LSM/SELinux: show LSM mount options in /proc/mounts
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/ptrace.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 /* Original (dummy) security module. */
130 static struct security_operations *original_ops;
131
132 /* Minimal support for a secondary security module,
133    just to allow the use of the dummy or capability modules.
134    The owlsm module can alternatively be used as a secondary
135    module as long as CONFIG_OWLSM_FD is not enabled. */
136 static struct security_operations *secondary_ops;
137
138 /* Lists of inode and superblock security structures initialized
139    before the policy was loaded. */
140 static LIST_HEAD(superblock_security_head);
141 static DEFINE_SPINLOCK(sb_security_lock);
142
143 static struct kmem_cache *sel_inode_cache;
144
145 /**
146  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
147  *
148  * Description:
149  * This function checks the SECMARK reference counter to see if any SECMARK
150  * targets are currently configured, if the reference counter is greater than
151  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
152  * enabled, false (0) if SECMARK is disabled.
153  *
154  */
155 static int selinux_secmark_enabled(void)
156 {
157         return (atomic_read(&selinux_secmark_refcount) > 0);
158 }
159
160 /* Allocate and free functions for each kind of security blob. */
161
162 static int task_alloc_security(struct task_struct *task)
163 {
164         struct task_security_struct *tsec;
165
166         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
167         if (!tsec)
168                 return -ENOMEM;
169
170         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
171         task->security = tsec;
172
173         return 0;
174 }
175
176 static void task_free_security(struct task_struct *task)
177 {
178         struct task_security_struct *tsec = task->security;
179         task->security = NULL;
180         kfree(tsec);
181 }
182
183 static int inode_alloc_security(struct inode *inode)
184 {
185         struct task_security_struct *tsec = current->security;
186         struct inode_security_struct *isec;
187
188         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
189         if (!isec)
190                 return -ENOMEM;
191
192         mutex_init(&isec->lock);
193         INIT_LIST_HEAD(&isec->list);
194         isec->inode = inode;
195         isec->sid = SECINITSID_UNLABELED;
196         isec->sclass = SECCLASS_FILE;
197         isec->task_sid = tsec->sid;
198         inode->i_security = isec;
199
200         return 0;
201 }
202
203 static void inode_free_security(struct inode *inode)
204 {
205         struct inode_security_struct *isec = inode->i_security;
206         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
207
208         spin_lock(&sbsec->isec_lock);
209         if (!list_empty(&isec->list))
210                 list_del_init(&isec->list);
211         spin_unlock(&sbsec->isec_lock);
212
213         inode->i_security = NULL;
214         kmem_cache_free(sel_inode_cache, isec);
215 }
216
217 static int file_alloc_security(struct file *file)
218 {
219         struct task_security_struct *tsec = current->security;
220         struct file_security_struct *fsec;
221
222         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
223         if (!fsec)
224                 return -ENOMEM;
225
226         fsec->sid = tsec->sid;
227         fsec->fown_sid = tsec->sid;
228         file->f_security = fsec;
229
230         return 0;
231 }
232
233 static void file_free_security(struct file *file)
234 {
235         struct file_security_struct *fsec = file->f_security;
236         file->f_security = NULL;
237         kfree(fsec);
238 }
239
240 static int superblock_alloc_security(struct super_block *sb)
241 {
242         struct superblock_security_struct *sbsec;
243
244         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
245         if (!sbsec)
246                 return -ENOMEM;
247
248         mutex_init(&sbsec->lock);
249         INIT_LIST_HEAD(&sbsec->list);
250         INIT_LIST_HEAD(&sbsec->isec_head);
251         spin_lock_init(&sbsec->isec_lock);
252         sbsec->sb = sb;
253         sbsec->sid = SECINITSID_UNLABELED;
254         sbsec->def_sid = SECINITSID_FILE;
255         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
256         sb->s_security = sbsec;
257
258         return 0;
259 }
260
261 static void superblock_free_security(struct super_block *sb)
262 {
263         struct superblock_security_struct *sbsec = sb->s_security;
264
265         spin_lock(&sb_security_lock);
266         if (!list_empty(&sbsec->list))
267                 list_del_init(&sbsec->list);
268         spin_unlock(&sb_security_lock);
269
270         sb->s_security = NULL;
271         kfree(sbsec);
272 }
273
274 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
275 {
276         struct sk_security_struct *ssec;
277
278         ssec = kzalloc(sizeof(*ssec), priority);
279         if (!ssec)
280                 return -ENOMEM;
281
282         ssec->peer_sid = SECINITSID_UNLABELED;
283         ssec->sid = SECINITSID_UNLABELED;
284         sk->sk_security = ssec;
285
286         selinux_netlbl_sk_security_reset(ssec, family);
287
288         return 0;
289 }
290
291 static void sk_free_security(struct sock *sk)
292 {
293         struct sk_security_struct *ssec = sk->sk_security;
294
295         sk->sk_security = NULL;
296         kfree(ssec);
297 }
298
299 /* The security server must be initialized before
300    any labeling or access decisions can be provided. */
301 extern int ss_initialized;
302
303 /* The file system's label must be initialized prior to use. */
304
305 static char *labeling_behaviors[6] = {
306         "uses xattr",
307         "uses transition SIDs",
308         "uses task SIDs",
309         "uses genfs_contexts",
310         "not configured for labeling",
311         "uses mountpoint labeling",
312 };
313
314 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
315
316 static inline int inode_doinit(struct inode *inode)
317 {
318         return inode_doinit_with_dentry(inode, NULL);
319 }
320
321 enum {
322         Opt_error = -1,
323         Opt_context = 1,
324         Opt_fscontext = 2,
325         Opt_defcontext = 3,
326         Opt_rootcontext = 4,
327 };
328
329 static match_table_t tokens = {
330         {Opt_context, CONTEXT_STR "%s"},
331         {Opt_fscontext, FSCONTEXT_STR "%s"},
332         {Opt_defcontext, DEFCONTEXT_STR "%s"},
333         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
334         {Opt_error, NULL},
335 };
336
337 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
338
339 static int may_context_mount_sb_relabel(u32 sid,
340                         struct superblock_security_struct *sbsec,
341                         struct task_security_struct *tsec)
342 {
343         int rc;
344
345         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELFROM, NULL);
347         if (rc)
348                 return rc;
349
350         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
351                           FILESYSTEM__RELABELTO, NULL);
352         return rc;
353 }
354
355 static int may_context_mount_inode_relabel(u32 sid,
356                         struct superblock_security_struct *sbsec,
357                         struct task_security_struct *tsec)
358 {
359         int rc;
360         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
361                           FILESYSTEM__RELABELFROM, NULL);
362         if (rc)
363                 return rc;
364
365         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
366                           FILESYSTEM__ASSOCIATE, NULL);
367         return rc;
368 }
369
370 static int sb_finish_set_opts(struct super_block *sb)
371 {
372         struct superblock_security_struct *sbsec = sb->s_security;
373         struct dentry *root = sb->s_root;
374         struct inode *root_inode = root->d_inode;
375         int rc = 0;
376
377         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
378                 /* Make sure that the xattr handler exists and that no
379                    error other than -ENODATA is returned by getxattr on
380                    the root directory.  -ENODATA is ok, as this may be
381                    the first boot of the SELinux kernel before we have
382                    assigned xattr values to the filesystem. */
383                 if (!root_inode->i_op->getxattr) {
384                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
385                                "xattr support\n", sb->s_id, sb->s_type->name);
386                         rc = -EOPNOTSUPP;
387                         goto out;
388                 }
389                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
390                 if (rc < 0 && rc != -ENODATA) {
391                         if (rc == -EOPNOTSUPP)
392                                 printk(KERN_WARNING "SELinux: (dev %s, type "
393                                        "%s) has no security xattr handler\n",
394                                        sb->s_id, sb->s_type->name);
395                         else
396                                 printk(KERN_WARNING "SELinux: (dev %s, type "
397                                        "%s) getxattr errno %d\n", sb->s_id,
398                                        sb->s_type->name, -rc);
399                         goto out;
400                 }
401         }
402
403         sbsec->initialized = 1;
404
405         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
406                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
407                        sb->s_id, sb->s_type->name);
408         else
409                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
410                        sb->s_id, sb->s_type->name,
411                        labeling_behaviors[sbsec->behavior-1]);
412
413         /* Initialize the root inode. */
414         rc = inode_doinit_with_dentry(root_inode, root);
415
416         /* Initialize any other inodes associated with the superblock, e.g.
417            inodes created prior to initial policy load or inodes created
418            during get_sb by a pseudo filesystem that directly
419            populates itself. */
420         spin_lock(&sbsec->isec_lock);
421 next_inode:
422         if (!list_empty(&sbsec->isec_head)) {
423                 struct inode_security_struct *isec =
424                                 list_entry(sbsec->isec_head.next,
425                                            struct inode_security_struct, list);
426                 struct inode *inode = isec->inode;
427                 spin_unlock(&sbsec->isec_lock);
428                 inode = igrab(inode);
429                 if (inode) {
430                         if (!IS_PRIVATE(inode))
431                                 inode_doinit(inode);
432                         iput(inode);
433                 }
434                 spin_lock(&sbsec->isec_lock);
435                 list_del_init(&isec->list);
436                 goto next_inode;
437         }
438         spin_unlock(&sbsec->isec_lock);
439 out:
440         return rc;
441 }
442
443 /*
444  * This function should allow an FS to ask what it's mount security
445  * options were so it can use those later for submounts, displaying
446  * mount options, or whatever.
447  */
448 static int selinux_get_mnt_opts(const struct super_block *sb,
449                                 struct security_mnt_opts *opts)
450 {
451         int rc = 0, i;
452         struct superblock_security_struct *sbsec = sb->s_security;
453         char *context = NULL;
454         u32 len;
455         char tmp;
456
457         security_init_mnt_opts(opts);
458
459         if (!sbsec->initialized)
460                 return -EINVAL;
461
462         if (!ss_initialized)
463                 return -EINVAL;
464
465         /*
466          * if we ever use sbsec flags for anything other than tracking mount
467          * settings this is going to need a mask
468          */
469         tmp = sbsec->flags;
470         /* count the number of mount options for this sb */
471         for (i = 0; i < 8; i++) {
472                 if (tmp & 0x01)
473                         opts->num_mnt_opts++;
474                 tmp >>= 1;
475         }
476
477         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
478         if (!opts->mnt_opts) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
484         if (!opts->mnt_opts_flags) {
485                 rc = -ENOMEM;
486                 goto out_free;
487         }
488
489         i = 0;
490         if (sbsec->flags & FSCONTEXT_MNT) {
491                 rc = security_sid_to_context(sbsec->sid, &context, &len);
492                 if (rc)
493                         goto out_free;
494                 opts->mnt_opts[i] = context;
495                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
496         }
497         if (sbsec->flags & CONTEXT_MNT) {
498                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
499                 if (rc)
500                         goto out_free;
501                 opts->mnt_opts[i] = context;
502                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
503         }
504         if (sbsec->flags & DEFCONTEXT_MNT) {
505                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
506                 if (rc)
507                         goto out_free;
508                 opts->mnt_opts[i] = context;
509                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
510         }
511         if (sbsec->flags & ROOTCONTEXT_MNT) {
512                 struct inode *root = sbsec->sb->s_root->d_inode;
513                 struct inode_security_struct *isec = root->i_security;
514
515                 rc = security_sid_to_context(isec->sid, &context, &len);
516                 if (rc)
517                         goto out_free;
518                 opts->mnt_opts[i] = context;
519                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
520         }
521
522         BUG_ON(i != opts->num_mnt_opts);
523
524         return 0;
525
526 out_free:
527         security_free_mnt_opts(opts);
528         return rc;
529 }
530
531 static int bad_option(struct superblock_security_struct *sbsec, char flag,
532                       u32 old_sid, u32 new_sid)
533 {
534         /* check if the old mount command had the same options */
535         if (sbsec->initialized)
536                 if (!(sbsec->flags & flag) ||
537                     (old_sid != new_sid))
538                         return 1;
539
540         /* check if we were passed the same options twice,
541          * aka someone passed context=a,context=b
542          */
543         if (!sbsec->initialized)
544                 if (sbsec->flags & flag)
545                         return 1;
546         return 0;
547 }
548
549 /*
550  * Allow filesystems with binary mount data to explicitly set mount point
551  * labeling information.
552  */
553 static int selinux_set_mnt_opts(struct super_block *sb,
554                                 struct security_mnt_opts *opts)
555 {
556         int rc = 0, i;
557         struct task_security_struct *tsec = current->security;
558         struct superblock_security_struct *sbsec = sb->s_security;
559         const char *name = sb->s_type->name;
560         struct dentry *root = sb->s_root;
561         struct inode *root_inode = root->d_inode;
562         struct inode_security_struct *root_isec = root_inode->i_security;
563         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564         u32 defcontext_sid = 0;
565         char **mount_options = opts->mnt_opts;
566         int *flags = opts->mnt_opts_flags;
567         int num_opts = opts->num_mnt_opts;
568         bool can_xattr = false;
569
570         mutex_lock(&sbsec->lock);
571
572         if (!ss_initialized) {
573                 if (!num_opts) {
574                         /* Defer initialization until selinux_complete_init,
575                            after the initial policy is loaded and the security
576                            server is ready to handle calls. */
577                         spin_lock(&sb_security_lock);
578                         if (list_empty(&sbsec->list))
579                                 list_add(&sbsec->list, &superblock_security_head);
580                         spin_unlock(&sb_security_lock);
581                         goto out;
582                 }
583                 rc = -EINVAL;
584                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
585                         "before the security server is initialized\n");
586                 goto out;
587         }
588
589         /*
590          * Binary mount data FS will come through this function twice.  Once
591          * from an explicit call and once from the generic calls from the vfs.
592          * Since the generic VFS calls will not contain any security mount data
593          * we need to skip the double mount verification.
594          *
595          * This does open a hole in which we will not notice if the first
596          * mount using this sb set explict options and a second mount using
597          * this sb does not set any security options.  (The first options
598          * will be used for both mounts)
599          */
600         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
601             && (num_opts == 0))
602                 goto out;
603
604         /*
605          * parse the mount options, check if they are valid sids.
606          * also check if someone is trying to mount the same sb more
607          * than once with different security options.
608          */
609         for (i = 0; i < num_opts; i++) {
610                 u32 sid;
611                 rc = security_context_to_sid(mount_options[i],
612                                              strlen(mount_options[i]), &sid);
613                 if (rc) {
614                         printk(KERN_WARNING "SELinux: security_context_to_sid"
615                                "(%s) failed for (dev %s, type %s) errno=%d\n",
616                                mount_options[i], sb->s_id, name, rc);
617                         goto out;
618                 }
619                 switch (flags[i]) {
620                 case FSCONTEXT_MNT:
621                         fscontext_sid = sid;
622
623                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
624                                         fscontext_sid))
625                                 goto out_double_mount;
626
627                         sbsec->flags |= FSCONTEXT_MNT;
628                         break;
629                 case CONTEXT_MNT:
630                         context_sid = sid;
631
632                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
633                                         context_sid))
634                                 goto out_double_mount;
635
636                         sbsec->flags |= CONTEXT_MNT;
637                         break;
638                 case ROOTCONTEXT_MNT:
639                         rootcontext_sid = sid;
640
641                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
642                                         rootcontext_sid))
643                                 goto out_double_mount;
644
645                         sbsec->flags |= ROOTCONTEXT_MNT;
646
647                         break;
648                 case DEFCONTEXT_MNT:
649                         defcontext_sid = sid;
650
651                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
652                                         defcontext_sid))
653                                 goto out_double_mount;
654
655                         sbsec->flags |= DEFCONTEXT_MNT;
656
657                         break;
658                 default:
659                         rc = -EINVAL;
660                         goto out;
661                 }
662         }
663
664         if (sbsec->initialized) {
665                 /* previously mounted with options, but not on this attempt? */
666                 if (sbsec->flags && !num_opts)
667                         goto out_double_mount;
668                 rc = 0;
669                 goto out;
670         }
671
672         if (strcmp(name, "proc") == 0)
673                 sbsec->proc = 1;
674
675         /*
676          * test if the fs supports xattrs, fs_use might make use of this if the
677          * fs has no definition in policy.
678          */
679         if (root_inode->i_op->getxattr) {
680                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
681                 if (rc >= 0 || rc == -ENODATA)
682                         can_xattr = true;
683         }
684
685         /* Determine the labeling behavior to use for this filesystem type. */
686         rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
687         if (rc) {
688                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
689                        __func__, name, rc);
690                 goto out;
691         }
692
693         /* sets the context of the superblock for the fs being mounted. */
694         if (fscontext_sid) {
695
696                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
697                 if (rc)
698                         goto out;
699
700                 sbsec->sid = fscontext_sid;
701         }
702
703         /*
704          * Switch to using mount point labeling behavior.
705          * sets the label used on all file below the mountpoint, and will set
706          * the superblock context if not already set.
