selinux: simplify ioctl checking
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *              Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/fdtable.h>
43 #include <linux/namei.h>
44 #include <linux/mount.h>
45 #include <linux/proc_fs.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <net/net_namespace.h>
53 #include <net/netlabel.h>
54 #include <linux/uaccess.h>
55 #include <asm/ioctls.h>
56 #include <asm/atomic.h>
57 #include <linux/bitops.h>
58 #include <linux/interrupt.h>
59 #include <linux/netdevice.h>    /* for network interface checks */
60 #include <linux/netlink.h>
61 #include <linux/tcp.h>
62 #include <linux/udp.h>
63 #include <linux/dccp.h>
64 #include <linux/quota.h>
65 #include <linux/un.h>           /* for Unix socket types */
66 #include <net/af_unix.h>        /* for Unix socket types */
67 #include <linux/parser.h>
68 #include <linux/nfs_mount.h>
69 #include <net/ipv6.h>
70 #include <linux/hugetlb.h>
71 #include <linux/personality.h>
72 #include <linux/sysctl.h>
73 #include <linux/audit.h>
74 #include <linux/string.h>
75 #include <linux/selinux.h>
76 #include <linux/mutex.h>
77
78 #include "avc.h"
79 #include "objsec.h"
80 #include "netif.h"
81 #include "netnode.h"
82 #include "netport.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85 #include "audit.h"
86
87 #define XATTR_SELINUX_SUFFIX "selinux"
88 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89
90 #define NUM_SEL_MNT_OPTS 4
91
92 extern unsigned int policydb_loaded_version;
93 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
94 extern int selinux_compat_net;
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105         unsigned long enforcing;
106         if (!strict_strtoul(str, 0, &enforcing))
107                 selinux_enforcing = enforcing ? 1 : 0;
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118         unsigned long enabled;
119         if (!strict_strtoul(str, 0, &enabled))
120                 selinux_enabled = enabled ? 1 : 0;
121         return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 /* Original (dummy) security module. */
129 static struct security_operations *original_ops;
130
131 /* Minimal support for a secondary security module,
132    just to allow the use of the dummy or capability modules.
133    The owlsm module can alternatively be used as a secondary
134    module as long as CONFIG_OWLSM_FD is not enabled. */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138    before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146  *
147  * Description:
148  * This function checks the SECMARK reference counter to see if any SECMARK
149  * targets are currently configured, if the reference counter is greater than
150  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
151  * enabled, false (0) if SECMARK is disabled.
152  *
153  */
154 static int selinux_secmark_enabled(void)
155 {
156         return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /* Allocate and free functions for each kind of security blob. */
160
161 static int task_alloc_security(struct task_struct *task)
162 {
163         struct task_security_struct *tsec;
164
165         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
166         if (!tsec)
167                 return -ENOMEM;
168
169         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
170         task->security = tsec;
171
172         return 0;
173 }
174
175 static void task_free_security(struct task_struct *task)
176 {
177         struct task_security_struct *tsec = task->security;
178         task->security = NULL;
179         kfree(tsec);
180 }
181
182 static int inode_alloc_security(struct inode *inode)
183 {
184         struct task_security_struct *tsec = current->security;
185         struct inode_security_struct *isec;
186
187         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
188         if (!isec)
189                 return -ENOMEM;
190
191         mutex_init(&isec->lock);
192         INIT_LIST_HEAD(&isec->list);
193         isec->inode = inode;
194         isec->sid = SECINITSID_UNLABELED;
195         isec->sclass = SECCLASS_FILE;
196         isec->task_sid = tsec->sid;
197         inode->i_security = isec;
198
199         return 0;
200 }
201
202 static void inode_free_security(struct inode *inode)
203 {
204         struct inode_security_struct *isec = inode->i_security;
205         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
206
207         spin_lock(&sbsec->isec_lock);
208         if (!list_empty(&isec->list))
209                 list_del_init(&isec->list);
210         spin_unlock(&sbsec->isec_lock);
211
212         inode->i_security = NULL;
213         kmem_cache_free(sel_inode_cache, isec);
214 }
215
216 static int file_alloc_security(struct file *file)
217 {
218         struct task_security_struct *tsec = current->security;
219         struct file_security_struct *fsec;
220
221         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222         if (!fsec)
223                 return -ENOMEM;
224
225         fsec->sid = tsec->sid;
226         fsec->fown_sid = tsec->sid;
227         file->f_security = fsec;
228
229         return 0;
230 }
231
232 static void file_free_security(struct file *file)
233 {
234         struct file_security_struct *fsec = file->f_security;
235         file->f_security = NULL;
236         kfree(fsec);
237 }
238
239 static int superblock_alloc_security(struct super_block *sb)
240 {
241         struct superblock_security_struct *sbsec;
242
243         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
244         if (!sbsec)
245                 return -ENOMEM;
246
247         mutex_init(&sbsec->lock);
248         INIT_LIST_HEAD(&sbsec->list);
249         INIT_LIST_HEAD(&sbsec->isec_head);
250         spin_lock_init(&sbsec->isec_lock);
251         sbsec->sb = sb;
252         sbsec->sid = SECINITSID_UNLABELED;
253         sbsec->def_sid = SECINITSID_FILE;
254         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
255         sb->s_security = sbsec;
256
257         return 0;
258 }
259
260 static void superblock_free_security(struct super_block *sb)
261 {
262         struct superblock_security_struct *sbsec = sb->s_security;
263
264         spin_lock(&sb_security_lock);
265         if (!list_empty(&sbsec->list))
266                 list_del_init(&sbsec->list);
267         spin_unlock(&sb_security_lock);
268
269         sb->s_security = NULL;
270         kfree(sbsec);
271 }
272
273 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
274 {
275         struct sk_security_struct *ssec;
276
277         ssec = kzalloc(sizeof(*ssec), priority);
278         if (!ssec)
279                 return -ENOMEM;
280
281         ssec->peer_sid = SECINITSID_UNLABELED;
282         ssec->sid = SECINITSID_UNLABELED;
283         sk->sk_security = ssec;
284
285         selinux_netlbl_sk_security_reset(ssec, family);
286
287         return 0;
288 }
289
290 static void sk_free_security(struct sock *sk)
291 {
292         struct sk_security_struct *ssec = sk->sk_security;
293
294         sk->sk_security = NULL;
295         kfree(ssec);
296 }
297
298 /* The security server must be initialized before
299    any labeling or access decisions can be provided. */
300 extern int ss_initialized;
301
302 /* The file system's label must be initialized prior to use. */
303
304 static char *labeling_behaviors[6] = {
305         "uses xattr",
306         "uses transition SIDs",
307         "uses task SIDs",
308         "uses genfs_contexts",
309         "not configured for labeling",
310         "uses mountpoint labeling",
311 };
312
313 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315 static inline int inode_doinit(struct inode *inode)
316 {
317         return inode_doinit_with_dentry(inode, NULL);
318 }
319
320 enum {
321         Opt_error = -1,
322         Opt_context = 1,
323         Opt_fscontext = 2,
324         Opt_defcontext = 3,
325         Opt_rootcontext = 4,
326 };
327
328 static match_table_t tokens = {
329         {Opt_context, CONTEXT_STR "%s"},
330         {Opt_fscontext, FSCONTEXT_STR "%s"},
331         {Opt_defcontext, DEFCONTEXT_STR "%s"},
332         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
333         {Opt_error, NULL},
334 };
335
336 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
337
338 static int may_context_mount_sb_relabel(u32 sid,
339                         struct superblock_security_struct *sbsec,
340                         struct task_security_struct *tsec)
341 {
342         int rc;
343
344         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
345                           FILESYSTEM__RELABELFROM, NULL);
346         if (rc)
347                 return rc;
348
349         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
350                           FILESYSTEM__RELABELTO, NULL);
351         return rc;
352 }
353
354 static int may_context_mount_inode_relabel(u32 sid,
355                         struct superblock_security_struct *sbsec,
356                         struct task_security_struct *tsec)
357 {
358         int rc;
359         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
360                           FILESYSTEM__RELABELFROM, NULL);
361         if (rc)
362                 return rc;
363
364         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
365                           FILESYSTEM__ASSOCIATE, NULL);
366         return rc;
367 }
368
369 static int sb_finish_set_opts(struct super_block *sb)
370 {
371         struct superblock_security_struct *sbsec = sb->s_security;
372         struct dentry *root = sb->s_root;
373         struct inode *root_inode = root->d_inode;
374         int rc = 0;
375
376         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
377                 /* Make sure that the xattr handler exists and that no
378                    error other than -ENODATA is returned by getxattr on
379                    the root directory.  -ENODATA is ok, as this may be
380                    the first boot of the SELinux kernel before we have
381                    assigned xattr values to the filesystem. */
382                 if (!root_inode->i_op->getxattr) {
383                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
384                                "xattr support\n", sb->s_id, sb->s_type->name);
385                         rc = -EOPNOTSUPP;
386                         goto out;
387                 }
388                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
389                 if (rc < 0 && rc != -ENODATA) {
390                         if (rc == -EOPNOTSUPP)
391                                 printk(KERN_WARNING "SELinux: (dev %s, type "
392                                        "%s) has no security xattr handler\n",
393                                        sb->s_id, sb->s_type->name);
394                         else
395                                 printk(KERN_WARNING "SELinux: (dev %s, type "
396                                        "%s) getxattr errno %d\n", sb->s_id,
397                                        sb->s_type->name, -rc);
398                         goto out;
399                 }
400         }
401
402         sbsec->initialized = 1;
403
404         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
405                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
406                        sb->s_id, sb->s_type->name);
407         else
408                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
409                        sb->s_id, sb->s_type->name,
410                        labeling_behaviors[sbsec->behavior-1]);
411
412         /* Initialize the root inode. */
413         rc = inode_doinit_with_dentry(root_inode, root);
414
415         /* Initialize any other inodes associated with the superblock, e.g.
416            inodes created prior to initial policy load or inodes created
417            during get_sb by a pseudo filesystem that directly
418            populates itself. */
419         spin_lock(&sbsec->isec_lock);
420 next_inode:
421         if (!list_empty(&sbsec->isec_head)) {
422                 struct inode_security_struct *isec =
423                                 list_entry(sbsec->isec_head.next,
424                                            struct inode_security_struct, list);
425                 struct inode *inode = isec->inode;
426                 spin_unlock(&sbsec->isec_lock);
427                 inode = igrab(inode);
428                 if (inode) {
429                         if (!IS_PRIVATE(inode))
430                                 inode_doinit(inode);
431                         iput(inode);
432                 }
433                 spin_lock(&sbsec->isec_lock);
434                 list_del_init(&isec->list);
435                 goto next_inode;
436         }
437         spin_unlock(&sbsec->isec_lock);
438 out:
439         return rc;
440 }
441
442 /*
443  * This function should allow an FS to ask what it's mount security
444  * options were so it can use those later for submounts, displaying
445  * mount options, or whatever.
446  */
447 static int selinux_get_mnt_opts(const struct super_block *sb,
448                                 struct security_mnt_opts *opts)
449 {
450         int rc = 0, i;
451         struct superblock_security_struct *sbsec = sb->s_security;
452         char *context = NULL;
453         u32 len;
454         char tmp;
455
456         security_init_mnt_opts(opts);
457
458         if (!sbsec->initialized)
459                 return -EINVAL;
460
461         if (!ss_initialized)
462                 return -EINVAL;
463
464         /*
465          * if we ever use sbsec flags for anything other than tracking mount
466          * settings this is going to need a mask
467          */
468         tmp = sbsec->flags;
469         /* count the number of mount options for this sb */
470         for (i = 0; i < 8; i++) {
471                 if (tmp & 0x01)
472                         opts->num_mnt_opts++;
473                 tmp >>= 1;
474         }
475
476         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
477         if (!opts->mnt_opts) {
478                 rc = -ENOMEM;
479                 goto out_free;
480         }
481
482         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
483         if (!opts->mnt_opts_flags) {
484                 rc = -ENOMEM;
485                 goto out_free;
486         }
487
488         i = 0;
489         if (sbsec->flags & FSCONTEXT_MNT) {
490                 rc = security_sid_to_context(sbsec->sid, &context, &len);
491                 if (rc)
492                         goto out_free;
493                 opts->mnt_opts[i] = context;
494                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
495         }
496         if (sbsec->flags & CONTEXT_MNT) {
497                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
498                 if (rc)
499                         goto out_free;
500                 opts->mnt_opts[i] = context;
501                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
502         }
503         if (sbsec->flags & DEFCONTEXT_MNT) {
504                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
505                 if (rc)
506                         goto out_free;
507                 opts->mnt_opts[i] = context;
508                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
509         }
510         if (sbsec->flags & ROOTCONTEXT_MNT) {
511                 struct inode *root = sbsec->sb->s_root->d_inode;
512                 struct inode_security_struct *isec = root->i_security;
513
514                 rc = security_sid_to_context(isec->sid, &context, &len);
515                 if (rc)
516                         goto out_free;
517                 opts->mnt_opts[i] = context;
518                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
519         }
520
521         BUG_ON(i != opts->num_mnt_opts);
522
523         return 0;
524
525 out_free:
526         security_free_mnt_opts(opts);
527         return rc;
528 }
529
530 static int bad_option(struct superblock_security_struct *sbsec, char flag,
531                       u32 old_sid, u32 new_sid)
532 {
533         /* check if the old mount command had the same options */
534         if (sbsec->initialized)
535                 if (!(sbsec->flags & flag) ||
536                     (old_sid != new_sid))
537                         return 1;
538
539         /* check if we were passed the same options twice,
540          * aka someone passed context=a,context=b
541          */
542         if (!sbsec->initialized)
543                 if (sbsec->flags & flag)
544                         return 1;
545         return 0;
546 }
547
548 /*
549  * Allow filesystems with binary mount data to explicitly set mount point
550  * labeling information.
