41a049f50f58f43e131219c2318df9c265d76782
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141  *
142  * Description:
143  * This function checks the SECMARK reference counter to see if any SECMARK
144  * targets are currently configured, if the reference counter is greater than
145  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
146  * enabled, false (0) if SECMARK is disabled.
147  *
148  */
149 static int selinux_secmark_enabled(void)
150 {
151         return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->file = file;
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_init(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 3,
323         Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369         struct superblock_security_struct *sbsec = sb->s_security;
370         struct dentry *root = sb->s_root;
371         struct inode *root_inode = root->d_inode;
372         int rc = 0;
373
374         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375                 /* Make sure that the xattr handler exists and that no
376                    error other than -ENODATA is returned by getxattr on
377                    the root directory.  -ENODATA is ok, as this may be
378                    the first boot of the SELinux kernel before we have
379                    assigned xattr values to the filesystem. */
380                 if (!root_inode->i_op->getxattr) {
381                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382                                "xattr support\n", sb->s_id, sb->s_type->name);
383                         rc = -EOPNOTSUPP;
384                         goto out;
385                 }
386                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387                 if (rc < 0 && rc != -ENODATA) {
388                         if (rc == -EOPNOTSUPP)
389                                 printk(KERN_WARNING "SELinux: (dev %s, type "
390                                        "%s) has no security xattr handler\n",
391                                        sb->s_id, sb->s_type->name);
392                         else
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) getxattr errno %d\n", sb->s_id,
395                                        sb->s_type->name, -rc);
396                         goto out;
397                 }
398         }
399
400         sbsec->initialized = 1;
401
402         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404                        sb->s_id, sb->s_type->name);
405         else
406                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407                        sb->s_id, sb->s_type->name,
408                        labeling_behaviors[sbsec->behavior-1]);
409
410         /* Initialize the root inode. */
411         rc = inode_doinit_with_dentry(root_inode, root);
412
413         /* Initialize any other inodes associated with the superblock, e.g.
414            inodes created prior to initial policy load or inodes created
415            during get_sb by a pseudo filesystem that directly
416            populates itself. */
417         spin_lock(&sbsec->isec_lock);
418 next_inode:
419         if (!list_empty(&sbsec->isec_head)) {
420                 struct inode_security_struct *isec =
421                                 list_entry(sbsec->isec_head.next,
422                                            struct inode_security_struct, list);
423                 struct inode *inode = isec->inode;
424                 spin_unlock(&sbsec->isec_lock);
425                 inode = igrab(inode);
426                 if (inode) {
427                         if (!IS_PRIVATE(inode))
428                                 inode_doinit(inode);
429                         iput(inode);
430                 }
431                 spin_lock(&sbsec->isec_lock);
432                 list_del_init(&isec->list);
433                 goto next_inode;
434         }
435         spin_unlock(&sbsec->isec_lock);
436 out:
437         return rc;
438 }
439
440 /*
441  * This function should allow an FS to ask what it's mount security
442  * options were so it can use those later for submounts, displaying
443  * mount options, or whatever.
444  */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446                                 struct security_mnt_opts *opts)
447 {
448         int rc = 0, i;
449         struct superblock_security_struct *sbsec = sb->s_security;
450         char *context = NULL;
451         u32 len;
452         char tmp;
453
454         security_init_mnt_opts(opts);
455
456         if (!sbsec->initialized)
457                 return -EINVAL;
458
459         if (!ss_initialized)
460                 return -EINVAL;
461
462         /*
463          * if we ever use sbsec flags for anything other than tracking mount
464          * settings this is going to need a mask
465          */
466         tmp = sbsec->flags;
467         /* count the number of mount options for this sb */
468         for (i = 0; i < 8; i++) {
469                 if (tmp & 0x01)
470                         opts->num_mnt_opts++;
471                 tmp >>= 1;
472         }
473
474         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475         if (!opts->mnt_opts) {
476                 rc = -ENOMEM;
477                 goto out_free;
478         }
479
480         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481         if (!opts->mnt_opts_flags) {
482                 rc = -ENOMEM;
483                 goto out_free;
484         }
485
486         i = 0;
487         if (sbsec->flags & FSCONTEXT_MNT) {
488                 rc = security_sid_to_context(sbsec->sid, &context, &len);
489                 if (rc)
490                         goto out_free;
491                 opts->mnt_opts[i] = context;
492                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
493         }
494         if (sbsec->flags & CONTEXT_MNT) {
495                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496                 if (rc)
497                         goto out_free;
498                 opts->mnt_opts[i] = context;
499                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
500         }
501         if (sbsec->flags & DEFCONTEXT_MNT) {
502                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503                 if (rc)
504                         goto out_free;
505                 opts->mnt_opts[i] = context;
506                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
507         }
508         if (sbsec->flags & ROOTCONTEXT_MNT) {
509                 struct inode *root = sbsec->sb->s_root->d_inode;
510                 struct inode_security_struct *isec = root->i_security;
511
512                 rc = security_sid_to_context(isec->sid, &context, &len);
513                 if (rc)
514                         goto out_free;
515                 opts->mnt_opts[i] = context;
516                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517         }
518
519         BUG_ON(i != opts->num_mnt_opts);
520
521         return 0;
522
523 out_free:
524         security_free_mnt_opts(opts);
525         return rc;
526 }
527
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529                       u32 old_sid, u32 new_sid)
530 {
531         /* check if the old mount command had the same options */
532         if (sbsec->initialized)
533                 if (!(sbsec->flags & flag) ||
534                     (old_sid != new_sid))
535                         return 1;
536
537         /* check if we were passed the same options twice,
538          * aka someone passed context=a,context=b
539          */
540         if (!sbsec->initialized)
541                 if (sbsec->flags & flag)
542                         return 1;
543         return 0;
544 }
545
546 /*
547  * Allow filesystems with binary mount data to explicitly set mount point
548  * labeling information.
549  */
550 static int selinux_set_mnt_opts(struct super_block *sb,
551                                 struct security_mnt_opts *opts)
552 {
553         int rc = 0, i;
554         struct task_security_struct *tsec = current->security;
555         struct superblock_security_struct *sbsec = sb->s_security;
556         const char *name = sb->s_type->name;
557         struct inode *inode = sbsec->sb->s_root->d_inode;
558         struct inode_security_struct *root_isec = inode->i_security;
559         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560         u32 defcontext_sid = 0;
561         char **mount_options = opts->mnt_opts;
562         int *flags = opts->mnt_opts_flags;
563         int num_opts = opts->num_mnt_opts;
564
565         mutex_lock(&sbsec->lock);
566
567         if (!ss_initialized) {
568                 if (!num_opts) {
569                         /* Defer initialization until selinux_complete_init,
570                            after the initial policy is loaded and the security
571                            server is ready to handle calls. */
572                         spin_lock(&sb_security_lock);
573                         if (list_empty(&sbsec->list))
574                                 list_add(&sbsec->list, &superblock_security_head);
575                         spin_unlock(&sb_security_lock);
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "Unable to set superblock options before "
580                        "the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->initialized) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if (sbsec->flags && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->proc = 1;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __FUNCTION__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680
681                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682                 if (rc)
683                         goto out;
684
685                 sbsec->sid = fscontext_sid;
686         }
687
688         /*
689          * Switch to using mount point labeling behavior.
690          * sets the label used on all file below the mountpoint, and will set
691          * the superblock context if not already set.
692          */
693         if (context_sid) {
694                 if (!fscontext_sid) {
695                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701                         if (rc)
702                                 goto out;
703                 }
704                 if (!rootcontext_sid)
705                         rootcontext_sid = context_sid;
706
707                 sbsec->mntpoint_sid = context_sid;
708                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709         }
710
711         if (rootcontext_sid) {
712                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713                 if (rc)
714                         goto out;
715
716                 root_isec->sid = rootcontext_sid;
717                 root_isec->initialized = 1;
718         }
719
720         if (defcontext_sid) {
721                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722                         rc = -EINVAL;
723                         printk(KERN_WARNING "SELinux: defcontext option is "
724                                "invalid for this filesystem type\n");
725                         goto out;
726                 }
727
728                 if (defcontext_sid != sbsec->def_sid) {
729                         rc = may_context_mount_inode_relabel(defcontext_sid,
730                                                              sbsec, tsec);
731                         if (rc)
732                                 goto out;
733                 }
734
735                 sbsec->def_sid = defcontext_sid;
736         }
737
738         rc = sb_finish_set_opts(sb);
739 out:
740         mutex_unlock(&sbsec->lock);
741         return rc;
742 out_double_mount:
743         rc = -EINVAL;
744         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
745                "security settings for (dev %s, type %s)\n", sb->s_id, name);
746         goto out;
747 }
748
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750                                         struct super_block *newsb)
751 {
752         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753         struct superblock_security_struct *newsbsec = newsb->s_security;
754
755         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
756         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
757         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
758
759         /* we can't error, we can't save the info, this shouldn't get called
760          * this early in the boot process. */
761         BUG_ON(!ss_initialized);
762
763         /* this might go away sometime down the line if there is a new user
764          * of clone, but for now, nfs better not get here... */
765         BUG_ON(newsbsec->initialized);
766
767         /* how can we clone if the old one wasn't set up?? */
768         BUG_ON(!oldsbsec->initialized);
769
770         mutex_lock(&newsbsec->lock);
771
772         newsbsec->flags = oldsbsec->flags;
773
774         newsbsec->sid = oldsbsec->sid;
775         newsbsec->def_sid = oldsbsec->def_sid;
776         newsbsec->behavior = oldsbsec->behavior;
777
778         if (set_context) {
779                 u32 sid = oldsbsec->mntpoint_sid;
780
781                 if (!set_fscontext)
782                         newsbsec->sid = sid;
783                 if (!set_rootcontext) {
784                         struct inode *newinode = newsb->s_root->d_inode;
785                         struct inode_security_struct *newisec = newinode->i_security;
786                         newisec->sid = sid;
787                 }
788                 newsbsec->mntpoint_sid = sid;
789         }
790         if (set_rootcontext) {
791                 const struct inode *oldinode = oldsb->s_root->d_inode;
792                 const struct inode_security_struct *oldisec = oldinode->i_security;
793                 struct inode *newinode = newsb->s_root->d_inode;
794                 struct inode_security_struct *newisec = newinode->i_security;
795
796                 newisec->sid = oldisec->sid;
797         }
798
799         sb_finish_set_opts(newsb);
800         mutex_unlock(&newsbsec->lock);
801 }
802
803 static int selinux_parse_opts_str(char *options,
804                                   struct security_mnt_opts *opts)
805 {
806         char *p;
807         char *context = NULL, *defcontext = NULL;
808         char *fscontext = NULL, *rootcontext = NULL;
809         int rc, num_mnt_opts = 0;
810
811         opts->num_mnt_opts = 0;
812
813         /* Standard string-based options. */
814         while ((p = strsep(&options, "|")) != NULL) {
815                 int token;
816                 substring_t args[MAX_OPT_ARGS];
817
818                 if (!*p)
819                         continue;
820
821                 token = match_token(p, tokens, args);
822
823                 switch (token) {
824                 case Opt_context:
825                         if (context || defcontext) {
826                                 rc = -EINVAL;
827                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828                                 goto out_err;
829                         }
830                         context = match_strdup(&args[0]);
831                         if (!context) {
832                                 rc = -ENOMEM;
833                                 goto out_err;
834                         }
835                         break;
836
837                 case Opt_fscontext:
838                         if (fscontext) {
839                                 rc = -EINVAL;
840                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841                                 goto out_err;
842                         }
843                         fscontext = match_strdup(&args[0]);
844                         if (!fscontext) {
845                                 rc = -ENOMEM;
846                                 goto out_err;
847                         }
848                         break;
849
850                 case Opt_rootcontext:
851                         if (rootcontext) {
852                                 rc = -EINVAL;
853                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854                                 goto out_err;
855                         }
856                         rootcontext = match_strdup(&args[0]);
857                         if (!rootcontext) {
858                                 rc = -ENOMEM;
859                                 goto out_err;
860                         }
861                         break;
862
863                 case Opt_defcontext:
864                         if (context || defcontext) {
865                                 rc = -EINVAL;
866                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867                                 goto out_err;
868                         }
869                         defcontext = match_strdup(&args[0]);
870                         if (!defcontext) {
871                                 rc = -ENOMEM;
872                                 goto out_err;
873                         }
874                         break;
875
876                 default:
877                         rc = -EINVAL;
878                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
879                         goto out_err;
880
881                 }
882         }
883
884         rc = -ENOMEM;
885         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886         if (!opts->mnt_opts)
887                 goto out_err;
888
889         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890         if (!opts->mnt_opts_flags) {
891                 kfree(opts->mnt_opts);
892                 goto out_err;
893         }
894
895         if (fscontext) {
896                 opts->mnt_opts[num_mnt_opts] = fscontext;
897                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
898         }
899         if (context) {
900                 opts->mnt_opts[num_mnt_opts] = context;
901                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
902         }
903         if (rootcontext) {
904                 opts->mnt_opts[num_mnt_opts] = rootcontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
906         }
907         if (defcontext) {
908                 opts->mnt_opts[num_mnt_opts] = defcontext;
909                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
910         }
911
912         opts->num_mnt_opts = num_mnt_opts;
913         return 0;
914
915 out_err:
916         kfree(context);
917         kfree(defcontext);
918         kfree(fscontext);
919         kfree(rootcontext);
920         return rc;
921 }
922 /*
923  * string mount options parsing and call set the sbsec
924  */
925 static int superblock_doinit(struct super_block *sb, void *data)
926 {
927         int rc = 0;
928         char *options = data;
929         struct security_mnt_opts opts;
930
931         security_init_mnt_opts(&opts);
932
933         if (!data)
934                 goto out;
935
936         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
937
938         rc = selinux_parse_opts_str(options, &opts);
939         if (rc)
940                 goto out_err;
941
942 out:
943         rc = selinux_set_mnt_opts(sb, &opts);
944
945 out_err:
946         security_free_mnt_opts(&opts);
947         return rc;
948 }
949
950 static inline u16 inode_mode_to_security_class(umode_t mode)
951 {
952         switch (mode & S_IFMT) {
953         case S_IFSOCK:
954                 return SECCLASS_SOCK_FILE;
955         case S_IFLNK:
956                 return SECCLASS_LNK_FILE;
957         case S_IFREG:
958                 return SECCLASS_FILE;
959         case S_IFBLK:
960                 return SECCLASS_BLK_FILE;
961         case S_IFDIR:
962                 return SECCLASS_DIR;
963         case S_IFCHR:
964                 return SECCLASS_CHR_FILE;
965         case S_IFIFO:
966                 return SECCLASS_FIFO_FILE;
967
968         }
969
970         return SECCLASS_FILE;
971 }
972
973 static inline int default_protocol_stream(int protocol)
974 {
975         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976 }
977
978 static inline int default_protocol_dgram(int protocol)
979 {
980         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981 }
982
983 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
984 {
985         switch (family) {
986         case PF_UNIX:
987                 switch (type) {
988                 case SOCK_STREAM:
989                 case SOCK_SEQPACKET:
990                         return SECCLASS_UNIX_STREAM_SOCKET;
991                 case SOCK_DGRAM:
992                         return SECCLASS_UNIX_DGRAM_SOCKET;
993                 }
994                 break;
995         case PF_INET:
996         case PF_INET6:
997                 switch (type) {
998                 case SOCK_STREAM:
999                         if (default_protocol_stream(protocol))
1000                                 return SECCLASS_TCP_SOCKET;
1001                         else
1002                                 return SECCLASS_RAWIP_SOCKET;
1003                 case SOCK_DGRAM:
1004                         if (default_protocol_dgram(protocol))
1005                                 return SECCLASS_UDP_SOCKET;
1006                         else
1007                                 return SECCLASS_RAWIP_SOCKET;
1008                 case SOCK_DCCP:
1009                         return SECCLASS_DCCP_SOCKET;
1010                 default:
1011                         return SECCLASS_RAWIP_SOCKET;
1012                 }
1013                 break;
1014         case PF_NETLINK:
1015                 switch (protocol) {
1016                 case NETLINK_ROUTE:
1017                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1018                 case NETLINK_FIREWALL:
1019                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1020                 case NETLINK_INET_DIAG:
1021                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1022                 case NETLINK_NFLOG:
1023                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1024                 case NETLINK_XFRM:
1025                         return SECCLASS_NETLINK_XFRM_SOCKET;
1026                 case NETLINK_SELINUX:
1027                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1028                 case NETLINK_AUDIT:
1029                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1030                 case NETLINK_IP6_FW:
1031                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1032                 case NETLINK_DNRTMSG:
1033                         return SECCLASS_NETLINK_DNRT_SOCKET;
1034                 case NETLINK_KOBJECT_UEVENT:
1035                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1036                 default:
1037                         return SECCLASS_NETLINK_SOCKET;
1038                 }
1039         case PF_PACKET:
1040                 return SECCLASS_PACKET_SOCKET;
1041         case PF_KEY:
1042                 return SECCLASS_KEY_SOCKET;
1043         case PF_APPLETALK:
1044                 return SECCLASS_APPLETALK_SOCKET;
1045         }
1046
1047         return SECCLASS_SOCKET;
1048 }
1049
1050 #ifdef CONFIG_PROC_FS
1051 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1052                                 u16 tclass,
1053                                 u32 *sid)
1054 {
1055         int buflen, rc;
1056         char *buffer, *path, *end;
1057
1058         buffer = (char*)__get_free_page(GFP_KERNEL);
1059         if (!buffer)
1060                 return -ENOMEM;
1061
1062         buflen = PAGE_SIZE;
1063         end = buffer+buflen;
1064         *--end = '\0';
1065         buflen--;
1066         path = end-1;
1067         *path = '/';
1068         while (de && de != de->parent) {
1069                 buflen -= de->namelen + 1;
1070                 if (buflen < 0)
1071                         break;
1072                 end -= de->namelen;
1073                 memcpy(end, de->name, de->namelen);
1074                 *--end = '/';
1075                 path = end;
1076                 de = de->parent;
1077         }
1078         rc = security_genfs_sid("proc", path, tclass, sid);
1079         free_page((unsigned long)buffer);
1080         return rc;
1081 }
1082 #else
1083 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1084                                 u16 tclass,
1085                                 u32 *sid)
1086 {
1087         return -EINVAL;
1088 }
1089 #endif
1090
1091 /* The inode's security attributes must be initialized before first use. */
1092 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1093 {
1094         struct superblock_security_struct *sbsec = NULL;
1095         struct inode_security_struct *isec = inode->i_security;
1096         u32 sid;
1097         struct dentry *dentry;
1098 #define INITCONTEXTLEN 255
1099         char *context = NULL;
1100         unsigned len = 0;
1101         int rc = 0;
1102
1103         if (isec->initialized)
1104                 goto out;
1105
1106         mutex_lock(&isec->lock);
1107         if (isec->initialized)
1108                 goto out_unlock;
1109
1110         sbsec = inode->i_sb->s_security;
1111         if (!sbsec->initialized) {
1112                 /* Defer initialization until selinux_complete_init,
1113                    after the initial policy is loaded and the security
1114                    server is ready to handle calls. */
1115                 spin_lock(&sbsec->isec_lock);
1116                 if (list_empty(&isec->list))
1117                         list_add(&isec->list, &sbsec->isec_head);
1118                 spin_unlock(&sbsec->isec_lock);
1119                 goto out_unlock;
1120         }
1121
1122         switch (sbsec->behavior) {
1123         case SECURITY_FS_USE_XATTR:
1124                 if (!inode->i_op->getxattr) {
1125                         isec->sid = sbsec->def_sid;
1126                         break;
1127                 }
1128
1129                 /* Need a dentry, since the xattr API requires one.
