selinux: handle files opened with flags 3 by checking ioctl permission
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141  *
142  * Description:
143  * This function checks the SECMARK reference counter to see if any SECMARK
144  * targets are currently configured, if the reference counter is greater than
145  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
146  * enabled, false (0) if SECMARK is disabled.
147  *
148  */
149 static int selinux_secmark_enabled(void)
150 {
151         return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->file = file;
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_init(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 3,
323         Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369         struct superblock_security_struct *sbsec = sb->s_security;
370         struct dentry *root = sb->s_root;
371         struct inode *root_inode = root->d_inode;
372         int rc = 0;
373
374         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375                 /* Make sure that the xattr handler exists and that no
376                    error other than -ENODATA is returned by getxattr on
377                    the root directory.  -ENODATA is ok, as this may be
378                    the first boot of the SELinux kernel before we have
379                    assigned xattr values to the filesystem. */
380                 if (!root_inode->i_op->getxattr) {
381                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382                                "xattr support\n", sb->s_id, sb->s_type->name);
383                         rc = -EOPNOTSUPP;
384                         goto out;
385                 }
386                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387                 if (rc < 0 && rc != -ENODATA) {
388                         if (rc == -EOPNOTSUPP)
389                                 printk(KERN_WARNING "SELinux: (dev %s, type "
390                                        "%s) has no security xattr handler\n",
391                                        sb->s_id, sb->s_type->name);
392                         else
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) getxattr errno %d\n", sb->s_id,
395                                        sb->s_type->name, -rc);
396                         goto out;
397                 }
398         }
399
400         sbsec->initialized = 1;
401
402         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404                        sb->s_id, sb->s_type->name);
405         else
406                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407                        sb->s_id, sb->s_type->name,
408                        labeling_behaviors[sbsec->behavior-1]);
409
410         /* Initialize the root inode. */
411         rc = inode_doinit_with_dentry(root_inode, root);
412
413         /* Initialize any other inodes associated with the superblock, e.g.
414            inodes created prior to initial policy load or inodes created
415            during get_sb by a pseudo filesystem that directly
416            populates itself. */
417         spin_lock(&sbsec->isec_lock);
418 next_inode:
419         if (!list_empty(&sbsec->isec_head)) {
420                 struct inode_security_struct *isec =
421                                 list_entry(sbsec->isec_head.next,
422                                            struct inode_security_struct, list);
423                 struct inode *inode = isec->inode;
424                 spin_unlock(&sbsec->isec_lock);
425                 inode = igrab(inode);
426                 if (inode) {
427                         if (!IS_PRIVATE(inode))
428                                 inode_doinit(inode);
429                         iput(inode);
430                 }
431                 spin_lock(&sbsec->isec_lock);
432                 list_del_init(&isec->list);
433                 goto next_inode;
434         }
435         spin_unlock(&sbsec->isec_lock);
436 out:
437         return rc;
438 }
439
440 /*
441  * This function should allow an FS to ask what it's mount security
442  * options were so it can use those later for submounts, displaying
443  * mount options, or whatever.
444  */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446                                 struct security_mnt_opts *opts)
447 {
448         int rc = 0, i;
449         struct superblock_security_struct *sbsec = sb->s_security;
450         char *context = NULL;
451         u32 len;
452         char tmp;
453
454         security_init_mnt_opts(opts);
455
456         if (!sbsec->initialized)
457                 return -EINVAL;
458
459         if (!ss_initialized)
460                 return -EINVAL;
461
462         /*
463          * if we ever use sbsec flags for anything other than tracking mount
464          * settings this is going to need a mask
465          */
466         tmp = sbsec->flags;
467         /* count the number of mount options for this sb */
468         for (i = 0; i < 8; i++) {
469                 if (tmp & 0x01)
470                         opts->num_mnt_opts++;
471                 tmp >>= 1;
472         }
473
474         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475         if (!opts->mnt_opts) {
476                 rc = -ENOMEM;
477                 goto out_free;
478         }
479
480         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481         if (!opts->mnt_opts_flags) {
482                 rc = -ENOMEM;
483                 goto out_free;
484         }
485
486         i = 0;
487         if (sbsec->flags & FSCONTEXT_MNT) {
488                 rc = security_sid_to_context(sbsec->sid, &context, &len);
489                 if (rc)
490                         goto out_free;
491                 opts->mnt_opts[i] = context;
492                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
493         }
494         if (sbsec->flags & CONTEXT_MNT) {
495                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496                 if (rc)
497                         goto out_free;
498                 opts->mnt_opts[i] = context;
499                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
500         }
501         if (sbsec->flags & DEFCONTEXT_MNT) {
502                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503                 if (rc)
504                         goto out_free;
505                 opts->mnt_opts[i] = context;
506                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
507         }
508         if (sbsec->flags & ROOTCONTEXT_MNT) {
509                 struct inode *root = sbsec->sb->s_root->d_inode;
510                 struct inode_security_struct *isec = root->i_security;
511
512                 rc = security_sid_to_context(isec->sid, &context, &len);
513                 if (rc)
514                         goto out_free;
515                 opts->mnt_opts[i] = context;
516                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517         }
518
519         BUG_ON(i != opts->num_mnt_opts);
520
521         return 0;
522
523 out_free:
524         security_free_mnt_opts(opts);
525         return rc;
526 }
527
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529                       u32 old_sid, u32 new_sid)
530 {
531         /* check if the old mount command had the same options */
532         if (sbsec->initialized)
533                 if (!(sbsec->flags & flag) ||
534                     (old_sid != new_sid))
535                         return 1;
536
537         /* check if we were passed the same options twice,
538          * aka someone passed context=a,context=b
539          */
540         if (!sbsec->initialized)
541                 if (sbsec->flags & flag)
542                         return 1;
543         return 0;
544 }
545
546 /*
547  * Allow filesystems with binary mount data to explicitly set mount point
548  * labeling information.
549  */
550 static int selinux_set_mnt_opts(struct super_block *sb,
551                                 struct security_mnt_opts *opts)
552 {
553         int rc = 0, i;
554         struct task_security_struct *tsec = current->security;
555         struct superblock_security_struct *sbsec = sb->s_security;
556         const char *name = sb->s_type->name;
557         struct inode *inode = sbsec->sb->s_root->d_inode;
558         struct inode_security_struct *root_isec = inode->i_security;
559         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560         u32 defcontext_sid = 0;
561         char **mount_options = opts->mnt_opts;
562         int *flags = opts->mnt_opts_flags;
563         int num_opts = opts->num_mnt_opts;
564
565         mutex_lock(&sbsec->lock);
566
567         if (!ss_initialized) {
568                 if (!num_opts) {
569                         /* Defer initialization until selinux_complete_init,
570                            after the initial policy is loaded and the security
571                            server is ready to handle calls. */
572                         spin_lock(&sb_security_lock);
573                         if (list_empty(&sbsec->list))
574                                 list_add(&sbsec->list, &superblock_security_head);
575                         spin_unlock(&sb_security_lock);
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "Unable to set superblock options before "
580                        "the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->initialized) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if (sbsec->flags && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->proc = 1;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __FUNCTION__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680
681                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682                 if (rc)
683                         goto out;
684
685                 sbsec->sid = fscontext_sid;
686         }
687
688         /*
689          * Switch to using mount point labeling behavior.
690          * sets the label used on all file below the mountpoint, and will set
691          * the superblock context if not already set.
692          */
693         if (context_sid) {
694                 if (!fscontext_sid) {
695                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701                         if (rc)
702                                 goto out;
703                 }
704                 if (!rootcontext_sid)
705                         rootcontext_sid = context_sid;
706
707                 sbsec->mntpoint_sid = context_sid;
708                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709         }
710
711         if (rootcontext_sid) {
712                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713                 if (rc)
714                         goto out;
715
716                 root_isec->sid = rootcontext_sid;
717                 root_isec->initialized = 1;
718         }
719
720         if (defcontext_sid) {
721                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722                         rc = -EINVAL;
723                         printk(KERN_WARNING "SELinux: defcontext option is "
724                                "invalid for this filesystem type\n");
725                         goto out;
726                 }
727
728                 if (defcontext_sid != sbsec->def_sid) {
729                         rc = may_context_mount_inode_relabel(defcontext_sid,
730                                                              sbsec, tsec);
731                         if (rc)
732                                 goto out;
733                 }
734
735                 sbsec->def_sid = defcontext_sid;
736         }
737
738         rc = sb_finish_set_opts(sb);
739 out:
740         mutex_unlock(&sbsec->lock);
741         return rc;
742 out_double_mount:
743         rc = -EINVAL;
744         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
745                "security settings for (dev %s, type %s)\n", sb->s_id, name);
746         goto out;
747 }
748
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750                                         struct super_block *newsb)
751 {
752         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753         struct superblock_security_struct *newsbsec = newsb->s_security;
754
755         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
756         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
757         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
758
759         /* we can't error, we can't save the info, this shouldn't get called
760          * this early in the boot process. */
761         BUG_ON(!ss_initialized);
762
763         /* this might go away sometime down the line if there is a new user
764          * of clone, but for now, nfs better not get here... */
765         BUG_ON(newsbsec->initialized);
766
767         /* how can we clone if the old one wasn't set up?? */
768         BUG_ON(!oldsbsec->initialized);
769
770         mutex_lock(&newsbsec->lock);
771
772         newsbsec->flags = oldsbsec->flags;
773
774         newsbsec->sid = oldsbsec->sid;
775         newsbsec->def_sid = oldsbsec->def_sid;
776         newsbsec->behavior = oldsbsec->behavior;
777
778         if (set_context) {
779                 u32 sid = oldsbsec->mntpoint_sid;
780
781                 if (!set_fscontext)
782                         newsbsec->sid = sid;
783                 if (!set_rootcontext) {
784                         struct inode *newinode = newsb->s_root->d_inode;
785                         struct inode_security_struct *newisec = newinode->i_security;
786                         newisec->sid = sid;
787                 }
788                 newsbsec->mntpoint_sid = sid;
789         }
790         if (set_rootcontext) {
791                 const struct inode *oldinode = oldsb->s_root->d_inode;
792                 const struct inode_security_struct *oldisec = oldinode->i_security;
793                 struct inode *newinode = newsb->s_root->d_inode;
794                 struct inode_security_struct *newisec = newinode->i_security;
795
796                 newisec->sid = oldisec->sid;
797         }
798
799         sb_finish_set_opts(newsb);
800         mutex_unlock(&newsbsec->lock);
801 }
802
803 static int selinux_parse_opts_str(char *options,
804                                   struct security_mnt_opts *opts)
805 {
806         char *p;
807         char *context = NULL, *defcontext = NULL;
808         char *fscontext = NULL, *rootcontext = NULL;
809         int rc, num_mnt_opts = 0;
810
811         opts->num_mnt_opts = 0;
812
813         /* Standard string-based options. */
814         while ((p = strsep(&options, "|")) != NULL) {
815                 int token;
816                 substring_t args[MAX_OPT_ARGS];
817
818                 if (!*p)
819                         continue;
820
821                 token = match_token(p, tokens, args);
822
823                 switch (token) {
824                 case Opt_context:
825                         if (context || defcontext) {
826                                 rc = -EINVAL;
827                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828                                 goto out_err;
829                         }
830                         context = match_strdup(&args[0]);
831                         if (!context) {
832                                 rc = -ENOMEM;
833                                 goto out_err;
834                         }
835                         break;
836
837                 case Opt_fscontext:
838                         if (fscontext) {
839                                 rc = -EINVAL;
840                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841                                 goto out_err;
842                         }
843                         fscontext = match_strdup(&args[0]);
844                         if (!fscontext) {
845                                 rc = -ENOMEM;
846                                 goto out_err;
847                         }
848                         break;
849
850                 case Opt_rootcontext:
851                         if (rootcontext) {
852                                 rc = -EINVAL;
853                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854                                 goto out_err;
855                         }
856                         rootcontext = match_strdup(&args[0]);
857                         if (!rootcontext) {
858                                 rc = -ENOMEM;
859                                 goto out_err;
860                         }
861                         break;
862
863                 case Opt_defcontext:
864                         if (context || defcontext) {
865                                 rc = -EINVAL;
866                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867                                 goto out_err;
868                         }
869                         defcontext = match_strdup(&args[0]);
870                         if (!defcontext) {
871                                 rc = -ENOMEM;
872                                 goto out_err;
873                         }
874                         break;
875
876                 default:
877                         rc = -EINVAL;
878                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
879                         goto out_err;
880
881                 }
882         }
883
884         rc = -ENOMEM;
885         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886         if (!opts->mnt_opts)
887                 goto out_err;
888
889         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890         if (!opts->mnt_opts_flags) {
891                 kfree(opts->mnt_opts);
892                 goto out_err;
893         }
894
895         if (fscontext) {
896                 opts->mnt_opts[num_mnt_opts] = fscontext;
897                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
898         }
899         if (context) {
900                 opts->mnt_opts[num_mnt_opts] = context;
901                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
902         }
903         if (rootcontext) {
904                 opts->mnt_opts[num_mnt_opts] = rootcontext;
905                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
906         }
907         if (defcontext) {
908                 opts->mnt_opts[num_mnt_opts] = defcontext;
909                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
910         }
911
912         opts->num_mnt_opts = num_mnt_opts;
913         return 0;
914
915 out_err:
916         kfree(context);
917         kfree(defcontext);
918         kfree(fscontext);
919         kfree(rootcontext);
920         return rc;
921 }
922 /*
923  * string mount options parsing and call set the sbsec
924  */
925 static int superblock_doinit(struct super_block *sb, void *data)
926 {
927         int rc = 0;
928         char *options = data;
929         struct security_mnt_opts opts;
930
931         security_init_mnt_opts(&opts);
932
933         if (!data)
934                 goto out;
935
936         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
937
938         rc = selinux_parse_opts_str(options, &opts);
939         if (rc)
940                 goto out_err;
941
942 out:
943         rc = selinux_set_mnt_opts(sb, &opts);
944
945 out_err:
946         security_free_mnt_opts(&opts);
947         return rc;
948 }
949
950 static inline u16 inode_mode_to_security_class(umode_t mode)
951 {
952         switch (mode & S_IFMT) {
953         case S_IFSOCK:
954                 return SECCLASS_SOCK_FILE;
955         case S_IFLNK:
956                 return SECCLASS_LNK_FILE;
957         case S_IFREG:
958                 return SECCLASS_FILE;
959         case S_IFBLK:
960                 return SECCLASS_BLK_FILE;
961         case S_IFDIR:
962                 return SECCLASS_DIR;
963         case S_IFCHR:
964                 return SECCLASS_CHR_FILE;
965         case S_IFIFO:
966                 return SECCLASS_FIFO_FILE;
967
968         }
969
970         return SECCLASS_FILE;
971 }
972
973 static inline int default_protocol_stream(int protocol)
974 {
975         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976 }
977
978 static inline int default_protocol_dgram(int protocol)
979 {
980         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981 }
982
983 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
984 {
985         switch (family) {
986         case PF_UNIX:
987                 switch (type) {
988                 case SOCK_STREAM:
989                 case SOCK_SEQPACKET:
990                         return SECCLASS_UNIX_STREAM_SOCKET;
991                 case SOCK_DGRAM:
992                         return SECCLASS_UNIX_DGRAM_SOCKET;
993                 }
994                 break;
995         case PF_INET:
996         case PF_INET6:
997                 switch (type) {
998                 case SOCK_STREAM:
999                         if (default_protocol_stream(protocol))
1000                                 return SECCLASS_TCP_SOCKET;
1001                         else
1002                                 return SECCLASS_RAWIP_SOCKET;
1003                 case SOCK_DGRAM:
1004                         if (default_protocol_dgram(protocol))
1005                                 return SECCLASS_UDP_SOCKET;
1006                         else
1007                                 return SECCLASS_RAWIP_SOCKET;
1008                 case SOCK_DCCP:
1009                         return SECCLASS_DCCP_SOCKET;
1010                 default:
1011                         return SECCLASS_RAWIP_SOCKET;
1012                 }
1013                 break;
1014         case PF_NETLINK:
1015                 switch (protocol) {
1016                 case NETLINK_ROUTE:
1017                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1018                 case NETLINK_FIREWALL:
1019                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1020                 case NETLINK_INET_DIAG:
1021                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1022                 case NETLINK_NFLOG:
1023                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1024                 case NETLINK_XFRM:
1025                         return SECCLASS_NETLINK_XFRM_SOCKET;
1026                 case NETLINK_SELINUX:
1027                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1028                 case NETLINK_AUDIT:
1029                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1030                 case NETLINK_IP6_FW:
1031                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1032                 case NETLINK_DNRTMSG:
1033                         return SECCLASS_NETLINK_DNRT_SOCKET;
1034                 case NETLINK_KOBJECT_UEVENT:
1035                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1036                 default:
1037                         return SECCLASS_NETLINK_SOCKET;
1038                 }
1039         case PF_PACKET:
1040                 return SECCLASS_PACKET_SOCKET;
1041         case PF_KEY:
1042                 return SECCLASS_KEY_SOCKET;
1043         case PF_APPLETALK:
1044                 return SECCLASS_APPLETALK_SOCKET;
1045         }
1046
1047         return SECCLASS_SOCKET;
1048 }
1049
1050 #ifdef CONFIG_PROC_FS
1051 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1052                                 u16 tclass,
1053                                 u32 *sid)
1054 {
1055         int buflen, rc;
1056         char *buffer, *path, *end;
1057
1058         buffer = (char*)__get_free_page(GFP_KERNEL);
1059         if (!buffer)
1060                 return -ENOMEM;
1061
1062         buflen = PAGE_SIZE;
1063         end = buffer+buflen;
1064         *--end = '\0';
1065         buflen--;
1066         path = end-1;
1067         *path = '/';
1068         while (de && de != de->parent) {
1069                 buflen -= de->namelen + 1;
1070                 if (buflen < 0)
1071                         break;
1072                 end -= de->namelen;
1073                 memcpy(end, de->name, de->namelen);
1074                 *--end = '/';
1075                 path = end;
1076                 de = de->parent;
1077         }
1078         rc = security_genfs_sid("proc", path, tclass, sid);
1079         free_page((unsigned long)buffer);
1080         return rc;
1081 }
1082 #else
1083 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1084                                 u16 tclass,
1085                                 u32 *sid)
1086 {
1087         return -EINVAL;
1088 }
1089 #endif
1090
1091 /* The inode's security attributes must be initialized before first use. */
1092 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1093 {
1094         struct superblock_security_struct *sbsec = NULL;
1095         struct inode_security_struct *isec = inode->i_security;
1096         u32 sid;
1097         struct dentry *dentry;
1098 #define INITCONTEXTLEN 255
1099         char *context = NULL;
1100         unsigned len = 0;
1101         int rc = 0;
1102
1103         if (isec->initialized)
1104                 goto out;
1105
1106         mutex_lock(&isec->lock);
1107         if (isec->initialized)
1108                 goto out_unlock;
1109
1110         sbsec = inode->i_sb->s_security;
1111         if (!sbsec->initialized) {
1112                 /* Defer initialization until selinux_complete_init,
1113                    after the initial policy is loaded and the security
1114                    server is ready to handle calls. */
1115                 spin_lock(&sbsec->isec_lock);
1116                 if (list_empty(&isec->list))
1117                         list_add(&isec->list, &sbsec->isec_head);
1118                 spin_unlock(&sbsec->isec_lock);
1119                 goto out_unlock;
1120         }
1121
1122         switch (sbsec->behavior) {
1123         case SECURITY_FS_USE_XATTR:
1124                 if (!inode->i_op->getxattr) {
1125                         isec->sid = sbsec->def_sid;
1126                         break;
1127                 }
1128
1129                 /* Need a dentry, since the xattr API requires one.