551  */
552 static int selinux_set_mnt_opts(struct super_block *sb,
553                                 struct security_mnt_opts *opts)
554 {
555         int rc = 0, i;
556         struct task_security_struct *tsec = current->security;
557         struct superblock_security_struct *sbsec = sb->s_security;
558         const char *name = sb->s_type->name;
559         struct inode *inode = sbsec->sb->s_root->d_inode;
560         struct inode_security_struct *root_isec = inode->i_security;
561         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
562         u32 defcontext_sid = 0;
563         char **mount_options = opts->mnt_opts;
564         int *flags = opts->mnt_opts_flags;
565         int num_opts = opts->num_mnt_opts;
566
567         mutex_lock(&sbsec->lock);
568
569         if (!ss_initialized) {
570                 if (!num_opts) {
571                         /* Defer initialization until selinux_complete_init,
572                            after the initial policy is loaded and the security
573                            server is ready to handle calls. */
574                         spin_lock(&sb_security_lock);
575                         if (list_empty(&sbsec->list))
576                                 list_add(&sbsec->list, &superblock_security_head);
577                         spin_unlock(&sb_security_lock);
578                         goto out;
579                 }
580                 rc = -EINVAL;
581                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
582                         "before the security server is initialized\n");
583                 goto out;
584         }
585
586         /*
587          * Binary mount data FS will come through this function twice.  Once
588          * from an explicit call and once from the generic calls from the vfs.
589          * Since the generic VFS calls will not contain any security mount data
590          * we need to skip the double mount verification.
591          *
592          * This does open a hole in which we will not notice if the first
593          * mount using this sb set explict options and a second mount using
594          * this sb does not set any security options.  (The first options
595          * will be used for both mounts)
596          */
597         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
598             && (num_opts == 0))
599                 goto out;
600
601         /*
602          * parse the mount options, check if they are valid sids.
603          * also check if someone is trying to mount the same sb more
604          * than once with different security options.
605          */
606         for (i = 0; i < num_opts; i++) {
607                 u32 sid;
608                 rc = security_context_to_sid(mount_options[i],
609                                              strlen(mount_options[i]), &sid);
610                 if (rc) {
611                         printk(KERN_WARNING "SELinux: security_context_to_sid"
612                                "(%s) failed for (dev %s, type %s) errno=%d\n",
613                                mount_options[i], sb->s_id, name, rc);
614                         goto out;
615                 }
616                 switch (flags[i]) {
617                 case FSCONTEXT_MNT:
618                         fscontext_sid = sid;
619
620                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
621                                         fscontext_sid))
622                                 goto out_double_mount;
623
624                         sbsec->flags |= FSCONTEXT_MNT;
625                         break;
626                 case CONTEXT_MNT:
627                         context_sid = sid;
628
629                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
630                                         context_sid))
631                                 goto out_double_mount;
632
633                         sbsec->flags |= CONTEXT_MNT;
634                         break;
635                 case ROOTCONTEXT_MNT:
636                         rootcontext_sid = sid;
637
638                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
639                                         rootcontext_sid))
640                                 goto out_double_mount;
641
642                         sbsec->flags |= ROOTCONTEXT_MNT;
643
644                         break;
645                 case DEFCONTEXT_MNT:
646                         defcontext_sid = sid;
647
648                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
649                                         defcontext_sid))
650                                 goto out_double_mount;
651
652                         sbsec->flags |= DEFCONTEXT_MNT;
653
654                         break;
655                 default:
656                         rc = -EINVAL;
657                         goto out;
658                 }
659         }
660
661         if (sbsec->initialized) {
662                 /* previously mounted with options, but not on this attempt? */
663                 if (sbsec->flags && !num_opts)
664                         goto out_double_mount;
665                 rc = 0;
666                 goto out;
667         }
668
669         if (strcmp(sb->s_type->name, "proc") == 0)
670                 sbsec->proc = 1;
671
672         /* Determine the labeling behavior to use for this filesystem type. */
673         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
674         if (rc) {
675                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
676                        __func__, sb->s_type->name, rc);
677                 goto out;
678         }
679
680         /* sets the context of the superblock for the fs being mounted. */
681         if (fscontext_sid) {
682
683                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
684                 if (rc)
685                         goto out;
686
687                 sbsec->sid = fscontext_sid;
688         }
689
690         /*
691          * Switch to using mount point labeling behavior.
692          * sets the label used on all file below the mountpoint, and will set
693          * the superblock context if not already set.
694          */
695         if (context_sid) {
696                 if (!fscontext_sid) {
697                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
698                         if (rc)
699                                 goto out;
700                         sbsec->sid = context_sid;
701                 } else {
702                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
703                         if (rc)
704                                 goto out;
705                 }
706                 if (!rootcontext_sid)
707                         rootcontext_sid = context_sid;
708
709                 sbsec->mntpoint_sid = context_sid;
710                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
711         }
712
713         if (rootcontext_sid) {
714                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
715                 if (rc)
716                         goto out;
717
718                 root_isec->sid = rootcontext_sid;
719                 root_isec->initialized = 1;
720         }
721
722         if (defcontext_sid) {
723                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
724                         rc = -EINVAL;
725                         printk(KERN_WARNING "SELinux: defcontext option is "
726                                "invalid for this filesystem type\n");
727                         goto out;
728                 }
729
730                 if (defcontext_sid != sbsec->def_sid) {
731                         rc = may_context_mount_inode_relabel(defcontext_sid,
732                                                              sbsec, tsec);
733                         if (rc)
734                                 goto out;
735                 }
736
737                 sbsec->def_sid = defcontext_sid;
738         }
739
740         rc = sb_finish_set_opts(sb);
741 out:
742         mutex_unlock(&sbsec->lock);
743         return rc;
744 out_double_mount:
745         rc = -EINVAL;
746         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
747                "security settings for (dev %s, type %s)\n", sb->s_id, name);
748         goto out;
749 }
750
751 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
752                                         struct super_block *newsb)
753 {
754         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
755         struct superblock_security_struct *newsbsec = newsb->s_security;
756
757         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
758         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
759         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
760
761         /*
762          * if the parent was able to be mounted it clearly had no special lsm
763          * mount options.  thus we can safely put this sb on the list and deal
764          * with it later
765          */
766         if (!ss_initialized) {
767                 spin_lock(&sb_security_lock);
768                 if (list_empty(&newsbsec->list))
769                         list_add(&newsbsec->list, &superblock_security_head);
770                 spin_unlock(&sb_security_lock);
771                 return;
772         }
773
774         /* how can we clone if the old one wasn't set up?? */
775         BUG_ON(!oldsbsec->initialized);
776
777         /* if fs is reusing a sb, just let its options stand... */
778         if (newsbsec->initialized)
779                 return;
780
781         mutex_lock(&newsbsec->lock);
782
783         newsbsec->flags = oldsbsec->flags;
784
785         newsbsec->sid = oldsbsec->sid;
786         newsbsec->def_sid = oldsbsec->def_sid;
787         newsbsec->behavior = oldsbsec->behavior;
788
789         if (set_context) {
790                 u32 sid = oldsbsec->mntpoint_sid;
791
792                 if (!set_fscontext)
793                         newsbsec->sid = sid;
794                 if (!set_rootcontext) {
795                         struct inode *newinode = newsb->s_root->d_inode;
796                         struct inode_security_struct *newisec = newinode->i_security;
797                         newisec->sid = sid;
798                 }
799                 newsbsec->mntpoint_sid = sid;
800         }
801         if (set_rootcontext) {
802                 const struct inode *oldinode = oldsb->s_root->d_inode;
803                 const struct inode_security_struct *oldisec = oldinode->i_security;
804                 struct inode *newinode = newsb->s_root->d_inode;
805                 struct inode_security_struct *newisec = newinode->i_security;
806
807                 newisec->sid = oldisec->sid;
808         }
809
810         sb_finish_set_opts(newsb);
811         mutex_unlock(&newsbsec->lock);
812 }
813
814 static int selinux_parse_opts_str(char *options,
815                                   struct security_mnt_opts *opts)
816 {
817         char *p;
818         char *context = NULL, *defcontext = NULL;
819         char *fscontext = NULL, *rootcontext = NULL;
820         int rc, num_mnt_opts = 0;
821
822         opts->num_mnt_opts = 0;
823
824         /* Standard string-based options. */
825         while ((p = strsep(&options, "|")) != NULL) {
826                 int token;
827                 substring_t args[MAX_OPT_ARGS];
828
829                 if (!*p)
830                         continue;
831
832                 token = match_token(p, tokens, args);
833
834                 switch (token) {
835                 case Opt_context:
836                         if (context || defcontext) {
837                                 rc = -EINVAL;
838                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
839                                 goto out_err;
840                         }
841                         context = match_strdup(&args[0]);
842                         if (!context) {
843                                 rc = -ENOMEM;
844                                 goto out_err;
845                         }
846                         break;
847
848                 case Opt_fscontext:
849                         if (fscontext) {
850                                 rc = -EINVAL;
851                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
852                                 goto out_err;
853                         }
854                         fscontext = match_strdup(&args[0]);
855                         if (!fscontext) {
856                                 rc = -ENOMEM;
857                                 goto out_err;
858                         }
859                         break;
860
861                 case Opt_rootcontext:
862                         if (rootcontext) {
863                                 rc = -EINVAL;
864                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
865                                 goto out_err;
866                         }
867                         rootcontext = match_strdup(&args[0]);
868                         if (!rootcontext) {
869                                 rc = -ENOMEM;
870                                 goto out_err;
871                         }
872                         break;
873
874                 case Opt_defcontext:
875                         if (context || defcontext) {
876                                 rc = -EINVAL;
877                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
878                                 goto out_err;
879                         }
880                         defcontext = match_strdup(&args[0]);
881                         if (!defcontext) {
882                                 rc = -ENOMEM;
883                                 goto out_err;
884                         }
885                         break;
886
887                 default:
888                         rc = -EINVAL;
889                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
890                         goto out_err;
891
892                 }
893         }
894
895         rc = -ENOMEM;
896         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
897         if (!opts->mnt_opts)
898                 goto out_err;
899
900         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
901         if (!opts->mnt_opts_flags) {
902                 kfree(opts->mnt_opts);
903                 goto out_err;
904         }
905
906         if (fscontext) {
907                 opts->mnt_opts[num_mnt_opts] = fscontext;
908                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
909         }
910         if (context) {
911                 opts->mnt_opts[num_mnt_opts] = context;
912                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
913         }
914         if (rootcontext) {
915                 opts->mnt_opts[num_mnt_opts] = rootcontext;
916                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
917         }
918         if (defcontext) {
919                 opts->mnt_opts[num_mnt_opts] = defcontext;
920                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
921         }
922
923         opts->num_mnt_opts = num_mnt_opts;
924         return 0;
925
926 out_err:
927         kfree(context);
928         kfree(defcontext);
929         kfree(fscontext);
930         kfree(rootcontext);
931         return rc;
932 }
933 /*
934  * string mount options parsing and call set the sbsec
935  */
936 static int superblock_doinit(struct super_block *sb, void *data)
937 {
938         int rc = 0;
939         char *options = data;
940         struct security_mnt_opts opts;
941
942         security_init_mnt_opts(&opts);
943
944         if (!data)
945                 goto out;
946
947         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
948
949         rc = selinux_parse_opts_str(options, &opts);
950         if (rc)
951                 goto out_err;
952
953 out:
954         rc = selinux_set_mnt_opts(sb, &opts);
955
956 out_err:
957         security_free_mnt_opts(&opts);
958         return rc;
959 }
960
961 static inline u16 inode_mode_to_security_class(umode_t mode)
962 {
963         switch (mode & S_IFMT) {
964         case S_IFSOCK:
965                 return SECCLASS_SOCK_FILE;
966         case S_IFLNK:
967                 return SECCLASS_LNK_FILE;
968         case S_IFREG:
969                 return SECCLASS_FILE;
970         case S_IFBLK:
971                 return SECCLASS_BLK_FILE;
972         case S_IFDIR:
973                 return SECCLASS_DIR;
974         case S_IFCHR:
975                 return SECCLASS_CHR_FILE;
976         case S_IFIFO:
977                 return SECCLASS_FIFO_FILE;
978
979         }
980