1130                    Life would be simpler if we could just pass the inode. */
1131                 if (opt_dentry) {
1132                         /* Called from d_instantiate or d_splice_alias. */
1133                         dentry = dget(opt_dentry);
1134                 } else {
1135                         /* Called from selinux_complete_init, try to find a dentry. */
1136                         dentry = d_find_alias(inode);
1137                 }
1138                 if (!dentry) {
1139                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1140                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1141                                inode->i_ino);
1142                         goto out_unlock;
1143                 }
1144
1145                 len = INITCONTEXTLEN;
1146                 context = kmalloc(len, GFP_KERNEL);
1147                 if (!context) {
1148                         rc = -ENOMEM;
1149                         dput(dentry);
1150                         goto out_unlock;
1151                 }
1152                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1153                                            context, len);
1154                 if (rc == -ERANGE) {
1155                         /* Need a larger buffer.  Query for the right size. */
1156                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1157                                                    NULL, 0);
1158                         if (rc < 0) {
1159                                 dput(dentry);
1160                                 goto out_unlock;
1161                         }
1162                         kfree(context);
1163                         len = rc;
1164                         context = kmalloc(len, GFP_KERNEL);
1165                         if (!context) {
1166                                 rc = -ENOMEM;
1167                                 dput(dentry);
1168                                 goto out_unlock;
1169                         }
1170                         rc = inode->i_op->getxattr(dentry,
1171                                                    XATTR_NAME_SELINUX,
1172                                                    context, len);
1173                 }
1174                 dput(dentry);
1175                 if (rc < 0) {
1176                         if (rc != -ENODATA) {
1177                                 printk(KERN_WARNING "%s:  getxattr returned "
1178                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179                                        -rc, inode->i_sb->s_id, inode->i_ino);
1180                                 kfree(context);
1181                                 goto out_unlock;
1182                         }
1183                         /* Map ENODATA to the default file SID */
1184                         sid = sbsec->def_sid;
1185                         rc = 0;
1186                 } else {
1187                         rc = security_context_to_sid_default(context, rc, &sid,
1188                                                              sbsec->def_sid);
1189                         if (rc) {
1190                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1191                                        "returned %d for dev=%s ino=%ld\n",
1192                                        __FUNCTION__, context, -rc,
1193                                        inode->i_sb->s_id, inode->i_ino);
1194                                 kfree(context);
1195                                 /* Leave with the unlabeled SID */
1196                                 rc = 0;
1197                                 break;
1198                         }
1199                 }
1200                 kfree(context);
1201                 isec->sid = sid;
1202                 break;
1203         case SECURITY_FS_USE_TASK:
1204                 isec->sid = isec->task_sid;
1205                 break;
1206         case SECURITY_FS_USE_TRANS:
1207                 /* Default to the fs SID. */
1208                 isec->sid = sbsec->sid;
1209
1210                 /* Try to obtain a transition SID. */
1211                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212                 rc = security_transition_sid(isec->task_sid,
1213                                              sbsec->sid,
1214                                              isec->sclass,
1215                                              &sid);
1216                 if (rc)
1217                         goto out_unlock;
1218                 isec->sid = sid;
1219                 break;
1220         case SECURITY_FS_USE_MNTPOINT:
1221                 isec->sid = sbsec->mntpoint_sid;
1222                 break;
1223         default:
1224                 /* Default to the fs superblock SID. */
1225                 isec->sid = sbsec->sid;
1226
1227                 if (sbsec->proc) {
1228                         struct proc_inode *proci = PROC_I(inode);
1229                         if (proci->pde) {
1230                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231                                 rc = selinux_proc_get_sid(proci->pde,
1232                                                           isec->sclass,
1233                                                           &sid);
1234                                 if (rc)
1235                                         goto out_unlock;
1236                                 isec->sid = sid;
1237                         }
1238                 }
1239                 break;
1240         }
1241
1242         isec->initialized = 1;
1243
1244 out_unlock:
1245         mutex_unlock(&isec->lock);
1246 out:
1247         if (isec->sclass == SECCLASS_FILE)
1248                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1249         return rc;
1250 }
1251
1252 /* Convert a Linux signal to an access vector. */
1253 static inline u32 signal_to_av(int sig)
1254 {
1255         u32 perm = 0;
1256
1257         switch (sig) {
1258         case SIGCHLD:
1259                 /* Commonly granted from child to parent. */
1260                 perm = PROCESS__SIGCHLD;
1261                 break;
1262         case SIGKILL:
1263                 /* Cannot be caught or ignored */
1264                 perm = PROCESS__SIGKILL;
1265                 break;
1266         case SIGSTOP:
1267                 /* Cannot be caught or ignored */
1268                 perm = PROCESS__SIGSTOP;
1269                 break;
1270         default:
1271                 /* All other signals. */
1272                 perm = PROCESS__SIGNAL;
1273                 break;
1274         }
1275
1276         return perm;
1277 }
1278
1279 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1280    fork check, ptrace check, etc. */
1281 static int task_has_perm(struct task_struct *tsk1,
1282                          struct task_struct *tsk2,
1283                          u32 perms)
1284 {
1285         struct task_security_struct *tsec1, *tsec2;
1286
1287         tsec1 = tsk1->security;
1288         tsec2 = tsk2->security;
1289         return avc_has_perm(tsec1->sid, tsec2->sid,
1290                             SECCLASS_PROCESS, perms, NULL);
1291 }
1292
1293 #if CAP_LAST_CAP > 63
1294 #error Fix SELinux to handle capabilities > 63.
1295 #endif
1296
1297 /* Check whether a task is allowed to use a capability. */
1298 static int task_has_capability(struct task_struct *tsk,
1299                                int cap)
1300 {
1301         struct task_security_struct *tsec;
1302         struct avc_audit_data ad;
1303         u16 sclass;
1304         u32 av = CAP_TO_MASK(cap);
1305
1306         tsec = tsk->security;
1307
1308         AVC_AUDIT_DATA_INIT(&ad,CAP);
1309         ad.tsk = tsk;
1310         ad.u.cap = cap;
1311
1312         switch (CAP_TO_INDEX(cap)) {
1313         case 0:
1314                 sclass = SECCLASS_CAPABILITY;
1315                 break;
1316         case 1:
1317                 sclass = SECCLASS_CAPABILITY2;
1318                 break;
1319         default:
1320                 printk(KERN_ERR
1321                        "SELinux:  out of range capability %d\n", cap);
1322                 BUG();
1323         }
1324         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1325 }
1326
1327 /* Check whether a task is allowed to use a system operation. */
1328 static int task_has_system(struct task_struct *tsk,
1329                            u32 perms)
1330 {
1331         struct task_security_struct *tsec;
1332
1333         tsec = tsk->security;
1334
1335         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336                             SECCLASS_SYSTEM, perms, NULL);
1337 }
1338
1339 /* Check whether a task has a particular permission to an inode.
1340    The 'adp' parameter is optional and allows other audit
1341    data to be passed (e.g. the dentry). */
1342 static int inode_has_perm(struct task_struct *tsk,
1343                           struct inode *inode,
1344                           u32 perms,
1345                           struct avc_audit_data *adp)
1346 {
1347         struct task_security_struct *tsec;
1348         struct inode_security_struct *isec;
1349         struct avc_audit_data ad;
1350
1351         if (unlikely (IS_PRIVATE (inode)))
1352                 return 0;
1353
1354         tsec = tsk->security;
1355         isec = inode->i_security;
1356
1357         if (!adp) {
1358                 adp = &ad;
1359                 AVC_AUDIT_DATA_INIT(&ad, FS);
1360                 ad.u.fs.inode = inode;
1361         }
1362
1363         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1364 }
1365
1366 /* Same as inode_has_perm, but pass explicit audit data containing
1367    the dentry to help the auditing code to more easily generate the
1368    pathname if needed. */
1369 static inline int dentry_has_perm(struct task_struct *tsk,
1370                                   struct vfsmount *mnt,
1371                                   struct dentry *dentry,
1372                                   u32 av)
1373 {
1374         struct inode *inode = dentry->d_inode;
1375         struct avc_audit_data ad;
1376         AVC_AUDIT_DATA_INIT(&ad,FS);
1377         ad.u.fs.path.mnt = mnt;
1378         ad.u.fs.path.dentry = dentry;
1379         return inode_has_perm(tsk, inode, av, &ad);
1380 }
1381
1382 /* Check whether a task can use an open file descriptor to
1383    access an inode in a given way.  Check access to the
1384    descriptor itself, and then use dentry_has_perm to
1385    check a particular permission to the file.
1386    Access to the descriptor is implicitly granted if it
1387    has the same SID as the process.  If av is zero, then
1388    access to the file is not checked, e.g. for cases
1389    where only the descriptor is affected like seek. */
1390 static int file_has_perm(struct task_struct *tsk,
1391                                 struct file *file,
1392                                 u32 av)
1393 {
1394         struct task_security_struct *tsec = tsk->security;
1395         struct file_security_struct *fsec = file->f_security;
1396         struct inode *inode = file->f_path.dentry->d_inode;
1397         struct avc_audit_data ad;
1398         int rc;
1399
1400         AVC_AUDIT_DATA_INIT(&ad, FS);
1401         ad.u.fs.path = file->f_path;
1402
1403         if (tsec->sid != fsec->sid) {
1404                 rc = avc_has_perm(tsec->sid, fsec->sid,
1405                                   SECCLASS_FD,
1406                                   FD__USE,
1407                                   &ad);
1408                 if (rc)
1409                         return rc;
1410         }
1411
1412         /* av is zero if only checking access to the descriptor. */
1413         if (av)
1414                 return inode_has_perm(tsk, inode, av, &ad);
1415
1416         return 0;
1417 }
1418
1419 /* Check whether a task can create a file. */
1420 static int may_create(struct inode *dir,
1421                       struct dentry *dentry,
1422                       u16 tclass)
1423 {
1424         struct task_security_struct *tsec;
1425         struct inode_security_struct *dsec;
1426         struct superblock_security_struct *sbsec;
1427         u32 newsid;
1428         struct avc_audit_data ad;
1429         int rc;
1430
1431         tsec = current->security;
1432         dsec = dir->i_security;
1433         sbsec = dir->i_sb->s_security;
1434
1435         AVC_AUDIT_DATA_INIT(&ad, FS);
1436         ad.u.fs.path.dentry = dentry;
1437
1438         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439                           DIR__ADD_NAME | DIR__SEARCH,
1440                           &ad);
1441         if (rc)
1442                 return rc;
1443
1444         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445                 newsid = tsec->create_sid;
1446         } else {
1447                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1448                                              &newsid);
1449                 if (rc)
1450                         return rc;
1451         }
1452
1453         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1454         if (rc)
1455                 return rc;
1456
1457         return avc_has_perm(newsid, sbsec->sid,
1458                             SECCLASS_FILESYSTEM,
1459                             FILESYSTEM__ASSOCIATE, &ad);
1460 }
1461
1462 /* Check whether a task can create a key. */
1463 static int may_create_key(u32 ksid,
1464                           struct task_struct *ctx)
1465 {
1466         struct task_security_struct *tsec;
1467
1468         tsec = ctx->security;
1469
1470         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471 }
1472
1473 #define MAY_LINK   0
1474 #define MAY_UNLINK 1
1475 #define MAY_RMDIR  2
1476
1477 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1478 static int may_link(struct inode *dir,
1479                     struct dentry *dentry,
1480                     int kind)
1481
1482 {
1483         struct task_security_struct *tsec;
1484         struct inode_security_struct *dsec, *isec;
1485         struct avc_audit_data ad;
1486         u32 av;
1487         int rc;
1488
1489         tsec = current->security;
1490         dsec = dir->i_security;
1491         isec = dentry->d_inode->i_security;
1492
1493         AVC_AUDIT_DATA_INIT(&ad, FS);
1494         ad.u.fs.path.dentry = dentry;
1495
1496         av = DIR__SEARCH;
1497         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1499         if (rc)
1500                 return rc;
1501
1502         switch (kind) {
1503         case MAY_LINK:
1504                 av = FILE__LINK;
1505                 break;
1506         case MAY_UNLINK:
1507                 av = FILE__UNLINK;
1508                 break;
1509         case MAY_RMDIR:
1510                 av = DIR__RMDIR;
1511                 break;
1512         default:
1513                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1514                 return 0;
1515         }
1516
1517         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1518         return rc;
1519 }
1520
1521 static inline int may_rename(struct inode *old_dir,
1522                              struct dentry *old_dentry,
1523                              struct inode *new_dir,
1524                              struct dentry *new_dentry)
1525 {
1526         struct task_security_struct *tsec;
1527         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528         struct avc_audit_data ad;
1529         u32 av;
1530         int old_is_dir, new_is_dir;
1531         int rc;
1532
1533         tsec = current->security;
1534         old_dsec = old_dir->i_security;
1535         old_isec = old_dentry->d_inode->i_security;
1536         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537         new_dsec = new_dir->i_security;
1538
1539         AVC_AUDIT_DATA_INIT(&ad, FS);
1540
1541         ad.u.fs.path.dentry = old_dentry;
1542         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544         if (rc)
1545                 return rc;
1546         rc = avc_has_perm(tsec->sid, old_isec->sid,
1547                           old_isec->sclass, FILE__RENAME, &ad);
1548         if (rc)
1549                 return rc;
1550         if (old_is_dir && new_dir != old_dir) {
1551                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552                                   old_isec->sclass, DIR__REPARENT, &ad);
1553                 if (rc)
1554                         return rc;
1555         }
1556
1557         ad.u.fs.path.dentry = new_dentry;
1558         av = DIR__ADD_NAME | DIR__SEARCH;
1559         if (new_dentry->d_inode)
1560                 av |= DIR__REMOVE_NAME;
1561         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562         if (rc)
1563                 return rc;
1564         if (new_dentry->d_inode) {
1565                 new_isec = new_dentry->d_inode->i_security;
1566                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568                                   new_isec->sclass,
1569                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1570                 if (rc)
1571                         return rc;
1572         }
1573
1574         return 0;
1575 }
1576
1577 /* Check whether a task can perform a filesystem operation. */
1578 static int superblock_has_perm(struct task_struct *tsk,
1579                                struct super_block *sb,
1580                                u32 perms,
1581                                struct avc_audit_data *ad)
1582 {
1583         struct task_security_struct *tsec;
1584         struct superblock_security_struct *sbsec;
1585
1586         tsec = tsk->security;
1587         sbsec = sb->s_security;
1588         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1589                             perms, ad);
1590 }
1591
1592 /* Convert a Linux mode and permission mask to an access vector. */
1593 static inline u32 file_mask_to_av(int mode, int mask)
1594 {
1595         u32 av = 0;
1596
1597         if ((mode & S_IFMT) != S_IFDIR) {
1598                 if (mask & MAY_EXEC)
1599                         av |= FILE__EXECUTE;
1600                 if (mask & MAY_READ)
1601                         av |= FILE__READ;
1602
1603                 if (mask & MAY_APPEND)
1604                         av |= FILE__APPEND;
1605                 else if (mask & MAY_WRITE)
1606                         av |= FILE__WRITE;
1607
1608         } else {
1609                 if (mask & MAY_EXEC)
1610                         av |= DIR__SEARCH;
1611                 if (mask & MAY_WRITE)
1612                         av |= DIR__WRITE;
1613                 if (mask & MAY_READ)
1614                         av |= DIR__READ;
1615         }
1616
1617         return av;
1618 }
1619
1620 /* Convert a Linux file to an access vector. */
1621 static inline u32 file_to_av(struct file *file)
1622 {
1623         u32 av = 0;
1624
1625         if (file->f_mode & FMODE_READ)
1626                 av |= FILE__READ;
1627         if (file->f_mode & FMODE_WRITE) {
1628                 if (file->f_flags & O_APPEND)
1629                         av |= FILE__APPEND;
1630                 else
1631                         av |= FILE__WRITE;
1632         }
1633
1634         return av;
1635 }
1636
1637 /* Hook functions begin here. */
1638
1639 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1640 {
1641         struct task_security_struct *psec = parent->security;
1642         struct task_security_struct *csec = child->security;
1643         int rc;
1644
1645         rc = secondary_ops->ptrace(parent,child);
1646         if (rc)
1647                 return rc;
1648
1649         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1650         /* Save the SID of the tracing process for later use in apply_creds. */
1651         if (!(child->ptrace & PT_PTRACED) && !rc)
1652                 csec->ptrace_sid = psec->sid;
1653         return rc;
1654 }
1655
1656 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1657                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1658 {
1659         int error;
1660
1661         error = task_has_perm(current, target, PROCESS__GETCAP);
1662         if (error)
1663                 return error;
1664
1665         return secondary_ops->capget(target, effective, inheritable, permitted);
1666 }
1667
1668 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1669                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1670 {
1671         int error;
1672
1673         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1674         if (error)
1675                 return error;
1676
1677         return task_has_perm(current, target, PROCESS__SETCAP);
1678 }
1679
1680 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1681                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1682 {
1683         secondary_ops->capset_set(target, effective, inheritable, permitted);
1684 }
1685
1686 static int selinux_capable(struct task_struct *tsk, int cap)
1687 {
1688         int rc;
1689
1690         rc = secondary_ops->capable(tsk, cap);
1691         if (rc)
1692                 return rc;
1693
1694         return task_has_capability(tsk,cap);
1695 }
1696
1697 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1698 {
1699         int buflen, rc;
1700         char *buffer, *path, *end;
1701
1702         rc = -ENOMEM;
1703         buffer = (char*)__get_free_page(GFP_KERNEL);
1704         if (!buffer)
1705                 goto out;
1706
1707         buflen = PAGE_SIZE;
1708         end = buffer+buflen;
1709         *--end = '\0';
1710         buflen--;
1711         path = end-1;
1712         *path = '/';
1713         while (table) {
1714                 const char *name = table->procname;
1715                 size_t namelen = strlen(name);
1716                 buflen -= namelen + 1;
1717                 if (buflen < 0)
1718                         goto out_free;
1719                 end -= namelen;
1720                 memcpy(end, name, namelen);
1721                 *--end = '/';
1722                 path = end;
1723                 table = table->parent;
1724         }
1725         buflen -= 4;
1726         if (buflen < 0)
1727                 goto out_free;
1728         end -= 4;
1729         memcpy(end, "/sys", 4);
1730         path = end;
1731         rc = security_genfs_sid("proc", path, tclass, sid);
1732 out_free:
1733         free_page((unsigned long)buffer);
1734 out:
1735         return rc;
1736 }
1737
1738 static int selinux_sysctl(ctl_table *table, int op)
1739 {
1740         int error = 0;
1741         u32 av;
1742         struct task_security_struct *tsec;
1743         u32 tsid;
1744         int rc;
1745
1746         rc = secondary_ops->sysctl(table, op);
1747         if (rc)
1748                 return rc;
1749
1750         tsec = current->security;
1751
1752         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1753                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1754         if (rc) {
1755                 /* Default to the well-defined sysctl SID. */
1756                 tsid = SECINITSID_SYSCTL;
1757         }
1758
1759         /* The op values are "defined" in sysctl.c, thereby creating
1760          * a bad coupling between this module and sysctl.c */
1761         if(op == 001) {
1762                 error = avc_has_perm(tsec->sid, tsid,
1763                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1764         } else {
1765                 av = 0;
1766                 if (op & 004)
1767                         av |= FILE__READ;
1768                 if (op & 002)
1769                         av |= FILE__WRITE;
1770                 if (av)
1771                         error = avc_has_perm(tsec->sid, tsid,
1772                                              SECCLASS_FILE, av, NULL);
1773         }
1774
1775         return error;
1776 }
1777
1778 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1779 {
1780         int rc = 0;
1781
1782         if (!sb)
1783                 return 0;
1784
1785         switch (cmds) {
1786                 case Q_SYNC:
1787                 case Q_QUOTAON:
1788                 case Q_QUOTAOFF:
1789                 case Q_SETINFO:
1790                 case Q_SETQUOTA:
1791                         rc = superblock_has_perm(current,
1792                                                  sb,
1793                                                  FILESYSTEM__QUOTAMOD, NULL);
1794                         break;
1795                 case Q_GETFMT:
1796                 case Q_GETINFO:
1797                 case Q_GETQUOTA:
1798                         rc = superblock_has_perm(current,
1799                                                  sb,
1800                                                  FILESYSTEM__QUOTAGET, NULL);
1801                         break;
1802                 default:
1803                         rc = 0;  /* let the kernel handle invalid cmds */
1804                         break;
1805         }
1806         return rc;
1807 }
1808
1809 static int selinux_quota_on(struct dentry *dentry)
1810 {
1811         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1812 }
1813
1814 static int selinux_syslog(int type)
1815 {
1816         int rc;
1817
1818         rc = secondary_ops->syslog(type);
1819         if (rc)
1820                 return rc;
1821
1822         switch (type) {
1823                 case 3:         /* Read last kernel messages */
1824                 case 10:        /* Return size of the log buffer */
1825                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1826                         break;
1827                 case 6:         /* Disable logging to console */
1828                 case 7:         /* Enable logging to console */
1829                 case 8:         /* Set level of messages printed to console */
1830                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1831                         break;
1832                 case 0:         /* Close log */
1833                 case 1:         /* Open log */
1834                 case 2:         /* Read from log */
1835                 case 4:         /* Read/clear last kernel messages */
1836                 case 5:         /* Clear ring buffer */
1837                 default:
1838                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1839                         break;
1840         }
1841         return rc;
1842 }
1843
1844 /*
1845  * Check that a process has enough memory to allocate a new virtual
1846  * mapping. 0 means there is enough memory for the allocation to
1847  * succeed and -ENOMEM implies there is not.