1130                    Life would be simpler if we could just pass the inode. */
1131                 if (opt_dentry) {
1132                         /* Called from d_instantiate or d_splice_alias. */
1133                         dentry = dget(opt_dentry);
1134                 } else {
1135                         /* Called from selinux_complete_init, try to find a dentry. */
1136                         dentry = d_find_alias(inode);
1137                 }
1138                 if (!dentry) {
1139                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1140                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1141                                inode->i_ino);
1142                         goto out_unlock;
1143                 }
1144
1145                 len = INITCONTEXTLEN;
1146                 context = kmalloc(len, GFP_KERNEL);
1147                 if (!context) {
1148                         rc = -ENOMEM;
1149                         dput(dentry);
1150                         goto out_unlock;
1151                 }
1152                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1153                                            context, len);
1154                 if (rc == -ERANGE) {
1155                         /* Need a larger buffer.  Query for the right size. */
1156                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1157                                                    NULL, 0);
1158                         if (rc < 0) {
1159                                 dput(dentry);
1160                                 goto out_unlock;
1161                         }
1162                         kfree(context);
1163                         len = rc;
1164                         context = kmalloc(len, GFP_KERNEL);
1165                         if (!context) {
1166                                 rc = -ENOMEM;
1167                                 dput(dentry);
1168                                 goto out_unlock;
1169                         }
1170                         rc = inode->i_op->getxattr(dentry,
1171                                                    XATTR_NAME_SELINUX,
1172                                                    context, len);
1173                 }
1174                 dput(dentry);
1175                 if (rc < 0) {
1176                         if (rc != -ENODATA) {
1177                                 printk(KERN_WARNING "%s:  getxattr returned "
1178                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179                                        -rc, inode->i_sb->s_id, inode->i_ino);
1180                                 kfree(context);
1181                                 goto out_unlock;
1182                         }
1183                         /* Map ENODATA to the default file SID */
1184                         sid = sbsec->def_sid;
1185                         rc = 0;
1186                 } else {
1187                         rc = security_context_to_sid_default(context, rc, &sid,
1188                                                              sbsec->def_sid);
1189                         if (rc) {
1190                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1191                                        "returned %d for dev=%s ino=%ld\n",
1192                                        __FUNCTION__, context, -rc,
1193                                        inode->i_sb->s_id, inode->i_ino);
1194                                 kfree(context);
1195                                 /* Leave with the unlabeled SID */
1196                                 rc = 0;
1197                                 break;
1198                         }
1199                 }
1200                 kfree(context);
1201                 isec->sid = sid;
1202                 break;
1203         case SECURITY_FS_USE_TASK:
1204                 isec->sid = isec->task_sid;
1205                 break;
1206         case SECURITY_FS_USE_TRANS:
1207                 /* Default to the fs SID. */
1208                 isec->sid = sbsec->sid;
1209
1210                 /* Try to obtain a transition SID. */
1211                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212                 rc = security_transition_sid(isec->task_sid,
1213                                              sbsec->sid,
1214                                              isec->sclass,
1215                                              &sid);
1216                 if (rc)
1217                         goto out_unlock;
1218                 isec->sid = sid;
1219                 break;
1220         case SECURITY_FS_USE_MNTPOINT:
1221                 isec->sid = sbsec->mntpoint_sid;
1222                 break;
1223         default:
1224                 /* Default to the fs superblock SID. */
1225                 isec->sid = sbsec->sid;
1226
1227                 if (sbsec->proc) {
1228                         struct proc_inode *proci = PROC_I(inode);
1229                         if (proci->pde) {
1230                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231                                 rc = selinux_proc_get_sid(proci->pde,
1232                                                           isec->sclass,
1233                                                           &sid);
1234                                 if (rc)
1235                                         goto out_unlock;
1236                                 isec->sid = sid;
1237                         }
1238                 }
1239                 break;
1240         }
1241
1242         isec->initialized = 1;
1243
1244 out_unlock:
1245         mutex_unlock(&isec->lock);
1246 out:
1247         if (isec->sclass == SECCLASS_FILE)
1248                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1249         return rc;
1250 }
1251
1252 /* Convert a Linux signal to an access vector. */
1253 static inline u32 signal_to_av(int sig)
1254 {
1255         u32 perm = 0;
1256
1257         switch (sig) {
1258         case SIGCHLD:
1259                 /* Commonly granted from child to parent. */
1260                 perm = PROCESS__SIGCHLD;
1261                 break;
1262         case SIGKILL:
1263                 /* Cannot be caught or ignored */
1264                 perm = PROCESS__SIGKILL;
1265                 break;
1266         case SIGSTOP:
1267                 /* Cannot be caught or ignored */
1268                 perm = PROCESS__SIGSTOP;
1269                 break;
1270         default:
1271                 /* All other signals. */
1272                 perm = PROCESS__SIGNAL;
1273                 break;
1274         }
1275
1276         return perm;
1277 }
1278
1279 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1280    fork check, ptrace check, etc. */
1281 static int task_has_perm(struct task_struct *tsk1,
1282                          struct task_struct *tsk2,
1283                          u32 perms)
1284 {
1285         struct task_security_struct *tsec1, *tsec2;
1286
1287         tsec1 = tsk1->security;
1288         tsec2 = tsk2->security;
1289         return avc_has_perm(tsec1->sid, tsec2->sid,
1290                             SECCLASS_PROCESS, perms, NULL);
1291 }
1292
1293 #if CAP_LAST_CAP > 63
1294 #error Fix SELinux to handle capabilities > 63.
1295 #endif
1296
1297 /* Check whether a task is allowed to use a capability. */
1298 static int task_has_capability(struct task_struct *tsk,
1299                                int cap)
1300 {
1301         struct task_security_struct *tsec;
1302         struct avc_audit_data ad;
1303         u16 sclass;
1304         u32 av = CAP_TO_MASK(cap);
1305
1306         tsec = tsk->security;
1307
1308         AVC_AUDIT_DATA_INIT(&ad,CAP);
1309         ad.tsk = tsk;
1310         ad.u.cap = cap;
1311
1312         switch (CAP_TO_INDEX(cap)) {
1313         case 0:
1314                 sclass = SECCLASS_CAPABILITY;
1315                 break;
1316         case 1:
1317                 sclass = SECCLASS_CAPABILITY2;
1318                 break;
1319         default:
1320                 printk(KERN_ERR
1321                        "SELinux:  out of range capability %d\n", cap);
1322                 BUG();
1323         }
1324         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1325 }
1326
1327 /* Check whether a task is allowed to use a system operation. */
1328 static int task_has_system(struct task_struct *tsk,
1329                            u32 perms)
1330 {
1331         struct task_security_struct *tsec;
1332
1333         tsec = tsk->security;
1334
1335         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336                             SECCLASS_SYSTEM, perms, NULL);
1337 }
1338
1339 /* Check whether a task has a particular permission to an inode.
1340    The 'adp' parameter is optional and allows other audit
1341    data to be passed (e.g. the dentry). */
1342 static int inode_has_perm(struct task_struct *tsk,
1343                           struct inode *inode,
1344                           u32 perms,
1345                           struct avc_audit_data *adp)
1346 {
1347         struct task_security_struct *tsec;
1348         struct inode_security_struct *isec;
1349         struct avc_audit_data ad;
1350
1351         if (unlikely (IS_PRIVATE (inode)))
1352                 return 0;
1353
1354         tsec = tsk->security;
1355         isec = inode->i_security;
1356
1357         if (!adp) {
1358                 adp = &ad;
1359                 AVC_AUDIT_DATA_INIT(&ad, FS);
1360                 ad.u.fs.inode = inode;
1361         }
1362
1363         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1364 }
1365
1366 /* Same as inode_has_perm, but pass explicit audit data containing
1367    the dentry to help the auditing code to more easily generate the
1368    pathname if needed. */
1369 static inline int dentry_has_perm(struct task_struct *tsk,
1370                                   struct vfsmount *mnt,
1371                                   struct dentry *dentry,
1372                                   u32 av)
1373 {
1374         struct inode *inode = dentry->d_inode;
1375         struct avc_audit_data ad;
1376         AVC_AUDIT_DATA_INIT(&ad,FS);
1377         ad.u.fs.path.mnt = mnt;
1378         ad.u.fs.path.dentry = dentry;
1379         return inode_has_perm(tsk, inode, av, &ad);
1380 }
1381
1382 /* Check whether a task can use an open file descriptor to
1383    access an inode in a given way.  Check access to the
1384    descriptor itself, and then use dentry_has_perm to
1385    check a particular permission to the file.
1386    Access to the descriptor is implicitly granted if it
1387    has the same SID as the process.  If av is zero, then
1388    access to the file is not checked, e.g. for cases
1389    where only the descriptor is affected like seek. */
1390 static int file_has_perm(struct task_struct *tsk,
1391                                 struct file *file,
1392                                 u32 av)
1393 {
1394         struct task_security_struct *tsec = tsk->security;
1395         struct file_security_struct *fsec = file->f_security;
1396         struct inode *inode = file->f_path.dentry->d_inode;
1397         struct avc_audit_data ad;
1398         int rc;
1399
1400         AVC_AUDIT_DATA_INIT(&ad, FS);
1401         ad.u.fs.path = file->f_path;
1402
1403         if (tsec->sid != fsec->sid) {
1404                 rc = avc_has_perm(tsec->sid, fsec->sid,
1405                                   SECCLASS_FD,
1406                                   FD__USE,
1407                                   &ad);
1408                 if (rc)
1409                         return rc;
1410         }
1411
1412         /* av is zero if only checking access to the descriptor. */
1413         if (av)
1414                 return inode_has_perm(tsk, inode, av, &ad);
1415
1416         return 0;
1417 }
1418
1419 /* Check whether a task can create a file. */
1420 static int may_create(struct inode *dir,
1421                       struct dentry *dentry,
1422                       u16 tclass)
1423 {
1424         struct task_security_struct *tsec;
1425         struct inode_security_struct *dsec;
1426         struct superblock_security_struct *sbsec;
1427         u32 newsid;
1428         struct avc_audit_data ad;
1429         int rc;
1430
1431         tsec = current->security;
1432         dsec = dir->i_security;
1433         sbsec = dir->i_sb->s_security;
1434
1435         AVC_AUDIT_DATA_INIT(&ad, FS);
1436         ad.u.fs.path.dentry = dentry;
1437
1438         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439                           DIR__ADD_NAME | DIR__SEARCH,
1440                           &ad);
1441         if (rc)
1442                 return rc;
1443
1444         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445                 newsid = tsec->create_sid;
1446         } else {
1447                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1448                                              &newsid);
1449                 if (rc)
1450                         return rc;
1451         }
1452
1453         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1454         if (rc)
1455                 return rc;
1456
1457         return avc_has_perm(newsid, sbsec->sid,
1458                             SECCLASS_FILESYSTEM,
1459                             FILESYSTEM__ASSOCIATE, &ad);
1460 }
1461
1462 /* Check whether a task can create a key. */
1463 static int may_create_key(u32 ksid,
1464                           struct task_struct *ctx)
1465 {
1466         struct task_security_struct *tsec;
1467
1468         tsec = ctx->security;
1469
1470         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1471 }
1472
1473 #define MAY_LINK   0
1474 #define MAY_UNLINK 1
1475 #define MAY_RMDIR  2
1476
1477 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1478 static int may_link(struct inode *dir,
1479                     struct dentry *dentry,
1480                     int kind)
1481
1482 {
1483         struct task_security_struct *tsec;
1484         struct inode_security_struct *dsec, *isec;
1485         struct avc_audit_data ad;
1486         u32 av;
1487         int rc;
1488
1489         tsec = current->security;
1490         dsec = dir->i_security;
1491         isec = dentry->d_inode->i_security;
1492
1493         AVC_AUDIT_DATA_INIT(&ad, FS);
1494         ad.u.fs.path.dentry = dentry;
1495
1496         av = DIR__SEARCH;
1497         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1499         if (rc)
1500                 return rc;
1501
1502         switch (kind) {
1503         case MAY_LINK:
1504                 av = FILE__LINK;
1505                 break;
1506         case MAY_UNLINK:
1507                 av = FILE__UNLINK;
1508                 break;
1509         case MAY_RMDIR:
1510                 av = DIR__RMDIR;
1511                 break;
1512         default:
1513                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1514                 return 0;
1515         }
1516
1517         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1518         return rc;
1519 }
1520
1521 static inline int may_rename(struct inode *old_dir,
1522                              struct dentry *old_dentry,
1523                              struct inode *new_dir,
1524                              struct dentry *new_dentry)
1525 {
1526         struct task_security_struct *tsec;
1527         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528         struct avc_audit_data ad;
1529         u32 av;
1530         int old_is_dir, new_is_dir;
1531         int rc;
1532
1533         tsec = current->security;
1534         old_dsec = old_dir->i_security;
1535         old_isec = old_dentry->d_inode->i_security;
1536         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537         new_dsec = new_dir->i_security;
1538
1539         AVC_AUDIT_DATA_INIT(&ad, FS);
1540
1541         ad.u.fs.path.dentry = old_dentry;
1542         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544         if (rc)
1545                 return rc;
1546         rc = avc_has_perm(tsec->sid, old_isec->sid,
1547                           old_isec->sclass, FILE__RENAME, &ad);
1548         if (rc)
1549                 return rc;
1550         if (old_is_dir && new_dir != old_dir) {
1551                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552                                   old_isec->sclass, DIR__REPARENT, &ad);
1553                 if (rc)
1554                         return rc;
1555         }
1556
1557         ad.u.fs.path.dentry = new_dentry;
1558         av = DIR__ADD_NAME | DIR__SEARCH;
1559         if (new_dentry->d_inode)
1560                 av |= DIR__REMOVE_NAME;
1561         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562         if (rc)
1563                 return rc;
1564         if (new_dentry->d_inode) {
1565                 new_isec = new_dentry->d_inode->i_security;
1566                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568                                   new_isec->sclass,
1569                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1570                 if (rc)
1571                         return rc;
1572         }
1573
1574         return 0;
1575 }
1576
1577 /* Check whether a task can perform a filesystem operation. */
1578 static int superblock_has_perm(struct task_struct *tsk,
1579                                struct super_block *sb,
1580                                u32 perms,
1581                                struct avc_audit_data *ad)
1582 {
1583         struct task_security_struct *tsec;
1584         struct superblock_security_struct *sbsec;
1585
1586         tsec = tsk->security;
1587         sbsec = sb->s_security;
1588         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1589                             perms, ad);
1590 }
1591
1592 /* Convert a Linux mode and permission mask to an access vector. */
1593 static inline u32 file_mask_to_av(int mode, int mask)
1594 {
1595         u32 av = 0;
1596
1597         if ((mode & S_IFMT) != S_IFDIR) {
1598                 if (mask & MAY_EXEC)
1599                         av |= FILE__EXECUTE;
1600                 if (mask & MAY_READ)
1601                         av |= FILE__READ;
1602
1603                 if (mask & MAY_APPEND)
1604                         av |= FILE__APPEND;
1605                 else if (mask & MAY_WRITE)
1606                         av |= FILE__WRITE;
1607
1608         } else {
1609                 if (mask & MAY_EXEC)
1610                         av |= DIR__SEARCH;
1611                 if (mask & MAY_WRITE)
1612                         av |= DIR__WRITE;
1613                 if (mask & MAY_READ)
1614                         av |= DIR__READ;
1615         }
1616
1617         return av;
1618 }
1619
1620 /* Convert a Linux file to an access vector. */
1621 static inline u32 file_to_av(struct file *file)
1622 {
1623         u32 av = 0;
1624
1625         if (file->f_mode & FMODE_READ)
1626                 av |= FILE__READ;
1627         if (file->f_mode & FMODE_WRITE) {
1628                 if (file->f_flags & O_APPEND)
1629                         av |= FILE__APPEND;
1630                 else
1631                         av |= FILE__WRITE;
1632         }
1633         if (!av) {
1634                 /*
1635                  * Special file opened with flags 3 for ioctl-only use.