707          */
708         if (context_sid) {
709                 if (!fscontext_sid) {
710                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
711                         if (rc)
712                                 goto out;
713                         sbsec->sid = context_sid;
714                 } else {
715                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
716                         if (rc)
717                                 goto out;
718                 }
719                 if (!rootcontext_sid)
720                         rootcontext_sid = context_sid;
721
722                 sbsec->mntpoint_sid = context_sid;
723                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
724         }
725
726         if (rootcontext_sid) {
727                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
728                 if (rc)
729                         goto out;
730
731                 root_isec->sid = rootcontext_sid;
732                 root_isec->initialized = 1;
733         }
734
735         if (defcontext_sid) {
736                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
737                         rc = -EINVAL;
738                         printk(KERN_WARNING "SELinux: defcontext option is "
739                                "invalid for this filesystem type\n");
740                         goto out;
741                 }
742
743                 if (defcontext_sid != sbsec->def_sid) {
744                         rc = may_context_mount_inode_relabel(defcontext_sid,
745                                                              sbsec, tsec);
746                         if (rc)
747                                 goto out;
748                 }
749
750                 sbsec->def_sid = defcontext_sid;
751         }
752
753         rc = sb_finish_set_opts(sb);
754 out:
755         mutex_unlock(&sbsec->lock);
756         return rc;
757 out_double_mount:
758         rc = -EINVAL;
759         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
760                "security settings for (dev %s, type %s)\n", sb->s_id, name);
761         goto out;
762 }
763
764 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
765                                         struct super_block *newsb)
766 {
767         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
768         struct superblock_security_struct *newsbsec = newsb->s_security;
769
770         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
771         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
772         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
773
774         /*
775          * if the parent was able to be mounted it clearly had no special lsm
776          * mount options.  thus we can safely put this sb on the list and deal
777          * with it later
778          */
779         if (!ss_initialized) {
780                 spin_lock(&sb_security_lock);
781                 if (list_empty(&newsbsec->list))
782                         list_add(&newsbsec->list, &superblock_security_head);
783                 spin_unlock(&sb_security_lock);
784                 return;
785         }
786
787         /* how can we clone if the old one wasn't set up?? */
788         BUG_ON(!oldsbsec->initialized);
789
790         /* if fs is reusing a sb, just let its options stand... */
791         if (newsbsec->initialized)
792                 return;
793
794         mutex_lock(&newsbsec->lock);
795
796         newsbsec->flags = oldsbsec->flags;
797
798         newsbsec->sid = oldsbsec->sid;
799         newsbsec->def_sid = oldsbsec->def_sid;
800         newsbsec->behavior = oldsbsec->behavior;
801
802         if (set_context) {
803                 u32 sid = oldsbsec->mntpoint_sid;
804
805                 if (!set_fscontext)
806                         newsbsec->sid = sid;
807                 if (!set_rootcontext) {
808                         struct inode *newinode = newsb->s_root->d_inode;
809                         struct inode_security_struct *newisec = newinode->i_security;
810                         newisec->sid = sid;
811                 }
812                 newsbsec->mntpoint_sid = sid;
813         }
814         if (set_rootcontext) {
815                 const struct inode *oldinode = oldsb->s_root->d_inode;
816                 const struct inode_security_struct *oldisec = oldinode->i_security;
817                 struct inode *newinode = newsb->s_root->d_inode;
818                 struct inode_security_struct *newisec = newinode->i_security;
819
820                 newisec->sid = oldisec->sid;
821         }
822
823         sb_finish_set_opts(newsb);
824         mutex_unlock(&newsbsec->lock);
825 }
826
827 static int selinux_parse_opts_str(char *options,
828                                   struct security_mnt_opts *opts)
829 {
830         char *p;
831         char *context = NULL, *defcontext = NULL;
832         char *fscontext = NULL, *rootcontext = NULL;
833         int rc, num_mnt_opts = 0;
834
835         opts->num_mnt_opts = 0;
836
837         /* Standard string-based options. */
838         while ((p = strsep(&options, "|")) != NULL) {
839                 int token;
840                 substring_t args[MAX_OPT_ARGS];
841
842                 if (!*p)
843                         continue;
844
845                 token = match_token(p, tokens, args);
846
847                 switch (token) {
848                 case Opt_context:
849                         if (context || defcontext) {
850                                 rc = -EINVAL;
851                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
852                                 goto out_err;
853                         }
854                         context = match_strdup(&args[0]);
855                         if (!context) {
856                                 rc = -ENOMEM;
857                                 goto out_err;
858                         }
859                         break;
860
861                 case Opt_fscontext:
862                         if (fscontext) {
863                                 rc = -EINVAL;
864                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
865                                 goto out_err;
866                         }
867                         fscontext = match_strdup(&args[0]);
868                         if (!fscontext) {
869                                 rc = -ENOMEM;
870                                 goto out_err;
871                         }
872                         break;
873
874                 case Opt_rootcontext:
875                         if (rootcontext) {
876                                 rc = -EINVAL;
877                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
878                                 goto out_err;
879                         }
880                         rootcontext = match_strdup(&args[0]);
881                         if (!rootcontext) {
882                                 rc = -ENOMEM;
883                                 goto out_err;
884                         }
885                         break;
886
887                 case Opt_defcontext:
888                         if (context || defcontext) {
889                                 rc = -EINVAL;
890                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
891                                 goto out_err;
892                         }
893                         defcontext = match_strdup(&args[0]);
894                         if (!defcontext) {
895                                 rc = -ENOMEM;
896                                 goto out_err;
897                         }
898                         break;
899
900                 default:
901                         rc = -EINVAL;
902                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
903                         goto out_err;
904
905                 }
906         }
907
908         rc = -ENOMEM;
909         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
910         if (!opts->mnt_opts)
911                 goto out_err;
912
913         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
914         if (!opts->mnt_opts_flags) {
915                 kfree(opts->mnt_opts);
916                 goto out_err;
917         }
918
919         if (fscontext) {
920                 opts->mnt_opts[num_mnt_opts] = fscontext;
921                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
922         }
923         if (context) {
924                 opts->mnt_opts[num_mnt_opts] = context;
925                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
926         }
927         if (rootcontext) {
928                 opts->mnt_opts[num_mnt_opts] = rootcontext;
929                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
930         }
931         if (defcontext) {
932                 opts->mnt_opts[num_mnt_opts] = defcontext;
933                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
934         }
935
936         opts->num_mnt_opts = num_mnt_opts;
937         return 0;
938
939 out_err:
940         kfree(context);
941         kfree(defcontext);
942         kfree(fscontext);
943         kfree(rootcontext);
944         return rc;
945 }
946 /*
947  * string mount options parsing and call set the sbsec
948  */
949 static int superblock_doinit(struct super_block *sb, void *data)
950 {
951         int rc = 0;
952         char *options = data;
953         struct security_mnt_opts opts;
954
955         security_init_mnt_opts(&opts);
956
957         if (!data)
958                 goto out;
959
960         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
961
962         rc = selinux_parse_opts_str(options, &opts);
963         if (rc)
964                 goto out_err;
965
966 out:
967         rc = selinux_set_mnt_opts(sb, &opts);
968
969 out_err:
970         security_free_mnt_opts(&opts);
971         return rc;
972 }
973
974 void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
975 {
976         int i;
977         char *prefix;
978
979         for (i = 0; i < opts->num_mnt_opts; i++) {
980                 char *has_comma = strchr(opts->mnt_opts[i], ',');
981
982                 switch (opts->mnt_opts_flags[i]) {
983                 case CONTEXT_MNT:
984                         prefix = CONTEXT_STR;
985                         break;
986                 case FSCONTEXT_MNT:
987                         prefix = FSCONTEXT_STR;
988                         break;
989                 case ROOTCONTEXT_MNT:
990                         prefix = ROOTCONTEXT_STR;
991                         break;
992                 case DEFCONTEXT_MNT:
993                         prefix = DEFCONTEXT_STR;
994                         break;
995                 default:
996                         BUG();
997                 };
998                 /* we need a comma before each option */
999                 seq_putc(m, ',');
1000                 seq_puts(m, prefix);
1001                 if (has_comma)
1002                         seq_putc(m, '\"');
1003                 seq_puts(m, opts->mnt_opts[i]);
1004                 if (has_comma)
1005                         seq_putc(m, '\"');
1006         }
1007 }
1008
1009 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1010 {
1011         struct security_mnt_opts opts;
1012         int rc;
1013
1014         rc = selinux_get_mnt_opts(sb, &opts);
1015         if (rc)
1016                 return rc;
1017
1018         selinux_write_opts(m, &opts);
1019
1020         security_free_mnt_opts(&opts);
1021
1022         return rc;
1023 }
1024
1025 static inline u16 inode_mode_to_security_class(umode_t mode)
1026 {
1027         switch (mode & S_IFMT) {
1028         case S_IFSOCK:
1029                 return SECCLASS_SOCK_FILE;
1030         case S_IFLNK:
1031                 return SECCLASS_LNK_FILE;
1032         case S_IFREG:
1033                 return SECCLASS_FILE;
1034         case S_IFBLK:
1035                 return SECCLASS_BLK_FILE;
1036         case S_IFDIR:
1037                 return SECCLASS_DIR;
1038         case S_IFCHR:
1039                 return SECCLASS_CHR_FILE;
1040         case S_IFIFO:
1041                 return SECCLASS_FIFO_FILE;
1042
1043         }
1044
1045         return SECCLASS_FILE;
1046 }
1047
1048 static inline int default_protocol_stream(int protocol)
1049 {
1050         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1051 }
1052
1053 static inline int default_protocol_dgram(int protocol)
1054 {
1055         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1056 }
1057
1058 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1059 {
1060         switch (family) {
1061         case PF_UNIX:
1062                 switch (type) {
1063                 case SOCK_STREAM:
1064                 case SOCK_SEQPACKET:
1065                         return SECCLASS_UNIX_STREAM_SOCKET;
1066                 case SOCK_DGRAM:
1067                         return SECCLASS_UNIX_DGRAM_SOCKET;
1068                 }
1069                 break;
1070         case PF_INET:
1071         case PF_INET6:
1072                 switch (type) {
1073                 case SOCK_STREAM:
1074                         if (default_protocol_stream(protocol))
1075                                 return SECCLASS_TCP_SOCKET;
1076                         else
1077                                 return SECCLASS_RAWIP_SOCKET;
1078                 case SOCK_DGRAM:
1079                         if (default_protocol_dgram(protocol))
1080                                 return SECCLASS_UDP_SOCKET;
1081                         else
1082                                 return SECCLASS_RAWIP_SOCKET;
1083                 case SOCK_DCCP:
1084                         return SECCLASS_DCCP_SOCKET;
1085                 default:
1086                         return SECCLASS_RAWIP_SOCKET;
1087                 }
1088                 break;
1089         case PF_NETLINK:
1090                 switch (protocol) {
1091                 case NETLINK_ROUTE:
1092                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1093                 case NETLINK_FIREWALL:
1094                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1095                 case NETLINK_INET_DIAG:
1096                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1097                 case NETLINK_NFLOG:
1098                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1099                 case NETLINK_XFRM:
1100                         return SECCLASS_NETLINK_XFRM_SOCKET;
1101                 case NETLINK_SELINUX:
1102                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1103                 case NETLINK_AUDIT:
1104                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1105                 case NETLINK_IP6_FW:
1106                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1107                 case NETLINK_DNRTMSG:
1108                         return SECCLASS_NETLINK_DNRT_SOCKET;
1109                 case NETLINK_KOBJECT_UEVENT:
1110                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1111                 default:
1112                         return SECCLASS_NETLINK_SOCKET;
1113                 }
1114         case PF_PACKET:
1115                 return SECCLASS_PACKET_SOCKET;
1116         case PF_KEY:
1117                 return SECCLASS_KEY_SOCKET;
1118         case PF_APPLETALK:
1119                 return SECCLASS_APPLETALK_SOCKET;
1120         }
1121
1122         return SECCLASS_SOCKET;
1123 }
1124
1125 #ifdef CONFIG_PROC_FS
1126 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1127                                 u16 tclass,
1128                                 u32 *sid)
1129 {
1130         int buflen, rc;
1131         char *buffer, *path, *end;
1132
1133         buffer = (char *)__get_free_page(GFP_KERNEL);
1134         if (!buffer)
1135                 return -ENOMEM;
1136
1137         buflen = PAGE_SIZE;
1138         end = buffer+buflen;
1139         *--end = '\0';
1140         buflen--;
1141         path = end-1;
1142         *path = '/';
1143         while (de && de != de->parent) {
1144                 buflen -= de->namelen + 1;
1145                 if (buflen < 0)
1146                         break;
1147                 end -= de->namelen;
1148                 memcpy(end, de->name, de->namelen);
1149                 *--end = '/';
1150                 path = end;
1151                 de = de->parent;
1152         }
1153         rc = security_genfs_sid("proc", path, tclass, sid);
1154         free_page((unsigned long)buffer);
1155         return rc;
1156 }
1157 #else
1158 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1159                                 u16 tclass,
1160                                 u32 *sid)
1161 {
1162         return -EINVAL;
1163 }
1164 #endif
1165
1166 /* The inode's security attributes must be initialized before first use. */
1167 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1168 {
1169         struct superblock_security_struct *sbsec = NULL;
1170         struct inode_security_struct *isec = inode->i_security;
1171         u32 sid;
1172         struct dentry *dentry;
1173 #define INITCONTEXTLEN 255
1174         char *context = NULL;
1175         unsigned len = 0;
1176         int rc = 0;
1177
1178         if (isec->initialized)
1179                 goto out;
1180
1181         mutex_lock(&isec->lock);
1182         if (isec->initialized)
1183                 goto out_unlock;
1184
1185         sbsec = inode->i_sb->s_security;
1186         if (!sbsec->initialized) {
1187                 /* Defer initialization until selinux_complete_init,
1188                    after the initial policy is loaded and the security
1189                    server is ready to handle calls. */
1190                 spin_lock(&sbsec->isec_lock);
1191                 if (list_empty(&isec->list))
1192                         list_add(&isec->list, &sbsec->isec_head);
1193                 spin_unlock(&sbsec->isec_lock);
1194                 goto out_unlock;
1195         }
1196
1197         switch (sbsec->behavior) {
1198         case SECURITY_FS_USE_XATTR:
1199                 if (!inode->i_op->getxattr) {
1200                         isec->sid = sbsec->def_sid;
1201                         break;
1202                 }
1203
1204                 /* Need a dentry, since the xattr API requires one.
1205                    Life would be simpler if we could just pass the inode. */
1206                 if (opt_dentry) {
1207                         /* Called from d_instantiate or d_splice_alias. */
1208                         dentry = dget(opt_dentry);
1209                 } else {
1210                         /* Called from selinux_complete_init, try to find a dentry. */
1211                         dentry = d_find_alias(inode);
1212                 }
1213                 if (!dentry) {
1214                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1215                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1216                                inode->i_ino);
1217                         goto out_unlock;
1218                 }
1219
1220                 len = INITCONTEXTLEN;
1221                 context = kmalloc(len, GFP_NOFS);
1222                 if (!context) {
1223                         rc = -ENOMEM;
1224                         dput(dentry);
1225                         goto out_unlock;
1226                 }
1227                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1228                                            context, len);
1229                 if (rc == -ERANGE) {
1230                         /* Need a larger buffer.  Query for the right size. */
1231                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1232                                                    NULL, 0);
1233                         if (rc < 0) {
1234                                 dput(dentry);
1235                                 goto out_unlock;
1236                         }
1237                         kfree(context);
1238                         len = rc;
1239                         context = kmalloc(len, GFP_NOFS);
1240                         if (!context) {
1241                                 rc = -ENOMEM;
1242                                 dput(dentry);
1243                                 goto out_unlock;
1244                         }
1245                         rc = inode->i_op->getxattr(dentry,
1246                                                    XATTR_NAME_SELINUX,
1247                                                    context, len);
1248                 }
1249                 dput(dentry);
1250                 if (rc < 0) {
1251                         if (rc != -ENODATA) {
1252                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1253                                        "%d for dev=%s ino=%ld\n", __func__,
1254                                        -rc, inode->i_sb->s_id, inode->i_ino);
1255                                 kfree(context);
1256                                 goto out_unlock;
1257                         }
1258                         /* Map ENODATA to the default file SID */
1259                         sid = sbsec->def_sid;
1260                         rc = 0;
1261                 } else {
1262                         rc = security_context_to_sid_default(context, rc, &sid,
1263                                                              sbsec->def_sid,
1264                                                              GFP_NOFS);
1265                         if (rc) {
1266                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1267                                        "returned %d for dev=%s ino=%ld\n",
1268                                        __func__, context, -rc,
1269                                        inode->i_sb->s_id, inode->i_ino);
1270                                 kfree(context);
1271                                 /* Leave with the unlabeled SID */
1272                                 rc = 0;
1273                                 break;
1274                         }
1275                 }
1276                 kfree(context);
1277                 isec->sid = sid;
1278                 break;
1279         case SECURITY_FS_USE_TASK:
1280                 isec->sid = isec->task_sid;
1281                 break;
1282         case SECURITY_FS_USE_TRANS:
1283                 /* Default to the fs SID. */
1284                 isec->sid = sbsec->sid;
1285
1286                 /* Try to obtain a transition SID. */
1287                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1288                 rc = security_transition_sid(isec->task_sid,
1289                                              sbsec->sid,
1290                                              isec->sclass,
1291                                              &sid);
1292                 if (rc)
1293                         goto out_unlock;
1294                 isec->sid = sid;
1295                 break;
1296         case SECURITY_FS_USE_MNTPOINT:
1297                 isec->sid = sbsec->mntpoint_sid;
1298                 break;
1299         default:
1300                 /* Default to the fs superblock SID. */
1301                 isec->sid = sbsec->sid;
1302
1303                 if (sbsec->proc) {
1304                         struct proc_inode *proci = PROC_I(inode);
1305                         if (proci->pde) {
1306                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1307                                 rc = selinux_proc_get_sid(proci->pde,
1308                                                           isec->sclass,
1309                                                           &sid);
1310                                 if (rc)
1311                                         goto out_unlock;
1312                                 isec->sid = sid;
1313                         }
1314                 }
1315                 break;
1316         }
1317
1318         isec->initialized = 1;
1319
1320 out_unlock:
1321         mutex_unlock(&isec->lock);
1322 out:
1323         if (isec->sclass == SECCLASS_FILE)
1324                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1325         return rc;
1326 }
1327
1328 /* Convert a Linux signal to an access vector. */
1329 static inline u32 signal_to_av(int sig)
1330 {
1331         u32 perm = 0;
1332
1333         switch (sig) {
1334         case SIGCHLD:
1335                 /* Commonly granted from child to parent. */
1336                 perm = PROCESS__SIGCHLD;
1337                 break;
1338         case SIGKILL:
1339                 /* Cannot be caught or ignored */
1340                 perm = PROCESS__SIGKILL;
1341                 break;
1342         case SIGSTOP:
1343                 /* Cannot be caught or ignored */
1344                 perm = PROCESS__SIGSTOP;
1345                 break;
1346         default:
1347                 /* All other signals. */
1348                 perm = PROCESS__SIGNAL;
1349                 break;
1350         }
1351
1352         return perm;
1353 }
1354
1355 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1356    fork check, ptrace check, etc. */
1357 static int task_has_perm(struct task_struct *tsk1,
1358                          struct task_struct *tsk2,
1359                          u32 perms)
1360 {
1361         struct task_security_struct *tsec1, *tsec2;
1362
1363         tsec1 = tsk1->security;
1364         tsec2 = tsk2->security;
1365         return avc_has_perm(tsec1->sid, tsec2->sid,
1366                             SECCLASS_PROCESS, perms, NULL);
1367 }
1368
1369 #if CAP_LAST_CAP > 63
1370 #error Fix SELinux to handle capabilities > 63.
1371 #endif
1372
1373 /* Check whether a task is allowed to use a capability. */
1374 static int task_has_capability(struct task_struct *tsk,
1375                                int cap)
1376 {
1377         struct task_security_struct *tsec;
1378         struct avc_audit_data ad;
1379         u16 sclass;
1380         u32 av = CAP_TO_MASK(cap);
1381
1382         tsec = tsk->security;
1383
1384         AVC_AUDIT_DATA_INIT(&ad, CAP);
1385         ad.tsk = tsk;
1386         ad.u.cap = cap;
1387
1388         switch (CAP_TO_INDEX(cap)) {
1389         case 0:
1390                 sclass = SECCLASS_CAPABILITY;
1391                 break;
1392         case 1:
1393                 sclass = SECCLASS_CAPABILITY2;
1394                 break;
1395         default:
1396                 printk(KERN_ERR
1397                        "SELinux:  out of range capability %d\n", cap);
1398                 BUG();
1399         }
1400         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1401 }
1402
1403 /* Check whether a task is allowed to use a system operation. */
1404 static int task_has_system(struct task_struct *tsk,
1405                            u32 perms)
1406 {
1407         struct task_security_struct *tsec;
1408
1409         tsec = tsk->security;
1410
1411         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1412                             SECCLASS_SYSTEM, perms, NULL);
1413 }
1414
1415 /* Check whether a task has a particular permission to an inode.
1416    The 'adp' parameter is optional and allows other audit
1417    data to be passed (e.g. the dentry). */
1418 static int inode_has_perm(struct task_struct *tsk,
1419                           struct inode *inode,
1420                           u32 perms,
1421                           struct avc_audit_data *adp)
1422 {
1423         struct task_security_struct *tsec;
1424         struct inode_security_struct *isec;
1425         struct avc_audit_data ad;
1426
1427         if (unlikely(IS_PRIVATE(inode)))
1428                 return 0;
1429
1430         tsec = tsk->security;
1431         isec = inode->i_security;
1432
1433         if (!adp) {
1434                 adp = &ad;
1435                 AVC_AUDIT_DATA_INIT(&ad, FS);
1436                 ad.u.fs.inode = inode;
1437         }
1438
1439         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1440 }
1441
1442 /* Same as inode_has_perm, but pass explicit audit data containing
1443    the dentry to help the auditing code to more easily generate the
1444    pathname if needed. */
1445 static inline int dentry_has_perm(struct task_struct *tsk,
1446                                   struct vfsmount *mnt,
1447                                   struct dentry *dentry,
1448                                   u32 av)
1449 {
1450         struct inode *inode = dentry->d_inode;
1451         struct avc_audit_data ad;
1452         AVC_AUDIT_DATA_INIT(&ad, FS);
1453         ad.u.fs.path.mnt = mnt;
1454         ad.u.fs.path.dentry = dentry;
1455         return inode_has_perm(tsk, inode, av, &ad);
1456 }
1457
1458 /* Check whether a task can use an open file descriptor to
1459    access an inode in a given way.  Check access to the
1460    descriptor itself, and then use dentry_has_perm to
1461    check a particular permission to the file.