1848  *
1849  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1850  * if the capability is granted, but __vm_enough_memory requires 1 if
1851  * the capability is granted.
1852  *
1853  * Do not audit the selinux permission check, as this is applied to all
1854  * processes that allocate mappings.
1855  */
1856 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1857 {
1858         int rc, cap_sys_admin = 0;
1859         struct task_security_struct *tsec = current->security;
1860
1861         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1862         if (rc == 0)
1863                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1864                                           SECCLASS_CAPABILITY,
1865                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1866                                           0,
1867                                           NULL);
1868
1869         if (rc == 0)
1870                 cap_sys_admin = 1;
1871
1872         return __vm_enough_memory(mm, pages, cap_sys_admin);
1873 }
1874
1875 /* binprm security operations */
1876
1877 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1878 {
1879         struct bprm_security_struct *bsec;
1880
1881         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1882         if (!bsec)
1883                 return -ENOMEM;
1884
1885         bsec->bprm = bprm;
1886         bsec->sid = SECINITSID_UNLABELED;
1887         bsec->set = 0;
1888
1889         bprm->security = bsec;
1890         return 0;
1891 }
1892
1893 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1894 {
1895         struct task_security_struct *tsec;
1896         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1897         struct inode_security_struct *isec;
1898         struct bprm_security_struct *bsec;
1899         u32 newsid;
1900         struct avc_audit_data ad;
1901         int rc;
1902
1903         rc = secondary_ops->bprm_set_security(bprm);
1904         if (rc)
1905                 return rc;
1906
1907         bsec = bprm->security;
1908
1909         if (bsec->set)
1910                 return 0;
1911
1912         tsec = current->security;
1913         isec = inode->i_security;
1914
1915         /* Default to the current task SID. */
1916         bsec->sid = tsec->sid;
1917
1918         /* Reset fs, key, and sock SIDs on execve. */
1919         tsec->create_sid = 0;
1920         tsec->keycreate_sid = 0;
1921         tsec->sockcreate_sid = 0;
1922
1923         if (tsec->exec_sid) {
1924                 newsid = tsec->exec_sid;
1925                 /* Reset exec SID on execve. */
1926                 tsec->exec_sid = 0;
1927         } else {
1928                 /* Check for a default transition on this program. */
1929                 rc = security_transition_sid(tsec->sid, isec->sid,
1930                                              SECCLASS_PROCESS, &newsid);
1931                 if (rc)
1932                         return rc;
1933         }
1934
1935         AVC_AUDIT_DATA_INIT(&ad, FS);
1936         ad.u.fs.path = bprm->file->f_path;
1937
1938         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1939                 newsid = tsec->sid;
1940
1941         if (tsec->sid == newsid) {
1942                 rc = avc_has_perm(tsec->sid, isec->sid,
1943                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1944                 if (rc)
1945                         return rc;
1946         } else {
1947                 /* Check permissions for the transition. */
1948                 rc = avc_has_perm(tsec->sid, newsid,
1949                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1950                 if (rc)
1951                         return rc;
1952
1953                 rc = avc_has_perm(newsid, isec->sid,
1954                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1955                 if (rc)
1956                         return rc;
1957
1958                 /* Clear any possibly unsafe personality bits on exec: */
1959                 current->personality &= ~PER_CLEAR_ON_SETID;
1960
1961                 /* Set the security field to the new SID. */
1962                 bsec->sid = newsid;
1963         }
1964
1965         bsec->set = 1;
1966         return 0;
1967 }
1968
1969 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1970 {
1971         return secondary_ops->bprm_check_security(bprm);
1972 }
1973
1974
1975 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1976 {
1977         struct task_security_struct *tsec = current->security;
1978         int atsecure = 0;
1979
1980         if (tsec->osid != tsec->sid) {
1981                 /* Enable secure mode for SIDs transitions unless
1982                    the noatsecure permission is granted between
1983                    the two SIDs, i.e. ahp returns 0. */
1984                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1985                                          SECCLASS_PROCESS,
1986                                          PROCESS__NOATSECURE, NULL);
1987         }
1988
1989         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1990 }
1991
1992 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1993 {
1994         kfree(bprm->security);
1995         bprm->security = NULL;
1996 }
1997
1998 extern struct vfsmount *selinuxfs_mount;
1999 extern struct dentry *selinux_null;
2000
2001 /* Derived from fs/exec.c:flush_old_files. */
2002 static inline void flush_unauthorized_files(struct files_struct * files)
2003 {
2004         struct avc_audit_data ad;
2005         struct file *file, *devnull = NULL;
2006         struct tty_struct *tty;
2007         struct fdtable *fdt;
2008         long j = -1;
2009         int drop_tty = 0;
2010
2011         mutex_lock(&tty_mutex);
2012         tty = get_current_tty();
2013         if (tty) {
2014                 file_list_lock();
2015                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2016                 if (file) {
2017                         /* Revalidate access to controlling tty.
2018                            Use inode_has_perm on the tty inode directly rather
2019                            than using file_has_perm, as this particular open
2020                            file may belong to another process and we are only
2021                            interested in the inode-based check here. */
2022                         struct inode *inode = file->f_path.dentry->d_inode;
2023                         if (inode_has_perm(current, inode,
2024                                            FILE__READ | FILE__WRITE, NULL)) {
2025                                 drop_tty = 1;
2026                         }
2027                 }
2028                 file_list_unlock();
2029         }
2030         mutex_unlock(&tty_mutex);
2031         /* Reset controlling tty. */
2032         if (drop_tty)
2033                 no_tty();
2034
2035         /* Revalidate access to inherited open files. */
2036
2037         AVC_AUDIT_DATA_INIT(&ad,FS);
2038
2039         spin_lock(&files->file_lock);
2040         for (;;) {
2041                 unsigned long set, i;
2042                 int fd;
2043
2044                 j++;
2045                 i = j * __NFDBITS;
2046                 fdt = files_fdtable(files);
2047                 if (i >= fdt->max_fds)
2048                         break;
2049                 set = fdt->open_fds->fds_bits[j];
2050                 if (!set)
2051                         continue;
2052                 spin_unlock(&files->file_lock);
2053                 for ( ; set ; i++,set >>= 1) {
2054                         if (set & 1) {
2055                                 file = fget(i);
2056                                 if (!file)
2057                                         continue;
2058                                 if (file_has_perm(current,
2059                                                   file,
2060                                                   file_to_av(file))) {
2061                                         sys_close(i);
2062                                         fd = get_unused_fd();
2063                                         if (fd != i) {
2064                                                 if (fd >= 0)
2065                                                         put_unused_fd(fd);
2066                                                 fput(file);
2067                                                 continue;
2068                                         }
2069                                         if (devnull) {
2070                                                 get_file(devnull);
2071                                         } else {
2072                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2073                                                 if (IS_ERR(devnull)) {
2074                                                         devnull = NULL;
2075                                                         put_unused_fd(fd);
2076                                                         fput(file);
2077                                                         continue;
2078                                                 }
2079                                         }
2080                                         fd_install(fd, devnull);
2081                                 }
2082                                 fput(file);
2083                         }
2084                 }
2085                 spin_lock(&files->file_lock);
2086
2087         }
2088         spin_unlock(&files->file_lock);
2089 }
2090
2091 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2092 {
2093         struct task_security_struct *tsec;
2094         struct bprm_security_struct *bsec;
2095         u32 sid;
2096         int rc;
2097
2098         secondary_ops->bprm_apply_creds(bprm, unsafe);
2099
2100         tsec = current->security;
2101
2102         bsec = bprm->security;
2103         sid = bsec->sid;
2104
2105         tsec->osid = tsec->sid;
2106         bsec->unsafe = 0;
2107         if (tsec->sid != sid) {
2108                 /* Check for shared state.  If not ok, leave SID
2109                    unchanged and kill. */
2110                 if (unsafe & LSM_UNSAFE_SHARE) {
2111                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2112                                         PROCESS__SHARE, NULL);
2113                         if (rc) {
2114                                 bsec->unsafe = 1;
2115                                 return;
2116                         }
2117                 }
2118
2119                 /* Check for ptracing, and update the task SID if ok.
2120                    Otherwise, leave SID unchanged and kill. */
2121                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2122                         rc = avc_has_perm(tsec->ptrace_sid, sid,
2123                                           SECCLASS_PROCESS, PROCESS__PTRACE,
2124                                           NULL);
2125                         if (rc) {
2126                                 bsec->unsafe = 1;
2127                                 return;
2128                         }
2129                 }
2130                 tsec->sid = sid;
2131         }
2132 }
2133
2134 /*
2135  * called after apply_creds without the task lock held
2136  */
2137 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2138 {
2139         struct task_security_struct *tsec;
2140         struct rlimit *rlim, *initrlim;
2141         struct itimerval itimer;
2142         struct bprm_security_struct *bsec;
2143         int rc, i;
2144
2145         tsec = current->security;
2146         bsec = bprm->security;
2147
2148         if (bsec->unsafe) {
2149                 force_sig_specific(SIGKILL, current);
2150                 return;
2151         }
2152         if (tsec->osid == tsec->sid)
2153                 return;
2154
2155         /* Close files for which the new task SID is not authorized. */
2156         flush_unauthorized_files(current->files);
2157
2158         /* Check whether the new SID can inherit signal state
2159            from the old SID.  If not, clear itimers to avoid
2160            subsequent signal generation and flush and unblock
2161            signals. This must occur _after_ the task SID has
2162           been updated so that any kill done after the flush
2163           will be checked against the new SID. */
2164         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2165                           PROCESS__SIGINH, NULL);
2166         if (rc) {
2167                 memset(&itimer, 0, sizeof itimer);
2168                 for (i = 0; i < 3; i++)
2169                         do_setitimer(i, &itimer, NULL);
2170                 flush_signals(current);
2171                 spin_lock_irq(&current->sighand->siglock);
2172                 flush_signal_handlers(current, 1);
2173                 sigemptyset(&current->blocked);
2174                 recalc_sigpending();
2175                 spin_unlock_irq(&current->sighand->siglock);
2176         }
2177
2178         /* Always clear parent death signal on SID transitions. */
2179         current->pdeath_signal = 0;
2180
2181         /* Check whether the new SID can inherit resource limits
2182            from the old SID.  If not, reset all soft limits to
2183            the lower of the current task's hard limit and the init
2184            task's soft limit.  Note that the setting of hard limits
2185            (even to lower them) can be controlled by the setrlimit
2186            check. The inclusion of the init task's soft limit into
2187            the computation is to avoid resetting soft limits higher
2188            than the default soft limit for cases where the default
2189            is lower than the hard limit, e.g. RLIMIT_CORE or
2190            RLIMIT_STACK.*/
2191         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2192                           PROCESS__RLIMITINH, NULL);
2193         if (rc) {
2194                 for (i = 0; i < RLIM_NLIMITS; i++) {
2195                         rlim = current->signal->rlim + i;
2196                         initrlim = init_task.signal->rlim+i;
2197                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2198                 }
2199                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2200                         /*
2201                          * This will cause RLIMIT_CPU calculations
2202                          * to be refigured.
