[PATCH] SELinux: convert to kzalloc
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         tsec->magic = SELINUX_MAGIC;
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140
141         if (!tsec || tsec->magic != SELINUX_MAGIC)
142                 return;
143
144         task->security = NULL;
145         kfree(tsec);
146 }
147
148 static int inode_alloc_security(struct inode *inode)
149 {
150         struct task_security_struct *tsec = current->security;
151         struct inode_security_struct *isec;
152
153         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154         if (!isec)
155                 return -ENOMEM;
156
157         init_MUTEX(&isec->sem);
158         INIT_LIST_HEAD(&isec->list);
159         isec->magic = SELINUX_MAGIC;
160         isec->inode = inode;
161         isec->sid = SECINITSID_UNLABELED;
162         isec->sclass = SECCLASS_FILE;
163         if (tsec && tsec->magic == SELINUX_MAGIC)
164                 isec->task_sid = tsec->sid;
165         else
166                 isec->task_sid = SECINITSID_UNLABELED;
167         inode->i_security = isec;
168
169         return 0;
170 }
171
172 static void inode_free_security(struct inode *inode)
173 {
174         struct inode_security_struct *isec = inode->i_security;
175         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
176
177         if (!isec || isec->magic != SELINUX_MAGIC)
178                 return;
179
180         spin_lock(&sbsec->isec_lock);
181         if (!list_empty(&isec->list))
182                 list_del_init(&isec->list);
183         spin_unlock(&sbsec->isec_lock);
184
185         inode->i_security = NULL;
186         kfree(isec);
187 }
188
189 static int file_alloc_security(struct file *file)
190 {
191         struct task_security_struct *tsec = current->security;
192         struct file_security_struct *fsec;
193
194         fsec = kzalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
195         if (!fsec)
196                 return -ENOMEM;
197
198         fsec->magic = SELINUX_MAGIC;
199         fsec->file = file;
200         if (tsec && tsec->magic == SELINUX_MAGIC) {
201                 fsec->sid = tsec->sid;
202                 fsec->fown_sid = tsec->sid;
203         } else {
204                 fsec->sid = SECINITSID_UNLABELED;
205                 fsec->fown_sid = SECINITSID_UNLABELED;
206         }
207         file->f_security = fsec;
208
209         return 0;
210 }
211
212 static void file_free_security(struct file *file)
213 {
214         struct file_security_struct *fsec = file->f_security;
215
216         if (!fsec || fsec->magic != SELINUX_MAGIC)
217                 return;
218
219         file->f_security = NULL;
220         kfree(fsec);
221 }
222
223 static int superblock_alloc_security(struct super_block *sb)
224 {
225         struct superblock_security_struct *sbsec;
226
227         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
228         if (!sbsec)
229                 return -ENOMEM;
230
231         init_MUTEX(&sbsec->sem);
232         INIT_LIST_HEAD(&sbsec->list);
233         INIT_LIST_HEAD(&sbsec->isec_head);
234         spin_lock_init(&sbsec->isec_lock);
235         sbsec->magic = SELINUX_MAGIC;
236         sbsec->sb = sb;
237         sbsec->sid = SECINITSID_UNLABELED;
238         sbsec->def_sid = SECINITSID_FILE;
239         sb->s_security = sbsec;
240
241         return 0;
242 }
243
244 static void superblock_free_security(struct super_block *sb)
245 {
246         struct superblock_security_struct *sbsec = sb->s_security;
247
248         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
249                 return;
250
251         spin_lock(&sb_security_lock);
252         if (!list_empty(&sbsec->list))
253                 list_del_init(&sbsec->list);
254         spin_unlock(&sb_security_lock);
255
256         sb->s_security = NULL;
257         kfree(sbsec);
258 }
259
260 #ifdef CONFIG_SECURITY_NETWORK
261 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
262 {
263         struct sk_security_struct *ssec;
264
265         if (family != PF_UNIX)
266                 return 0;
267
268         ssec = kzalloc(sizeof(*ssec), priority);
269         if (!ssec)
270                 return -ENOMEM;
271
272         ssec->magic = SELINUX_MAGIC;
273         ssec->sk = sk;
274         ssec->peer_sid = SECINITSID_UNLABELED;
275         sk->sk_security = ssec;
276
277         return 0;
278 }
279
280 static void sk_free_security(struct sock *sk)
281 {
282         struct sk_security_struct *ssec = sk->sk_security;
283
284         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
285                 return;
286
287         sk->sk_security = NULL;
288         kfree(ssec);
289 }
290 #endif  /* CONFIG_SECURITY_NETWORK */
291
292 /* The security server must be initialized before
293    any labeling or access decisions can be provided. */
294 extern int ss_initialized;
295
296 /* The file system's label must be initialized prior to use. */
297
298 static char *labeling_behaviors[6] = {
299         "uses xattr",
300         "uses transition SIDs",
301         "uses task SIDs",
302         "uses genfs_contexts",
303         "not configured for labeling",
304         "uses mountpoint labeling",
305 };
306
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308
309 static inline int inode_doinit(struct inode *inode)
310 {
311         return inode_doinit_with_dentry(inode, NULL);
312 }
313
314 enum {
315         Opt_context = 1,
316         Opt_fscontext = 2,
317         Opt_defcontext = 4,
318 };
319
320 static match_table_t tokens = {
321         {Opt_context, "context=%s"},
322         {Opt_fscontext, "fscontext=%s"},
323         {Opt_defcontext, "defcontext=%s"},
324 };
325
326 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
327
328 static int try_context_mount(struct super_block *sb, void *data)
329 {
330         char *context = NULL, *defcontext = NULL;
331         const char *name;
332         u32 sid;
333         int alloc = 0, rc = 0, seen = 0;
334         struct task_security_struct *tsec = current->security;
335         struct superblock_security_struct *sbsec = sb->s_security;
336
337         if (!data)
338                 goto out;
339
340         name = sb->s_type->name;
341
342         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
343
344                 /* NFS we understand. */
345                 if (!strcmp(name, "nfs")) {
346                         struct nfs_mount_data *d = data;
347
348                         if (d->version <  NFS_MOUNT_VERSION)
349                                 goto out;
350
351                         if (d->context[0]) {
352                                 context = d->context;
353                                 seen |= Opt_context;
354                         }
355                 } else
356                         goto out;
357
358         } else {
359                 /* Standard string-based options. */
360                 char *p, *options = data;
361
362                 while ((p = strsep(&options, ",")) != NULL) {
363                         int token;
364                         substring_t args[MAX_OPT_ARGS];
365
366                         if (!*p)
367                                 continue;
368
369                         token = match_token(p, tokens, args);
370
371                         switch (token) {
372                         case Opt_context:
373                                 if (seen) {
374                                         rc = -EINVAL;
375                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
376                                         goto out_free;
377                                 }
378                                 context = match_strdup(&args[0]);
379                                 if (!context) {
380                                         rc = -ENOMEM;
381                                         goto out_free;
382                                 }
383                                 if (!alloc)
384                                         alloc = 1;
385                                 seen |= Opt_context;
386                                 break;
387
388                         case Opt_fscontext:
389                                 if (seen & (Opt_context|Opt_fscontext)) {
390                                         rc = -EINVAL;
391                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
392                                         goto out_free;
393                                 }
394                                 context = match_strdup(&args[0]);
395                                 if (!context) {
396                                         rc = -ENOMEM;
397                                         goto out_free;
398                                 }
399                                 if (!alloc)
400                                         alloc = 1;
401                                 seen |= Opt_fscontext;
402                                 break;
403
404                         case Opt_defcontext:
405                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
406                                         rc = -EINVAL;
407                                         printk(KERN_WARNING "SELinux:  "
408                                                "defcontext option is invalid "
409                                                "for this filesystem type\n");
410                                         goto out_free;
411                                 }
412                                 if (seen & (Opt_context|Opt_defcontext)) {
413                                         rc = -EINVAL;
414                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
415                                         goto out_free;
416                                 }
417                                 defcontext = match_strdup(&args[0]);
418                                 if (!defcontext) {
419                                         rc = -ENOMEM;
420                                         goto out_free;
421                                 }
422                                 if (!alloc)
423                                         alloc = 1;
424                                 seen |= Opt_defcontext;
425                                 break;
426
427                         default:
428                                 rc = -EINVAL;
429                                 printk(KERN_WARNING "SELinux:  unknown mount "
430                                        "option\n");
431                                 goto out_free;
432
433                         }
434                 }
435         }
436
437         if (!seen)
438                 goto out;
439
440         if (context) {
441                 rc = security_context_to_sid(context, strlen(context), &sid);
442                 if (rc) {
443                         printk(KERN_WARNING "SELinux: security_context_to_sid"
444                                "(%s) failed for (dev %s, type %s) errno=%d\n",
445                                context, sb->s_id, name, rc);
446                         goto out_free;
447                 }
448
449                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450                                   FILESYSTEM__RELABELFROM, NULL);
451                 if (rc)
452                         goto out_free;
453
454                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELTO, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 sbsec->sid = sid;
460
461                 if (seen & Opt_context)
462                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
463         }
464
465         if (defcontext) {
466                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
467                 if (rc) {
468                         printk(KERN_WARNING "SELinux: security_context_to_sid"
469                                "(%s) failed for (dev %s, type %s) errno=%d\n",
470                                defcontext, sb->s_id, name, rc);
471                         goto out_free;
472                 }
473
474                 if (sid == sbsec->def_sid)
475                         goto out_free;
476
477                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
478                                   FILESYSTEM__RELABELFROM, NULL);
479                 if (rc)
480                         goto out_free;
481
482                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__ASSOCIATE, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 sbsec->def_sid = sid;
488         }
489
490 out_free:
491         if (alloc) {
492                 kfree(context);
493                 kfree(defcontext);
494         }
495 out:
496         return rc;
497 }
498
499 static int superblock_doinit(struct super_block *sb, void *data)
500 {
501         struct superblock_security_struct *sbsec = sb->s_security;
502         struct dentry *root = sb->s_root;
503         struct inode *inode = root->d_inode;
504         int rc = 0;
505
506         down(&sbsec->sem);
507         if (sbsec->initialized)
508                 goto out;
509
510         if (!ss_initialized) {
511                 /* Defer initialization until selinux_complete_init,
512                    after the initial policy is loaded and the security
513                    server is ready to handle calls. */
514                 spin_lock(&sb_security_lock);
515                 if (list_empty(&sbsec->list))
516                         list_add(&sbsec->list, &superblock_security_head);
517                 spin_unlock(&sb_security_lock);
518                 goto out;
519         }
520
521         /* Determine the labeling behavior to use for this filesystem type. */
522         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
523         if (rc) {
524                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
525                        __FUNCTION__, sb->s_type->name, rc);
526                 goto out;
527         }
528
529         rc = try_context_mount(sb, data);
530         if (rc)
531                 goto out;
532
533         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
534                 /* Make sure that the xattr handler exists and that no
535                    error other than -ENODATA is returned by getxattr on
536                    the root directory.  -ENODATA is ok, as this may be
537                    the first boot of the SELinux kernel before we have
538                    assigned xattr values to the filesystem. */
539                 if (!inode->i_op->getxattr) {
540                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
541                                "xattr support\n", sb->s_id, sb->s_type->name);
542                         rc = -EOPNOTSUPP;
543                         goto out;
544                 }
545                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
546                 if (rc < 0 && rc != -ENODATA) {
547                         if (rc == -EOPNOTSUPP)
548                                 printk(KERN_WARNING "SELinux: (dev %s, type "
549                                        "%s) has no security xattr handler\n",
550                                        sb->s_id, sb->s_type->name);
551                         else
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) getxattr errno %d\n", sb->s_id,
554                                        sb->s_type->name, -rc);
555                         goto out;
556                 }
557         }
558
559         if (strcmp(sb->s_type->name, "proc") == 0)
560                 sbsec->proc = 1;
561
562         sbsec->initialized = 1;
563
564         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
565                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
566                        sb->s_id, sb->s_type->name);
567         }
568         else {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
570                        sb->s_id, sb->s_type->name,
571                        labeling_behaviors[sbsec->behavior-1]);
572         }
573
574         /* Initialize the root inode. */
575         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
576
577         /* Initialize any other inodes associated with the superblock, e.g.
578            inodes created prior to initial policy load or inodes created
579            during get_sb by a pseudo filesystem that directly
580            populates itself. */
581         spin_lock(&sbsec->isec_lock);
582 next_inode:
583         if (!list_empty(&sbsec->isec_head)) {
584                 struct inode_security_struct *isec =
585                                 list_entry(sbsec->isec_head.next,
586                                            struct inode_security_struct, list);
587                 struct inode *inode = isec->inode;
588                 spin_unlock(&sbsec->isec_lock);
589                 inode = igrab(inode);
590                 if (inode) {
591                         if (!IS_PRIVATE (inode))
592                                 inode_doinit(inode);
593                         iput(inode);
594                 }
595                 spin_lock(&sbsec->isec_lock);
596                 list_del_init(&isec->list);
597                 goto next_inode;
598         }
599         spin_unlock(&sbsec->isec_lock);
600 out:
601         up(&sbsec->sem);
602         return rc;
603 }
604
605 static inline u16 inode_mode_to_security_class(umode_t mode)
606 {
607         switch (mode & S_IFMT) {
608         case S_IFSOCK:
609                 return SECCLASS_SOCK_FILE;
610         case S_IFLNK:
611                 return SECCLASS_LNK_FILE;
612         case S_IFREG:
613                 return SECCLASS_FILE;
614         case S_IFBLK:
615                 return SECCLASS_BLK_FILE;
616         case S_IFDIR:
617                 return SECCLASS_DIR;
618         case S_IFCHR:
619                 return SECCLASS_CHR_FILE;
620         case S_IFIFO:
621                 return SECCLASS_FIFO_FILE;
622
623         }
624
625         return SECCLASS_FILE;
626 }
627
628 static inline int default_protocol_stream(int protocol)
629 {
630         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
631 }
632
633 static inline int default_protocol_dgram(int protocol)
634 {
635         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
636 }
637
638 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
639 {
640         switch (family) {
641         case PF_UNIX:
642                 switch (type) {
643                 case SOCK_STREAM:
644                 case SOCK_SEQPACKET:
645                         return SECCLASS_UNIX_STREAM_SOCKET;
646                 case SOCK_DGRAM:
647                         return SECCLASS_UNIX_DGRAM_SOCKET;
648                 }
649                 break;
650         case PF_INET:
651         case PF_INET6:
652                 switch (type) {
653                 case SOCK_STREAM:
654                         if (default_protocol_stream(protocol))
655                                 return SECCLASS_TCP_SOCKET;
656                         else
657                                 return SECCLASS_RAWIP_SOCKET;
658                 case SOCK_DGRAM:
659                         if (default_protocol_dgram(protocol))
660                                 return SECCLASS_UDP_SOCKET;
661                         else
662                                 return SECCLASS_RAWIP_SOCKET;
663                 default:
664                         return SECCLASS_RAWIP_SOCKET;
665                 }
666                 break;
667         case PF_NETLINK:
668                 switch (protocol) {
669                 case NETLINK_ROUTE:
670                         return SECCLASS_NETLINK_ROUTE_SOCKET;
671                 case NETLINK_FIREWALL:
672                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
673                 case NETLINK_INET_DIAG:
674                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
675                 case NETLINK_NFLOG:
676                         return SECCLASS_NETLINK_NFLOG_SOCKET;
677                 case NETLINK_XFRM:
678                         return SECCLASS_NETLINK_XFRM_SOCKET;
679                 case NETLINK_SELINUX:
680                         return SECCLASS_NETLINK_SELINUX_SOCKET;
681                 case NETLINK_AUDIT:
682                         return SECCLASS_NETLINK_AUDIT_SOCKET;
683                 case NETLINK_IP6_FW:
684                         return SECCLASS_NETLINK_IP6FW_SOCKET;
685                 case NETLINK_DNRTMSG:
686                         return SECCLASS_NETLINK_DNRT_SOCKET;
687                 case NETLINK_KOBJECT_UEVENT:
688                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
689                 default:
690                         return SECCLASS_NETLINK_SOCKET;
691                 }
692         case PF_PACKET:
693                 return SECCLASS_PACKET_SOCKET;
694         case PF_KEY:
695                 return SECCLASS_KEY_SOCKET;
696         }
697
698         return SECCLASS_SOCKET;
699 }
700
701 #ifdef CONFIG_PROC_FS
702 static int selinux_proc_get_sid(struct proc_dir_entry *de,
703                                 u16 tclass,
704                                 u32 *sid)
705 {
706         int buflen, rc;
707         char *buffer, *path, *end;
708
709         buffer = (char*)__get_free_page(GFP_KERNEL);
710         if (!buffer)
711                 return -ENOMEM;
712
713         buflen = PAGE_SIZE;
714         end = buffer+buflen;
715         *--end = '\0';
716         buflen--;
717         path = end-1;
718         *path = '/';
719         while (de && de != de->parent) {
720                 buflen -= de->namelen + 1;
721                 if (buflen < 0)
722                         break;
723                 end -= de->namelen;
724                 memcpy(end, de->name, de->namelen);
725                 *--end = '/';
726                 path = end;
727                 de = de->parent;
728         }
729         rc = security_genfs_sid("proc", path, tclass, sid);
730         free_page((unsigned long)buffer);
731         return rc;
732 }
733 #else
734 static int selinux_proc_get_sid(struct proc_dir_entry *de,
735                                 u16 tclass,
736                                 u32 *sid)
737 {
738         return -EINVAL;
739 }
740 #endif
741
742 /* The inode's security attributes must be initialized before first use. */
743 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
744 {
745         struct superblock_security_struct *sbsec = NULL;
746         struct inode_security_struct *isec = inode->i_security;
747         u32 sid;
748         struct dentry *dentry;
749 #define INITCONTEXTLEN 255
750         char *context = NULL;
751         unsigned len = 0;
752         int rc = 0;
753         int hold_sem = 0;
754
755         if (isec->initialized)
756                 goto out;
757
758         down(&isec->sem);
759         hold_sem = 1;
760         if (isec->initialized)
761                 goto out;
762
763         sbsec = inode->i_sb->s_security;
764         if (!sbsec->initialized) {
765                 /* Defer initialization until selinux_complete_init,
766                    after the initial policy is loaded and the security
767                    server is ready to handle calls. */
768                 spin_lock(&sbsec->isec_lock);
769                 if (list_empty(&isec->list))
770                         list_add(&isec->list, &sbsec->isec_head);
771                 spin_unlock(&sbsec->isec_lock);
772                 goto out;
773         }
774
775         switch (sbsec->behavior) {
776         case SECURITY_FS_USE_XATTR:
777                 if (!inode->i_op->getxattr) {
778                         isec->sid = sbsec->def_sid;
779                         break;
780                 }
781
782                 /* Need a dentry, since the xattr API requires one.