1462    Access to the descriptor is implicitly granted if it
1463    has the same SID as the process.  If av is zero, then
1464    access to the file is not checked, e.g. for cases
1465    where only the descriptor is affected like seek. */
1466 static int file_has_perm(struct task_struct *tsk,
1467                                 struct file *file,
1468                                 u32 av)
1469 {
1470         struct task_security_struct *tsec = tsk->security;
1471         struct file_security_struct *fsec = file->f_security;
1472         struct inode *inode = file->f_path.dentry->d_inode;
1473         struct avc_audit_data ad;
1474         int rc;
1475
1476         AVC_AUDIT_DATA_INIT(&ad, FS);
1477         ad.u.fs.path = file->f_path;
1478
1479         if (tsec->sid != fsec->sid) {
1480                 rc = avc_has_perm(tsec->sid, fsec->sid,
1481                                   SECCLASS_FD,
1482                                   FD__USE,
1483                                   &ad);
1484                 if (rc)
1485                         return rc;
1486         }
1487
1488         /* av is zero if only checking access to the descriptor. */
1489         if (av)
1490                 return inode_has_perm(tsk, inode, av, &ad);
1491
1492         return 0;
1493 }
1494
1495 /* Check whether a task can create a file. */
1496 static int may_create(struct inode *dir,
1497                       struct dentry *dentry,
1498                       u16 tclass)
1499 {
1500         struct task_security_struct *tsec;
1501         struct inode_security_struct *dsec;
1502         struct superblock_security_struct *sbsec;
1503         u32 newsid;
1504         struct avc_audit_data ad;
1505         int rc;
1506
1507         tsec = current->security;
1508         dsec = dir->i_security;
1509         sbsec = dir->i_sb->s_security;
1510
1511         AVC_AUDIT_DATA_INIT(&ad, FS);
1512         ad.u.fs.path.dentry = dentry;
1513
1514         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1515                           DIR__ADD_NAME | DIR__SEARCH,
1516                           &ad);
1517         if (rc)
1518                 return rc;
1519
1520         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1521                 newsid = tsec->create_sid;
1522         } else {
1523                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1524                                              &newsid);
1525                 if (rc)
1526                         return rc;
1527         }
1528
1529         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1530         if (rc)
1531                 return rc;
1532
1533         return avc_has_perm(newsid, sbsec->sid,
1534                             SECCLASS_FILESYSTEM,
1535                             FILESYSTEM__ASSOCIATE, &ad);
1536 }
1537
1538 /* Check whether a task can create a key. */
1539 static int may_create_key(u32 ksid,
1540                           struct task_struct *ctx)
1541 {
1542         struct task_security_struct *tsec;
1543
1544         tsec = ctx->security;
1545
1546         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1547 }
1548
1549 #define MAY_LINK        0
1550 #define MAY_UNLINK      1
1551 #define MAY_RMDIR       2
1552
1553 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1554 static int may_link(struct inode *dir,
1555                     struct dentry *dentry,
1556                     int kind)
1557
1558 {
1559         struct task_security_struct *tsec;
1560         struct inode_security_struct *dsec, *isec;
1561         struct avc_audit_data ad;
1562         u32 av;
1563         int rc;
1564
1565         tsec = current->security;
1566         dsec = dir->i_security;
1567         isec = dentry->d_inode->i_security;
1568
1569         AVC_AUDIT_DATA_INIT(&ad, FS);
1570         ad.u.fs.path.dentry = dentry;
1571
1572         av = DIR__SEARCH;
1573         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1574         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1575         if (rc)
1576                 return rc;
1577
1578         switch (kind) {
1579         case MAY_LINK:
1580                 av = FILE__LINK;
1581                 break;
1582         case MAY_UNLINK:
1583                 av = FILE__UNLINK;
1584                 break;
1585         case MAY_RMDIR:
1586                 av = DIR__RMDIR;
1587                 break;
1588         default:
1589                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1590                         __func__, kind);
1591                 return 0;
1592         }
1593
1594         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1595         return rc;
1596 }
1597
1598 static inline int may_rename(struct inode *old_dir,
1599                              struct dentry *old_dentry,
1600                              struct inode *new_dir,
1601                              struct dentry *new_dentry)
1602 {
1603         struct task_security_struct *tsec;
1604         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1605         struct avc_audit_data ad;
1606         u32 av;
1607         int old_is_dir, new_is_dir;
1608         int rc;
1609
1610         tsec = current->security;
1611         old_dsec = old_dir->i_security;
1612         old_isec = old_dentry->d_inode->i_security;
1613         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1614         new_dsec = new_dir->i_security;
1615
1616         AVC_AUDIT_DATA_INIT(&ad, FS);
1617
1618         ad.u.fs.path.dentry = old_dentry;
1619         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1620                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1621         if (rc)
1622                 return rc;
1623         rc = avc_has_perm(tsec->sid, old_isec->sid,
1624                           old_isec->sclass, FILE__RENAME, &ad);
1625         if (rc)
1626                 return rc;
1627         if (old_is_dir && new_dir != old_dir) {
1628                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1629                                   old_isec->sclass, DIR__REPARENT, &ad);
1630                 if (rc)
1631                         return rc;
1632         }
1633
1634         ad.u.fs.path.dentry = new_dentry;
1635         av = DIR__ADD_NAME | DIR__SEARCH;
1636         if (new_dentry->d_inode)
1637                 av |= DIR__REMOVE_NAME;
1638         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1639         if (rc)
1640                 return rc;
1641         if (new_dentry->d_inode) {
1642                 new_isec = new_dentry->d_inode->i_security;
1643                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1644                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1645                                   new_isec->sclass,
1646                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1647                 if (rc)
1648                         return rc;
1649         }
1650
1651         return 0;
1652 }
1653
1654 /* Check whether a task can perform a filesystem operation. */
1655 static int superblock_has_perm(struct task_struct *tsk,
1656                                struct super_block *sb,
1657                                u32 perms,
1658                                struct avc_audit_data *ad)
1659 {
1660         struct task_security_struct *tsec;
1661         struct superblock_security_struct *sbsec;
1662
1663         tsec = tsk->security;
1664         sbsec = sb->s_security;
1665         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1666                             perms, ad);
1667 }
1668
1669 /* Convert a Linux mode and permission mask to an access vector. */
1670 static inline u32 file_mask_to_av(int mode, int mask)
1671 {
1672         u32 av = 0;
1673
1674         if ((mode & S_IFMT) != S_IFDIR) {
1675                 if (mask & MAY_EXEC)
1676                         av |= FILE__EXECUTE;
1677                 if (mask & MAY_READ)
1678                         av |= FILE__READ;
1679
1680                 if (mask & MAY_APPEND)
1681                         av |= FILE__APPEND;
1682                 else if (mask & MAY_WRITE)
1683                         av |= FILE__WRITE;
1684
1685         } else {
1686                 if (mask & MAY_EXEC)
1687                         av |= DIR__SEARCH;
1688                 if (mask & MAY_WRITE)
1689                         av |= DIR__WRITE;
1690                 if (mask & MAY_READ)
1691                         av |= DIR__READ;
1692         }
1693
1694         return av;
1695 }
1696
1697 /*
1698  * Convert a file mask to an access vector and include the correct open
1699  * open permission.
1700  */
1701 static inline u32 open_file_mask_to_av(int mode, int mask)
1702 {
1703         u32 av = file_mask_to_av(mode, mask);
1704
1705         if (selinux_policycap_openperm) {
1706                 /*
1707                  * lnk files and socks do not really have an 'open'
1708                  */
1709                 if (S_ISREG(mode))
1710                         av |= FILE__OPEN;
1711                 else if (S_ISCHR(mode))
1712                         av |= CHR_FILE__OPEN;
1713                 else if (S_ISBLK(mode))
1714                         av |= BLK_FILE__OPEN;
1715                 else if (S_ISFIFO(mode))
1716                         av |= FIFO_FILE__OPEN;
1717                 else if (S_ISDIR(mode))
1718                         av |= DIR__OPEN;
1719                 else
1720                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1721                                 "unknown mode:%x\n", __func__, mode);
1722         }
1723         return av;
1724 }
1725
1726 /* Convert a Linux file to an access vector. */
1727 static inline u32 file_to_av(struct file *file)
1728 {
1729         u32 av = 0;
1730
1731         if (file->f_mode & FMODE_READ)
1732                 av |= FILE__READ;
1733         if (file->f_mode & FMODE_WRITE) {
1734                 if (file->f_flags & O_APPEND)
1735                         av |= FILE__APPEND;
1736                 else
1737                         av |= FILE__WRITE;
1738         }
1739         if (!av) {
1740                 /*
1741                  * Special file opened with flags 3 for ioctl-only use.
1742                  */
1743                 av = FILE__IOCTL;
1744         }
1745
1746         return av;
1747 }
1748
1749 /* Hook functions begin here. */
1750
1751 static int selinux_ptrace(struct task_struct *parent,
1752                           struct task_struct *child,
1753                           unsigned int mode)
1754 {
1755         int rc;
1756
1757         rc = secondary_ops->ptrace(parent, child, mode);
1758         if (rc)
1759                 return rc;
1760
1761         if (mode == PTRACE_MODE_READ) {
1762                 struct task_security_struct *tsec = parent->security;
1763                 struct task_security_struct *csec = child->security;
1764                 return avc_has_perm(tsec->sid, csec->sid,
1765                                     SECCLASS_FILE, FILE__READ, NULL);
1766         }
1767
1768         return task_has_perm(parent, child, PROCESS__PTRACE);
1769 }
1770
1771 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1772                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1773 {
1774         int error;
1775
1776         error = task_has_perm(current, target, PROCESS__GETCAP);
1777         if (error)
1778                 return error;
1779
1780         return secondary_ops->capget(target, effective, inheritable, permitted);
1781 }
1782
1783 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1784                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1785 {
1786         int error;
1787
1788         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1789         if (error)
1790                 return error;
1791
1792         return task_has_perm(current, target, PROCESS__SETCAP);
1793 }
1794
1795 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1796                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1797 {
1798         secondary_ops->capset_set(target, effective, inheritable, permitted);
1799 }
1800
1801 static int selinux_capable(struct task_struct *tsk, int cap)
1802 {
1803         int rc;
1804
1805         rc = secondary_ops->capable(tsk, cap);
1806         if (rc)
1807                 return rc;
1808
1809         return task_has_capability(tsk, cap);
1810 }
1811
1812 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1813 {
1814         int buflen, rc;
1815         char *buffer, *path, *end;
1816
1817         rc = -ENOMEM;
1818         buffer = (char *)__get_free_page(GFP_KERNEL);
1819         if (!buffer)
1820                 goto out;
1821
1822         buflen = PAGE_SIZE;
1823         end = buffer+buflen;
1824         *--end = '\0';
1825         buflen--;
1826         path = end-1;
1827         *path = '/';
1828         while (table) {
1829                 const char *name = table->procname;
1830                 size_t namelen = strlen(name);
1831                 buflen -= namelen + 1;
1832                 if (buflen < 0)
1833                         goto out_free;
1834                 end -= namelen;
1835                 memcpy(end, name, namelen);
1836                 *--end = '/';
1837                 path = end;
1838                 table = table->parent;
1839         }
1840         buflen -= 4;
1841         if (buflen < 0)
1842                 goto out_free;
1843         end -= 4;
1844         memcpy(end, "/sys", 4);
1845         path = end;
1846         rc = security_genfs_sid("proc", path, tclass, sid);
1847 out_free:
1848         free_page((unsigned long)buffer);
1849 out:
1850         return rc;
1851 }
1852
1853 static int selinux_sysctl(ctl_table *table, int op)
1854 {
1855         int error = 0;
1856         u32 av;
1857         struct task_security_struct *tsec;
1858         u32 tsid;
1859         int rc;
1860
1861         rc = secondary_ops->sysctl(table, op);
1862         if (rc)
1863                 return rc;
1864
1865         tsec = current->security;
1866
1867         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1868                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1869         if (rc) {
1870                 /* Default to the well-defined sysctl SID. */
1871                 tsid = SECINITSID_SYSCTL;
1872         }
1873
1874         /* The op values are "defined" in sysctl.c, thereby creating
1875          * a bad coupling between this module and sysctl.c */
1876         if (op == 001) {
1877                 error = avc_has_perm(tsec->sid, tsid,
1878                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1879         } else {
1880                 av = 0;
1881                 if (op & 004)
1882                         av |= FILE__READ;
1883                 if (op & 002)
1884                         av |= FILE__WRITE;
1885                 if (av)
1886                         error = avc_has_perm(tsec->sid, tsid,
1887                                              SECCLASS_FILE, av, NULL);
1888         }
1889
1890         return error;
1891 }
1892
1893 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1894 {
1895         int rc = 0;
1896
1897         if (!sb)
1898                 return 0;
1899
1900         switch (cmds) {
1901         case Q_SYNC:
1902         case Q_QUOTAON:
1903         case Q_QUOTAOFF:
1904         case Q_SETINFO:
1905         case Q_SETQUOTA:
1906                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1907                                          NULL);
1908                 break;
1909         case Q_GETFMT:
1910         case Q_GETINFO:
1911         case Q_GETQUOTA:
1912                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1913                                          NULL);
1914                 break;
1915         default:
1916                 rc = 0;  /* let the kernel handle invalid cmds */
1917                 break;
1918         }
1919         return rc;
1920 }
1921
1922 static int selinux_quota_on(struct dentry *dentry)
1923 {
1924         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1925 }
1926
1927 static int selinux_syslog(int type)
1928 {
1929         int rc;
1930
1931         rc = secondary_ops->syslog(type);
1932         if (rc)
1933                 return rc;
1934
1935         switch (type) {
1936         case 3:         /* Read last kernel messages */
1937         case 10:        /* Return size of the log buffer */
1938                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1939                 break;
1940         case 6:         /* Disable logging to console */
1941         case 7:         /* Enable logging to console */
1942         case 8:         /* Set level of messages printed to console */
1943                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1944                 break;
1945         case 0:         /* Close log */
1946         case 1:         /* Open log */
1947         case 2:         /* Read from log */
1948         case 4:         /* Read/clear last kernel messages */
1949         case 5:         /* Clear ring buffer */
1950         default:
1951                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1952                 break;
1953         }
1954         return rc;
1955 }
1956
1957 /*
1958  * Check that a process has enough memory to allocate a new virtual
1959  * mapping. 0 means there is enough memory for the allocation to
1960  * succeed and -ENOMEM implies there is not.
1961  *
1962  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1963  * if the capability is granted, but __vm_enough_memory requires 1 if
1964  * the capability is granted.
1965  *
1966  * Do not audit the selinux permission check, as this is applied to all
1967  * processes that allocate mappings.
1968  */
1969 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1970 {
1971         int rc, cap_sys_admin = 0;
1972         struct task_security_struct *tsec = current->security;
1973
1974         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1975         if (rc == 0)
1976                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1977                                           SECCLASS_CAPABILITY,
1978                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1979                                           0,
1980                                           NULL);
1981
1982         if (rc == 0)
1983                 cap_sys_admin = 1;
1984
1985         return __vm_enough_memory(mm, pages, cap_sys_admin);
1986 }
1987
1988 /**
1989  * task_tracer_task - return the task that is tracing the given task
1990  * @task:               task to consider
1991  *
1992  * Returns NULL if noone is tracing @task, or the &struct task_struct
1993  * pointer to its tracer.
1994  *
1995  * Must be called under rcu_read_lock().
1996  */
1997 static struct task_struct *task_tracer_task(struct task_struct *task)
1998 {
1999         if (task->ptrace & PT_PTRACED)
2000                 return rcu_dereference(task->parent);
2001         return NULL;
2002 }
2003
2004 /* binprm security operations */
2005
2006 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2007 {
2008         struct bprm_security_struct *bsec;
2009
2010         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
2011         if (!bsec)
2012                 return -ENOMEM;
2013
2014         bsec->sid = SECINITSID_UNLABELED;
2015         bsec->set = 0;
2016
2017         bprm->security = bsec;
2018         return 0;
2019 }
2020
2021 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2022 {
2023         struct task_security_struct *tsec;
2024         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2025         struct inode_security_struct *isec;
2026         struct bprm_security_struct *bsec;
2027         u32 newsid;
2028         struct avc_audit_data ad;
2029         int rc;
2030
2031         rc = secondary_ops->bprm_set_security(bprm);
2032         if (rc)
2033                 return rc;
2034
2035         bsec = bprm->security;
2036
2037         if (bsec->set)
2038                 return 0;
2039
2040         tsec = current->security;
2041         isec = inode->i_security;
2042
2043         /* Default to the current task SID. */
2044         bsec->sid = tsec->sid;
2045
2046         /* Reset fs, key, and sock SIDs on execve. */
2047         tsec->create_sid = 0;
2048         tsec->keycreate_sid = 0;
2049         tsec->sockcreate_sid = 0;
2050
2051         if (tsec->exec_sid) {
2052                 newsid = tsec->exec_sid;
2053                 /* Reset exec SID on execve. */
2054                 tsec->exec_sid = 0;
2055         } else {
2056                 /* Check for a default transition on this program. */
2057                 rc = security_transition_sid(tsec->sid, isec->sid,
2058                                              SECCLASS_PROCESS, &newsid);
2059                 if (rc)
2060                         return rc;
2061         }
2062
2063         AVC_AUDIT_DATA_INIT(&ad, FS);
2064         ad.u.fs.path = bprm->file->f_path;
2065
2066         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2067                 newsid = tsec->sid;
2068
2069         if (tsec->sid == newsid) {
2070                 rc = avc_has_perm(tsec->sid, isec->sid,
2071                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2072                 if (rc)
2073                         return rc;
2074         } else {
2075                 /* Check permissions for the transition. */
2076                 rc = avc_has_perm(tsec->sid, newsid,
2077                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2078                 if (rc)
2079                         return rc;
2080
2081                 rc = avc_has_perm(newsid, isec->sid,
2082                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2083                 if (rc)
2084                         return rc;
2085
2086                 /* Clear any possibly unsafe personality bits on exec: */
2087                 current->personality &= ~PER_CLEAR_ON_SETID;
2088
2089                 /* Set the security field to the new SID. */
2090                 bsec->sid = newsid;
2091         }
2092
2093         bsec->set = 1;
2094         return 0;
2095 }
2096
2097 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2098 {
2099         return secondary_ops->bprm_check_security(bprm);
2100 }
2101
2102
2103 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2104 {
2105         struct task_security_struct *tsec = current->security;
2106         int atsecure = 0;
2107
2108         if (tsec->osid != tsec->sid) {
2109                 /* Enable secure mode for SIDs transitions unless
2110                    the noatsecure permission is granted between
2111                    the two SIDs, i.e. ahp returns 0. */
2112                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2113                                          SECCLASS_PROCESS,
2114                                          PROCESS__NOATSECURE, NULL);
2115         }
2116
2117         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2118 }
2119
2120 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2121 {
2122         kfree(bprm->security);
2123         bprm->security = NULL;
2124 }
2125
2126 extern struct vfsmount *selinuxfs_mount;
2127 extern struct dentry *selinux_null;
2128
2129 /* Derived from fs/exec.c:flush_old_files. */
2130 static inline void flush_unauthorized_files(struct files_struct *files)
2131 {
2132         struct avc_audit_data ad;
2133         struct file *file, *devnull = NULL;
2134         struct tty_struct *tty;
2135         struct fdtable *fdt;
2136         long j = -1;
2137         int drop_tty = 0;
2138
2139         mutex_lock(&tty_mutex);
2140         tty = get_current_tty();
2141         if (tty) {
2142                 file_list_lock();
2143                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2144                 if (file) {
2145                         /* Revalidate access to controlling tty.
2146                            Use inode_has_perm on the tty inode directly rather
2147                            than using file_has_perm, as this particular open
2148                            file may belong to another process and we are only
2149                            interested in the inode-based check here. */
2150                         struct inode *inode = file->f_path.dentry->d_inode;
2151                         if (inode_has_perm(current, inode,
2152                                            FILE__READ | FILE__WRITE, NULL)) {
2153                                 drop_tty = 1;
2154                         }
2155                 }
2156                 file_list_unlock();
2157         }
2158         mutex_unlock(&tty_mutex);
2159         /* Reset controlling tty. */
2160         if (drop_tty)
2161                 no_tty();
2162
2163         /* Revalidate access to inherited open files. */
2164
2165         AVC_AUDIT_DATA_INIT(&ad, FS);
2166
2167         spin_lock(&files->file_lock);
2168         for (;;) {
2169                 unsigned long set, i;
2170                 int fd;
2171
2172                 j++;
2173                 i = j * __NFDBITS;
2174                 fdt = files_fdtable(files);
2175                 if (i >= fdt->max_fds)
2176                         break;
2177                 set = fdt->open_fds->fds_bits[j];
2178                 if (!set)
2179                         continue;
2180                 spin_unlock(&files->file_lock);
2181                 for ( ; set ; i++, set >>= 1) {
2182                         if (set & 1) {
2183                                 file = fget(i);
2184                                 if (!file)
2185                                         continue;
2186                                 if (file_has_perm(current,
2187                                                   file,
2188                                                   file_to_av(file))) {
2189                                         sys_close(i);
2190                                         fd = get_unused_fd();
2191                                         if (fd != i) {
2192                                                 if (fd >= 0)
2193                                                         put_unused_fd(fd);
2194                                                 fput(file);
2195                                                 continue;
2196                                         }
2197                                         if (devnull) {
2198                                                 get_file(devnull);
2199                                         } else {
2200                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2201                                                 if (IS_ERR(devnull)) {
2202                                                         devnull = NULL;
2203                                                         put_unused_fd(fd);
2204                                                         fput(file);
2205                                                         continue;
2206                                                 }
2207                                         }
2208                                         fd_install(fd, devnull);
2209                                 }
2210                                 fput(file);
2211                         }
2212                 }
2213                 spin_lock(&files->file_lock);
2214
2215         }
2216         spin_unlock(&files->file_lock);
2217 }
2218
2219 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2220 {
2221         struct task_security_struct *tsec;
2222         struct bprm_security_struct *bsec;
2223         u32 sid;
2224         int rc;
2225
2226         secondary_ops->bprm_apply_creds(bprm, unsafe);
2227
2228         tsec = current->security;
2229
2230         bsec = bprm->security;
2231         sid = bsec->sid;
2232
2233         tsec->osid = tsec->sid;
2234         bsec->unsafe = 0;
2235         if (tsec->sid != sid) {
2236                 /* Check for shared state.  If not ok, leave SID
2237                    unchanged and kill. */
2238                 if (unsafe & LSM_UNSAFE_SHARE) {
2239                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2240                                         PROCESS__SHARE, NULL);
2241                         if (rc) {
2242                                 bsec->unsafe = 1;
2243                                 return;
2244                         }
2245                 }
2246
2247                 /* Check for ptracing, and update the task SID if ok.
