4115                 inode_doinit_with_dentry(inode, dentry);
4116 }
4117
4118 static int selinux_getprocattr(struct task_struct *p,
4119                                char *name, void *value, size_t size)
4120 {
4121         struct task_security_struct *tsec;
4122         u32 sid, len;
4123         char *context;
4124         int error;
4125
4126         if (current != p) {
4127                 error = task_has_perm(current, p, PROCESS__GETATTR);
4128                 if (error)
4129                         return error;
4130         }
4131
4132         if (!size)
4133                 return -ERANGE;
4134
4135         tsec = p->security;
4136
4137         if (!strcmp(name, "current"))
4138                 sid = tsec->sid;
4139         else if (!strcmp(name, "prev"))
4140                 sid = tsec->osid;
4141         else if (!strcmp(name, "exec"))
4142                 sid = tsec->exec_sid;
4143         else if (!strcmp(name, "fscreate"))
4144                 sid = tsec->create_sid;
4145         else
4146                 return -EINVAL;
4147
4148         if (!sid)
4149                 return 0;
4150
4151         error = security_sid_to_context(sid, &context, &len);
4152         if (error)
4153                 return error;
4154         if (len > size) {
4155                 kfree(context);
4156                 return -ERANGE;
4157         }
4158         memcpy(value, context, len);
4159         kfree(context);
4160         return len;
4161 }
4162
4163 static int selinux_setprocattr(struct task_struct *p,
4164                                char *name, void *value, size_t size)
4165 {
4166         struct task_security_struct *tsec;
4167         u32 sid = 0;
4168         int error;
4169         char *str = value;
4170
4171         if (current != p) {
4172                 /* SELinux only allows a process to change its own
4173                    security attributes. */
4174                 return -EACCES;
4175         }
4176
4177         /*
4178          * Basic control over ability to set these attributes at all.
4179          * current == p, but we'll pass them separately in case the
4180          * above restriction is ever removed.
4181          */
4182         if (!strcmp(name, "exec"))
4183                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4184         else if (!strcmp(name, "fscreate"))
4185                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4186         else if (!strcmp(name, "current"))
4187                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4188         else
4189                 error = -EINVAL;
4190         if (error)
4191                 return error;
4192
4193         /* Obtain a SID for the context, if one was specified. */
4194         if (size && str[1] && str[1] != '\n') {
4195                 if (str[size-1] == '\n') {
4196                         str[size-1] = 0;
4197                         size--;
4198                 }
4199                 error = security_context_to_sid(value, size, &sid);
4200                 if (error)
4201                         return error;
4202         }
4203
4204         /* Permission checking based on the specified context is
4205            performed during the actual operation (execve,
4206            open/mkdir/...), when we know the full context of the
4207            operation.  See selinux_bprm_set_security for the execve
4208            checks and may_create for the file creation checks. The
4209            operation will then fail if the context is not permitted. */
4210         tsec = p->security;
4211         if (!strcmp(name, "exec"))
4212                 tsec->exec_sid = sid;
4213         else if (!strcmp(name, "fscreate"))
4214                 tsec->create_sid = sid;
4215         else if (!strcmp(name, "current")) {
4216                 struct av_decision avd;
4217
4218                 if (sid == 0)
4219                         return -EINVAL;
4220
4221                 /* Only allow single threaded processes to change context */
4222                 if (atomic_read(&p->mm->mm_users) != 1) {
4223                         struct task_struct *g, *t;
4224                         struct mm_struct *mm = p->mm;
4225                         read_lock(&tasklist_lock);
4226                         do_each_thread(g, t)
4227                                 if (t->mm == mm && t != p) {
4228                                         read_unlock(&tasklist_lock);
4229                                         return -EPERM;
4230                                 }
4231                         while_each_thread(g, t);
4232                         read_unlock(&tasklist_lock);
4233                 }
4234
4235                 /* Check permissions for the transition. */
4236                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4237                                      PROCESS__DYNTRANSITION, NULL);
4238                 if (error)
4239                         return error;
4240
4241                 /* Check for ptracing, and update the task SID if ok.