783                    Life would be simpler if we could just pass the inode. */
784                 if (opt_dentry) {
785                         /* Called from d_instantiate or d_splice_alias. */
786                         dentry = dget(opt_dentry);
787                 } else {
788                         /* Called from selinux_complete_init, try to find a dentry. */
789                         dentry = d_find_alias(inode);
790                 }
791                 if (!dentry) {
792                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
793                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
794                                inode->i_ino);
795                         goto out;
796                 }
797
798                 len = INITCONTEXTLEN;
799                 context = kmalloc(len, GFP_KERNEL);
800                 if (!context) {
801                         rc = -ENOMEM;
802                         dput(dentry);
803                         goto out;
804                 }
805                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
806                                            context, len);
807                 if (rc == -ERANGE) {
808                         /* Need a larger buffer.  Query for the right size. */
809                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
810                                                    NULL, 0);
811                         if (rc < 0) {
812                                 dput(dentry);
813                                 goto out;
814                         }
815                         kfree(context);
816                         len = rc;
817                         context = kmalloc(len, GFP_KERNEL);
818                         if (!context) {
819                                 rc = -ENOMEM;
820                                 dput(dentry);
821                                 goto out;
822                         }
823                         rc = inode->i_op->getxattr(dentry,
824                                                    XATTR_NAME_SELINUX,
825                                                    context, len);
826                 }
827                 dput(dentry);
828                 if (rc < 0) {
829                         if (rc != -ENODATA) {
830                                 printk(KERN_WARNING "%s:  getxattr returned "
831                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
832                                        -rc, inode->i_sb->s_id, inode->i_ino);
833                                 kfree(context);
834                                 goto out;
835                         }
836                         /* Map ENODATA to the default file SID */
837                         sid = sbsec->def_sid;
838                         rc = 0;
839                 } else {
840                         rc = security_context_to_sid_default(context, rc, &sid,
841                                                              sbsec->def_sid);
842                         if (rc) {
843                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
844                                        "returned %d for dev=%s ino=%ld\n",
845                                        __FUNCTION__, context, -rc,
846                                        inode->i_sb->s_id, inode->i_ino);
847                                 kfree(context);
848                                 /* Leave with the unlabeled SID */
849                                 rc = 0;
850                                 break;
851                         }
852                 }
853                 kfree(context);
854                 isec->sid = sid;
855                 break;
856         case SECURITY_FS_USE_TASK:
857                 isec->sid = isec->task_sid;
858                 break;
859         case SECURITY_FS_USE_TRANS:
860                 /* Default to the fs SID. */
861                 isec->sid = sbsec->sid;
862
863                 /* Try to obtain a transition SID. */
864                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
865                 rc = security_transition_sid(isec->task_sid,
866                                              sbsec->sid,
867                                              isec->sclass,
868                                              &sid);
869                 if (rc)
870                         goto out;
871                 isec->sid = sid;
872                 break;
873         default:
874                 /* Default to the fs SID. */
875                 isec->sid = sbsec->sid;
876
877                 if (sbsec->proc) {
878                         struct proc_inode *proci = PROC_I(inode);
879                         if (proci->pde) {
880                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
881                                 rc = selinux_proc_get_sid(proci->pde,
882                                                           isec->sclass,
883                                                           &sid);
884                                 if (rc)
885                                         goto out;
886                                 isec->sid = sid;
887                         }
888                 }
889                 break;
890         }
891
892         isec->initialized = 1;
893
894 out:
895         if (isec->sclass == SECCLASS_FILE)
896                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
897
898         if (hold_sem)
899                 up(&isec->sem);
900         return rc;
901 }
902
903 /* Convert a Linux signal to an access vector. */
904 static inline u32 signal_to_av(int sig)
905 {
906         u32 perm = 0;
907
908         switch (sig) {
909         case SIGCHLD:
910                 /* Commonly granted from child to parent. */
911                 perm = PROCESS__SIGCHLD;
912                 break;
913         case SIGKILL:
914                 /* Cannot be caught or ignored */
915                 perm = PROCESS__SIGKILL;
916                 break;
917         case SIGSTOP:
918                 /* Cannot be caught or ignored */
919                 perm = PROCESS__SIGSTOP;
920                 break;
921         default:
922                 /* All other signals. */
923                 perm = PROCESS__SIGNAL;
924                 break;
925         }
926
927         return perm;
928 }
929
930 /* Check permission betweeen a pair of tasks, e.g. signal checks,
931    fork check, ptrace check, etc. */
932 static int task_has_perm(struct task_struct *tsk1,
933                          struct task_struct *tsk2,
934                          u32 perms)
935 {
936         struct task_security_struct *tsec1, *tsec2;
937
938         tsec1 = tsk1->security;
939         tsec2 = tsk2->security;
940         return avc_has_perm(tsec1->sid, tsec2->sid,
941                             SECCLASS_PROCESS, perms, NULL);
942 }
943
944 /* Check whether a task is allowed to use a capability. */
945 static int task_has_capability(struct task_struct *tsk,
946                                int cap)
947 {
948         struct task_security_struct *tsec;
949         struct avc_audit_data ad;
950
951         tsec = tsk->security;
952
953         AVC_AUDIT_DATA_INIT(&ad,CAP);
954         ad.tsk = tsk;
955         ad.u.cap = cap;
956
957         return avc_has_perm(tsec->sid, tsec->sid,
958                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
959 }
960
961 /* Check whether a task is allowed to use a system operation. */
962 static int task_has_system(struct task_struct *tsk,
963                            u32 perms)
964 {
965         struct task_security_struct *tsec;
966
967         tsec = tsk->security;
968
969         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
970                             SECCLASS_SYSTEM, perms, NULL);
971 }
972
973 /* Check whether a task has a particular permission to an inode.
974    The 'adp' parameter is optional and allows other audit
975    data to be passed (e.g. the dentry). */
976 static int inode_has_perm(struct task_struct *tsk,
977                           struct inode *inode,
978                           u32 perms,
979                           struct avc_audit_data *adp)
980 {
981         struct task_security_struct *tsec;
982         struct inode_security_struct *isec;
983         struct avc_audit_data ad;
984
985         tsec = tsk->security;
986         isec = inode->i_security;
987
988         if (!adp) {
989                 adp = &ad;
990                 AVC_AUDIT_DATA_INIT(&ad, FS);
991                 ad.u.fs.inode = inode;
992         }
993
994         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
995 }
996
997 /* Same as inode_has_perm, but pass explicit audit data containing
998    the dentry to help the auditing code to more easily generate the
999    pathname if needed. */
1000 static inline int dentry_has_perm(struct task_struct *tsk,
1001                                   struct vfsmount *mnt,
1002                                   struct dentry *dentry,
1003                                   u32 av)
1004 {
1005         struct inode *inode = dentry->d_inode;
1006         struct avc_audit_data ad;
1007         AVC_AUDIT_DATA_INIT(&ad,FS);
1008         ad.u.fs.mnt = mnt;
1009         ad.u.fs.dentry = dentry;
1010         return inode_has_perm(tsk, inode, av, &ad);
1011 }
1012
1013 /* Check whether a task can use an open file descriptor to
1014    access an inode in a given way.  Check access to the
1015    descriptor itself, and then use dentry_has_perm to
1016    check a particular permission to the file.
1017    Access to the descriptor is implicitly granted if it
1018    has the same SID as the process.  If av is zero, then
1019    access to the file is not checked, e.g. for cases
1020    where only the descriptor is affected like seek. */
1021 static inline int file_has_perm(struct task_struct *tsk,
1022                                 struct file *file,
1023                                 u32 av)
1024 {
1025         struct task_security_struct *tsec = tsk->security;
1026         struct file_security_struct *fsec = file->f_security;
1027         struct vfsmount *mnt = file->f_vfsmnt;
1028         struct dentry *dentry = file->f_dentry;
1029         struct inode *inode = dentry->d_inode;
1030         struct avc_audit_data ad;
1031         int rc;
1032
1033         AVC_AUDIT_DATA_INIT(&ad, FS);
1034         ad.u.fs.mnt = mnt;
1035         ad.u.fs.dentry = dentry;
1036
1037         if (tsec->sid != fsec->sid) {
1038                 rc = avc_has_perm(tsec->sid, fsec->sid,
1039                                   SECCLASS_FD,
1040                                   FD__USE,
1041                                   &ad);
1042                 if (rc)
1043                         return rc;
1044         }
1045
1046         /* av is zero if only checking access to the descriptor. */
1047         if (av)
1048                 return inode_has_perm(tsk, inode, av, &ad);
1049
1050         return 0;
1051 }
1052
1053 /* Check whether a task can create a file. */
1054 static int may_create(struct inode *dir,
1055                       struct dentry *dentry,
1056                       u16 tclass)
1057 {
1058         struct task_security_struct *tsec;
1059         struct inode_security_struct *dsec;
1060         struct superblock_security_struct *sbsec;
1061         u32 newsid;
1062         struct avc_audit_data ad;
1063         int rc;
1064
1065         tsec = current->security;
1066         dsec = dir->i_security;
1067         sbsec = dir->i_sb->s_security;
1068
1069         AVC_AUDIT_DATA_INIT(&ad, FS);
1070         ad.u.fs.dentry = dentry;
1071
1072         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1073                           DIR__ADD_NAME | DIR__SEARCH,
1074                           &ad);
1075         if (rc)
1076                 return rc;
1077
1078         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1079                 newsid = tsec->create_sid;
1080         } else {
1081                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1082                                              &newsid);
1083                 if (rc)
1084                         return rc;
1085         }
1086
1087         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1088         if (rc)
1089                 return rc;
1090
1091         return avc_has_perm(newsid, sbsec->sid,
1092                             SECCLASS_FILESYSTEM,
1093                             FILESYSTEM__ASSOCIATE, &ad);
1094 }
1095
1096 #define MAY_LINK   0
1097 #define MAY_UNLINK 1
1098 #define MAY_RMDIR  2
1099
1100 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1101 static int may_link(struct inode *dir,
1102                     struct dentry *dentry,
1103                     int kind)
1104
1105 {
1106         struct task_security_struct *tsec;
1107         struct inode_security_struct *dsec, *isec;
1108         struct avc_audit_data ad;
1109         u32 av;
1110         int rc;
1111
1112         tsec = current->security;
1113         dsec = dir->i_security;
1114         isec = dentry->d_inode->i_security;
1115
1116         AVC_AUDIT_DATA_INIT(&ad, FS);
1117         ad.u.fs.dentry = dentry;
1118
1119         av = DIR__SEARCH;
1120         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1121         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1122         if (rc)
1123                 return rc;
1124
1125         switch (kind) {
1126         case MAY_LINK:
1127                 av = FILE__LINK;
1128                 break;
1129         case MAY_UNLINK:
1130                 av = FILE__UNLINK;
1131                 break;
1132         case MAY_RMDIR:
1133                 av = DIR__RMDIR;
1134                 break;
1135         default:
1136                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1137                 return 0;
1138         }
1139
1140         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1141         return rc;
1142 }
1143
1144 static inline int may_rename(struct inode *old_dir,
1145                              struct dentry *old_dentry,
1146                              struct inode *new_dir,
1147                              struct dentry *new_dentry)
1148 {
1149         struct task_security_struct *tsec;
1150         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1151         struct avc_audit_data ad;
1152         u32 av;
1153         int old_is_dir, new_is_dir;
1154         int rc;
1155
1156         tsec = current->security;
1157         old_dsec = old_dir->i_security;
1158         old_isec = old_dentry->d_inode->i_security;
1159         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1160         new_dsec = new_dir->i_security;
1161
1162         AVC_AUDIT_DATA_INIT(&ad, FS);
1163
1164         ad.u.fs.dentry = old_dentry;
1165         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1166                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1167         if (rc)
1168                 return rc;
1169         rc = avc_has_perm(tsec->sid, old_isec->sid,
1170                           old_isec->sclass, FILE__RENAME, &ad);
1171         if (rc)
1172                 return rc;
1173         if (old_is_dir && new_dir != old_dir) {
1174                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1175                                   old_isec->sclass, DIR__REPARENT, &ad);
1176                 if (rc)
1177                         return rc;
1178         }
1179
1180         ad.u.fs.dentry = new_dentry;
1181         av = DIR__ADD_NAME | DIR__SEARCH;
1182         if (new_dentry->d_inode)
1183                 av |= DIR__REMOVE_NAME;
1184         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1185         if (rc)
1186                 return rc;
1187         if (new_dentry->d_inode) {
1188                 new_isec = new_dentry->d_inode->i_security;
1189                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1190                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1191                                   new_isec->sclass,
1192                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1193                 if (rc)
1194                         return rc;
1195         }
1196
1197         return 0;
1198 }
1199
1200 /* Check whether a task can perform a filesystem operation. */
1201 static int superblock_has_perm(struct task_struct *tsk,
1202                                struct super_block *sb,
1203                                u32 perms,
1204                                struct avc_audit_data *ad)
1205 {
1206         struct task_security_struct *tsec;
1207         struct superblock_security_struct *sbsec;
1208
1209         tsec = tsk->security;
1210         sbsec = sb->s_security;
1211         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1212                             perms, ad);
1213 }
1214
1215 /* Convert a Linux mode and permission mask to an access vector. */
1216 static inline u32 file_mask_to_av(int mode, int mask)
1217 {
1218         u32 av = 0;
1219
1220         if ((mode & S_IFMT) != S_IFDIR) {
1221                 if (mask & MAY_EXEC)
1222                         av |= FILE__EXECUTE;
1223                 if (mask & MAY_READ)
1224                         av |= FILE__READ;
1225
1226                 if (mask & MAY_APPEND)
1227                         av |= FILE__APPEND;
1228                 else if (mask & MAY_WRITE)
1229                         av |= FILE__WRITE;
1230
1231         } else {
1232                 if (mask & MAY_EXEC)
1233                         av |= DIR__SEARCH;
1234                 if (mask & MAY_WRITE)
1235                         av |= DIR__WRITE;
1236                 if (mask & MAY_READ)
1237                         av |= DIR__READ;
1238         }
1239
1240         return av;
1241 }
1242
1243 /* Convert a Linux file to an access vector. */
1244 static inline u32 file_to_av(struct file *file)
1245 {
1246         u32 av = 0;
1247
1248         if (file->f_mode & FMODE_READ)
1249                 av |= FILE__READ;
1250         if (file->f_mode & FMODE_WRITE) {
1251                 if (file->f_flags & O_APPEND)
1252                         av |= FILE__APPEND;
1253                 else
1254                         av |= FILE__WRITE;
1255         }
1256
1257         return av;
1258 }
1259
1260 /* Set an inode's SID to a specified value. */
1261 static int inode_security_set_sid(struct inode *inode, u32 sid)
1262 {
1263         struct inode_security_struct *isec = inode->i_security;
1264         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1265
1266         if (!sbsec->initialized) {
1267                 /* Defer initialization to selinux_complete_init. */
1268                 return 0;
1269         }
1270
1271         down(&isec->sem);
1272         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1273         isec->sid = sid;
1274         isec->initialized = 1;
1275         up(&isec->sem);
1276         return 0;
1277 }
1278
1279 /* Hook functions begin here. */
1280
1281 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1282 {
1283         struct task_security_struct *psec = parent->security;
1284         struct task_security_struct *csec = child->security;
1285         int rc;
1286
1287         rc = secondary_ops->ptrace(parent,child);
1288         if (rc)
1289                 return rc;
1290
1291         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1292         /* Save the SID of the tracing process for later use in apply_creds. */
1293         if (!rc)
1294                 csec->ptrace_sid = psec->sid;
1295         return rc;
1296 }
1297