1636                  */
1637                 av = FILE__IOCTL;
1638         }
1639
1640         return av;
1641 }
1642
1643 /* Hook functions begin here. */
1644
1645 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1646 {
1647         struct task_security_struct *psec = parent->security;
1648         struct task_security_struct *csec = child->security;
1649         int rc;
1650
1651         rc = secondary_ops->ptrace(parent,child);
1652         if (rc)
1653                 return rc;
1654
1655         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1656         /* Save the SID of the tracing process for later use in apply_creds. */
1657         if (!(child->ptrace & PT_PTRACED) && !rc)
1658                 csec->ptrace_sid = psec->sid;
1659         return rc;
1660 }
1661
1662 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1663                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1664 {
1665         int error;
1666
1667         error = task_has_perm(current, target, PROCESS__GETCAP);
1668         if (error)
1669                 return error;
1670
1671         return secondary_ops->capget(target, effective, inheritable, permitted);
1672 }
1673
1674 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1675                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1676 {
1677         int error;
1678
1679         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1680         if (error)
1681                 return error;
1682
1683         return task_has_perm(current, target, PROCESS__SETCAP);
1684 }
1685
1686 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1687                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1688 {
1689         secondary_ops->capset_set(target, effective, inheritable, permitted);
1690 }
1691
1692 static int selinux_capable(struct task_struct *tsk, int cap)
1693 {
1694         int rc;
1695
1696         rc = secondary_ops->capable(tsk, cap);
1697         if (rc)
1698                 return rc;
1699
1700         return task_has_capability(tsk,cap);
1701 }
1702
1703 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1704 {
1705         int buflen, rc;
1706         char *buffer, *path, *end;
1707
1708         rc = -ENOMEM;
1709         buffer = (char*)__get_free_page(GFP_KERNEL);
1710         if (!buffer)
1711                 goto out;
1712
1713         buflen = PAGE_SIZE;
1714         end = buffer+buflen;
1715         *--end = '\0';
1716         buflen--;
1717         path = end-1;
1718         *path = '/';
1719         while (table) {
1720                 const char *name = table->procname;
1721                 size_t namelen = strlen(name);
1722                 buflen -= namelen + 1;
1723                 if (buflen < 0)
1724                         goto out_free;
1725                 end -= namelen;
1726                 memcpy(end, name, namelen);
1727                 *--end = '/';
1728                 path = end;
1729                 table = table->parent;
1730         }
1731         buflen -= 4;
1732         if (buflen < 0)
1733                 goto out_free;
1734         end -= 4;
1735         memcpy(end, "/sys", 4);
1736         path = end;
1737         rc = security_genfs_sid("proc", path, tclass, sid);
1738 out_free:
1739         free_page((unsigned long)buffer);
1740 out:
1741         return rc;
1742 }
1743
1744 static int selinux_sysctl(ctl_table *table, int op)
1745 {
1746         int error = 0;
1747         u32 av;
1748         struct task_security_struct *tsec;
1749         u32 tsid;
1750         int rc;
1751
1752         rc = secondary_ops->sysctl(table, op);
1753         if (rc)
1754                 return rc;
1755
1756         tsec = current->security;
1757
1758         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1759                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1760         if (rc) {
1761                 /* Default to the well-defined sysctl SID. */
1762                 tsid = SECINITSID_SYSCTL;
1763         }
1764
1765         /* The op values are "defined" in sysctl.c, thereby creating
1766          * a bad coupling between this module and sysctl.c */
1767         if(op == 001) {
1768                 error = avc_has_perm(tsec->sid, tsid,
1769                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1770         } else {
1771                 av = 0;
1772                 if (op & 004)
1773                         av |= FILE__READ;
1774                 if (op & 002)
1775                         av |= FILE__WRITE;
1776                 if (av)
1777                         error = avc_has_perm(tsec->sid, tsid,
1778                                              SECCLASS_FILE, av, NULL);
1779         }
1780
1781         return error;
1782 }
1783
1784 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1785 {
1786         int rc = 0;
1787
1788         if (!sb)
1789                 return 0;
1790
1791         switch (cmds) {
1792                 case Q_SYNC:
1793                 case Q_QUOTAON:
1794                 case Q_QUOTAOFF:
1795                 case Q_SETINFO:
1796                 case Q_SETQUOTA:
1797                         rc = superblock_has_perm(current,
1798                                                  sb,
1799                                                  FILESYSTEM__QUOTAMOD, NULL);
1800                         break;
1801                 case Q_GETFMT:
1802                 case Q_GETINFO:
1803                 case Q_GETQUOTA:
1804                         rc = superblock_has_perm(current,
1805                                                  sb,
1806                                                  FILESYSTEM__QUOTAGET, NULL);
1807                         break;
1808                 default:
1809                         rc = 0;  /* let the kernel handle invalid cmds */
1810                         break;
1811         }
1812         return rc;
1813 }
1814
1815 static int selinux_quota_on(struct dentry *dentry)
1816 {
1817         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1818 }
1819
1820 static int selinux_syslog(int type)
1821 {
1822         int rc;
1823
1824         rc = secondary_ops->syslog(type);
1825         if (rc)
1826                 return rc;
1827
1828         switch (type) {
1829                 case 3:         /* Read last kernel messages */
1830                 case 10:        /* Return size of the log buffer */
1831                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1832                         break;
1833                 case 6:         /* Disable logging to console */
1834                 case 7:         /* Enable logging to console */
1835                 case 8:         /* Set level of messages printed to console */
1836                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1837                         break;
1838                 case 0:         /* Close log */
1839                 case 1:         /* Open log */
1840                 case 2:         /* Read from log */
1841                 case 4:         /* Read/clear last kernel messages */
1842                 case 5:         /* Clear ring buffer */
1843                 default:
1844                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1845                         break;
1846         }
1847         return rc;
1848 }
1849
1850 /*
1851  * Check that a process has enough memory to allocate a new virtual
1852  * mapping. 0 means there is enough memory for the allocation to
1853  * succeed and -ENOMEM implies there is not.
1854  *
1855  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1856  * if the capability is granted, but __vm_enough_memory requires 1 if
1857  * the capability is granted.
1858  *
1859  * Do not audit the selinux permission check, as this is applied to all
1860  * processes that allocate mappings.
1861  */
1862 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1863 {
1864         int rc, cap_sys_admin = 0;
1865         struct task_security_struct *tsec = current->security;
1866
1867         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1868         if (rc == 0)
1869                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1870                                           SECCLASS_CAPABILITY,
1871                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1872                                           0,
1873                                           NULL);
1874
1875         if (rc == 0)
1876                 cap_sys_admin = 1;
1877
1878         return __vm_enough_memory(mm, pages, cap_sys_admin);
1879 }
1880
1881 /* binprm security operations */
1882
1883 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1884 {
1885         struct bprm_security_struct *bsec;
1886
1887         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1888         if (!bsec)
1889                 return -ENOMEM;
1890
1891         bsec->bprm = bprm;
1892         bsec->sid = SECINITSID_UNLABELED;
1893         bsec->set = 0;
1894
1895         bprm->security = bsec;
1896         return 0;
1897 }
1898
1899 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1900 {
1901         struct task_security_struct *tsec;
1902         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1903         struct inode_security_struct *isec;
1904         struct bprm_security_struct *bsec;
1905         u32 newsid;
1906         struct avc_audit_data ad;
1907         int rc;
1908
1909         rc = secondary_ops->bprm_set_security(bprm);
1910         if (rc)
1911                 return rc;
1912
1913         bsec = bprm->security;
1914
1915         if (bsec->set)
1916                 return 0;
1917
1918         tsec = current->security;
1919         isec = inode->i_security;
1920
1921         /* Default to the current task SID. */
1922         bsec->sid = tsec->sid;
1923
1924         /* Reset fs, key, and sock SIDs on execve. */
1925         tsec->create_sid = 0;
1926         tsec->keycreate_sid = 0;
1927         tsec->sockcreate_sid = 0;
1928
1929         if (tsec->exec_sid) {
1930                 newsid = tsec->exec_sid;
1931                 /* Reset exec SID on execve. */
1932                 tsec->exec_sid = 0;
1933         } else {
1934                 /* Check for a default transition on this program. */
1935                 rc = security_transition_sid(tsec->sid, isec->sid,
1936                                              SECCLASS_PROCESS, &newsid);
1937                 if (rc)
1938                         return rc;
1939         }
1940
1941         AVC_AUDIT_DATA_INIT(&ad, FS);
1942         ad.u.fs.path = bprm->file->f_path;
1943
1944         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1945                 newsid = tsec->sid;
1946
1947         if (tsec->sid == newsid) {
1948                 rc = avc_has_perm(tsec->sid, isec->sid,
1949                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1950                 if (rc)
1951                         return rc;
1952         } else {
1953                 /* Check permissions for the transition. */
1954                 rc = avc_has_perm(tsec->sid, newsid,
1955                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1956                 if (rc)
1957                         return rc;
1958
1959                 rc = avc_has_perm(newsid, isec->sid,
1960                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1961                 if (rc)
1962                         return rc;
1963
1964                 /* Clear any possibly unsafe personality bits on exec: */
1965                 current->personality &= ~PER_CLEAR_ON_SETID;
1966
1967                 /* Set the security field to the new SID. */
1968                 bsec->sid = newsid;
1969         }
1970
1971         bsec->set = 1;
1972         return 0;
1973 }
1974
1975 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1976 {
1977         return secondary_ops->bprm_check_security(bprm);
1978 }
1979
1980
1981 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1982 {
1983         struct task_security_struct *tsec = current->security;
1984         int atsecure = 0;
1985
1986         if (tsec->osid != tsec->sid) {
1987                 /* Enable secure mode for SIDs transitions unless
1988                    the noatsecure permission is granted between
1989                    the two SIDs, i.e. ahp returns 0. */
1990                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1991                                          SECCLASS_PROCESS,
1992                                          PROCESS__NOATSECURE, NULL);
1993         }
1994
1995         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1996 }
1997
1998 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1999 {
2000         kfree(bprm->security);
2001         bprm->security = NULL;
2002 }
2003
2004 extern struct vfsmount *selinuxfs_mount;
2005 extern struct dentry *selinux_null;
2006
2007 /* Derived from fs/exec.c:flush_old_files. */
2008 static inline void flush_unauthorized_files(struct files_struct * files)
2009 {
2010         struct avc_audit_data ad;
2011         struct file *file, *devnull = NULL;
2012         struct tty_struct *tty;
2013         struct fdtable *fdt;
2014         long j = -1;
2015         int drop_tty = 0;
2016
2017         mutex_lock(&tty_mutex);
2018         tty = get_current_tty();
2019         if (tty) {
2020                 file_list_lock();
2021                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2022                 if (file) {
2023                         /* Revalidate access to controlling tty.
2024                            Use inode_has_perm on the tty inode directly rather
2025                            than using file_has_perm, as this particular open
2026                            file may belong to another process and we are only
2027                            interested in the inode-based check here. */
2028                         struct inode *inode = file->f_path.dentry->d_inode;
2029                         if (inode_has_perm(current, inode,
2030                                            FILE__READ | FILE__WRITE, NULL)) {
2031                                 drop_tty = 1;
2032                         }
2033                 }
2034                 file_list_unlock();
2035         }
2036         mutex_unlock(&tty_mutex);
2037         /* Reset controlling tty. */
2038         if (drop_tty)
2039                 no_tty();
2040
2041         /* Revalidate access to inherited open files. */
2042
2043         AVC_AUDIT_DATA_INIT(&ad,FS);
2044
2045         spin_lock(&files->file_lock);
2046         for (;;) {
2047                 unsigned long set, i;
2048                 int fd;
2049
2050                 j++;
2051                 i = j * __NFDBITS;
2052                 fdt = files_fdtable(files);
2053                 if (i >= fdt->max_fds)
2054                         break;
2055                 set = fdt->open_fds->fds_bits[j];
2056                 if (!set)
2057                         continue;
2058                 spin_unlock(&files->file_lock);
2059                 for ( ; set ; i++,set >>= 1) {
2060                         if (set & 1) {
2061                                 file = fget(i);
2062                                 if (!file)
2063                                         continue;
2064                                 if (file_has_perm(current,
2065                                                   file,
2066                                                   file_to_av(file))) {
2067                                         sys_close(i);
2068                                         fd = get_unused_fd();
2069                                         if (fd != i) {
2070                                                 if (fd >= 0)
2071                                                         put_unused_fd(fd);
2072                                                 fput(file);
2073                                                 continue;
2074                                         }
2075                                         if (devnull) {
2076                                                 get_file(devnull);
2077                                         } else {
2078                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2079                                                 if (IS_ERR(devnull)) {
2080                                                         devnull = NULL;
2081                                                         put_unused_fd(fd);
2082                                                         fput(file);
2083                                                         continue;
2084                                                 }
2085                                         }
2086                                         fd_install(fd, devnull);
2087                                 }
2088                                 fput(file);
2089                         }
2090                 }
2091                 spin_lock(&files->file_lock);
2092
2093         }
2094         spin_unlock(&files->file_lock);
2095 }
2096
2097 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2098 {
2099         struct task_security_struct *tsec;
2100         struct bprm_security_struct *bsec;
2101         u32 sid;
2102         int rc;
2103
2104         secondary_ops->bprm_apply_creds(bprm, unsafe);
2105
2106         tsec = current->security;
2107
2108         bsec = bprm->security;
2109         sid = bsec->sid;
2110
2111         tsec->osid = tsec->sid;
2112         bsec->unsafe = 0;
2113         if (tsec->sid != sid) {
2114                 /* Check for shared state.  If not ok, leave SID
2115                    unchanged and kill. */
2116                 if (unsafe & LSM_UNSAFE_SHARE) {
2117                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2118                                         PROCESS__SHARE, NULL);
2119                         if (rc) {
2120                                 bsec->unsafe = 1;
2121                                 return;
2122                         }
2123                 }
2124
2125                 /* Check for ptracing, and update the task SID if ok.
2126                    Otherwise, leave SID unchanged and kill. */
2127                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2128                         rc = avc_has_perm(tsec->ptrace_sid, sid,
2129                                           SECCLASS_PROCESS, PROCESS__PTRACE,
2130                                           NULL);
2131                         if (rc) {
2132                                 bsec->unsafe = 1;
2133                                 return;
2134                         }
2135                 }
2136                 tsec->sid = sid;
2137         }
2138 }
2139
2140 /*
2141  * called after apply_creds without the task lock held
2142  */
2143 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2144 {
2145         struct task_security_struct *tsec;
2146         struct rlimit *rlim, *initrlim;
2147         struct itimerval itimer;
2148         struct bprm_security_struct *bsec;
2149         int rc, i;
2150
2151         tsec = current->security;
2152         bsec = bprm->security;
2153
2154         if (bsec->unsafe) {
2155                 force_sig_specific(SIGKILL, current);
2156                 return;
2157         }
2158         if (tsec->osid == tsec->sid)
2159                 return;
2160
2161         /* Close files for which the new task SID is not authorized. */
2162         flush_unauthorized_files(current->files);
2163
2164         /* Check whether the new SID can inherit signal state
2165            from the old SID.  If not, clear itimers to avoid
2166            subsequent signal generation and flush and unblock
2167            signals. This must occur _after_ the task SID has
2168           been updated so that any kill done after the flush
2169           will be checked against the new SID. */
2170         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2171                           PROCESS__SIGINH, NULL);
2172         if (rc) {
2173                 memset(&itimer, 0, sizeof itimer);
2174                 for (i = 0; i < 3; i++)
2175                         do_setitimer(i, &itimer, NULL);
2176                 flush_signals(current);
2177                 spin_lock_irq(&current->sighand->siglock);
2178                 flush_signal_handlers(current, 1);
2179                 sigemptyset(&current->blocked);
2180                 recalc_sigpending();
2181                 spin_unlock_irq(&current->sighand->siglock);
2182         }
2183
2184         /* Always clear parent death signal on SID transitions. */
2185         current->pdeath_signal = 0;
2186
2187         /* Check whether the new SID can inherit resource limits
2188            from the old SID.  If not, reset all soft limits to
2189            the lower of the current task's hard limit and the init
2190            task's soft limit.  Note that the setting of hard limits
2191            (even to lower them) can be controlled by the setrlimit
2192            check. The inclusion of the init task's soft limit into
2193            the computation is to avoid resetting soft limits higher
2194            than the default soft limit for cases where the default
2195            is lower than the hard limit, e.g. RLIMIT_CORE or
2196            RLIMIT_STACK.*/
2197         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2198                           PROCESS__RLIMITINH, NULL);
2199         if (rc) {
2200                 for (i = 0; i < RLIM_NLIMITS; i++) {
2201                         rlim = current->signal->rlim + i;
2202                         initrlim = init_task.signal->rlim+i;
2203                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2204                 }
2205                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2206                         /*
2207                          * This will cause RLIMIT_CPU calculations
2208                          * to be refigured.