2203                          */
2204                         current->it_prof_expires = jiffies_to_cputime(1);
2205                 }
2206         }
2207
2208         /* Wake up the parent if it is waiting so that it can
2209            recheck wait permission to the new task SID. */
2210         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2211 }
2212
2213 /* superblock security operations */
2214
2215 static int selinux_sb_alloc_security(struct super_block *sb)
2216 {
2217         return superblock_alloc_security(sb);
2218 }
2219
2220 static void selinux_sb_free_security(struct super_block *sb)
2221 {
2222         superblock_free_security(sb);
2223 }
2224
2225 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2226 {
2227         if (plen > olen)
2228                 return 0;
2229
2230         return !memcmp(prefix, option, plen);
2231 }
2232
2233 static inline int selinux_option(char *option, int len)
2234 {
2235         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2236                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2237                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2238                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2239 }
2240
2241 static inline void take_option(char **to, char *from, int *first, int len)
2242 {
2243         if (!*first) {
2244                 **to = ',';
2245                 *to += 1;
2246         } else
2247                 *first = 0;
2248         memcpy(*to, from, len);
2249         *to += len;
2250 }
2251
2252 static inline void take_selinux_option(char **to, char *from, int *first, 
2253                                        int len)
2254 {
2255         int current_size = 0;
2256
2257         if (!*first) {
2258                 **to = '|';
2259                 *to += 1;
2260         }
2261         else
2262                 *first = 0;
2263
2264         while (current_size < len) {
2265                 if (*from != '"') {
2266                         **to = *from;
2267                         *to += 1;
2268                 }
2269                 from += 1;
2270                 current_size += 1;
2271         }
2272 }
2273
2274 static int selinux_sb_copy_data(char *orig, char *copy)
2275 {
2276         int fnosec, fsec, rc = 0;
2277         char *in_save, *in_curr, *in_end;
2278         char *sec_curr, *nosec_save, *nosec;
2279         int open_quote = 0;
2280
2281         in_curr = orig;
2282         sec_curr = copy;
2283
2284         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2285         if (!nosec) {
2286                 rc = -ENOMEM;
2287                 goto out;
2288         }
2289
2290         nosec_save = nosec;
2291         fnosec = fsec = 1;
2292         in_save = in_end = orig;
2293
2294         do {
2295                 if (*in_end == '"')
2296                         open_quote = !open_quote;
2297                 if ((*in_end == ',' && open_quote == 0) ||
2298                                 *in_end == '\0') {
2299                         int len = in_end - in_curr;
2300
2301                         if (selinux_option(in_curr, len))
2302                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2303                         else
2304                                 take_option(&nosec, in_curr, &fnosec, len);
2305
2306                         in_curr = in_end + 1;
2307                 }
2308         } while (*in_end++);
2309
2310         strcpy(in_save, nosec_save);
2311         free_page((unsigned long)nosec_save);
2312 out:
2313         return rc;
2314 }
2315
2316 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2317 {
2318         struct avc_audit_data ad;
2319         int rc;
2320
2321         rc = superblock_doinit(sb, data);
2322         if (rc)
2323                 return rc;
2324
2325         AVC_AUDIT_DATA_INIT(&ad,FS);
2326         ad.u.fs.path.dentry = sb->s_root;
2327         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2328 }
2329
2330 static int selinux_sb_statfs(struct dentry *dentry)
2331 {
2332         struct avc_audit_data ad;
2333
2334         AVC_AUDIT_DATA_INIT(&ad,FS);
2335         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2336         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2337 }
2338
2339 static int selinux_mount(char * dev_name,
2340                          struct nameidata *nd,
2341                          char * type,
2342                          unsigned long flags,
2343                          void * data)
2344 {
2345         int rc;
2346
2347         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2348         if (rc)
2349                 return rc;
2350
2351         if (flags & MS_REMOUNT)
2352                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2353                                            FILESYSTEM__REMOUNT, NULL);
2354         else
2355                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2356                                        FILE__MOUNTON);
2357 }
2358
2359 static int selinux_umount(struct vfsmount *mnt, int flags)
2360 {
2361         int rc;
2362
2363         rc = secondary_ops->sb_umount(mnt, flags);
2364         if (rc)
2365                 return rc;
2366
2367         return superblock_has_perm(current,mnt->mnt_sb,
2368                                    FILESYSTEM__UNMOUNT,NULL);
2369 }
2370
2371 /* inode security operations */
2372
2373 static int selinux_inode_alloc_security(struct inode *inode)
2374 {
2375         return inode_alloc_security(inode);
2376 }
2377
2378 static void selinux_inode_free_security(struct inode *inode)
2379 {
2380         inode_free_security(inode);
2381 }
2382
2383 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2384                                        char **name, void **value,
2385                                        size_t *len)
2386 {
2387         struct task_security_struct *tsec;
2388         struct inode_security_struct *dsec;
2389         struct superblock_security_struct *sbsec;
2390         u32 newsid, clen;
2391         int rc;
2392         char *namep = NULL, *context;
2393
2394         tsec = current->security;
2395         dsec = dir->i_security;
2396         sbsec = dir->i_sb->s_security;
2397
2398         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2399                 newsid = tsec->create_sid;
2400         } else {
2401                 rc = security_transition_sid(tsec->sid, dsec->sid,
2402                                              inode_mode_to_security_class(inode->i_mode),
2403                                              &newsid);
2404                 if (rc) {
2405                         printk(KERN_WARNING "%s:  "
2406                                "security_transition_sid failed, rc=%d (dev=%s "
2407                                "ino=%ld)\n",
2408                                __FUNCTION__,
2409                                -rc, inode->i_sb->s_id, inode->i_ino);
2410                         return rc;
2411                 }
2412         }
2413
2414         /* Possibly defer initialization to selinux_complete_init. */
2415         if (sbsec->initialized) {
2416                 struct inode_security_struct *isec = inode->i_security;
2417                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2418                 isec->sid = newsid;
2419                 isec->initialized = 1;
2420         }
2421
2422         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2423                 return -EOPNOTSUPP;
2424
2425         if (name) {
2426                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2427                 if (!namep)
2428                         return -ENOMEM;
2429                 *name = namep;
2430         }
2431
2432         if (value && len) {
2433                 rc = security_sid_to_context(newsid, &context, &clen);
2434                 if (rc) {
2435                         kfree(namep);
2436                         return rc;
2437                 }
2438                 *value = context;
2439                 *len = clen;
2440         }
2441
2442         return 0;
2443 }
2444
2445 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2446 {
2447         return may_create(dir, dentry, SECCLASS_FILE);
2448 }
2449
2450 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2451 {
2452         int rc;
2453
2454         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2455         if (rc)
2456                 return rc;
2457         return may_link(dir, old_dentry, MAY_LINK);
2458 }
2459
2460 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2461 {
2462         int rc;
2463
2464         rc = secondary_ops->inode_unlink(dir, dentry);
2465         if (rc)
2466                 return rc;
2467         return may_link(dir, dentry, MAY_UNLINK);
2468 }
2469
2470 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2471 {
2472         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2473 }
2474
2475 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2476 {
2477         return may_create(dir, dentry, SECCLASS_DIR);
2478 }
2479
2480 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2481 {
2482         return may_link(dir, dentry, MAY_RMDIR);
2483 }
2484
2485 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2486 {
2487         int rc;
2488
2489         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2490         if (rc)
2491                 return rc;
2492
2493         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2494 }
2495
2496 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2497                                 struct inode *new_inode, struct dentry *new_dentry)
2498 {
2499         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2500 }
2501
2502 static int selinux_inode_readlink(struct dentry *dentry)
2503 {
2504         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2505 }
2506
2507 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2508 {
2509         int rc;
2510
2511         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2512         if (rc)
2513                 return rc;
2514         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2515 }
2516
2517 static int selinux_inode_permission(struct inode *inode, int mask,
2518                                     struct nameidata *nd)
2519 {
2520         int rc;
2521
2522         rc = secondary_ops->inode_permission(inode, mask, nd);
2523         if (rc)
2524                 return rc;
2525
2526         if (!mask) {
2527                 /* No permission to check.  Existence test. */
2528                 return 0;
2529         }
2530
2531         return inode_has_perm(current, inode,
2532                                file_mask_to_av(inode->i_mode, mask), NULL);
2533 }
2534
2535 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2536 {
2537         int rc;
2538
2539         rc = secondary_ops->inode_setattr(dentry, iattr);
2540         if (rc)
2541                 return rc;
2542
2543         if (iattr->ia_valid & ATTR_FORCE)
2544                 return 0;
2545
2546         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2547                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2548                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2549
2550         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2551 }
2552
2553 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2554 {
2555         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2556 }
2557
2558 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2559 {
2560         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2561                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2562                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2563                         if (!capable(CAP_SETFCAP))
2564                                 return -EPERM;
2565                 } else if (!capable(CAP_SYS_ADMIN)) {
2566                         /* A different attribute in the security namespace.
2567                            Restrict to administrator. */
2568                         return -EPERM;
2569                 }
2570         }
2571
2572         /* Not an attribute we recognize, so just check the
2573            ordinary setattr permission. */
2574         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2575 }
2576
2577 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2578 {
2579         struct task_security_struct *tsec = current->security;
2580         struct inode *inode = dentry->d_inode;
2581         struct inode_security_struct *isec = inode->i_security;
2582         struct superblock_security_struct *sbsec;
2583         struct avc_audit_data ad;
2584         u32 newsid;
2585         int rc = 0;
2586
2587         if (strcmp(name, XATTR_NAME_SELINUX))
2588                 return selinux_inode_setotherxattr(dentry, name);
2589
2590         sbsec = inode->i_sb->s_security;
2591         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2592                 return -EOPNOTSUPP;
2593
2594         if (!is_owner_or_cap(inode))
2595                 return -EPERM;
2596
2597         AVC_AUDIT_DATA_INIT(&ad,FS);
2598         ad.u.fs.path.dentry = dentry;
2599
2600         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2601                           FILE__RELABELFROM, &ad);
2602         if (rc)
2603                 return rc;
2604
2605         rc = security_context_to_sid(value, size, &newsid);
2606         if (rc)
2607                 return rc;
2608
2609         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2610                           FILE__RELABELTO, &ad);
2611         if (rc)
2612                 return rc;
2613
2614         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2615                                           isec->sclass);
2616         if (rc)
2617                 return rc;
2618
2619         return avc_has_perm(newsid,
2620                             sbsec->sid,
2621                             SECCLASS_FILESYSTEM,
2622                             FILESYSTEM__ASSOCIATE,
2623                             &ad);
2624 }
2625
2626 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2627                                         void *value, size_t size, int flags)
2628 {
2629         struct inode *inode = dentry->d_inode;
2630         struct inode_security_struct *isec = inode->i_security;
2631         u32 newsid;
2632         int rc;
2633
2634         if (strcmp(name, XATTR_NAME_SELINUX)) {
2635                 /* Not an attribute we recognize, so nothing to do. */
2636                 return;
2637         }
2638
2639         rc = security_context_to_sid(value, size, &newsid);
2640         if (rc) {
2641                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2642                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2643                 return;
2644         }
2645
2646         isec->sid = newsid;
2647         return;
2648 }
2649
2650 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2651 {
2652         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2653 }
2654
2655 static int selinux_inode_listxattr (struct dentry *dentry)
2656 {
2657         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2658 }
2659
2660 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2661 {
2662         if (strcmp(name, XATTR_NAME_SELINUX))
2663                 return selinux_inode_setotherxattr(dentry, name);
2664
2665         /* No one is allowed to remove a SELinux security label.
2666            You can change the label, but all data must be labeled. */
2667         return -EACCES;
2668 }
2669
2670 /*
2671  * Copy the in-core inode security context value to the user.  If the
2672  * getxattr() prior to this succeeded, check to see if we need to
2673  * canonicalize the value to be finally returned to the user.
2674  *
2675  * Permission check is handled by selinux_inode_getxattr hook.
2676  */
2677 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2678 {
2679         u32 size;
2680         int error;
2681         char *context = NULL;
2682         struct inode_security_struct *isec = inode->i_security;
2683
2684         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2685                 return -EOPNOTSUPP;
2686
2687         error = security_sid_to_context(isec->sid, &context, &size);
2688         if (error)
2689                 return error;
2690         error = size;
2691         if (alloc) {
2692                 *buffer = context;
2693                 goto out_nofree;
2694         }
2695         kfree(context);
2696 out_nofree:
2697         return error;
2698 }
2699
2700 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2701                                      const void *value, size_t size, int flags)
2702 {
2703         struct inode_security_struct *isec = inode->i_security;
2704         u32 newsid;
2705         int rc;
2706
2707         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2708                 return -EOPNOTSUPP;
2709
2710         if (!value || !size)
2711                 return -EACCES;
2712
2713         rc = security_context_to_sid((void*)value, size, &newsid);
2714         if (rc)
2715                 return rc;
2716
2717         isec->sid = newsid;
2718         return 0;
2719 }
2720
2721 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2722 {
2723         const int len = sizeof(XATTR_NAME_SELINUX);
2724         if (buffer && len <= buffer_size)
2725                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2726         return len;
2727 }
2728
2729 static int selinux_inode_need_killpriv(struct dentry *dentry)
2730 {
2731         return secondary_ops->inode_need_killpriv(dentry);
2732 }
2733
2734 static int selinux_inode_killpriv(struct dentry *dentry)
2735 {
2736         return secondary_ops->inode_killpriv(dentry);
2737 }
2738
2739 /* file security operations */
2740
2741 static int selinux_revalidate_file_permission(struct file *file, int mask)
2742 {
2743         int rc;
2744         struct inode *inode = file->f_path.dentry->d_inode;
2745
2746         if (!mask) {
2747                 /* No permission to check.  Existence test. */
2748                 return 0;
2749         }
2750
2751         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2752         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2753                 mask |= MAY_APPEND;
2754
2755         rc = file_has_perm(current, file,
2756                            file_mask_to_av(inode->i_mode, mask));
2757         if (rc)
2758                 return rc;
2759
2760         return selinux_netlbl_inode_permission(inode, mask);
2761 }
2762
2763 static int selinux_file_permission(struct file *file, int mask)
2764 {
2765         struct inode *inode = file->f_path.dentry->d_inode;
2766         struct task_security_struct *tsec = current->security;
2767         struct file_security_struct *fsec = file->f_security;
2768         struct inode_security_struct *isec = inode->i_security;
2769
2770         if (!mask) {
2771                 /* No permission to check.  Existence test. */
2772                 return 0;
2773         }
2774
2775         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2776             && fsec->pseqno == avc_policy_seqno())
2777                 return selinux_netlbl_inode_permission(inode, mask);
2778
2779         return selinux_revalidate_file_permission(file, mask);
2780 }
2781
2782 static int selinux_file_alloc_security(struct file *file)
2783 {
2784         return file_alloc_security(file);
2785 }
2786
2787 static void selinux_file_free_security(struct file *file)
2788 {
2789         file_free_security(file);
2790 }
2791
2792 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2793                               unsigned long arg)
2794 {
2795         int error = 0;
2796
2797         switch (cmd) {
2798                 case FIONREAD:
2799                 /* fall through */
2800                 case FIBMAP:
2801                 /* fall through */
2802                 case FIGETBSZ:
2803                 /* fall through */
2804                 case EXT2_IOC_GETFLAGS:
2805                 /* fall through */
2806                 case EXT2_IOC_GETVERSION:
2807                         error = file_has_perm(current, file, FILE__GETATTR);
2808                         break;
2809
2810                 case EXT2_IOC_SETFLAGS:
2811                 /* fall through */
2812                 case EXT2_IOC_SETVERSION:
2813                         error = file_has_perm(current, file, FILE__SETATTR);
2814                         break;
2815
2816                 /* sys_ioctl() checks */
2817                 case FIONBIO:
2818                 /* fall through */
2819                 case FIOASYNC:
2820                         error = file_has_perm(current, file, 0);
2821                         break;
2822
2823                 case KDSKBENT:
2824                 case KDSKBSENT:
2825                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2826                         break;
2827
2828                 /* default case assumes that the command will go
2829                  * to the file's ioctl() function.
2830                  */
2831                 default:
2832                         error = file_has_perm(current, file, FILE__IOCTL);
2833
2834         }
2835         return error;
2836 }
2837
2838 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2839 {
2840 #ifndef CONFIG_PPC32
2841         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2842                 /*
2843                  * We are making executable an anonymous mapping or a
2844                  * private file mapping that will also be writable.
2845                  * This has an additional check.
2846                  */
2847                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2848                 if (rc)
2849                         return rc;
2850         }
2851 #endif
2852
2853         if (file) {
2854                 /* read access is always possible with a mapping */
2855                 u32 av = FILE__READ;
2856
2857                 /* write access only matters if the mapping is shared */
2858                 if (shared && (prot & PROT_WRITE))
2859                         av |= FILE__WRITE;
2860
2861                 if (prot & PROT_EXEC)
2862                         av |= FILE__EXECUTE;
2863
2864                 return file_has_perm(current, file, av);
2865         }
2866         return 0;
2867 }
2868
2869 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2870                              unsigned long prot, unsigned long flags,
2871                              unsigned long addr, unsigned long addr_only)
2872 {
2873         int rc = 0;
2874         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2875
2876         if (addr < mmap_min_addr)
2877                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2878                                   MEMPROTECT__MMAP_ZERO, NULL);
2879         if (rc || addr_only)
2880                 return rc;
2881
2882         if (selinux_checkreqprot)
2883                 prot = reqprot;
2884
2885         return file_map_prot_check(file, prot,
2886                                    (flags & MAP_TYPE) == MAP_SHARED);
2887 }
2888
2889 static int selinux_file_mprotect(struct vm_area_struct *vma,
2890                                  unsigned long reqprot,
2891                                  unsigned long prot)
2892 {
2893         int rc;
2894
2895         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2896         if (rc)
2897                 return rc;
2898
2899         if (selinux_checkreqprot)
2900                 prot = reqprot;
2901
2902 #ifndef CONFIG_PPC32
2903         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2904                 rc = 0;
2905                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2906                     vma->vm_end <= vma->vm_mm->brk) {
2907                         rc = task_has_perm(current, current,
2908                                            PROCESS__EXECHEAP);
2909                 } else if (!vma->vm_file &&
2910                            vma->vm_start <= vma->vm_mm->start_stack &&
2911                            vma->vm_end >= vma->vm_mm->start_stack) {
2912                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2913                 } else if (vma->vm_file && vma->anon_vma) {
2914                         /*
2915                          * We are making executable a file mapping that has
2916                          * had some COW done. Since pages might have been
2917                          * written, check ability to execute the possibly
2918                          * modified content.  This typically should only
2919                          * occur for text relocations.
2920                          */
2921                         rc = file_has_perm(current, vma->vm_file,
2922                                            FILE__EXECMOD);
2923                 }
2924                 if (rc)
2925                         return rc;
2926         }
2927 #endif
2928
2929         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2930 }
2931
2932 static int selinux_file_lock(struct file *file, unsigned int cmd)
2933 {
2934         return file_has_perm(current, file, FILE__LOCK);
2935 }
2936
2937 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2938                               unsigned long arg)
2939 {
2940         int err = 0;
2941
2942         switch (cmd) {
2943                 case F_SETFL:
2944                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2945                                 err = -EINVAL;
2946                                 break;
2947                         }
2948
2949                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2950                                 err = file_has_perm(current, file,FILE__WRITE);
2951                                 break;
2952                         }
2953                         /* fall through */
2954                 case F_SETOWN:
2955                 case F_SETSIG:
2956                 case F_GETFL:
2957                 case F_GETOWN:
2958                 case F_GETSIG:
2959                         /* Just check FD__USE permission */
2960                         err = file_has_perm(current, file, 0);
2961                         break;
2962                 case F_GETLK:
2963                 case F_SETLK:
2964                 case F_SETLKW:
2965 #if BITS_PER_LONG == 32
2966                 case F_GETLK64:
2967                 case F_SETLK64:
2968                 case F_SETLKW64:
2969 #endif
2970                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2971                                 err = -EINVAL;
2972                                 break;
2973                         }
2974                         err = file_has_perm(current, file, FILE__LOCK);
2975                         break;
2976         }
2977
2978         return err;
2979 }
2980
2981 static int selinux_file_set_fowner(struct file *file)
2982 {
2983         struct task_security_struct *tsec;
2984         struct file_security_struct *fsec;
2985
2986         tsec = current->security;
2987         fsec = file->f_security;
2988         fsec->fown_sid = tsec->sid;
2989
2990         return 0;
2991 }
2992
2993 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2994                                        struct fown_struct *fown, int signum)
2995 {
2996         struct file *file;
2997         u32 perm;
2998         struct task_security_struct *tsec;
2999         struct file_security_struct *fsec;
3000
3001         /* struct fown_struct is never outside the context of a struct file */
3002         file = container_of(fown, struct file, f_owner);
3003
3004         tsec = tsk->security;
3005         fsec = file->f_security;
3006
3007         if (!signum)
3008                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3009         else
3010                 perm = signal_to_av(signum);
3011
3012         return avc_has_perm(fsec->fown_sid, tsec->sid,
3013                             SECCLASS_PROCESS, perm, NULL);
3014 }
3015
3016 static int selinux_file_receive(struct file *file)
3017 {
3018         return file_has_perm(current, file, file_to_av(file));
3019 }
3020
3021 static int selinux_dentry_open(struct file *file)
3022 {
3023         struct file_security_struct *fsec;
3024         struct inode *inode;
3025         struct inode_security_struct *isec;
3026         inode = file->f_path.dentry->d_inode;
3027         fsec = file->f_security;
3028         isec = inode->i_security;
3029         /*
3030          * Save inode label and policy sequence number
3031          * at open-time so that selinux_file_permission
3032          * can determine whether revalidation is necessary.
3033          * Task label is already saved in the file security
3034          * struct as its SID.
3035          */
3036         fsec->isid = isec->sid;
3037         fsec->pseqno = avc_policy_seqno();
3038         /*
3039          * Since the inode label or policy seqno may have changed
3040          * between the selinux_inode_permission check and the saving
3041          * of state above, recheck that access is still permitted.
3042          * Otherwise, access might never be revalidated against the
3043          * new inode label or new policy.
3044          * This check is not redundant - do not remove.
3045          */
3046         return inode_has_perm(current, inode, file_to_av(file), NULL);
3047 }
3048
3049 /* task security operations */
3050
3051 static int selinux_task_create(unsigned long clone_flags)
3052 {
3053         int rc;
3054
3055         rc = secondary_ops->task_create(clone_flags);
3056         if (rc)
3057                 return rc;
3058
3059         return task_has_perm(current, current, PROCESS__FORK);
3060 }
3061
3062 static int selinux_task_alloc_security(struct task_struct *tsk)
3063 {
3064         struct task_security_struct *tsec1, *tsec2;
3065         int rc;
3066
3067         tsec1 = current->security;
3068
3069         rc = task_alloc_security(tsk);
3070         if (rc)
3071                 return rc;
3072         tsec2 = tsk->security;
3073
3074         tsec2->osid = tsec1->osid;
3075         tsec2->sid = tsec1->sid;
3076
3077         /* Retain the exec, fs, key, and sock SIDs across fork */
3078         tsec2->exec_sid = tsec1->exec_sid;
3079         tsec2->create_sid = tsec1->create_sid;
3080         tsec2->keycreate_sid = tsec1->keycreate_sid;
3081         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3082
3083         /* Retain ptracer SID across fork, if any.