1298 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1299                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1300 {
1301         int error;
1302
1303         error = task_has_perm(current, target, PROCESS__GETCAP);
1304         if (error)
1305                 return error;
1306
1307         return secondary_ops->capget(target, effective, inheritable, permitted);
1308 }
1309
1310 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1311                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1312 {
1313         int error;
1314
1315         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1316         if (error)
1317                 return error;
1318
1319         return task_has_perm(current, target, PROCESS__SETCAP);
1320 }
1321
1322 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1323                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1324 {
1325         secondary_ops->capset_set(target, effective, inheritable, permitted);
1326 }
1327
1328 static int selinux_capable(struct task_struct *tsk, int cap)
1329 {
1330         int rc;
1331
1332         rc = secondary_ops->capable(tsk, cap);
1333         if (rc)
1334                 return rc;
1335
1336         return task_has_capability(tsk,cap);
1337 }
1338
1339 static int selinux_sysctl(ctl_table *table, int op)
1340 {
1341         int error = 0;
1342         u32 av;
1343         struct task_security_struct *tsec;
1344         u32 tsid;
1345         int rc;
1346
1347         rc = secondary_ops->sysctl(table, op);
1348         if (rc)
1349                 return rc;
1350
1351         tsec = current->security;
1352
1353         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1354                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1355         if (rc) {
1356                 /* Default to the well-defined sysctl SID. */
1357                 tsid = SECINITSID_SYSCTL;
1358         }
1359
1360         /* The op values are "defined" in sysctl.c, thereby creating
1361          * a bad coupling between this module and sysctl.c */
1362         if(op == 001) {
1363                 error = avc_has_perm(tsec->sid, tsid,
1364                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1365         } else {
1366                 av = 0;
1367                 if (op & 004)
1368                         av |= FILE__READ;
1369                 if (op & 002)
1370                         av |= FILE__WRITE;
1371                 if (av)
1372                         error = avc_has_perm(tsec->sid, tsid,
1373                                              SECCLASS_FILE, av, NULL);
1374         }
1375
1376         return error;
1377 }
1378
1379 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1380 {
1381         int rc = 0;
1382
1383         if (!sb)
1384                 return 0;
1385
1386         switch (cmds) {
1387                 case Q_SYNC:
1388                 case Q_QUOTAON:
1389                 case Q_QUOTAOFF:
1390                 case Q_SETINFO:
1391                 case Q_SETQUOTA:
1392                         rc = superblock_has_perm(current,
1393                                                  sb,
1394                                                  FILESYSTEM__QUOTAMOD, NULL);
1395                         break;
1396                 case Q_GETFMT:
1397                 case Q_GETINFO:
1398                 case Q_GETQUOTA:
1399                         rc = superblock_has_perm(current,
1400                                                  sb,
1401                                                  FILESYSTEM__QUOTAGET, NULL);
1402                         break;
1403                 default:
1404                         rc = 0;  /* let the kernel handle invalid cmds */
1405                         break;
1406         }
1407         return rc;
1408 }
1409
1410 static int selinux_quota_on(struct dentry *dentry)
1411 {
1412         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1413 }
1414
1415 static int selinux_syslog(int type)
1416 {
1417         int rc;
1418
1419         rc = secondary_ops->syslog(type);
1420         if (rc)
1421                 return rc;
1422
1423         switch (type) {
1424                 case 3:         /* Read last kernel messages */
1425                 case 10:        /* Return size of the log buffer */
1426                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1427                         break;
1428                 case 6:         /* Disable logging to console */
1429                 case 7:         /* Enable logging to console */
1430                 case 8:         /* Set level of messages printed to console */
1431                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1432                         break;
1433                 case 0:         /* Close log */
1434                 case 1:         /* Open log */
1435                 case 2:         /* Read from log */
1436                 case 4:         /* Read/clear last kernel messages */
1437                 case 5:         /* Clear ring buffer */
1438                 default:
1439                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1440                         break;
1441         }
1442         return rc;
1443 }
1444
1445 /*
1446  * Check that a process has enough memory to allocate a new virtual
1447  * mapping. 0 means there is enough memory for the allocation to
1448  * succeed and -ENOMEM implies there is not.
1449  *
1450  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1451  * if the capability is granted, but __vm_enough_memory requires 1 if
1452  * the capability is granted.
1453  *
1454  * Do not audit the selinux permission check, as this is applied to all
1455  * processes that allocate mappings.
1456  */
1457 static int selinux_vm_enough_memory(long pages)
1458 {
1459         int rc, cap_sys_admin = 0;
1460         struct task_security_struct *tsec = current->security;
1461
1462         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1463         if (rc == 0)
1464                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1465                                         SECCLASS_CAPABILITY,
1466                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1467                                         NULL);
1468
1469         if (rc == 0)
1470                 cap_sys_admin = 1;
1471
1472         return __vm_enough_memory(pages, cap_sys_admin);
1473 }
1474
1475 /* binprm security operations */
1476
1477 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1478 {
1479         struct bprm_security_struct *bsec;
1480
1481         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1482         if (!bsec)
1483                 return -ENOMEM;
1484
1485         bsec->magic = SELINUX_MAGIC;
1486         bsec->bprm = bprm;
1487         bsec->sid = SECINITSID_UNLABELED;
1488         bsec->set = 0;
1489
1490         bprm->security = bsec;
1491         return 0;
1492 }
1493
1494 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1495 {
1496         struct task_security_struct *tsec;
1497         struct inode *inode = bprm->file->f_dentry->d_inode;
1498         struct inode_security_struct *isec;
1499         struct bprm_security_struct *bsec;
1500         u32 newsid;
1501         struct avc_audit_data ad;
1502         int rc;
1503
1504         rc = secondary_ops->bprm_set_security(bprm);
1505         if (rc)
1506                 return rc;
1507
1508         bsec = bprm->security;
1509
1510         if (bsec->set)
1511                 return 0;
1512
1513         tsec = current->security;
1514         isec = inode->i_security;
1515
1516         /* Default to the current task SID. */
1517         bsec->sid = tsec->sid;
1518
1519         /* Reset create SID on execve. */
1520         tsec->create_sid = 0;
1521
1522         if (tsec->exec_sid) {
1523                 newsid = tsec->exec_sid;
1524                 /* Reset exec SID on execve. */
1525                 tsec->exec_sid = 0;
1526         } else {
1527                 /* Check for a default transition on this program. */
1528                 rc = security_transition_sid(tsec->sid, isec->sid,
1529                                              SECCLASS_PROCESS, &newsid);
1530                 if (rc)
1531                         return rc;
1532         }
1533
1534         AVC_AUDIT_DATA_INIT(&ad, FS);
1535         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1536         ad.u.fs.dentry = bprm->file->f_dentry;
1537
1538         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1539                 newsid = tsec->sid;
1540
1541         if (tsec->sid == newsid) {
1542                 rc = avc_has_perm(tsec->sid, isec->sid,
1543                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1544                 if (rc)
1545                         return rc;
1546         } else {
1547                 /* Check permissions for the transition. */
1548                 rc = avc_has_perm(tsec->sid, newsid,
1549                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1550                 if (rc)
1551                         return rc;
1552
1553                 rc = avc_has_perm(newsid, isec->sid,
1554                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1555                 if (rc)
1556                         return rc;
1557
1558                 /* Clear any possibly unsafe personality bits on exec: */
1559                 current->personality &= ~PER_CLEAR_ON_SETID;
1560
1561                 /* Set the security field to the new SID. */
1562                 bsec->sid = newsid;
1563         }
1564
1565         bsec->set = 1;
1566         return 0;
1567 }
1568
1569 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1570 {
1571         return secondary_ops->bprm_check_security(bprm);
1572 }
1573
1574
1575 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1576 {
1577         struct task_security_struct *tsec = current->security;
1578         int atsecure = 0;
1579
1580         if (tsec->osid != tsec->sid) {
1581                 /* Enable secure mode for SIDs transitions unless
1582                    the noatsecure permission is granted between
1583                    the two SIDs, i.e. ahp returns 0. */
1584                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1585                                          SECCLASS_PROCESS,
1586                                          PROCESS__NOATSECURE, NULL);
1587         }
1588
1589         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1590 }
1591
1592 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1593 {
1594         kfree(bprm->security);
1595         bprm->security = NULL;
1596 }
1597
1598 extern struct vfsmount *selinuxfs_mount;
1599 extern struct dentry *selinux_null;
1600
1601 /* Derived from fs/exec.c:flush_old_files. */
1602 static inline void flush_unauthorized_files(struct files_struct * files)
1603 {
1604         struct avc_audit_data ad;
1605         struct file *file, *devnull = NULL;
1606         struct tty_struct *tty = current->signal->tty;
1607         struct fdtable *fdt;
1608         long j = -1;
1609
1610         if (tty) {
1611                 file_list_lock();
1612                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1613                 if (file) {
1614                         /* Revalidate access to controlling tty.
1615                            Use inode_has_perm on the tty inode directly rather
1616                            than using file_has_perm, as this particular open
1617                            file may belong to another process and we are only
1618                            interested in the inode-based check here. */
1619                         struct inode *inode = file->f_dentry->d_inode;
1620                         if (inode_has_perm(current, inode,
1621                                            FILE__READ | FILE__WRITE, NULL)) {
1622                                 /* Reset controlling tty. */
1623                                 current->signal->tty = NULL;
1624                                 current->signal->tty_old_pgrp = 0;
1625                         }
1626                 }
1627                 file_list_unlock();
1628         }
1629
1630         /* Revalidate access to inherited open files. */
1631
1632         AVC_AUDIT_DATA_INIT(&ad,FS);
1633
1634         spin_lock(&files->file_lock);
1635         for (;;) {
1636                 unsigned long set, i;
1637                 int fd;
1638
1639                 j++;
1640                 i = j * __NFDBITS;
1641                 fdt = files_fdtable(files);
1642                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1643                         break;
1644                 set = fdt->open_fds->fds_bits[j];
1645                 if (!set)
1646                         continue;
1647                 spin_unlock(&files->file_lock);
1648                 for ( ; set ; i++,set >>= 1) {
1649                         if (set & 1) {
1650                                 file = fget(i);
1651                                 if (!file)
1652                                         continue;
1653                                 if (file_has_perm(current,
1654                                                   file,
1655                                                   file_to_av(file))) {
1656                                         sys_close(i);
1657                                         fd = get_unused_fd();
1658                                         if (fd != i) {
1659                                                 if (fd >= 0)
1660                                                         put_unused_fd(fd);
1661                                                 fput(file);
1662                                                 continue;
1663                                         }
1664                                         if (devnull) {
1665                                                 rcuref_inc(&devnull->f_count);
1666                                         } else {
1667                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1668                                                 if (!devnull) {
1669                                                         put_unused_fd(fd);
1670                                                         fput(file);
1671                                                         continue;
1672                                                 }
1673                                         }
1674                                         fd_install(fd, devnull);
1675                                 }
1676                                 fput(file);
1677                         }
1678                 }
1679                 spin_lock(&files->file_lock);
1680
1681         }
1682         spin_unlock(&files->file_lock);
1683 }
1684
1685 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1686 {
1687         struct task_security_struct *tsec;
1688         struct bprm_security_struct *bsec;
1689         u32 sid;
1690         int rc;
1691
1692         secondary_ops->bprm_apply_creds(bprm, unsafe);
1693
1694         tsec = current->security;
1695
1696         bsec = bprm->security;
1697         sid = bsec->sid;
1698
1699         tsec->osid = tsec->sid;
1700         bsec->unsafe = 0;
1701         if (tsec->sid != sid) {
1702                 /* Check for shared state.  If not ok, leave SID
1703                    unchanged and kill. */
1704                 if (unsafe & LSM_UNSAFE_SHARE) {
1705                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1706                                         PROCESS__SHARE, NULL);
1707                         if (rc) {
1708                                 bsec->unsafe = 1;
1709                                 return;
1710                         }
1711                 }
1712
1713                 /* Check for ptracing, and update the task SID if ok.
1714                    Otherwise, leave SID unchanged and kill. */
1715                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1716                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1717                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1718                                           NULL);
1719                         if (rc) {
1720                                 bsec->unsafe = 1;
1721                                 return;
1722                         }
1723                 }
1724                 tsec->sid = sid;
1725         }
1726 }
1727
1728 /*
1729  * called after apply_creds without the task lock held
1730  */
1731 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1732 {
1733         struct task_security_struct *tsec;
1734         struct rlimit *rlim, *initrlim;
1735         struct itimerval itimer;
1736         struct bprm_security_struct *bsec;
1737         int rc, i;
1738
1739         tsec = current->security;
1740         bsec = bprm->security;
1741
1742         if (bsec->unsafe) {
1743                 force_sig_specific(SIGKILL, current);
1744                 return;
1745         }
1746         if (tsec->osid == tsec->sid)
1747                 return;
1748
1749         /* Close files for which the new task SID is not authorized. */
1750         flush_unauthorized_files(current->files);
1751
1752         /* Check whether the new SID can inherit signal state
1753            from the old SID.  If not, clear itimers to avoid
1754            subsequent signal generation and flush and unblock
1755            signals. This must occur _after_ the task SID has
1756           been updated so that any kill done after the flush
1757           will be checked against the new SID. */
1758         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1759                           PROCESS__SIGINH, NULL);
1760         if (rc) {
1761                 memset(&itimer, 0, sizeof itimer);
1762                 for (i = 0; i < 3; i++)
1763                         do_setitimer(i, &itimer, NULL);
1764                 flush_signals(current);
1765                 spin_lock_irq(&current->sighand->siglock);
1766                 flush_signal_handlers(current, 1);
1767                 sigemptyset(&current->blocked);
1768                 recalc_sigpending();
1769                 spin_unlock_irq(&current->sighand->siglock);
1770         }
1771
1772         /* Check whether the new SID can inherit resource limits
1773            from the old SID.  If not, reset all soft limits to
1774            the lower of the current task's hard limit and the init
1775            task's soft limit.  Note that the setting of hard limits
1776            (even to lower them) can be controlled by the setrlimit
1777            check. The inclusion of the init task's soft limit into
1778            the computation is to avoid resetting soft limits higher
1779            than the default soft limit for cases where the default
1780            is lower than the hard limit, e.g. RLIMIT_CORE or
1781            RLIMIT_STACK.*/
1782         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1783                           PROCESS__RLIMITINH, NULL);
1784         if (rc) {
1785                 for (i = 0; i < RLIM_NLIMITS; i++) {
1786                         rlim = current->signal->rlim + i;
1787                         initrlim = init_task.signal->rlim+i;
1788                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1789                 }
1790                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1791                         /*
1792                          * This will cause RLIMIT_CPU calculations
1793                          * to be refigured.