2209                          */
2210                         current->it_prof_expires = jiffies_to_cputime(1);
2211                 }
2212         }
2213
2214         /* Wake up the parent if it is waiting so that it can
2215            recheck wait permission to the new task SID. */
2216         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2217 }
2218
2219 /* superblock security operations */
2220
2221 static int selinux_sb_alloc_security(struct super_block *sb)
2222 {
2223         return superblock_alloc_security(sb);
2224 }
2225
2226 static void selinux_sb_free_security(struct super_block *sb)
2227 {
2228         superblock_free_security(sb);
2229 }
2230
2231 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2232 {
2233         if (plen > olen)
2234                 return 0;
2235
2236         return !memcmp(prefix, option, plen);
2237 }
2238
2239 static inline int selinux_option(char *option, int len)
2240 {
2241         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2242                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2243                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2244                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2245 }
2246
2247 static inline void take_option(char **to, char *from, int *first, int len)
2248 {
2249         if (!*first) {
2250                 **to = ',';
2251                 *to += 1;
2252         } else
2253                 *first = 0;
2254         memcpy(*to, from, len);
2255         *to += len;
2256 }
2257
2258 static inline void take_selinux_option(char **to, char *from, int *first, 
2259                                        int len)
2260 {
2261         int current_size = 0;
2262
2263         if (!*first) {
2264                 **to = '|';
2265                 *to += 1;
2266         }
2267         else
2268                 *first = 0;
2269
2270         while (current_size < len) {
2271                 if (*from != '"') {
2272                         **to = *from;
2273                         *to += 1;
2274                 }
2275                 from += 1;
2276                 current_size += 1;
2277         }
2278 }
2279
2280 static int selinux_sb_copy_data(char *orig, char *copy)
2281 {
2282         int fnosec, fsec, rc = 0;
2283         char *in_save, *in_curr, *in_end;
2284         char *sec_curr, *nosec_save, *nosec;
2285         int open_quote = 0;
2286
2287         in_curr = orig;
2288         sec_curr = copy;
2289
2290         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2291         if (!nosec) {
2292                 rc = -ENOMEM;
2293                 goto out;
2294         }
2295
2296         nosec_save = nosec;
2297         fnosec = fsec = 1;
2298         in_save = in_end = orig;
2299
2300         do {
2301                 if (*in_end == '"')
2302                         open_quote = !open_quote;
2303                 if ((*in_end == ',' && open_quote == 0) ||
2304                                 *in_end == '\0') {
2305                         int len = in_end - in_curr;
2306
2307                         if (selinux_option(in_curr, len))
2308                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2309                         else
2310                                 take_option(&nosec, in_curr, &fnosec, len);
2311
2312                         in_curr = in_end + 1;
2313                 }
2314         } while (*in_end++);
2315
2316         strcpy(in_save, nosec_save);
2317         free_page((unsigned long)nosec_save);
2318 out:
2319         return rc;
2320 }
2321
2322 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2323 {
2324         struct avc_audit_data ad;
2325         int rc;
2326
2327         rc = superblock_doinit(sb, data);
2328         if (rc)
2329                 return rc;
2330
2331         AVC_AUDIT_DATA_INIT(&ad,FS);
2332         ad.u.fs.path.dentry = sb->s_root;
2333         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2334 }
2335
2336 static int selinux_sb_statfs(struct dentry *dentry)
2337 {
2338         struct avc_audit_data ad;
2339
2340         AVC_AUDIT_DATA_INIT(&ad,FS);
2341         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2342         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2343 }
2344
2345 static int selinux_mount(char * dev_name,
2346                          struct nameidata *nd,
2347                          char * type,
2348                          unsigned long flags,
2349                          void * data)
2350 {
2351         int rc;
2352
2353         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2354         if (rc)
2355                 return rc;
2356
2357         if (flags & MS_REMOUNT)
2358                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2359                                            FILESYSTEM__REMOUNT, NULL);
2360         else
2361                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2362                                        FILE__MOUNTON);
2363 }
2364
2365 static int selinux_umount(struct vfsmount *mnt, int flags)
2366 {
2367         int rc;
2368
2369         rc = secondary_ops->sb_umount(mnt, flags);
2370         if (rc)
2371                 return rc;
2372
2373         return superblock_has_perm(current,mnt->mnt_sb,
2374                                    FILESYSTEM__UNMOUNT,NULL);
2375 }
2376
2377 /* inode security operations */
2378
2379 static int selinux_inode_alloc_security(struct inode *inode)
2380 {
2381         return inode_alloc_security(inode);
2382 }
2383
2384 static void selinux_inode_free_security(struct inode *inode)
2385 {
2386         inode_free_security(inode);
2387 }
2388
2389 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2390                                        char **name, void **value,
2391                                        size_t *len)
2392 {
2393         struct task_security_struct *tsec;
2394         struct inode_security_struct *dsec;
2395         struct superblock_security_struct *sbsec;
2396         u32 newsid, clen;
2397         int rc;
2398         char *namep = NULL, *context;
2399
2400         tsec = current->security;
2401         dsec = dir->i_security;
2402         sbsec = dir->i_sb->s_security;
2403
2404         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2405                 newsid = tsec->create_sid;
2406         } else {
2407                 rc = security_transition_sid(tsec->sid, dsec->sid,
2408                                              inode_mode_to_security_class(inode->i_mode),
2409                                              &newsid);
2410                 if (rc) {
2411                         printk(KERN_WARNING "%s:  "
2412                                "security_transition_sid failed, rc=%d (dev=%s "
2413                                "ino=%ld)\n",
2414                                __FUNCTION__,
2415                                -rc, inode->i_sb->s_id, inode->i_ino);
2416                         return rc;
2417                 }
2418         }
2419
2420         /* Possibly defer initialization to selinux_complete_init. */
2421         if (sbsec->initialized) {
2422                 struct inode_security_struct *isec = inode->i_security;
2423                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2424                 isec->sid = newsid;
2425                 isec->initialized = 1;
2426         }
2427
2428         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2429                 return -EOPNOTSUPP;
2430
2431         if (name) {
2432                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2433                 if (!namep)
2434                         return -ENOMEM;
2435                 *name = namep;
2436         }
2437
2438         if (value && len) {
2439                 rc = security_sid_to_context(newsid, &context, &clen);
2440                 if (rc) {
2441                         kfree(namep);
2442                         return rc;
2443                 }
2444                 *value = context;
2445                 *len = clen;
2446         }
2447
2448         return 0;
2449 }
2450
2451 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2452 {
2453         return may_create(dir, dentry, SECCLASS_FILE);
2454 }
2455
2456 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2457 {
2458         int rc;
2459
2460         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2461         if (rc)
2462                 return rc;
2463         return may_link(dir, old_dentry, MAY_LINK);
2464 }
2465
2466 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2467 {
2468         int rc;
2469
2470         rc = secondary_ops->inode_unlink(dir, dentry);
2471         if (rc)
2472                 return rc;
2473         return may_link(dir, dentry, MAY_UNLINK);
2474 }
2475
2476 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2477 {
2478         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2479 }
2480
2481 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2482 {
2483         return may_create(dir, dentry, SECCLASS_DIR);
2484 }
2485
2486 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2487 {
2488         return may_link(dir, dentry, MAY_RMDIR);
2489 }
2490
2491 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2492 {
2493         int rc;
2494
2495         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2496         if (rc)
2497                 return rc;
2498
2499         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2500 }
2501
2502 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2503                                 struct inode *new_inode, struct dentry *new_dentry)
2504 {
2505         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2506 }
2507
2508 static int selinux_inode_readlink(struct dentry *dentry)
2509 {
2510         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2511 }
2512
2513 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2514 {
2515         int rc;
2516
2517         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2518         if (rc)
2519                 return rc;
2520         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2521 }
2522
2523 static int selinux_inode_permission(struct inode *inode, int mask,
2524                                     struct nameidata *nd)
2525 {
2526         int rc;
2527
2528         rc = secondary_ops->inode_permission(inode, mask, nd);
2529         if (rc)
2530                 return rc;
2531
2532         if (!mask) {
2533                 /* No permission to check.  Existence test. */
2534                 return 0;
2535         }
2536
2537         return inode_has_perm(current, inode,
2538                                file_mask_to_av(inode->i_mode, mask), NULL);
2539 }
2540
2541 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2542 {
2543         int rc;
2544
2545         rc = secondary_ops->inode_setattr(dentry, iattr);
2546         if (rc)
2547                 return rc;
2548
2549         if (iattr->ia_valid & ATTR_FORCE)
2550                 return 0;
2551
2552         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2553                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2554                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2555
2556         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2557 }
2558
2559 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2560 {
2561         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2562 }
2563
2564 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2565 {
2566         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2567                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2568                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2569                         if (!capable(CAP_SETFCAP))
2570                                 return -EPERM;
2571                 } else if (!capable(CAP_SYS_ADMIN)) {
2572                         /* A different attribute in the security namespace.
2573                            Restrict to administrator. */
2574                         return -EPERM;
2575                 }
2576         }
2577
2578         /* Not an attribute we recognize, so just check the
2579            ordinary setattr permission. */
2580         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2581 }
2582
2583 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2584 {
2585         struct task_security_struct *tsec = current->security;
2586         struct inode *inode = dentry->d_inode;
2587         struct inode_security_struct *isec = inode->i_security;
2588         struct superblock_security_struct *sbsec;
2589         struct avc_audit_data ad;
2590         u32 newsid;
2591         int rc = 0;
2592
2593         if (strcmp(name, XATTR_NAME_SELINUX))
2594                 return selinux_inode_setotherxattr(dentry, name);
2595
2596         sbsec = inode->i_sb->s_security;
2597         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2598                 return -EOPNOTSUPP;
2599
2600         if (!is_owner_or_cap(inode))
2601                 return -EPERM;
2602
2603         AVC_AUDIT_DATA_INIT(&ad,FS);
2604         ad.u.fs.path.dentry = dentry;
2605
2606         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2607                           FILE__RELABELFROM, &ad);
2608         if (rc)
2609                 return rc;
2610
2611         rc = security_context_to_sid(value, size, &newsid);
2612         if (rc)
2613                 return rc;
2614
2615         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2616                           FILE__RELABELTO, &ad);
2617         if (rc)
2618                 return rc;
2619
2620         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2621                                           isec->sclass);
2622         if (rc)
2623                 return rc;
2624
2625         return avc_has_perm(newsid,
2626                             sbsec->sid,
2627                             SECCLASS_FILESYSTEM,
2628                             FILESYSTEM__ASSOCIATE,
2629                             &ad);
2630 }
2631
2632 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2633                                         void *value, size_t size, int flags)
2634 {
2635         struct inode *inode = dentry->d_inode;
2636         struct inode_security_struct *isec = inode->i_security;
2637         u32 newsid;
2638         int rc;
2639
2640         if (strcmp(name, XATTR_NAME_SELINUX)) {
2641                 /* Not an attribute we recognize, so nothing to do. */
2642                 return;
2643         }
2644
2645         rc = security_context_to_sid(value, size, &newsid);
2646         if (rc) {
2647                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2648                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2649                 return;
2650         }
2651
2652         isec->sid = newsid;
2653         return;
2654 }
2655
2656 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2657 {
2658         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2659 }
2660
2661 static int selinux_inode_listxattr (struct dentry *dentry)
2662 {
2663         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2664 }
2665
2666 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2667 {
2668         if (strcmp(name, XATTR_NAME_SELINUX))
2669                 return selinux_inode_setotherxattr(dentry, name);
2670
2671         /* No one is allowed to remove a SELinux security label.
2672            You can change the label, but all data must be labeled. */
2673         return -EACCES;
2674 }
2675
2676 /*
2677  * Copy the in-core inode security context value to the user.  If the
2678  * getxattr() prior to this succeeded, check to see if we need to
2679  * canonicalize the value to be finally returned to the user.
2680  *
2681  * Permission check is handled by selinux_inode_getxattr hook.
2682  */
2683 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2684 {
2685         u32 size;
2686         int error;
2687         char *context = NULL;
2688         struct inode_security_struct *isec = inode->i_security;
2689
2690         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2691                 return -EOPNOTSUPP;
2692
2693         error = security_sid_to_context(isec->sid, &context, &size);
2694         if (error)
2695                 return error;
2696         error = size;
2697         if (alloc) {
2698                 *buffer = context;
2699                 goto out_nofree;
2700         }
2701         kfree(context);
2702 out_nofree:
2703         return error;
2704 }
2705
2706 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2707                                      const void *value, size_t size, int flags)
2708 {
2709         struct inode_security_struct *isec = inode->i_security;
2710         u32 newsid;
2711         int rc;
2712
2713         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2714                 return -EOPNOTSUPP;
2715
2716         if (!value || !size)
2717                 return -EACCES;
2718
2719         rc = security_context_to_sid((void*)value, size, &newsid);
2720         if (rc)
2721                 return rc;
2722
2723         isec->sid = newsid;
2724         return 0;
2725 }
2726
2727 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2728 {
2729         const int len = sizeof(XATTR_NAME_SELINUX);
2730         if (buffer && len <= buffer_size)
2731                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2732         return len;
2733 }
2734
2735 static int selinux_inode_need_killpriv(struct dentry *dentry)
2736 {
2737         return secondary_ops->inode_need_killpriv(dentry);
2738 }
2739
2740 static int selinux_inode_killpriv(struct dentry *dentry)
2741 {
2742         return secondary_ops->inode_killpriv(dentry);
2743 }
2744
2745 /* file security operations */
2746
2747 static int selinux_revalidate_file_permission(struct file *file, int mask)
2748 {
2749         int rc;
2750         struct inode *inode = file->f_path.dentry->d_inode;
2751
2752         if (!mask) {
2753                 /* No permission to check.  Existence test. */
2754                 return 0;
2755         }
2756
2757         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2758         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2759                 mask |= MAY_APPEND;
2760
2761         rc = file_has_perm(current, file,
2762                            file_mask_to_av(inode->i_mode, mask));
2763         if (rc)
2764                 return rc;
2765
2766         return selinux_netlbl_inode_permission(inode, mask);
2767 }
2768
2769 static int selinux_file_permission(struct file *file, int mask)
2770 {
2771         struct inode *inode = file->f_path.dentry->d_inode;
2772         struct task_security_struct *tsec = current->security;
2773         struct file_security_struct *fsec = file->f_security;
2774         struct inode_security_struct *isec = inode->i_security;
2775
2776         if (!mask) {
2777                 /* No permission to check.  Existence test. */
2778                 return 0;
2779         }
2780
2781         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2782             && fsec->pseqno == avc_policy_seqno())
2783                 return selinux_netlbl_inode_permission(inode, mask);
2784
2785         return selinux_revalidate_file_permission(file, mask);
2786 }
2787
2788 static int selinux_file_alloc_security(struct file *file)
2789 {
2790         return file_alloc_security(file);
2791 }
2792
2793 static void selinux_file_free_security(struct file *file)
2794 {
2795         file_free_security(file);
2796 }
2797
2798 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2799                               unsigned long arg)
2800 {
2801         int error = 0;
2802
2803         switch (cmd) {
2804                 case FIONREAD:
2805                 /* fall through */
2806                 case FIBMAP:
2807                 /* fall through */
2808                 case FIGETBSZ:
2809                 /* fall through */
2810                 case EXT2_IOC_GETFLAGS:
2811                 /* fall through */
2812                 case EXT2_IOC_GETVERSION:
2813                         error = file_has_perm(current, file, FILE__GETATTR);
2814                         break;
2815
2816                 case EXT2_IOC_SETFLAGS:
2817                 /* fall through */
2818                 case EXT2_IOC_SETVERSION:
2819                         error = file_has_perm(current, file, FILE__SETATTR);
2820                         break;
2821
2822                 /* sys_ioctl() checks */
2823                 case FIONBIO:
2824                 /* fall through */
2825                 case FIOASYNC:
2826                         error = file_has_perm(current, file, 0);
2827                         break;
2828
2829                 case KDSKBENT:
2830                 case KDSKBSENT:
2831                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2832                         break;
2833
2834                 /* default case assumes that the command will go
2835                  * to the file's ioctl() function.
2836                  */
2837                 default:
2838                         error = file_has_perm(current, file, FILE__IOCTL);
2839
2840         }
2841         return error;
2842 }
2843
2844 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2845 {
2846 #ifndef CONFIG_PPC32
2847         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2848                 /*
2849                  * We are making executable an anonymous mapping or a
2850                  * private file mapping that will also be writable.
2851                  * This has an additional check.
2852                  */
2853                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2854                 if (rc)
2855                         return rc;
2856         }
2857 #endif
2858
2859         if (file) {
2860                 /* read access is always possible with a mapping */
2861                 u32 av = FILE__READ;
2862
2863                 /* write access only matters if the mapping is shared */
2864                 if (shared && (prot & PROT_WRITE))
2865                         av |= FILE__WRITE;
2866
2867                 if (prot & PROT_EXEC)
2868                         av |= FILE__EXECUTE;
2869
2870                 return file_has_perm(current, file, av);
2871         }
2872         return 0;
2873 }
2874
2875 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2876                              unsigned long prot, unsigned long flags,
2877                              unsigned long addr, unsigned long addr_only)
2878 {
2879         int rc = 0;
2880         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2881
2882         if (addr < mmap_min_addr)
2883                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2884                                   MEMPROTECT__MMAP_ZERO, NULL);
2885         if (rc || addr_only)
2886                 return rc;
2887
2888         if (selinux_checkreqprot)
2889                 prot = reqprot;
2890
2891         return file_map_prot_check(file, prot,
2892                                    (flags & MAP_TYPE) == MAP_SHARED);
2893 }
2894
2895 static int selinux_file_mprotect(struct vm_area_struct *vma,
2896                                  unsigned long reqprot,
2897                                  unsigned long prot)
2898 {
2899         int rc;
2900
2901         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2902         if (rc)
2903                 return rc;
2904
2905         if (selinux_checkreqprot)
2906                 prot = reqprot;
2907
2908 #ifndef CONFIG_PPC32
2909         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2910                 rc = 0;
2911                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2912                     vma->vm_end <= vma->vm_mm->brk) {
2913                         rc = task_has_perm(current, current,
2914                                            PROCESS__EXECHEAP);
2915                 } else if (!vma->vm_file &&
2916                            vma->vm_start <= vma->vm_mm->start_stack &&
2917                            vma->vm_end >= vma->vm_mm->start_stack) {
2918                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2919                 } else if (vma->vm_file && vma->anon_vma) {
2920                         /*
2921                          * We are making executable a file mapping that has
2922                          * had some COW done. Since pages might have been
2923                          * written, check ability to execute the possibly
2924                          * modified content.  This typically should only
2925                          * occur for text relocations.
2926                          */
2927                         rc = file_has_perm(current, vma->vm_file,
2928                                            FILE__EXECMOD);
2929                 }
2930                 if (rc)
2931                         return rc;
2932         }
2933 #endif
2934
2935         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2936 }
2937
2938 static int selinux_file_lock(struct file *file, unsigned int cmd)
2939 {
2940         return file_has_perm(current, file, FILE__LOCK);
2941 }
2942
2943 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2944                               unsigned long arg)
2945 {
2946         int err = 0;
2947
2948         switch (cmd) {
2949                 case F_SETFL:
2950                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2951                                 err = -EINVAL;
2952                                 break;
2953                         }
2954
2955                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2956                                 err = file_has_perm(current, file,FILE__WRITE);
2957                                 break;
2958                         }
2959                         /* fall through */
2960                 case F_SETOWN:
2961                 case F_SETSIG:
2962                 case F_GETFL:
2963                 case F_GETOWN:
2964                 case F_GETSIG:
2965                         /* Just check FD__USE permission */
2966                         err = file_has_perm(current, file, 0);
2967                         break;
2968                 case F_GETLK:
2969                 case F_SETLK:
2970                 case F_SETLKW:
2971 #if BITS_PER_LONG == 32
2972                 case F_GETLK64:
2973                 case F_SETLK64:
2974                 case F_SETLKW64:
2975 #endif
2976                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2977                                 err = -EINVAL;
2978                                 break;
2979                         }
2980                         err = file_has_perm(current, file, FILE__LOCK);
2981                         break;
2982         }
2983
2984         return err;
2985 }
2986
2987 static int selinux_file_set_fowner(struct file *file)
2988 {
2989         struct task_security_struct *tsec;
2990         struct file_security_struct *fsec;
2991
2992         tsec = current->security;
2993         fsec = file->f_security;
2994         fsec->fown_sid = tsec->sid;
2995
2996         return 0;
2997 }
2998
2999 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3000                                        struct fown_struct *fown, int signum)
3001 {
3002         struct file *file;
3003         u32 perm;
3004         struct task_security_struct *tsec;
3005         struct file_security_struct *fsec;
3006
3007         /* struct fown_struct is never outside the context of a struct file */
3008         file = container_of(fown, struct file, f_owner);
3009
3010         tsec = tsk->security;
3011         fsec = file->f_security;
3012
3013         if (!signum)
3014                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3015         else
3016                 perm = signal_to_av(signum);
3017
3018         return avc_has_perm(fsec->fown_sid, tsec->sid,
3019                             SECCLASS_PROCESS, perm, NULL);
3020 }
3021
3022 static int selinux_file_receive(struct file *file)
3023 {
3024         return file_has_perm(current, file, file_to_av(file));
3025 }
3026
3027 static int selinux_dentry_open(struct file *file)
3028 {
3029         struct file_security_struct *fsec;
3030         struct inode *inode;
3031         struct inode_security_struct *isec;
3032         inode = file->f_path.dentry->d_inode;
3033         fsec = file->f_security;
3034         isec = inode->i_security;
3035         /*
3036          * Save inode label and policy sequence number
3037          * at open-time so that selinux_file_permission
3038          * can determine whether revalidation is necessary.
3039          * Task label is already saved in the file security
3040          * struct as its SID.
3041          */
3042         fsec->isid = isec->sid;
3043         fsec->pseqno = avc_policy_seqno();
3044         /*
3045          * Since the inode label or policy seqno may have changed
3046          * between the selinux_inode_permission check and the saving
3047          * of state above, recheck that access is still permitted.
3048          * Otherwise, access might never be revalidated against the
3049          * new inode label or new policy.
3050          * This check is not redundant - do not remove.
3051          */
3052         return inode_has_perm(current, inode, file_to_av(file), NULL);
3053 }
3054
3055 /* task security operations */
3056
3057 static int selinux_task_create(unsigned long clone_flags)
3058 {
3059         int rc;
3060
3061         rc = secondary_ops->task_create(clone_flags);
3062         if (rc)
3063                 return rc;
3064
3065         return task_has_perm(current, current, PROCESS__FORK);
3066 }
3067
3068 static int selinux_task_alloc_security(struct task_struct *tsk)
3069 {
3070         struct task_security_struct *tsec1, *tsec2;
3071         int rc;
3072
3073         tsec1 = current->security;
3074
3075         rc = task_alloc_security(tsk);
3076         if (rc)
3077                 return rc;
3078         tsec2 = tsk->security;
3079
3080         tsec2->osid = tsec1->osid;
3081         tsec2->sid = tsec1->sid;
3082
3083         /* Retain the exec, fs, key, and sock SIDs across fork */
3084         tsec2->exec_sid = tsec1->exec_sid;
3085         tsec2->create_sid = tsec1->create_sid;
3086         tsec2->keycreate_sid = tsec1->keycreate_sid;
3087         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3088
3089         /* Retain ptracer SID across fork, if any.