4242                    Otherwise, leave SID unchanged and fail. */
4243                 task_lock(p);
4244                 if (p->ptrace & PT_PTRACED) {
4245                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4246                                                      SECCLASS_PROCESS,
4247                                                      PROCESS__PTRACE, &avd);
4248                         if (!error)
4249                                 tsec->sid = sid;
4250                         task_unlock(p);
4251                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4252                                   PROCESS__PTRACE, &avd, error, NULL);
4253                         if (error)
4254                                 return error;
4255                 } else {
4256                         tsec->sid = sid;
4257                         task_unlock(p);
4258                 }
4259         }
4260         else
4261                 return -EINVAL;
4262
4263         return size;
4264 }
4265
4266 static struct security_operations selinux_ops = {
4267         .ptrace =                       selinux_ptrace,
4268         .capget =                       selinux_capget,
4269         .capset_check =                 selinux_capset_check,
4270         .capset_set =                   selinux_capset_set,
4271         .sysctl =                       selinux_sysctl,
4272         .capable =                      selinux_capable,
4273         .quotactl =                     selinux_quotactl,
4274         .quota_on =                     selinux_quota_on,
4275         .syslog =                       selinux_syslog,
4276         .vm_enough_memory =             selinux_vm_enough_memory,
4277
4278         .netlink_send =                 selinux_netlink_send,
4279         .netlink_recv =                 selinux_netlink_recv,
4280
4281         .bprm_alloc_security =          selinux_bprm_alloc_security,
4282         .bprm_free_security =           selinux_bprm_free_security,
4283         .bprm_apply_creds =             selinux_bprm_apply_creds,
4284         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4285         .bprm_set_security =            selinux_bprm_set_security,
4286         .bprm_check_security =          selinux_bprm_check_security,
4287         .bprm_secureexec =              selinux_bprm_secureexec,
4288
4289         .sb_alloc_security =            selinux_sb_alloc_security,
4290         .sb_free_security =             selinux_sb_free_security,
4291         .sb_copy_data =                 selinux_sb_copy_data,
4292         .sb_kern_mount =                selinux_sb_kern_mount,
4293         .sb_statfs =                    selinux_sb_statfs,
4294         .sb_mount =                     selinux_mount,
4295         .sb_umount =                    selinux_umount,
4296
4297         .inode_alloc_security =         selinux_inode_alloc_security,
4298         .inode_free_security =          selinux_inode_free_security,
4299         .inode_create =                 selinux_inode_create,
4300         .inode_post_create =            selinux_inode_post_create,
4301         .inode_link =                   selinux_inode_link,
4302         .inode_post_link =              selinux_inode_post_link,
4303         .inode_unlink =                 selinux_inode_unlink,
4304         .inode_symlink =                selinux_inode_symlink,
4305         .inode_post_symlink =           selinux_inode_post_symlink,
4306         .inode_mkdir =                  selinux_inode_mkdir,
4307         .inode_post_mkdir =             selinux_inode_post_mkdir,
4308         .inode_rmdir =                  selinux_inode_rmdir,
4309         .inode_mknod =                  selinux_inode_mknod,
4310         .inode_post_mknod =             selinux_inode_post_mknod,
4311         .inode_rename =                 selinux_inode_rename,
4312         .inode_post_rename =            selinux_inode_post_rename,
4313         .inode_readlink =               selinux_inode_readlink,
4314         .inode_follow_link =            selinux_inode_follow_link,
4315         .inode_permission =             selinux_inode_permission,
4316         .inode_setattr =                selinux_inode_setattr,
4317         .inode_getattr =                selinux_inode_getattr,
4318         .inode_setxattr =               selinux_inode_setxattr,
4319         .inode_post_setxattr =          selinux_inode_post_setxattr,
4320         .inode_getxattr =               selinux_inode_getxattr,
4321         .inode_listxattr =              selinux_inode_listxattr,
4322         .inode_removexattr =            selinux_inode_removexattr,
4323         .inode_getsecurity =            selinux_inode_getsecurity,
4324         .inode_setsecurity =            selinux_inode_setsecurity,
4325         .inode_listsecurity =           selinux_inode_listsecurity,
4326
4327         .file_permission =              selinux_file_permission,
4328         .file_alloc_security =          selinux_file_alloc_security,
4329         .file_free_security =           selinux_file_free_security,
4330         .file_ioctl =                   selinux_file_ioctl,
4331         .file_mmap =                    selinux_file_mmap,
4332         .file_mprotect =                selinux_file_mprotect,