1794                          */
1795                         current->it_prof_expires = jiffies_to_cputime(1);
1796                 }
1797         }
1798
1799         /* Wake up the parent if it is waiting so that it can
1800            recheck wait permission to the new task SID. */
1801         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1802 }
1803
1804 /* superblock security operations */
1805
1806 static int selinux_sb_alloc_security(struct super_block *sb)
1807 {
1808         return superblock_alloc_security(sb);
1809 }
1810
1811 static void selinux_sb_free_security(struct super_block *sb)
1812 {
1813         superblock_free_security(sb);
1814 }
1815
1816 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1817 {
1818         if (plen > olen)
1819                 return 0;
1820
1821         return !memcmp(prefix, option, plen);
1822 }
1823
1824 static inline int selinux_option(char *option, int len)
1825 {
1826         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1827                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1828                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1829 }
1830
1831 static inline void take_option(char **to, char *from, int *first, int len)
1832 {
1833         if (!*first) {
1834                 **to = ',';
1835                 *to += 1;
1836         }
1837         else
1838                 *first = 0;
1839         memcpy(*to, from, len);
1840         *to += len;
1841 }
1842
1843 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1844 {
1845         int fnosec, fsec, rc = 0;
1846         char *in_save, *in_curr, *in_end;
1847         char *sec_curr, *nosec_save, *nosec;
1848
1849         in_curr = orig;
1850         sec_curr = copy;
1851
1852         /* Binary mount data: just copy */
1853         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1854                 copy_page(sec_curr, in_curr);
1855                 goto out;
1856         }
1857
1858         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1859         if (!nosec) {
1860                 rc = -ENOMEM;
1861                 goto out;
1862         }
1863
1864         nosec_save = nosec;
1865         fnosec = fsec = 1;
1866         in_save = in_end = orig;
1867
1868         do {
1869                 if (*in_end == ',' || *in_end == '\0') {
1870                         int len = in_end - in_curr;
1871
1872                         if (selinux_option(in_curr, len))
1873                                 take_option(&sec_curr, in_curr, &fsec, len);
1874                         else
1875                                 take_option(&nosec, in_curr, &fnosec, len);
1876
1877                         in_curr = in_end + 1;
1878                 }
1879         } while (*in_end++);
1880
1881         strcpy(in_save, nosec_save);
1882         free_page((unsigned long)nosec_save);
1883 out:
1884         return rc;
1885 }
1886
1887 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1888 {
1889         struct avc_audit_data ad;
1890         int rc;
1891
1892         rc = superblock_doinit(sb, data);
1893         if (rc)
1894                 return rc;
1895
1896         AVC_AUDIT_DATA_INIT(&ad,FS);
1897         ad.u.fs.dentry = sb->s_root;
1898         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1899 }
1900
1901 static int selinux_sb_statfs(struct super_block *sb)
1902 {
1903         struct avc_audit_data ad;
1904
1905         AVC_AUDIT_DATA_INIT(&ad,FS);
1906         ad.u.fs.dentry = sb->s_root;
1907         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1908 }
1909
1910 static int selinux_mount(char * dev_name,
1911                          struct nameidata *nd,
1912                          char * type,
1913                          unsigned long flags,
1914                          void * data)
1915 {
1916         int rc;
1917
1918         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1919         if (rc)
1920                 return rc;
1921
1922         if (flags & MS_REMOUNT)
1923                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1924                                            FILESYSTEM__REMOUNT, NULL);
1925         else
1926                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1927                                        FILE__MOUNTON);
1928 }
1929
1930 static int selinux_umount(struct vfsmount *mnt, int flags)
1931 {
1932         int rc;
1933
1934         rc = secondary_ops->sb_umount(mnt, flags);
1935         if (rc)
1936                 return rc;
1937
1938         return superblock_has_perm(current,mnt->mnt_sb,
1939                                    FILESYSTEM__UNMOUNT,NULL);
1940 }
1941
1942 /* inode security operations */
1943
1944 static int selinux_inode_alloc_security(struct inode *inode)
1945 {
1946         return inode_alloc_security(inode);
1947 }
1948
1949 static void selinux_inode_free_security(struct inode *inode)
1950 {
1951         inode_free_security(inode);
1952 }
1953
1954 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1955                                        char **name, void **value,
1956                                        size_t *len)
1957 {
1958         struct task_security_struct *tsec;
1959         struct inode_security_struct *dsec;
1960         struct superblock_security_struct *sbsec;
1961         struct inode_security_struct *isec;
1962         u32 newsid, clen;
1963         int rc;
1964         char *namep = NULL, *context;
1965
1966         tsec = current->security;
1967         dsec = dir->i_security;
1968         sbsec = dir->i_sb->s_security;
1969         isec = inode->i_security;
1970
1971         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1972                 newsid = tsec->create_sid;
1973         } else {
1974                 rc = security_transition_sid(tsec->sid, dsec->sid,
1975                                              inode_mode_to_security_class(inode->i_mode),
1976                                              &newsid);
1977                 if (rc) {
1978                         printk(KERN_WARNING "%s:  "
1979                                "security_transition_sid failed, rc=%d (dev=%s "
1980                                "ino=%ld)\n",
1981                                __FUNCTION__,
1982                                -rc, inode->i_sb->s_id, inode->i_ino);
1983                         return rc;
1984                 }
1985         }
1986
1987         inode_security_set_sid(inode, newsid);
1988
1989         if (name) {
1990                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1991                 if (!namep)
1992                         return -ENOMEM;
1993                 *name = namep;
1994         }
1995
1996         if (value && len) {
1997                 rc = security_sid_to_context(newsid, &context, &clen);
1998                 if (rc) {
1999                         kfree(namep);
2000                         return rc;
2001                 }
2002                 *value = context;
2003                 *len = clen;
2004         }
2005
2006         return 0;
2007 }
2008
2009 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2010 {
2011         return may_create(dir, dentry, SECCLASS_FILE);
2012 }
2013
2014 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2015 {
2016         int rc;
2017
2018         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2019         if (rc)
2020                 return rc;
2021         return may_link(dir, old_dentry, MAY_LINK);
2022 }
2023
2024 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2025 {
2026         int rc;
2027
2028         rc = secondary_ops->inode_unlink(dir, dentry);
2029         if (rc)
2030                 return rc;
2031         return may_link(dir, dentry, MAY_UNLINK);
2032 }
2033
2034 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2035 {
2036         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2037 }
2038
2039 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2040 {
2041         return may_create(dir, dentry, SECCLASS_DIR);
2042 }
2043
2044 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2045 {
2046         return may_link(dir, dentry, MAY_RMDIR);
2047 }
2048
2049 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2050 {
2051         int rc;
2052
2053         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2054         if (rc)
2055                 return rc;
2056
2057         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2058 }
2059
2060 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2061                                 struct inode *new_inode, struct dentry *new_dentry)
2062 {
2063         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2064 }
2065
2066 static int selinux_inode_readlink(struct dentry *dentry)
2067 {
2068         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2069 }
2070
2071 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2072 {
2073         int rc;
2074
2075         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2076         if (rc)
2077                 return rc;
2078         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2079 }
2080
2081 static int selinux_inode_permission(struct inode *inode, int mask,
2082                                     struct nameidata *nd)
2083 {
2084         int rc;
2085
2086         rc = secondary_ops->inode_permission(inode, mask, nd);
2087         if (rc)
2088                 return rc;
2089
2090         if (!mask) {
2091                 /* No permission to check.  Existence test. */
2092                 return 0;
2093         }
2094
2095         return inode_has_perm(current, inode,
2096                                file_mask_to_av(inode->i_mode, mask), NULL);
2097 }
2098
2099 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2100 {
2101         int rc;
2102
2103         rc = secondary_ops->inode_setattr(dentry, iattr);
2104         if (rc)
2105                 return rc;
2106
2107         if (iattr->ia_valid & ATTR_FORCE)
2108                 return 0;
2109
2110         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2111                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2112                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2113
2114         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2115 }
2116
2117 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2118 {
2119         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2120 }
2121
2122 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2123 {
2124         struct task_security_struct *tsec = current->security;
2125         struct inode *inode = dentry->d_inode;
2126         struct inode_security_struct *isec = inode->i_security;
2127         struct superblock_security_struct *sbsec;
2128         struct avc_audit_data ad;
2129         u32 newsid;
2130         int rc = 0;
2131
2132         if (strcmp(name, XATTR_NAME_SELINUX)) {
2133                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2134                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2135                     !capable(CAP_SYS_ADMIN)) {
2136                         /* A different attribute in the security namespace.
2137                            Restrict to administrator. */
2138                         return -EPERM;
2139                 }
2140
2141                 /* Not an attribute we recognize, so just check the
2142                    ordinary setattr permission. */
2143                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2144         }
2145
2146         sbsec = inode->i_sb->s_security;
2147         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2148                 return -EOPNOTSUPP;
2149
2150         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2151                 return -EPERM;
2152
2153         AVC_AUDIT_DATA_INIT(&ad,FS);
2154         ad.u.fs.dentry = dentry;
2155
2156         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2157                           FILE__RELABELFROM, &ad);
2158         if (rc)
2159                 return rc;
2160
2161         rc = security_context_to_sid(value, size, &newsid);
2162         if (rc)
2163                 return rc;
2164
2165         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2166                           FILE__RELABELTO, &ad);
2167         if (rc)
2168                 return rc;
2169
2170         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2171                                           isec->sclass);
2172         if (rc)
2173                 return rc;
2174
2175         return avc_has_perm(newsid,
2176                             sbsec->sid,
2177                             SECCLASS_FILESYSTEM,
2178                             FILESYSTEM__ASSOCIATE,
2179                             &ad);
2180 }
2181
2182 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2183                                         void *value, size_t size, int flags)
2184 {
2185         struct inode *inode = dentry->d_inode;
2186         struct inode_security_struct *isec = inode->i_security;
2187         u32 newsid;
2188         int rc;
2189
2190         if (strcmp(name, XATTR_NAME_SELINUX)) {
2191                 /* Not an attribute we recognize, so nothing to do. */
2192                 return;
2193         }
2194
2195         rc = security_context_to_sid(value, size, &newsid);
2196         if (rc) {
2197                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2198                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2199                 return;
2200         }
2201
2202         isec->sid = newsid;
2203         return;
2204 }
2205
2206 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2207 {
2208         struct inode *inode = dentry->d_inode;
2209         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2210
2211         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2212                 return -EOPNOTSUPP;
2213
2214         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2215 }
2216
2217 static int selinux_inode_listxattr (struct dentry *dentry)
2218 {
2219         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2220 }
2221
2222 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2223 {
2224         if (strcmp(name, XATTR_NAME_SELINUX)) {
2225                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2226                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2227                     !capable(CAP_SYS_ADMIN)) {
2228                         /* A different attribute in the security namespace.
2229                            Restrict to administrator. */
2230                         return -EPERM;
2231                 }
2232
2233                 /* Not an attribute we recognize, so just check the
2234                    ordinary setattr permission. Might want a separate
2235                    permission for removexattr. */
2236                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2237         }
2238
2239         /* No one is allowed to remove a SELinux security label.
2240            You can change the label, but all data must be labeled. */
2241         return -EACCES;
2242 }
2243
2244 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2245 {
2246         struct inode_security_struct *isec = inode->i_security;
2247         char *context;
2248         unsigned len;
2249         int rc;
2250
2251         /* Permission check handled by selinux_inode_getxattr hook.*/
2252
2253         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2254                 return -EOPNOTSUPP;
2255
2256         rc = security_sid_to_context(isec->sid, &context, &len);
2257         if (rc)
2258                 return rc;
2259
2260         if (!buffer || !size) {
2261                 kfree(context);
2262                 return len;
2263         }
2264         if (size < len) {
2265                 kfree(context);
2266                 return -ERANGE;
2267         }
2268         memcpy(buffer, context, len);
2269         kfree(context);
2270         return len;
2271 }
2272
2273 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2274                                      const void *value, size_t size, int flags)
2275 {
2276         struct inode_security_struct *isec = inode->i_security;
2277         u32 newsid;
2278         int rc;
2279
2280         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2281                 return -EOPNOTSUPP;
2282
2283         if (!value || !size)
2284                 return -EACCES;
2285
2286         rc = security_context_to_sid((void*)value, size, &newsid);
2287         if (rc)
2288                 return rc;
2289
2290         isec->sid = newsid;
2291         return 0;
2292 }
2293
2294 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2295 {
2296         const int len = sizeof(XATTR_NAME_SELINUX);
2297         if (buffer && len <= buffer_size)
2298                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2299         return len;
2300 }
2301
2302 /* file security operations */
2303
2304 static int selinux_file_permission(struct file *file, int mask)
2305 {
2306         struct inode *inode = file->f_dentry->d_inode;
2307
2308         if (!mask) {
2309                 /* No permission to check.  Existence test. */
2310                 return 0;
2311         }
2312
2313         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2314         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2315                 mask |= MAY_APPEND;
2316
2317         return file_has_perm(current, file,
2318                              file_mask_to_av(inode->i_mode, mask));
2319 }
2320
2321 static int selinux_file_alloc_security(struct file *file)
2322 {
2323         return file_alloc_security(file);
2324 }
2325
2326 static void selinux_file_free_security(struct file *file)
2327 {
2328         file_free_security(file);
2329 }
2330
2331 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2332                               unsigned long arg)
2333 {
2334         int error = 0;
2335
2336         switch (cmd) {
2337                 case FIONREAD:
2338                 /* fall through */
2339                 case FIBMAP:
2340                 /* fall through */
2341                 case FIGETBSZ:
2342                 /* fall through */
2343                 case EXT2_IOC_GETFLAGS:
2344                 /* fall through */
2345                 case EXT2_IOC_GETVERSION:
2346                         error = file_has_perm(current, file, FILE__GETATTR);
2347                         break;
2348
2349                 case EXT2_IOC_SETFLAGS:
2350                 /* fall through */
2351                 case EXT2_IOC_SETVERSION:
2352                         error = file_has_perm(current, file, FILE__SETATTR);
2353                         break;
2354
2355                 /* sys_ioctl() checks */
2356                 case FIONBIO:
2357                 /* fall through */
2358                 case FIOASYNC:
2359                         error = file_has_perm(current, file, 0);
2360                         break;
2361
2362                 case KDSKBENT:
2363                 case KDSKBSENT:
2364                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2365                         break;
2366
2367                 /* default case assumes that the command will go
2368                  * to the file's ioctl() function.
2369                  */
2370                 default:
2371                         error = file_has_perm(current, file, FILE__IOCTL);
2372
2373         }
2374         return error;
2375 }
2376
2377 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2378 {
2379 #ifndef CONFIG_PPC32
2380         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2381                 /*
2382                  * We are making executable an anonymous mapping or a
2383                  * private file mapping that will also be writable.