981         return SECCLASS_FILE;
982 }
983
984 static inline int default_protocol_stream(int protocol)
985 {
986         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
987 }
988
989 static inline int default_protocol_dgram(int protocol)
990 {
991         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
992 }
993
994 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
995 {
996         switch (family) {
997         case PF_UNIX:
998                 switch (type) {
999                 case SOCK_STREAM:
1000                 case SOCK_SEQPACKET:
1001                         return SECCLASS_UNIX_STREAM_SOCKET;
1002                 case SOCK_DGRAM:
1003                         return SECCLASS_UNIX_DGRAM_SOCKET;
1004                 }
1005                 break;
1006         case PF_INET:
1007         case PF_INET6:
1008                 switch (type) {
1009                 case SOCK_STREAM:
1010                         if (default_protocol_stream(protocol))
1011                                 return SECCLASS_TCP_SOCKET;
1012                         else
1013                                 return SECCLASS_RAWIP_SOCKET;
1014                 case SOCK_DGRAM:
1015                         if (default_protocol_dgram(protocol))
1016                                 return SECCLASS_UDP_SOCKET;
1017                         else
1018                                 return SECCLASS_RAWIP_SOCKET;
1019                 case SOCK_DCCP:
1020                         return SECCLASS_DCCP_SOCKET;
1021                 default:
1022                         return SECCLASS_RAWIP_SOCKET;
1023                 }
1024                 break;
1025         case PF_NETLINK:
1026                 switch (protocol) {
1027                 case NETLINK_ROUTE:
1028                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1029                 case NETLINK_FIREWALL:
1030                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1031                 case NETLINK_INET_DIAG:
1032                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1033                 case NETLINK_NFLOG:
1034                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1035                 case NETLINK_XFRM:
1036                         return SECCLASS_NETLINK_XFRM_SOCKET;
1037                 case NETLINK_SELINUX:
1038                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1039                 case NETLINK_AUDIT:
1040                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1041                 case NETLINK_IP6_FW:
1042                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1043                 case NETLINK_DNRTMSG:
1044                         return SECCLASS_NETLINK_DNRT_SOCKET;
1045                 case NETLINK_KOBJECT_UEVENT:
1046                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1047                 default:
1048                         return SECCLASS_NETLINK_SOCKET;
1049                 }
1050         case PF_PACKET:
1051                 return SECCLASS_PACKET_SOCKET;
1052         case PF_KEY:
1053                 return SECCLASS_KEY_SOCKET;
1054         case PF_APPLETALK:
1055                 return SECCLASS_APPLETALK_SOCKET;
1056         }
1057
1058         return SECCLASS_SOCKET;
1059 }
1060
1061 #ifdef CONFIG_PROC_FS
1062 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1063                                 u16 tclass,
1064                                 u32 *sid)
1065 {
1066         int buflen, rc;
1067         char *buffer, *path, *end;
1068
1069         buffer = (char *)__get_free_page(GFP_KERNEL);
1070         if (!buffer)
1071                 return -ENOMEM;
1072
1073         buflen = PAGE_SIZE;
1074         end = buffer+buflen;
1075         *--end = '\0';
1076         buflen--;
1077         path = end-1;
1078         *path = '/';
1079         while (de && de != de->parent) {
1080                 buflen -= de->namelen + 1;
1081                 if (buflen < 0)
1082                         break;
1083                 end -= de->namelen;
1084                 memcpy(end, de->name, de->namelen);
1085                 *--end = '/';
1086                 path = end;
1087                 de = de->parent;
1088         }
1089         rc = security_genfs_sid("proc", path, tclass, sid);
1090         free_page((unsigned long)buffer);
1091         return rc;
1092 }
1093 #else
1094 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1095                                 u16 tclass,
1096                                 u32 *sid)
1097 {
1098         return -EINVAL;
1099 }
1100 #endif
1101
1102 /* The inode's security attributes must be initialized before first use. */
1103 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1104 {
1105         struct superblock_security_struct *sbsec = NULL;
1106         struct inode_security_struct *isec = inode->i_security;
1107         u32 sid;
1108         struct dentry *dentry;
1109 #define INITCONTEXTLEN 255
1110         char *context = NULL;
1111         unsigned len = 0;
1112         int rc = 0;
1113
1114         if (isec->initialized)
1115                 goto out;
1116
1117         mutex_lock(&isec->lock);
1118         if (isec->initialized)
1119                 goto out_unlock;
1120
1121         sbsec = inode->i_sb->s_security;
1122         if (!sbsec->initialized) {
1123                 /* Defer initialization until selinux_complete_init,
1124                    after the initial policy is loaded and the security
1125                    server is ready to handle calls. */
1126                 spin_lock(&sbsec->isec_lock);
1127                 if (list_empty(&isec->list))
1128                         list_add(&isec->list, &sbsec->isec_head);
1129                 spin_unlock(&sbsec->isec_lock);
1130                 goto out_unlock;
1131         }
1132
1133         switch (sbsec->behavior) {
1134         case SECURITY_FS_USE_XATTR:
1135                 if (!inode->i_op->getxattr) {
1136                         isec->sid = sbsec->def_sid;
1137                         break;
1138                 }
1139
1140                 /* Need a dentry, since the xattr API requires one.
1141                    Life would be simpler if we could just pass the inode. */
1142                 if (opt_dentry) {
1143                         /* Called from d_instantiate or d_splice_alias. */
1144                         dentry = dget(opt_dentry);
1145                 } else {
1146                         /* Called from selinux_complete_init, try to find a dentry. */
1147                         dentry = d_find_alias(inode);
1148                 }
1149                 if (!dentry) {
1150                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1151                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1152                                inode->i_ino);
1153                         goto out_unlock;
1154                 }
1155
1156                 len = INITCONTEXTLEN;
1157                 context = kmalloc(len, GFP_NOFS);
1158                 if (!context) {
1159                         rc = -ENOMEM;
1160                         dput(dentry);
1161                         goto out_unlock;
1162                 }
1163                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1164                                            context, len);
1165                 if (rc == -ERANGE) {
1166                         /* Need a larger buffer.  Query for the right size. */
1167                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1168                                                    NULL, 0);
1169                         if (rc < 0) {
1170                                 dput(dentry);
1171                                 goto out_unlock;
1172                         }
1173                         kfree(context);
1174                         len = rc;
1175                         context = kmalloc(len, GFP_NOFS);
1176                         if (!context) {
1177                                 rc = -ENOMEM;
1178                                 dput(dentry);
1179                                 goto out_unlock;
1180                         }
1181                         rc = inode->i_op->getxattr(dentry,
1182                                                    XATTR_NAME_SELINUX,
1183                                                    context, len);
1184                 }
1185                 dput(dentry);
1186                 if (rc < 0) {
1187                         if (rc != -ENODATA) {
1188                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1189                                        "%d for dev=%s ino=%ld\n", __func__,
1190                                        -rc, inode->i_sb->s_id, inode->i_ino);
1191                                 kfree(context);
1192                                 goto out_unlock;
1193                         }
1194                         /* Map ENODATA to the default file SID */
1195                         sid = sbsec->def_sid;
1196                         rc = 0;
1197                 } else {
1198                         rc = security_context_to_sid_default(context, rc, &sid,
1199                                                              sbsec->def_sid,
1200                                                              GFP_NOFS);
1201                         if (rc) {
1202                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1203                                        "returned %d for dev=%s ino=%ld\n",
1204                                        __func__, context, -rc,
1205                                        inode->i_sb->s_id, inode->i_ino);
1206                                 kfree(context);
1207                                 /* Leave with the unlabeled SID */
1208                                 rc = 0;
1209                                 break;
1210                         }
1211                 }
1212                 kfree(context);
1213                 isec->sid = sid;
1214                 break;
1215         case SECURITY_FS_USE_TASK:
1216                 isec->sid = isec->task_sid;
1217                 break;
1218         case SECURITY_FS_USE_TRANS:
1219                 /* Default to the fs SID. */
1220                 isec->sid = sbsec->sid;
1221
1222                 /* Try to obtain a transition SID. */
1223                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1224                 rc = security_transition_sid(isec->task_sid,
1225                                              sbsec->sid,
1226                                              isec->sclass,
1227                                              &sid);
1228                 if (rc)
1229                         goto out_unlock;
1230                 isec->sid = sid;
1231                 break;
1232         case SECURITY_FS_USE_MNTPOINT:
1233                 isec->sid = sbsec->mntpoint_sid;
1234                 break;
1235         default:
1236                 /* Default to the fs superblock SID. */
1237                 isec->sid = sbsec->sid;
1238
1239                 if (sbsec->proc) {
1240                         struct proc_inode *proci = PROC_I(inode);
1241                         if (proci->pde) {
1242                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1243                                 rc = selinux_proc_get_sid(proci->pde,
1244                                                           isec->sclass,
1245                                                           &sid);
1246                                 if (rc)
1247                                         goto out_unlock;
1248                                 isec->sid = sid;
1249                         }
1250                 }
1251                 break;
1252         }
1253
1254         isec->initialized = 1;
1255
1256 out_unlock:
1257         mutex_unlock(&isec->lock);
1258 out:
1259         if (isec->sclass == SECCLASS_FILE)
1260                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1261         return rc;
1262 }
1263
1264 /* Convert a Linux signal to an access vector. */
1265 static inline u32 signal_to_av(int sig)
1266 {
1267         u32 perm = 0;
1268
1269         switch (sig) {
1270         case SIGCHLD:
1271                 /* Commonly granted from child to parent. */
1272                 perm = PROCESS__SIGCHLD;
1273                 break;
1274         case SIGKILL:
1275                 /* Cannot be caught or ignored */
1276                 perm = PROCESS__SIGKILL;
1277                 break;
1278         case SIGSTOP:
1279                 /* Cannot be caught or ignored */
1280                 perm = PROCESS__SIGSTOP;
1281                 break;
1282         default:
1283                 /* All other signals. */
1284                 perm = PROCESS__SIGNAL;
1285                 break;
1286         }
1287
1288         return perm;
1289 }
1290
1291 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1292    fork check, ptrace check, etc. */
1293 static int task_has_perm(struct task_struct *tsk1,
1294                          struct task_struct *tsk2,
1295                          u32 perms)
1296 {
1297         struct task_security_struct *tsec1, *tsec2;
1298
1299         tsec1 = tsk1->security;
1300         tsec2 = tsk2->security;
1301         return avc_has_perm(tsec1->sid, tsec2->sid,
1302                             SECCLASS_PROCESS, perms, NULL);
1303 }
1304
1305 #if CAP_LAST_CAP > 63
1306 #error Fix SELinux to handle capabilities > 63.
1307 #endif
1308
1309 /* Check whether a task is allowed to use a capability. */
1310 static int task_has_capability(struct task_struct *tsk,
1311                                int cap)
1312 {
1313         struct task_security_struct *tsec;
1314         struct avc_audit_data ad;
1315         u16 sclass;
1316         u32 av = CAP_TO_MASK(cap);
1317
1318         tsec = tsk->security;
1319
1320         AVC_AUDIT_DATA_INIT(&ad, CAP);
1321         ad.tsk = tsk;
1322         ad.u.cap = cap;
1323
1324         switch (CAP_TO_INDEX(cap)) {
1325         case 0:
1326                 sclass = SECCLASS_CAPABILITY;
1327                 break;
1328         case 1:
1329                 sclass = SECCLASS_CAPABILITY2;
1330                 break;
1331         default:
1332                 printk(KERN_ERR
1333                        "SELinux:  out of range capability %d\n", cap);
1334                 BUG();
1335         }
1336         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1337 }
1338
1339 /* Check whether a task is allowed to use a system operation. */
1340 static int task_has_system(struct task_struct *tsk,
1341                            u32 perms)
1342 {
1343         struct task_security_struct *tsec;
1344
1345         tsec = tsk->security;
1346
1347         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1348                             SECCLASS_SYSTEM, perms, NULL);
1349 }
1350
1351 /* Check whether a task has a particular permission to an inode.
1352    The 'adp' parameter is optional and allows other audit
1353    data to be passed (e.g. the dentry). */
1354 static int inode_has_perm(struct task_struct *tsk,
1355                           struct inode *inode,
1356                           u32 perms,
1357                           struct avc_audit_data *adp)
1358 {
1359         struct task_security_struct *tsec;
1360         struct inode_security_struct *isec;
1361         struct avc_audit_data ad;
1362
1363         if (unlikely(IS_PRIVATE(inode)))
1364                 return 0;
1365
1366         tsec = tsk->security;
1367         isec = inode->i_security;
1368
1369         if (!adp) {
1370                 adp = &ad;
1371                 AVC_AUDIT_DATA_INIT(&ad, FS);
1372                 ad.u.fs.inode = inode;
1373         }
1374
1375         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1376 }
1377
1378 /* Same as inode_has_perm, but pass explicit audit data containing
1379    the dentry to help the auditing code to more easily generate the
1380    pathname if needed. */
1381 static inline int dentry_has_perm(struct task_struct *tsk,
1382                                   struct vfsmount *mnt,
1383                                   struct dentry *dentry,
1384                                   u32 av)
1385 {
1386         struct inode *inode = dentry->d_inode;
1387         struct avc_audit_data ad;
1388         AVC_AUDIT_DATA_INIT(&ad, FS);
1389         ad.u.fs.path.mnt = mnt;
1390         ad.u.fs.path.dentry = dentry;
1391         return inode_has_perm(tsk, inode, av, &ad);
1392 }
1393
1394 /* Check whether a task can use an open file descriptor to
1395    access an inode in a given way.  Check access to the
1396    descriptor itself, and then use dentry_has_perm to
1397    check a particular permission to the file.