4333         .file_lock =                    selinux_file_lock,
4334         .file_fcntl =                   selinux_file_fcntl,
4335         .file_set_fowner =              selinux_file_set_fowner,
4336         .file_send_sigiotask =          selinux_file_send_sigiotask,
4337         .file_receive =                 selinux_file_receive,
4338
4339         .task_create =                  selinux_task_create,
4340         .task_alloc_security =          selinux_task_alloc_security,
4341         .task_free_security =           selinux_task_free_security,
4342         .task_setuid =                  selinux_task_setuid,
4343         .task_post_setuid =             selinux_task_post_setuid,
4344         .task_setgid =                  selinux_task_setgid,
4345         .task_setpgid =                 selinux_task_setpgid,
4346         .task_getpgid =                 selinux_task_getpgid,
4347         .task_getsid =                  selinux_task_getsid,
4348         .task_setgroups =               selinux_task_setgroups,
4349         .task_setnice =                 selinux_task_setnice,
4350         .task_setrlimit =               selinux_task_setrlimit,
4351         .task_setscheduler =            selinux_task_setscheduler,
4352         .task_getscheduler =            selinux_task_getscheduler,
4353         .task_kill =                    selinux_task_kill,
4354         .task_wait =                    selinux_task_wait,
4355         .task_prctl =                   selinux_task_prctl,
4356         .task_reparent_to_init =        selinux_task_reparent_to_init,
4357         .task_to_inode =                selinux_task_to_inode,
4358
4359         .ipc_permission =               selinux_ipc_permission,
4360
4361         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4362         .msg_msg_free_security =        selinux_msg_msg_free_security,
4363
4364         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4365         .msg_queue_free_security =      selinux_msg_queue_free_security,
4366         .msg_queue_associate =          selinux_msg_queue_associate,
4367         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4368         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4369         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4370
4371         .shm_alloc_security =           selinux_shm_alloc_security,
4372         .shm_free_security =            selinux_shm_free_security,
4373         .shm_associate =                selinux_shm_associate,
4374         .shm_shmctl =                   selinux_shm_shmctl,
4375         .shm_shmat =                    selinux_shm_shmat,
4376
4377         .sem_alloc_security =           selinux_sem_alloc_security,
4378         .sem_free_security =            selinux_sem_free_security,
4379         .sem_associate =                selinux_sem_associate,
4380         .sem_semctl =                   selinux_sem_semctl,
4381         .sem_semop =                    selinux_sem_semop,
4382
4383         .register_security =            selinux_register_security,
4384         .unregister_security =          selinux_unregister_security,
4385
4386         .d_instantiate =                selinux_d_instantiate,
4387
4388         .getprocattr =                  selinux_getprocattr,
4389         .setprocattr =                  selinux_setprocattr,
4390
4391 #ifdef CONFIG_SECURITY_NETWORK
4392         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4393         .unix_may_send =                selinux_socket_unix_may_send,
4394
4395         .socket_create =                selinux_socket_create,
4396         .socket_post_create =           selinux_socket_post_create,
4397         .socket_bind =                  selinux_socket_bind,
4398         .socket_connect =               selinux_socket_connect,
4399         .socket_listen =                selinux_socket_listen,
4400         .socket_accept =                selinux_socket_accept,
4401         .socket_sendmsg =               selinux_socket_sendmsg,
4402         .socket_recvmsg =               selinux_socket_recvmsg,
4403         .socket_getsockname =           selinux_socket_getsockname,
4404         .socket_getpeername =           selinux_socket_getpeername,
4405         .socket_getsockopt =            selinux_socket_getsockopt,
4406         .socket_setsockopt =            selinux_socket_setsockopt,
4407         .socket_shutdown =              selinux_socket_shutdown,
4408         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4409         .socket_getpeersec =            selinux_socket_getpeersec,
4410         .sk_alloc_security =            selinux_sk_alloc_security,
4411         .sk_free_security =             selinux_sk_free_security,
4412 #endif
4413 };
4414
4415 static __init int selinux_init(void)
4416 {
4417         struct task_security_struct *tsec;
4418
4419         if (!selinux_enabled) {
4420                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4421                 return 0;
4422         }
4423
4424         printk(KERN_INFO "SELinux:  Initializing.\n");
4425
4426         /* Set the security state for the initial task. */
4427         if (task_alloc_security(current))