2384                  * This has an additional check.
2385                  */
2386                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2387                 if (rc)
2388                         return rc;
2389         }
2390 #endif
2391
2392         if (file) {
2393                 /* read access is always possible with a mapping */
2394                 u32 av = FILE__READ;
2395
2396                 /* write access only matters if the mapping is shared */
2397                 if (shared && (prot & PROT_WRITE))
2398                         av |= FILE__WRITE;
2399
2400                 if (prot & PROT_EXEC)
2401                         av |= FILE__EXECUTE;
2402
2403                 return file_has_perm(current, file, av);
2404         }
2405         return 0;
2406 }
2407
2408 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2409                              unsigned long prot, unsigned long flags)
2410 {
2411         int rc;
2412
2413         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2414         if (rc)
2415                 return rc;
2416
2417         if (selinux_checkreqprot)
2418                 prot = reqprot;
2419
2420         return file_map_prot_check(file, prot,
2421                                    (flags & MAP_TYPE) == MAP_SHARED);
2422 }
2423
2424 static int selinux_file_mprotect(struct vm_area_struct *vma,
2425                                  unsigned long reqprot,
2426                                  unsigned long prot)
2427 {
2428         int rc;
2429
2430         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2431         if (rc)
2432                 return rc;
2433
2434         if (selinux_checkreqprot)
2435                 prot = reqprot;
2436
2437 #ifndef CONFIG_PPC32
2438         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2439            (vma->vm_start >= vma->vm_mm->start_brk &&
2440             vma->vm_end <= vma->vm_mm->brk)) {
2441                 /*
2442                  * We are making an executable mapping in the brk region.
2443                  * This has an additional execheap check.
2444                  */
2445                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2446                 if (rc)
2447                         return rc;
2448         }
2449         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2450                 /*
2451                  * We are making executable a file mapping that has
2452                  * had some COW done. Since pages might have been written,
2453                  * check ability to execute the possibly modified content.
2454                  * This typically should only occur for text relocations.
2455                  */
2456                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2457                 if (rc)
2458                         return rc;
2459         }
2460         if (!vma->vm_file && (prot & PROT_EXEC) &&
2461                 vma->vm_start <= vma->vm_mm->start_stack &&
2462                 vma->vm_end >= vma->vm_mm->start_stack) {
2463                 /* Attempt to make the process stack executable.
2464                  * This has an additional execstack check.
2465                  */
2466                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2467                 if (rc)
2468                         return rc;
2469         }
2470 #endif
2471
2472         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2473 }
2474
2475 static int selinux_file_lock(struct file *file, unsigned int cmd)
2476 {
2477         return file_has_perm(current, file, FILE__LOCK);
2478 }
2479
2480 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2481                               unsigned long arg)
2482 {
2483         int err = 0;
2484
2485         switch (cmd) {
2486                 case F_SETFL:
2487                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2488                                 err = -EINVAL;
2489                                 break;
2490                         }
2491
2492                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2493                                 err = file_has_perm(current, file,FILE__WRITE);
2494                                 break;
2495                         }
2496                         /* fall through */
2497                 case F_SETOWN:
2498                 case F_SETSIG:
2499                 case F_GETFL:
2500                 case F_GETOWN:
2501                 case F_GETSIG:
2502                         /* Just check FD__USE permission */
2503                         err = file_has_perm(current, file, 0);
2504                         break;
2505                 case F_GETLK:
2506                 case F_SETLK:
2507                 case F_SETLKW:
2508 #if BITS_PER_LONG == 32
2509                 case F_GETLK64:
2510                 case F_SETLK64:
2511                 case F_SETLKW64:
2512 #endif
2513                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2514                                 err = -EINVAL;
2515                                 break;
2516                         }
2517                         err = file_has_perm(current, file, FILE__LOCK);
2518                         break;
2519         }
2520
2521         return err;
2522 }
2523
2524 static int selinux_file_set_fowner(struct file *file)
2525 {
2526         struct task_security_struct *tsec;
2527         struct file_security_struct *fsec;
2528
2529         tsec = current->security;
2530         fsec = file->f_security;
2531         fsec->fown_sid = tsec->sid;
2532
2533         return 0;
2534 }
2535
2536 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2537                                        struct fown_struct *fown, int signum)
2538 {
2539         struct file *file;
2540         u32 perm;
2541         struct task_security_struct *tsec;
2542         struct file_security_struct *fsec;
2543
2544         /* struct fown_struct is never outside the context of a struct file */
2545         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2546
2547         tsec = tsk->security;
2548         fsec = file->f_security;
2549
2550         if (!signum)
2551                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2552         else
2553                 perm = signal_to_av(signum);
2554
2555         return avc_has_perm(fsec->fown_sid, tsec->sid,
2556                             SECCLASS_PROCESS, perm, NULL);
2557 }
2558
2559 static int selinux_file_receive(struct file *file)
2560 {
2561         return file_has_perm(current, file, file_to_av(file));
2562 }
2563
2564 /* task security operations */
2565
2566 static int selinux_task_create(unsigned long clone_flags)
2567 {
2568         int rc;
2569
2570         rc = secondary_ops->task_create(clone_flags);
2571         if (rc)
2572                 return rc;
2573
2574         return task_has_perm(current, current, PROCESS__FORK);
2575 }
2576
2577 static int selinux_task_alloc_security(struct task_struct *tsk)
2578 {
2579         struct task_security_struct *tsec1, *tsec2;
2580         int rc;
2581
2582         tsec1 = current->security;
2583
2584         rc = task_alloc_security(tsk);
2585         if (rc)
2586                 return rc;
2587         tsec2 = tsk->security;
2588
2589         tsec2->osid = tsec1->osid;
2590         tsec2->sid = tsec1->sid;
2591
2592         /* Retain the exec and create SIDs across fork */
2593         tsec2->exec_sid = tsec1->exec_sid;
2594         tsec2->create_sid = tsec1->create_sid;
2595
2596         /* Retain ptracer SID across fork, if any.
2597            This will be reset by the ptrace hook upon any
2598            subsequent ptrace_attach operations. */
2599         tsec2->ptrace_sid = tsec1->ptrace_sid;
2600
2601         return 0;
2602 }
2603
2604 static void selinux_task_free_security(struct task_struct *tsk)
2605 {
2606         task_free_security(tsk);
2607 }
2608
2609 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2610 {
2611         /* Since setuid only affects the current process, and
2612            since the SELinux controls are not based on the Linux
2613            identity attributes, SELinux does not need to control
2614            this operation.  However, SELinux does control the use
2615            of the CAP_SETUID and CAP_SETGID capabilities using the
2616            capable hook. */
2617         return 0;
2618 }
2619
2620 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2621 {
2622         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2623 }
2624
2625 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2626 {
2627         /* See the comment for setuid above. */
2628         return 0;
2629 }
2630
2631 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2632 {
2633         return task_has_perm(current, p, PROCESS__SETPGID);
2634 }
2635
2636 static int selinux_task_getpgid(struct task_struct *p)
2637 {
2638         return task_has_perm(current, p, PROCESS__GETPGID);
2639 }
2640
2641 static int selinux_task_getsid(struct task_struct *p)
2642 {
2643         return task_has_perm(current, p, PROCESS__GETSESSION);
2644 }
2645
2646 static int selinux_task_setgroups(struct group_info *group_info)
2647 {
2648         /* See the comment for setuid above. */
2649         return 0;
2650 }
2651
2652 static int selinux_task_setnice(struct task_struct *p, int nice)
2653 {
2654         int rc;
2655
2656         rc = secondary_ops->task_setnice(p, nice);
2657         if (rc)
2658                 return rc;
2659
2660         return task_has_perm(current,p, PROCESS__SETSCHED);
2661 }
2662
2663 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2664 {
2665         struct rlimit *old_rlim = current->signal->rlim + resource;
2666         int rc;
2667
2668         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2669         if (rc)
2670                 return rc;
2671
2672         /* Control the ability to change the hard limit (whether
2673            lowering or raising it), so that the hard limit can
2674            later be used as a safe reset point for the soft limit
2675            upon context transitions. See selinux_bprm_apply_creds. */
2676         if (old_rlim->rlim_max != new_rlim->rlim_max)
2677                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2678
2679         return 0;
2680 }
2681
2682 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2683 {
2684         return task_has_perm(current, p, PROCESS__SETSCHED);
2685 }
2686
2687 static int selinux_task_getscheduler(struct task_struct *p)
2688 {
2689         return task_has_perm(current, p, PROCESS__GETSCHED);
2690 }
2691
2692 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2693 {
2694         u32 perm;
2695         int rc;
2696
2697         rc = secondary_ops->task_kill(p, info, sig);
2698         if (rc)
2699                 return rc;
2700
2701         if (info && ((unsigned long)info == 1 ||
2702                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2703                 return 0;
2704
2705         if (!sig)
2706                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2707         else
2708                 perm = signal_to_av(sig);
2709
2710         return task_has_perm(current, p, perm);
2711 }
2712
2713 static int selinux_task_prctl(int option,
2714                               unsigned long arg2,
2715                               unsigned long arg3,
2716                               unsigned long arg4,
2717                               unsigned long arg5)
2718 {
2719         /* The current prctl operations do not appear to require
2720            any SELinux controls since they merely observe or modify
2721            the state of the current process. */
2722         return 0;
2723 }
2724
2725 static int selinux_task_wait(struct task_struct *p)
2726 {
2727         u32 perm;
2728
2729         perm = signal_to_av(p->exit_signal);
2730
2731         return task_has_perm(p, current, perm);
2732 }
2733
2734 static void selinux_task_reparent_to_init(struct task_struct *p)
2735 {
2736         struct task_security_struct *tsec;
2737
2738         secondary_ops->task_reparent_to_init(p);
2739
2740         tsec = p->security;
2741         tsec->osid = tsec->sid;
2742         tsec->sid = SECINITSID_KERNEL;
2743         return;
2744 }
2745
2746 static void selinux_task_to_inode(struct task_struct *p,
2747                                   struct inode *inode)
2748 {
2749         struct task_security_struct *tsec = p->security;
2750         struct inode_security_struct *isec = inode->i_security;
2751
2752         isec->sid = tsec->sid;
2753         isec->initialized = 1;
2754         return;
2755 }
2756
2757 #ifdef CONFIG_SECURITY_NETWORK
2758
2759 /* Returns error only if unable to parse addresses */
2760 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2761 {
2762         int offset, ihlen, ret = -EINVAL;
2763         struct iphdr _iph, *ih;
2764
2765         offset = skb->nh.raw - skb->data;
2766         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2767         if (ih == NULL)
2768                 goto out;
2769
2770         ihlen = ih->ihl * 4;
2771         if (ihlen < sizeof(_iph))
2772                 goto out;
2773
2774         ad->u.net.v4info.saddr = ih->saddr;
2775         ad->u.net.v4info.daddr = ih->daddr;
2776         ret = 0;
2777
2778         switch (ih->protocol) {
2779         case IPPROTO_TCP: {
2780                 struct tcphdr _tcph, *th;
2781
2782                 if (ntohs(ih->frag_off) & IP_OFFSET)
2783                         break;
2784
2785                 offset += ihlen;
2786                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2787                 if (th == NULL)
2788                         break;
2789
2790                 ad->u.net.sport = th->source;
2791                 ad->u.net.dport = th->dest;
2792                 break;
2793         }
2794         
2795         case IPPROTO_UDP: {
2796                 struct udphdr _udph, *uh;
2797                 
2798                 if (ntohs(ih->frag_off) & IP_OFFSET)
2799                         break;
2800                         
2801                 offset += ihlen;
2802                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2803                 if (uh == NULL)
2804                         break;  
2805
2806                 ad->u.net.sport = uh->source;
2807                 ad->u.net.dport = uh->dest;
2808                 break;
2809         }
2810
2811         default:
2812                 break;
2813         }
2814 out:
2815         return ret;
2816 }
2817
2818 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2819
2820 /* Returns error only if unable to parse addresses */
2821 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2822 {
2823         u8 nexthdr;
2824         int ret = -EINVAL, offset;
2825         struct ipv6hdr _ipv6h, *ip6;
2826
2827         offset = skb->nh.raw - skb->data;
2828         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2829         if (ip6 == NULL)
2830                 goto out;
2831
2832         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2833         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2834         ret = 0;
2835
2836         nexthdr = ip6->nexthdr;
2837         offset += sizeof(_ipv6h);
2838         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2839         if (offset < 0)
2840                 goto out;
2841
2842         switch (nexthdr) {
2843         case IPPROTO_TCP: {
2844                 struct tcphdr _tcph, *th;
2845
2846                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2847                 if (th == NULL)
2848                         break;
2849
2850                 ad->u.net.sport = th->source;
2851                 ad->u.net.dport = th->dest;
2852                 break;
2853         }
2854
2855         case IPPROTO_UDP: {
2856                 struct udphdr _udph, *uh;
2857
2858                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2859                 if (uh == NULL)
2860                         break;
2861
2862                 ad->u.net.sport = uh->source;
2863                 ad->u.net.dport = uh->dest;
2864                 break;
2865         }
2866
2867         /* includes fragments */
2868         default:
2869                 break;
2870         }
2871 out:
2872         return ret;
2873 }
2874
2875 #endif /* IPV6 */
2876
2877 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2878                              char **addrp, int *len, int src)
2879 {
2880         int ret = 0;
2881
2882         switch (ad->u.net.family) {
2883         case PF_INET:
2884                 ret = selinux_parse_skb_ipv4(skb, ad);
2885                 if (ret || !addrp)
2886                         break;
2887                 *len = 4;
2888                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2889                                         &ad->u.net.v4info.daddr);
2890                 break;
2891
2892 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2893         case PF_INET6:
2894                 ret = selinux_parse_skb_ipv6(skb, ad);
2895                 if (ret || !addrp)
2896                         break;
2897                 *len = 16;
2898                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2899                                         &ad->u.net.v6info.daddr);
2900                 break;
2901 #endif  /* IPV6 */
2902         default:
2903                 break;
2904         }
2905
2906         return ret;
2907 }
2908
2909 /* socket security operations */
2910 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2911                            u32 perms)
2912 {
2913         struct inode_security_struct *isec;
2914         struct task_security_struct *tsec;
2915         struct avc_audit_data ad;
2916         int err = 0;
2917
2918         tsec = task->security;
2919         isec = SOCK_INODE(sock)->i_security;
2920
2921         if (isec->sid == SECINITSID_KERNEL)
2922                 goto out;
2923
2924         AVC_AUDIT_DATA_INIT(&ad,NET);
2925         ad.u.net.sk = sock->sk;
2926         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2927
2928 out:
2929         return err;
2930 }
2931
2932 static int selinux_socket_create(int family, int type,
2933                                  int protocol, int kern)
2934 {
2935         int err = 0;
2936         struct task_security_struct *tsec;
2937
2938         if (kern)
2939                 goto out;
2940
2941         tsec = current->security;
2942         err = avc_has_perm(tsec->sid, tsec->sid,
2943                            socket_type_to_security_class(family, type,
2944                            protocol), SOCKET__CREATE, NULL);
2945
2946 out:
2947         return err;
2948 }
2949
2950 static void selinux_socket_post_create(struct socket *sock, int family,
2951                                        int type, int protocol, int kern)
2952 {
2953         struct inode_security_struct *isec;
2954         struct task_security_struct *tsec;
2955
2956         isec = SOCK_INODE(sock)->i_security;
2957
2958         tsec = current->security;
2959         isec->sclass = socket_type_to_security_class(family, type, protocol);
2960         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2961         isec->initialized = 1;
2962
2963         return;
2964 }
2965
2966 /* Range of port numbers used to automatically bind.