3090            This will be reset by the ptrace hook upon any
3091            subsequent ptrace_attach operations. */
3092         tsec2->ptrace_sid = tsec1->ptrace_sid;
3093
3094         return 0;
3095 }
3096
3097 static void selinux_task_free_security(struct task_struct *tsk)
3098 {
3099         task_free_security(tsk);
3100 }
3101
3102 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3103 {
3104         /* Since setuid only affects the current process, and
3105            since the SELinux controls are not based on the Linux
3106            identity attributes, SELinux does not need to control
3107            this operation.  However, SELinux does control the use
3108            of the CAP_SETUID and CAP_SETGID capabilities using the
3109            capable hook. */
3110         return 0;
3111 }
3112
3113 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3114 {
3115         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3116 }
3117
3118 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3119 {
3120         /* See the comment for setuid above. */
3121         return 0;
3122 }
3123
3124 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3125 {
3126         return task_has_perm(current, p, PROCESS__SETPGID);
3127 }
3128
3129 static int selinux_task_getpgid(struct task_struct *p)
3130 {
3131         return task_has_perm(current, p, PROCESS__GETPGID);
3132 }
3133
3134 static int selinux_task_getsid(struct task_struct *p)
3135 {
3136         return task_has_perm(current, p, PROCESS__GETSESSION);
3137 }
3138
3139 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3140 {
3141         selinux_get_task_sid(p, secid);
3142 }
3143
3144 static int selinux_task_setgroups(struct group_info *group_info)
3145 {
3146         /* See the comment for setuid above. */
3147         return 0;
3148 }
3149
3150 static int selinux_task_setnice(struct task_struct *p, int nice)
3151 {
3152         int rc;
3153
3154         rc = secondary_ops->task_setnice(p, nice);
3155         if (rc)
3156                 return rc;
3157
3158         return task_has_perm(current,p, PROCESS__SETSCHED);
3159 }
3160
3161 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3162 {
3163         int rc;
3164
3165         rc = secondary_ops->task_setioprio(p, ioprio);
3166         if (rc)
3167                 return rc;
3168
3169         return task_has_perm(current, p, PROCESS__SETSCHED);
3170 }
3171
3172 static int selinux_task_getioprio(struct task_struct *p)
3173 {
3174         return task_has_perm(current, p, PROCESS__GETSCHED);
3175 }
3176
3177 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3178 {
3179         struct rlimit *old_rlim = current->signal->rlim + resource;
3180         int rc;
3181
3182         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3183         if (rc)
3184                 return rc;
3185
3186         /* Control the ability to change the hard limit (whether
3187            lowering or raising it), so that the hard limit can
3188            later be used as a safe reset point for the soft limit
3189            upon context transitions. See selinux_bprm_apply_creds. */
3190         if (old_rlim->rlim_max != new_rlim->rlim_max)
3191                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3192
3193         return 0;
3194 }
3195
3196 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3197 {
3198         int rc;
3199
3200         rc = secondary_ops->task_setscheduler(p, policy, lp);
3201         if (rc)
3202                 return rc;
3203
3204         return task_has_perm(current, p, PROCESS__SETSCHED);
3205 }
3206
3207 static int selinux_task_getscheduler(struct task_struct *p)
3208 {
3209         return task_has_perm(current, p, PROCESS__GETSCHED);
3210 }
3211
3212 static int selinux_task_movememory(struct task_struct *p)
3213 {
3214         return task_has_perm(current, p, PROCESS__SETSCHED);
3215 }
3216
3217 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3218                                 int sig, u32 secid)
3219 {
3220         u32 perm;
3221         int rc;
3222         struct task_security_struct *tsec;
3223
3224         rc = secondary_ops->task_kill(p, info, sig, secid);
3225         if (rc)
3226                 return rc;
3227
3228         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3229                 return 0;
3230
3231         if (!sig)
3232                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3233         else
3234                 perm = signal_to_av(sig);
3235         tsec = p->security;
3236         if (secid)
3237                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3238         else
3239                 rc = task_has_perm(current, p, perm);
3240         return rc;
3241 }
3242
3243 static int selinux_task_prctl(int option,
3244                               unsigned long arg2,
3245                               unsigned long arg3,
3246                               unsigned long arg4,
3247                               unsigned long arg5)
3248 {
3249         /* The current prctl operations do not appear to require
3250            any SELinux controls since they merely observe or modify
3251            the state of the current process. */
3252         return 0;
3253 }
3254
3255 static int selinux_task_wait(struct task_struct *p)
3256 {
3257         return task_has_perm(p, current, PROCESS__SIGCHLD);
3258 }
3259
3260 static void selinux_task_reparent_to_init(struct task_struct *p)
3261 {
3262         struct task_security_struct *tsec;
3263
3264         secondary_ops->task_reparent_to_init(p);
3265
3266         tsec = p->security;
3267         tsec->osid = tsec->sid;
3268         tsec->sid = SECINITSID_KERNEL;
3269         return;
3270 }
3271
3272 static void selinux_task_to_inode(struct task_struct *p,
3273                                   struct inode *inode)
3274 {
3275         struct task_security_struct *tsec = p->security;
3276         struct inode_security_struct *isec = inode->i_security;
3277
3278         isec->sid = tsec->sid;
3279         isec->initialized = 1;
3280         return;
3281 }
3282
3283 /* Returns error only if unable to parse addresses */
3284 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3285                         struct avc_audit_data *ad, u8 *proto)
3286 {
3287         int offset, ihlen, ret = -EINVAL;
3288         struct iphdr _iph, *ih;
3289
3290         offset = skb_network_offset(skb);
3291         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3292         if (ih == NULL)
3293                 goto out;
3294
3295         ihlen = ih->ihl * 4;
3296         if (ihlen < sizeof(_iph))
3297                 goto out;
3298
3299         ad->u.net.v4info.saddr = ih->saddr;
3300         ad->u.net.v4info.daddr = ih->daddr;
3301         ret = 0;
3302
3303         if (proto)
3304                 *proto = ih->protocol;
3305
3306         switch (ih->protocol) {
3307         case IPPROTO_TCP: {
3308                 struct tcphdr _tcph, *th;
3309
3310                 if (ntohs(ih->frag_off) & IP_OFFSET)
3311                         break;
3312
3313                 offset += ihlen;
3314                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3315                 if (th == NULL)
3316                         break;
3317
3318                 ad->u.net.sport = th->source;
3319                 ad->u.net.dport = th->dest;
3320                 break;
3321         }
3322         
3323         case IPPROTO_UDP: {
3324                 struct udphdr _udph, *uh;
3325                 
3326                 if (ntohs(ih->frag_off) & IP_OFFSET)
3327                         break;
3328                         
3329                 offset += ihlen;
3330                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3331                 if (uh == NULL)
3332                         break;  
3333
3334                 ad->u.net.sport = uh->source;
3335                 ad->u.net.dport = uh->dest;
3336                 break;
3337         }
3338
3339         case IPPROTO_DCCP: {
3340                 struct dccp_hdr _dccph, *dh;
3341
3342                 if (ntohs(ih->frag_off) & IP_OFFSET)
3343                         break;
3344
3345                 offset += ihlen;
3346                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3347                 if (dh == NULL)
3348                         break;
3349
3350                 ad->u.net.sport = dh->dccph_sport;
3351                 ad->u.net.dport = dh->dccph_dport;
3352                 break;
3353         }
3354
3355         default:
3356                 break;
3357         }
3358 out:
3359         return ret;
3360 }
3361
3362 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3363
3364 /* Returns error only if unable to parse addresses */
3365 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3366                         struct avc_audit_data *ad, u8 *proto)
3367 {
3368         u8 nexthdr;
3369         int ret = -EINVAL, offset;
3370         struct ipv6hdr _ipv6h, *ip6;
3371
3372         offset = skb_network_offset(skb);
3373         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3374         if (ip6 == NULL)
3375                 goto out;
3376
3377         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3378         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3379         ret = 0;
3380
3381         nexthdr = ip6->nexthdr;
3382         offset += sizeof(_ipv6h);
3383         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3384         if (offset < 0)
3385                 goto out;
3386
3387         if (proto)
3388                 *proto = nexthdr;
3389
3390         switch (nexthdr) {
3391         case IPPROTO_TCP: {
3392                 struct tcphdr _tcph, *th;
3393
3394                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3395                 if (th == NULL)
3396                         break;
3397
3398                 ad->u.net.sport = th->source;
3399                 ad->u.net.dport = th->dest;
3400                 break;
3401         }
3402
3403         case IPPROTO_UDP: {
3404                 struct udphdr _udph, *uh;
3405
3406                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3407                 if (uh == NULL)
3408                         break;
3409
3410                 ad->u.net.sport = uh->source;
3411                 ad->u.net.dport = uh->dest;
3412                 break;
3413         }
3414
3415         case IPPROTO_DCCP: {
3416                 struct dccp_hdr _dccph, *dh;
3417
3418                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3419                 if (dh == NULL)
3420                         break;
3421
3422                 ad->u.net.sport = dh->dccph_sport;
3423                 ad->u.net.dport = dh->dccph_dport;
3424                 break;
3425         }
3426
3427         /* includes fragments */
3428         default:
3429                 break;
3430         }
3431 out:
3432         return ret;
3433 }
3434
3435 #endif /* IPV6 */
3436
3437 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3438                              char **addrp, int src, u8 *proto)
3439 {
3440         int ret = 0;
3441
3442         switch (ad->u.net.family) {
3443         case PF_INET:
3444                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3445                 if (ret || !addrp)
3446                         break;
3447                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3448                                         &ad->u.net.v4info.daddr);
3449                 break;
3450
3451 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3452         case PF_INET6:
3453                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3454                 if (ret || !addrp)
3455                         break;
3456                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3457                                         &ad->u.net.v6info.daddr);
3458                 break;
3459 #endif  /* IPV6 */
3460         default:
3461                 break;
3462         }
3463
3464         if (unlikely(ret))
3465                 printk(KERN_WARNING
3466                        "SELinux: failure in selinux_parse_skb(),"
3467                        " unable to parse packet\n");
3468
3469         return ret;
3470 }
3471
3472 /**
3473  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3474  * @skb: the packet
3475  * @family: protocol family
3476  * @sid: the packet's peer label SID
3477  *
3478  * Description:
3479  * Check the various different forms of network peer labeling and determine
3480  * the peer label/SID for the packet; most of the magic actually occurs in
3481  * the security server function security_net_peersid_cmp().  The function
3482  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3483  * or -EACCES if @sid is invalid due to inconsistencies with the different
3484  * peer labels.
3485  *
3486  */
3487 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3488 {
3489         int err;
3490         u32 xfrm_sid;
3491         u32 nlbl_sid;
3492         u32 nlbl_type;
3493
3494         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3495         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3496
3497         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3498         if (unlikely(err)) {
3499                 printk(KERN_WARNING
3500                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3501                        " unable to determine packet's peer label\n");
3502                 return -EACCES;
3503         }
3504
3505         return 0;
3506 }
3507
3508 /* socket security operations */
3509 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3510                            u32 perms)
3511 {
3512         struct inode_security_struct *isec;
3513         struct task_security_struct *tsec;
3514         struct avc_audit_data ad;
3515         int err = 0;
3516
3517         tsec = task->security;
3518         isec = SOCK_INODE(sock)->i_security;
3519
3520         if (isec->sid == SECINITSID_KERNEL)
3521                 goto out;
3522
3523         AVC_AUDIT_DATA_INIT(&ad,NET);
3524         ad.u.net.sk = sock->sk;
3525         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3526
3527 out:
3528         return err;
3529 }
3530
3531 static int selinux_socket_create(int family, int type,
3532                                  int protocol, int kern)
3533 {
3534         int err = 0;
3535         struct task_security_struct *tsec;
3536         u32 newsid;
3537
3538         if (kern)
3539                 goto out;
3540
3541         tsec = current->security;
3542         newsid = tsec->sockcreate_sid ? : tsec->sid;
3543         err = avc_has_perm(tsec->sid, newsid,
3544                            socket_type_to_security_class(family, type,
3545                            protocol), SOCKET__CREATE, NULL);
3546
3547 out:
3548         return err;
3549 }
3550
3551 static int selinux_socket_post_create(struct socket *sock, int family,
3552                                       int type, int protocol, int kern)
3553 {
3554         int err = 0;
3555         struct inode_security_struct *isec;
3556         struct task_security_struct *tsec;
3557         struct sk_security_struct *sksec;
3558         u32 newsid;
3559
3560         isec = SOCK_INODE(sock)->i_security;
3561
3562         tsec = current->security;
3563         newsid = tsec->sockcreate_sid ? : tsec->sid;
3564         isec->sclass = socket_type_to_security_class(family, type, protocol);
3565         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3566         isec->initialized = 1;
3567
3568         if (sock->sk) {
3569                 sksec = sock->sk->sk_security;
3570                 sksec->sid = isec->sid;
3571                 sksec->sclass = isec->sclass;
3572                 err = selinux_netlbl_socket_post_create(sock);
3573         }
3574
3575         return err;
3576 }
3577
3578 /* Range of port numbers used to automatically bind.
3579    Need to determine whether we should perform a name_bind
3580    permission check between the socket and the port number. */
3581
3582 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3583 {
3584         u16 family;
3585         int err;
3586
3587         err = socket_has_perm(current, sock, SOCKET__BIND);
3588         if (err)
3589                 goto out;
3590
3591         /*
3592          * If PF_INET or PF_INET6, check name_bind permission for the port.
3593          * Multiple address binding for SCTP is not supported yet: we just
3594          * check the first address now.
3595          */
3596         family = sock->sk->sk_family;
3597         if (family == PF_INET || family == PF_INET6) {
3598                 char *addrp;
3599                 struct inode_security_struct *isec;
3600                 struct task_security_struct *tsec;
3601                 struct avc_audit_data ad;
3602                 struct sockaddr_in *addr4 = NULL;
3603                 struct sockaddr_in6 *addr6 = NULL;
3604                 unsigned short snum;
3605                 struct sock *sk = sock->sk;
3606                 u32 sid, node_perm, addrlen;
3607
3608                 tsec = current->security;
3609                 isec = SOCK_INODE(sock)->i_security;
3610
3611                 if (family == PF_INET) {
3612                         addr4 = (struct sockaddr_in *)address;
3613                         snum = ntohs(addr4->sin_port);
3614                         addrlen = sizeof(addr4->sin_addr.s_addr);
3615                         addrp = (char *)&addr4->sin_addr.s_addr;
3616                 } else {
3617                         addr6 = (struct sockaddr_in6 *)address;
3618                         snum = ntohs(addr6->sin6_port);
3619                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3620                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3621                 }
3622
3623                 if (snum) {
3624                         int low, high;
3625
3626                         inet_get_local_port_range(&low, &high);
3627
3628                         if (snum < max(PROT_SOCK, low) || snum > high) {
3629                                 err = security_port_sid(sk->sk_family,
3630                                                         sk->sk_type,
3631                                                         sk->sk_protocol, snum,
3632                                                         &sid);
3633                                 if (err)
3634                                         goto out;
3635                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3636                                 ad.u.net.sport = htons(snum);
3637                                 ad.u.net.family = family;
3638                                 err = avc_has_perm(isec->sid, sid,
3639                                                    isec->sclass,
3640                                                    SOCKET__NAME_BIND, &ad);
3641                                 if (err)
3642                                         goto out;
3643                         }
3644                 }
3645                 
3646                 switch(isec->sclass) {
3647                 case SECCLASS_TCP_SOCKET:
3648                         node_perm = TCP_SOCKET__NODE_BIND;
3649                         break;
3650                         
3651                 case SECCLASS_UDP_SOCKET:
3652                         node_perm = UDP_SOCKET__NODE_BIND;
3653                         break;
3654
3655                 case SECCLASS_DCCP_SOCKET:
3656                         node_perm = DCCP_SOCKET__NODE_BIND;
3657                         break;
3658
3659                 default:
3660                         node_perm = RAWIP_SOCKET__NODE_BIND;
3661                         break;
3662                 }
3663                 
3664                 err = sel_netnode_sid(addrp, family, &sid);
3665                 if (err)
3666                         goto out;
3667                 
3668                 AVC_AUDIT_DATA_INIT(&ad,NET);
3669                 ad.u.net.sport = htons(snum);
3670                 ad.u.net.family = family;
3671
3672                 if (family == PF_INET)
3673                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3674                 else
3675                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3676
3677                 err = avc_has_perm(isec->sid, sid,
3678                                    isec->sclass, node_perm, &ad);
3679                 if (err)
3680                         goto out;
3681         }
3682 out:
3683         return err;
3684 }
3685
3686 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3687 {
3688         struct inode_security_struct *isec;
3689         int err;
3690
3691         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3692         if (err)
3693                 return err;
3694
3695         /*
3696          * If a TCP or DCCP socket, check name_connect permission for the port.