1398    Access to the descriptor is implicitly granted if it
1399    has the same SID as the process.  If av is zero, then
1400    access to the file is not checked, e.g. for cases
1401    where only the descriptor is affected like seek. */
1402 static int file_has_perm(struct task_struct *tsk,
1403                                 struct file *file,
1404                                 u32 av)
1405 {
1406         struct task_security_struct *tsec = tsk->security;
1407         struct file_security_struct *fsec = file->f_security;
1408         struct inode *inode = file->f_path.dentry->d_inode;
1409         struct avc_audit_data ad;
1410         int rc;
1411
1412         AVC_AUDIT_DATA_INIT(&ad, FS);
1413         ad.u.fs.path = file->f_path;
1414
1415         if (tsec->sid != fsec->sid) {
1416                 rc = avc_has_perm(tsec->sid, fsec->sid,
1417                                   SECCLASS_FD,
1418                                   FD__USE,
1419                                   &ad);
1420                 if (rc)
1421                         return rc;
1422         }
1423
1424         /* av is zero if only checking access to the descriptor. */
1425         if (av)
1426                 return inode_has_perm(tsk, inode, av, &ad);
1427
1428         return 0;
1429 }
1430
1431 /* Check whether a task can create a file. */
1432 static int may_create(struct inode *dir,
1433                       struct dentry *dentry,
1434                       u16 tclass)
1435 {
1436         struct task_security_struct *tsec;
1437         struct inode_security_struct *dsec;
1438         struct superblock_security_struct *sbsec;
1439         u32 newsid;
1440         struct avc_audit_data ad;
1441         int rc;
1442
1443         tsec = current->security;
1444         dsec = dir->i_security;
1445         sbsec = dir->i_sb->s_security;
1446
1447         AVC_AUDIT_DATA_INIT(&ad, FS);
1448         ad.u.fs.path.dentry = dentry;
1449
1450         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1451                           DIR__ADD_NAME | DIR__SEARCH,
1452                           &ad);
1453         if (rc)
1454                 return rc;
1455
1456         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1457                 newsid = tsec->create_sid;
1458         } else {
1459                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1460                                              &newsid);
1461                 if (rc)
1462                         return rc;
1463         }
1464
1465         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1466         if (rc)
1467                 return rc;
1468
1469         return avc_has_perm(newsid, sbsec->sid,
1470                             SECCLASS_FILESYSTEM,
1471                             FILESYSTEM__ASSOCIATE, &ad);
1472 }
1473
1474 /* Check whether a task can create a key. */
1475 static int may_create_key(u32 ksid,
1476                           struct task_struct *ctx)
1477 {
1478         struct task_security_struct *tsec;
1479
1480         tsec = ctx->security;
1481
1482         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1483 }
1484
1485 #define MAY_LINK        0
1486 #define MAY_UNLINK      1
1487 #define MAY_RMDIR       2
1488
1489 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1490 static int may_link(struct inode *dir,
1491                     struct dentry *dentry,
1492                     int kind)
1493
1494 {
1495         struct task_security_struct *tsec;
1496         struct inode_security_struct *dsec, *isec;
1497         struct avc_audit_data ad;
1498         u32 av;
1499         int rc;
1500
1501         tsec = current->security;
1502         dsec = dir->i_security;
1503         isec = dentry->d_inode->i_security;
1504
1505         AVC_AUDIT_DATA_INIT(&ad, FS);
1506         ad.u.fs.path.dentry = dentry;
1507
1508         av = DIR__SEARCH;
1509         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1510         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1511         if (rc)
1512                 return rc;
1513
1514         switch (kind) {
1515         case MAY_LINK:
1516                 av = FILE__LINK;
1517                 break;
1518         case MAY_UNLINK:
1519                 av = FILE__UNLINK;
1520                 break;
1521         case MAY_RMDIR:
1522                 av = DIR__RMDIR;
1523                 break;
1524         default:
1525                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1526                         __func__, kind);
1527                 return 0;
1528         }
1529
1530         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1531         return rc;
1532 }
1533
1534 static inline int may_rename(struct inode *old_dir,
1535                              struct dentry *old_dentry,
1536                              struct inode *new_dir,
1537                              struct dentry *new_dentry)
1538 {
1539         struct task_security_struct *tsec;
1540         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1541         struct avc_audit_data ad;
1542         u32 av;
1543         int old_is_dir, new_is_dir;
1544         int rc;
1545
1546         tsec = current->security;
1547         old_dsec = old_dir->i_security;
1548         old_isec = old_dentry->d_inode->i_security;
1549         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1550         new_dsec = new_dir->i_security;
1551
1552         AVC_AUDIT_DATA_INIT(&ad, FS);
1553
1554         ad.u.fs.path.dentry = old_dentry;
1555         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1556                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1557         if (rc)
1558                 return rc;
1559         rc = avc_has_perm(tsec->sid, old_isec->sid,
1560                           old_isec->sclass, FILE__RENAME, &ad);
1561         if (rc)
1562                 return rc;
1563         if (old_is_dir && new_dir != old_dir) {
1564                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1565                                   old_isec->sclass, DIR__REPARENT, &ad);
1566                 if (rc)
1567                         return rc;
1568         }
1569
1570         ad.u.fs.path.dentry = new_dentry;
1571         av = DIR__ADD_NAME | DIR__SEARCH;
1572         if (new_dentry->d_inode)
1573                 av |= DIR__REMOVE_NAME;
1574         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1575         if (rc)
1576                 return rc;
1577         if (new_dentry->d_inode) {
1578                 new_isec = new_dentry->d_inode->i_security;
1579                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1580                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1581                                   new_isec->sclass,
1582                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1583                 if (rc)
1584                         return rc;
1585         }
1586
1587         return 0;
1588 }
1589
1590 /* Check whether a task can perform a filesystem operation. */
1591 static int superblock_has_perm(struct task_struct *tsk,
1592                                struct super_block *sb,
1593                                u32 perms,
1594                                struct avc_audit_data *ad)
1595 {
1596         struct task_security_struct *tsec;
1597         struct superblock_security_struct *sbsec;
1598
1599         tsec = tsk->security;
1600         sbsec = sb->s_security;
1601         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1602                             perms, ad);
1603 }
1604
1605 /* Convert a Linux mode and permission mask to an access vector. */
1606 static inline u32 file_mask_to_av(int mode, int mask)
1607 {
1608         u32 av = 0;
1609
1610         if ((mode & S_IFMT) != S_IFDIR) {
1611                 if (mask & MAY_EXEC)
1612                         av |= FILE__EXECUTE;
1613                 if (mask & MAY_READ)
1614                         av |= FILE__READ;
1615
1616                 if (mask & MAY_APPEND)
1617                         av |= FILE__APPEND;
1618                 else if (mask & MAY_WRITE)
1619                         av |= FILE__WRITE;
1620
1621         } else {
1622                 if (mask & MAY_EXEC)
1623                         av |= DIR__SEARCH;
1624                 if (mask & MAY_WRITE)
1625                         av |= DIR__WRITE;
1626                 if (mask & MAY_READ)
1627                         av |= DIR__READ;
1628         }
1629
1630         return av;
1631 }
1632
1633 /*
1634  * Convert a file mask to an access vector and include the correct open
1635  * open permission.
1636  */
1637 static inline u32 open_file_mask_to_av(int mode, int mask)
1638 {
1639         u32 av = file_mask_to_av(mode, mask);
1640
1641         if (selinux_policycap_openperm) {
1642                 /*
1643                  * lnk files and socks do not really have an 'open'
1644                  */
1645                 if (S_ISREG(mode))
1646                         av |= FILE__OPEN;
1647                 else if (S_ISCHR(mode))
1648                         av |= CHR_FILE__OPEN;
1649                 else if (S_ISBLK(mode))
1650                         av |= BLK_FILE__OPEN;
1651                 else if (S_ISFIFO(mode))
1652                         av |= FIFO_FILE__OPEN;
1653                 else if (S_ISDIR(mode))
1654                         av |= DIR__OPEN;
1655                 else
1656                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1657                                 "unknown mode:%x\n", __func__, mode);
1658         }
1659         return av;
1660 }
1661
1662 /* Convert a Linux file to an access vector. */
1663 static inline u32 file_to_av(struct file *file)
1664 {
1665         u32 av = 0;
1666
1667         if (file->f_mode & FMODE_READ)
1668                 av |= FILE__READ;
1669         if (file->f_mode & FMODE_WRITE) {
1670                 if (file->f_flags & O_APPEND)
1671                         av |= FILE__APPEND;
1672                 else
1673                         av |= FILE__WRITE;
1674         }
1675         if (!av) {
1676                 /*
1677                  * Special file opened with flags 3 for ioctl-only use.
1678                  */
1679                 av = FILE__IOCTL;
1680         }
1681
1682         return av;
1683 }
1684
1685 /* Hook functions begin here. */
1686
1687 static int selinux_ptrace(struct task_struct *parent,
1688                           struct task_struct *child,
1689                           unsigned int mode)
1690 {
1691         int rc;
1692
1693         rc = secondary_ops->ptrace(parent, child, mode);
1694         if (rc)
1695                 return rc;
1696
1697         if (mode == PTRACE_MODE_READ) {
1698                 struct task_security_struct *tsec = parent->security;
1699                 struct task_security_struct *csec = child->security;
1700                 return avc_has_perm(tsec->sid, csec->sid,
1701                                     SECCLASS_FILE, FILE__READ, NULL);
1702         }
1703
1704         return task_has_perm(parent, child, PROCESS__PTRACE);
1705 }
1706
1707 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1708                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1709 {
1710         int error;
1711
1712         error = task_has_perm(current, target, PROCESS__GETCAP);
1713         if (error)
1714                 return error;
1715
1716         return secondary_ops->capget(target, effective, inheritable, permitted);
1717 }
1718
1719 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1720                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1721 {
1722         int error;
1723
1724         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1725         if (error)
1726                 return error;
1727
1728         return task_has_perm(current, target, PROCESS__SETCAP);
1729 }
1730
1731 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1732                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1733 {
1734         secondary_ops->capset_set(target, effective, inheritable, permitted);
1735 }
1736
1737 static int selinux_capable(struct task_struct *tsk, int cap)
1738 {
1739         int rc;
1740
1741         rc = secondary_ops->capable(tsk, cap);
1742         if (rc)
1743                 return rc;
1744
1745         return task_has_capability(tsk, cap);
1746 }
1747
1748 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1749 {
1750         int buflen, rc;
1751         char *buffer, *path, *end;
1752
1753         rc = -ENOMEM;
1754         buffer = (char *)__get_free_page(GFP_KERNEL);
1755         if (!buffer)
1756                 goto out;
1757
1758         buflen = PAGE_SIZE;
1759         end = buffer+buflen;
1760         *--end = '\0';
1761         buflen--;
1762         path = end-1;
1763         *path = '/';
1764         while (table) {
1765                 const char *name = table->procname;
1766                 size_t namelen = strlen(name);
1767                 buflen -= namelen + 1;
1768                 if (buflen < 0)
1769                         goto out_free;
1770                 end -= namelen;
1771                 memcpy(end, name, namelen);
1772                 *--end = '/';
1773                 path = end;
1774                 table = table->parent;
1775         }
1776         buflen -= 4;
1777         if (buflen < 0)
1778                 goto out_free;
1779         end -= 4;
1780         memcpy(end, "/sys", 4);
1781         path = end;
1782         rc = security_genfs_sid("proc", path, tclass, sid);
1783 out_free:
1784         free_page((unsigned long)buffer);
1785 out:
1786         return rc;
1787 }
1788
1789 static int selinux_sysctl(ctl_table *table, int op)
1790 {
1791         int error = 0;
1792         u32 av;
1793         struct task_security_struct *tsec;
1794         u32 tsid;
1795         int rc;
1796
1797         rc = secondary_ops->sysctl(table, op);
1798         if (rc)
1799                 return rc;
1800
1801         tsec = current->security;
1802
1803         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1804                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1805         if (rc) {
1806                 /* Default to the well-defined sysctl SID. */
1807                 tsid = SECINITSID_SYSCTL;
1808         }
1809
1810         /* The op values are "defined" in sysctl.c, thereby creating
1811          * a bad coupling between this module and sysctl.c */
1812         if (op == 001) {
1813                 error = avc_has_perm(tsec->sid, tsid,
1814                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1815         } else {
1816                 av = 0;
1817                 if (op & 004)
1818                         av |= FILE__READ;
1819                 if (op & 002)
1820                         av |= FILE__WRITE;
1821                 if (av)
1822                         error = avc_has_perm(tsec->sid, tsid,
1823                                              SECCLASS_FILE, av, NULL);
1824         }
1825
1826         return error;
1827 }
1828
1829 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1830 {
1831         int rc = 0;
1832
1833         if (!sb)
1834                 return 0;
1835
1836         switch (cmds) {
1837         case Q_SYNC:
1838         case Q_QUOTAON:
1839         case Q_QUOTAOFF:
1840         case Q_SETINFO:
1841         case Q_SETQUOTA:
1842                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1843                                          NULL);
1844                 break;
1845         case Q_GETFMT:
1846         case Q_GETINFO:
1847         case Q_GETQUOTA:
1848                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1849                                          NULL);
1850                 break;
1851         default:
1852                 rc = 0;  /* let the kernel handle invalid cmds */
1853                 break;
1854         }
1855         return rc;
1856 }
1857
1858 static int selinux_quota_on(struct dentry *dentry)
1859 {
1860         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1861 }
1862
1863 static int selinux_syslog(int type)
1864 {
1865         int rc;
1866
1867         rc = secondary_ops->syslog(type);
1868         if (rc)
1869                 return rc;
1870
1871         switch (type) {
1872         case 3:         /* Read last kernel messages */
1873         case 10:        /* Return size of the log buffer */
1874                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1875                 break;
1876         case 6:         /* Disable logging to console */
1877         case 7:         /* Enable logging to console */
1878         case 8:         /* Set level of messages printed to console */
1879                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1880                 break;
1881         case 0:         /* Close log */
1882         case 1:         /* Open log */
1883         case 2:         /* Read from log */
1884         case 4:         /* Read/clear last kernel messages */
1885         case 5:         /* Clear ring buffer */
1886         default:
1887                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1888                 break;
1889         }
1890         return rc;
1891 }
1892
1893 /*
1894  * Check that a process has enough memory to allocate a new virtual
1895  * mapping. 0 means there is enough memory for the allocation to
1896  * succeed and -ENOMEM implies there is not.