2967    Need to determine whether we should perform a name_bind
2968    permission check between the socket and the port number. */
2969 #define ip_local_port_range_0 sysctl_local_port_range[0]
2970 #define ip_local_port_range_1 sysctl_local_port_range[1]
2971
2972 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2973 {
2974         u16 family;
2975         int err;
2976
2977         err = socket_has_perm(current, sock, SOCKET__BIND);
2978         if (err)
2979                 goto out;
2980
2981         /*
2982          * If PF_INET or PF_INET6, check name_bind permission for the port.
2983          * Multiple address binding for SCTP is not supported yet: we just
2984          * check the first address now.
2985          */
2986         family = sock->sk->sk_family;
2987         if (family == PF_INET || family == PF_INET6) {
2988                 char *addrp;
2989                 struct inode_security_struct *isec;
2990                 struct task_security_struct *tsec;
2991                 struct avc_audit_data ad;
2992                 struct sockaddr_in *addr4 = NULL;
2993                 struct sockaddr_in6 *addr6 = NULL;
2994                 unsigned short snum;
2995                 struct sock *sk = sock->sk;
2996                 u32 sid, node_perm, addrlen;
2997
2998                 tsec = current->security;
2999                 isec = SOCK_INODE(sock)->i_security;
3000
3001                 if (family == PF_INET) {
3002                         addr4 = (struct sockaddr_in *)address;
3003                         snum = ntohs(addr4->sin_port);
3004                         addrlen = sizeof(addr4->sin_addr.s_addr);
3005                         addrp = (char *)&addr4->sin_addr.s_addr;
3006                 } else {
3007                         addr6 = (struct sockaddr_in6 *)address;
3008                         snum = ntohs(addr6->sin6_port);
3009                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3010                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3011                 }
3012
3013                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3014                            snum > ip_local_port_range_1)) {
3015                         err = security_port_sid(sk->sk_family, sk->sk_type,
3016                                                 sk->sk_protocol, snum, &sid);
3017                         if (err)
3018                                 goto out;
3019                         AVC_AUDIT_DATA_INIT(&ad,NET);
3020                         ad.u.net.sport = htons(snum);
3021                         ad.u.net.family = family;
3022                         err = avc_has_perm(isec->sid, sid,
3023                                            isec->sclass,
3024                                            SOCKET__NAME_BIND, &ad);
3025                         if (err)
3026                                 goto out;
3027                 }
3028                 
3029                 switch(isec->sclass) {
3030                 case SECCLASS_TCP_SOCKET:
3031                         node_perm = TCP_SOCKET__NODE_BIND;
3032                         break;
3033                         
3034                 case SECCLASS_UDP_SOCKET:
3035                         node_perm = UDP_SOCKET__NODE_BIND;
3036                         break;
3037                         
3038                 default:
3039                         node_perm = RAWIP_SOCKET__NODE_BIND;
3040                         break;
3041                 }
3042                 
3043                 err = security_node_sid(family, addrp, addrlen, &sid);
3044                 if (err)
3045                         goto out;
3046                 
3047                 AVC_AUDIT_DATA_INIT(&ad,NET);
3048                 ad.u.net.sport = htons(snum);
3049                 ad.u.net.family = family;
3050
3051                 if (family == PF_INET)
3052                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3053                 else
3054                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3055
3056                 err = avc_has_perm(isec->sid, sid,
3057                                    isec->sclass, node_perm, &ad);
3058                 if (err)
3059                         goto out;
3060         }
3061 out:
3062         return err;
3063 }
3064
3065 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3066 {
3067         struct inode_security_struct *isec;
3068         int err;
3069
3070         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3071         if (err)
3072                 return err;
3073
3074         /*
3075          * If a TCP socket, check name_connect permission for the port.
3076          */
3077         isec = SOCK_INODE(sock)->i_security;
3078         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3079                 struct sock *sk = sock->sk;
3080                 struct avc_audit_data ad;
3081                 struct sockaddr_in *addr4 = NULL;
3082                 struct sockaddr_in6 *addr6 = NULL;
3083                 unsigned short snum;
3084                 u32 sid;
3085
3086                 if (sk->sk_family == PF_INET) {
3087                         addr4 = (struct sockaddr_in *)address;
3088                         if (addrlen < sizeof(struct sockaddr_in))
3089                                 return -EINVAL;
3090                         snum = ntohs(addr4->sin_port);
3091                 } else {
3092                         addr6 = (struct sockaddr_in6 *)address;
3093                         if (addrlen < SIN6_LEN_RFC2133)
3094                                 return -EINVAL;
3095                         snum = ntohs(addr6->sin6_port);
3096                 }
3097
3098                 err = security_port_sid(sk->sk_family, sk->sk_type,
3099                                         sk->sk_protocol, snum, &sid);
3100                 if (err)
3101                         goto out;
3102
3103                 AVC_AUDIT_DATA_INIT(&ad,NET);
3104                 ad.u.net.dport = htons(snum);
3105                 ad.u.net.family = sk->sk_family;
3106                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3107                                    TCP_SOCKET__NAME_CONNECT, &ad);
3108                 if (err)
3109                         goto out;
3110         }
3111
3112 out:
3113         return err;
3114 }
3115
3116 static int selinux_socket_listen(struct socket *sock, int backlog)
3117 {
3118         return socket_has_perm(current, sock, SOCKET__LISTEN);
3119 }
3120
3121 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3122 {
3123         int err;
3124         struct inode_security_struct *isec;
3125         struct inode_security_struct *newisec;
3126
3127         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3128         if (err)
3129                 return err;
3130
3131         newisec = SOCK_INODE(newsock)->i_security;
3132
3133         isec = SOCK_INODE(sock)->i_security;
3134         newisec->sclass = isec->sclass;
3135         newisec->sid = isec->sid;
3136         newisec->initialized = 1;
3137
3138         return 0;
3139 }
3140
3141 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3142                                   int size)
3143 {
3144         return socket_has_perm(current, sock, SOCKET__WRITE);
3145 }
3146
3147 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3148                                   int size, int flags)
3149 {
3150         return socket_has_perm(current, sock, SOCKET__READ);
3151 }
3152
3153 static int selinux_socket_getsockname(struct socket *sock)
3154 {
3155         return socket_has_perm(current, sock, SOCKET__GETATTR);
3156 }
3157
3158 static int selinux_socket_getpeername(struct socket *sock)
3159 {
3160         return socket_has_perm(current, sock, SOCKET__GETATTR);
3161 }
3162
3163 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3164 {
3165         return socket_has_perm(current, sock, SOCKET__SETOPT);
3166 }
3167
3168 static int selinux_socket_getsockopt(struct socket *sock, int level,
3169                                      int optname)
3170 {
3171         return socket_has_perm(current, sock, SOCKET__GETOPT);
3172 }
3173
3174 static int selinux_socket_shutdown(struct socket *sock, int how)
3175 {
3176         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3177 }
3178
3179 static int selinux_socket_unix_stream_connect(struct socket *sock,
3180                                               struct socket *other,
3181                                               struct sock *newsk)
3182 {
3183         struct sk_security_struct *ssec;
3184         struct inode_security_struct *isec;
3185         struct inode_security_struct *other_isec;
3186         struct avc_audit_data ad;
3187         int err;
3188
3189         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3190         if (err)
3191                 return err;
3192
3193         isec = SOCK_INODE(sock)->i_security;
3194         other_isec = SOCK_INODE(other)->i_security;
3195
3196         AVC_AUDIT_DATA_INIT(&ad,NET);
3197         ad.u.net.sk = other->sk;
3198
3199         err = avc_has_perm(isec->sid, other_isec->sid,
3200                            isec->sclass,
3201                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3202         if (err)
3203                 return err;
3204
3205         /* connecting socket */
3206         ssec = sock->sk->sk_security;
3207         ssec->peer_sid = other_isec->sid;
3208         
3209         /* server child socket */
3210         ssec = newsk->sk_security;
3211         ssec->peer_sid = isec->sid;
3212         
3213         return 0;
3214 }
3215
3216 static int selinux_socket_unix_may_send(struct socket *sock,
3217                                         struct socket *other)
3218 {
3219         struct inode_security_struct *isec;
3220         struct inode_security_struct *other_isec;
3221         struct avc_audit_data ad;
3222         int err;
3223
3224         isec = SOCK_INODE(sock)->i_security;
3225         other_isec = SOCK_INODE(other)->i_security;
3226
3227         AVC_AUDIT_DATA_INIT(&ad,NET);
3228         ad.u.net.sk = other->sk;
3229
3230         err = avc_has_perm(isec->sid, other_isec->sid,
3231                            isec->sclass, SOCKET__SENDTO, &ad);
3232         if (err)
3233                 return err;
3234
3235         return 0;
3236 }
3237
3238 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3239 {
3240         u16 family;
3241         char *addrp;
3242         int len, err = 0;
3243         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3244         u32 sock_sid = 0;
3245         u16 sock_class = 0;
3246         struct socket *sock;
3247         struct net_device *dev;
3248         struct avc_audit_data ad;
3249
3250         family = sk->sk_family;
3251         if (family != PF_INET && family != PF_INET6)
3252                 goto out;
3253
3254         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3255         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3256                 family = PF_INET;
3257
3258         read_lock_bh(&sk->sk_callback_lock);
3259         sock = sk->sk_socket;
3260         if (sock) {
3261                 struct inode *inode;
3262                 inode = SOCK_INODE(sock);
3263                 if (inode) {
3264                         struct inode_security_struct *isec;
3265                         isec = inode->i_security;
3266                         sock_sid = isec->sid;
3267                         sock_class = isec->sclass;
3268                 }
3269         }
3270         read_unlock_bh(&sk->sk_callback_lock);
3271         if (!sock_sid)
3272                 goto out;
3273
3274         dev = skb->dev;
3275         if (!dev)
3276                 goto out;
3277
3278         err = sel_netif_sids(dev, &if_sid, NULL);
3279         if (err)
3280                 goto out;
3281
3282         switch (sock_class) {
3283         case SECCLASS_UDP_SOCKET:
3284                 netif_perm = NETIF__UDP_RECV;
3285                 node_perm = NODE__UDP_RECV;
3286                 recv_perm = UDP_SOCKET__RECV_MSG;
3287                 break;
3288         
3289         case SECCLASS_TCP_SOCKET:
3290                 netif_perm = NETIF__TCP_RECV;
3291                 node_perm = NODE__TCP_RECV;
3292                 recv_perm = TCP_SOCKET__RECV_MSG;
3293                 break;
3294         
3295         default:
3296                 netif_perm = NETIF__RAWIP_RECV;
3297                 node_perm = NODE__RAWIP_RECV;
3298                 break;
3299         }
3300
3301         AVC_AUDIT_DATA_INIT(&ad, NET);
3302         ad.u.net.netif = dev->name;
3303         ad.u.net.family = family;
3304
3305         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3306         if (err)
3307                 goto out;
3308
3309         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3310         if (err)
3311                 goto out;
3312         
3313         /* Fixme: this lookup is inefficient */
3314         err = security_node_sid(family, addrp, len, &node_sid);
3315         if (err)
3316                 goto out;
3317         
3318         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3319         if (err)
3320                 goto out;
3321
3322         if (recv_perm) {
3323                 u32 port_sid;
3324
3325                 /* Fixme: make this more efficient */
3326                 err = security_port_sid(sk->sk_family, sk->sk_type,
3327                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3328                                         &port_sid);
3329                 if (err)
3330                         goto out;
3331
3332                 err = avc_has_perm(sock_sid, port_sid,
3333                                    sock_class, recv_perm, &ad);
3334         }
3335 out:    
3336         return err;
3337 }
3338
3339 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3340                                      int __user *optlen, unsigned len)
3341 {
3342         int err = 0;
3343         char *scontext;
3344         u32 scontext_len;
3345         struct sk_security_struct *ssec;
3346         struct inode_security_struct *isec;
3347
3348         isec = SOCK_INODE(sock)->i_security;
3349         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3350                 err = -ENOPROTOOPT;
3351                 goto out;
3352         }
3353
3354         ssec = sock->sk->sk_security;
3355         
3356         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3357         if (err)
3358                 goto out;
3359
3360         if (scontext_len > len) {
3361                 err = -ERANGE;
3362                 goto out_len;
3363         }
3364
3365         if (copy_to_user(optval, scontext, scontext_len))
3366                 err = -EFAULT;
3367
3368 out_len:
3369         if (put_user(scontext_len, optlen))
3370                 err = -EFAULT;
3371
3372         kfree(scontext);
3373 out:    
3374         return err;
3375 }
3376
3377 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3378 {
3379         return sk_alloc_security(sk, family, priority);
3380 }
3381
3382 static void selinux_sk_free_security(struct sock *sk)
3383 {
3384         sk_free_security(sk);
3385 }
3386
3387 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3388 {
3389         int err = 0;
3390         u32 perm;
3391         struct nlmsghdr *nlh;
3392         struct socket *sock = sk->sk_socket;
3393         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3394         
3395         if (skb->len < NLMSG_SPACE(0)) {
3396                 err = -EINVAL;
3397                 goto out;
3398         }
3399         nlh = (struct nlmsghdr *)skb->data;
3400         
3401         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3402         if (err) {
3403                 if (err == -EINVAL) {
3404                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3405                                   "SELinux:  unrecognized netlink message"
3406                                   " type=%hu for sclass=%hu\n",
3407                                   nlh->nlmsg_type, isec->sclass);
3408                         if (!selinux_enforcing)
3409                                 err = 0;
3410                 }
3411
3412                 /* Ignore */
3413                 if (err == -ENOENT)
3414                         err = 0;
3415                 goto out;
3416         }
3417
3418         err = socket_has_perm(current, sock, perm);
3419 out:
3420         return err;
3421 }
3422
3423 #ifdef CONFIG_NETFILTER
3424
3425 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3426                                               struct sk_buff **pskb,
3427                                               const struct net_device *in,
3428                                               const struct net_device *out,
3429                                               int (*okfn)(struct sk_buff *),
3430                                               u16 family)
3431 {
3432         char *addrp;
3433         int len, err = NF_ACCEPT;
3434         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3435         struct sock *sk;
3436         struct socket *sock;
3437         struct inode *inode;
3438         struct sk_buff *skb = *pskb;
3439         struct inode_security_struct *isec;
3440         struct avc_audit_data ad;
3441         struct net_device *dev = (struct net_device *)out;
3442         
3443         sk = skb->sk;
3444         if (!sk)
3445                 goto out;
3446                 
3447         sock = sk->sk_socket;
3448         if (!sock)
3449                 goto out;
3450                 
3451         inode = SOCK_INODE(sock);
3452         if (!inode)
3453                 goto out;
3454
3455         err = sel_netif_sids(dev, &if_sid, NULL);
3456         if (err)
3457                 goto out;
3458
3459         isec = inode->i_security;
3460         
3461         switch (isec->sclass) {
3462         case SECCLASS_UDP_SOCKET:
3463                 netif_perm = NETIF__UDP_SEND;
3464                 node_perm = NODE__UDP_SEND;
3465                 send_perm = UDP_SOCKET__SEND_MSG;
3466                 break;
3467         
3468         case SECCLASS_TCP_SOCKET:
3469                 netif_perm = NETIF__TCP_SEND;
3470                 node_perm = NODE__TCP_SEND;
3471                 send_perm = TCP_SOCKET__SEND_MSG;
3472                 break;
3473         
3474         default:
3475                 netif_perm = NETIF__RAWIP_SEND;
3476                 node_perm = NODE__RAWIP_SEND;
3477                 break;
3478         }
3479
3480
3481         AVC_AUDIT_DATA_INIT(&ad, NET);
3482         ad.u.net.netif = dev->name;
3483         ad.u.net.family = family;
3484
3485         err = selinux_parse_skb(skb, &ad, &addrp,
3486                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3487         if (err != NF_ACCEPT)
3488                 goto out;
3489
3490         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3491                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3492         if (err != NF_ACCEPT)
3493                 goto out;
3494                 
3495         /* Fixme: this lookup is inefficient */
3496         err = security_node_sid(family, addrp, len,
3497                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3498         if (err != NF_ACCEPT)
3499                 goto out;
3500         
3501         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3502                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3503         if (err != NF_ACCEPT)
3504                 goto out;
3505
3506         if (send_perm) {
3507                 u32 port_sid;
3508                 
3509                 /* Fixme: make this more efficient */
3510                 err = security_port_sid(sk->sk_family,
3511                                         sk->sk_type,
3512                                         sk->sk_protocol,
3513                                         ntohs(ad.u.net.dport),