4428                 panic("SELinux:  Failed to initialize initial task.\n");
4429         tsec = current->security;
4430         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4431
4432         avc_init();
4433
4434         original_ops = secondary_ops = security_ops;
4435         if (!secondary_ops)
4436                 panic ("SELinux: No initial security operations\n");
4437         if (register_security (&selinux_ops))
4438                 panic("SELinux: Unable to register with kernel.\n");
4439
4440         if (selinux_enforcing) {
4441                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4442         } else {
4443                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4444         }
4445         return 0;
4446 }
4447
4448 void selinux_complete_init(void)
4449 {
4450         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4451
4452         /* Set up any superblocks initialized prior to the policy load. */
4453         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4454         spin_lock(&sb_security_lock);
4455 next_sb:
4456         if (!list_empty(&superblock_security_head)) {
4457                 struct superblock_security_struct *sbsec =
4458                                 list_entry(superblock_security_head.next,
4459                                            struct superblock_security_struct,
4460                                            list);
4461                 struct super_block *sb = sbsec->sb;
4462                 spin_lock(&sb_lock);
4463                 sb->s_count++;
4464                 spin_unlock(&sb_lock);
4465                 spin_unlock(&sb_security_lock);
4466                 down_read(&sb->s_umount);
4467                 if (sb->s_root)
4468                         superblock_doinit(sb, NULL);
4469                 drop_super(sb);
4470                 spin_lock(&sb_security_lock);
4471                 list_del_init(&sbsec->list);
4472                 goto next_sb;
4473         }
4474         spin_unlock(&sb_security_lock);
4475 }
4476
4477 /* SELinux requires early initialization in order to label
4478    all processes and objects when they are created. */
4479 security_initcall(selinux_init);
4480
4481 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4482
4483 static struct nf_hook_ops selinux_ipv4_op = {
4484         .hook =         selinux_ipv4_postroute_last,
4485         .owner =        THIS_MODULE,
4486         .pf =           PF_INET,
4487         .hooknum =      NF_IP_POST_ROUTING,
4488         .priority =     NF_IP_PRI_SELINUX_LAST,
4489 };
4490
4491 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4492
4493 static struct nf_hook_ops selinux_ipv6_op = {
4494         .hook =         selinux_ipv6_postroute_last,
4495         .owner =        THIS_MODULE,
4496         .pf =           PF_INET6,
4497         .hooknum =      NF_IP6_POST_ROUTING,
4498         .priority =     NF_IP6_PRI_SELINUX_LAST,
4499 };
4500
4501 #endif  /* IPV6 */
4502
4503 static int __init selinux_nf_ip_init(void)
4504 {
4505         int err = 0;
4506
4507         if (!selinux_enabled)
4508                 goto out;
4509                 
4510         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4511         
4512         err = nf_register_hook(&selinux_ipv4_op);
4513         if (err)
4514                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4515
4516 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4517
4518         err = nf_register_hook(&selinux_ipv6_op);
4519         if (err)
4520                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4521
4522 #endif  /* IPV6 */
4523 out:
4524         return err;
4525 }
4526
4527 __initcall(selinux_nf_ip_init);
4528
4529 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4530 static void selinux_nf_ip_exit(void)
4531 {
4532         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4533
4534         nf_unregister_hook(&selinux_ipv4_op);
4535 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4536         nf_unregister_hook(&selinux_ipv6_op);
4537 #endif  /* IPV6 */
4538 }
4539 #endif
4540
4541 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4542
4543 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4544 #define selinux_nf_ip_exit()
4545 #endif
4546
4547 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4548
4549 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4550 int selinux_disable(void)
4551 {
4552         extern void exit_sel_fs(void);
4553         static int selinux_disabled = 0;
4554
4555         if (ss_initialized) {
4556                 /* Not permitted after initial policy load. */
4557                 return -EINVAL;
4558         }
4559
4560         if (selinux_disabled) {
4561                 /* Only do this once. */
4562                 return -EINVAL;
4563         }
4564
4565         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4566
4567         selinux_disabled = 1;
4568
4569         /* Reset security_ops to the secondary module, dummy or capability. */
4570         security_ops = secondary_ops;
4571
4572         /* Unregister netfilter hooks. */
4573         selinux_nf_ip_exit();
4574
4575         /* Unregister selinuxfs. */
4576         exit_sel_fs();
4577
4578         return 0;
4579 }
4580 #endif
4581
4582