1897  *
1898  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1899  * if the capability is granted, but __vm_enough_memory requires 1 if
1900  * the capability is granted.
1901  *
1902  * Do not audit the selinux permission check, as this is applied to all
1903  * processes that allocate mappings.
1904  */
1905 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1906 {
1907         int rc, cap_sys_admin = 0;
1908         struct task_security_struct *tsec = current->security;
1909
1910         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1911         if (rc == 0)
1912                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1913                                           SECCLASS_CAPABILITY,
1914                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1915                                           0,
1916                                           NULL);
1917
1918         if (rc == 0)
1919                 cap_sys_admin = 1;
1920
1921         return __vm_enough_memory(mm, pages, cap_sys_admin);
1922 }
1923
1924 /**
1925  * task_tracer_task - return the task that is tracing the given task
1926  * @task:               task to consider
1927  *
1928  * Returns NULL if noone is tracing @task, or the &struct task_struct
1929  * pointer to its tracer.
1930  *
1931  * Must be called under rcu_read_lock().
1932  */
1933 static struct task_struct *task_tracer_task(struct task_struct *task)
1934 {
1935         if (task->ptrace & PT_PTRACED)
1936                 return rcu_dereference(task->parent);
1937         return NULL;
1938 }
1939
1940 /* binprm security operations */
1941
1942 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1943 {
1944         struct bprm_security_struct *bsec;
1945
1946         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1947         if (!bsec)
1948                 return -ENOMEM;
1949
1950         bsec->sid = SECINITSID_UNLABELED;
1951         bsec->set = 0;
1952
1953         bprm->security = bsec;
1954         return 0;
1955 }
1956
1957 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1958 {
1959         struct task_security_struct *tsec;
1960         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1961         struct inode_security_struct *isec;
1962         struct bprm_security_struct *bsec;
1963         u32 newsid;
1964         struct avc_audit_data ad;
1965         int rc;
1966
1967         rc = secondary_ops->bprm_set_security(bprm);
1968         if (rc)
1969                 return rc;
1970
1971         bsec = bprm->security;
1972
1973         if (bsec->set)
1974                 return 0;
1975
1976         tsec = current->security;
1977         isec = inode->i_security;
1978
1979         /* Default to the current task SID. */
1980         bsec->sid = tsec->sid;
1981
1982         /* Reset fs, key, and sock SIDs on execve. */
1983         tsec->create_sid = 0;
1984         tsec->keycreate_sid = 0;
1985         tsec->sockcreate_sid = 0;
1986
1987         if (tsec->exec_sid) {
1988                 newsid = tsec->exec_sid;
1989                 /* Reset exec SID on execve. */
1990                 tsec->exec_sid = 0;
1991         } else {
1992                 /* Check for a default transition on this program. */
1993                 rc = security_transition_sid(tsec->sid, isec->sid,
1994                                              SECCLASS_PROCESS, &newsid);
1995                 if (rc)
1996                         return rc;
1997         }
1998
1999         AVC_AUDIT_DATA_INIT(&ad, FS);
2000         ad.u.fs.path = bprm->file->f_path;
2001
2002         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2003                 newsid = tsec->sid;
2004
2005         if (tsec->sid == newsid) {
2006                 rc = avc_has_perm(tsec->sid, isec->sid,
2007                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2008                 if (rc)
2009                         return rc;
2010         } else {
2011                 /* Check permissions for the transition. */
2012                 rc = avc_has_perm(tsec->sid, newsid,
2013                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2014                 if (rc)
2015                         return rc;
2016
2017                 rc = avc_has_perm(newsid, isec->sid,
2018                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2019                 if (rc)
2020                         return rc;
2021
2022                 /* Clear any possibly unsafe personality bits on exec: */
2023                 current->personality &= ~PER_CLEAR_ON_SETID;
2024
2025                 /* Set the security field to the new SID. */
2026                 bsec->sid = newsid;
2027         }
2028
2029         bsec->set = 1;
2030         return 0;
2031 }
2032
2033 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2034 {
2035         return secondary_ops->bprm_check_security(bprm);
2036 }
2037
2038
2039 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2040 {
2041         struct task_security_struct *tsec = current->security;
2042         int atsecure = 0;
2043
2044         if (tsec->osid != tsec->sid) {
2045                 /* Enable secure mode for SIDs transitions unless
2046                    the noatsecure permission is granted between
2047                    the two SIDs, i.e. ahp returns 0. */
2048                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2049                                          SECCLASS_PROCESS,
2050                                          PROCESS__NOATSECURE, NULL);
2051         }
2052
2053         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2054 }
2055
2056 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2057 {
2058         kfree(bprm->security);
2059         bprm->security = NULL;
2060 }
2061
2062 extern struct vfsmount *selinuxfs_mount;
2063 extern struct dentry *selinux_null;
2064
2065 /* Derived from fs/exec.c:flush_old_files. */
2066 static inline void flush_unauthorized_files(struct files_struct *files)
2067 {
2068         struct avc_audit_data ad;
2069         struct file *file, *devnull = NULL;
2070         struct tty_struct *tty;
2071         struct fdtable *fdt;
2072         long j = -1;
2073         int drop_tty = 0;
2074
2075         mutex_lock(&tty_mutex);
2076         tty = get_current_tty();
2077         if (tty) {
2078                 file_list_lock();
2079                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2080                 if (file) {
2081                         /* Revalidate access to controlling tty.
2082                            Use inode_has_perm on the tty inode directly rather
2083                            than using file_has_perm, as this particular open
2084                            file may belong to another process and we are only
2085                            interested in the inode-based check here. */
2086                         struct inode *inode = file->f_path.dentry->d_inode;
2087                         if (inode_has_perm(current, inode,
2088                                            FILE__READ | FILE__WRITE, NULL)) {
2089                                 drop_tty = 1;
2090                         }
2091                 }
2092                 file_list_unlock();
2093         }
2094         mutex_unlock(&tty_mutex);
2095         /* Reset controlling tty. */
2096         if (drop_tty)
2097                 no_tty();
2098
2099         /* Revalidate access to inherited open files. */
2100
2101         AVC_AUDIT_DATA_INIT(&ad, FS);
2102
2103         spin_lock(&files->file_lock);
2104         for (;;) {
2105                 unsigned long set, i;
2106                 int fd;
2107
2108                 j++;
2109                 i = j * __NFDBITS;
2110                 fdt = files_fdtable(files);
2111                 if (i >= fdt->max_fds)
2112                         break;
2113                 set = fdt->open_fds->fds_bits[j];
2114                 if (!set)
2115                         continue;
2116                 spin_unlock(&files->file_lock);
2117                 for ( ; set ; i++, set >>= 1) {
2118                         if (set & 1) {
2119                                 file = fget(i);
2120                                 if (!file)
2121                                         continue;
2122                                 if (file_has_perm(current,
2123                                                   file,
2124                                                   file_to_av(file))) {
2125                                         sys_close(i);
2126                                         fd = get_unused_fd();
2127                                         if (fd != i) {
2128                                                 if (fd >= 0)
2129                                                         put_unused_fd(fd);
2130                                                 fput(file);
2131                                                 continue;
2132                                         }
2133                                         if (devnull) {
2134                                                 get_file(devnull);
2135                                         } else {
2136                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2137                                                 if (IS_ERR(devnull)) {
2138                                                         devnull = NULL;
2139                                                         put_unused_fd(fd);
2140                                                         fput(file);
2141                                                         continue;
2142                                                 }
2143                                         }
2144                                         fd_install(fd, devnull);
2145                                 }
2146                                 fput(file);
2147                         }
2148                 }
2149                 spin_lock(&files->file_lock);
2150
2151         }
2152         spin_unlock(&files->file_lock);
2153 }
2154
2155 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2156 {
2157         struct task_security_struct *tsec;
2158         struct bprm_security_struct *bsec;
2159         u32 sid;
2160         int rc;
2161
2162         secondary_ops->bprm_apply_creds(bprm, unsafe);
2163
2164         tsec = current->security;
2165
2166         bsec = bprm->security;
2167         sid = bsec->sid;
2168
2169         tsec->osid = tsec->sid;
2170         bsec->unsafe = 0;
2171         if (tsec->sid != sid) {
2172                 /* Check for shared state.  If not ok, leave SID
2173                    unchanged and kill. */
2174                 if (unsafe & LSM_UNSAFE_SHARE) {
2175                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2176                                         PROCESS__SHARE, NULL);
2177                         if (rc) {
2178                                 bsec->unsafe = 1;
2179                                 return;
2180                         }
2181                 }
2182
2183                 /* Check for ptracing, and update the task SID if ok.
2184                    Otherwise, leave SID unchanged and kill. */
2185                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2186                         struct task_struct *tracer;
2187                         struct task_security_struct *sec;
2188                         u32 ptsid = 0;
2189
2190                         rcu_read_lock();
2191                         tracer = task_tracer_task(current);
2192                         if (likely(tracer != NULL)) {
2193                                 sec = tracer->security;
2194                                 ptsid = sec->sid;
2195                         }
2196                         rcu_read_unlock();
2197
2198                         if (ptsid != 0) {
2199                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2200                                                   PROCESS__PTRACE, NULL);
2201                                 if (rc) {
2202                                         bsec->unsafe = 1;
2203                                         return;
2204                                 }
2205                         }
2206                 }
2207                 tsec->sid = sid;
2208         }
2209 }
2210
2211 /*
2212  * called after apply_creds without the task lock held
2213  */
2214 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2215 {
2216         struct task_security_struct *tsec;
2217         struct rlimit *rlim, *initrlim;
2218         struct itimerval itimer;
2219         struct bprm_security_struct *bsec;
2220         int rc, i;
2221
2222         tsec = current->security;
2223         bsec = bprm->security;
2224
2225         if (bsec->unsafe) {
2226                 force_sig_specific(SIGKILL, current);
2227                 return;
2228         }
2229         if (tsec->osid == tsec->sid)
2230                 return;
2231
2232         /* Close files for which the new task SID is not authorized. */
2233         flush_unauthorized_files(current->files);
2234
2235         /* Check whether the new SID can inherit signal state
2236            from the old SID.  If not, clear itimers to avoid
2237            subsequent signal generation and flush and unblock
2238            signals. This must occur _after_ the task SID has
2239           been updated so that any kill done after the flush
2240           will be checked against the new SID. */
2241         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2242                           PROCESS__SIGINH, NULL);
2243         if (rc) {
2244                 memset(&itimer, 0, sizeof itimer);
2245                 for (i = 0; i < 3; i++)
2246                         do_setitimer(i, &itimer, NULL);
2247                 flush_signals(current);
2248                 spin_lock_irq(&current->sighand->siglock);
2249                 flush_signal_handlers(current, 1);
2250                 sigemptyset(&current->blocked);
2251                 recalc_sigpending();
2252                 spin_unlock_irq(&current->sighand->siglock);
2253         }
2254
2255         /* Always clear parent death signal on SID transitions. */
2256         current->pdeath_signal = 0;
2257
2258         /* Check whether the new SID can inherit resource limits
2259            from the old SID.  If not, reset all soft limits to
2260            the lower of the current task's hard limit and the init
2261            task's soft limit.  Note that the setting of hard limits
2262            (even to lower them) can be controlled by the setrlimit
2263            check. The inclusion of the init task's soft limit into
2264            the computation is to avoid resetting soft limits higher
2265            than the default soft limit for cases where the default
2266            is lower than the hard limit, e.g. RLIMIT_CORE or
2267            RLIMIT_STACK.*/
2268         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2269                           PROCESS__RLIMITINH, NULL);
2270         if (rc) {
2271                 for (i = 0; i < RLIM_NLIMITS; i++) {
2272                         rlim = current->signal->rlim + i;
2273                         initrlim = init_task.signal->rlim+i;
2274                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2275                 }
2276                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2277                         /*
2278                          * This will cause RLIMIT_CPU calculations
2279                          * to be refigured.