3697          */
3698         isec = SOCK_INODE(sock)->i_security;
3699         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3700             isec->sclass == SECCLASS_DCCP_SOCKET) {
3701                 struct sock *sk = sock->sk;
3702                 struct avc_audit_data ad;
3703                 struct sockaddr_in *addr4 = NULL;
3704                 struct sockaddr_in6 *addr6 = NULL;
3705                 unsigned short snum;
3706                 u32 sid, perm;
3707
3708                 if (sk->sk_family == PF_INET) {
3709                         addr4 = (struct sockaddr_in *)address;
3710                         if (addrlen < sizeof(struct sockaddr_in))
3711                                 return -EINVAL;
3712                         snum = ntohs(addr4->sin_port);
3713                 } else {
3714                         addr6 = (struct sockaddr_in6 *)address;
3715                         if (addrlen < SIN6_LEN_RFC2133)
3716                                 return -EINVAL;
3717                         snum = ntohs(addr6->sin6_port);
3718                 }
3719
3720                 err = security_port_sid(sk->sk_family, sk->sk_type,
3721                                         sk->sk_protocol, snum, &sid);
3722                 if (err)
3723                         goto out;
3724
3725                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3726                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3727
3728                 AVC_AUDIT_DATA_INIT(&ad,NET);
3729                 ad.u.net.dport = htons(snum);
3730                 ad.u.net.family = sk->sk_family;
3731                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3732                 if (err)
3733                         goto out;
3734         }
3735
3736 out:
3737         return err;
3738 }
3739
3740 static int selinux_socket_listen(struct socket *sock, int backlog)
3741 {
3742         return socket_has_perm(current, sock, SOCKET__LISTEN);
3743 }
3744
3745 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3746 {
3747         int err;
3748         struct inode_security_struct *isec;
3749         struct inode_security_struct *newisec;
3750
3751         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3752         if (err)
3753                 return err;
3754
3755         newisec = SOCK_INODE(newsock)->i_security;
3756
3757         isec = SOCK_INODE(sock)->i_security;
3758         newisec->sclass = isec->sclass;
3759         newisec->sid = isec->sid;
3760         newisec->initialized = 1;
3761
3762         return 0;
3763 }
3764
3765 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3766                                   int size)
3767 {
3768         int rc;
3769
3770         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3771         if (rc)
3772                 return rc;
3773
3774         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3775 }
3776
3777 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3778                                   int size, int flags)
3779 {
3780         return socket_has_perm(current, sock, SOCKET__READ);
3781 }
3782
3783 static int selinux_socket_getsockname(struct socket *sock)
3784 {
3785         return socket_has_perm(current, sock, SOCKET__GETATTR);
3786 }
3787
3788 static int selinux_socket_getpeername(struct socket *sock)
3789 {
3790         return socket_has_perm(current, sock, SOCKET__GETATTR);
3791 }
3792
3793 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3794 {
3795         int err;
3796
3797         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3798         if (err)
3799                 return err;
3800
3801         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3802 }
3803
3804 static int selinux_socket_getsockopt(struct socket *sock, int level,
3805                                      int optname)
3806 {
3807         return socket_has_perm(current, sock, SOCKET__GETOPT);
3808 }
3809
3810 static int selinux_socket_shutdown(struct socket *sock, int how)
3811 {
3812         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3813 }
3814
3815 static int selinux_socket_unix_stream_connect(struct socket *sock,
3816                                               struct socket *other,
3817                                               struct sock *newsk)
3818 {
3819         struct sk_security_struct *ssec;
3820         struct inode_security_struct *isec;
3821         struct inode_security_struct *other_isec;
3822         struct avc_audit_data ad;
3823         int err;
3824
3825         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3826         if (err)
3827                 return err;
3828
3829         isec = SOCK_INODE(sock)->i_security;
3830         other_isec = SOCK_INODE(other)->i_security;
3831
3832         AVC_AUDIT_DATA_INIT(&ad,NET);
3833         ad.u.net.sk = other->sk;
3834
3835         err = avc_has_perm(isec->sid, other_isec->sid,
3836                            isec->sclass,
3837                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3838         if (err)
3839                 return err;
3840
3841         /* connecting socket */
3842         ssec = sock->sk->sk_security;
3843         ssec->peer_sid = other_isec->sid;
3844         
3845         /* server child socket */
3846         ssec = newsk->sk_security;
3847         ssec->peer_sid = isec->sid;
3848         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3849
3850         return err;
3851 }
3852
3853 static int selinux_socket_unix_may_send(struct socket *sock,
3854                                         struct socket *other)
3855 {
3856         struct inode_security_struct *isec;
3857         struct inode_security_struct *other_isec;
3858         struct avc_audit_data ad;
3859         int err;
3860
3861         isec = SOCK_INODE(sock)->i_security;
3862         other_isec = SOCK_INODE(other)->i_security;
3863
3864         AVC_AUDIT_DATA_INIT(&ad,NET);
3865         ad.u.net.sk = other->sk;
3866
3867         err = avc_has_perm(isec->sid, other_isec->sid,
3868                            isec->sclass, SOCKET__SENDTO, &ad);
3869         if (err)
3870                 return err;
3871
3872         return 0;
3873 }
3874
3875 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3876                                     u32 peer_sid,
3877                                     struct avc_audit_data *ad)
3878 {
3879         int err;
3880         u32 if_sid;
3881         u32 node_sid;
3882
3883         err = sel_netif_sid(ifindex, &if_sid);
3884         if (err)
3885                 return err;
3886         err = avc_has_perm(peer_sid, if_sid,
3887                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3888         if (err)
3889                 return err;
3890
3891         err = sel_netnode_sid(addrp, family, &node_sid);
3892         if (err)
3893                 return err;
3894         return avc_has_perm(peer_sid, node_sid,
3895                             SECCLASS_NODE, NODE__RECVFROM, ad);
3896 }
3897
3898 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3899                                                 struct sk_buff *skb,
3900                                                 struct avc_audit_data *ad,
3901                                                 u16 family,
3902                                                 char *addrp)
3903 {
3904         int err;
3905         struct sk_security_struct *sksec = sk->sk_security;
3906         u16 sk_class;
3907         u32 netif_perm, node_perm, recv_perm;
3908         u32 port_sid, node_sid, if_sid, sk_sid;
3909
3910         sk_sid = sksec->sid;
3911         sk_class = sksec->sclass;
3912
3913         switch (sk_class) {
3914         case SECCLASS_UDP_SOCKET:
3915                 netif_perm = NETIF__UDP_RECV;
3916                 node_perm = NODE__UDP_RECV;
3917                 recv_perm = UDP_SOCKET__RECV_MSG;
3918                 break;
3919         case SECCLASS_TCP_SOCKET:
3920                 netif_perm = NETIF__TCP_RECV;
3921                 node_perm = NODE__TCP_RECV;
3922                 recv_perm = TCP_SOCKET__RECV_MSG;
3923                 break;
3924         case SECCLASS_DCCP_SOCKET:
3925                 netif_perm = NETIF__DCCP_RECV;
3926                 node_perm = NODE__DCCP_RECV;
3927                 recv_perm = DCCP_SOCKET__RECV_MSG;
3928                 break;
3929         default:
3930                 netif_perm = NETIF__RAWIP_RECV;
3931                 node_perm = NODE__RAWIP_RECV;
3932                 recv_perm = 0;
3933                 break;
3934         }
3935
3936         err = sel_netif_sid(skb->iif, &if_sid);
3937         if (err)
3938                 return err;
3939         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3940         if (err)
3941                 return err;
3942         
3943         err = sel_netnode_sid(addrp, family, &node_sid);
3944         if (err)
3945                 return err;
3946         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3947         if (err)
3948                 return err;
3949
3950         if (!recv_perm)
3951                 return 0;
3952         err = security_port_sid(sk->sk_family, sk->sk_type,
3953                                 sk->sk_protocol, ntohs(ad->u.net.sport),
3954                                 &port_sid);
3955         if (unlikely(err)) {
3956                 printk(KERN_WARNING
3957                        "SELinux: failure in"
3958                        " selinux_sock_rcv_skb_iptables_compat(),"
3959                        " network port label not found\n");
3960                 return err;
3961         }
3962         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3963 }
3964
3965 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3966                                        struct avc_audit_data *ad,
3967                                        u16 family, char *addrp)
3968 {
3969         int err;
3970         struct sk_security_struct *sksec = sk->sk_security;
3971         u32 peer_sid;
3972         u32 sk_sid = sksec->sid;
3973
3974         if (selinux_compat_net)
3975                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3976                                                            family, addrp);
3977         else
3978                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3979                                    PACKET__RECV, ad);
3980         if (err)
3981                 return err;
3982
3983         if (selinux_policycap_netpeer) {
3984                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3985                 if (err)
3986                         return err;
3987                 err = avc_has_perm(sk_sid, peer_sid,
3988                                    SECCLASS_PEER, PEER__RECV, ad);
3989         } else {
3990                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3991                 if (err)
3992                         return err;
3993                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3994         }
3995
3996         return err;
3997 }
3998
3999 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4000 {
4001         int err;
4002         struct sk_security_struct *sksec = sk->sk_security;
4003         u16 family = sk->sk_family;
4004         u32 sk_sid = sksec->sid;
4005         struct avc_audit_data ad;
4006         char *addrp;
4007
4008         if (family != PF_INET && family != PF_INET6)
4009                 return 0;
4010
4011         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4012         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4013                 family = PF_INET;
4014
4015         AVC_AUDIT_DATA_INIT(&ad, NET);
4016         ad.u.net.netif = skb->iif;
4017         ad.u.net.family = family;
4018         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4019         if (err)
4020                 return err;
4021
4022         /* If any sort of compatibility mode is enabled then handoff processing
4023          * to the selinux_sock_rcv_skb_compat() function to deal with the
4024          * special handling.  We do this in an attempt to keep this function
4025          * as fast and as clean as possible. */
4026         if (selinux_compat_net || !selinux_policycap_netpeer)
4027                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4028                                                    family, addrp);
4029
4030         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4031                 u32 peer_sid;
4032
4033                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4034                 if (err)
4035                         return err;
4036                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4037                                                peer_sid, &ad);
4038                 if (err)
4039                         return err;
4040                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4041                                    PEER__RECV, &ad);
4042         }
4043
4044         if (selinux_secmark_enabled()) {
4045                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4046                                    PACKET__RECV, &ad);
4047                 if (err)
4048                         return err;
4049         }
4050
4051         return err;
4052 }
4053
4054 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4055                                             int __user *optlen, unsigned len)
4056 {
4057         int err = 0;
4058         char *scontext;
4059         u32 scontext_len;
4060         struct sk_security_struct *ssec;
4061         struct inode_security_struct *isec;
4062         u32 peer_sid = SECSID_NULL;
4063
4064         isec = SOCK_INODE(sock)->i_security;
4065
4066         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4067             isec->sclass == SECCLASS_TCP_SOCKET) {
4068                 ssec = sock->sk->sk_security;
4069                 peer_sid = ssec->peer_sid;
4070         }
4071         if (peer_sid == SECSID_NULL) {
4072                 err = -ENOPROTOOPT;
4073                 goto out;
4074         }
4075
4076         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4077
4078         if (err)
4079                 goto out;
4080
4081         if (scontext_len > len) {
4082                 err = -ERANGE;
4083                 goto out_len;
4084         }
4085
4086         if (copy_to_user(optval, scontext, scontext_len))
4087                 err = -EFAULT;
4088
4089 out_len:
4090         if (put_user(scontext_len, optlen))
4091                 err = -EFAULT;
4092
4093         kfree(scontext);
4094 out:    
4095         return err;
4096 }
4097
4098 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4099 {
4100         u32 peer_secid = SECSID_NULL;
4101         u16 family;
4102
4103         if (sock)
4104                 family = sock->sk->sk_family;
4105         else if (skb && skb->sk)
4106                 family = skb->sk->sk_family;
4107         else
4108                 goto out;
4109
4110         if (sock && family == PF_UNIX)
4111                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4112         else if (skb)
4113                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4114
4115 out:
4116         *secid = peer_secid;
4117         if (peer_secid == SECSID_NULL)
4118                 return -EINVAL;
4119         return 0;
4120 }
4121
4122 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4123 {
4124         return sk_alloc_security(sk, family, priority);
4125 }
4126
4127 static void selinux_sk_free_security(struct sock *sk)
4128 {
4129         sk_free_security(sk);
4130 }
4131
4132 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4133 {
4134         struct sk_security_struct *ssec = sk->sk_security;
4135         struct sk_security_struct *newssec = newsk->sk_security;
4136
4137         newssec->sid = ssec->sid;
4138         newssec->peer_sid = ssec->peer_sid;
4139         newssec->sclass = ssec->sclass;
4140
4141         selinux_netlbl_sk_security_clone(ssec, newssec);
4142 }
4143
4144 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4145 {
4146         if (!sk)
4147                 *secid = SECINITSID_ANY_SOCKET;
4148         else {
4149                 struct sk_security_struct *sksec = sk->sk_security;
4150
4151                 *secid = sksec->sid;
4152         }
4153 }
4154
4155 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4156 {
4157         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4158         struct sk_security_struct *sksec = sk->sk_security;
4159
4160         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4161             sk->sk_family == PF_UNIX)
4162                 isec->sid = sksec->sid;
4163         sksec->sclass = isec->sclass;
4164
4165         selinux_netlbl_sock_graft(sk, parent);
4166 }
4167
4168 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4169                                      struct request_sock *req)
4170 {
4171         struct sk_security_struct *sksec = sk->sk_security;
4172         int err;
4173         u32 newsid;
4174         u32 peersid;
4175
4176         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4177         if (err)
4178                 return err;
4179         if (peersid == SECSID_NULL) {
4180                 req->secid = sksec->sid;
4181                 req->peer_secid = SECSID_NULL;
4182                 return 0;
4183         }
4184
4185         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4186         if (err)
4187                 return err;
4188
4189         req->secid = newsid;
4190         req->peer_secid = peersid;
4191         return 0;
4192 }
4193
4194 static void selinux_inet_csk_clone(struct sock *newsk,
4195                                    const struct request_sock *req)
4196 {
4197         struct sk_security_struct *newsksec = newsk->sk_security;
4198
4199         newsksec->sid = req->secid;
4200         newsksec->peer_sid = req->peer_secid;
4201         /* NOTE: Ideally, we should also get the isec->sid for the
4202            new socket in sync, but we don't have the isec available yet.
4203            So we will wait until sock_graft to do it, by which
4204            time it will have been created and available. */
4205
4206         /* We don't need to take any sort of lock here as we are the only
4207          * thread with access to newsksec */
4208         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4209 }
4210
4211 static void selinux_inet_conn_established(struct sock *sk,
4212                                 struct sk_buff *skb)
4213 {
4214         struct sk_security_struct *sksec = sk->sk_security;
4215
4216         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4217 }
4218
4219 static void selinux_req_classify_flow(const struct request_sock *req,
4220                                       struct flowi *fl)
4221 {
4222         fl->secid = req->secid;
4223 }
4224
4225 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4226 {
4227         int err = 0;
4228         u32 perm;
4229         struct nlmsghdr *nlh;
4230         struct socket *sock = sk->sk_socket;
4231         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4232         
4233         if (skb->len < NLMSG_SPACE(0)) {
4234                 err = -EINVAL;
4235                 goto out;
4236         }
4237         nlh = nlmsg_hdr(skb);
4238         
4239         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4240         if (err) {
4241                 if (err == -EINVAL) {
4242                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4243                                   "SELinux:  unrecognized netlink message"
4244                                   " type=%hu for sclass=%hu\n",
4245                                   nlh->nlmsg_type, isec->sclass);
4246                         if (!selinux_enforcing)
4247                                 err = 0;
4248                 }
4249
4250                 /* Ignore */
4251                 if (err == -ENOENT)
4252                         err = 0;
4253                 goto out;
4254         }
4255
4256         err = socket_has_perm(current, sock, perm);
4257 out:
4258         return err;
4259 }
4260
4261 #ifdef CONFIG_NETFILTER
4262
4263 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4264                                        u16 family)
4265 {
4266         char *addrp;
4267         u32 peer_sid;
4268         struct avc_audit_data ad;
4269         u8 secmark_active;
4270         u8 peerlbl_active;
4271
4272         if (!selinux_policycap_netpeer)
4273                 return NF_ACCEPT;
4274
4275         secmark_active = selinux_secmark_enabled();
4276         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4277         if (!secmark_active && !peerlbl_active)
4278                 return NF_ACCEPT;
4279
4280         AVC_AUDIT_DATA_INIT(&ad, NET);
4281         ad.u.net.netif = ifindex;
4282         ad.u.net.family = family;
4283         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4284                 return NF_DROP;
4285
4286         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4287                 return NF_DROP;
4288
4289         if (peerlbl_active)
4290                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4291                                              peer_sid, &ad) != 0)
4292                         return NF_DROP;
4293
4294         if (secmark_active)
4295                 if (avc_has_perm(peer_sid, skb->secmark,
4296                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4297                         return NF_DROP;
4298
4299         return NF_ACCEPT;
4300 }
4301
4302 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4303                                          struct sk_buff *skb,
4304                                          const struct net_device *in,
4305                                          const struct net_device *out,
4306                                          int (*okfn)(struct sk_buff *))
4307 {
4308         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4309 }
4310
4311 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4312 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4313                                          struct sk_buff *skb,
4314                                          const struct net_device *in,
4315                                          const struct net_device *out,
4316                                          int (*okfn)(struct sk_buff *))
4317 {
4318         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4319 }
4320 #endif  /* IPV6 */
4321
4322 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4323                                                 int ifindex,
4324                                                 struct avc_audit_data *ad,
4325                                                 u16 family, char *addrp)
4326 {
4327         int err;
4328         struct sk_security_struct *sksec = sk->sk_security;
4329         u16 sk_class;
4330         u32 netif_perm, node_perm, send_perm;
4331         u32 port_sid, node_sid, if_sid, sk_sid;
4332
4333         sk_sid = sksec->sid;
4334         sk_class = sksec->sclass;
4335
4336         switch (sk_class) {
4337         case SECCLASS_UDP_SOCKET:
4338                 netif_perm = NETIF__UDP_SEND;
4339                 node_perm = NODE__UDP_SEND;
4340                 send_perm = UDP_SOCKET__SEND_MSG;
4341                 break;
4342         case SECCLASS_TCP_SOCKET:
4343                 netif_perm = NETIF__TCP_SEND;
4344                 node_perm = NODE__TCP_SEND;
4345                 send_perm = TCP_SOCKET__SEND_MSG;
4346                 break;
4347         case SECCLASS_DCCP_SOCKET:
4348                 netif_perm = NETIF__DCCP_SEND;
4349                 node_perm = NODE__DCCP_SEND;
4350                 send_perm = DCCP_SOCKET__SEND_MSG;
4351                 break;
4352         default:
4353                 netif_perm = NETIF__RAWIP_SEND;
4354                 node_perm = NODE__RAWIP_SEND;
4355                 send_perm = 0;
4356                 break;
4357         }
4358
4359         err = sel_netif_sid(ifindex, &if_sid);
4360         if (err)
4361                 return err;
4362         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4363                 return err;
4364                 
4365         err = sel_netnode_sid(addrp, family, &node_sid);
4366         if (err)
4367                 return err;
4368         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4369         if (err)
4370                 return err;
4371
4372         if (send_perm != 0)
4373                 return 0;
4374
4375         err = security_port_sid(sk->sk_family, sk->sk_type,
4376                                 sk->sk_protocol, ntohs(ad->u.net.dport),
4377                                 &port_sid);
4378         if (unlikely(err)) {
4379                 printk(KERN_WARNING
4380                        "SELinux: failure in"
4381                        " selinux_ip_postroute_iptables_compat(),"
4382                        " network port label not found\n");
4383                 return err;
4384         }
4385         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4386 }
4387
4388 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4389                                                 int ifindex,
4390                                                 struct avc_audit_data *ad,
4391                                                 u16 family,
4392                                                 char *addrp,
4393                                                 u8 proto)
4394 {
4395         struct sock *sk = skb->sk;
4396         struct sk_security_struct *sksec;
4397
4398         if (sk == NULL)
4399                 return NF_ACCEPT;
4400         sksec = sk->sk_security;
4401
4402         if (selinux_compat_net) {
4403                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4404                                                          ad, family, addrp))
4405                         return NF_DROP;
4406         } else {
4407                 if (avc_has_perm(sksec->sid, skb->secmark,
4408                                  SECCLASS_PACKET, PACKET__SEND, ad))
4409                         return NF_DROP;
4410         }
4411
4412         if (selinux_policycap_netpeer)
4413                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4414                         return NF_DROP;
4415
4416         return NF_ACCEPT;
4417 }
4418
4419 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4420                                          u16 family)
4421 {
4422         u32 secmark_perm;
4423         u32 peer_sid;
4424         struct sock *sk;
4425         struct avc_audit_data ad;
4426         char *addrp;
4427         u8 proto;
4428         u8 secmark_active;
4429         u8 peerlbl_active;
4430
4431         AVC_AUDIT_DATA_INIT(&ad, NET);
4432         ad.u.net.netif = ifindex;
4433         ad.u.net.family = family;
4434         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4435                 return NF_DROP;
4436
4437         /* If any sort of compatibility mode is enabled then handoff processing
4438          * to the selinux_ip_postroute_compat() function to deal with the
4439          * special handling.  We do this in an attempt to keep this function
4440          * as fast and as clean as possible. */
4441         if (selinux_compat_net || !selinux_policycap_netpeer)
4442                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4443                                                    family, addrp, proto);
4444
4445         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4446          * packet transformation so allow the packet to pass without any checks
4447          * since we'll have another chance to perform access control checks
4448          * when the packet is on it's final way out.