2248                    Otherwise, leave SID unchanged and kill. */
2249                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2250                         struct task_struct *tracer;
2251                         struct task_security_struct *sec;
2252                         u32 ptsid = 0;
2253
2254                         rcu_read_lock();
2255                         tracer = task_tracer_task(current);
2256                         if (likely(tracer != NULL)) {
2257                                 sec = tracer->security;
2258                                 ptsid = sec->sid;
2259                         }
2260                         rcu_read_unlock();
2261
2262                         if (ptsid != 0) {
2263                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2264                                                   PROCESS__PTRACE, NULL);
2265                                 if (rc) {
2266                                         bsec->unsafe = 1;
2267                                         return;
2268                                 }
2269                         }
2270                 }
2271                 tsec->sid = sid;
2272         }
2273 }
2274
2275 /*
2276  * called after apply_creds without the task lock held
2277  */
2278 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2279 {
2280         struct task_security_struct *tsec;
2281         struct rlimit *rlim, *initrlim;
2282         struct itimerval itimer;
2283         struct bprm_security_struct *bsec;
2284         int rc, i;
2285
2286         tsec = current->security;
2287         bsec = bprm->security;
2288
2289         if (bsec->unsafe) {
2290                 force_sig_specific(SIGKILL, current);
2291                 return;
2292         }
2293         if (tsec->osid == tsec->sid)
2294                 return;
2295
2296         /* Close files for which the new task SID is not authorized. */
2297         flush_unauthorized_files(current->files);
2298
2299         /* Check whether the new SID can inherit signal state
2300            from the old SID.  If not, clear itimers to avoid
2301            subsequent signal generation and flush and unblock
2302            signals. This must occur _after_ the task SID has
2303           been updated so that any kill done after the flush
2304           will be checked against the new SID. */
2305         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2306                           PROCESS__SIGINH, NULL);
2307         if (rc) {
2308                 memset(&itimer, 0, sizeof itimer);
2309                 for (i = 0; i < 3; i++)
2310                         do_setitimer(i, &itimer, NULL);
2311                 flush_signals(current);
2312                 spin_lock_irq(&current->sighand->siglock);
2313                 flush_signal_handlers(current, 1);
2314                 sigemptyset(&current->blocked);
2315                 recalc_sigpending();
2316                 spin_unlock_irq(&current->sighand->siglock);
2317         }
2318
2319         /* Always clear parent death signal on SID transitions. */
2320         current->pdeath_signal = 0;
2321
2322         /* Check whether the new SID can inherit resource limits
2323            from the old SID.  If not, reset all soft limits to
2324            the lower of the current task's hard limit and the init
2325            task's soft limit.  Note that the setting of hard limits
2326            (even to lower them) can be controlled by the setrlimit
2327            check. The inclusion of the init task's soft limit into
2328            the computation is to avoid resetting soft limits higher
2329            than the default soft limit for cases where the default
2330            is lower than the hard limit, e.g. RLIMIT_CORE or
2331            RLIMIT_STACK.*/
2332         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2333                           PROCESS__RLIMITINH, NULL);
2334         if (rc) {
2335                 for (i = 0; i < RLIM_NLIMITS; i++) {
2336                         rlim = current->signal->rlim + i;
2337                         initrlim = init_task.signal->rlim+i;
2338                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2339                 }
2340                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2341                         /*
2342                          * This will cause RLIMIT_CPU calculations
2343                          * to be refigured.
2344                          */
2345                         current->it_prof_expires = jiffies_to_cputime(1);
2346                 }
2347         }
2348
2349         /* Wake up the parent if it is waiting so that it can
2350            recheck wait permission to the new task SID. */
2351         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2352 }
2353
2354 /* superblock security operations */
2355
2356 static int selinux_sb_alloc_security(struct super_block *sb)
2357 {
2358         return superblock_alloc_security(sb);
2359 }
2360
2361 static void selinux_sb_free_security(struct super_block *sb)
2362 {
2363         superblock_free_security(sb);
2364 }
2365
2366 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2367 {
2368         if (plen > olen)
2369                 return 0;
2370
2371         return !memcmp(prefix, option, plen);
2372 }
2373
2374 static inline int selinux_option(char *option, int len)
2375 {
2376         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2377                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2378                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2379                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2380 }
2381
2382 static inline void take_option(char **to, char *from, int *first, int len)
2383 {
2384         if (!*first) {
2385                 **to = ',';
2386                 *to += 1;
2387         } else
2388                 *first = 0;
2389         memcpy(*to, from, len);
2390         *to += len;
2391 }
2392
2393 static inline void take_selinux_option(char **to, char *from, int *first,
2394                                        int len)
2395 {
2396         int current_size = 0;
2397
2398         if (!*first) {
2399                 **to = '|';
2400                 *to += 1;
2401         } else
2402                 *first = 0;
2403
2404         while (current_size < len) {
2405                 if (*from != '"') {
2406                         **to = *from;
2407                         *to += 1;
2408                 }
2409                 from += 1;
2410                 current_size += 1;
2411         }
2412 }
2413
2414 static int selinux_sb_copy_data(char *orig, char *copy)
2415 {
2416         int fnosec, fsec, rc = 0;
2417         char *in_save, *in_curr, *in_end;
2418         char *sec_curr, *nosec_save, *nosec;
2419         int open_quote = 0;
2420
2421         in_curr = orig;
2422         sec_curr = copy;
2423
2424         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2425         if (!nosec) {
2426                 rc = -ENOMEM;
2427                 goto out;
2428         }
2429
2430         nosec_save = nosec;
2431         fnosec = fsec = 1;
2432         in_save = in_end = orig;
2433
2434         do {
2435                 if (*in_end == '"')
2436                         open_quote = !open_quote;
2437                 if ((*in_end == ',' && open_quote == 0) ||
2438                                 *in_end == '\0') {
2439                         int len = in_end - in_curr;
2440
2441                         if (selinux_option(in_curr, len))
2442                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2443                         else
2444                                 take_option(&nosec, in_curr, &fnosec, len);
2445
2446                         in_curr = in_end + 1;
2447                 }
2448         } while (*in_end++);
2449
2450         strcpy(in_save, nosec_save);
2451         free_page((unsigned long)nosec_save);
2452 out:
2453         return rc;
2454 }
2455
2456 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2457 {
2458         struct avc_audit_data ad;
2459         int rc;
2460
2461         rc = superblock_doinit(sb, data);
2462         if (rc)
2463                 return rc;
2464
2465         AVC_AUDIT_DATA_INIT(&ad, FS);
2466         ad.u.fs.path.dentry = sb->s_root;
2467         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2468 }
2469
2470 static int selinux_sb_statfs(struct dentry *dentry)
2471 {
2472         struct avc_audit_data ad;
2473
2474         AVC_AUDIT_DATA_INIT(&ad, FS);
2475         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2476         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2477 }
2478
2479 static int selinux_mount(char *dev_name,
2480                          struct path *path,
2481                          char *type,
2482                          unsigned long flags,
2483                          void *data)
2484 {
2485         int rc;
2486
2487         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2488         if (rc)
2489                 return rc;
2490
2491         if (flags & MS_REMOUNT)
2492                 return superblock_has_perm(current, path->mnt->mnt_sb,
2493                                            FILESYSTEM__REMOUNT, NULL);
2494         else
2495                 return dentry_has_perm(current, path->mnt, path->dentry,
2496                                        FILE__MOUNTON);
2497 }
2498
2499 static int selinux_umount(struct vfsmount *mnt, int flags)
2500 {
2501         int rc;
2502
2503         rc = secondary_ops->sb_umount(mnt, flags);
2504         if (rc)
2505                 return rc;
2506
2507         return superblock_has_perm(current, mnt->mnt_sb,
2508                                    FILESYSTEM__UNMOUNT, NULL);
2509 }
2510
2511 /* inode security operations */
2512
2513 static int selinux_inode_alloc_security(struct inode *inode)
2514 {
2515         return inode_alloc_security(inode);
2516 }
2517
2518 static void selinux_inode_free_security(struct inode *inode)
2519 {
2520         inode_free_security(inode);
2521 }
2522
2523 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2524                                        char **name, void **value,
2525                                        size_t *len)
2526 {
2527         struct task_security_struct *tsec;
2528         struct inode_security_struct *dsec;
2529         struct superblock_security_struct *sbsec;
2530         u32 newsid, clen;
2531         int rc;
2532         char *namep = NULL, *context;
2533
2534         tsec = current->security;
2535         dsec = dir->i_security;
2536         sbsec = dir->i_sb->s_security;
2537
2538         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2539                 newsid = tsec->create_sid;
2540         } else {
2541                 rc = security_transition_sid(tsec->sid, dsec->sid,
2542                                              inode_mode_to_security_class(inode->i_mode),
2543                                              &newsid);
2544                 if (rc) {
2545                         printk(KERN_WARNING "%s:  "
2546                                "security_transition_sid failed, rc=%d (dev=%s "
2547                                "ino=%ld)\n",
2548                                __func__,
2549                                -rc, inode->i_sb->s_id, inode->i_ino);
2550                         return rc;
2551                 }
2552         }
2553
2554         /* Possibly defer initialization to selinux_complete_init. */
2555         if (sbsec->initialized) {
2556                 struct inode_security_struct *isec = inode->i_security;
2557                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2558                 isec->sid = newsid;
2559                 isec->initialized = 1;
2560         }
2561
2562         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2563                 return -EOPNOTSUPP;
2564
2565         if (name) {
2566                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2567                 if (!namep)
2568                         return -ENOMEM;
2569                 *name = namep;
2570         }
2571
2572         if (value && len) {
2573                 rc = security_sid_to_context_force(newsid, &context, &clen);
2574                 if (rc) {
2575                         kfree(namep);
2576                         return rc;
2577                 }
2578                 *value = context;
2579                 *len = clen;
2580         }
2581
2582         return 0;
2583 }
2584
2585 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2586 {
2587         return may_create(dir, dentry, SECCLASS_FILE);
2588 }
2589
2590 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2591 {
2592         int rc;
2593
2594         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2595         if (rc)
2596                 return rc;
2597         return may_link(dir, old_dentry, MAY_LINK);
2598 }
2599
2600 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2601 {
2602         int rc;
2603
2604         rc = secondary_ops->inode_unlink(dir, dentry);
2605         if (rc)
2606                 return rc;
2607         return may_link(dir, dentry, MAY_UNLINK);
2608 }
2609
2610 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2611 {
2612         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2613 }
2614
2615 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2616 {
2617         return may_create(dir, dentry, SECCLASS_DIR);
2618 }
2619
2620 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2621 {
2622         return may_link(dir, dentry, MAY_RMDIR);
2623 }
2624
2625 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2626 {
2627         int rc;
2628
2629         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2630         if (rc)
2631                 return rc;
2632
2633         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2634 }
2635
2636 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2637                                 struct inode *new_inode, struct dentry *new_dentry)
2638 {
2639         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2640 }
2641
2642 static int selinux_inode_readlink(struct dentry *dentry)
2643 {
2644         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2645 }
2646
2647 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2648 {
2649         int rc;
2650
2651         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2652         if (rc)
2653                 return rc;
2654         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2655 }
2656
2657 static int selinux_inode_permission(struct inode *inode, int mask,
2658                                     struct nameidata *nd)
2659 {
2660         int rc;
2661
2662         rc = secondary_ops->inode_permission(inode, mask, nd);
2663         if (rc)
2664                 return rc;
2665
2666         if (!mask) {
2667                 /* No permission to check.  Existence test. */
2668                 return 0;
2669         }
2670
2671         return inode_has_perm(current, inode,
2672                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2673 }
2674
2675 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2676 {
2677         int rc;
2678
2679         rc = secondary_ops->inode_setattr(dentry, iattr);
2680         if (rc)
2681                 return rc;
2682
2683         if (iattr->ia_valid & ATTR_FORCE)
2684                 return 0;
2685
2686         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2687                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2688                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2689
2690         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2691 }
2692
2693 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2694 {
2695         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2696 }
2697
2698 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2699 {
2700         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2701                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2702                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2703                         if (!capable(CAP_SETFCAP))
2704                                 return -EPERM;
2705                 } else if (!capable(CAP_SYS_ADMIN)) {
2706                         /* A different attribute in the security namespace.
2707                            Restrict to administrator. */
2708                         return -EPERM;
2709                 }
2710         }
2711
2712         /* Not an attribute we recognize, so just check the
2713            ordinary setattr permission. */
2714         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2715 }
2716
2717 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2718                                   const void *value, size_t size, int flags)
2719 {
2720         struct task_security_struct *tsec = current->security;
2721         struct inode *inode = dentry->d_inode;
2722         struct inode_security_struct *isec = inode->i_security;
2723         struct superblock_security_struct *sbsec;
2724         struct avc_audit_data ad;
2725         u32 newsid;
2726         int rc = 0;
2727
2728         if (strcmp(name, XATTR_NAME_SELINUX))
2729                 return selinux_inode_setotherxattr(dentry, name);
2730
2731         sbsec = inode->i_sb->s_security;
2732         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2733                 return -EOPNOTSUPP;
2734
2735         if (!is_owner_or_cap(inode))
2736                 return -EPERM;
2737
2738         AVC_AUDIT_DATA_INIT(&ad, FS);
2739         ad.u.fs.path.dentry = dentry;
2740
2741         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2742                           FILE__RELABELFROM, &ad);
2743         if (rc)
2744                 return rc;
2745
2746         rc = security_context_to_sid(value, size, &newsid);
2747         if (rc == -EINVAL) {
2748                 if (!capable(CAP_MAC_ADMIN))
2749                         return rc;
2750                 rc = security_context_to_sid_force(value, size, &newsid);
2751         }
2752         if (rc)
2753                 return rc;
2754
2755         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2756                           FILE__RELABELTO, &ad);
2757         if (rc)
2758                 return rc;
2759
2760         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2761                                           isec->sclass);
2762         if (rc)
2763                 return rc;
2764
2765         return avc_has_perm(newsid,
2766                             sbsec->sid,
2767                             SECCLASS_FILESYSTEM,
2768                             FILESYSTEM__ASSOCIATE,
2769                             &ad);
2770 }
2771
2772 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2773                                         const void *value, size_t size,
2774                                         int flags)
2775 {
2776         struct inode *inode = dentry->d_inode;
2777         struct inode_security_struct *isec = inode->i_security;
2778         u32 newsid;
2779         int rc;
2780
2781         if (strcmp(name, XATTR_NAME_SELINUX)) {
2782                 /* Not an attribute we recognize, so nothing to do. */
2783                 return;
2784         }
2785
2786         rc = security_context_to_sid_force(value, size, &newsid);
2787         if (rc) {
2788                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2789                        "for (%s, %lu), rc=%d\n",
2790                        inode->i_sb->s_id, inode->i_ino, -rc);
2791                 return;
2792         }
2793
2794         isec->sid = newsid;
2795         return;
2796 }
2797
2798 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2799 {
2800         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2801 }
2802
2803 static int selinux_inode_listxattr(struct dentry *dentry)
2804 {
2805         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2806 }
2807
2808 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2809 {
2810         if (strcmp(name, XATTR_NAME_SELINUX))
2811                 return selinux_inode_setotherxattr(dentry, name);
2812
2813         /* No one is allowed to remove a SELinux security label.
2814            You can change the label, but all data must be labeled. */
2815         return -EACCES;
2816 }
2817
2818 /*
2819  * Copy the inode security context value to the user.
2820  *
2821  * Permission check is handled by selinux_inode_getxattr hook.
2822  */
2823 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2824 {
2825         u32 size;
2826         int error;
2827         char *context = NULL;
2828         struct task_security_struct *tsec = current->security;
2829         struct inode_security_struct *isec = inode->i_security;
2830
2831         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2832                 return -EOPNOTSUPP;
2833
2834         /*
2835          * If the caller has CAP_MAC_ADMIN, then get the raw context
2836          * value even if it is not defined by current policy; otherwise,
2837          * use the in-core value under current policy.
2838          * Use the non-auditing forms of the permission checks since
2839          * getxattr may be called by unprivileged processes commonly
2840          * and lack of permission just means that we fall back to the
2841          * in-core context value, not a denial.
2842          */
2843         error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2844         if (!error)
2845                 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2846                                              SECCLASS_CAPABILITY2,
2847                                              CAPABILITY2__MAC_ADMIN,
2848                                              0,
2849                                              NULL);
2850         if (!error)
2851                 error = security_sid_to_context_force(isec->sid, &context,
2852                                                       &size);
2853         else
2854                 error = security_sid_to_context(isec->sid, &context, &size);
2855         if (error)
2856                 return error;
2857         error = size;
2858         if (alloc) {
2859                 *buffer = context;
2860                 goto out_nofree;
2861         }
2862         kfree(context);
2863 out_nofree:
2864         return error;
2865 }
2866
2867 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2868                                      const void *value, size_t size, int flags)
2869 {
2870         struct inode_security_struct *isec = inode->i_security;
2871         u32 newsid;
2872         int rc;
2873
2874         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2875                 return -EOPNOTSUPP;
2876
2877         if (!value || !size)
2878                 return -EACCES;
2879
2880         rc = security_context_to_sid((void *)value, size, &newsid);
2881         if (rc)
2882                 return rc;
2883
2884         isec->sid = newsid;
2885         return 0;
2886 }
2887
2888 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2889 {
2890         const int len = sizeof(XATTR_NAME_SELINUX);
2891         if (buffer && len <= buffer_size)
2892                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2893         return len;
2894 }
2895
2896 static int selinux_inode_need_killpriv(struct dentry *dentry)
2897 {
2898         return secondary_ops->inode_need_killpriv(dentry);
2899 }
2900
2901 static int selinux_inode_killpriv(struct dentry *dentry)
2902 {
2903         return secondary_ops->inode_killpriv(dentry);
2904 }
2905
2906 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2907 {
2908         struct inode_security_struct *isec = inode->i_security;
2909         *secid = isec->sid;
2910 }
2911
2912 /* file security operations */
2913
2914 static int selinux_revalidate_file_permission(struct file *file, int mask)
2915 {
2916         int rc;
2917         struct inode *inode = file->f_path.dentry->d_inode;
2918
2919         if (!mask) {
2920                 /* No permission to check.  Existence test. */
2921                 return 0;
2922         }
2923
2924         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2925         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2926                 mask |= MAY_APPEND;
2927
2928         rc = file_has_perm(current, file,
2929                            file_mask_to_av(inode->i_mode, mask));
2930         if (rc)
2931                 return rc;
2932
2933         return selinux_netlbl_inode_permission(inode, mask);
2934 }
2935
2936 static int selinux_file_permission(struct file *file, int mask)
2937 {
2938         struct inode *inode = file->f_path.dentry->d_inode;
2939         struct task_security_struct *tsec = current->security;
2940         struct file_security_struct *fsec = file->f_security;
2941         struct inode_security_struct *isec = inode->i_security;
2942
2943         if (!mask) {
2944                 /* No permission to check.  Existence test. */
2945                 return 0;
2946         }
2947
2948         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2949             && fsec->pseqno == avc_policy_seqno())
2950                 return selinux_netlbl_inode_permission(inode, mask);
2951
2952         return selinux_revalidate_file_permission(file, mask);
2953 }
2954
2955 static int selinux_file_alloc_security(struct file *file)
2956 {
2957         return file_alloc_security(file);
2958 }
2959
2960 static void selinux_file_free_security(struct file *file)
2961 {
2962         file_free_security(file);
2963 }
2964
2965 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2966                               unsigned long arg)
2967 {
2968         u32 av = 0;
2969
2970         if (_IOC_DIR(cmd) & _IOC_WRITE)
2971                 av |= FILE__WRITE;
2972         if (_IOC_DIR(cmd) & _IOC_READ)
2973                 av |= FILE__READ;
2974         if (!av)
2975                 av = FILE__IOCTL;
2976
2977         return file_has_perm(current, file, av);
2978 }
2979
2980 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2981 {
2982 #ifndef CONFIG_PPC32
2983         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2984                 /*
2985                  * We are making executable an anonymous mapping or a
2986                  * private file mapping that will also be writable.
2987                  * This has an additional check.