3514                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3515                 if (err != NF_ACCEPT)
3516                         goto out;
3517
3518                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3519                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3520         }
3521
3522 out:
3523         return err;
3524 }
3525
3526 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3527                                                 struct sk_buff **pskb,
3528                                                 const struct net_device *in,
3529                                                 const struct net_device *out,
3530                                                 int (*okfn)(struct sk_buff *))
3531 {
3532         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3533 }
3534
3535 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3536
3537 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3538                                                 struct sk_buff **pskb,
3539                                                 const struct net_device *in,
3540                                                 const struct net_device *out,
3541                                                 int (*okfn)(struct sk_buff *))
3542 {
3543         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3544 }
3545
3546 #endif  /* IPV6 */
3547
3548 #endif  /* CONFIG_NETFILTER */
3549
3550 #else
3551
3552 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3553 {
3554         return 0;
3555 }
3556
3557 #endif  /* CONFIG_SECURITY_NETWORK */
3558
3559 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3560 {
3561         struct task_security_struct *tsec;
3562         struct av_decision avd;
3563         int err;
3564
3565         err = secondary_ops->netlink_send(sk, skb);
3566         if (err)
3567                 return err;
3568
3569         tsec = current->security;
3570
3571         avd.allowed = 0;
3572         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3573                                 SECCLASS_CAPABILITY, ~0, &avd);
3574         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3575
3576         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3577                 err = selinux_nlmsg_perm(sk, skb);
3578
3579         return err;
3580 }
3581
3582 static int selinux_netlink_recv(struct sk_buff *skb)
3583 {
3584         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3585                 return -EPERM;
3586         return 0;
3587 }
3588
3589 static int ipc_alloc_security(struct task_struct *task,
3590                               struct kern_ipc_perm *perm,
3591                               u16 sclass)
3592 {
3593         struct task_security_struct *tsec = task->security;
3594         struct ipc_security_struct *isec;
3595
3596         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3597         if (!isec)
3598                 return -ENOMEM;
3599
3600         isec->magic = SELINUX_MAGIC;
3601         isec->sclass = sclass;
3602         isec->ipc_perm = perm;
3603         if (tsec) {
3604                 isec->sid = tsec->sid;
3605         } else {
3606                 isec->sid = SECINITSID_UNLABELED;
3607         }
3608         perm->security = isec;
3609
3610         return 0;
3611 }
3612
3613 static void ipc_free_security(struct kern_ipc_perm *perm)
3614 {
3615         struct ipc_security_struct *isec = perm->security;
3616         if (!isec || isec->magic != SELINUX_MAGIC)
3617                 return;
3618
3619         perm->security = NULL;
3620         kfree(isec);
3621 }
3622
3623 static int msg_msg_alloc_security(struct msg_msg *msg)
3624 {
3625         struct msg_security_struct *msec;
3626
3627         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3628         if (!msec)
3629                 return -ENOMEM;
3630
3631         msec->magic = SELINUX_MAGIC;
3632         msec->msg = msg;
3633         msec->sid = SECINITSID_UNLABELED;
3634         msg->security = msec;
3635
3636         return 0;
3637 }
3638
3639 static void msg_msg_free_security(struct msg_msg *msg)
3640 {
3641         struct msg_security_struct *msec = msg->security;
3642         if (!msec || msec->magic != SELINUX_MAGIC)
3643                 return;
3644
3645         msg->security = NULL;
3646         kfree(msec);
3647 }
3648
3649 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3650                         u32 perms)
3651 {
3652         struct task_security_struct *tsec;
3653         struct ipc_security_struct *isec;
3654         struct avc_audit_data ad;
3655
3656         tsec = current->security;
3657         isec = ipc_perms->security;
3658
3659         AVC_AUDIT_DATA_INIT(&ad, IPC);
3660         ad.u.ipc_id = ipc_perms->key;
3661
3662         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3663 }
3664
3665 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3666 {
3667         return msg_msg_alloc_security(msg);
3668 }
3669
3670 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3671 {
3672         msg_msg_free_security(msg);
3673 }
3674
3675 /* message queue security operations */
3676 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3677 {
3678         struct task_security_struct *tsec;
3679         struct ipc_security_struct *isec;
3680         struct avc_audit_data ad;
3681         int rc;
3682
3683         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3684         if (rc)
3685                 return rc;
3686
3687         tsec = current->security;
3688         isec = msq->q_perm.security;
3689
3690         AVC_AUDIT_DATA_INIT(&ad, IPC);
3691         ad.u.ipc_id = msq->q_perm.key;
3692
3693         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3694                           MSGQ__CREATE, &ad);
3695         if (rc) {
3696                 ipc_free_security(&msq->q_perm);
3697                 return rc;
3698         }
3699         return 0;
3700 }
3701
3702 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3703 {
3704         ipc_free_security(&msq->q_perm);
3705 }
3706
3707 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3708 {
3709         struct task_security_struct *tsec;
3710         struct ipc_security_struct *isec;
3711         struct avc_audit_data ad;
3712
3713         tsec = current->security;
3714         isec = msq->q_perm.security;
3715
3716         AVC_AUDIT_DATA_INIT(&ad, IPC);
3717         ad.u.ipc_id = msq->q_perm.key;
3718
3719         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3720                             MSGQ__ASSOCIATE, &ad);
3721 }
3722
3723 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3724 {
3725         int err;
3726         int perms;
3727
3728         switch(cmd) {
3729         case IPC_INFO:
3730         case MSG_INFO:
3731                 /* No specific object, just general system-wide information. */
3732                 return task_has_system(current, SYSTEM__IPC_INFO);
3733         case IPC_STAT:
3734         case MSG_STAT:
3735                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3736                 break;
3737         case IPC_SET:
3738                 perms = MSGQ__SETATTR;
3739                 break;
3740         case IPC_RMID:
3741                 perms = MSGQ__DESTROY;
3742                 break;
3743         default:
3744                 return 0;
3745         }
3746
3747         err = ipc_has_perm(&msq->q_perm, perms);
3748         return err;
3749 }
3750
3751 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3752 {
3753         struct task_security_struct *tsec;
3754         struct ipc_security_struct *isec;
3755         struct msg_security_struct *msec;
3756         struct avc_audit_data ad;
3757         int rc;
3758
3759         tsec = current->security;
3760         isec = msq->q_perm.security;
3761         msec = msg->security;
3762
3763         /*
3764          * First time through, need to assign label to the message
3765          */
3766         if (msec->sid == SECINITSID_UNLABELED) {
3767                 /*
3768                  * Compute new sid based on current process and
3769                  * message queue this message will be stored in
3770                  */
3771                 rc = security_transition_sid(tsec->sid,
3772                                              isec->sid,
3773                                              SECCLASS_MSG,
3774                                              &msec->sid);
3775                 if (rc)
3776                         return rc;
3777         }
3778
3779         AVC_AUDIT_DATA_INIT(&ad, IPC);
3780         ad.u.ipc_id = msq->q_perm.key;
3781
3782         /* Can this process write to the queue? */
3783         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3784                           MSGQ__WRITE, &ad);
3785         if (!rc)
3786                 /* Can this process send the message */
3787                 rc = avc_has_perm(tsec->sid, msec->sid,
3788                                   SECCLASS_MSG, MSG__SEND, &ad);
3789         if (!rc)
3790                 /* Can the message be put in the queue? */
3791                 rc = avc_has_perm(msec->sid, isec->sid,
3792                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3793
3794         return rc;
3795 }
3796
3797 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3798                                     struct task_struct *target,
3799                                     long type, int mode)
3800 {
3801         struct task_security_struct *tsec;
3802         struct ipc_security_struct *isec;
3803         struct msg_security_struct *msec;
3804         struct avc_audit_data ad;
3805         int rc;
3806
3807         tsec = target->security;
3808         isec = msq->q_perm.security;
3809         msec = msg->security;
3810
3811         AVC_AUDIT_DATA_INIT(&ad, IPC);
3812         ad.u.ipc_id = msq->q_perm.key;
3813
3814         rc = avc_has_perm(tsec->sid, isec->sid,
3815                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3816         if (!rc)
3817                 rc = avc_has_perm(tsec->sid, msec->sid,
3818                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3819         return rc;
3820 }
3821
3822 /* Shared Memory security operations */
3823 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3824 {
3825         struct task_security_struct *tsec;
3826         struct ipc_security_struct *isec;
3827         struct avc_audit_data ad;
3828         int rc;
3829
3830         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3831         if (rc)
3832                 return rc;
3833
3834         tsec = current->security;
3835         isec = shp->shm_perm.security;
3836
3837         AVC_AUDIT_DATA_INIT(&ad, IPC);
3838         ad.u.ipc_id = shp->shm_perm.key;
3839
3840         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3841                           SHM__CREATE, &ad);
3842         if (rc) {
3843                 ipc_free_security(&shp->shm_perm);
3844                 return rc;
3845         }
3846         return 0;
3847 }
3848
3849 static void selinux_shm_free_security(struct shmid_kernel *shp)
3850 {
3851         ipc_free_security(&shp->shm_perm);
3852 }
3853
3854 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3855 {
3856         struct task_security_struct *tsec;
3857         struct ipc_security_struct *isec;
3858         struct avc_audit_data ad;
3859
3860         tsec = current->security;
3861         isec = shp->shm_perm.security;
3862
3863         AVC_AUDIT_DATA_INIT(&ad, IPC);
3864         ad.u.ipc_id = shp->shm_perm.key;
3865
3866         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3867                             SHM__ASSOCIATE, &ad);
3868 }
3869
3870 /* Note, at this point, shp is locked down */
3871 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3872 {
3873         int perms;
3874         int err;
3875
3876         switch(cmd) {
3877         case IPC_INFO:
3878         case SHM_INFO:
3879                 /* No specific object, just general system-wide information. */
3880                 return task_has_system(current, SYSTEM__IPC_INFO);
3881         case IPC_STAT:
3882         case SHM_STAT:
3883                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3884                 break;
3885         case IPC_SET:
3886                 perms = SHM__SETATTR;
3887                 break;
3888         case SHM_LOCK:
3889         case SHM_UNLOCK:
3890                 perms = SHM__LOCK;
3891                 break;
3892         case IPC_RMID:
3893                 perms = SHM__DESTROY;
3894                 break;
3895         default:
3896                 return 0;
3897         }
3898
3899         err = ipc_has_perm(&shp->shm_perm, perms);
3900         return err;
3901 }
3902
3903 static int selinux_shm_shmat(struct shmid_kernel *shp,
3904                              char __user *shmaddr, int shmflg)
3905 {
3906         u32 perms;
3907         int rc;
3908
3909         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3910         if (rc)
3911                 return rc;
3912
3913         if (shmflg & SHM_RDONLY)
3914                 perms = SHM__READ;
3915         else
3916                 perms = SHM__READ | SHM__WRITE;
3917
3918         return ipc_has_perm(&shp->shm_perm, perms);
3919 }
3920
3921 /* Semaphore security operations */
3922 static int selinux_sem_alloc_security(struct sem_array *sma)
3923 {
3924         struct task_security_struct *tsec;
3925         struct ipc_security_struct *isec;
3926         struct avc_audit_data ad;
3927         int rc;
3928
3929         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3930         if (rc)
3931                 return rc;
3932
3933         tsec = current->security;
3934         isec = sma->sem_perm.security;
3935
3936         AVC_AUDIT_DATA_INIT(&ad, IPC);
3937         ad.u.ipc_id = sma->sem_perm.key;
3938
3939         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3940                           SEM__CREATE, &ad);
3941         if (rc) {
3942                 ipc_free_security(&sma->sem_perm);
3943                 return rc;
3944         }
3945         return 0;
3946 }
3947
3948 static void selinux_sem_free_security(struct sem_array *sma)
3949 {
3950         ipc_free_security(&sma->sem_perm);
3951 }
3952
3953 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3954 {
3955         struct task_security_struct *tsec;
3956         struct ipc_security_struct *isec;
3957         struct avc_audit_data ad;
3958
3959         tsec = current->security;
3960         isec = sma->sem_perm.security;
3961
3962         AVC_AUDIT_DATA_INIT(&ad, IPC);
3963         ad.u.ipc_id = sma->sem_perm.key;
3964
3965         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3966                             SEM__ASSOCIATE, &ad);
3967 }
3968
3969 /* Note, at this point, sma is locked down */
3970 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3971 {
3972         int err;
3973         u32 perms;
3974
3975         switch(cmd) {
3976         case IPC_INFO:
3977         case SEM_INFO:
3978                 /* No specific object, just general system-wide information. */
3979                 return task_has_system(current, SYSTEM__IPC_INFO);
3980         case GETPID:
3981         case GETNCNT:
3982         case GETZCNT:
3983                 perms = SEM__GETATTR;
3984                 break;
3985         case GETVAL:
3986         case GETALL:
3987                 perms = SEM__READ;
3988                 break;
3989         case SETVAL:
3990         case SETALL:
3991                 perms = SEM__WRITE;
3992                 break;
3993         case IPC_RMID:
3994                 perms = SEM__DESTROY;
3995                 break;
3996         case IPC_SET:
3997                 perms = SEM__SETATTR;
3998                 break;
3999         case IPC_STAT:
4000         case SEM_STAT:
4001                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4002                 break;
4003         default:
4004                 return 0;
4005         }
4006
4007         err = ipc_has_perm(&sma->sem_perm, perms);
4008         return err;
4009 }
4010
4011 static int selinux_sem_semop(struct sem_array *sma,
4012                              struct sembuf *sops, unsigned nsops, int alter)
4013 {
4014         u32 perms;
4015
4016         if (alter)
4017                 perms = SEM__READ | SEM__WRITE;
4018         else
4019                 perms = SEM__READ;
4020
4021         return ipc_has_perm(&sma->sem_perm, perms);
4022 }
4023
4024 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4025 {
4026         u32 av = 0;
4027
4028         av = 0;
4029         if (flag & S_IRUGO)
4030                 av |= IPC__UNIX_READ;
4031         if (flag & S_IWUGO)
4032                 av |= IPC__UNIX_WRITE;
4033
4034         if (av == 0)
4035                 return 0;
4036
4037         return ipc_has_perm(ipcp, av);
4038 }
4039
4040 /* module stacking operations */
4041 static int selinux_register_security (const char *name, struct security_operations *ops)
4042 {
4043         if (secondary_ops != original_ops) {
4044                 printk(KERN_INFO "%s:  There is already a secondary security "
4045                        "module registered.\n", __FUNCTION__);
4046                 return -EINVAL;
4047         }
4048
4049         secondary_ops = ops;
4050
4051         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4052                __FUNCTION__,
4053                name);
4054
4055         return 0;
4056 }
4057
4058 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4059 {
4060         if (ops != secondary_ops) {
4061                 printk (KERN_INFO "%s:  trying to unregister a security module "
4062                         "that is not registered.\n", __FUNCTION__);
4063                 return -EINVAL;
4064         }
4065
4066         secondary_ops = original_ops;
4067
4068         return 0;
4069 }
4070
4071 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4072 {
4073         if (inode)
4074                 inode_doinit_with_dentry(inode, dentry);
4075 }
4076
4077 static int selinux_getprocattr(struct task_struct *p,
4078                                char *name, void *value, size_t size)
4079 {
4080         struct task_security_struct *tsec;
4081         u32 sid, len;
4082         char *context;
4083         int error;
4084
4085         if (current != p) {
4086                 error = task_has_perm(current, p, PROCESS__GETATTR);
4087                 if (error)
4088                         return error;
4089         }
4090
4091         if (!size)
4092                 return -ERANGE;
4093
4094         tsec = p->security;
4095
4096         if (!strcmp(name, "current"))
4097                 sid = tsec->sid;
4098         else if (!strcmp(name, "prev"))
4099                 sid = tsec->osid;
4100         else if (!strcmp(name, "exec"))
4101                 sid = tsec->exec_sid;
4102         else if (!strcmp(name, "fscreate"))
4103                 sid = tsec->create_sid;
4104         else
4105                 return -EINVAL;
4106
4107         if (!sid)
4108                 return 0;
4109
4110         error = security_sid_to_context(sid, &context, &len);
4111         if (error)
4112                 return error;
4113         if (len > size) {
4114                 kfree(context);
4115                 return -ERANGE;
4116         }
4117         memcpy(value, context, len);
4118         kfree(context);
4119         return len;
4120 }
4121
4122 static int selinux_setprocattr(struct task_struct *p,
4123                                char *name, void *value, size_t size)
4124 {
4125         struct task_security_struct *tsec;
4126         u32 sid = 0;
4127         int error;
4128         char *str = value;
4129
4130         if (current != p) {
4131                 /* SELinux only allows a process to change its own
4132                    security attributes. */
4133                 return -EACCES;
4134         }
4135
4136         /*
4137          * Basic control over ability to set these attributes at all.