2280                          */
2281                         current->it_prof_expires = jiffies_to_cputime(1);
2282                 }
2283         }
2284
2285         /* Wake up the parent if it is waiting so that it can
2286            recheck wait permission to the new task SID. */
2287         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2288 }
2289
2290 /* superblock security operations */
2291
2292 static int selinux_sb_alloc_security(struct super_block *sb)
2293 {
2294         return superblock_alloc_security(sb);
2295 }
2296
2297 static void selinux_sb_free_security(struct super_block *sb)
2298 {
2299         superblock_free_security(sb);
2300 }
2301
2302 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2303 {
2304         if (plen > olen)
2305                 return 0;
2306
2307         return !memcmp(prefix, option, plen);
2308 }
2309
2310 static inline int selinux_option(char *option, int len)
2311 {
2312         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2313                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2314                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2315                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2316 }
2317
2318 static inline void take_option(char **to, char *from, int *first, int len)
2319 {
2320         if (!*first) {
2321                 **to = ',';
2322                 *to += 1;
2323         } else
2324                 *first = 0;
2325         memcpy(*to, from, len);
2326         *to += len;
2327 }
2328
2329 static inline void take_selinux_option(char **to, char *from, int *first,
2330                                        int len)
2331 {
2332         int current_size = 0;
2333
2334         if (!*first) {
2335                 **to = '|';
2336                 *to += 1;
2337         } else
2338                 *first = 0;
2339
2340         while (current_size < len) {
2341                 if (*from != '"') {
2342                         **to = *from;
2343                         *to += 1;
2344                 }
2345                 from += 1;
2346                 current_size += 1;
2347         }
2348 }
2349
2350 static int selinux_sb_copy_data(char *orig, char *copy)
2351 {
2352         int fnosec, fsec, rc = 0;
2353         char *in_save, *in_curr, *in_end;
2354         char *sec_curr, *nosec_save, *nosec;
2355         int open_quote = 0;
2356
2357         in_curr = orig;
2358         sec_curr = copy;
2359
2360         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2361         if (!nosec) {
2362                 rc = -ENOMEM;
2363                 goto out;
2364         }
2365
2366         nosec_save = nosec;
2367         fnosec = fsec = 1;
2368         in_save = in_end = orig;
2369
2370         do {
2371                 if (*in_end == '"')
2372                         open_quote = !open_quote;
2373                 if ((*in_end == ',' && open_quote == 0) ||
2374                                 *in_end == '\0') {
2375                         int len = in_end - in_curr;
2376
2377                         if (selinux_option(in_curr, len))
2378                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2379                         else
2380                                 take_option(&nosec, in_curr, &fnosec, len);
2381
2382                         in_curr = in_end + 1;
2383                 }
2384         } while (*in_end++);
2385
2386         strcpy(in_save, nosec_save);
2387         free_page((unsigned long)nosec_save);
2388 out:
2389         return rc;
2390 }
2391
2392 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2393 {
2394         struct avc_audit_data ad;
2395         int rc;
2396
2397         rc = superblock_doinit(sb, data);
2398         if (rc)
2399                 return rc;
2400
2401         AVC_AUDIT_DATA_INIT(&ad, FS);
2402         ad.u.fs.path.dentry = sb->s_root;
2403         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2404 }
2405
2406 static int selinux_sb_statfs(struct dentry *dentry)
2407 {
2408         struct avc_audit_data ad;
2409
2410         AVC_AUDIT_DATA_INIT(&ad, FS);
2411         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2412         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2413 }
2414
2415 static int selinux_mount(char *dev_name,
2416                          struct path *path,
2417                          char *type,
2418                          unsigned long flags,
2419                          void *data)
2420 {
2421         int rc;
2422
2423         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2424         if (rc)
2425                 return rc;
2426
2427         if (flags & MS_REMOUNT)
2428                 return superblock_has_perm(current, path->mnt->mnt_sb,
2429                                            FILESYSTEM__REMOUNT, NULL);
2430         else
2431                 return dentry_has_perm(current, path->mnt, path->dentry,
2432                                        FILE__MOUNTON);
2433 }
2434
2435 static int selinux_umount(struct vfsmount *mnt, int flags)
2436 {
2437         int rc;
2438
2439         rc = secondary_ops->sb_umount(mnt, flags);
2440         if (rc)
2441                 return rc;
2442
2443         return superblock_has_perm(current, mnt->mnt_sb,
2444                                    FILESYSTEM__UNMOUNT, NULL);
2445 }
2446
2447 /* inode security operations */
2448
2449 static int selinux_inode_alloc_security(struct inode *inode)
2450 {
2451         return inode_alloc_security(inode);
2452 }
2453
2454 static void selinux_inode_free_security(struct inode *inode)
2455 {
2456         inode_free_security(inode);
2457 }
2458
2459 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2460                                        char **name, void **value,
2461                                        size_t *len)
2462 {
2463         struct task_security_struct *tsec;
2464         struct inode_security_struct *dsec;
2465         struct superblock_security_struct *sbsec;
2466         u32 newsid, clen;
2467         int rc;
2468         char *namep = NULL, *context;
2469
2470         tsec = current->security;
2471         dsec = dir->i_security;
2472         sbsec = dir->i_sb->s_security;
2473
2474         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2475                 newsid = tsec->create_sid;
2476         } else {
2477                 rc = security_transition_sid(tsec->sid, dsec->sid,
2478                                              inode_mode_to_security_class(inode->i_mode),
2479                                              &newsid);
2480                 if (rc) {
2481                         printk(KERN_WARNING "%s:  "
2482                                "security_transition_sid failed, rc=%d (dev=%s "
2483                                "ino=%ld)\n",
2484                                __func__,
2485                                -rc, inode->i_sb->s_id, inode->i_ino);
2486                         return rc;
2487                 }
2488         }
2489
2490         /* Possibly defer initialization to selinux_complete_init. */
2491         if (sbsec->initialized) {
2492                 struct inode_security_struct *isec = inode->i_security;
2493                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2494                 isec->sid = newsid;
2495                 isec->initialized = 1;
2496         }
2497
2498         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2499                 return -EOPNOTSUPP;
2500
2501         if (name) {
2502                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2503                 if (!namep)
2504                         return -ENOMEM;
2505                 *name = namep;
2506         }
2507
2508         if (value && len) {
2509                 rc = security_sid_to_context_force(newsid, &context, &clen);
2510                 if (rc) {
2511                         kfree(namep);
2512                         return rc;
2513                 }
2514                 *value = context;
2515                 *len = clen;
2516         }
2517
2518         return 0;
2519 }
2520
2521 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2522 {
2523         return may_create(dir, dentry, SECCLASS_FILE);
2524 }
2525
2526 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2527 {
2528         int rc;
2529
2530         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2531         if (rc)
2532                 return rc;
2533         return may_link(dir, old_dentry, MAY_LINK);
2534 }
2535
2536 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2537 {
2538         int rc;
2539
2540         rc = secondary_ops->inode_unlink(dir, dentry);
2541         if (rc)
2542                 return rc;
2543         return may_link(dir, dentry, MAY_UNLINK);
2544 }
2545
2546 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2547 {
2548         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2549 }
2550
2551 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2552 {
2553         return may_create(dir, dentry, SECCLASS_DIR);
2554 }
2555
2556 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2557 {
2558         return may_link(dir, dentry, MAY_RMDIR);
2559 }
2560
2561 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2562 {
2563         int rc;
2564
2565         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2566         if (rc)
2567                 return rc;
2568
2569         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2570 }
2571
2572 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2573                                 struct inode *new_inode, struct dentry *new_dentry)
2574 {
2575         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2576 }
2577
2578 static int selinux_inode_readlink(struct dentry *dentry)
2579 {
2580         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2581 }
2582
2583 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2584 {
2585         int rc;
2586
2587         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2588         if (rc)
2589                 return rc;
2590         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2591 }
2592
2593 static int selinux_inode_permission(struct inode *inode, int mask,
2594                                     struct nameidata *nd)
2595 {
2596         int rc;
2597
2598         rc = secondary_ops->inode_permission(inode, mask, nd);
2599         if (rc)
2600                 return rc;
2601
2602         if (!mask) {
2603                 /* No permission to check.  Existence test. */
2604                 return 0;
2605         }
2606
2607         return inode_has_perm(current, inode,
2608                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2609 }
2610
2611 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2612 {
2613         int rc;
2614
2615         rc = secondary_ops->inode_setattr(dentry, iattr);
2616         if (rc)
2617                 return rc;
2618
2619         if (iattr->ia_valid & ATTR_FORCE)
2620                 return 0;
2621
2622         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2623                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2624                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2625
2626         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2627 }
2628
2629 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2630 {
2631         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2632 }
2633
2634 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2635 {
2636         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2637                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2638                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2639                         if (!capable(CAP_SETFCAP))
2640                                 return -EPERM;
2641                 } else if (!capable(CAP_SYS_ADMIN)) {
2642                         /* A different attribute in the security namespace.
2643                            Restrict to administrator. */
2644                         return -EPERM;
2645                 }
2646         }
2647
2648         /* Not an attribute we recognize, so just check the
2649            ordinary setattr permission. */
2650         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2651 }
2652
2653 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2654                                   const void *value, size_t size, int flags)
2655 {
2656         struct task_security_struct *tsec = current->security;
2657         struct inode *inode = dentry->d_inode;
2658         struct inode_security_struct *isec = inode->i_security;
2659         struct superblock_security_struct *sbsec;
2660         struct avc_audit_data ad;
2661         u32 newsid;
2662         int rc = 0;
2663
2664         if (strcmp(name, XATTR_NAME_SELINUX))
2665                 return selinux_inode_setotherxattr(dentry, name);
2666
2667         sbsec = inode->i_sb->s_security;
2668         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2669                 return -EOPNOTSUPP;
2670
2671         if (!is_owner_or_cap(inode))
2672                 return -EPERM;
2673
2674         AVC_AUDIT_DATA_INIT(&ad, FS);
2675         ad.u.fs.path.dentry = dentry;
2676
2677         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2678                           FILE__RELABELFROM, &ad);
2679         if (rc)
2680                 return rc;
2681
2682         rc = security_context_to_sid(value, size, &newsid);
2683         if (rc == -EINVAL) {
2684                 if (!capable(CAP_MAC_ADMIN))
2685                         return rc;
2686                 rc = security_context_to_sid_force(value, size, &newsid);
2687         }
2688         if (rc)
2689                 return rc;
2690
2691         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2692                           FILE__RELABELTO, &ad);
2693         if (rc)
2694                 return rc;
2695
2696         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2697                                           isec->sclass);
2698         if (rc)
2699                 return rc;
2700
2701         return avc_has_perm(newsid,
2702                             sbsec->sid,
2703                             SECCLASS_FILESYSTEM,
2704                             FILESYSTEM__ASSOCIATE,
2705                             &ad);
2706 }
2707
2708 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2709                                         const void *value, size_t size,
2710                                         int flags)
2711 {
2712         struct inode *inode = dentry->d_inode;
2713         struct inode_security_struct *isec = inode->i_security;
2714         u32 newsid;
2715         int rc;
2716
2717         if (strcmp(name, XATTR_NAME_SELINUX)) {
2718                 /* Not an attribute we recognize, so nothing to do. */
2719                 return;
2720         }
2721
2722         rc = security_context_to_sid_force(value, size, &newsid);
2723         if (rc) {
2724                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2725                        "for (%s, %lu), rc=%d\n",
2726                        inode->i_sb->s_id, inode->i_ino, -rc);
2727                 return;
2728         }
2729
2730         isec->sid = newsid;
2731         return;
2732 }
2733
2734 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2735 {
2736         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2737 }
2738
2739 static int selinux_inode_listxattr(struct dentry *dentry)
2740 {
2741         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2742 }
2743
2744 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2745 {
2746         if (strcmp(name, XATTR_NAME_SELINUX))
2747                 return selinux_inode_setotherxattr(dentry, name);
2748
2749         /* No one is allowed to remove a SELinux security label.
2750            You can change the label, but all data must be labeled. */
2751         return -EACCES;
2752 }
2753
2754 /*
2755  * Copy the inode security context value to the user.
2756  *
2757  * Permission check is handled by selinux_inode_getxattr hook.
2758  */
2759 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2760 {
2761         u32 size;
2762         int error;
2763         char *context = NULL;
2764         struct task_security_struct *tsec = current->security;
2765         struct inode_security_struct *isec = inode->i_security;
2766
2767         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2768                 return -EOPNOTSUPP;
2769
2770         /*
2771          * If the caller has CAP_MAC_ADMIN, then get the raw context
2772          * value even if it is not defined by current policy; otherwise,
2773          * use the in-core value under current policy.
2774          * Use the non-auditing forms of the permission checks since
2775          * getxattr may be called by unprivileged processes commonly
2776          * and lack of permission just means that we fall back to the
2777          * in-core context value, not a denial.