2988                  */
2989                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2990                 if (rc)
2991                         return rc;
2992         }
2993 #endif
2994
2995         if (file) {
2996                 /* read access is always possible with a mapping */
2997                 u32 av = FILE__READ;
2998
2999                 /* write access only matters if the mapping is shared */
3000                 if (shared && (prot & PROT_WRITE))
3001                         av |= FILE__WRITE;
3002
3003                 if (prot & PROT_EXEC)
3004                         av |= FILE__EXECUTE;
3005
3006                 return file_has_perm(current, file, av);
3007         }
3008         return 0;
3009 }
3010
3011 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3012                              unsigned long prot, unsigned long flags,
3013                              unsigned long addr, unsigned long addr_only)
3014 {
3015         int rc = 0;
3016         u32 sid = ((struct task_security_struct *)(current->security))->sid;
3017
3018         if (addr < mmap_min_addr)
3019                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3020                                   MEMPROTECT__MMAP_ZERO, NULL);
3021         if (rc || addr_only)
3022                 return rc;
3023
3024         if (selinux_checkreqprot)
3025                 prot = reqprot;
3026
3027         return file_map_prot_check(file, prot,
3028                                    (flags & MAP_TYPE) == MAP_SHARED);
3029 }
3030
3031 static int selinux_file_mprotect(struct vm_area_struct *vma,
3032                                  unsigned long reqprot,
3033                                  unsigned long prot)
3034 {
3035         int rc;
3036
3037         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3038         if (rc)
3039                 return rc;
3040
3041         if (selinux_checkreqprot)
3042                 prot = reqprot;
3043
3044 #ifndef CONFIG_PPC32
3045         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3046                 rc = 0;
3047                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3048                     vma->vm_end <= vma->vm_mm->brk) {
3049                         rc = task_has_perm(current, current,
3050                                            PROCESS__EXECHEAP);
3051                 } else if (!vma->vm_file &&
3052                            vma->vm_start <= vma->vm_mm->start_stack &&
3053                            vma->vm_end >= vma->vm_mm->start_stack) {
3054                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3055                 } else if (vma->vm_file && vma->anon_vma) {
3056                         /*
3057                          * We are making executable a file mapping that has
3058                          * had some COW done. Since pages might have been
3059                          * written, check ability to execute the possibly
3060                          * modified content.  This typically should only
3061                          * occur for text relocations.
3062                          */
3063                         rc = file_has_perm(current, vma->vm_file,
3064                                            FILE__EXECMOD);
3065                 }
3066                 if (rc)
3067                         return rc;
3068         }
3069 #endif
3070
3071         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3072 }
3073
3074 static int selinux_file_lock(struct file *file, unsigned int cmd)
3075 {
3076         return file_has_perm(current, file, FILE__LOCK);
3077 }
3078
3079 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3080                               unsigned long arg)
3081 {
3082         int err = 0;
3083
3084         switch (cmd) {
3085         case F_SETFL:
3086                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3087                         err = -EINVAL;
3088                         break;
3089                 }
3090
3091                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3092                         err = file_has_perm(current, file, FILE__WRITE);
3093                         break;
3094                 }
3095                 /* fall through */
3096         case F_SETOWN:
3097         case F_SETSIG:
3098         case F_GETFL:
3099         case F_GETOWN:
3100         case F_GETSIG:
3101                 /* Just check FD__USE permission */
3102                 err = file_has_perm(current, file, 0);
3103                 break;
3104         case F_GETLK:
3105         case F_SETLK:
3106         case F_SETLKW:
3107 #if BITS_PER_LONG == 32
3108         case F_GETLK64:
3109         case F_SETLK64:
3110         case F_SETLKW64:
3111 #endif
3112                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3113                         err = -EINVAL;
3114                         break;
3115                 }
3116                 err = file_has_perm(current, file, FILE__LOCK);
3117                 break;
3118         }
3119
3120         return err;
3121 }
3122
3123 static int selinux_file_set_fowner(struct file *file)
3124 {
3125         struct task_security_struct *tsec;
3126         struct file_security_struct *fsec;
3127
3128         tsec = current->security;
3129         fsec = file->f_security;
3130         fsec->fown_sid = tsec->sid;
3131
3132         return 0;
3133 }
3134
3135 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3136                                        struct fown_struct *fown, int signum)
3137 {
3138         struct file *file;
3139         u32 perm;
3140         struct task_security_struct *tsec;
3141         struct file_security_struct *fsec;
3142
3143         /* struct fown_struct is never outside the context of a struct file */
3144         file = container_of(fown, struct file, f_owner);
3145
3146         tsec = tsk->security;
3147         fsec = file->f_security;
3148
3149         if (!signum)
3150                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3151         else
3152                 perm = signal_to_av(signum);
3153
3154         return avc_has_perm(fsec->fown_sid, tsec->sid,
3155                             SECCLASS_PROCESS, perm, NULL);
3156 }
3157
3158 static int selinux_file_receive(struct file *file)
3159 {
3160         return file_has_perm(current, file, file_to_av(file));
3161 }
3162
3163 static int selinux_dentry_open(struct file *file)
3164 {
3165         struct file_security_struct *fsec;
3166         struct inode *inode;
3167         struct inode_security_struct *isec;
3168         inode = file->f_path.dentry->d_inode;
3169         fsec = file->f_security;
3170         isec = inode->i_security;
3171         /*
3172          * Save inode label and policy sequence number
3173          * at open-time so that selinux_file_permission
3174          * can determine whether revalidation is necessary.
3175          * Task label is already saved in the file security
3176          * struct as its SID.
3177          */
3178         fsec->isid = isec->sid;
3179         fsec->pseqno = avc_policy_seqno();
3180         /*
3181          * Since the inode label or policy seqno may have changed
3182          * between the selinux_inode_permission check and the saving
3183          * of state above, recheck that access is still permitted.
3184          * Otherwise, access might never be revalidated against the
3185          * new inode label or new policy.
3186          * This check is not redundant - do not remove.
3187          */
3188         return inode_has_perm(current, inode, file_to_av(file), NULL);
3189 }
3190
3191 /* task security operations */
3192
3193 static int selinux_task_create(unsigned long clone_flags)
3194 {
3195         int rc;
3196
3197         rc = secondary_ops->task_create(clone_flags);
3198         if (rc)
3199                 return rc;
3200
3201         return task_has_perm(current, current, PROCESS__FORK);
3202 }
3203
3204 static int selinux_task_alloc_security(struct task_struct *tsk)
3205 {
3206         struct task_security_struct *tsec1, *tsec2;
3207         int rc;
3208
3209         tsec1 = current->security;
3210
3211         rc = task_alloc_security(tsk);
3212         if (rc)
3213                 return rc;
3214         tsec2 = tsk->security;
3215
3216         tsec2->osid = tsec1->osid;
3217         tsec2->sid = tsec1->sid;
3218
3219         /* Retain the exec, fs, key, and sock SIDs across fork */
3220         tsec2->exec_sid = tsec1->exec_sid;
3221         tsec2->create_sid = tsec1->create_sid;
3222         tsec2->keycreate_sid = tsec1->keycreate_sid;
3223         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3224
3225         return 0;
3226 }
3227
3228 static void selinux_task_free_security(struct task_struct *tsk)
3229 {
3230         task_free_security(tsk);
3231 }
3232
3233 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3234 {
3235         /* Since setuid only affects the current process, and
3236            since the SELinux controls are not based on the Linux
3237            identity attributes, SELinux does not need to control
3238            this operation.  However, SELinux does control the use
3239            of the CAP_SETUID and CAP_SETGID capabilities using the
3240            capable hook. */
3241         return 0;
3242 }
3243
3244 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3245 {
3246         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3247 }
3248
3249 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3250 {
3251         /* See the comment for setuid above. */
3252         return 0;
3253 }
3254
3255 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3256 {
3257         return task_has_perm(current, p, PROCESS__SETPGID);
3258 }
3259
3260 static int selinux_task_getpgid(struct task_struct *p)
3261 {
3262         return task_has_perm(current, p, PROCESS__GETPGID);
3263 }
3264
3265 static int selinux_task_getsid(struct task_struct *p)
3266 {
3267         return task_has_perm(current, p, PROCESS__GETSESSION);
3268 }
3269
3270 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3271 {
3272         struct task_security_struct *tsec = p->security;
3273         *secid = tsec->sid;
3274 }
3275
3276 static int selinux_task_setgroups(struct group_info *group_info)
3277 {
3278         /* See the comment for setuid above. */
3279         return 0;
3280 }
3281
3282 static int selinux_task_setnice(struct task_struct *p, int nice)
3283 {
3284         int rc;
3285
3286         rc = secondary_ops->task_setnice(p, nice);
3287         if (rc)
3288                 return rc;
3289
3290         return task_has_perm(current, p, PROCESS__SETSCHED);
3291 }
3292
3293 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3294 {
3295         int rc;
3296
3297         rc = secondary_ops->task_setioprio(p, ioprio);
3298         if (rc)
3299                 return rc;
3300
3301         return task_has_perm(current, p, PROCESS__SETSCHED);
3302 }
3303
3304 static int selinux_task_getioprio(struct task_struct *p)
3305 {
3306         return task_has_perm(current, p, PROCESS__GETSCHED);
3307 }
3308
3309 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3310 {
3311         struct rlimit *old_rlim = current->signal->rlim + resource;
3312         int rc;
3313
3314         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3315         if (rc)
3316                 return rc;
3317
3318         /* Control the ability to change the hard limit (whether
3319            lowering or raising it), so that the hard limit can
3320            later be used as a safe reset point for the soft limit
3321            upon context transitions. See selinux_bprm_apply_creds. */
3322         if (old_rlim->rlim_max != new_rlim->rlim_max)
3323                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3324
3325         return 0;
3326 }
3327
3328 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3329 {
3330         int rc;
3331
3332         rc = secondary_ops->task_setscheduler(p, policy, lp);
3333         if (rc)
3334                 return rc;
3335
3336         return task_has_perm(current, p, PROCESS__SETSCHED);
3337 }
3338
3339 static int selinux_task_getscheduler(struct task_struct *p)
3340 {
3341         return task_has_perm(current, p, PROCESS__GETSCHED);
3342 }
3343
3344 static int selinux_task_movememory(struct task_struct *p)
3345 {
3346         return task_has_perm(current, p, PROCESS__SETSCHED);
3347 }
3348
3349 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3350                                 int sig, u32 secid)
3351 {
3352         u32 perm;
3353         int rc;
3354         struct task_security_struct *tsec;
3355
3356         rc = secondary_ops->task_kill(p, info, sig, secid);
3357         if (rc)
3358                 return rc;
3359
3360         if (!sig)
3361                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3362         else
3363                 perm = signal_to_av(sig);
3364         tsec = p->security;
3365         if (secid)
3366                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3367         else
3368                 rc = task_has_perm(current, p, perm);
3369         return rc;
3370 }
3371
3372 static int selinux_task_prctl(int option,
3373                               unsigned long arg2,
3374                               unsigned long arg3,
3375                               unsigned long arg4,
3376                               unsigned long arg5,
3377                               long *rc_p)
3378 {
3379         /* The current prctl operations do not appear to require
3380            any SELinux controls since they merely observe or modify
3381            the state of the current process. */
3382         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3383 }
3384
3385 static int selinux_task_wait(struct task_struct *p)
3386 {
3387         return task_has_perm(p, current, PROCESS__SIGCHLD);
3388 }
3389
3390 static void selinux_task_reparent_to_init(struct task_struct *p)
3391 {
3392         struct task_security_struct *tsec;
3393
3394         secondary_ops->task_reparent_to_init(p);
3395
3396         tsec = p->security;
3397         tsec->osid = tsec->sid;
3398         tsec->sid = SECINITSID_KERNEL;
3399         return;
3400 }
3401
3402 static void selinux_task_to_inode(struct task_struct *p,
3403                                   struct inode *inode)
3404 {
3405         struct task_security_struct *tsec = p->security;
3406         struct inode_security_struct *isec = inode->i_security;
3407
3408         isec->sid = tsec->sid;
3409         isec->initialized = 1;
3410         return;
3411 }
3412
3413 /* Returns error only if unable to parse addresses */
3414 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3415                         struct avc_audit_data *ad, u8 *proto)
3416 {
3417         int offset, ihlen, ret = -EINVAL;
3418         struct iphdr _iph, *ih;
3419
3420         offset = skb_network_offset(skb);
3421         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3422         if (ih == NULL)
3423                 goto out;
3424
3425         ihlen = ih->ihl * 4;
3426         if (ihlen < sizeof(_iph))
3427                 goto out;
3428
3429         ad->u.net.v4info.saddr = ih->saddr;
3430         ad->u.net.v4info.daddr = ih->daddr;
3431         ret = 0;
3432
3433         if (proto)
3434                 *proto = ih->protocol;
3435
3436         switch (ih->protocol) {
3437         case IPPROTO_TCP: {
3438                 struct tcphdr _tcph, *th;
3439
3440                 if (ntohs(ih->frag_off) & IP_OFFSET)
3441                         break;
3442
3443                 offset += ihlen;
3444                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3445                 if (th == NULL)
3446                         break;
3447
3448                 ad->u.net.sport = th->source;
3449                 ad->u.net.dport = th->dest;
3450                 break;
3451         }
3452
3453         case IPPROTO_UDP: {
3454                 struct udphdr _udph, *uh;
3455
3456                 if (ntohs(ih->frag_off) & IP_OFFSET)
3457                         break;
3458
3459                 offset += ihlen;
3460                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3461                 if (uh == NULL)
3462                         break;
3463
3464                 ad->u.net.sport = uh->source;
3465                 ad->u.net.dport = uh->dest;
3466                 break;
3467         }
3468
3469         case IPPROTO_DCCP: {
3470                 struct dccp_hdr _dccph, *dh;
3471
3472                 if (ntohs(ih->frag_off) & IP_OFFSET)
3473                         break;
3474
3475                 offset += ihlen;
3476                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3477                 if (dh == NULL)
3478                         break;
3479
3480                 ad->u.net.sport = dh->dccph_sport;
3481                 ad->u.net.dport = dh->dccph_dport;
3482                 break;
3483         }
3484
3485         default:
3486                 break;
3487         }
3488 out:
3489         return ret;
3490 }
3491
3492 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3493
3494 /* Returns error only if unable to parse addresses */
3495 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3496                         struct avc_audit_data *ad, u8 *proto)
3497 {
3498         u8 nexthdr;
3499         int ret = -EINVAL, offset;
3500         struct ipv6hdr _ipv6h, *ip6;
3501
3502         offset = skb_network_offset(skb);
3503         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3504         if (ip6 == NULL)
3505                 goto out;
3506
3507         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3508         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3509         ret = 0;
3510
3511         nexthdr = ip6->nexthdr;
3512         offset += sizeof(_ipv6h);
3513         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3514         if (offset < 0)
3515                 goto out;
3516
3517         if (proto)
3518                 *proto = nexthdr;
3519
3520         switch (nexthdr) {
3521         case IPPROTO_TCP: {
3522                 struct tcphdr _tcph, *th;
3523
3524                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3525                 if (th == NULL)
3526                         break;
3527
3528                 ad->u.net.sport = th->source;
3529                 ad->u.net.dport = th->dest;
3530                 break;
3531         }
3532
3533         case IPPROTO_UDP: {
3534                 struct udphdr _udph, *uh;
3535
3536                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3537                 if (uh == NULL)
3538                         break;
3539
3540                 ad->u.net.sport = uh->source;
3541                 ad->u.net.dport = uh->dest;
3542                 break;
3543         }
3544
3545         case IPPROTO_DCCP: {
3546                 struct dccp_hdr _dccph, *dh;
3547
3548                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3549                 if (dh == NULL)
3550                         break;
3551
3552                 ad->u.net.sport = dh->dccph_sport;
3553                 ad->u.net.dport = dh->dccph_dport;
3554                 break;
3555         }
3556
3557         /* includes fragments */
3558         default:
3559                 break;
3560         }
3561 out:
3562         return ret;
3563 }
3564
3565 #endif /* IPV6 */
3566
3567 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3568                              char **addrp, int src, u8 *proto)
3569 {
3570         int ret = 0;
3571
3572         switch (ad->u.net.family) {
3573         case PF_INET:
3574                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3575                 if (ret || !addrp)
3576                         break;
3577                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3578                                         &ad->u.net.v4info.daddr);
3579                 break;
3580
3581 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3582         case PF_INET6:
3583                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3584                 if (ret || !addrp)
3585                         break;
3586                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3587                                         &ad->u.net.v6info.daddr);
3588                 break;
3589 #endif  /* IPV6 */
3590         default:
3591                 break;
3592         }
3593
3594         if (unlikely(ret))
3595                 printk(KERN_WARNING
3596                        "SELinux: failure in selinux_parse_skb(),"
3597                        " unable to parse packet\n");
3598
3599         return ret;
3600 }
3601
3602 /**
3603  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3604  * @skb: the packet
3605  * @family: protocol family
3606  * @sid: the packet's peer label SID
3607  *
3608  * Description:
3609  * Check the various different forms of network peer labeling and determine
3610  * the peer label/SID for the packet; most of the magic actually occurs in
3611  * the security server function security_net_peersid_cmp().  The function
3612  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3613  * or -EACCES if @sid is invalid due to inconsistencies with the different
3614  * peer labels.
3615  *
3616  */
3617 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3618 {
3619         int err;
3620         u32 xfrm_sid;
3621         u32 nlbl_sid;
3622         u32 nlbl_type;
3623
3624         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3625         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3626
3627         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3628         if (unlikely(err)) {
3629                 printk(KERN_WARNING
3630                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3631                        " unable to determine packet's peer label\n");
3632                 return -EACCES;
3633         }
3634
3635         return 0;
3636 }
3637
3638 /* socket security operations */
3639 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3640                            u32 perms)
3641 {
3642         struct inode_security_struct *isec;
3643         struct task_security_struct *tsec;
3644         struct avc_audit_data ad;
3645         int err = 0;
3646
3647         tsec = task->security;
3648         isec = SOCK_INODE(sock)->i_security;
3649
3650         if (isec->sid == SECINITSID_KERNEL)
3651                 goto out;
3652
3653         AVC_AUDIT_DATA_INIT(&ad, NET);
3654         ad.u.net.sk = sock->sk;
3655         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3656
3657 out:
3658         return err;
3659 }
3660
3661 static int selinux_socket_create(int family, int type,
3662                                  int protocol, int kern)
3663 {
3664         int err = 0;
3665         struct task_security_struct *tsec;
3666         u32 newsid;
3667
3668         if (kern)
3669                 goto out;
3670
3671         tsec = current->security;
3672         newsid = tsec->sockcreate_sid ? : tsec->sid;
3673         err = avc_has_perm(tsec->sid, newsid,
3674                            socket_type_to_security_class(family, type,
3675                            protocol), SOCKET__CREATE, NULL);
3676
3677 out:
3678         return err;
3679 }
3680
3681 static int selinux_socket_post_create(struct socket *sock, int family,
3682                                       int type, int protocol, int kern)
3683 {
3684         int err = 0;
3685         struct inode_security_struct *isec;
3686         struct task_security_struct *tsec;
3687         struct sk_security_struct *sksec;
3688         u32 newsid;
3689
3690         isec = SOCK_INODE(sock)->i_security;
3691
3692         tsec = current->security;
3693         newsid = tsec->sockcreate_sid ? : tsec->sid;
3694         isec->sclass = socket_type_to_security_class(family, type, protocol);
3695         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3696         isec->initialized = 1;
3697
3698         if (sock->sk) {
3699                 sksec = sock->sk->sk_security;
3700                 sksec->sid = isec->sid;
3701                 sksec->sclass = isec->sclass;
3702                 err = selinux_netlbl_socket_post_create(sock);
3703         }
3704
3705         return err;
3706 }
3707
3708 /* Range of port numbers used to automatically bind.
3709    Need to determine whether we should perform a name_bind
3710    permission check between the socket and the port number. */
3711
3712 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3713 {
3714         u16 family;
3715         int err;
3716
3717         err = socket_has_perm(current, sock, SOCKET__BIND);
3718         if (err)
3719                 goto out;
3720
3721         /*
3722          * If PF_INET or PF_INET6, check name_bind permission for the port.
3723          * Multiple address binding for SCTP is not supported yet: we just
3724          * check the first address now.