4138          * current == p, but we'll pass them separately in case the
4139          * above restriction is ever removed.
4140          */
4141         if (!strcmp(name, "exec"))
4142                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4143         else if (!strcmp(name, "fscreate"))
4144                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4145         else if (!strcmp(name, "current"))
4146                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4147         else
4148                 error = -EINVAL;
4149         if (error)
4150                 return error;
4151
4152         /* Obtain a SID for the context, if one was specified. */
4153         if (size && str[1] && str[1] != '\n') {
4154                 if (str[size-1] == '\n') {
4155                         str[size-1] = 0;
4156                         size--;
4157                 }
4158                 error = security_context_to_sid(value, size, &sid);
4159                 if (error)
4160                         return error;
4161         }
4162
4163         /* Permission checking based on the specified context is
4164            performed during the actual operation (execve,
4165            open/mkdir/...), when we know the full context of the
4166            operation.  See selinux_bprm_set_security for the execve
4167            checks and may_create for the file creation checks. The
4168            operation will then fail if the context is not permitted. */
4169         tsec = p->security;
4170         if (!strcmp(name, "exec"))
4171                 tsec->exec_sid = sid;
4172         else if (!strcmp(name, "fscreate"))
4173                 tsec->create_sid = sid;
4174         else if (!strcmp(name, "current")) {
4175                 struct av_decision avd;
4176
4177                 if (sid == 0)
4178                         return -EINVAL;
4179
4180                 /* Only allow single threaded processes to change context */
4181                 if (atomic_read(&p->mm->mm_users) != 1) {
4182                         struct task_struct *g, *t;
4183                         struct mm_struct *mm = p->mm;
4184                         read_lock(&tasklist_lock);
4185                         do_each_thread(g, t)
4186                                 if (t->mm == mm && t != p) {
4187                                         read_unlock(&tasklist_lock);
4188                                         return -EPERM;
4189                                 }
4190                         while_each_thread(g, t);
4191                         read_unlock(&tasklist_lock);
4192                 }
4193
4194                 /* Check permissions for the transition. */
4195                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4196                                      PROCESS__DYNTRANSITION, NULL);
4197                 if (error)
4198                         return error;
4199
4200                 /* Check for ptracing, and update the task SID if ok.
4201                    Otherwise, leave SID unchanged and fail. */
4202                 task_lock(p);
4203                 if (p->ptrace & PT_PTRACED) {
4204                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4205                                                      SECCLASS_PROCESS,
4206                                                      PROCESS__PTRACE, &avd);
4207                         if (!error)
4208                                 tsec->sid = sid;
4209                         task_unlock(p);
4210                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4211                                   PROCESS__PTRACE, &avd, error, NULL);
4212                         if (error)
4213                                 return error;
4214                 } else {
4215                         tsec->sid = sid;
4216                         task_unlock(p);
4217                 }
4218         }
4219         else
4220                 return -EINVAL;
4221
4222         return size;
4223 }
4224
4225 static struct security_operations selinux_ops = {
4226         .ptrace =                       selinux_ptrace,
4227         .capget =                       selinux_capget,
4228         .capset_check =                 selinux_capset_check,
4229         .capset_set =                   selinux_capset_set,
4230         .sysctl =                       selinux_sysctl,
4231         .capable =                      selinux_capable,
4232         .quotactl =                     selinux_quotactl,
4233         .quota_on =                     selinux_quota_on,
4234         .syslog =                       selinux_syslog,
4235         .vm_enough_memory =             selinux_vm_enough_memory,
4236
4237         .netlink_send =                 selinux_netlink_send,
4238         .netlink_recv =                 selinux_netlink_recv,
4239
4240         .bprm_alloc_security =          selinux_bprm_alloc_security,
4241         .bprm_free_security =           selinux_bprm_free_security,
4242         .bprm_apply_creds =             selinux_bprm_apply_creds,
4243         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4244         .bprm_set_security =            selinux_bprm_set_security,
4245         .bprm_check_security =          selinux_bprm_check_security,
4246         .bprm_secureexec =              selinux_bprm_secureexec,
4247
4248         .sb_alloc_security =            selinux_sb_alloc_security,
4249         .sb_free_security =             selinux_sb_free_security,
4250         .sb_copy_data =                 selinux_sb_copy_data,
4251         .sb_kern_mount =                selinux_sb_kern_mount,
4252         .sb_statfs =                    selinux_sb_statfs,
4253         .sb_mount =                     selinux_mount,
4254         .sb_umount =                    selinux_umount,
4255
4256         .inode_alloc_security =         selinux_inode_alloc_security,
4257         .inode_free_security =          selinux_inode_free_security,
4258         .inode_init_security =          selinux_inode_init_security,
4259         .inode_create =                 selinux_inode_create,
4260         .inode_link =                   selinux_inode_link,
4261         .inode_unlink =                 selinux_inode_unlink,
4262         .inode_symlink =                selinux_inode_symlink,
4263         .inode_mkdir =                  selinux_inode_mkdir,
4264         .inode_rmdir =                  selinux_inode_rmdir,
4265         .inode_mknod =                  selinux_inode_mknod,
4266         .inode_rename =                 selinux_inode_rename,
4267         .inode_readlink =               selinux_inode_readlink,
4268         .inode_follow_link =            selinux_inode_follow_link,
4269         .inode_permission =             selinux_inode_permission,
4270         .inode_setattr =                selinux_inode_setattr,
4271         .inode_getattr =                selinux_inode_getattr,
4272         .inode_setxattr =               selinux_inode_setxattr,
4273         .inode_post_setxattr =          selinux_inode_post_setxattr,
4274         .inode_getxattr =               selinux_inode_getxattr,
4275         .inode_listxattr =              selinux_inode_listxattr,
4276         .inode_removexattr =            selinux_inode_removexattr,
4277         .inode_getsecurity =            selinux_inode_getsecurity,
4278         .inode_setsecurity =            selinux_inode_setsecurity,
4279         .inode_listsecurity =           selinux_inode_listsecurity,
4280
4281         .file_permission =              selinux_file_permission,
4282         .file_alloc_security =          selinux_file_alloc_security,
4283         .file_free_security =           selinux_file_free_security,
4284         .file_ioctl =                   selinux_file_ioctl,
4285         .file_mmap =                    selinux_file_mmap,
4286         .file_mprotect =                selinux_file_mprotect,
4287         .file_lock =                    selinux_file_lock,
4288         .file_fcntl =                   selinux_file_fcntl,
4289         .file_set_fowner =              selinux_file_set_fowner,
4290         .file_send_sigiotask =          selinux_file_send_sigiotask,
4291         .file_receive =                 selinux_file_receive,
4292
4293         .task_create =                  selinux_task_create,
4294         .task_alloc_security =          selinux_task_alloc_security,
4295         .task_free_security =           selinux_task_free_security,
4296         .task_setuid =                  selinux_task_setuid,
4297         .task_post_setuid =             selinux_task_post_setuid,
4298         .task_setgid =                  selinux_task_setgid,
4299         .task_setpgid =                 selinux_task_setpgid,
4300         .task_getpgid =                 selinux_task_getpgid,
4301         .task_getsid =                  selinux_task_getsid,
4302         .task_setgroups =               selinux_task_setgroups,
4303         .task_setnice =                 selinux_task_setnice,
4304         .task_setrlimit =               selinux_task_setrlimit,
4305         .task_setscheduler =            selinux_task_setscheduler,
4306         .task_getscheduler =            selinux_task_getscheduler,
4307         .task_kill =                    selinux_task_kill,
4308         .task_wait =                    selinux_task_wait,
4309         .task_prctl =                   selinux_task_prctl,
4310         .task_reparent_to_init =        selinux_task_reparent_to_init,
4311         .task_to_inode =                selinux_task_to_inode,
4312
4313         .ipc_permission =               selinux_ipc_permission,
4314
4315         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4316         .msg_msg_free_security =        selinux_msg_msg_free_security,
4317
4318         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4319         .msg_queue_free_security =      selinux_msg_queue_free_security,
4320         .msg_queue_associate =          selinux_msg_queue_associate,
4321         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4322         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4323         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4324
4325         .shm_alloc_security =           selinux_shm_alloc_security,
4326         .shm_free_security =            selinux_shm_free_security,
4327         .shm_associate =                selinux_shm_associate,
4328         .shm_shmctl =                   selinux_shm_shmctl,
4329         .shm_shmat =                    selinux_shm_shmat,
4330
4331         .sem_alloc_security =           selinux_sem_alloc_security,
4332         .sem_free_security =            selinux_sem_free_security,
4333         .sem_associate =                selinux_sem_associate,
4334         .sem_semctl =                   selinux_sem_semctl,
4335         .sem_semop =                    selinux_sem_semop,
4336
4337         .register_security =            selinux_register_security,
4338         .unregister_security =          selinux_unregister_security,
4339
4340         .d_instantiate =                selinux_d_instantiate,
4341
4342         .getprocattr =                  selinux_getprocattr,
4343         .setprocattr =                  selinux_setprocattr,
4344
4345 #ifdef CONFIG_SECURITY_NETWORK
4346         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4347         .unix_may_send =                selinux_socket_unix_may_send,
4348
4349         .socket_create =                selinux_socket_create,
4350         .socket_post_create =           selinux_socket_post_create,
4351         .socket_bind =                  selinux_socket_bind,
4352         .socket_connect =               selinux_socket_connect,
4353         .socket_listen =                selinux_socket_listen,
4354         .socket_accept =                selinux_socket_accept,
4355         .socket_sendmsg =               selinux_socket_sendmsg,
4356         .socket_recvmsg =               selinux_socket_recvmsg,
4357         .socket_getsockname =           selinux_socket_getsockname,
4358         .socket_getpeername =           selinux_socket_getpeername,
4359         .socket_getsockopt =            selinux_socket_getsockopt,
4360         .socket_setsockopt =            selinux_socket_setsockopt,
4361         .socket_shutdown =              selinux_socket_shutdown,
4362         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4363         .socket_getpeersec =            selinux_socket_getpeersec,
4364         .sk_alloc_security =            selinux_sk_alloc_security,
4365         .sk_free_security =             selinux_sk_free_security,
4366 #endif
4367 };
4368
4369 static __init int selinux_init(void)
4370 {
4371         struct task_security_struct *tsec;
4372
4373         if (!selinux_enabled) {
4374                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4375                 return 0;
4376         }
4377
4378         printk(KERN_INFO "SELinux:  Initializing.\n");
4379
4380         /* Set the security state for the initial task. */
4381         if (task_alloc_security(current))
4382                 panic("SELinux:  Failed to initialize initial task.\n");
4383         tsec = current->security;
4384         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4385
4386         avc_init();
4387
4388         original_ops = secondary_ops = security_ops;
4389         if (!secondary_ops)
4390                 panic ("SELinux: No initial security operations\n");
4391         if (register_security (&selinux_ops))
4392                 panic("SELinux: Unable to register with kernel.\n");
4393
4394         if (selinux_enforcing) {
4395                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4396         } else {
4397                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4398         }
4399         return 0;
4400 }
4401
4402 void selinux_complete_init(void)
4403 {
4404         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4405
4406         /* Set up any superblocks initialized prior to the policy load. */
4407         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4408         spin_lock(&sb_security_lock);
4409 next_sb:
4410         if (!list_empty(&superblock_security_head)) {
4411                 struct superblock_security_struct *sbsec =
4412                                 list_entry(superblock_security_head.next,
4413                                            struct superblock_security_struct,
4414                                            list);
4415                 struct super_block *sb = sbsec->sb;
4416                 spin_lock(&sb_lock);
4417                 sb->s_count++;
4418                 spin_unlock(&sb_lock);
4419                 spin_unlock(&sb_security_lock);
4420                 down_read(&sb->s_umount);
4421                 if (sb->s_root)
4422                         superblock_doinit(sb, NULL);
4423                 drop_super(sb);
4424                 spin_lock(&sb_security_lock);
4425                 list_del_init(&sbsec->list);
4426                 goto next_sb;
4427         }
4428         spin_unlock(&sb_security_lock);
4429 }
4430
4431 /* SELinux requires early initialization in order to label
4432    all processes and objects when they are created. */
4433 security_initcall(selinux_init);
4434
4435 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4436
4437 static struct nf_hook_ops selinux_ipv4_op = {
4438         .hook =         selinux_ipv4_postroute_last,
4439         .owner =        THIS_MODULE,
4440         .pf =           PF_INET,
4441         .hooknum =      NF_IP_POST_ROUTING,
4442         .priority =     NF_IP_PRI_SELINUX_LAST,
4443 };
4444
4445 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4446
4447 static struct nf_hook_ops selinux_ipv6_op = {
4448         .hook =         selinux_ipv6_postroute_last,
4449         .owner =        THIS_MODULE,
4450         .pf =           PF_INET6,
4451         .hooknum =      NF_IP6_POST_ROUTING,
4452         .priority =     NF_IP6_PRI_SELINUX_LAST,
4453 };
4454
4455 #endif  /* IPV6 */
4456
4457 static int __init selinux_nf_ip_init(void)
4458 {
4459         int err = 0;
4460
4461         if (!selinux_enabled)
4462                 goto out;
4463                 
4464         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4465         
4466         err = nf_register_hook(&selinux_ipv4_op);
4467         if (err)
4468                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4469
4470 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4471
4472         err = nf_register_hook(&selinux_ipv6_op);
4473         if (err)
4474                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4475
4476 #endif  /* IPV6 */
4477 out:
4478         return err;
4479 }
4480
4481 __initcall(selinux_nf_ip_init);
4482
4483 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4484 static void selinux_nf_ip_exit(void)
4485 {
4486         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4487
4488         nf_unregister_hook(&selinux_ipv4_op);
4489 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4490         nf_unregister_hook(&selinux_ipv6_op);
4491 #endif  /* IPV6 */
4492 }
4493 #endif
4494
4495 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4496
4497 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4498 #define selinux_nf_ip_exit()
4499 #endif
4500
4501 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4502
4503 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4504 int selinux_disable(void)
4505 {
4506         extern void exit_sel_fs(void);
4507         static int selinux_disabled = 0;
4508
4509         if (ss_initialized) {
4510                 /* Not permitted after initial policy load. */
4511                 return -EINVAL;
4512         }
4513
4514         if (selinux_disabled) {
4515                 /* Only do this once. */
4516                 return -EINVAL;
4517         }
4518
4519         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4520
4521         selinux_disabled = 1;
4522
4523         /* Reset security_ops to the secondary module, dummy or capability. */
4524         security_ops = secondary_ops;
4525
4526         /* Unregister netfilter hooks. */
4527         selinux_nf_ip_exit();
4528
4529         /* Unregister selinuxfs. */
4530         exit_sel_fs();
4531
4532         return 0;
4533 }
4534 #endif
4535
4536