2778          */
2779         error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2780         if (!error)
2781                 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2782                                              SECCLASS_CAPABILITY2,
2783                                              CAPABILITY2__MAC_ADMIN,
2784                                              0,
2785                                              NULL);
2786         if (!error)
2787                 error = security_sid_to_context_force(isec->sid, &context,
2788                                                       &size);
2789         else
2790                 error = security_sid_to_context(isec->sid, &context, &size);
2791         if (error)
2792                 return error;
2793         error = size;
2794         if (alloc) {
2795                 *buffer = context;
2796                 goto out_nofree;
2797         }
2798         kfree(context);
2799 out_nofree:
2800         return error;
2801 }
2802
2803 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2804                                      const void *value, size_t size, int flags)
2805 {
2806         struct inode_security_struct *isec = inode->i_security;
2807         u32 newsid;
2808         int rc;
2809
2810         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2811                 return -EOPNOTSUPP;
2812
2813         if (!value || !size)
2814                 return -EACCES;
2815
2816         rc = security_context_to_sid((void *)value, size, &newsid);
2817         if (rc)
2818                 return rc;
2819
2820         isec->sid = newsid;
2821         return 0;
2822 }
2823
2824 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2825 {
2826         const int len = sizeof(XATTR_NAME_SELINUX);
2827         if (buffer && len <= buffer_size)
2828                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2829         return len;
2830 }
2831
2832 static int selinux_inode_need_killpriv(struct dentry *dentry)
2833 {
2834         return secondary_ops->inode_need_killpriv(dentry);
2835 }
2836
2837 static int selinux_inode_killpriv(struct dentry *dentry)
2838 {
2839         return secondary_ops->inode_killpriv(dentry);
2840 }
2841
2842 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2843 {
2844         struct inode_security_struct *isec = inode->i_security;
2845         *secid = isec->sid;
2846 }
2847
2848 /* file security operations */
2849
2850 static int selinux_revalidate_file_permission(struct file *file, int mask)
2851 {
2852         int rc;
2853         struct inode *inode = file->f_path.dentry->d_inode;
2854
2855         if (!mask) {
2856                 /* No permission to check.  Existence test. */
2857                 return 0;
2858         }
2859
2860         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2861         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2862                 mask |= MAY_APPEND;
2863
2864         rc = file_has_perm(current, file,
2865                            file_mask_to_av(inode->i_mode, mask));
2866         if (rc)
2867                 return rc;
2868
2869         return selinux_netlbl_inode_permission(inode, mask);
2870 }
2871
2872 static int selinux_file_permission(struct file *file, int mask)
2873 {
2874         struct inode *inode = file->f_path.dentry->d_inode;
2875         struct task_security_struct *tsec = current->security;
2876         struct file_security_struct *fsec = file->f_security;
2877         struct inode_security_struct *isec = inode->i_security;
2878
2879         if (!mask) {
2880                 /* No permission to check.  Existence test. */
2881                 return 0;
2882         }
2883
2884         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2885             && fsec->pseqno == avc_policy_seqno())
2886                 return selinux_netlbl_inode_permission(inode, mask);
2887
2888         return selinux_revalidate_file_permission(file, mask);
2889 }
2890
2891 static int selinux_file_alloc_security(struct file *file)
2892 {
2893         return file_alloc_security(file);
2894 }
2895
2896 static void selinux_file_free_security(struct file *file)
2897 {
2898         file_free_security(file);
2899 }
2900
2901 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2902                               unsigned long arg)
2903 {
2904         u32 av = 0;
2905
2906         if (_IOC_DIR(cmd) & _IOC_WRITE)
2907                 av |= FILE__WRITE;
2908         if (_IOC_DIR(cmd) & _IOC_READ)
2909                 av |= FILE__READ;
2910         if (!av)
2911                 av = FILE__IOCTL;
2912
2913         return file_has_perm(current, file, av);
2914 }
2915
2916 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2917 {
2918 #ifndef CONFIG_PPC32
2919         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2920                 /*
2921                  * We are making executable an anonymous mapping or a
2922                  * private file mapping that will also be writable.
2923                  * This has an additional check.
2924                  */
2925                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2926                 if (rc)
2927                         return rc;
2928         }
2929 #endif
2930
2931         if (file) {
2932                 /* read access is always possible with a mapping */
2933                 u32 av = FILE__READ;
2934
2935                 /* write access only matters if the mapping is shared */
2936                 if (shared && (prot & PROT_WRITE))
2937                         av |= FILE__WRITE;
2938
2939                 if (prot & PROT_EXEC)
2940                         av |= FILE__EXECUTE;
2941
2942                 return file_has_perm(current, file, av);
2943         }
2944         return 0;
2945 }
2946
2947 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2948                              unsigned long prot, unsigned long flags,
2949                              unsigned long addr, unsigned long addr_only)
2950 {
2951         int rc = 0;
2952         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2953
2954         if (addr < mmap_min_addr)
2955                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2956                                   MEMPROTECT__MMAP_ZERO, NULL);
2957         if (rc || addr_only)
2958                 return rc;
2959
2960         if (selinux_checkreqprot)
2961                 prot = reqprot;
2962
2963         return file_map_prot_check(file, prot,
2964                                    (flags & MAP_TYPE) == MAP_SHARED);
2965 }
2966
2967 static int selinux_file_mprotect(struct vm_area_struct *vma,
2968                                  unsigned long reqprot,
2969                                  unsigned long prot)
2970 {
2971         int rc;
2972
2973         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2974         if (rc)
2975                 return rc;
2976
2977         if (selinux_checkreqprot)
2978                 prot = reqprot;
2979
2980 #ifndef CONFIG_PPC32
2981         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2982                 rc = 0;
2983                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2984                     vma->vm_end <= vma->vm_mm->brk) {
2985                         rc = task_has_perm(current, current,
2986                                            PROCESS__EXECHEAP);
2987                 } else if (!vma->vm_file &&
2988                            vma->vm_start <= vma->vm_mm->start_stack &&
2989                            vma->vm_end >= vma->vm_mm->start_stack) {
2990                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2991                 } else if (vma->vm_file && vma->anon_vma) {
2992                         /*
2993                          * We are making executable a file mapping that has
2994                          * had some COW done. Since pages might have been
2995                          * written, check ability to execute the possibly
2996                          * modified content.  This typically should only
2997                          * occur for text relocations.
2998                          */
2999                         rc = file_has_perm(current, vma->vm_file,
3000                                            FILE__EXECMOD);
3001                 }
3002                 if (rc)
3003                         return rc;
3004         }
3005 #endif
3006
3007         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3008 }
3009
3010 static int selinux_file_lock(struct file *file, unsigned int cmd)
3011 {
3012         return file_has_perm(current, file, FILE__LOCK);
3013 }
3014
3015 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3016                               unsigned long arg)
3017 {
3018         int err = 0;
3019
3020         switch (cmd) {
3021         case F_SETFL:
3022                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3023                         err = -EINVAL;
3024                         break;
3025                 }
3026
3027                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3028                         err = file_has_perm(current, file, FILE__WRITE);
3029                         break;
3030                 }
3031                 /* fall through */
3032         case F_SETOWN:
3033         case F_SETSIG:
3034         case F_GETFL:
3035         case F_GETOWN:
3036         case F_GETSIG:
3037                 /* Just check FD__USE permission */
3038                 err = file_has_perm(current, file, 0);
3039                 break;
3040         case F_GETLK:
3041         case F_SETLK:
3042         case F_SETLKW:
3043 #if BITS_PER_LONG == 32
3044         case F_GETLK64:
3045         case F_SETLK64:
3046         case F_SETLKW64:
3047 #endif
3048                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3049                         err = -EINVAL;
3050                         break;
3051                 }
3052                 err = file_has_perm(current, file, FILE__LOCK);
3053                 break;
3054         }
3055
3056         return err;
3057 }
3058
3059 static int selinux_file_set_fowner(struct file *file)
3060 {
3061         struct task_security_struct *tsec;
3062         struct file_security_struct *fsec;
3063
3064         tsec = current->security;
3065         fsec = file->f_security;
3066         fsec->fown_sid = tsec->sid;
3067
3068         return 0;
3069 }
3070
3071 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3072                                        struct fown_struct *fown, int signum)
3073 {
3074         struct file *file;
3075         u32 perm;
3076         struct task_security_struct *tsec;
3077         struct file_security_struct *fsec;
3078
3079         /* struct fown_struct is never outside the context of a struct file */
3080         file = container_of(fown, struct file, f_owner);
3081
3082         tsec = tsk->security;
3083         fsec = file->f_security;
3084
3085         if (!signum)
3086                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3087         else
3088                 perm = signal_to_av(signum);
3089
3090         return avc_has_perm(fsec->fown_sid, tsec->sid,
3091                             SECCLASS_PROCESS, perm, NULL);
3092 }
3093
3094 static int selinux_file_receive(struct file *file)
3095 {
3096         return file_has_perm(current, file, file_to_av(file));
3097 }
3098
3099 static int selinux_dentry_open(struct file *file)
3100 {
3101         struct file_security_struct *fsec;
3102         struct inode *inode;
3103         struct inode_security_struct *isec;
3104         inode = file->f_path.dentry->d_inode;
3105         fsec = file->f_security;
3106         isec = inode->i_security;
3107         /*
3108          * Save inode label and policy sequence number
3109          * at open-time so that selinux_file_permission
3110          * can determine whether revalidation is necessary.
3111          * Task label is already saved in the file security
3112          * struct as its SID.
3113          */
3114         fsec->isid = isec->sid;
3115         fsec->pseqno = avc_policy_seqno();
3116         /*
3117          * Since the inode label or policy seqno may have changed
3118          * between the selinux_inode_permission check and the saving
3119          * of state above, recheck that access is still permitted.
3120          * Otherwise, access might never be revalidated against the
3121          * new inode label or new policy.
3122          * This check is not redundant - do not remove.
3123          */
3124         return inode_has_perm(current, inode, file_to_av(file), NULL);
3125 }
3126
3127 /* task security operations */
3128
3129 static int selinux_task_create(unsigned long clone_flags)
3130 {
3131         int rc;
3132
3133         rc = secondary_ops->task_create(clone_flags);
3134         if (rc)
3135                 return rc;
3136
3137         return task_has_perm(current, current, PROCESS__FORK);
3138 }
3139
3140 static int selinux_task_alloc_security(struct task_struct *tsk)
3141 {
3142         struct task_security_struct *tsec1, *tsec2;
3143         int rc;
3144
3145         tsec1 = current->security;
3146
3147         rc = task_alloc_security(tsk);
3148         if (rc)
3149                 return rc;
3150         tsec2 = tsk->security;
3151
3152         tsec2->osid = tsec1->osid;
3153         tsec2->sid = tsec1->sid;
3154
3155         /* Retain the exec, fs, key, and sock SIDs across fork */
3156         tsec2->exec_sid = tsec1->exec_sid;
3157         tsec2->create_sid = tsec1->create_sid;
3158         tsec2->keycreate_sid = tsec1->keycreate_sid;
3159         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3160
3161         return 0;
3162 }
3163
3164 static void selinux_task_free_security(struct task_struct *tsk)
3165 {
3166         task_free_security(tsk);
3167 }
3168
3169 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3170 {
3171         /* Since setuid only affects the current process, and
3172            since the SELinux controls are not based on the Linux
3173            identity attributes, SELinux does not need to control
3174            this operation.  However, SELinux does control the use
3175            of the CAP_SETUID and CAP_SETGID capabilities using the
3176            capable hook. */
3177         return 0;
3178 }
3179
3180 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3181 {
3182         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3183 }
3184
3185 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3186 {
3187         /* See the comment for setuid above. */
3188         return 0;
3189 }
3190
3191 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3192 {
3193         return task_has_perm(current, p, PROCESS__SETPGID);
3194 }
3195
3196 static int selinux_task_getpgid(struct task_struct *p)
3197 {
3198         return task_has_perm(current, p, PROCESS__GETPGID);
3199 }
3200
3201 static int selinux_task_getsid(struct task_struct *p)
3202 {
3203         return task_has_perm(current, p, PROCESS__GETSESSION);
3204 }
3205
3206 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3207 {
3208         struct task_security_struct *tsec = p->security;
3209         *secid = tsec->sid;
3210 }
3211
3212 static int selinux_task_setgroups(struct group_info *group_info)
3213 {
3214         /* See the comment for setuid above. */
3215         return 0;
3216 }
3217
3218 static int selinux_task_setnice(struct task_struct *p, int nice)
3219 {
3220         int rc;
3221
3222         rc = secondary_ops->task_setnice(p, nice);
3223         if (rc)
3224                 return rc;
3225
3226         return task_has_perm(current, p, PROCESS__SETSCHED);
3227 }
3228
3229 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3230 {
3231         int rc;
3232
3233         rc = secondary_ops->task_setioprio(p, ioprio);
3234         if (rc)
3235                 return rc;
3236
3237         return task_has_perm(current, p, PROCESS__SETSCHED);
3238 }
3239
3240 static int selinux_task_getioprio(struct task_struct *p)
3241 {
3242         return task_has_perm(current, p, PROCESS__GETSCHED);
3243 }
3244
3245 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3246 {
3247         struct rlimit *old_rlim = current->signal->rlim + resource;
3248         int rc;
3249
3250         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3251         if (rc)
3252                 return rc;
3253
3254         /* Control the ability to change the hard limit (whether
3255            lowering or raising it), so that the hard limit can
3256            later be used as a safe reset point for the soft limit
3257            upon context transitions. See selinux_bprm_apply_creds. */
3258         if (old_rlim->rlim_max != new_rlim->rlim_max)
3259                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3260
3261         return 0;
3262 }
3263
3264 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3265 {
3266         int rc;
3267
3268         rc = secondary_ops->task_setscheduler(p, policy, lp);
3269         if (rc)
3270                 return rc;
3271
3272         return task_has_perm(current, p, PROCESS__SETSCHED);