3725          */
3726         family = sock->sk->sk_family;
3727         if (family == PF_INET || family == PF_INET6) {
3728                 char *addrp;
3729                 struct inode_security_struct *isec;
3730                 struct task_security_struct *tsec;
3731                 struct avc_audit_data ad;
3732                 struct sockaddr_in *addr4 = NULL;
3733                 struct sockaddr_in6 *addr6 = NULL;
3734                 unsigned short snum;
3735                 struct sock *sk = sock->sk;
3736                 u32 sid, node_perm;
3737
3738                 tsec = current->security;
3739                 isec = SOCK_INODE(sock)->i_security;
3740
3741                 if (family == PF_INET) {
3742                         addr4 = (struct sockaddr_in *)address;
3743                         snum = ntohs(addr4->sin_port);
3744                         addrp = (char *)&addr4->sin_addr.s_addr;
3745                 } else {
3746                         addr6 = (struct sockaddr_in6 *)address;
3747                         snum = ntohs(addr6->sin6_port);
3748                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3749                 }
3750
3751                 if (snum) {
3752                         int low, high;
3753
3754                         inet_get_local_port_range(&low, &high);
3755
3756                         if (snum < max(PROT_SOCK, low) || snum > high) {
3757                                 err = sel_netport_sid(sk->sk_protocol,
3758                                                       snum, &sid);
3759                                 if (err)
3760                                         goto out;
3761                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3762                                 ad.u.net.sport = htons(snum);
3763                                 ad.u.net.family = family;
3764                                 err = avc_has_perm(isec->sid, sid,
3765                                                    isec->sclass,
3766                                                    SOCKET__NAME_BIND, &ad);
3767                                 if (err)
3768                                         goto out;
3769                         }
3770                 }
3771
3772                 switch (isec->sclass) {
3773                 case SECCLASS_TCP_SOCKET:
3774                         node_perm = TCP_SOCKET__NODE_BIND;
3775                         break;
3776
3777                 case SECCLASS_UDP_SOCKET:
3778                         node_perm = UDP_SOCKET__NODE_BIND;
3779                         break;
3780
3781                 case SECCLASS_DCCP_SOCKET:
3782                         node_perm = DCCP_SOCKET__NODE_BIND;
3783                         break;
3784
3785                 default:
3786                         node_perm = RAWIP_SOCKET__NODE_BIND;
3787                         break;
3788                 }
3789
3790                 err = sel_netnode_sid(addrp, family, &sid);
3791                 if (err)
3792                         goto out;
3793
3794                 AVC_AUDIT_DATA_INIT(&ad, NET);
3795                 ad.u.net.sport = htons(snum);
3796                 ad.u.net.family = family;
3797
3798                 if (family == PF_INET)
3799                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3800                 else
3801                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3802
3803                 err = avc_has_perm(isec->sid, sid,
3804                                    isec->sclass, node_perm, &ad);
3805                 if (err)
3806                         goto out;
3807         }
3808 out:
3809         return err;
3810 }
3811
3812 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3813 {
3814         struct inode_security_struct *isec;
3815         int err;
3816
3817         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3818         if (err)
3819                 return err;
3820
3821         /*
3822          * If a TCP or DCCP socket, check name_connect permission for the port.
3823          */
3824         isec = SOCK_INODE(sock)->i_security;
3825         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3826             isec->sclass == SECCLASS_DCCP_SOCKET) {
3827                 struct sock *sk = sock->sk;
3828                 struct avc_audit_data ad;
3829                 struct sockaddr_in *addr4 = NULL;
3830                 struct sockaddr_in6 *addr6 = NULL;
3831                 unsigned short snum;
3832                 u32 sid, perm;
3833
3834                 if (sk->sk_family == PF_INET) {
3835                         addr4 = (struct sockaddr_in *)address;
3836                         if (addrlen < sizeof(struct sockaddr_in))
3837                                 return -EINVAL;
3838                         snum = ntohs(addr4->sin_port);
3839                 } else {
3840                         addr6 = (struct sockaddr_in6 *)address;
3841                         if (addrlen < SIN6_LEN_RFC2133)
3842                                 return -EINVAL;
3843                         snum = ntohs(addr6->sin6_port);
3844                 }
3845
3846                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3847                 if (err)
3848                         goto out;
3849
3850                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3851                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3852
3853                 AVC_AUDIT_DATA_INIT(&ad, NET);
3854                 ad.u.net.dport = htons(snum);
3855                 ad.u.net.family = sk->sk_family;
3856                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3857                 if (err)
3858                         goto out;
3859         }
3860
3861 out:
3862         return err;
3863 }
3864
3865 static int selinux_socket_listen(struct socket *sock, int backlog)
3866 {
3867         return socket_has_perm(current, sock, SOCKET__LISTEN);
3868 }
3869
3870 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3871 {
3872         int err;
3873         struct inode_security_struct *isec;
3874         struct inode_security_struct *newisec;
3875
3876         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3877         if (err)
3878                 return err;
3879
3880         newisec = SOCK_INODE(newsock)->i_security;
3881
3882         isec = SOCK_INODE(sock)->i_security;
3883         newisec->sclass = isec->sclass;
3884         newisec->sid = isec->sid;
3885         newisec->initialized = 1;
3886
3887         return 0;
3888 }
3889
3890 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3891                                   int size)
3892 {
3893         int rc;
3894
3895         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3896         if (rc)
3897                 return rc;
3898
3899         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3900 }
3901
3902 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3903                                   int size, int flags)
3904 {
3905         return socket_has_perm(current, sock, SOCKET__READ);
3906 }
3907
3908 static int selinux_socket_getsockname(struct socket *sock)
3909 {
3910         return socket_has_perm(current, sock, SOCKET__GETATTR);
3911 }
3912
3913 static int selinux_socket_getpeername(struct socket *sock)
3914 {
3915         return socket_has_perm(current, sock, SOCKET__GETATTR);
3916 }
3917
3918 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3919 {
3920         int err;
3921
3922         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3923         if (err)
3924                 return err;
3925
3926         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3927 }
3928
3929 static int selinux_socket_getsockopt(struct socket *sock, int level,
3930                                      int optname)
3931 {
3932         return socket_has_perm(current, sock, SOCKET__GETOPT);
3933 }
3934
3935 static int selinux_socket_shutdown(struct socket *sock, int how)
3936 {
3937         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3938 }
3939
3940 static int selinux_socket_unix_stream_connect(struct socket *sock,
3941                                               struct socket *other,
3942                                               struct sock *newsk)
3943 {
3944         struct sk_security_struct *ssec;
3945         struct inode_security_struct *isec;
3946         struct inode_security_struct *other_isec;
3947         struct avc_audit_data ad;
3948         int err;
3949
3950         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3951         if (err)
3952                 return err;
3953
3954         isec = SOCK_INODE(sock)->i_security;
3955         other_isec = SOCK_INODE(other)->i_security;
3956
3957         AVC_AUDIT_DATA_INIT(&ad, NET);
3958         ad.u.net.sk = other->sk;
3959
3960         err = avc_has_perm(isec->sid, other_isec->sid,
3961                            isec->sclass,
3962                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3963         if (err)
3964                 return err;
3965
3966         /* connecting socket */
3967         ssec = sock->sk->sk_security;
3968         ssec->peer_sid = other_isec->sid;
3969
3970         /* server child socket */
3971         ssec = newsk->sk_security;
3972         ssec->peer_sid = isec->sid;
3973         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3974
3975         return err;
3976 }
3977
3978 static int selinux_socket_unix_may_send(struct socket *sock,
3979                                         struct socket *other)
3980 {
3981         struct inode_security_struct *isec;
3982         struct inode_security_struct *other_isec;
3983         struct avc_audit_data ad;
3984         int err;
3985
3986         isec = SOCK_INODE(sock)->i_security;
3987         other_isec = SOCK_INODE(other)->i_security;
3988
3989         AVC_AUDIT_DATA_INIT(&ad, NET);
3990         ad.u.net.sk = other->sk;
3991
3992         err = avc_has_perm(isec->sid, other_isec->sid,
3993                            isec->sclass, SOCKET__SENDTO, &ad);
3994         if (err)
3995                 return err;
3996
3997         return 0;
3998 }
3999
4000 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4001                                     u32 peer_sid,
4002                                     struct avc_audit_data *ad)
4003 {
4004         int err;
4005         u32 if_sid;
4006         u32 node_sid;
4007
4008         err = sel_netif_sid(ifindex, &if_sid);
4009         if (err)
4010                 return err;
4011         err = avc_has_perm(peer_sid, if_sid,
4012                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4013         if (err)
4014                 return err;
4015
4016         err = sel_netnode_sid(addrp, family, &node_sid);
4017         if (err)
4018                 return err;
4019         return avc_has_perm(peer_sid, node_sid,
4020                             SECCLASS_NODE, NODE__RECVFROM, ad);
4021 }
4022
4023 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4024                                                 struct sk_buff *skb,
4025                                                 struct avc_audit_data *ad,
4026                                                 u16 family,
4027                                                 char *addrp)
4028 {
4029         int err;
4030         struct sk_security_struct *sksec = sk->sk_security;
4031         u16 sk_class;
4032         u32 netif_perm, node_perm, recv_perm;
4033         u32 port_sid, node_sid, if_sid, sk_sid;
4034
4035         sk_sid = sksec->sid;
4036         sk_class = sksec->sclass;
4037
4038         switch (sk_class) {
4039         case SECCLASS_UDP_SOCKET:
4040                 netif_perm = NETIF__UDP_RECV;
4041                 node_perm = NODE__UDP_RECV;
4042                 recv_perm = UDP_SOCKET__RECV_MSG;
4043                 break;
4044         case SECCLASS_TCP_SOCKET:
4045                 netif_perm = NETIF__TCP_RECV;
4046                 node_perm = NODE__TCP_RECV;
4047                 recv_perm = TCP_SOCKET__RECV_MSG;
4048                 break;
4049         case SECCLASS_DCCP_SOCKET:
4050                 netif_perm = NETIF__DCCP_RECV;
4051                 node_perm = NODE__DCCP_RECV;
4052                 recv_perm = DCCP_SOCKET__RECV_MSG;
4053                 break;
4054         default:
4055                 netif_perm = NETIF__RAWIP_RECV;
4056                 node_perm = NODE__RAWIP_RECV;
4057                 recv_perm = 0;
4058                 break;
4059         }
4060
4061         err = sel_netif_sid(skb->iif, &if_sid);
4062         if (err)
4063                 return err;
4064         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4065         if (err)
4066                 return err;
4067
4068         err = sel_netnode_sid(addrp, family, &node_sid);
4069         if (err)
4070                 return err;
4071         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4072         if (err)
4073                 return err;
4074
4075         if (!recv_perm)
4076                 return 0;
4077         err = sel_netport_sid(sk->sk_protocol,
4078                               ntohs(ad->u.net.sport), &port_sid);
4079         if (unlikely(err)) {
4080                 printk(KERN_WARNING
4081                        "SELinux: failure in"
4082                        " selinux_sock_rcv_skb_iptables_compat(),"
4083                        " network port label not found\n");
4084                 return err;
4085         }
4086         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4087 }
4088
4089 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4090                                        struct avc_audit_data *ad,
4091                                        u16 family, char *addrp)
4092 {
4093         int err;
4094         struct sk_security_struct *sksec = sk->sk_security;
4095         u32 peer_sid;
4096         u32 sk_sid = sksec->sid;
4097
4098         if (selinux_compat_net)
4099                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4100                                                            family, addrp);
4101         else
4102                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4103                                    PACKET__RECV, ad);
4104         if (err)
4105                 return err;
4106
4107         if (selinux_policycap_netpeer) {
4108                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4109                 if (err)
4110                         return err;
4111                 err = avc_has_perm(sk_sid, peer_sid,
4112                                    SECCLASS_PEER, PEER__RECV, ad);
4113         } else {
4114                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4115                 if (err)
4116                         return err;
4117                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4118         }
4119
4120         return err;
4121 }
4122
4123 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4124 {
4125         int err;
4126         struct sk_security_struct *sksec = sk->sk_security;
4127         u16 family = sk->sk_family;
4128         u32 sk_sid = sksec->sid;
4129         struct avc_audit_data ad;
4130         char *addrp;
4131
4132         if (family != PF_INET && family != PF_INET6)
4133                 return 0;
4134
4135         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4136         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4137                 family = PF_INET;
4138
4139         AVC_AUDIT_DATA_INIT(&ad, NET);
4140         ad.u.net.netif = skb->iif;
4141         ad.u.net.family = family;
4142         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4143         if (err)
4144                 return err;
4145
4146         /* If any sort of compatibility mode is enabled then handoff processing
4147          * to the selinux_sock_rcv_skb_compat() function to deal with the
4148          * special handling.  We do this in an attempt to keep this function
4149          * as fast and as clean as possible. */
4150         if (selinux_compat_net || !selinux_policycap_netpeer)
4151                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4152                                                    family, addrp);
4153
4154         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4155                 u32 peer_sid;
4156
4157                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4158                 if (err)
4159                         return err;
4160                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4161                                                peer_sid, &ad);
4162                 if (err)
4163                         return err;
4164                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4165                                    PEER__RECV, &ad);
4166         }
4167
4168         if (selinux_secmark_enabled()) {
4169                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4170                                    PACKET__RECV, &ad);
4171                 if (err)
4172                         return err;
4173         }
4174
4175         return err;
4176 }
4177
4178 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4179                                             int __user *optlen, unsigned len)
4180 {
4181         int err = 0;
4182         char *scontext;
4183         u32 scontext_len;
4184         struct sk_security_struct *ssec;
4185         struct inode_security_struct *isec;
4186         u32 peer_sid = SECSID_NULL;
4187
4188         isec = SOCK_INODE(sock)->i_security;
4189
4190         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4191             isec->sclass == SECCLASS_TCP_SOCKET) {
4192                 ssec = sock->sk->sk_security;
4193                 peer_sid = ssec->peer_sid;
4194         }
4195         if (peer_sid == SECSID_NULL) {
4196                 err = -ENOPROTOOPT;
4197                 goto out;
4198         }
4199
4200         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4201
4202         if (err)
4203                 goto out;
4204
4205         if (scontext_len > len) {
4206                 err = -ERANGE;
4207                 goto out_len;
4208         }
4209
4210         if (copy_to_user(optval, scontext, scontext_len))
4211                 err = -EFAULT;
4212
4213 out_len:
4214         if (put_user(scontext_len, optlen))
4215                 err = -EFAULT;
4216
4217         kfree(scontext);
4218 out:
4219         return err;
4220 }
4221
4222 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4223 {
4224         u32 peer_secid = SECSID_NULL;
4225         u16 family;
4226
4227         if (sock)
4228                 family = sock->sk->sk_family;
4229         else if (skb && skb->sk)
4230                 family = skb->sk->sk_family;
4231         else
4232                 goto out;
4233
4234         if (sock && family == PF_UNIX)
4235                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4236         else if (skb)
4237                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4238
4239 out:
4240         *secid = peer_secid;
4241         if (peer_secid == SECSID_NULL)
4242                 return -EINVAL;
4243         return 0;
4244 }
4245
4246 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4247 {
4248         return sk_alloc_security(sk, family, priority);
4249 }
4250
4251 static void selinux_sk_free_security(struct sock *sk)
4252 {
4253         sk_free_security(sk);
4254 }
4255
4256 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4257 {
4258         struct sk_security_struct *ssec = sk->sk_security;
4259         struct sk_security_struct *newssec = newsk->sk_security;
4260
4261         newssec->sid = ssec->sid;
4262         newssec->peer_sid = ssec->peer_sid;
4263         newssec->sclass = ssec->sclass;
4264
4265         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4266 }
4267
4268 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4269 {
4270         if (!sk)
4271                 *secid = SECINITSID_ANY_SOCKET;
4272         else {
4273                 struct sk_security_struct *sksec = sk->sk_security;
4274
4275                 *secid = sksec->sid;
4276         }
4277 }
4278
4279 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4280 {
4281         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4282         struct sk_security_struct *sksec = sk->sk_security;
4283
4284         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4285             sk->sk_family == PF_UNIX)
4286                 isec->sid = sksec->sid;
4287         sksec->sclass = isec->sclass;
4288
4289         selinux_netlbl_sock_graft(sk, parent);
4290 }
4291
4292 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4293                                      struct request_sock *req)
4294 {
4295         struct sk_security_struct *sksec = sk->sk_security;
4296         int err;
4297         u32 newsid;
4298         u32 peersid;
4299
4300         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4301         if (err)
4302                 return err;
4303         if (peersid == SECSID_NULL) {
4304                 req->secid = sksec->sid;
4305                 req->peer_secid = SECSID_NULL;
4306                 return 0;
4307         }
4308
4309         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4310         if (err)
4311                 return err;
4312
4313         req->secid = newsid;
4314         req->peer_secid = peersid;
4315         return 0;
4316 }
4317
4318 static void selinux_inet_csk_clone(struct sock *newsk,
4319                                    const struct request_sock *req)
4320 {
4321         struct sk_security_struct *newsksec = newsk->sk_security;
4322
4323         newsksec->sid = req->secid;
4324         newsksec->peer_sid = req->peer_secid;
4325         /* NOTE: Ideally, we should also get the isec->sid for the
4326            new socket in sync, but we don't have the isec available yet.
4327            So we will wait until sock_graft to do it, by which
4328            time it will have been created and available. */
4329
4330         /* We don't need to take any sort of lock here as we are the only
4331          * thread with access to newsksec */
4332         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4333 }
4334
4335 static void selinux_inet_conn_established(struct sock *sk,
4336                                 struct sk_buff *skb)
4337 {
4338         struct sk_security_struct *sksec = sk->sk_security;
4339
4340         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4341 }
4342
4343 static void selinux_req_classify_flow(const struct request_sock *req,
4344                                       struct flowi *fl)
4345 {
4346         fl->secid = req->secid;
4347 }
4348
4349 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4350 {
4351         int err = 0;
4352         u32 perm;
4353         struct nlmsghdr *nlh;
4354         struct socket *sock = sk->sk_socket;
4355         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4356
4357         if (skb->len < NLMSG_SPACE(0)) {
4358                 err = -EINVAL;
4359                 goto out;
4360         }
4361         nlh = nlmsg_hdr(skb);
4362
4363         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4364         if (err) {
4365                 if (err == -EINVAL) {
4366                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4367                                   "SELinux:  unrecognized netlink message"
4368                                   " type=%hu for sclass=%hu\n",
4369                                   nlh->nlmsg_type, isec->sclass);
4370                         if (!selinux_enforcing)
4371                                 err = 0;
4372                 }
4373
4374                 /* Ignore */
4375                 if (err == -ENOENT)
4376                         err = 0;
4377                 goto out;
4378         }
4379
4380         err = socket_has_perm(current, sock, perm);
4381 out:
4382         return err;
4383 }
4384
4385 #ifdef CONFIG_NETFILTER
4386
4387 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4388                                        u16 family)
4389 {
4390         char *addrp;
4391         u32 peer_sid;
4392         struct avc_audit_data ad;
4393         u8 secmark_active;
4394         u8 peerlbl_active;
4395
4396         if (!selinux_policycap_netpeer)
4397                 return NF_ACCEPT;
4398
4399         secmark_active = selinux_secmark_enabled();
4400         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4401         if (!secmark_active && !peerlbl_active)
4402                 return NF_ACCEPT;
4403
4404         AVC_AUDIT_DATA_INIT(&ad, NET);
4405         ad.u.net.netif = ifindex;
4406         ad.u.net.family = family;
4407         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4408                 return NF_DROP;
4409
4410         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4411                 return NF_DROP;
4412
4413         if (peerlbl_active)
4414                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4415                                              peer_sid, &ad) != 0)
4416                         return NF_DROP;
4417
4418         if (secmark_active)
4419                 if (avc_has_perm(peer_sid, skb->secmark,
4420                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4421                         return NF_DROP;
4422
4423         return NF_ACCEPT;
4424 }
4425
4426 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4427                                          struct sk_buff *skb,
4428                                          const struct net_device *in,
4429                                          const struct net_device *out,
4430                                          int (*okfn)(struct sk_buff *))
4431 {
4432         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4433 }
4434
4435 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4436 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4437                                          struct sk_buff *skb,
4438                                          const struct net_device *in,
4439                                          const struct net_device *out,
4440                                          int (*okfn)(struct sk_buff *))
4441 {
4442         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4443 }
4444 #endif  /* IPV6 */
4445
4446 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4447                                                 int ifindex,
4448                                                 struct avc_audit_data *ad,
4449                                                 u16 family, char *addrp)
4450 {
4451         int err;
4452         struct sk_security_struct *sksec = sk->sk_security;
4453         u16 sk_class;
4454         u32 netif_perm, node_perm, send_perm;
4455         u32 port_sid, node_sid, if_sid, sk_sid;
4456
4457         sk_sid = sksec->sid;
4458         sk_class = sksec->sclass;
4459
4460         switch (sk_class) {
4461         case SECCLASS_UDP_SOCKET:
4462                 netif_perm = NETIF__UDP_SEND;
4463                 node_perm = NODE__UDP_SEND;
4464                 send_perm = UDP_SOCKET__SEND_MSG;
4465                 break;
4466         case SECCLASS_TCP_SOCKET:
4467                 netif_perm = NETIF__TCP_SEND;
4468                 node_perm = NODE__TCP_SEND;
4469                 send_perm = TCP_SOCKET__SEND_MSG;
4470                 break;
4471         case SECCLASS_DCCP_SOCKET:
4472                 netif_perm = NETIF__DCCP_SEND;
4473                 node_perm = NODE__DCCP_SEND;
4474                 send_perm = DCCP_SOCKET__SEND_MSG;
4475                 break;
4476         default:
4477                 netif_perm = NETIF__RAWIP_SEND;
4478                 node_perm = NODE__RAWIP_SEND;
4479                 send_perm = 0;
4480                 break;
4481         }
4482
4483         err = sel_netif_sid(ifindex, &if_sid);
4484         if (err)
4485                 return err;
4486         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4487                 return err;
4488
4489         err = sel_netnode_sid(addrp, family, &node_sid);
4490         if (err)
4491                 return err;
4492         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4493         if (err)
4494                 return err;
4495
4496         if (send_perm != 0)
4497                 return 0;
4498
4499         err = sel_netport_sid(sk->sk_protocol,
4500                               ntohs(ad->u.net.dport), &port_sid);
4501         if (unlikely(err)) {
4502                 printk(KERN_WARNING
4503                        "SELinux: failure in"
4504                        " selinux_ip_postroute_iptables_compat(),"
4505                        " network port label not found\n");
4506                 return err;
4507         }
4508         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4509 }
4510
4511 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4512                                                 int ifindex,
4513                                                 struct avc_audit_data *ad,
4514                                                 u16 family,
4515                                                 char *addrp,
4516                                                 u8 proto)
4517 {
4518         struct sock *sk = skb->sk;
4519         struct sk_security_struct *sksec;
4520
4521         if (sk == NULL)
4522                 return NF_ACCEPT;
4523         sksec = sk->sk_security;
4524
4525         if (selinux_compat_net) {
4526                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4527                                                          ad, family, addrp))
4528                         return NF_DROP;
4529         } else {
4530                 if (avc_has_perm(sksec->sid, skb->secmark,
4531                                  SECCLASS_PACKET, PACKET__SEND, ad))
4532                         return NF_DROP;
4533         }
4534
4535         if (selinux_policycap_netpeer)
4536                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4537                         return NF_DROP;
4538
4539         return NF_ACCEPT;
4540 }
4541
4542 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4543                                          u16 family)
4544 {
4545         u32 secmark_perm;
4546         u32 peer_sid;
4547         struct sock *sk;
4548         struct avc_audit_data ad;
4549         char *addrp;
4550         u8 proto;
4551         u8 secmark_active;
4552         u8 peerlbl_active;
4553
4554         AVC_AUDIT_DATA_INIT(&ad, NET);
4555         ad.u.net.netif = ifindex;
4556         ad.u.net.family = family;
4557         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4558                 return NF_DROP;
4559
4560         /* If any sort of compatibility mode is enabled then handoff processing
4561          * to the selinux_ip_postroute_compat() function to deal with the
4562          * special handling.  We do this in an attempt to keep this function
4563          * as fast and as clean as possible. */
4564         if (selinux_compat_net || !selinux_policycap_netpeer)
4565                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4566                                                    family, addrp, proto);
4567
4568         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4569          * packet transformation so allow the packet to pass without any checks
4570          * since we'll have another chance to perform access control checks
4571          * when the packet is on it's final way out.