3084            This will be reset by the ptrace hook upon any
3085            subsequent ptrace_attach operations. */
3086         tsec2->ptrace_sid = tsec1->ptrace_sid;
3087
3088         return 0;
3089 }
3090
3091 static void selinux_task_free_security(struct task_struct *tsk)
3092 {
3093         task_free_security(tsk);
3094 }
3095
3096 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3097 {
3098         /* Since setuid only affects the current process, and
3099            since the SELinux controls are not based on the Linux
3100            identity attributes, SELinux does not need to control
3101            this operation.  However, SELinux does control the use
3102            of the CAP_SETUID and CAP_SETGID capabilities using the
3103            capable hook. */
3104         return 0;
3105 }
3106
3107 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3108 {
3109         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3110 }
3111
3112 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3113 {
3114         /* See the comment for setuid above. */
3115         return 0;
3116 }
3117
3118 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3119 {
3120         return task_has_perm(current, p, PROCESS__SETPGID);
3121 }
3122
3123 static int selinux_task_getpgid(struct task_struct *p)
3124 {
3125         return task_has_perm(current, p, PROCESS__GETPGID);
3126 }
3127
3128 static int selinux_task_getsid(struct task_struct *p)
3129 {
3130         return task_has_perm(current, p, PROCESS__GETSESSION);
3131 }
3132
3133 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3134 {
3135         selinux_get_task_sid(p, secid);
3136 }
3137
3138 static int selinux_task_setgroups(struct group_info *group_info)
3139 {
3140         /* See the comment for setuid above. */
3141         return 0;
3142 }
3143
3144 static int selinux_task_setnice(struct task_struct *p, int nice)
3145 {
3146         int rc;
3147
3148         rc = secondary_ops->task_setnice(p, nice);
3149         if (rc)
3150                 return rc;
3151
3152         return task_has_perm(current,p, PROCESS__SETSCHED);
3153 }
3154
3155 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3156 {
3157         int rc;
3158
3159         rc = secondary_ops->task_setioprio(p, ioprio);
3160         if (rc)
3161                 return rc;
3162
3163         return task_has_perm(current, p, PROCESS__SETSCHED);
3164 }
3165
3166 static int selinux_task_getioprio(struct task_struct *p)
3167 {
3168         return task_has_perm(current, p, PROCESS__GETSCHED);
3169 }
3170
3171 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3172 {
3173         struct rlimit *old_rlim = current->signal->rlim + resource;
3174         int rc;
3175
3176         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3177         if (rc)
3178                 return rc;
3179
3180         /* Control the ability to change the hard limit (whether
3181            lowering or raising it), so that the hard limit can
3182            later be used as a safe reset point for the soft limit
3183            upon context transitions. See selinux_bprm_apply_creds. */
3184         if (old_rlim->rlim_max != new_rlim->rlim_max)
3185                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3186
3187         return 0;
3188 }
3189
3190 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3191 {
3192         int rc;
3193
3194         rc = secondary_ops->task_setscheduler(p, policy, lp);
3195         if (rc)
3196                 return rc;
3197
3198         return task_has_perm(current, p, PROCESS__SETSCHED);
3199 }
3200
3201 static int selinux_task_getscheduler(struct task_struct *p)
3202 {
3203         return task_has_perm(current, p, PROCESS__GETSCHED);
3204 }
3205
3206 static int selinux_task_movememory(struct task_struct *p)
3207 {
3208         return task_has_perm(current, p, PROCESS__SETSCHED);
3209 }
3210
3211 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3212                                 int sig, u32 secid)
3213 {
3214         u32 perm;
3215         int rc;
3216         struct task_security_struct *tsec;
3217
3218         rc = secondary_ops->task_kill(p, info, sig, secid);
3219         if (rc)
3220                 return rc;
3221
3222         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3223                 return 0;
3224
3225         if (!sig)
3226                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3227         else
3228                 perm = signal_to_av(sig);
3229         tsec = p->security;
3230         if (secid)
3231                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3232         else
3233                 rc = task_has_perm(current, p, perm);
3234         return rc;
3235 }
3236
3237 static int selinux_task_prctl(int option,
3238                               unsigned long arg2,
3239                               unsigned long arg3,
3240                               unsigned long arg4,
3241                               unsigned long arg5)
3242 {
3243         /* The current prctl operations do not appear to require
3244            any SELinux controls since they merely observe or modify
3245            the state of the current process. */
3246         return 0;
3247 }
3248
3249 static int selinux_task_wait(struct task_struct *p)
3250 {
3251         return task_has_perm(p, current, PROCESS__SIGCHLD);
3252 }
3253
3254 static void selinux_task_reparent_to_init(struct task_struct *p)
3255 {
3256         struct task_security_struct *tsec;
3257
3258         secondary_ops->task_reparent_to_init(p);
3259
3260         tsec = p->security;
3261         tsec->osid = tsec->sid;
3262         tsec->sid = SECINITSID_KERNEL;
3263         return;
3264 }
3265
3266 static void selinux_task_to_inode(struct task_struct *p,
3267                                   struct inode *inode)
3268 {
3269         struct task_security_struct *tsec = p->security;
3270         struct inode_security_struct *isec = inode->i_security;
3271
3272         isec->sid = tsec->sid;
3273         isec->initialized = 1;
3274         return;
3275 }
3276
3277 /* Returns error only if unable to parse addresses */
3278 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3279                         struct avc_audit_data *ad, u8 *proto)
3280 {
3281         int offset, ihlen, ret = -EINVAL;
3282         struct iphdr _iph, *ih;
3283
3284         offset = skb_network_offset(skb);
3285         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3286         if (ih == NULL)
3287                 goto out;
3288
3289         ihlen = ih->ihl * 4;
3290         if (ihlen < sizeof(_iph))
3291                 goto out;
3292
3293         ad->u.net.v4info.saddr = ih->saddr;
3294         ad->u.net.v4info.daddr = ih->daddr;
3295         ret = 0;
3296
3297         if (proto)
3298                 *proto = ih->protocol;
3299
3300         switch (ih->protocol) {
3301         case IPPROTO_TCP: {
3302                 struct tcphdr _tcph, *th;
3303
3304                 if (ntohs(ih->frag_off) & IP_OFFSET)
3305                         break;
3306
3307                 offset += ihlen;
3308                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3309                 if (th == NULL)
3310                         break;
3311
3312                 ad->u.net.sport = th->source;
3313                 ad->u.net.dport = th->dest;
3314                 break;
3315         }
3316         
3317         case IPPROTO_UDP: {
3318                 struct udphdr _udph, *uh;
3319                 
3320                 if (ntohs(ih->frag_off) & IP_OFFSET)
3321                         break;
3322                         
3323                 offset += ihlen;
3324                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3325                 if (uh == NULL)
3326                         break;  
3327
3328                 ad->u.net.sport = uh->source;
3329                 ad->u.net.dport = uh->dest;
3330                 break;
3331         }
3332
3333         case IPPROTO_DCCP: {
3334                 struct dccp_hdr _dccph, *dh;
3335
3336                 if (ntohs(ih->frag_off) & IP_OFFSET)
3337                         break;
3338
3339                 offset += ihlen;
3340                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3341                 if (dh == NULL)
3342                         break;
3343
3344                 ad->u.net.sport = dh->dccph_sport;
3345                 ad->u.net.dport = dh->dccph_dport;
3346                 break;
3347         }
3348
3349         default:
3350                 break;
3351         }
3352 out:
3353         return ret;
3354 }
3355
3356 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3357
3358 /* Returns error only if unable to parse addresses */
3359 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3360                         struct avc_audit_data *ad, u8 *proto)
3361 {
3362         u8 nexthdr;
3363         int ret = -EINVAL, offset;
3364         struct ipv6hdr _ipv6h, *ip6;
3365
3366         offset = skb_network_offset(skb);
3367         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3368         if (ip6 == NULL)
3369                 goto out;
3370
3371         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3372         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3373         ret = 0;
3374
3375         nexthdr = ip6->nexthdr;
3376         offset += sizeof(_ipv6h);
3377         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3378         if (offset < 0)
3379                 goto out;
3380
3381         if (proto)
3382                 *proto = nexthdr;
3383
3384         switch (nexthdr) {
3385         case IPPROTO_TCP: {
3386                 struct tcphdr _tcph, *th;
3387
3388                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3389                 if (th == NULL)
3390                         break;
3391
3392                 ad->u.net.sport = th->source;
3393                 ad->u.net.dport = th->dest;
3394                 break;
3395         }
3396
3397         case IPPROTO_UDP: {
3398                 struct udphdr _udph, *uh;
3399
3400                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3401                 if (uh == NULL)
3402                         break;
3403
3404                 ad->u.net.sport = uh->source;
3405                 ad->u.net.dport = uh->dest;
3406                 break;
3407         }
3408
3409         case IPPROTO_DCCP: {
3410                 struct dccp_hdr _dccph, *dh;
3411
3412                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3413                 if (dh == NULL)
3414                         break;
3415
3416                 ad->u.net.sport = dh->dccph_sport;
3417                 ad->u.net.dport = dh->dccph_dport;
3418                 break;
3419         }
3420
3421         /* includes fragments */
3422         default:
3423                 break;
3424         }
3425 out:
3426         return ret;
3427 }
3428
3429 #endif /* IPV6 */
3430
3431 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3432                              char **addrp, int src, u8 *proto)
3433 {
3434         int ret = 0;
3435
3436         switch (ad->u.net.family) {
3437         case PF_INET:
3438                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3439                 if (ret || !addrp)
3440                         break;
3441                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3442                                         &ad->u.net.v4info.daddr);
3443                 break;
3444
3445 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3446         case PF_INET6:
3447                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3448                 if (ret || !addrp)
3449                         break;
3450                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3451                                         &ad->u.net.v6info.daddr);
3452                 break;
3453 #endif  /* IPV6 */
3454         default:
3455                 break;
3456         }
3457
3458         if (unlikely(ret))
3459                 printk(KERN_WARNING
3460                        "SELinux: failure in selinux_parse_skb(),"
3461                        " unable to parse packet\n");
3462
3463         return ret;
3464 }
3465
3466 /**
3467  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3468  * @skb: the packet
3469  * @family: protocol family
3470  * @sid: the packet's peer label SID
3471  *
3472  * Description:
3473  * Check the various different forms of network peer labeling and determine
3474  * the peer label/SID for the packet; most of the magic actually occurs in
3475  * the security server function security_net_peersid_cmp().  The function
3476  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3477  * or -EACCES if @sid is invalid due to inconsistencies with the different
3478  * peer labels.
3479  *
3480  */
3481 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3482 {
3483         int err;
3484         u32 xfrm_sid;
3485         u32 nlbl_sid;
3486         u32 nlbl_type;
3487
3488         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3489         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3490
3491         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3492         if (unlikely(err)) {
3493                 printk(KERN_WARNING
3494                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3495                        " unable to determine packet's peer label\n");
3496                 return -EACCES;
3497         }
3498
3499         return 0;
3500 }
3501
3502 /* socket security operations */
3503 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3504                            u32 perms)
3505 {
3506         struct inode_security_struct *isec;
3507         struct task_security_struct *tsec;
3508         struct avc_audit_data ad;
3509         int err = 0;
3510
3511         tsec = task->security;
3512         isec = SOCK_INODE(sock)->i_security;
3513
3514         if (isec->sid == SECINITSID_KERNEL)
3515                 goto out;
3516
3517         AVC_AUDIT_DATA_INIT(&ad,NET);
3518         ad.u.net.sk = sock->sk;
3519         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3520
3521 out:
3522         return err;
3523 }
3524
3525 static int selinux_socket_create(int family, int type,
3526                                  int protocol, int kern)
3527 {
3528         int err = 0;
3529         struct task_security_struct *tsec;
3530         u32 newsid;
3531
3532         if (kern)
3533                 goto out;
3534
3535         tsec = current->security;
3536         newsid = tsec->sockcreate_sid ? : tsec->sid;
3537         err = avc_has_perm(tsec->sid, newsid,
3538                            socket_type_to_security_class(family, type,
3539                            protocol), SOCKET__CREATE, NULL);
3540
3541 out:
3542         return err;
3543 }
3544
3545 static int selinux_socket_post_create(struct socket *sock, int family,
3546                                       int type, int protocol, int kern)
3547 {
3548         int err = 0;
3549         struct inode_security_struct *isec;
3550         struct task_security_struct *tsec;
3551         struct sk_security_struct *sksec;
3552         u32 newsid;
3553
3554         isec = SOCK_INODE(sock)->i_security;
3555
3556         tsec = current->security;
3557         newsid = tsec->sockcreate_sid ? : tsec->sid;
3558         isec->sclass = socket_type_to_security_class(family, type, protocol);
3559         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3560         isec->initialized = 1;
3561
3562         if (sock->sk) {
3563                 sksec = sock->sk->sk_security;
3564                 sksec->sid = isec->sid;
3565                 sksec->sclass = isec->sclass;
3566                 err = selinux_netlbl_socket_post_create(sock);
3567         }
3568
3569         return err;
3570 }
3571
3572 /* Range of port numbers used to automatically bind.
3573    Need to determine whether we should perform a name_bind
3574    permission check between the socket and the port number. */
3575
3576 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3577 {
3578         u16 family;
3579         int err;
3580
3581         err = socket_has_perm(current, sock, SOCKET__BIND);
3582         if (err)
3583                 goto out;
3584
3585         /*
3586          * If PF_INET or PF_INET6, check name_bind permission for the port.
3587          * Multiple address binding for SCTP is not supported yet: we just
3588          * check the first address now.
3589          */
3590         family = sock->sk->sk_family;
3591         if (family == PF_INET || family == PF_INET6) {
3592                 char *addrp;
3593                 struct inode_security_struct *isec;
3594                 struct task_security_struct *tsec;
3595                 struct avc_audit_data ad;
3596                 struct sockaddr_in *addr4 = NULL;
3597                 struct sockaddr_in6 *addr6 = NULL;
3598                 unsigned short snum;
3599                 struct sock *sk = sock->sk;
3600                 u32 sid, node_perm, addrlen;
3601
3602                 tsec = current->security;
3603                 isec = SOCK_INODE(sock)->i_security;
3604
3605                 if (family == PF_INET) {
3606                         addr4 = (struct sockaddr_in *)address;
3607                         snum = ntohs(addr4->sin_port);
3608                         addrlen = sizeof(addr4->sin_addr.s_addr);
3609                         addrp = (char *)&addr4->sin_addr.s_addr;
3610                 } else {
3611                         addr6 = (struct sockaddr_in6 *)address;
3612                         snum = ntohs(addr6->sin6_port);
3613                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3614                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3615                 }
3616
3617                 if (snum) {
3618                         int low, high;
3619
3620                         inet_get_local_port_range(&low, &high);
3621
3622                         if (snum < max(PROT_SOCK, low) || snum > high) {
3623                                 err = security_port_sid(sk->sk_family,
3624                                                         sk->sk_type,
3625                                                         sk->sk_protocol, snum,
3626                                                         &sid);
3627                                 if (err)
3628                                         goto out;
3629                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3630                                 ad.u.net.sport = htons(snum);
3631                                 ad.u.net.family = family;
3632                                 err = avc_has_perm(isec->sid, sid,
3633                                                    isec->sclass,
3634                                                    SOCKET__NAME_BIND, &ad);
3635                                 if (err)
3636                                         goto out;
3637                         }
3638                 }
3639                 
3640                 switch(isec->sclass) {
3641                 case SECCLASS_TCP_SOCKET:
3642                         node_perm = TCP_SOCKET__NODE_BIND;
3643                         break;
3644                         
3645                 case SECCLASS_UDP_SOCKET:
3646                         node_perm = UDP_SOCKET__NODE_BIND;
3647                         break;
3648
3649                 case SECCLASS_DCCP_SOCKET:
3650                         node_perm = DCCP_SOCKET__NODE_BIND;
3651                         break;
3652
3653                 default:
3654                         node_perm = RAWIP_SOCKET__NODE_BIND;
3655                         break;
3656                 }
3657                 
3658                 err = sel_netnode_sid(addrp, family, &sid);
3659                 if (err)
3660                         goto out;
3661                 
3662                 AVC_AUDIT_DATA_INIT(&ad,NET);
3663                 ad.u.net.sport = htons(snum);
3664                 ad.u.net.family = family;
3665
3666                 if (family == PF_INET)
3667                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3668                 else
3669                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3670
3671                 err = avc_has_perm(isec->sid, sid,
3672                                    isec->sclass, node_perm, &ad);
3673                 if (err)
3674                         goto out;
3675         }
3676 out:
3677         return err;
3678 }
3679
3680 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3681 {
3682         struct inode_security_struct *isec;
3683         int err;
3684
3685         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3686         if (err)
3687                 return err;
3688
3689         /*
3690          * If a TCP or DCCP socket, check name_connect permission for the port.