4449          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4450          *       is NULL, in this case go ahead and apply access control. */
4451         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4452                 return NF_ACCEPT;
4453
4454         secmark_active = selinux_secmark_enabled();
4455         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4456         if (!secmark_active && !peerlbl_active)
4457                 return NF_ACCEPT;
4458
4459         /* if the packet is locally generated (skb->sk != NULL) then use the
4460          * socket's label as the peer label, otherwise the packet is being
4461          * forwarded through this system and we need to fetch the peer label
4462          * directly from the packet */
4463         sk = skb->sk;
4464         if (sk) {
4465                 struct sk_security_struct *sksec = sk->sk_security;
4466                 peer_sid = sksec->sid;
4467                 secmark_perm = PACKET__SEND;
4468         } else {
4469                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4470                                 return NF_DROP;
4471                 secmark_perm = PACKET__FORWARD_OUT;
4472         }
4473
4474         if (secmark_active)
4475                 if (avc_has_perm(peer_sid, skb->secmark,
4476                                  SECCLASS_PACKET, secmark_perm, &ad))
4477                         return NF_DROP;
4478
4479         if (peerlbl_active) {
4480                 u32 if_sid;
4481                 u32 node_sid;
4482
4483                 if (sel_netif_sid(ifindex, &if_sid))
4484                         return NF_DROP;
4485                 if (avc_has_perm(peer_sid, if_sid,
4486                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4487                         return NF_DROP;
4488
4489                 if (sel_netnode_sid(addrp, family, &node_sid))
4490                         return NF_DROP;
4491                 if (avc_has_perm(peer_sid, node_sid,
4492                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4493                         return NF_DROP;
4494         }
4495
4496         return NF_ACCEPT;
4497 }
4498
4499 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4500                                            struct sk_buff *skb,
4501                                            const struct net_device *in,
4502                                            const struct net_device *out,
4503                                            int (*okfn)(struct sk_buff *))
4504 {
4505         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4506 }
4507
4508 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4509 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4510                                            struct sk_buff *skb,
4511                                            const struct net_device *in,
4512                                            const struct net_device *out,
4513                                            int (*okfn)(struct sk_buff *))
4514 {
4515         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4516 }
4517 #endif  /* IPV6 */
4518
4519 #endif  /* CONFIG_NETFILTER */
4520
4521 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4522 {
4523         int err;
4524
4525         err = secondary_ops->netlink_send(sk, skb);
4526         if (err)
4527                 return err;
4528
4529         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4530                 err = selinux_nlmsg_perm(sk, skb);
4531
4532         return err;
4533 }
4534
4535 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4536 {
4537         int err;
4538         struct avc_audit_data ad;
4539
4540         err = secondary_ops->netlink_recv(skb, capability);
4541         if (err)
4542                 return err;
4543
4544         AVC_AUDIT_DATA_INIT(&ad, CAP);
4545         ad.u.cap = capability;
4546
4547         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4548                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4549 }
4550
4551 static int ipc_alloc_security(struct task_struct *task,
4552                               struct kern_ipc_perm *perm,
4553                               u16 sclass)
4554 {
4555         struct task_security_struct *tsec = task->security;
4556         struct ipc_security_struct *isec;
4557
4558         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4559         if (!isec)
4560                 return -ENOMEM;
4561
4562         isec->sclass = sclass;
4563         isec->ipc_perm = perm;
4564         isec->sid = tsec->sid;
4565         perm->security = isec;
4566
4567         return 0;
4568 }
4569
4570 static void ipc_free_security(struct kern_ipc_perm *perm)
4571 {
4572         struct ipc_security_struct *isec = perm->security;
4573         perm->security = NULL;
4574         kfree(isec);
4575 }
4576
4577 static int msg_msg_alloc_security(struct msg_msg *msg)
4578 {
4579         struct msg_security_struct *msec;
4580
4581         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4582         if (!msec)
4583                 return -ENOMEM;
4584
4585         msec->msg = msg;
4586         msec->sid = SECINITSID_UNLABELED;
4587         msg->security = msec;
4588
4589         return 0;
4590 }
4591
4592 static void msg_msg_free_security(struct msg_msg *msg)
4593 {
4594         struct msg_security_struct *msec = msg->security;
4595
4596         msg->security = NULL;
4597         kfree(msec);
4598 }
4599
4600 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4601                         u32 perms)
4602 {
4603         struct task_security_struct *tsec;
4604         struct ipc_security_struct *isec;
4605         struct avc_audit_data ad;
4606
4607         tsec = current->security;
4608         isec = ipc_perms->security;
4609
4610         AVC_AUDIT_DATA_INIT(&ad, IPC);
4611         ad.u.ipc_id = ipc_perms->key;
4612
4613         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4614 }
4615
4616 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4617 {
4618         return msg_msg_alloc_security(msg);
4619 }
4620
4621 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4622 {
4623         msg_msg_free_security(msg);
4624 }
4625
4626 /* message queue security operations */
4627 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4628 {
4629         struct task_security_struct *tsec;
4630         struct ipc_security_struct *isec;
4631         struct avc_audit_data ad;
4632         int rc;
4633
4634         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4635         if (rc)
4636                 return rc;
4637
4638         tsec = current->security;
4639         isec = msq->q_perm.security;
4640
4641         AVC_AUDIT_DATA_INIT(&ad, IPC);
4642         ad.u.ipc_id = msq->q_perm.key;
4643
4644         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4645                           MSGQ__CREATE, &ad);
4646         if (rc) {
4647                 ipc_free_security(&msq->q_perm);
4648                 return rc;
4649         }
4650         return 0;
4651 }
4652
4653 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4654 {
4655         ipc_free_security(&msq->q_perm);
4656 }
4657
4658 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4659 {
4660         struct task_security_struct *tsec;
4661         struct ipc_security_struct *isec;
4662         struct avc_audit_data ad;
4663
4664         tsec = current->security;
4665         isec = msq->q_perm.security;
4666
4667         AVC_AUDIT_DATA_INIT(&ad, IPC);
4668         ad.u.ipc_id = msq->q_perm.key;
4669
4670         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4671                             MSGQ__ASSOCIATE, &ad);
4672 }
4673
4674 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4675 {
4676         int err;
4677         int perms;
4678
4679         switch(cmd) {
4680         case IPC_INFO:
4681         case MSG_INFO:
4682                 /* No specific object, just general system-wide information. */
4683                 return task_has_system(current, SYSTEM__IPC_INFO);
4684         case IPC_STAT:
4685         case MSG_STAT:
4686                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4687                 break;
4688         case IPC_SET:
4689                 perms = MSGQ__SETATTR;
4690                 break;
4691         case IPC_RMID:
4692                 perms = MSGQ__DESTROY;
4693                 break;
4694         default:
4695                 return 0;
4696         }
4697
4698         err = ipc_has_perm(&msq->q_perm, perms);
4699         return err;
4700 }
4701
4702 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4703 {
4704         struct task_security_struct *tsec;
4705         struct ipc_security_struct *isec;
4706         struct msg_security_struct *msec;
4707         struct avc_audit_data ad;
4708         int rc;
4709
4710         tsec = current->security;
4711         isec = msq->q_perm.security;
4712         msec = msg->security;
4713
4714         /*
4715          * First time through, need to assign label to the message
4716          */
4717         if (msec->sid == SECINITSID_UNLABELED) {
4718                 /*
4719                  * Compute new sid based on current process and
4720                  * message queue this message will be stored in
4721                  */
4722                 rc = security_transition_sid(tsec->sid,
4723                                              isec->sid,
4724                                              SECCLASS_MSG,
4725                                              &msec->sid);
4726                 if (rc)
4727                         return rc;
4728         }
4729
4730         AVC_AUDIT_DATA_INIT(&ad, IPC);
4731         ad.u.ipc_id = msq->q_perm.key;
4732
4733         /* Can this process write to the queue? */
4734         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4735                           MSGQ__WRITE, &ad);
4736         if (!rc)
4737                 /* Can this process send the message */
4738                 rc = avc_has_perm(tsec->sid, msec->sid,
4739                                   SECCLASS_MSG, MSG__SEND, &ad);
4740         if (!rc)
4741                 /* Can the message be put in the queue? */
4742                 rc = avc_has_perm(msec->sid, isec->sid,
4743                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4744
4745         return rc;
4746 }
4747
4748 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4749                                     struct task_struct *target,
4750                                     long type, int mode)
4751 {
4752         struct task_security_struct *tsec;
4753         struct ipc_security_struct *isec;
4754         struct msg_security_struct *msec;
4755         struct avc_audit_data ad;
4756         int rc;
4757
4758         tsec = target->security;
4759         isec = msq->q_perm.security;
4760         msec = msg->security;
4761
4762         AVC_AUDIT_DATA_INIT(&ad, IPC);
4763         ad.u.ipc_id = msq->q_perm.key;
4764
4765         rc = avc_has_perm(tsec->sid, isec->sid,
4766                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4767         if (!rc)
4768                 rc = avc_has_perm(tsec->sid, msec->sid,
4769                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4770         return rc;
4771 }
4772
4773 /* Shared Memory security operations */
4774 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4775 {
4776         struct task_security_struct *tsec;
4777         struct ipc_security_struct *isec;
4778         struct avc_audit_data ad;
4779         int rc;
4780
4781         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4782         if (rc)
4783                 return rc;
4784
4785         tsec = current->security;
4786         isec = shp->shm_perm.security;
4787
4788         AVC_AUDIT_DATA_INIT(&ad, IPC);
4789         ad.u.ipc_id = shp->shm_perm.key;
4790
4791         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4792                           SHM__CREATE, &ad);
4793         if (rc) {
4794                 ipc_free_security(&shp->shm_perm);
4795                 return rc;
4796         }
4797         return 0;
4798 }
4799
4800 static void selinux_shm_free_security(struct shmid_kernel *shp)
4801 {
4802         ipc_free_security(&shp->shm_perm);
4803 }
4804
4805 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4806 {
4807         struct task_security_struct *tsec;
4808         struct ipc_security_struct *isec;
4809         struct avc_audit_data ad;
4810
4811         tsec = current->security;
4812         isec = shp->shm_perm.security;
4813
4814         AVC_AUDIT_DATA_INIT(&ad, IPC);
4815         ad.u.ipc_id = shp->shm_perm.key;
4816
4817         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4818                             SHM__ASSOCIATE, &ad);
4819 }
4820
4821 /* Note, at this point, shp is locked down */
4822 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4823 {
4824         int perms;
4825         int err;
4826
4827         switch(cmd) {
4828         case IPC_INFO:
4829         case SHM_INFO:
4830                 /* No specific object, just general system-wide information. */
4831                 return task_has_system(current, SYSTEM__IPC_INFO);
4832         case IPC_STAT:
4833         case SHM_STAT:
4834                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4835                 break;
4836         case IPC_SET:
4837                 perms = SHM__SETATTR;
4838                 break;
4839         case SHM_LOCK:
4840         case SHM_UNLOCK:
4841                 perms = SHM__LOCK;
4842                 break;
4843         case IPC_RMID:
4844                 perms = SHM__DESTROY;
4845                 break;
4846         default:
4847                 return 0;
4848         }
4849
4850         err = ipc_has_perm(&shp->shm_perm, perms);
4851         return err;
4852 }
4853
4854 static int selinux_shm_shmat(struct shmid_kernel *shp,
4855                              char __user *shmaddr, int shmflg)
4856 {
4857         u32 perms;
4858         int rc;
4859
4860         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4861         if (rc)
4862                 return rc;
4863
4864         if (shmflg & SHM_RDONLY)
4865                 perms = SHM__READ;
4866         else
4867                 perms = SHM__READ | SHM__WRITE;
4868
4869         return ipc_has_perm(&shp->shm_perm, perms);
4870 }
4871
4872 /* Semaphore security operations */
4873 static int selinux_sem_alloc_security(struct sem_array *sma)
4874 {
4875         struct task_security_struct *tsec;
4876         struct ipc_security_struct *isec;
4877         struct avc_audit_data ad;
4878         int rc;
4879
4880         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4881         if (rc)
4882                 return rc;
4883
4884         tsec = current->security;
4885         isec = sma->sem_perm.security;
4886
4887         AVC_AUDIT_DATA_INIT(&ad, IPC);
4888         ad.u.ipc_id = sma->sem_perm.key;
4889
4890         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4891                           SEM__CREATE, &ad);
4892         if (rc) {
4893                 ipc_free_security(&sma->sem_perm);
4894                 return rc;
4895         }
4896         return 0;
4897 }
4898
4899 static void selinux_sem_free_security(struct sem_array *sma)
4900 {
4901         ipc_free_security(&sma->sem_perm);
4902 }
4903
4904 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4905 {
4906         struct task_security_struct *tsec;
4907         struct ipc_security_struct *isec;
4908         struct avc_audit_data ad;
4909
4910         tsec = current->security;
4911         isec = sma->sem_perm.security;
4912
4913         AVC_AUDIT_DATA_INIT(&ad, IPC);
4914         ad.u.ipc_id = sma->sem_perm.key;
4915
4916         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4917                             SEM__ASSOCIATE, &ad);
4918 }
4919
4920 /* Note, at this point, sma is locked down */
4921 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4922 {
4923         int err;
4924         u32 perms;
4925
4926         switch(cmd) {
4927         case IPC_INFO:
4928         case SEM_INFO:
4929                 /* No specific object, just general system-wide information. */
4930                 return task_has_system(current, SYSTEM__IPC_INFO);
4931         case GETPID:
4932         case GETNCNT:
4933         case GETZCNT:
4934                 perms = SEM__GETATTR;
4935                 break;
4936         case GETVAL:
4937         case GETALL:
4938                 perms = SEM__READ;
4939                 break;
4940         case SETVAL:
4941         case SETALL:
4942                 perms = SEM__WRITE;
4943                 break;
4944         case IPC_RMID:
4945                 perms = SEM__DESTROY;
4946                 break;
4947         case IPC_SET:
4948                 perms = SEM__SETATTR;
4949                 break;
4950         case IPC_STAT:
4951         case SEM_STAT:
4952                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4953                 break;
4954         default:
4955                 return 0;
4956         }
4957
4958         err = ipc_has_perm(&sma->sem_perm, perms);
4959         return err;
4960 }
4961
4962 static int selinux_sem_semop(struct sem_array *sma,
4963                              struct sembuf *sops, unsigned nsops, int alter)
4964 {
4965         u32 perms;
4966
4967         if (alter)
4968                 perms = SEM__READ | SEM__WRITE;
4969         else
4970                 perms = SEM__READ;
4971
4972         return ipc_has_perm(&sma->sem_perm, perms);
4973 }
4974
4975 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4976 {
4977         u32 av = 0;
4978
4979         av = 0;
4980         if (flag & S_IRUGO)
4981                 av |= IPC__UNIX_READ;
4982         if (flag & S_IWUGO)
4983                 av |= IPC__UNIX_WRITE;
4984
4985         if (av == 0)
4986                 return 0;
4987
4988         return ipc_has_perm(ipcp, av);
4989 }
4990
4991 /* module stacking operations */
4992 static int selinux_register_security (const char *name, struct security_operations *ops)
4993 {
4994         if (secondary_ops != original_ops) {
4995                 printk(KERN_ERR "%s:  There is already a secondary security "
4996                        "module registered.\n", __FUNCTION__);
4997                 return -EINVAL;
4998         }
4999
5000         secondary_ops = ops;
5001
5002         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5003                __FUNCTION__,
5004                name);
5005
5006         return 0;
5007 }
5008
5009 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5010 {
5011         if (inode)
5012                 inode_doinit_with_dentry(inode, dentry);
5013 }
5014
5015 static int selinux_getprocattr(struct task_struct *p,
5016                                char *name, char **value)
5017 {
5018         struct task_security_struct *tsec;
5019         u32 sid;
5020         int error;
5021         unsigned len;
5022
5023         if (current != p) {
5024                 error = task_has_perm(current, p, PROCESS__GETATTR);
5025                 if (error)
5026                         return error;
5027         }
5028
5029         tsec = p->security;
5030
5031         if (!strcmp(name, "current"))
5032                 sid = tsec->sid;
5033         else if (!strcmp(name, "prev"))
5034                 sid = tsec->osid;
5035         else if (!strcmp(name, "exec"))
5036                 sid = tsec->exec_sid;
5037         else if (!strcmp(name, "fscreate"))
5038                 sid = tsec->create_sid;
5039         else if (!strcmp(name, "keycreate"))
5040                 sid = tsec->keycreate_sid;
5041         else if (!strcmp(name, "sockcreate"))
5042                 sid = tsec->sockcreate_sid;
5043         else
5044                 return -EINVAL;
5045
5046         if (!sid)
5047                 return 0;
5048
5049         error = security_sid_to_context(sid, value, &len);
5050         if (error)
5051                 return error;
5052         return len;
5053 }
5054
5055 static int selinux_setprocattr(struct task_struct *p,
5056                                char *name, void *value, size_t size)
5057 {
5058         struct task_security_struct *tsec;
5059         u32 sid = 0;
5060         int error;
5061         char *str = value;
5062
5063         if (current != p) {
5064                 /* SELinux only allows a process to change its own
5065                    security attributes. */
5066                 return -EACCES;
5067         }
5068
5069         /*
5070          * Basic control over ability to set these attributes at all.
5071          * current == p, but we'll pass them separately in case the
5072          * above restriction is ever removed.