4572          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4573          *       is NULL, in this case go ahead and apply access control. */
4574         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4575                 return NF_ACCEPT;
4576
4577         secmark_active = selinux_secmark_enabled();
4578         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4579         if (!secmark_active && !peerlbl_active)
4580                 return NF_ACCEPT;
4581
4582         /* if the packet is locally generated (skb->sk != NULL) then use the
4583          * socket's label as the peer label, otherwise the packet is being
4584          * forwarded through this system and we need to fetch the peer label
4585          * directly from the packet */
4586         sk = skb->sk;
4587         if (sk) {
4588                 struct sk_security_struct *sksec = sk->sk_security;
4589                 peer_sid = sksec->sid;
4590                 secmark_perm = PACKET__SEND;
4591         } else {
4592                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4593                                 return NF_DROP;
4594                 secmark_perm = PACKET__FORWARD_OUT;
4595         }
4596
4597         if (secmark_active)
4598                 if (avc_has_perm(peer_sid, skb->secmark,
4599                                  SECCLASS_PACKET, secmark_perm, &ad))
4600                         return NF_DROP;
4601
4602         if (peerlbl_active) {
4603                 u32 if_sid;
4604                 u32 node_sid;
4605
4606                 if (sel_netif_sid(ifindex, &if_sid))
4607                         return NF_DROP;
4608                 if (avc_has_perm(peer_sid, if_sid,
4609                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4610                         return NF_DROP;
4611
4612                 if (sel_netnode_sid(addrp, family, &node_sid))
4613                         return NF_DROP;
4614                 if (avc_has_perm(peer_sid, node_sid,
4615                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4616                         return NF_DROP;
4617         }
4618
4619         return NF_ACCEPT;
4620 }
4621
4622 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4623                                            struct sk_buff *skb,
4624                                            const struct net_device *in,
4625                                            const struct net_device *out,
4626                                            int (*okfn)(struct sk_buff *))
4627 {
4628         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4629 }
4630
4631 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4632 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4633                                            struct sk_buff *skb,
4634                                            const struct net_device *in,
4635                                            const struct net_device *out,
4636                                            int (*okfn)(struct sk_buff *))
4637 {
4638         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4639 }
4640 #endif  /* IPV6 */
4641
4642 #endif  /* CONFIG_NETFILTER */
4643
4644 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4645 {
4646         int err;
4647
4648         err = secondary_ops->netlink_send(sk, skb);
4649         if (err)
4650                 return err;
4651
4652         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4653                 err = selinux_nlmsg_perm(sk, skb);
4654
4655         return err;
4656 }
4657
4658 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4659 {
4660         int err;
4661         struct avc_audit_data ad;
4662
4663         err = secondary_ops->netlink_recv(skb, capability);
4664         if (err)
4665                 return err;
4666
4667         AVC_AUDIT_DATA_INIT(&ad, CAP);
4668         ad.u.cap = capability;
4669
4670         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4671                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4672 }
4673
4674 static int ipc_alloc_security(struct task_struct *task,
4675                               struct kern_ipc_perm *perm,
4676                               u16 sclass)
4677 {
4678         struct task_security_struct *tsec = task->security;
4679         struct ipc_security_struct *isec;
4680
4681         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4682         if (!isec)
4683                 return -ENOMEM;
4684
4685         isec->sclass = sclass;
4686         isec->sid = tsec->sid;
4687         perm->security = isec;
4688
4689         return 0;
4690 }
4691
4692 static void ipc_free_security(struct kern_ipc_perm *perm)
4693 {
4694         struct ipc_security_struct *isec = perm->security;
4695         perm->security = NULL;
4696         kfree(isec);
4697 }
4698
4699 static int msg_msg_alloc_security(struct msg_msg *msg)
4700 {
4701         struct msg_security_struct *msec;
4702
4703         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4704         if (!msec)
4705                 return -ENOMEM;
4706
4707         msec->sid = SECINITSID_UNLABELED;
4708         msg->security = msec;
4709
4710         return 0;
4711 }
4712
4713 static void msg_msg_free_security(struct msg_msg *msg)
4714 {
4715         struct msg_security_struct *msec = msg->security;
4716
4717         msg->security = NULL;
4718         kfree(msec);
4719 }
4720
4721 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4722                         u32 perms)
4723 {
4724         struct task_security_struct *tsec;
4725         struct ipc_security_struct *isec;
4726         struct avc_audit_data ad;
4727
4728         tsec = current->security;
4729         isec = ipc_perms->security;
4730
4731         AVC_AUDIT_DATA_INIT(&ad, IPC);
4732         ad.u.ipc_id = ipc_perms->key;
4733
4734         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4735 }
4736
4737 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4738 {
4739         return msg_msg_alloc_security(msg);
4740 }
4741
4742 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4743 {
4744         msg_msg_free_security(msg);
4745 }
4746
4747 /* message queue security operations */
4748 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4749 {
4750         struct task_security_struct *tsec;
4751         struct ipc_security_struct *isec;
4752         struct avc_audit_data ad;
4753         int rc;
4754
4755         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4756         if (rc)
4757                 return rc;
4758
4759         tsec = current->security;
4760         isec = msq->q_perm.security;
4761
4762         AVC_AUDIT_DATA_INIT(&ad, IPC);
4763         ad.u.ipc_id = msq->q_perm.key;
4764
4765         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4766                           MSGQ__CREATE, &ad);
4767         if (rc) {
4768                 ipc_free_security(&msq->q_perm);
4769                 return rc;
4770         }
4771         return 0;
4772 }
4773
4774 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4775 {
4776         ipc_free_security(&msq->q_perm);
4777 }
4778
4779 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4780 {
4781         struct task_security_struct *tsec;
4782         struct ipc_security_struct *isec;
4783         struct avc_audit_data ad;
4784
4785         tsec = current->security;
4786         isec = msq->q_perm.security;
4787
4788         AVC_AUDIT_DATA_INIT(&ad, IPC);
4789         ad.u.ipc_id = msq->q_perm.key;
4790
4791         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4792                             MSGQ__ASSOCIATE, &ad);
4793 }
4794
4795 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4796 {
4797         int err;
4798         int perms;
4799
4800         switch (cmd) {
4801         case IPC_INFO:
4802         case MSG_INFO:
4803                 /* No specific object, just general system-wide information. */
4804                 return task_has_system(current, SYSTEM__IPC_INFO);
4805         case IPC_STAT:
4806         case MSG_STAT:
4807                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4808                 break;
4809         case IPC_SET:
4810                 perms = MSGQ__SETATTR;
4811                 break;
4812         case IPC_RMID:
4813                 perms = MSGQ__DESTROY;
4814                 break;
4815         default:
4816                 return 0;
4817         }
4818
4819         err = ipc_has_perm(&msq->q_perm, perms);
4820         return err;
4821 }
4822
4823 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4824 {
4825         struct task_security_struct *tsec;
4826         struct ipc_security_struct *isec;
4827         struct msg_security_struct *msec;
4828         struct avc_audit_data ad;
4829         int rc;
4830
4831         tsec = current->security;
4832         isec = msq->q_perm.security;
4833         msec = msg->security;
4834
4835         /*
4836          * First time through, need to assign label to the message
4837          */
4838         if (msec->sid == SECINITSID_UNLABELED) {
4839                 /*
4840                  * Compute new sid based on current process and
4841                  * message queue this message will be stored in
4842                  */
4843                 rc = security_transition_sid(tsec->sid,
4844                                              isec->sid,
4845                                              SECCLASS_MSG,
4846                                              &msec->sid);
4847                 if (rc)
4848                         return rc;
4849         }
4850
4851         AVC_AUDIT_DATA_INIT(&ad, IPC);
4852         ad.u.ipc_id = msq->q_perm.key;
4853
4854         /* Can this process write to the queue? */
4855         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4856                           MSGQ__WRITE, &ad);
4857         if (!rc)
4858                 /* Can this process send the message */
4859                 rc = avc_has_perm(tsec->sid, msec->sid,
4860                                   SECCLASS_MSG, MSG__SEND, &ad);
4861         if (!rc)
4862                 /* Can the message be put in the queue? */
4863                 rc = avc_has_perm(msec->sid, isec->sid,
4864                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4865
4866         return rc;
4867 }
4868
4869 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4870                                     struct task_struct *target,
4871                                     long type, int mode)
4872 {
4873         struct task_security_struct *tsec;
4874         struct ipc_security_struct *isec;
4875         struct msg_security_struct *msec;
4876         struct avc_audit_data ad;
4877         int rc;
4878
4879         tsec = target->security;
4880         isec = msq->q_perm.security;
4881         msec = msg->security;
4882
4883         AVC_AUDIT_DATA_INIT(&ad, IPC);
4884         ad.u.ipc_id = msq->q_perm.key;
4885
4886         rc = avc_has_perm(tsec->sid, isec->sid,
4887                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4888         if (!rc)
4889                 rc = avc_has_perm(tsec->sid, msec->sid,
4890                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4891         return rc;
4892 }
4893
4894 /* Shared Memory security operations */
4895 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4896 {
4897         struct task_security_struct *tsec;
4898         struct ipc_security_struct *isec;
4899         struct avc_audit_data ad;
4900         int rc;
4901
4902         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4903         if (rc)
4904                 return rc;
4905
4906         tsec = current->security;
4907         isec = shp->shm_perm.security;
4908
4909         AVC_AUDIT_DATA_INIT(&ad, IPC);
4910         ad.u.ipc_id = shp->shm_perm.key;
4911
4912         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4913                           SHM__CREATE, &ad);
4914         if (rc) {
4915                 ipc_free_security(&shp->shm_perm);
4916                 return rc;
4917         }
4918         return 0;
4919 }
4920
4921 static void selinux_shm_free_security(struct shmid_kernel *shp)
4922 {
4923         ipc_free_security(&shp->shm_perm);
4924 }
4925
4926 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4927 {
4928         struct task_security_struct *tsec;
4929         struct ipc_security_struct *isec;
4930         struct avc_audit_data ad;
4931
4932         tsec = current->security;
4933         isec = shp->shm_perm.security;
4934
4935         AVC_AUDIT_DATA_INIT(&ad, IPC);
4936         ad.u.ipc_id = shp->shm_perm.key;
4937
4938         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4939                             SHM__ASSOCIATE, &ad);
4940 }
4941
4942 /* Note, at this point, shp is locked down */
4943 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4944 {
4945         int perms;
4946         int err;
4947
4948         switch (cmd) {
4949         case IPC_INFO:
4950         case SHM_INFO:
4951                 /* No specific object, just general system-wide information. */
4952                 return task_has_system(current, SYSTEM__IPC_INFO);
4953         case IPC_STAT:
4954         case SHM_STAT:
4955                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4956                 break;
4957         case IPC_SET:
4958                 perms = SHM__SETATTR;
4959                 break;
4960         case SHM_LOCK:
4961         case SHM_UNLOCK:
4962                 perms = SHM__LOCK;
4963                 break;
4964         case IPC_RMID:
4965                 perms = SHM__DESTROY;
4966                 break;
4967         default:
4968                 return 0;
4969         }
4970
4971         err = ipc_has_perm(&shp->shm_perm, perms);
4972         return err;
4973 }
4974
4975 static int selinux_shm_shmat(struct shmid_kernel *shp,
4976                              char __user *shmaddr, int shmflg)
4977 {
4978         u32 perms;
4979         int rc;
4980
4981         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4982         if (rc)
4983                 return rc;
4984
4985         if (shmflg & SHM_RDONLY)
4986                 perms = SHM__READ;
4987         else
4988                 perms = SHM__READ | SHM__WRITE;
4989
4990         return ipc_has_perm(&shp->shm_perm, perms);
4991 }
4992
4993 /* Semaphore security operations */
4994 static int selinux_sem_alloc_security(struct sem_array *sma)
4995 {
4996         struct task_security_struct *tsec;
4997         struct ipc_security_struct *isec;
4998         struct avc_audit_data ad;
4999         int rc;
5000
5001         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5002         if (rc)
5003                 return rc;
5004
5005         tsec = current->security;
5006         isec = sma->sem_perm.security;
5007
5008         AVC_AUDIT_DATA_INIT(&ad, IPC);
5009         ad.u.ipc_id = sma->sem_perm.key;
5010
5011         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5012                           SEM__CREATE, &ad);
5013         if (rc) {
5014                 ipc_free_security(&sma->sem_perm);
5015                 return rc;
5016         }
5017         return 0;
5018 }
5019
5020 static void selinux_sem_free_security(struct sem_array *sma)
5021 {
5022         ipc_free_security(&sma->sem_perm);
5023 }
5024
5025 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5026 {
5027         struct task_security_struct *tsec;
5028         struct ipc_security_struct *isec;
5029         struct avc_audit_data ad;
5030
5031         tsec = current->security;
5032         isec = sma->sem_perm.security;
5033
5034         AVC_AUDIT_DATA_INIT(&ad, IPC);
5035         ad.u.ipc_id = sma->sem_perm.key;
5036
5037         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5038                             SEM__ASSOCIATE, &ad);
5039 }
5040
5041 /* Note, at this point, sma is locked down */
5042 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5043 {
5044         int err;
5045         u32 perms;
5046
5047         switch (cmd) {
5048         case IPC_INFO:
5049         case SEM_INFO:
5050                 /* No specific object, just general system-wide information. */
5051                 return task_has_system(current, SYSTEM__IPC_INFO);
5052         case GETPID:
5053         case GETNCNT:
5054         case GETZCNT:
5055                 perms = SEM__GETATTR;
5056                 break;
5057         case GETVAL:
5058         case GETALL:
5059                 perms = SEM__READ;
5060                 break;
5061         case SETVAL:
5062         case SETALL:
5063                 perms = SEM__WRITE;
5064                 break;
5065         case IPC_RMID:
5066                 perms = SEM__DESTROY;
5067                 break;
5068         case IPC_SET:
5069                 perms = SEM__SETATTR;
5070                 break;
5071         case IPC_STAT:
5072         case SEM_STAT:
5073                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5074                 break;
5075         default:
5076                 return 0;
5077         }
5078
5079         err = ipc_has_perm(&sma->sem_perm, perms);
5080         return err;
5081 }
5082
5083 static int selinux_sem_semop(struct sem_array *sma,
5084                              struct sembuf *sops, unsigned nsops, int alter)
5085 {
5086         u32 perms;
5087
5088         if (alter)
5089                 perms = SEM__READ | SEM__WRITE;
5090         else
5091                 perms = SEM__READ;
5092
5093         return ipc_has_perm(&sma->sem_perm, perms);
5094 }
5095
5096 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5097 {
5098         u32 av = 0;
5099
5100         av = 0;
5101         if (flag & S_IRUGO)
5102                 av |= IPC__UNIX_READ;
5103         if (flag & S_IWUGO)
5104                 av |= IPC__UNIX_WRITE;
5105
5106         if (av == 0)
5107                 return 0;
5108
5109         return ipc_has_perm(ipcp, av);
5110 }
5111
5112 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5113 {
5114         struct ipc_security_struct *isec = ipcp->security;
5115         *secid = isec->sid;
5116 }
5117
5118 /* module stacking operations */
5119 static int selinux_register_security(const char *name, struct security_operations *ops)
5120 {
5121         if (secondary_ops != original_ops) {
5122                 printk(KERN_ERR "%s:  There is already a secondary security "
5123                        "module registered.\n", __func__);
5124                 return -EINVAL;
5125         }
5126
5127         secondary_ops = ops;
5128
5129         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5130                __func__,
5131                name);
5132
5133         return 0;
5134 }
5135
5136 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5137 {
5138         if (inode)
5139                 inode_doinit_with_dentry(inode, dentry);
5140 }
5141
5142 static int selinux_getprocattr(struct task_struct *p,
5143                                char *name, char **value)
5144 {
5145         struct task_security_struct *tsec;
5146         u32 sid;
5147         int error;
5148         unsigned len;
5149
5150         if (current != p) {
5151                 error = task_has_perm(current, p, PROCESS__GETATTR);
5152                 if (error)
5153                         return error;
5154         }
5155
5156         tsec = p->security;
5157
5158         if (!strcmp(name, "current"))
5159                 sid = tsec->sid;
5160         else if (!strcmp(name, "prev"))
5161                 sid = tsec->osid;
5162         else if (!strcmp(name, "exec"))
5163                 sid = tsec->exec_sid;
5164         else if (!strcmp(name, "fscreate"))
5165                 sid = tsec->create_sid;
5166         else if (!strcmp(name, "keycreate"))
5167                 sid = tsec->keycreate_sid;
5168         else if (!strcmp(name, "sockcreate"))
5169                 sid = tsec->sockcreate_sid;
5170         else
5171                 return -EINVAL;
5172
5173         if (!sid)
5174                 return 0;
5175
5176         error = security_sid_to_context(sid, value, &len);
5177         if (error)
5178                 return error;
5179         return len;
5180 }
5181
5182 static int selinux_setprocattr(struct task_struct *p,
5183                                char *name, void *value, size_t size)
5184 {
5185         struct task_security_struct *tsec;
5186         struct task_struct *tracer;
5187         u32 sid = 0;
5188         int error;
5189         char *str = value;
5190
5191         if (current != p) {
5192                 /* SELinux only allows a process to change its own
5193                    security attributes. */
5194                 return -EACCES;
5195         }
5196
5197         /*
5198          * Basic control over ability to set these attributes at all.