3691          */
3692         isec = SOCK_INODE(sock)->i_security;
3693         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3694             isec->sclass == SECCLASS_DCCP_SOCKET) {
3695                 struct sock *sk = sock->sk;
3696                 struct avc_audit_data ad;
3697                 struct sockaddr_in *addr4 = NULL;
3698                 struct sockaddr_in6 *addr6 = NULL;
3699                 unsigned short snum;
3700                 u32 sid, perm;
3701
3702                 if (sk->sk_family == PF_INET) {
3703                         addr4 = (struct sockaddr_in *)address;
3704                         if (addrlen < sizeof(struct sockaddr_in))
3705                                 return -EINVAL;
3706                         snum = ntohs(addr4->sin_port);
3707                 } else {
3708                         addr6 = (struct sockaddr_in6 *)address;
3709                         if (addrlen < SIN6_LEN_RFC2133)
3710                                 return -EINVAL;
3711                         snum = ntohs(addr6->sin6_port);
3712                 }
3713
3714                 err = security_port_sid(sk->sk_family, sk->sk_type,
3715                                         sk->sk_protocol, snum, &sid);
3716                 if (err)
3717                         goto out;
3718
3719                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3720                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3721
3722                 AVC_AUDIT_DATA_INIT(&ad,NET);
3723                 ad.u.net.dport = htons(snum);
3724                 ad.u.net.family = sk->sk_family;
3725                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3726                 if (err)
3727                         goto out;
3728         }
3729
3730 out:
3731         return err;
3732 }
3733
3734 static int selinux_socket_listen(struct socket *sock, int backlog)
3735 {
3736         return socket_has_perm(current, sock, SOCKET__LISTEN);
3737 }
3738
3739 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3740 {
3741         int err;
3742         struct inode_security_struct *isec;
3743         struct inode_security_struct *newisec;
3744
3745         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3746         if (err)
3747                 return err;
3748
3749         newisec = SOCK_INODE(newsock)->i_security;
3750
3751         isec = SOCK_INODE(sock)->i_security;
3752         newisec->sclass = isec->sclass;
3753         newisec->sid = isec->sid;
3754         newisec->initialized = 1;
3755
3756         return 0;
3757 }
3758
3759 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3760                                   int size)
3761 {
3762         int rc;
3763
3764         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3765         if (rc)
3766                 return rc;
3767
3768         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3769 }
3770
3771 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3772                                   int size, int flags)
3773 {
3774         return socket_has_perm(current, sock, SOCKET__READ);
3775 }
3776
3777 static int selinux_socket_getsockname(struct socket *sock)
3778 {
3779         return socket_has_perm(current, sock, SOCKET__GETATTR);
3780 }
3781
3782 static int selinux_socket_getpeername(struct socket *sock)
3783 {
3784         return socket_has_perm(current, sock, SOCKET__GETATTR);
3785 }
3786
3787 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3788 {
3789         int err;
3790
3791         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3792         if (err)
3793                 return err;
3794
3795         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3796 }
3797
3798 static int selinux_socket_getsockopt(struct socket *sock, int level,
3799                                      int optname)
3800 {
3801         return socket_has_perm(current, sock, SOCKET__GETOPT);
3802 }
3803
3804 static int selinux_socket_shutdown(struct socket *sock, int how)
3805 {
3806         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3807 }
3808
3809 static int selinux_socket_unix_stream_connect(struct socket *sock,
3810                                               struct socket *other,
3811                                               struct sock *newsk)
3812 {
3813         struct sk_security_struct *ssec;
3814         struct inode_security_struct *isec;
3815         struct inode_security_struct *other_isec;
3816         struct avc_audit_data ad;
3817         int err;
3818
3819         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3820         if (err)
3821                 return err;
3822
3823         isec = SOCK_INODE(sock)->i_security;
3824         other_isec = SOCK_INODE(other)->i_security;
3825
3826         AVC_AUDIT_DATA_INIT(&ad,NET);
3827         ad.u.net.sk = other->sk;
3828
3829         err = avc_has_perm(isec->sid, other_isec->sid,
3830                            isec->sclass,
3831                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3832         if (err)
3833                 return err;
3834
3835         /* connecting socket */
3836         ssec = sock->sk->sk_security;
3837         ssec->peer_sid = other_isec->sid;
3838         
3839         /* server child socket */
3840         ssec = newsk->sk_security;
3841         ssec->peer_sid = isec->sid;
3842         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3843
3844         return err;
3845 }
3846
3847 static int selinux_socket_unix_may_send(struct socket *sock,
3848                                         struct socket *other)
3849 {
3850         struct inode_security_struct *isec;
3851         struct inode_security_struct *other_isec;
3852         struct avc_audit_data ad;
3853         int err;
3854
3855         isec = SOCK_INODE(sock)->i_security;
3856         other_isec = SOCK_INODE(other)->i_security;
3857
3858         AVC_AUDIT_DATA_INIT(&ad,NET);
3859         ad.u.net.sk = other->sk;
3860
3861         err = avc_has_perm(isec->sid, other_isec->sid,
3862                            isec->sclass, SOCKET__SENDTO, &ad);
3863         if (err)
3864                 return err;
3865
3866         return 0;
3867 }
3868
3869 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3870                                     u32 peer_sid,
3871                                     struct avc_audit_data *ad)
3872 {
3873         int err;
3874         u32 if_sid;
3875         u32 node_sid;
3876
3877         err = sel_netif_sid(ifindex, &if_sid);
3878         if (err)
3879                 return err;
3880         err = avc_has_perm(peer_sid, if_sid,
3881                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3882         if (err)
3883                 return err;
3884
3885         err = sel_netnode_sid(addrp, family, &node_sid);
3886         if (err)
3887                 return err;
3888         return avc_has_perm(peer_sid, node_sid,
3889                             SECCLASS_NODE, NODE__RECVFROM, ad);
3890 }
3891
3892 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3893                                                 struct sk_buff *skb,
3894                                                 struct avc_audit_data *ad,
3895                                                 u16 family,
3896                                                 char *addrp)
3897 {
3898         int err;
3899         struct sk_security_struct *sksec = sk->sk_security;
3900         u16 sk_class;
3901         u32 netif_perm, node_perm, recv_perm;
3902         u32 port_sid, node_sid, if_sid, sk_sid;
3903
3904         sk_sid = sksec->sid;
3905         sk_class = sksec->sclass;
3906
3907         switch (sk_class) {
3908         case SECCLASS_UDP_SOCKET:
3909                 netif_perm = NETIF__UDP_RECV;
3910                 node_perm = NODE__UDP_RECV;
3911                 recv_perm = UDP_SOCKET__RECV_MSG;
3912                 break;
3913         case SECCLASS_TCP_SOCKET:
3914                 netif_perm = NETIF__TCP_RECV;
3915                 node_perm = NODE__TCP_RECV;
3916                 recv_perm = TCP_SOCKET__RECV_MSG;
3917                 break;
3918         case SECCLASS_DCCP_SOCKET:
3919                 netif_perm = NETIF__DCCP_RECV;
3920                 node_perm = NODE__DCCP_RECV;
3921                 recv_perm = DCCP_SOCKET__RECV_MSG;
3922                 break;
3923         default:
3924                 netif_perm = NETIF__RAWIP_RECV;
3925                 node_perm = NODE__RAWIP_RECV;
3926                 recv_perm = 0;
3927                 break;
3928         }
3929
3930         err = sel_netif_sid(skb->iif, &if_sid);
3931         if (err)
3932                 return err;
3933         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3934         if (err)
3935                 return err;
3936         
3937         err = sel_netnode_sid(addrp, family, &node_sid);
3938         if (err)
3939                 return err;
3940         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3941         if (err)
3942                 return err;
3943
3944         if (!recv_perm)
3945                 return 0;
3946         err = security_port_sid(sk->sk_family, sk->sk_type,
3947                                 sk->sk_protocol, ntohs(ad->u.net.sport),
3948                                 &port_sid);
3949         if (unlikely(err)) {
3950                 printk(KERN_WARNING
3951                        "SELinux: failure in"
3952                        " selinux_sock_rcv_skb_iptables_compat(),"
3953                        " network port label not found\n");
3954                 return err;
3955         }
3956         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3957 }
3958
3959 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3960                                        struct avc_audit_data *ad,
3961                                        u16 family, char *addrp)
3962 {
3963         int err;
3964         struct sk_security_struct *sksec = sk->sk_security;
3965         u32 peer_sid;
3966         u32 sk_sid = sksec->sid;
3967
3968         if (selinux_compat_net)
3969                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3970                                                            family, addrp);
3971         else
3972                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3973                                    PACKET__RECV, ad);
3974         if (err)
3975                 return err;
3976
3977         if (selinux_policycap_netpeer) {
3978                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3979                 if (err)
3980                         return err;
3981                 err = avc_has_perm(sk_sid, peer_sid,
3982                                    SECCLASS_PEER, PEER__RECV, ad);
3983         } else {
3984                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3985                 if (err)
3986                         return err;
3987                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3988         }
3989
3990         return err;
3991 }
3992
3993 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3994 {
3995         int err;
3996         struct sk_security_struct *sksec = sk->sk_security;
3997         u16 family = sk->sk_family;
3998         u32 sk_sid = sksec->sid;
3999         struct avc_audit_data ad;
4000         char *addrp;
4001
4002         if (family != PF_INET && family != PF_INET6)
4003                 return 0;
4004
4005         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4006         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4007                 family = PF_INET;
4008
4009         AVC_AUDIT_DATA_INIT(&ad, NET);
4010         ad.u.net.netif = skb->iif;
4011         ad.u.net.family = family;
4012         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4013         if (err)
4014                 return err;
4015
4016         /* If any sort of compatibility mode is enabled then handoff processing
4017          * to the selinux_sock_rcv_skb_compat() function to deal with the
4018          * special handling.  We do this in an attempt to keep this function
4019          * as fast and as clean as possible. */
4020         if (selinux_compat_net || !selinux_policycap_netpeer)
4021                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4022                                                    family, addrp);
4023
4024         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4025                 u32 peer_sid;
4026
4027                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4028                 if (err)
4029                         return err;
4030                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4031                                                peer_sid, &ad);
4032                 if (err)
4033                         return err;
4034                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4035                                    PEER__RECV, &ad);
4036         }
4037
4038         if (selinux_secmark_enabled()) {
4039                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4040                                    PACKET__RECV, &ad);
4041                 if (err)
4042                         return err;
4043         }
4044
4045         return err;
4046 }
4047
4048 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4049                                             int __user *optlen, unsigned len)
4050 {
4051         int err = 0;
4052         char *scontext;
4053         u32 scontext_len;
4054         struct sk_security_struct *ssec;
4055         struct inode_security_struct *isec;
4056         u32 peer_sid = SECSID_NULL;
4057
4058         isec = SOCK_INODE(sock)->i_security;
4059
4060         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4061             isec->sclass == SECCLASS_TCP_SOCKET) {
4062                 ssec = sock->sk->sk_security;
4063                 peer_sid = ssec->peer_sid;
4064         }
4065         if (peer_sid == SECSID_NULL) {
4066                 err = -ENOPROTOOPT;
4067                 goto out;
4068         }
4069
4070         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4071
4072         if (err)
4073                 goto out;
4074
4075         if (scontext_len > len) {
4076                 err = -ERANGE;
4077                 goto out_len;
4078         }
4079
4080         if (copy_to_user(optval, scontext, scontext_len))
4081                 err = -EFAULT;
4082
4083 out_len:
4084         if (put_user(scontext_len, optlen))
4085                 err = -EFAULT;
4086
4087         kfree(scontext);
4088 out:    
4089         return err;
4090 }
4091
4092 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4093 {
4094         u32 peer_secid = SECSID_NULL;
4095         u16 family;
4096
4097         if (sock)
4098                 family = sock->sk->sk_family;
4099         else if (skb && skb->sk)
4100                 family = skb->sk->sk_family;
4101         else
4102                 goto out;
4103
4104         if (sock && family == PF_UNIX)
4105                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4106         else if (skb)
4107                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4108
4109 out:
4110         *secid = peer_secid;
4111         if (peer_secid == SECSID_NULL)
4112                 return -EINVAL;
4113         return 0;
4114 }
4115
4116 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4117 {
4118         return sk_alloc_security(sk, family, priority);
4119 }
4120
4121 static void selinux_sk_free_security(struct sock *sk)
4122 {
4123         sk_free_security(sk);
4124 }
4125
4126 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4127 {
4128         struct sk_security_struct *ssec = sk->sk_security;
4129         struct sk_security_struct *newssec = newsk->sk_security;
4130
4131         newssec->sid = ssec->sid;
4132         newssec->peer_sid = ssec->peer_sid;
4133         newssec->sclass = ssec->sclass;
4134
4135         selinux_netlbl_sk_security_clone(ssec, newssec);
4136 }
4137
4138 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4139 {
4140         if (!sk)
4141                 *secid = SECINITSID_ANY_SOCKET;
4142         else {
4143                 struct sk_security_struct *sksec = sk->sk_security;
4144
4145                 *secid = sksec->sid;
4146         }
4147 }
4148
4149 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4150 {
4151         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4152         struct sk_security_struct *sksec = sk->sk_security;
4153
4154         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4155             sk->sk_family == PF_UNIX)
4156                 isec->sid = sksec->sid;
4157         sksec->sclass = isec->sclass;
4158
4159         selinux_netlbl_sock_graft(sk, parent);
4160 }
4161
4162 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4163                                      struct request_sock *req)
4164 {
4165         struct sk_security_struct *sksec = sk->sk_security;
4166         int err;
4167         u32 newsid;
4168         u32 peersid;
4169
4170         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4171         if (err)
4172                 return err;
4173         if (peersid == SECSID_NULL) {
4174                 req->secid = sksec->sid;
4175                 req->peer_secid = SECSID_NULL;
4176                 return 0;
4177         }
4178
4179         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4180         if (err)
4181                 return err;
4182
4183         req->secid = newsid;
4184         req->peer_secid = peersid;
4185         return 0;
4186 }
4187
4188 static void selinux_inet_csk_clone(struct sock *newsk,
4189                                    const struct request_sock *req)
4190 {
4191         struct sk_security_struct *newsksec = newsk->sk_security;
4192
4193         newsksec->sid = req->secid;
4194         newsksec->peer_sid = req->peer_secid;
4195         /* NOTE: Ideally, we should also get the isec->sid for the
4196            new socket in sync, but we don't have the isec available yet.
4197            So we will wait until sock_graft to do it, by which
4198            time it will have been created and available. */
4199
4200         /* We don't need to take any sort of lock here as we are the only
4201          * thread with access to newsksec */
4202         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4203 }
4204
4205 static void selinux_inet_conn_established(struct sock *sk,
4206                                 struct sk_buff *skb)
4207 {
4208         struct sk_security_struct *sksec = sk->sk_security;
4209
4210         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4211 }
4212
4213 static void selinux_req_classify_flow(const struct request_sock *req,
4214                                       struct flowi *fl)
4215 {
4216         fl->secid = req->secid;
4217 }
4218
4219 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4220 {
4221         int err = 0;
4222         u32 perm;
4223         struct nlmsghdr *nlh;
4224         struct socket *sock = sk->sk_socket;
4225         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4226         
4227         if (skb->len < NLMSG_SPACE(0)) {
4228                 err = -EINVAL;
4229                 goto out;
4230         }
4231         nlh = nlmsg_hdr(skb);
4232         
4233         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4234         if (err) {
4235                 if (err == -EINVAL) {
4236                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4237                                   "SELinux:  unrecognized netlink message"
4238                                   " type=%hu for sclass=%hu\n",
4239                                   nlh->nlmsg_type, isec->sclass);
4240                         if (!selinux_enforcing)
4241                                 err = 0;
4242                 }
4243
4244                 /* Ignore */
4245                 if (err == -ENOENT)
4246                         err = 0;
4247                 goto out;
4248         }
4249
4250         err = socket_has_perm(current, sock, perm);
4251 out:
4252         return err;
4253 }
4254
4255 #ifdef CONFIG_NETFILTER
4256
4257 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4258                                        u16 family)
4259 {
4260         char *addrp;
4261         u32 peer_sid;
4262         struct avc_audit_data ad;
4263         u8 secmark_active;
4264         u8 peerlbl_active;
4265
4266         if (!selinux_policycap_netpeer)
4267                 return NF_ACCEPT;
4268
4269         secmark_active = selinux_secmark_enabled();
4270         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4271         if (!secmark_active && !peerlbl_active)
4272                 return NF_ACCEPT;
4273
4274         AVC_AUDIT_DATA_INIT(&ad, NET);
4275         ad.u.net.netif = ifindex;
4276         ad.u.net.family = family;
4277         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4278                 return NF_DROP;
4279
4280         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4281                 return NF_DROP;
4282
4283         if (peerlbl_active)
4284                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4285                                              peer_sid, &ad) != 0)
4286                         return NF_DROP;
4287
4288         if (secmark_active)
4289                 if (avc_has_perm(peer_sid, skb->secmark,
4290                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4291                         return NF_DROP;
4292
4293         return NF_ACCEPT;
4294 }
4295
4296 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4297                                          struct sk_buff *skb,
4298                                          const struct net_device *in,
4299                                          const struct net_device *out,
4300                                          int (*okfn)(struct sk_buff *))
4301 {
4302         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4303 }
4304
4305 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4306 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4307                                          struct sk_buff *skb,
4308                                          const struct net_device *in,
4309                                          const struct net_device *out,
4310                                          int (*okfn)(struct sk_buff *))
4311 {
4312         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4313 }
4314 #endif  /* IPV6 */
4315
4316 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4317                                                 int ifindex,
4318                                                 struct avc_audit_data *ad,
4319                                                 u16 family, char *addrp)
4320 {
4321         int err;
4322         struct sk_security_struct *sksec = sk->sk_security;
4323         u16 sk_class;
4324         u32 netif_perm, node_perm, send_perm;
4325         u32 port_sid, node_sid, if_sid, sk_sid;
4326
4327         sk_sid = sksec->sid;
4328         sk_class = sksec->sclass;
4329
4330         switch (sk_class) {
4331         case SECCLASS_UDP_SOCKET:
4332                 netif_perm = NETIF__UDP_SEND;
4333                 node_perm = NODE__UDP_SEND;
4334                 send_perm = UDP_SOCKET__SEND_MSG;
4335                 break;
4336         case SECCLASS_TCP_SOCKET:
4337                 netif_perm = NETIF__TCP_SEND;
4338                 node_perm = NODE__TCP_SEND;
4339                 send_perm = TCP_SOCKET__SEND_MSG;
4340                 break;
4341         case SECCLASS_DCCP_SOCKET:
4342                 netif_perm = NETIF__DCCP_SEND;
4343                 node_perm = NODE__DCCP_SEND;
4344                 send_perm = DCCP_SOCKET__SEND_MSG;
4345                 break;
4346         default:
4347                 netif_perm = NETIF__RAWIP_SEND;
4348                 node_perm = NODE__RAWIP_SEND;
4349                 send_perm = 0;
4350                 break;
4351         }
4352
4353         err = sel_netif_sid(ifindex, &if_sid);
4354         if (err)
4355                 return err;
4356         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4357                 return err;
4358                 
4359         err = sel_netnode_sid(addrp, family, &node_sid);
4360         if (err)
4361                 return err;
4362         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4363         if (err)
4364                 return err;
4365
4366         if (send_perm != 0)
4367                 return 0;
4368
4369         err = security_port_sid(sk->sk_family, sk->sk_type,
4370                                 sk->sk_protocol, ntohs(ad->u.net.dport),
4371                                 &port_sid);
4372         if (unlikely(err)) {
4373                 printk(KERN_WARNING
4374                        "SELinux: failure in"
4375                        " selinux_ip_postroute_iptables_compat(),"
4376                        " network port label not found\n");
4377                 return err;
4378         }
4379         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4380 }
4381
4382 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4383                                                 int ifindex,
4384                                                 struct avc_audit_data *ad,
4385                                                 u16 family,
4386                                                 char *addrp,
4387                                                 u8 proto)
4388 {
4389         struct sock *sk = skb->sk;
4390         struct sk_security_struct *sksec;
4391
4392         if (sk == NULL)
4393                 return NF_ACCEPT;
4394         sksec = sk->sk_security;
4395
4396         if (selinux_compat_net) {
4397                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4398                                                          ad, family, addrp))
4399                         return NF_DROP;
4400         } else {
4401                 if (avc_has_perm(sksec->sid, skb->secmark,
4402                                  SECCLASS_PACKET, PACKET__SEND, ad))
4403                         return NF_DROP;
4404         }
4405
4406         if (selinux_policycap_netpeer)
4407                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4408                         return NF_DROP;
4409
4410         return NF_ACCEPT;
4411 }
4412
4413 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4414                                          u16 family)
4415 {
4416         u32 secmark_perm;
4417         u32 peer_sid;
4418         struct sock *sk;
4419         struct avc_audit_data ad;
4420         char *addrp;
4421         u8 proto;
4422         u8 secmark_active;
4423         u8 peerlbl_active;
4424
4425         AVC_AUDIT_DATA_INIT(&ad, NET);
4426         ad.u.net.netif = ifindex;
4427         ad.u.net.family = family;
4428         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4429                 return NF_DROP;
4430
4431         /* If any sort of compatibility mode is enabled then handoff processing
4432          * to the selinux_ip_postroute_compat() function to deal with the
4433          * special handling.  We do this in an attempt to keep this function
4434          * as fast and as clean as possible. */
4435         if (selinux_compat_net || !selinux_policycap_netpeer)
4436                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4437                                                    family, addrp, proto);
4438
4439         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4440          * packet transformation so allow the packet to pass without any checks
4441          * since we'll have another chance to perform access control checks
4442          * when the packet is on it's final way out.