5073          */
5074         if (!strcmp(name, "exec"))
5075                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5076         else if (!strcmp(name, "fscreate"))
5077                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5078         else if (!strcmp(name, "keycreate"))
5079                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5080         else if (!strcmp(name, "sockcreate"))
5081                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5082         else if (!strcmp(name, "current"))
5083                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5084         else
5085                 error = -EINVAL;
5086         if (error)
5087                 return error;
5088
5089         /* Obtain a SID for the context, if one was specified. */
5090         if (size && str[1] && str[1] != '\n') {
5091                 if (str[size-1] == '\n') {
5092                         str[size-1] = 0;
5093                         size--;
5094                 }
5095                 error = security_context_to_sid(value, size, &sid);
5096                 if (error)
5097                         return error;
5098         }
5099
5100         /* Permission checking based on the specified context is
5101            performed during the actual operation (execve,
5102            open/mkdir/...), when we know the full context of the
5103            operation.  See selinux_bprm_set_security for the execve
5104            checks and may_create for the file creation checks. The
5105            operation will then fail if the context is not permitted. */
5106         tsec = p->security;
5107         if (!strcmp(name, "exec"))
5108                 tsec->exec_sid = sid;
5109         else if (!strcmp(name, "fscreate"))
5110                 tsec->create_sid = sid;
5111         else if (!strcmp(name, "keycreate")) {
5112                 error = may_create_key(sid, p);
5113                 if (error)
5114                         return error;
5115                 tsec->keycreate_sid = sid;
5116         } else if (!strcmp(name, "sockcreate"))
5117                 tsec->sockcreate_sid = sid;
5118         else if (!strcmp(name, "current")) {
5119                 struct av_decision avd;
5120
5121                 if (sid == 0)
5122                         return -EINVAL;
5123
5124                 /* Only allow single threaded processes to change context */
5125                 if (atomic_read(&p->mm->mm_users) != 1) {
5126                         struct task_struct *g, *t;
5127                         struct mm_struct *mm = p->mm;
5128                         read_lock(&tasklist_lock);
5129                         do_each_thread(g, t)
5130                                 if (t->mm == mm && t != p) {
5131                                         read_unlock(&tasklist_lock);
5132                                         return -EPERM;
5133                                 }
5134                         while_each_thread(g, t);
5135                         read_unlock(&tasklist_lock);
5136                 }
5137
5138                 /* Check permissions for the transition. */
5139                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5140                                      PROCESS__DYNTRANSITION, NULL);
5141                 if (error)
5142                         return error;
5143
5144                 /* Check for ptracing, and update the task SID if ok.
5145                    Otherwise, leave SID unchanged and fail. */
5146                 task_lock(p);
5147                 if (p->ptrace & PT_PTRACED) {
5148                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5149                                                      SECCLASS_PROCESS,
5150                                                      PROCESS__PTRACE, 0, &avd);
5151                         if (!error)
5152                                 tsec->sid = sid;
5153                         task_unlock(p);
5154                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5155                                   PROCESS__PTRACE, &avd, error, NULL);
5156                         if (error)
5157                                 return error;
5158                 } else {
5159                         tsec->sid = sid;
5160                         task_unlock(p);
5161                 }
5162         }
5163         else
5164                 return -EINVAL;
5165
5166         return size;
5167 }
5168
5169 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5170 {
5171         return security_sid_to_context(secid, secdata, seclen);
5172 }
5173
5174 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5175 {
5176         return security_context_to_sid(secdata, seclen, secid);
5177 }
5178
5179 static void selinux_release_secctx(char *secdata, u32 seclen)
5180 {
5181         kfree(secdata);
5182 }
5183
5184 #ifdef CONFIG_KEYS
5185
5186 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5187                              unsigned long flags)
5188 {
5189         struct task_security_struct *tsec = tsk->security;
5190         struct key_security_struct *ksec;
5191
5192         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5193         if (!ksec)
5194                 return -ENOMEM;
5195
5196         ksec->obj = k;
5197         if (tsec->keycreate_sid)
5198                 ksec->sid = tsec->keycreate_sid;
5199         else
5200                 ksec->sid = tsec->sid;
5201         k->security = ksec;
5202
5203         return 0;
5204 }
5205
5206 static void selinux_key_free(struct key *k)
5207 {
5208         struct key_security_struct *ksec = k->security;
5209
5210         k->security = NULL;
5211         kfree(ksec);
5212 }
5213
5214 static int selinux_key_permission(key_ref_t key_ref,
5215                             struct task_struct *ctx,
5216                             key_perm_t perm)
5217 {
5218         struct key *key;
5219         struct task_security_struct *tsec;
5220         struct key_security_struct *ksec;
5221
5222         key = key_ref_to_ptr(key_ref);
5223
5224         tsec = ctx->security;
5225         ksec = key->security;
5226
5227         /* if no specific permissions are requested, we skip the
5228            permission check. No serious, additional covert channels
5229            appear to be created. */
5230         if (perm == 0)
5231                 return 0;
5232
5233         return avc_has_perm(tsec->sid, ksec->sid,
5234                             SECCLASS_KEY, perm, NULL);
5235 }
5236
5237 #endif
5238
5239 static struct security_operations selinux_ops = {
5240         .ptrace =                       selinux_ptrace,
5241         .capget =                       selinux_capget,
5242         .capset_check =                 selinux_capset_check,
5243         .capset_set =                   selinux_capset_set,
5244         .sysctl =                       selinux_sysctl,
5245         .capable =                      selinux_capable,
5246         .quotactl =                     selinux_quotactl,
5247         .quota_on =                     selinux_quota_on,
5248         .syslog =                       selinux_syslog,
5249         .vm_enough_memory =             selinux_vm_enough_memory,
5250
5251         .netlink_send =                 selinux_netlink_send,
5252         .netlink_recv =                 selinux_netlink_recv,
5253
5254         .bprm_alloc_security =          selinux_bprm_alloc_security,
5255         .bprm_free_security =           selinux_bprm_free_security,
5256         .bprm_apply_creds =             selinux_bprm_apply_creds,
5257         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5258         .bprm_set_security =            selinux_bprm_set_security,
5259         .bprm_check_security =          selinux_bprm_check_security,
5260         .bprm_secureexec =              selinux_bprm_secureexec,
5261
5262         .sb_alloc_security =            selinux_sb_alloc_security,
5263         .sb_free_security =             selinux_sb_free_security,
5264         .sb_copy_data =                 selinux_sb_copy_data,
5265         .sb_kern_mount =                selinux_sb_kern_mount,
5266         .sb_statfs =                    selinux_sb_statfs,
5267         .sb_mount =                     selinux_mount,
5268         .sb_umount =                    selinux_umount,
5269         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5270         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5271         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5272         .sb_parse_opts_str =            selinux_parse_opts_str,
5273
5274
5275         .inode_alloc_security =         selinux_inode_alloc_security,
5276         .inode_free_security =          selinux_inode_free_security,
5277         .inode_init_security =          selinux_inode_init_security,
5278         .inode_create =                 selinux_inode_create,
5279         .inode_link =                   selinux_inode_link,
5280         .inode_unlink =                 selinux_inode_unlink,
5281         .inode_symlink =                selinux_inode_symlink,
5282         .inode_mkdir =                  selinux_inode_mkdir,
5283         .inode_rmdir =                  selinux_inode_rmdir,
5284         .inode_mknod =                  selinux_inode_mknod,
5285         .inode_rename =                 selinux_inode_rename,
5286         .inode_readlink =               selinux_inode_readlink,
5287         .inode_follow_link =            selinux_inode_follow_link,
5288         .inode_permission =             selinux_inode_permission,
5289         .inode_setattr =                selinux_inode_setattr,
5290         .inode_getattr =                selinux_inode_getattr,
5291         .inode_setxattr =               selinux_inode_setxattr,
5292         .inode_post_setxattr =          selinux_inode_post_setxattr,
5293         .inode_getxattr =               selinux_inode_getxattr,
5294         .inode_listxattr =              selinux_inode_listxattr,
5295         .inode_removexattr =            selinux_inode_removexattr,
5296         .inode_getsecurity =            selinux_inode_getsecurity,
5297         .inode_setsecurity =            selinux_inode_setsecurity,
5298         .inode_listsecurity =           selinux_inode_listsecurity,
5299         .inode_need_killpriv =          selinux_inode_need_killpriv,
5300         .inode_killpriv =               selinux_inode_killpriv,
5301
5302         .file_permission =              selinux_file_permission,
5303         .file_alloc_security =          selinux_file_alloc_security,
5304         .file_free_security =           selinux_file_free_security,
5305         .file_ioctl =                   selinux_file_ioctl,
5306         .file_mmap =                    selinux_file_mmap,
5307         .file_mprotect =                selinux_file_mprotect,
5308         .file_lock =                    selinux_file_lock,
5309         .file_fcntl =                   selinux_file_fcntl,
5310         .file_set_fowner =              selinux_file_set_fowner,
5311         .file_send_sigiotask =          selinux_file_send_sigiotask,
5312         .file_receive =                 selinux_file_receive,
5313
5314         .dentry_open =                  selinux_dentry_open,
5315
5316         .task_create =                  selinux_task_create,
5317         .task_alloc_security =          selinux_task_alloc_security,
5318         .task_free_security =           selinux_task_free_security,
5319         .task_setuid =                  selinux_task_setuid,
5320         .task_post_setuid =             selinux_task_post_setuid,
5321         .task_setgid =                  selinux_task_setgid,
5322         .task_setpgid =                 selinux_task_setpgid,
5323         .task_getpgid =                 selinux_task_getpgid,
5324         .task_getsid =                  selinux_task_getsid,
5325         .task_getsecid =                selinux_task_getsecid,
5326         .task_setgroups =               selinux_task_setgroups,
5327         .task_setnice =                 selinux_task_setnice,
5328         .task_setioprio =               selinux_task_setioprio,
5329         .task_getioprio =               selinux_task_getioprio,
5330         .task_setrlimit =               selinux_task_setrlimit,
5331         .task_setscheduler =            selinux_task_setscheduler,
5332         .task_getscheduler =            selinux_task_getscheduler,
5333         .task_movememory =              selinux_task_movememory,
5334         .task_kill =                    selinux_task_kill,
5335         .task_wait =                    selinux_task_wait,
5336         .task_prctl =                   selinux_task_prctl,
5337         .task_reparent_to_init =        selinux_task_reparent_to_init,
5338         .task_to_inode =                selinux_task_to_inode,
5339
5340         .ipc_permission =               selinux_ipc_permission,
5341
5342         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5343         .msg_msg_free_security =        selinux_msg_msg_free_security,
5344
5345         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5346         .msg_queue_free_security =      selinux_msg_queue_free_security,
5347         .msg_queue_associate =          selinux_msg_queue_associate,
5348         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5349         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5350         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5351
5352         .shm_alloc_security =           selinux_shm_alloc_security,
5353         .shm_free_security =            selinux_shm_free_security,
5354         .shm_associate =                selinux_shm_associate,
5355         .shm_shmctl =                   selinux_shm_shmctl,
5356         .shm_shmat =                    selinux_shm_shmat,
5357
5358         .sem_alloc_security =           selinux_sem_alloc_security,
5359         .sem_free_security =            selinux_sem_free_security,
5360         .sem_associate =                selinux_sem_associate,
5361         .sem_semctl =                   selinux_sem_semctl,
5362         .sem_semop =                    selinux_sem_semop,
5363
5364         .register_security =            selinux_register_security,
5365
5366         .d_instantiate =                selinux_d_instantiate,
5367
5368         .getprocattr =                  selinux_getprocattr,
5369         .setprocattr =                  selinux_setprocattr,
5370
5371         .secid_to_secctx =              selinux_secid_to_secctx,
5372         .secctx_to_secid =              selinux_secctx_to_secid,
5373         .release_secctx =               selinux_release_secctx,
5374
5375         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5376         .unix_may_send =                selinux_socket_unix_may_send,
5377
5378         .socket_create =                selinux_socket_create,
5379         .socket_post_create =           selinux_socket_post_create,
5380         .socket_bind =                  selinux_socket_bind,
5381         .socket_connect =               selinux_socket_connect,
5382         .socket_listen =                selinux_socket_listen,
5383         .socket_accept =                selinux_socket_accept,
5384         .socket_sendmsg =               selinux_socket_sendmsg,
5385         .socket_recvmsg =               selinux_socket_recvmsg,
5386         .socket_getsockname =           selinux_socket_getsockname,
5387         .socket_getpeername =           selinux_socket_getpeername,
5388         .socket_getsockopt =            selinux_socket_getsockopt,
5389         .socket_setsockopt =            selinux_socket_setsockopt,
5390         .socket_shutdown =              selinux_socket_shutdown,
5391         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5392         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5393         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5394         .sk_alloc_security =            selinux_sk_alloc_security,
5395         .sk_free_security =             selinux_sk_free_security,
5396         .sk_clone_security =            selinux_sk_clone_security,
5397         .sk_getsecid =                  selinux_sk_getsecid,
5398         .sock_graft =                   selinux_sock_graft,
5399         .inet_conn_request =            selinux_inet_conn_request,
5400         .inet_csk_clone =               selinux_inet_csk_clone,
5401         .inet_conn_established =        selinux_inet_conn_established,
5402         .req_classify_flow =            selinux_req_classify_flow,
5403
5404 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5405         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5406         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5407         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5408         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5409         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5410         .xfrm_state_free_security =     selinux_xfrm_state_free,
5411         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5412         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5413         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5414         .xfrm_decode_session =          selinux_xfrm_decode_session,
5415 #endif
5416
5417 #ifdef CONFIG_KEYS
5418         .key_alloc =                    selinux_key_alloc,
5419         .key_free =                     selinux_key_free,
5420         .key_permission =               selinux_key_permission,
5421 #endif
5422 };
5423
5424 static __init int selinux_init(void)
5425 {
5426         struct task_security_struct *tsec;
5427
5428         if (!selinux_enabled) {
5429                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5430                 return 0;
5431         }
5432
5433         printk(KERN_INFO "SELinux:  Initializing.\n");
5434
5435         /* Set the security state for the initial task. */
5436         if (task_alloc_security(current))
5437                 panic("SELinux:  Failed to initialize initial task.\n");
5438         tsec = current->security;
5439         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5440
5441         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5442                                             sizeof(struct inode_security_struct),
5443                                             0, SLAB_PANIC, NULL);
5444         avc_init();
5445
5446         original_ops = secondary_ops = security_ops;
5447         if (!secondary_ops)
5448                 panic ("SELinux: No initial security operations\n");
5449         if (register_security (&selinux_ops))
5450                 panic("SELinux: Unable to register with kernel.\n");
5451
5452         if (selinux_enforcing) {
5453                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5454         } else {
5455                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5456         }
5457
5458 #ifdef CONFIG_KEYS
5459         /* Add security information to initial keyrings */
5460         selinux_key_alloc(&root_user_keyring, current,
5461                           KEY_ALLOC_NOT_IN_QUOTA);
5462         selinux_key_alloc(&root_session_keyring, current,
5463                           KEY_ALLOC_NOT_IN_QUOTA);
5464 #endif
5465
5466         return 0;
5467 }
5468
5469 void selinux_complete_init(void)
5470 {
5471         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5472
5473         /* Set up any superblocks initialized prior to the policy load. */
5474         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5475         spin_lock(&sb_lock);
5476         spin_lock(&sb_security_lock);
5477 next_sb:
5478         if (!list_empty(&superblock_security_head)) {
5479                 struct superblock_security_struct *sbsec =
5480                                 list_entry(superblock_security_head.next,
5481                                            struct superblock_security_struct,
5482                                            list);
5483                 struct super_block *sb = sbsec->sb;
5484                 sb->s_count++;
5485                 spin_unlock(&sb_security_lock);
5486                 spin_unlock(&sb_lock);
5487                 down_read(&sb->s_umount);
5488                 if (sb->s_root)
5489                         superblock_doinit(sb, NULL);
5490                 drop_super(sb);
5491                 spin_lock(&sb_lock);
5492                 spin_lock(&sb_security_lock);
5493                 list_del_init(&sbsec->list);
5494                 goto next_sb;
5495         }
5496         spin_unlock(&sb_security_lock);
5497         spin_unlock(&sb_lock);
5498 }
5499
5500 /* SELinux requires early initialization in order to label
5501    all processes and objects when they are created. */
5502 security_initcall(selinux_init);
5503
5504 #if defined(CONFIG_NETFILTER)
5505
5506 static struct nf_hook_ops selinux_ipv4_ops[] = {
5507         {
5508                 .hook =         selinux_ipv4_postroute,
5509                 .owner =        THIS_MODULE,
5510                 .pf =           PF_INET,
5511                 .hooknum =      NF_INET_POST_ROUTING,
5512                 .priority =     NF_IP_PRI_SELINUX_LAST,
5513         },
5514         {
5515                 .hook =         selinux_ipv4_forward,
5516                 .owner =        THIS_MODULE,
5517                 .pf =           PF_INET,
5518                 .hooknum =      NF_INET_FORWARD,
5519                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5520         }
5521 };
5522
5523 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5524
5525 static struct nf_hook_ops selinux_ipv6_ops[] = {
5526         {
5527                 .hook =         selinux_ipv6_postroute,
5528                 .owner =        THIS_MODULE,
5529                 .pf =           PF_INET6,
5530                 .hooknum =      NF_INET_POST_ROUTING,
5531                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5532         },
5533         {
5534                 .hook =         selinux_ipv6_forward,
5535                 .owner =        THIS_MODULE,
5536                 .pf =           PF_INET6,
5537                 .hooknum =      NF_INET_FORWARD,
5538                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5539         }
5540 };
5541
5542 #endif  /* IPV6 */
5543
5544 static int __init selinux_nf_ip_init(void)
5545 {
5546         int err = 0;
5547         u32 iter;
5548
5549         if (!selinux_enabled)
5550                 goto out;
5551
5552         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5553
5554         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5555                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5556                 if (err)
5557                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5558                               err);
5559         }
5560
5561 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5562         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5563                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5564                 if (err)
5565                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5566                               err);
5567         }
5568 #endif  /* IPV6 */
5569
5570 out:
5571         return err;
5572 }
5573
5574 __initcall(selinux_nf_ip_init);
5575
5576 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5577 static void selinux_nf_ip_exit(void)
5578 {
5579         u32 iter;
5580
5581         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5582
5583         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5584                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5585 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5586         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5587                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5588 #endif  /* IPV6 */
5589 }
5590 #endif
5591
5592 #else /* CONFIG_NETFILTER */
5593
5594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5595 #define selinux_nf_ip_exit()
5596 #endif
5597
5598 #endif /* CONFIG_NETFILTER */
5599
5600 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5601 int selinux_disable(void)
5602 {
5603         extern void exit_sel_fs(void);
5604         static int selinux_disabled = 0;
5605
5606         if (ss_initialized) {
5607                 /* Not permitted after initial policy load. */
5608                 return -EINVAL;
5609         }
5610
5611         if (selinux_disabled) {
5612                 /* Only do this once. */
5613                 return -EINVAL;
5614         }
5615
5616         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5617
5618         selinux_disabled = 1;
5619         selinux_enabled = 0;
5620
5621         /* Reset security_ops to the secondary module, dummy or capability. */
5622         security_ops = secondary_ops;
5623
5624         /* Unregister netfilter hooks. */
5625         selinux_nf_ip_exit();
5626
5627         /* Unregister selinuxfs. */
5628         exit_sel_fs();
5629
5630         return 0;
5631 }
5632 #endif
5633
5634