5199          * current == p, but we'll pass them separately in case the
5200          * above restriction is ever removed.
5201          */
5202         if (!strcmp(name, "exec"))
5203                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5204         else if (!strcmp(name, "fscreate"))
5205                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5206         else if (!strcmp(name, "keycreate"))
5207                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5208         else if (!strcmp(name, "sockcreate"))
5209                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5210         else if (!strcmp(name, "current"))
5211                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5212         else
5213                 error = -EINVAL;
5214         if (error)
5215                 return error;
5216
5217         /* Obtain a SID for the context, if one was specified. */
5218         if (size && str[1] && str[1] != '\n') {
5219                 if (str[size-1] == '\n') {
5220                         str[size-1] = 0;
5221                         size--;
5222                 }
5223                 error = security_context_to_sid(value, size, &sid);
5224                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5225                         if (!capable(CAP_MAC_ADMIN))
5226                                 return error;
5227                         error = security_context_to_sid_force(value, size,
5228                                                               &sid);
5229                 }
5230                 if (error)
5231                         return error;
5232         }
5233
5234         /* Permission checking based on the specified context is
5235            performed during the actual operation (execve,
5236            open/mkdir/...), when we know the full context of the
5237            operation.  See selinux_bprm_set_security for the execve
5238            checks and may_create for the file creation checks. The
5239            operation will then fail if the context is not permitted. */
5240         tsec = p->security;
5241         if (!strcmp(name, "exec"))
5242                 tsec->exec_sid = sid;
5243         else if (!strcmp(name, "fscreate"))
5244                 tsec->create_sid = sid;
5245         else if (!strcmp(name, "keycreate")) {
5246                 error = may_create_key(sid, p);
5247                 if (error)
5248                         return error;
5249                 tsec->keycreate_sid = sid;
5250         } else if (!strcmp(name, "sockcreate"))
5251                 tsec->sockcreate_sid = sid;
5252         else if (!strcmp(name, "current")) {
5253                 struct av_decision avd;
5254
5255                 if (sid == 0)
5256                         return -EINVAL;
5257
5258                 /* Only allow single threaded processes to change context */
5259                 if (atomic_read(&p->mm->mm_users) != 1) {
5260                         struct task_struct *g, *t;
5261                         struct mm_struct *mm = p->mm;
5262                         read_lock(&tasklist_lock);
5263                         do_each_thread(g, t) {
5264                                 if (t->mm == mm && t != p) {
5265                                         read_unlock(&tasklist_lock);
5266                                         return -EPERM;
5267                                 }
5268                         } while_each_thread(g, t);
5269                         read_unlock(&tasklist_lock);
5270                 }
5271
5272                 /* Check permissions for the transition. */
5273                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5274                                      PROCESS__DYNTRANSITION, NULL);
5275                 if (error)
5276                         return error;
5277
5278                 /* Check for ptracing, and update the task SID if ok.
5279                    Otherwise, leave SID unchanged and fail. */
5280                 task_lock(p);
5281                 rcu_read_lock();
5282                 tracer = task_tracer_task(p);
5283                 if (tracer != NULL) {
5284                         struct task_security_struct *ptsec = tracer->security;
5285                         u32 ptsid = ptsec->sid;
5286                         rcu_read_unlock();
5287                         error = avc_has_perm_noaudit(ptsid, sid,
5288                                                      SECCLASS_PROCESS,
5289                                                      PROCESS__PTRACE, 0, &avd);
5290                         if (!error)
5291                                 tsec->sid = sid;
5292                         task_unlock(p);
5293                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5294                                   PROCESS__PTRACE, &avd, error, NULL);
5295                         if (error)
5296                                 return error;
5297                 } else {
5298                         rcu_read_unlock();
5299                         tsec->sid = sid;
5300                         task_unlock(p);
5301                 }
5302         } else
5303                 return -EINVAL;
5304
5305         return size;
5306 }
5307
5308 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5309 {
5310         return security_sid_to_context(secid, secdata, seclen);
5311 }
5312
5313 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5314 {
5315         return security_context_to_sid(secdata, seclen, secid);
5316 }
5317
5318 static void selinux_release_secctx(char *secdata, u32 seclen)
5319 {
5320         kfree(secdata);
5321 }
5322
5323 #ifdef CONFIG_KEYS
5324
5325 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5326                              unsigned long flags)
5327 {
5328         struct task_security_struct *tsec = tsk->security;
5329         struct key_security_struct *ksec;
5330
5331         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5332         if (!ksec)
5333                 return -ENOMEM;
5334
5335         if (tsec->keycreate_sid)
5336                 ksec->sid = tsec->keycreate_sid;
5337         else
5338                 ksec->sid = tsec->sid;
5339         k->security = ksec;
5340
5341         return 0;
5342 }
5343
5344 static void selinux_key_free(struct key *k)
5345 {
5346         struct key_security_struct *ksec = k->security;
5347
5348         k->security = NULL;
5349         kfree(ksec);
5350 }
5351
5352 static int selinux_key_permission(key_ref_t key_ref,
5353                             struct task_struct *ctx,
5354                             key_perm_t perm)
5355 {
5356         struct key *key;
5357         struct task_security_struct *tsec;
5358         struct key_security_struct *ksec;
5359
5360         key = key_ref_to_ptr(key_ref);
5361
5362         tsec = ctx->security;
5363         ksec = key->security;
5364
5365         /* if no specific permissions are requested, we skip the
5366            permission check. No serious, additional covert channels
5367            appear to be created. */
5368         if (perm == 0)
5369                 return 0;
5370
5371         return avc_has_perm(tsec->sid, ksec->sid,
5372                             SECCLASS_KEY, perm, NULL);
5373 }
5374
5375 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5376 {
5377         struct key_security_struct *ksec = key->security;
5378         char *context = NULL;
5379         unsigned len;
5380         int rc;
5381
5382         rc = security_sid_to_context(ksec->sid, &context, &len);
5383         if (!rc)
5384                 rc = len;
5385         *_buffer = context;
5386         return rc;
5387 }
5388
5389 #endif
5390
5391 static struct security_operations selinux_ops = {
5392         .name =                         "selinux",
5393
5394         .ptrace =                       selinux_ptrace,
5395         .capget =                       selinux_capget,
5396         .capset_check =                 selinux_capset_check,
5397         .capset_set =                   selinux_capset_set,
5398         .sysctl =                       selinux_sysctl,
5399         .capable =                      selinux_capable,
5400         .quotactl =                     selinux_quotactl,
5401         .quota_on =                     selinux_quota_on,
5402         .syslog =                       selinux_syslog,
5403         .vm_enough_memory =             selinux_vm_enough_memory,
5404
5405         .netlink_send =                 selinux_netlink_send,
5406         .netlink_recv =                 selinux_netlink_recv,
5407
5408         .bprm_alloc_security =          selinux_bprm_alloc_security,
5409         .bprm_free_security =           selinux_bprm_free_security,
5410         .bprm_apply_creds =             selinux_bprm_apply_creds,
5411         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5412         .bprm_set_security =            selinux_bprm_set_security,
5413         .bprm_check_security =          selinux_bprm_check_security,
5414         .bprm_secureexec =              selinux_bprm_secureexec,
5415
5416         .sb_alloc_security =            selinux_sb_alloc_security,
5417         .sb_free_security =             selinux_sb_free_security,
5418         .sb_copy_data =                 selinux_sb_copy_data,
5419         .sb_kern_mount =                selinux_sb_kern_mount,
5420         .sb_show_options =              selinux_sb_show_options,
5421         .sb_statfs =                    selinux_sb_statfs,
5422         .sb_mount =                     selinux_mount,
5423         .sb_umount =                    selinux_umount,
5424         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5425         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5426         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5427         .sb_parse_opts_str =            selinux_parse_opts_str,
5428
5429
5430         .inode_alloc_security =         selinux_inode_alloc_security,
5431         .inode_free_security =          selinux_inode_free_security,
5432         .inode_init_security =          selinux_inode_init_security,
5433         .inode_create =                 selinux_inode_create,
5434         .inode_link =                   selinux_inode_link,
5435         .inode_unlink =                 selinux_inode_unlink,
5436         .inode_symlink =                selinux_inode_symlink,
5437         .inode_mkdir =                  selinux_inode_mkdir,
5438         .inode_rmdir =                  selinux_inode_rmdir,
5439         .inode_mknod =                  selinux_inode_mknod,
5440         .inode_rename =                 selinux_inode_rename,
5441         .inode_readlink =               selinux_inode_readlink,
5442         .inode_follow_link =            selinux_inode_follow_link,
5443         .inode_permission =             selinux_inode_permission,
5444         .inode_setattr =                selinux_inode_setattr,
5445         .inode_getattr =                selinux_inode_getattr,
5446         .inode_setxattr =               selinux_inode_setxattr,
5447         .inode_post_setxattr =          selinux_inode_post_setxattr,
5448         .inode_getxattr =               selinux_inode_getxattr,
5449         .inode_listxattr =              selinux_inode_listxattr,
5450         .inode_removexattr =            selinux_inode_removexattr,
5451         .inode_getsecurity =            selinux_inode_getsecurity,
5452         .inode_setsecurity =            selinux_inode_setsecurity,
5453         .inode_listsecurity =           selinux_inode_listsecurity,
5454         .inode_need_killpriv =          selinux_inode_need_killpriv,
5455         .inode_killpriv =               selinux_inode_killpriv,
5456         .inode_getsecid =               selinux_inode_getsecid,
5457
5458         .file_permission =              selinux_file_permission,
5459         .file_alloc_security =          selinux_file_alloc_security,
5460         .file_free_security =           selinux_file_free_security,
5461         .file_ioctl =                   selinux_file_ioctl,
5462         .file_mmap =                    selinux_file_mmap,
5463         .file_mprotect =                selinux_file_mprotect,
5464         .file_lock =                    selinux_file_lock,
5465         .file_fcntl =                   selinux_file_fcntl,
5466         .file_set_fowner =              selinux_file_set_fowner,
5467         .file_send_sigiotask =          selinux_file_send_sigiotask,
5468         .file_receive =                 selinux_file_receive,
5469
5470         .dentry_open =                  selinux_dentry_open,
5471
5472         .task_create =                  selinux_task_create,
5473         .task_alloc_security =          selinux_task_alloc_security,
5474         .task_free_security =           selinux_task_free_security,
5475         .task_setuid =                  selinux_task_setuid,
5476         .task_post_setuid =             selinux_task_post_setuid,
5477         .task_setgid =                  selinux_task_setgid,
5478         .task_setpgid =                 selinux_task_setpgid,
5479         .task_getpgid =                 selinux_task_getpgid,
5480         .task_getsid =                  selinux_task_getsid,
5481         .task_getsecid =                selinux_task_getsecid,
5482         .task_setgroups =               selinux_task_setgroups,
5483         .task_setnice =                 selinux_task_setnice,
5484         .task_setioprio =               selinux_task_setioprio,
5485         .task_getioprio =               selinux_task_getioprio,
5486         .task_setrlimit =               selinux_task_setrlimit,
5487         .task_setscheduler =            selinux_task_setscheduler,
5488         .task_getscheduler =            selinux_task_getscheduler,
5489         .task_movememory =              selinux_task_movememory,
5490         .task_kill =                    selinux_task_kill,
5491         .task_wait =                    selinux_task_wait,
5492         .task_prctl =                   selinux_task_prctl,
5493         .task_reparent_to_init =        selinux_task_reparent_to_init,
5494         .task_to_inode =                selinux_task_to_inode,
5495
5496         .ipc_permission =               selinux_ipc_permission,
5497         .ipc_getsecid =                 selinux_ipc_getsecid,
5498
5499         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5500         .msg_msg_free_security =        selinux_msg_msg_free_security,
5501
5502         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5503         .msg_queue_free_security =      selinux_msg_queue_free_security,
5504         .msg_queue_associate =          selinux_msg_queue_associate,
5505         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5506         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5507         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5508
5509         .shm_alloc_security =           selinux_shm_alloc_security,
5510         .shm_free_security =            selinux_shm_free_security,
5511         .shm_associate =                selinux_shm_associate,
5512         .shm_shmctl =                   selinux_shm_shmctl,
5513         .shm_shmat =                    selinux_shm_shmat,
5514
5515         .sem_alloc_security =           selinux_sem_alloc_security,
5516         .sem_free_security =            selinux_sem_free_security,
5517         .sem_associate =                selinux_sem_associate,
5518         .sem_semctl =                   selinux_sem_semctl,
5519         .sem_semop =                    selinux_sem_semop,
5520
5521         .register_security =            selinux_register_security,
5522
5523         .d_instantiate =                selinux_d_instantiate,
5524
5525         .getprocattr =                  selinux_getprocattr,
5526         .setprocattr =                  selinux_setprocattr,
5527
5528         .secid_to_secctx =              selinux_secid_to_secctx,
5529         .secctx_to_secid =              selinux_secctx_to_secid,
5530         .release_secctx =               selinux_release_secctx,
5531
5532         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5533         .unix_may_send =                selinux_socket_unix_may_send,
5534
5535         .socket_create =                selinux_socket_create,
5536         .socket_post_create =           selinux_socket_post_create,
5537         .socket_bind =                  selinux_socket_bind,
5538         .socket_connect =               selinux_socket_connect,
5539         .socket_listen =                selinux_socket_listen,
5540         .socket_accept =                selinux_socket_accept,
5541         .socket_sendmsg =               selinux_socket_sendmsg,
5542         .socket_recvmsg =               selinux_socket_recvmsg,
5543         .socket_getsockname =           selinux_socket_getsockname,
5544         .socket_getpeername =           selinux_socket_getpeername,
5545         .socket_getsockopt =            selinux_socket_getsockopt,
5546         .socket_setsockopt =            selinux_socket_setsockopt,
5547         .socket_shutdown =              selinux_socket_shutdown,
5548         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5549         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5550         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5551         .sk_alloc_security =            selinux_sk_alloc_security,
5552         .sk_free_security =             selinux_sk_free_security,
5553         .sk_clone_security =            selinux_sk_clone_security,
5554         .sk_getsecid =                  selinux_sk_getsecid,
5555         .sock_graft =                   selinux_sock_graft,
5556         .inet_conn_request =            selinux_inet_conn_request,
5557         .inet_csk_clone =               selinux_inet_csk_clone,
5558         .inet_conn_established =        selinux_inet_conn_established,
5559         .req_classify_flow =            selinux_req_classify_flow,
5560
5561 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5562         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5563         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5564         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5565         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5566         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5567         .xfrm_state_free_security =     selinux_xfrm_state_free,
5568         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5569         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5570         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5571         .xfrm_decode_session =          selinux_xfrm_decode_session,
5572 #endif
5573
5574 #ifdef CONFIG_KEYS
5575         .key_alloc =                    selinux_key_alloc,
5576         .key_free =                     selinux_key_free,
5577         .key_permission =               selinux_key_permission,
5578         .key_getsecurity =              selinux_key_getsecurity,
5579 #endif
5580
5581 #ifdef CONFIG_AUDIT
5582         .audit_rule_init =              selinux_audit_rule_init,
5583         .audit_rule_known =             selinux_audit_rule_known,
5584         .audit_rule_match =             selinux_audit_rule_match,
5585         .audit_rule_free =              selinux_audit_rule_free,
5586 #endif
5587 };
5588
5589 static __init int selinux_init(void)
5590 {
5591         struct task_security_struct *tsec;
5592
5593         if (!security_module_enable(&selinux_ops)) {
5594                 selinux_enabled = 0;
5595                 return 0;
5596         }
5597
5598         if (!selinux_enabled) {
5599                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5600                 return 0;
5601         }
5602
5603         printk(KERN_INFO "SELinux:  Initializing.\n");
5604
5605         /* Set the security state for the initial task. */
5606         if (task_alloc_security(current))
5607                 panic("SELinux:  Failed to initialize initial task.\n");
5608         tsec = current->security;
5609         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5610
5611         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5612                                             sizeof(struct inode_security_struct),
5613                                             0, SLAB_PANIC, NULL);
5614         avc_init();
5615
5616         original_ops = secondary_ops = security_ops;
5617         if (!secondary_ops)
5618                 panic("SELinux: No initial security operations\n");
5619         if (register_security(&selinux_ops))
5620                 panic("SELinux: Unable to register with kernel.\n");
5621
5622         if (selinux_enforcing)
5623                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5624         else
5625                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5626
5627         return 0;
5628 }
5629
5630 void selinux_complete_init(void)
5631 {
5632         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5633
5634         /* Set up any superblocks initialized prior to the policy load. */
5635         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5636         spin_lock(&sb_lock);
5637         spin_lock(&sb_security_lock);
5638 next_sb:
5639         if (!list_empty(&superblock_security_head)) {
5640                 struct superblock_security_struct *sbsec =
5641                                 list_entry(superblock_security_head.next,
5642                                            struct superblock_security_struct,
5643                                            list);
5644                 struct super_block *sb = sbsec->sb;
5645                 sb->s_count++;
5646                 spin_unlock(&sb_security_lock);
5647                 spin_unlock(&sb_lock);
5648                 down_read(&sb->s_umount);
5649                 if (sb->s_root)
5650                         superblock_doinit(sb, NULL);
5651                 drop_super(sb);
5652                 spin_lock(&sb_lock);
5653                 spin_lock(&sb_security_lock);
5654                 list_del_init(&sbsec->list);
5655                 goto next_sb;
5656         }
5657         spin_unlock(&sb_security_lock);
5658         spin_unlock(&sb_lock);
5659 }
5660
5661 /* SELinux requires early initialization in order to label
5662    all processes and objects when they are created. */
5663 security_initcall(selinux_init);
5664
5665 #if defined(CONFIG_NETFILTER)
5666
5667 static struct nf_hook_ops selinux_ipv4_ops[] = {
5668         {
5669                 .hook =         selinux_ipv4_postroute,
5670                 .owner =        THIS_MODULE,
5671                 .pf =           PF_INET,
5672                 .hooknum =      NF_INET_POST_ROUTING,
5673                 .priority =     NF_IP_PRI_SELINUX_LAST,
5674         },
5675         {
5676                 .hook =         selinux_ipv4_forward,
5677                 .owner =        THIS_MODULE,
5678                 .pf =           PF_INET,
5679                 .hooknum =      NF_INET_FORWARD,
5680                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5681         }
5682 };
5683
5684 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5685
5686 static struct nf_hook_ops selinux_ipv6_ops[] = {
5687         {
5688                 .hook =         selinux_ipv6_postroute,
5689                 .owner =        THIS_MODULE,
5690                 .pf =           PF_INET6,
5691                 .hooknum =      NF_INET_POST_ROUTING,
5692                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5693         },
5694         {
5695                 .hook =         selinux_ipv6_forward,
5696                 .owner =        THIS_MODULE,
5697                 .pf =           PF_INET6,
5698                 .hooknum =      NF_INET_FORWARD,
5699                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5700         }
5701 };
5702
5703 #endif  /* IPV6 */
5704
5705 static int __init selinux_nf_ip_init(void)
5706 {
5707         int err = 0;
5708         u32 iter;
5709
5710         if (!selinux_enabled)
5711                 goto out;
5712
5713         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5714
5715         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5716                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5717                 if (err)
5718                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5719                               err);
5720         }
5721
5722 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5723         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5724                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5725                 if (err)
5726                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5727                               err);
5728         }
5729 #endif  /* IPV6 */
5730
5731 out:
5732         return err;
5733 }
5734
5735 __initcall(selinux_nf_ip_init);
5736
5737 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5738 static void selinux_nf_ip_exit(void)
5739 {
5740         u32 iter;
5741
5742         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5743
5744         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5745                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5746 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5747         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5748                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5749 #endif  /* IPV6 */
5750 }
5751 #endif
5752
5753 #else /* CONFIG_NETFILTER */
5754
5755 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5756 #define selinux_nf_ip_exit()
5757 #endif
5758
5759 #endif /* CONFIG_NETFILTER */
5760
5761 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5762 static int selinux_disabled;
5763
5764 int selinux_disable(void)
5765 {
5766         extern void exit_sel_fs(void);
5767
5768         if (ss_initialized) {
5769                 /* Not permitted after initial policy load. */
5770                 return -EINVAL;
5771         }
5772
5773         if (selinux_disabled) {
5774                 /* Only do this once. */
5775                 return -EINVAL;
5776         }
5777
5778         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5779
5780         selinux_disabled = 1;
5781         selinux_enabled = 0;
5782
5783         /* Reset security_ops to the secondary module, dummy or capability. */
5784         security_ops = secondary_ops;
5785
5786         /* Unregister netfilter hooks. */
5787         selinux_nf_ip_exit();
5788
5789         /* Unregister selinuxfs. */
5790         exit_sel_fs();
5791
5792         return 0;
5793 }
5794 #endif