4443          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4444          *       is NULL, in this case go ahead and apply access control. */
4445         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4446                 return NF_ACCEPT;
4447
4448         secmark_active = selinux_secmark_enabled();
4449         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4450         if (!secmark_active && !peerlbl_active)
4451                 return NF_ACCEPT;
4452
4453         /* if the packet is locally generated (skb->sk != NULL) then use the
4454          * socket's label as the peer label, otherwise the packet is being
4455          * forwarded through this system and we need to fetch the peer label
4456          * directly from the packet */
4457         sk = skb->sk;
4458         if (sk) {
4459                 struct sk_security_struct *sksec = sk->sk_security;
4460                 peer_sid = sksec->sid;
4461                 secmark_perm = PACKET__SEND;
4462         } else {
4463                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4464                                 return NF_DROP;
4465                 secmark_perm = PACKET__FORWARD_OUT;
4466         }
4467
4468         if (secmark_active)
4469                 if (avc_has_perm(peer_sid, skb->secmark,
4470                                  SECCLASS_PACKET, secmark_perm, &ad))
4471                         return NF_DROP;
4472
4473         if (peerlbl_active) {
4474                 u32 if_sid;
4475                 u32 node_sid;
4476
4477                 if (sel_netif_sid(ifindex, &if_sid))
4478                         return NF_DROP;
4479                 if (avc_has_perm(peer_sid, if_sid,
4480                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4481                         return NF_DROP;
4482
4483                 if (sel_netnode_sid(addrp, family, &node_sid))
4484                         return NF_DROP;
4485                 if (avc_has_perm(peer_sid, node_sid,
4486                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4487                         return NF_DROP;
4488         }
4489
4490         return NF_ACCEPT;
4491 }
4492
4493 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4494                                            struct sk_buff *skb,
4495                                            const struct net_device *in,
4496                                            const struct net_device *out,
4497                                            int (*okfn)(struct sk_buff *))
4498 {
4499         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4500 }
4501
4502 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4503 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4504                                            struct sk_buff *skb,
4505                                            const struct net_device *in,
4506                                            const struct net_device *out,
4507                                            int (*okfn)(struct sk_buff *))
4508 {
4509         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4510 }
4511 #endif  /* IPV6 */
4512
4513 #endif  /* CONFIG_NETFILTER */
4514
4515 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4516 {
4517         int err;
4518
4519         err = secondary_ops->netlink_send(sk, skb);
4520         if (err)
4521                 return err;
4522
4523         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4524                 err = selinux_nlmsg_perm(sk, skb);
4525
4526         return err;
4527 }
4528
4529 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4530 {
4531         int err;
4532         struct avc_audit_data ad;
4533
4534         err = secondary_ops->netlink_recv(skb, capability);
4535         if (err)
4536                 return err;
4537
4538         AVC_AUDIT_DATA_INIT(&ad, CAP);
4539         ad.u.cap = capability;
4540
4541         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4542                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4543 }
4544
4545 static int ipc_alloc_security(struct task_struct *task,
4546                               struct kern_ipc_perm *perm,
4547                               u16 sclass)
4548 {
4549         struct task_security_struct *tsec = task->security;
4550         struct ipc_security_struct *isec;
4551
4552         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4553         if (!isec)
4554                 return -ENOMEM;
4555
4556         isec->sclass = sclass;
4557         isec->ipc_perm = perm;
4558         isec->sid = tsec->sid;
4559         perm->security = isec;
4560
4561         return 0;
4562 }
4563
4564 static void ipc_free_security(struct kern_ipc_perm *perm)
4565 {
4566         struct ipc_security_struct *isec = perm->security;
4567         perm->security = NULL;
4568         kfree(isec);
4569 }
4570
4571 static int msg_msg_alloc_security(struct msg_msg *msg)
4572 {
4573         struct msg_security_struct *msec;
4574
4575         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4576         if (!msec)
4577                 return -ENOMEM;
4578
4579         msec->msg = msg;
4580         msec->sid = SECINITSID_UNLABELED;
4581         msg->security = msec;
4582
4583         return 0;
4584 }
4585
4586 static void msg_msg_free_security(struct msg_msg *msg)
4587 {
4588         struct msg_security_struct *msec = msg->security;
4589
4590         msg->security = NULL;
4591         kfree(msec);
4592 }
4593
4594 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4595                         u32 perms)
4596 {
4597         struct task_security_struct *tsec;
4598         struct ipc_security_struct *isec;
4599         struct avc_audit_data ad;
4600
4601         tsec = current->security;
4602         isec = ipc_perms->security;
4603
4604         AVC_AUDIT_DATA_INIT(&ad, IPC);
4605         ad.u.ipc_id = ipc_perms->key;
4606
4607         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4608 }
4609
4610 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4611 {
4612         return msg_msg_alloc_security(msg);
4613 }
4614
4615 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4616 {
4617         msg_msg_free_security(msg);
4618 }
4619
4620 /* message queue security operations */
4621 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4622 {
4623         struct task_security_struct *tsec;
4624         struct ipc_security_struct *isec;
4625         struct avc_audit_data ad;
4626         int rc;
4627
4628         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4629         if (rc)
4630                 return rc;
4631
4632         tsec = current->security;
4633         isec = msq->q_perm.security;
4634
4635         AVC_AUDIT_DATA_INIT(&ad, IPC);
4636         ad.u.ipc_id = msq->q_perm.key;
4637
4638         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4639                           MSGQ__CREATE, &ad);
4640         if (rc) {
4641                 ipc_free_security(&msq->q_perm);
4642                 return rc;
4643         }
4644         return 0;
4645 }
4646
4647 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4648 {
4649         ipc_free_security(&msq->q_perm);
4650 }
4651
4652 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4653 {
4654         struct task_security_struct *tsec;
4655         struct ipc_security_struct *isec;
4656         struct avc_audit_data ad;
4657
4658         tsec = current->security;
4659         isec = msq->q_perm.security;
4660
4661         AVC_AUDIT_DATA_INIT(&ad, IPC);
4662         ad.u.ipc_id = msq->q_perm.key;
4663
4664         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4665                             MSGQ__ASSOCIATE, &ad);
4666 }
4667
4668 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4669 {
4670         int err;
4671         int perms;
4672
4673         switch(cmd) {
4674         case IPC_INFO:
4675         case MSG_INFO:
4676                 /* No specific object, just general system-wide information. */
4677                 return task_has_system(current, SYSTEM__IPC_INFO);
4678         case IPC_STAT:
4679         case MSG_STAT:
4680                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4681                 break;
4682         case IPC_SET:
4683                 perms = MSGQ__SETATTR;
4684                 break;
4685         case IPC_RMID:
4686                 perms = MSGQ__DESTROY;
4687                 break;
4688         default:
4689                 return 0;
4690         }
4691
4692         err = ipc_has_perm(&msq->q_perm, perms);
4693         return err;
4694 }
4695
4696 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4697 {
4698         struct task_security_struct *tsec;
4699         struct ipc_security_struct *isec;
4700         struct msg_security_struct *msec;
4701         struct avc_audit_data ad;
4702         int rc;
4703
4704         tsec = current->security;
4705         isec = msq->q_perm.security;
4706         msec = msg->security;
4707
4708         /*
4709          * First time through, need to assign label to the message
4710          */
4711         if (msec->sid == SECINITSID_UNLABELED) {
4712                 /*
4713                  * Compute new sid based on current process and
4714                  * message queue this message will be stored in
4715                  */
4716                 rc = security_transition_sid(tsec->sid,
4717                                              isec->sid,
4718                                              SECCLASS_MSG,
4719                                              &msec->sid);
4720                 if (rc)
4721                         return rc;
4722         }
4723
4724         AVC_AUDIT_DATA_INIT(&ad, IPC);
4725         ad.u.ipc_id = msq->q_perm.key;
4726
4727         /* Can this process write to the queue? */
4728         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4729                           MSGQ__WRITE, &ad);
4730         if (!rc)
4731                 /* Can this process send the message */
4732                 rc = avc_has_perm(tsec->sid, msec->sid,
4733                                   SECCLASS_MSG, MSG__SEND, &ad);
4734         if (!rc)
4735                 /* Can the message be put in the queue? */
4736                 rc = avc_has_perm(msec->sid, isec->sid,
4737                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4738
4739         return rc;
4740 }
4741
4742 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4743                                     struct task_struct *target,
4744                                     long type, int mode)
4745 {
4746         struct task_security_struct *tsec;
4747         struct ipc_security_struct *isec;
4748         struct msg_security_struct *msec;
4749         struct avc_audit_data ad;
4750         int rc;
4751
4752         tsec = target->security;
4753         isec = msq->q_perm.security;
4754         msec = msg->security;
4755
4756         AVC_AUDIT_DATA_INIT(&ad, IPC);
4757         ad.u.ipc_id = msq->q_perm.key;
4758
4759         rc = avc_has_perm(tsec->sid, isec->sid,
4760                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4761         if (!rc)
4762                 rc = avc_has_perm(tsec->sid, msec->sid,
4763                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4764         return rc;
4765 }
4766
4767 /* Shared Memory security operations */
4768 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4769 {
4770         struct task_security_struct *tsec;
4771         struct ipc_security_struct *isec;
4772         struct avc_audit_data ad;
4773         int rc;
4774
4775         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4776         if (rc)
4777                 return rc;
4778
4779         tsec = current->security;
4780         isec = shp->shm_perm.security;
4781
4782         AVC_AUDIT_DATA_INIT(&ad, IPC);
4783         ad.u.ipc_id = shp->shm_perm.key;
4784
4785         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4786                           SHM__CREATE, &ad);
4787         if (rc) {
4788                 ipc_free_security(&shp->shm_perm);
4789                 return rc;
4790         }
4791         return 0;
4792 }
4793
4794 static void selinux_shm_free_security(struct shmid_kernel *shp)
4795 {
4796         ipc_free_security(&shp->shm_perm);
4797 }
4798
4799 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4800 {
4801         struct task_security_struct *tsec;
4802         struct ipc_security_struct *isec;
4803         struct avc_audit_data ad;
4804
4805         tsec = current->security;
4806         isec = shp->shm_perm.security;
4807
4808         AVC_AUDIT_DATA_INIT(&ad, IPC);
4809         ad.u.ipc_id = shp->shm_perm.key;
4810
4811         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4812                             SHM__ASSOCIATE, &ad);
4813 }
4814
4815 /* Note, at this point, shp is locked down */
4816 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4817 {
4818         int perms;
4819         int err;
4820
4821         switch(cmd) {
4822         case IPC_INFO:
4823         case SHM_INFO:
4824                 /* No specific object, just general system-wide information. */
4825                 return task_has_system(current, SYSTEM__IPC_INFO);
4826         case IPC_STAT:
4827         case SHM_STAT:
4828                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4829                 break;
4830         case IPC_SET:
4831                 perms = SHM__SETATTR;
4832                 break;
4833         case SHM_LOCK:
4834         case SHM_UNLOCK:
4835                 perms = SHM__LOCK;
4836                 break;
4837         case IPC_RMID:
4838                 perms = SHM__DESTROY;
4839                 break;
4840         default:
4841                 return 0;
4842         }
4843
4844         err = ipc_has_perm(&shp->shm_perm, perms);
4845         return err;
4846 }
4847
4848 static int selinux_shm_shmat(struct shmid_kernel *shp,
4849                              char __user *shmaddr, int shmflg)
4850 {
4851         u32 perms;
4852         int rc;
4853
4854         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4855         if (rc)
4856                 return rc;
4857
4858         if (shmflg & SHM_RDONLY)
4859                 perms = SHM__READ;
4860         else
4861                 perms = SHM__READ | SHM__WRITE;
4862
4863         return ipc_has_perm(&shp->shm_perm, perms);
4864 }
4865
4866 /* Semaphore security operations */
4867 static int selinux_sem_alloc_security(struct sem_array *sma)
4868 {
4869         struct task_security_struct *tsec;
4870         struct ipc_security_struct *isec;
4871         struct avc_audit_data ad;
4872         int rc;
4873
4874         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4875         if (rc)
4876                 return rc;
4877
4878         tsec = current->security;
4879         isec = sma->sem_perm.security;
4880
4881         AVC_AUDIT_DATA_INIT(&ad, IPC);
4882         ad.u.ipc_id = sma->sem_perm.key;
4883
4884         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4885                           SEM__CREATE, &ad);
4886         if (rc) {
4887                 ipc_free_security(&sma->sem_perm);
4888                 return rc;
4889         }
4890         return 0;
4891 }
4892
4893 static void selinux_sem_free_security(struct sem_array *sma)
4894 {
4895         ipc_free_security(&sma->sem_perm);
4896 }
4897
4898 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4899 {
4900         struct task_security_struct *tsec;
4901         struct ipc_security_struct *isec;
4902         struct avc_audit_data ad;
4903
4904         tsec = current->security;
4905         isec = sma->sem_perm.security;
4906
4907         AVC_AUDIT_DATA_INIT(&ad, IPC);
4908         ad.u.ipc_id = sma->sem_perm.key;
4909
4910         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4911                             SEM__ASSOCIATE, &ad);
4912 }
4913
4914 /* Note, at this point, sma is locked down */
4915 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4916 {
4917         int err;
4918         u32 perms;
4919
4920         switch(cmd) {
4921         case IPC_INFO:
4922         case SEM_INFO:
4923                 /* No specific object, just general system-wide information. */
4924                 return task_has_system(current, SYSTEM__IPC_INFO);
4925         case GETPID:
4926         case GETNCNT:
4927         case GETZCNT:
4928                 perms = SEM__GETATTR;
4929                 break;
4930         case GETVAL:
4931         case GETALL:
4932                 perms = SEM__READ;
4933                 break;
4934         case SETVAL:
4935         case SETALL:
4936                 perms = SEM__WRITE;
4937                 break;
4938         case IPC_RMID:
4939                 perms = SEM__DESTROY;
4940                 break;
4941         case IPC_SET:
4942                 perms = SEM__SETATTR;
4943                 break;
4944         case IPC_STAT:
4945         case SEM_STAT:
4946                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4947                 break;
4948         default:
4949                 return 0;
4950         }
4951
4952         err = ipc_has_perm(&sma->sem_perm, perms);
4953         return err;
4954 }
4955
4956 static int selinux_sem_semop(struct sem_array *sma,
4957                              struct sembuf *sops, unsigned nsops, int alter)
4958 {
4959         u32 perms;
4960
4961         if (alter)
4962                 perms = SEM__READ | SEM__WRITE;
4963         else
4964                 perms = SEM__READ;
4965
4966         return ipc_has_perm(&sma->sem_perm, perms);
4967 }
4968
4969 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4970 {
4971         u32 av = 0;
4972
4973         av = 0;
4974         if (flag & S_IRUGO)
4975                 av |= IPC__UNIX_READ;
4976         if (flag & S_IWUGO)
4977                 av |= IPC__UNIX_WRITE;
4978
4979         if (av == 0)
4980                 return 0;
4981
4982         return ipc_has_perm(ipcp, av);
4983 }
4984
4985 /* module stacking operations */
4986 static int selinux_register_security (const char *name, struct security_operations *ops)
4987 {
4988         if (secondary_ops != original_ops) {
4989                 printk(KERN_ERR "%s:  There is already a secondary security "
4990                        "module registered.\n", __FUNCTION__);
4991                 return -EINVAL;
4992         }
4993
4994         secondary_ops = ops;
4995
4996         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4997                __FUNCTION__,
4998                name);
4999
5000         return 0;
5001 }
5002
5003 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5004 {
5005         if (inode)
5006                 inode_doinit_with_dentry(inode, dentry);
5007 }
5008
5009 static int selinux_getprocattr(struct task_struct *p,
5010                                char *name, char **value)
5011 {
5012         struct task_security_struct *tsec;
5013         u32 sid;
5014         int error;
5015         unsigned len;
5016
5017         if (current != p) {
5018                 error = task_has_perm(current, p, PROCESS__GETATTR);
5019                 if (error)
5020                         return error;
5021         }
5022
5023         tsec = p->security;
5024
5025         if (!strcmp(name, "current"))
5026                 sid = tsec->sid;
5027         else if (!strcmp(name, "prev"))
5028                 sid = tsec->osid;
5029         else if (!strcmp(name, "exec"))
5030                 sid = tsec->exec_sid;
5031         else if (!strcmp(name, "fscreate"))
5032                 sid = tsec->create_sid;
5033         else if (!strcmp(name, "keycreate"))
5034                 sid = tsec->keycreate_sid;
5035         else if (!strcmp(name, "sockcreate"))
5036                 sid = tsec->sockcreate_sid;
5037         else
5038                 return -EINVAL;
5039
5040         if (!sid)
5041                 return 0;
5042
5043         error = security_sid_to_context(sid, value, &len);
5044         if (error)
5045                 return error;
5046         return len;
5047 }
5048
5049 static int selinux_setprocattr(struct task_struct *p,
5050                                char *name, void *value, size_t size)
5051 {
5052         struct task_security_struct *tsec;
5053         u32 sid = 0;
5054         int error;
5055         char *str = value;
5056
5057         if (current != p) {
5058                 /* SELinux only allows a process to change its own
5059                    security attributes. */
5060                 return -EACCES;
5061         }
5062
5063         /*
5064          * Basic control over ability to set these attributes at all.
5065          * current == p, but we'll pass them separately in case the
5066          * above restriction is ever removed.
5067          */
5068         if (!strcmp(name, "exec"))
5069                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5070         else if (!strcmp(name, "fscreate"))
5071                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5072         else if (!strcmp(name, "keycreate"))
5073                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5074         else if (!strcmp(name, "sockcreate"))
5075                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5076         else if (!strcmp(name, "current"))
5077                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5078         else
5079                 error = -EINVAL;
5080         if (error)
5081                 return error;
5082
5083         /* Obtain a SID for the context, if one was specified. */
5084         if (size && str[1] && str[1] != '\n') {
5085                 if (str[size-1] == '\n') {
5086                         str[size-1] = 0;
5087                         size--;
5088                 }
5089                 error = security_context_to_sid(value, size, &sid);
5090                 if (error)
5091                         return error;
5092         }
5093
5094         /* Permission checking based on the specified context is
5095            performed during the actual operation (execve,
5096            open/mkdir/...), when we know the full context of the
5097            operation.  See selinux_bprm_set_security for the execve
5098            checks and may_create for the file creation checks. The
5099            operation will then fail if the context is not permitted. */
5100         tsec = p->security;
5101         if (!strcmp(name, "exec"))
5102                 tsec->exec_sid = sid;
5103         else if (!strcmp(name, "fscreate"))
5104                 tsec->create_sid = sid;
5105         else if (!strcmp(name, "keycreate")) {
5106                 error = may_create_key(sid, p);
5107                 if (error)
5108                         return error;
5109                 tsec->keycreate_sid = sid;
5110         } else if (!strcmp(name, "sockcreate"))
5111                 tsec->sockcreate_sid = sid;
5112         else if (!strcmp(name, "current")) {
5113                 struct av_decision avd;
5114
5115                 if (sid == 0)
5116                         return -EINVAL;
5117
5118                 /* Only allow single threaded processes to change context */
5119                 if (atomic_read(&p->mm->mm_users) != 1) {
5120                         struct task_struct *g, *t;
5121                         struct mm_struct *mm = p->mm;
5122                         read_lock(&tasklist_lock);
5123                         do_each_thread(g, t)
5124                                 if (t->mm == mm && t != p) {
5125                                         read_unlock(&tasklist_lock);
5126                                         return -EPERM;
5127                                 }
5128                         while_each_thread(g, t);
5129                         read_unlock(&tasklist_lock);
5130                 }
5131
5132                 /* Check permissions for the transition. */
5133                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5134                                      PROCESS__DYNTRANSITION, NULL);
5135                 if (error)
5136                         return error;
5137
5138                 /* Check for ptracing, and update the task SID if ok.
5139                    Otherwise, leave SID unchanged and fail. */
5140                 task_lock(p);
5141                 if (p->ptrace & PT_PTRACED) {
5142                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5143                                                      SECCLASS_PROCESS,
5144                                                      PROCESS__PTRACE, 0, &avd);
5145                         if (!error)
5146                                 tsec->sid = sid;
5147                         task_unlock(p);
5148                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5149                                   PROCESS__PTRACE, &avd, error, NULL);
5150                         if (error)
5151                                 return error;
5152                 } else {
5153                         tsec->sid = sid;
5154                         task_unlock(p);
5155                 }
5156         }
5157         else
5158                 return -EINVAL;
5159
5160         return size;
5161 }
5162
5163 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5164 {
5165         return security_sid_to_context(secid, secdata, seclen);
5166 }
5167
5168 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5169 {
5170         return security_context_to_sid(secdata, seclen, secid);
5171 }
5172
5173 static void selinux_release_secctx(char *secdata, u32 seclen)
5174 {
5175         kfree(secdata);
5176 }
5177
5178 #ifdef CONFIG_KEYS
5179
5180 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5181                              unsigned long flags)
5182 {
5183         struct task_security_struct *tsec = tsk->security;
5184         struct key_security_struct *ksec;
5185
5186         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5187         if (!ksec)
5188                 return -ENOMEM;
5189
5190         ksec->obj = k;
5191         if (tsec->keycreate_sid)
5192                 ksec->sid = tsec->keycreate_sid;
5193         else
5194                 ksec->sid = tsec->sid;
5195         k->security = ksec;
5196
5197         return 0;
5198 }
5199
5200 static void selinux_key_free(struct key *k)
5201 {
5202         struct key_security_struct *ksec = k->security;
5203
5204         k->security = NULL;
5205         kfree(ksec);
5206 }
5207
5208 static int selinux_key_permission(key_ref_t key_ref,
5209                             struct task_struct *ctx,
5210                             key_perm_t perm)
5211 {
5212         struct key *key;
5213         struct task_security_struct *tsec;
5214         struct key_security_struct *ksec;
5215
5216         key = key_ref_to_ptr(key_ref);
5217
5218         tsec = ctx->security;
5219         ksec = key->security;
5220
5221         /* if no specific permissions are requested, we skip the
5222            permission check. No serious, additional covert channels
5223            appear to be created. */
5224         if (perm == 0)
5225                 return 0;
5226
5227         return avc_has_perm(tsec->sid, ksec->sid,
5228                             SECCLASS_KEY, perm, NULL);
5229 }
5230
5231 #endif
5232
5233 static struct security_operations selinux_ops = {
5234         .ptrace =                       selinux_ptrace,
5235         .capget =                       selinux_capget,
5236         .capset_check =                 selinux_capset_check,
5237         .capset_set =                   selinux_capset_set,
5238         .sysctl =                       selinux_sysctl,
5239         .capable =                      selinux_capable,
5240         .quotactl =                     selinux_quotactl,
5241         .quota_on =                     selinux_quota_on,
5242         .syslog =                       selinux_syslog,
5243         .vm_enough_memory =             selinux_vm_enough_memory,
5244
5245         .netlink_send =                 selinux_netlink_send,
5246         .netlink_recv =                 selinux_netlink_recv,
5247
5248         .bprm_alloc_security =          selinux_bprm_alloc_security,
5249         .bprm_free_security =           selinux_bprm_free_security,
5250         .bprm_apply_creds =             selinux_bprm_apply_creds,
5251         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5252         .bprm_set_security =            selinux_bprm_set_security,
5253         .bprm_check_security =          selinux_bprm_check_security,
5254         .bprm_secureexec =              selinux_bprm_secureexec,
5255
5256         .sb_alloc_security =            selinux_sb_alloc_security,
5257         .sb_free_security =             selinux_sb_free_security,
5258         .sb_copy_data =                 selinux_sb_copy_data,
5259         .sb_kern_mount =                selinux_sb_kern_mount,
5260         .sb_statfs =                    selinux_sb_statfs,
5261         .sb_mount =                     selinux_mount,
5262         .sb_umount =                    selinux_umount,
5263         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5264         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5265         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5266         .sb_parse_opts_str =            selinux_parse_opts_str,
5267
5268
5269         .inode_alloc_security =         selinux_inode_alloc_security,
5270         .inode_free_security =          selinux_inode_free_security,
5271         .inode_init_security =          selinux_inode_init_security,
5272         .inode_create =                 selinux_inode_create,
5273         .inode_link =                   selinux_inode_link,
5274         .inode_unlink =                 selinux_inode_unlink,
5275         .inode_symlink =                selinux_inode_symlink,
5276         .inode_mkdir =                  selinux_inode_mkdir,
5277         .inode_rmdir =                  selinux_inode_rmdir,
5278         .inode_mknod =                  selinux_inode_mknod,
5279         .inode_rename =                 selinux_inode_rename,
5280         .inode_readlink =               selinux_inode_readlink,
5281         .inode_follow_link =            selinux_inode_follow_link,
5282         .inode_permission =             selinux_inode_permission,
5283         .inode_setattr =                selinux_inode_setattr,
5284         .inode_getattr =                selinux_inode_getattr,
5285         .inode_setxattr =               selinux_inode_setxattr,
5286         .inode_post_setxattr =          selinux_inode_post_setxattr,
5287         .inode_getxattr =               selinux_inode_getxattr,
5288         .inode_listxattr =              selinux_inode_listxattr,
5289         .inode_removexattr =            selinux_inode_removexattr,
5290         .inode_getsecurity =            selinux_inode_getsecurity,
5291         .inode_setsecurity =            selinux_inode_setsecurity,
5292         .inode_listsecurity =           selinux_inode_listsecurity,
5293         .inode_need_killpriv =          selinux_inode_need_killpriv,
5294         .inode_killpriv =               selinux_inode_killpriv,
5295
5296         .file_permission =              selinux_file_permission,
5297         .file_alloc_security =          selinux_file_alloc_security,
5298         .file_free_security =           selinux_file_free_security,
5299         .file_ioctl =                   selinux_file_ioctl,
5300         .file_mmap =                    selinux_file_mmap,
5301         .file_mprotect =                selinux_file_mprotect,
5302         .file_lock =                    selinux_file_lock,
5303         .file_fcntl =                   selinux_file_fcntl,
5304         .file_set_fowner =              selinux_file_set_fowner,
5305         .file_send_sigiotask =          selinux_file_send_sigiotask,
5306         .file_receive =                 selinux_file_receive,
5307
5308         .dentry_open =                  selinux_dentry_open,
5309
5310         .task_create =                  selinux_task_create,
5311         .task_alloc_security =          selinux_task_alloc_security,
5312         .task_free_security =           selinux_task_free_security,
5313         .task_setuid =                  selinux_task_setuid,
5314         .task_post_setuid =             selinux_task_post_setuid,
5315         .task_setgid =                  selinux_task_setgid,
5316         .task_setpgid =                 selinux_task_setpgid,
5317         .task_getpgid =                 selinux_task_getpgid,
5318         .task_getsid =                  selinux_task_getsid,
5319         .task_getsecid =                selinux_task_getsecid,
5320         .task_setgroups =               selinux_task_setgroups,
5321         .task_setnice =                 selinux_task_setnice,
5322         .task_setioprio =               selinux_task_setioprio,
5323         .task_getioprio =               selinux_task_getioprio,
5324         .task_setrlimit =               selinux_task_setrlimit,
5325         .task_setscheduler =            selinux_task_setscheduler,
5326         .task_getscheduler =            selinux_task_getscheduler,
5327         .task_movememory =              selinux_task_movememory,
5328         .task_kill =                    selinux_task_kill,
5329         .task_wait =                    selinux_task_wait,
5330         .task_prctl =                   selinux_task_prctl,
5331         .task_reparent_to_init =        selinux_task_reparent_to_init,
5332         .task_to_inode =                selinux_task_to_inode,
5333
5334         .ipc_permission =               selinux_ipc_permission,
5335
5336         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5337         .msg_msg_free_security =        selinux_msg_msg_free_security,
5338
5339         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5340         .msg_queue_free_security =      selinux_msg_queue_free_security,
5341         .msg_queue_associate =          selinux_msg_queue_associate,
5342         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5343         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5344         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5345
5346         .shm_alloc_security =           selinux_shm_alloc_security,
5347         .shm_free_security =            selinux_shm_free_security,
5348         .shm_associate =                selinux_shm_associate,
5349         .shm_shmctl =                   selinux_shm_shmctl,
5350         .shm_shmat =                    selinux_shm_shmat,
5351
5352         .sem_alloc_security =           selinux_sem_alloc_security,
5353         .sem_free_security =            selinux_sem_free_security,
5354         .sem_associate =                selinux_sem_associate,
5355         .sem_semctl =                   selinux_sem_semctl,
5356         .sem_semop =                    selinux_sem_semop,
5357
5358         .register_security =            selinux_register_security,
5359
5360         .d_instantiate =                selinux_d_instantiate,
5361
5362         .getprocattr =                  selinux_getprocattr,
5363         .setprocattr =                  selinux_setprocattr,
5364
5365         .secid_to_secctx =              selinux_secid_to_secctx,
5366         .secctx_to_secid =              selinux_secctx_to_secid,
5367         .release_secctx =               selinux_release_secctx,
5368
5369         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5370         .unix_may_send =                selinux_socket_unix_may_send,
5371
5372         .socket_create =                selinux_socket_create,
5373         .socket_post_create =           selinux_socket_post_create,
5374         .socket_bind =                  selinux_socket_bind,
5375         .socket_connect =               selinux_socket_connect,
5376         .socket_listen =                selinux_socket_listen,
5377         .socket_accept =                selinux_socket_accept,
5378         .socket_sendmsg =               selinux_socket_sendmsg,
5379         .socket_recvmsg =               selinux_socket_recvmsg,
5380         .socket_getsockname =           selinux_socket_getsockname,
5381         .socket_getpeername =           selinux_socket_getpeername,
5382         .socket_getsockopt =            selinux_socket_getsockopt,
5383         .socket_setsockopt =            selinux_socket_setsockopt,
5384         .socket_shutdown =              selinux_socket_shutdown,
5385         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5386         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5387         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5388         .sk_alloc_security =            selinux_sk_alloc_security,
5389         .sk_free_security =             selinux_sk_free_security,
5390         .sk_clone_security =            selinux_sk_clone_security,
5391         .sk_getsecid =                  selinux_sk_getsecid,
5392         .sock_graft =                   selinux_sock_graft,
5393         .inet_conn_request =            selinux_inet_conn_request,
5394         .inet_csk_clone =               selinux_inet_csk_clone,
5395         .inet_conn_established =        selinux_inet_conn_established,
5396         .req_classify_flow =            selinux_req_classify_flow,
5397
5398 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5399         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5400         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5401         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5402         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5403         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5404         .xfrm_state_free_security =     selinux_xfrm_state_free,
5405         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5406         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5407         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5408         .xfrm_decode_session =          selinux_xfrm_decode_session,
5409 #endif
5410
5411 #ifdef CONFIG_KEYS
5412         .key_alloc =                    selinux_key_alloc,
5413         .key_free =                     selinux_key_free,
5414         .key_permission =               selinux_key_permission,
5415 #endif
5416 };
5417
5418 static __init int selinux_init(void)
5419 {
5420         struct task_security_struct *tsec;
5421
5422         if (!selinux_enabled) {
5423                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5424                 return 0;
5425         }
5426
5427         printk(KERN_INFO "SELinux:  Initializing.\n");
5428
5429         /* Set the security state for the initial task. */
5430         if (task_alloc_security(current))
5431                 panic("SELinux:  Failed to initialize initial task.\n");
5432         tsec = current->security;
5433         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5434
5435         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5436                                             sizeof(struct inode_security_struct),
5437                                             0, SLAB_PANIC, NULL);
5438         avc_init();
5439
5440         original_ops = secondary_ops = security_ops;
5441         if (!secondary_ops)
5442                 panic ("SELinux: No initial security operations\n");
5443         if (register_security (&selinux_ops))
5444                 panic("SELinux: Unable to register with kernel.\n");
5445
5446         if (selinux_enforcing) {
5447                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5448         } else {
5449                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5450         }
5451
5452 #ifdef CONFIG_KEYS
5453         /* Add security information to initial keyrings */
5454         selinux_key_alloc(&root_user_keyring, current,
5455                           KEY_ALLOC_NOT_IN_QUOTA);
5456         selinux_key_alloc(&root_session_keyring, current,
5457                           KEY_ALLOC_NOT_IN_QUOTA);
5458 #endif
5459
5460         return 0;
5461 }
5462
5463 void selinux_complete_init(void)
5464 {
5465         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5466
5467         /* Set up any superblocks initialized prior to the policy load. */
5468         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5469         spin_lock(&sb_lock);
5470         spin_lock(&sb_security_lock);
5471 next_sb:
5472         if (!list_empty(&superblock_security_head)) {
5473                 struct superblock_security_struct *sbsec =
5474                                 list_entry(superblock_security_head.next,
5475                                            struct superblock_security_struct,
5476                                            list);
5477                 struct super_block *sb = sbsec->sb;
5478                 sb->s_count++;
5479                 spin_unlock(&sb_security_lock);
5480                 spin_unlock(&sb_lock);
5481                 down_read(&sb->s_umount);
5482                 if (sb->s_root)
5483                         superblock_doinit(sb, NULL);
5484                 drop_super(sb);
5485                 spin_lock(&sb_lock);
5486                 spin_lock(&sb_security_lock);
5487                 list_del_init(&sbsec->list);
5488                 goto next_sb;
5489         }
5490         spin_unlock(&sb_security_lock);
5491         spin_unlock(&sb_lock);
5492 }
5493
5494 /* SELinux requires early initialization in order to label
5495    all processes and objects when they are created. */
5496 security_initcall(selinux_init);
5497
5498 #if defined(CONFIG_NETFILTER)
5499
5500 static struct nf_hook_ops selinux_ipv4_ops[] = {
5501         {
5502                 .hook =         selinux_ipv4_postroute,
5503                 .owner =        THIS_MODULE,
5504                 .pf =           PF_INET,
5505                 .hooknum =      NF_INET_POST_ROUTING,
5506                 .priority =     NF_IP_PRI_SELINUX_LAST,
5507         },
5508         {
5509                 .hook =         selinux_ipv4_forward,
5510                 .owner =        THIS_MODULE,
5511                 .pf =           PF_INET,
5512                 .hooknum =      NF_INET_FORWARD,
5513                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5514         }
5515 };
5516
5517 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5518
5519 static struct nf_hook_ops selinux_ipv6_ops[] = {
5520         {
5521                 .hook =         selinux_ipv6_postroute,
5522                 .owner =        THIS_MODULE,
5523                 .pf =           PF_INET6,
5524                 .hooknum =      NF_INET_POST_ROUTING,
5525                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5526         },
5527         {
5528                 .hook =         selinux_ipv6_forward,
5529                 .owner =        THIS_MODULE,
5530                 .pf =           PF_INET6,
5531                 .hooknum =      NF_INET_FORWARD,
5532                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5533         }
5534 };
5535
5536 #endif  /* IPV6 */
5537
5538 static int __init selinux_nf_ip_init(void)
5539 {
5540         int err = 0;
5541         u32 iter;
5542
5543         if (!selinux_enabled)
5544                 goto out;
5545
5546         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5547
5548         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5549                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5550                 if (err)
5551                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5552                               err);
5553         }
5554
5555 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5556         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5557                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5558                 if (err)
5559                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5560                               err);
5561         }
5562 #endif  /* IPV6 */
5563
5564 out:
5565         return err;
5566 }
5567
5568 __initcall(selinux_nf_ip_init);
5569
5570 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5571 static void selinux_nf_ip_exit(void)
5572 {
5573         u32 iter;
5574
5575         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5576
5577         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5578                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5579 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5580         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5581                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5582 #endif  /* IPV6 */
5583 }
5584 #endif
5585
5586 #else /* CONFIG_NETFILTER */
5587
5588 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5589 #define selinux_nf_ip_exit()
5590 #endif
5591
5592 #endif /* CONFIG_NETFILTER */
5593
5594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5595 int selinux_disable(void)
5596 {
5597         extern void exit_sel_fs(void);
5598         static int selinux_disabled = 0;
5599
5600         if (ss_initialized) {
5601                 /* Not permitted after initial policy load. */
5602                 return -EINVAL;
5603         }
5604
5605         if (selinux_disabled) {
5606                 /* Only do this once. */
5607                 return -EINVAL;
5608         }
5609
5610         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5611
5612         selinux_disabled = 1;
5613         selinux_enabled = 0;
5614
5615         /* Reset security_ops to the secondary module, dummy or capability. */
5616         security_ops = secondary_ops;
5617
5618         /* Unregister netfilter hooks. */
5619         selinux_nf_ip_exit();
5620
5621         /* Unregister selinuxfs. */
5622         exit_sel_fs();
5623
5624         return 0;
5625 }
5626 #endif
5627
5628