3273 }
3274
3275 static int selinux_task_getscheduler(struct task_struct *p)
3276 {
3277         return task_has_perm(current, p, PROCESS__GETSCHED);
3278 }
3279
3280 static int selinux_task_movememory(struct task_struct *p)
3281 {
3282         return task_has_perm(current, p, PROCESS__SETSCHED);
3283 }
3284
3285 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3286                                 int sig, u32 secid)
3287 {
3288         u32 perm;
3289         int rc;
3290         struct task_security_struct *tsec;
3291
3292         rc = secondary_ops->task_kill(p, info, sig, secid);
3293         if (rc)
3294                 return rc;
3295
3296         if (!sig)
3297                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3298         else
3299                 perm = signal_to_av(sig);
3300         tsec = p->security;
3301         if (secid)
3302                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3303         else
3304                 rc = task_has_perm(current, p, perm);
3305         return rc;
3306 }
3307
3308 static int selinux_task_prctl(int option,
3309                               unsigned long arg2,
3310                               unsigned long arg3,
3311                               unsigned long arg4,
3312                               unsigned long arg5,
3313                               long *rc_p)
3314 {
3315         /* The current prctl operations do not appear to require
3316            any SELinux controls since they merely observe or modify
3317            the state of the current process. */
3318         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3319 }
3320
3321 static int selinux_task_wait(struct task_struct *p)
3322 {
3323         return task_has_perm(p, current, PROCESS__SIGCHLD);
3324 }
3325
3326 static void selinux_task_reparent_to_init(struct task_struct *p)
3327 {
3328         struct task_security_struct *tsec;
3329
3330         secondary_ops->task_reparent_to_init(p);
3331
3332         tsec = p->security;
3333         tsec->osid = tsec->sid;
3334         tsec->sid = SECINITSID_KERNEL;
3335         return;
3336 }
3337
3338 static void selinux_task_to_inode(struct task_struct *p,
3339                                   struct inode *inode)
3340 {
3341         struct task_security_struct *tsec = p->security;
3342         struct inode_security_struct *isec = inode->i_security;
3343
3344         isec->sid = tsec->sid;
3345         isec->initialized = 1;
3346         return;
3347 }
3348
3349 /* Returns error only if unable to parse addresses */
3350 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3351                         struct avc_audit_data *ad, u8 *proto)
3352 {
3353         int offset, ihlen, ret = -EINVAL;
3354         struct iphdr _iph, *ih;
3355
3356         offset = skb_network_offset(skb);
3357         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3358         if (ih == NULL)
3359                 goto out;
3360
3361         ihlen = ih->ihl * 4;
3362         if (ihlen < sizeof(_iph))
3363                 goto out;
3364
3365         ad->u.net.v4info.saddr = ih->saddr;
3366         ad->u.net.v4info.daddr = ih->daddr;
3367         ret = 0;
3368
3369         if (proto)
3370                 *proto = ih->protocol;
3371
3372         switch (ih->protocol) {
3373         case IPPROTO_TCP: {
3374                 struct tcphdr _tcph, *th;
3375
3376                 if (ntohs(ih->frag_off) & IP_OFFSET)
3377                         break;
3378
3379                 offset += ihlen;
3380                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3381                 if (th == NULL)
3382                         break;
3383
3384                 ad->u.net.sport = th->source;
3385                 ad->u.net.dport = th->dest;
3386                 break;
3387         }
3388
3389         case IPPROTO_UDP: {
3390                 struct udphdr _udph, *uh;
3391
3392                 if (ntohs(ih->frag_off) & IP_OFFSET)
3393                         break;
3394
3395                 offset += ihlen;
3396                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3397                 if (uh == NULL)
3398                         break;
3399
3400                 ad->u.net.sport = uh->source;
3401                 ad->u.net.dport = uh->dest;
3402                 break;
3403         }
3404
3405         case IPPROTO_DCCP: {
3406                 struct dccp_hdr _dccph, *dh;
3407
3408                 if (ntohs(ih->frag_off) & IP_OFFSET)
3409                         break;
3410
3411                 offset += ihlen;
3412                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3413                 if (dh == NULL)
3414                         break;
3415
3416                 ad->u.net.sport = dh->dccph_sport;
3417                 ad->u.net.dport = dh->dccph_dport;
3418                 break;
3419         }
3420
3421         default:
3422                 break;
3423         }
3424 out:
3425         return ret;
3426 }
3427
3428 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3429
3430 /* Returns error only if unable to parse addresses */
3431 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3432                         struct avc_audit_data *ad, u8 *proto)
3433 {
3434         u8 nexthdr;
3435         int ret = -EINVAL, offset;
3436         struct ipv6hdr _ipv6h, *ip6;
3437
3438         offset = skb_network_offset(skb);
3439         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3440         if (ip6 == NULL)
3441                 goto out;
3442
3443         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3444         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3445         ret = 0;
3446
3447         nexthdr = ip6->nexthdr;
3448         offset += sizeof(_ipv6h);
3449         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3450         if (offset < 0)
3451                 goto out;
3452
3453         if (proto)
3454                 *proto = nexthdr;
3455
3456         switch (nexthdr) {
3457         case IPPROTO_TCP: {
3458                 struct tcphdr _tcph, *th;
3459
3460                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3461                 if (th == NULL)
3462                         break;
3463
3464                 ad->u.net.sport = th->source;
3465                 ad->u.net.dport = th->dest;
3466                 break;
3467         }
3468
3469         case IPPROTO_UDP: {
3470                 struct udphdr _udph, *uh;
3471
3472                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3473                 if (uh == NULL)
3474                         break;
3475
3476                 ad->u.net.sport = uh->source;
3477                 ad->u.net.dport = uh->dest;
3478                 break;
3479         }
3480
3481         case IPPROTO_DCCP: {
3482                 struct dccp_hdr _dccph, *dh;
3483
3484                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3485                 if (dh == NULL)
3486                         break;
3487
3488                 ad->u.net.sport = dh->dccph_sport;
3489                 ad->u.net.dport = dh->dccph_dport;
3490                 break;
3491         }
3492
3493         /* includes fragments */
3494         default:
3495                 break;
3496         }
3497 out:
3498         return ret;
3499 }
3500
3501 #endif /* IPV6 */
3502
3503 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3504                              char **addrp, int src, u8 *proto)
3505 {
3506         int ret = 0;
3507
3508         switch (ad->u.net.family) {
3509         case PF_INET:
3510                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3511                 if (ret || !addrp)
3512                         break;
3513                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3514                                         &ad->u.net.v4info.daddr);
3515                 break;
3516
3517 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3518         case PF_INET6:
3519                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3520                 if (ret || !addrp)
3521                         break;
3522                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3523                                         &ad->u.net.v6info.daddr);
3524                 break;
3525 #endif  /* IPV6 */
3526         default:
3527                 break;
3528         }
3529
3530         if (unlikely(ret))
3531                 printk(KERN_WARNING
3532                        "SELinux: failure in selinux_parse_skb(),"
3533                        " unable to parse packet\n");
3534
3535         return ret;
3536 }
3537
3538 /**
3539  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3540  * @skb: the packet
3541  * @family: protocol family
3542  * @sid: the packet's peer label SID
3543  *
3544  * Description:
3545  * Check the various different forms of network peer labeling and determine
3546  * the peer label/SID for the packet; most of the magic actually occurs in
3547  * the security server function security_net_peersid_cmp().  The function
3548  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3549  * or -EACCES if @sid is invalid due to inconsistencies with the different
3550  * peer labels.
3551  *
3552  */
3553 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3554 {
3555         int err;
3556         u32 xfrm_sid;
3557         u32 nlbl_sid;
3558         u32 nlbl_type;
3559
3560         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3561         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3562
3563         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3564         if (unlikely(err)) {
3565                 printk(KERN_WARNING
3566                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3567                        " unable to determine packet's peer label\n");
3568                 return -EACCES;
3569         }
3570
3571         return 0;
3572 }
3573
3574 /* socket security operations */
3575 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3576                            u32 perms)
3577 {
3578         struct inode_security_struct *isec;
3579         struct task_security_struct *tsec;
3580         struct avc_audit_data ad;
3581         int err = 0;
3582
3583         tsec = task->security;
3584         isec = SOCK_INODE(sock)->i_security;
3585
3586         if (isec->sid == SECINITSID_KERNEL)
3587                 goto out;
3588
3589         AVC_AUDIT_DATA_INIT(&ad, NET);
3590         ad.u.net.sk = sock->sk;
3591         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3592
3593 out:
3594         return err;
3595 }
3596
3597 static int selinux_socket_create(int family, int type,
3598                                  int protocol, int kern)
3599 {
3600         int err = 0;
3601         struct task_security_struct *tsec;
3602         u32 newsid;
3603
3604         if (kern)
3605                 goto out;
3606
3607         tsec = current->security;
3608         newsid = tsec->sockcreate_sid ? : tsec->sid;
3609         err = avc_has_perm(tsec->sid, newsid,
3610                            socket_type_to_security_class(family, type,
3611                            protocol), SOCKET__CREATE, NULL);
3612
3613 out:
3614         return err;
3615 }
3616
3617 static int selinux_socket_post_create(struct socket *sock, int family,
3618                                       int type, int protocol, int kern)
3619 {
3620         int err = 0;
3621         struct inode_security_struct *isec;
3622         struct task_security_struct *tsec;
3623         struct sk_security_struct *sksec;
3624         u32 newsid;
3625
3626         isec = SOCK_INODE(sock)->i_security;
3627
3628         tsec = current->security;
3629         newsid = tsec->sockcreate_sid ? : tsec->sid;
3630         isec->sclass = socket_type_to_security_class(family, type, protocol);
3631         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3632         isec->initialized = 1;
3633
3634         if (sock->sk) {
3635                 sksec = sock->sk->sk_security;
3636                 sksec->sid = isec->sid;
3637                 sksec->sclass = isec->sclass;
3638                 err = selinux_netlbl_socket_post_create(sock);
3639         }
3640
3641         return err;
3642 }
3643
3644 /* Range of port numbers used to automatically bind.
3645    Need to determine whether we should perform a name_bind
3646    permission check between the socket and the port number. */
3647
3648 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3649 {
3650         u16 family;
3651         int err;
3652
3653         err = socket_has_perm(current, sock, SOCKET__BIND);
3654         if (err)
3655                 goto out;
3656
3657         /*
3658          * If PF_INET or PF_INET6, check name_bind permission for the port.
3659          * Multiple address binding for SCTP is not supported yet: we just
3660          * check the first address now.
3661          */
3662         family = sock->sk->sk_family;
3663         if (family == PF_INET || family == PF_INET6) {
3664                 char *addrp;
3665                 struct inode_security_struct *isec;
3666                 struct task_security_struct *tsec;
3667                 struct avc_audit_data ad;
3668                 struct sockaddr_in *addr4 = NULL;
3669                 struct sockaddr_in6 *addr6 = NULL;
3670                 unsigned short snum;
3671                 struct sock *sk = sock->sk;
3672                 u32 sid, node_perm, addrlen;
3673
3674                 tsec = current->security;
3675                 isec = SOCK_INODE(sock)->i_security;
3676
3677                 if (family == PF_INET) {
3678                         addr4 = (struct sockaddr_in *)address;
3679                         snum = ntohs(addr4->sin_port);
3680                         addrlen = sizeof(addr4->sin_addr.s_addr);
3681                         addrp = (char *)&addr4->sin_addr.s_addr;
3682                 } else {
3683                         addr6 = (struct sockaddr_in6 *)address;
3684                         snum = ntohs(addr6->sin6_port);
3685                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3686                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3687                 }
3688
3689                 if (snum) {
3690                         int low, high;
3691
3692                         inet_get_local_port_range(&low, &high);
3693
3694                         if (snum < max(PROT_SOCK, low) || snum > high) {
3695                                 err = sel_netport_sid(sk->sk_protocol,
3696                                                       snum, &sid);
3697                                 if (err)
3698                                         goto out;
3699                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3700                                 ad.u.net.sport = htons(snum);
3701                                 ad.u.net.family = family;
3702                                 err = avc_has_perm(isec->sid, sid,
3703                                                    isec->sclass,
3704                                                    SOCKET__NAME_BIND, &ad);
3705                                 if (err)
3706                                         goto out;
3707                         }
3708                 }
3709
3710                 switch (isec->sclass) {
3711                 case SECCLASS_TCP_SOCKET:
3712                         node_perm = TCP_SOCKET__NODE_BIND;
3713                         break;
3714
3715                 case SECCLASS_UDP_SOCKET:
3716                         node_perm = UDP_SOCKET__NODE_BIND;
3717                         break;
3718
3719                 case SECCLASS_DCCP_SOCKET:
3720                         node_perm = DCCP_SOCKET__NODE_BIND;
3721                         break;
3722
3723                 default:
3724                         node_perm = RAWIP_SOCKET__NODE_BIND;
3725                         break;
3726                 }
3727
3728                 err = sel_netnode_sid(addrp, family, &sid);
3729                 if (err)
3730                         goto out;
3731
3732                 AVC_AUDIT_DATA_INIT(&ad, NET);
3733                 ad.u.net.sport = htons(snum);
3734                 ad.u.net.family = family;
3735
3736                 if (family == PF_INET)
3737                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3738                 else
3739                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3740
3741                 err = avc_has_perm(isec->sid, sid,
3742                                    isec->sclass, node_perm, &ad);
3743                 if (err)
3744                         goto out;
3745         }
3746 out:
3747         return err;
3748 }
3749
3750 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3751 {
3752         struct inode_security_struct *isec;
3753         int err;
3754
3755         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3756         if (err)
3757                 return err;
3758
3759         /*
3760          * If a TCP or DCCP socket, check name_connect permission for the port.
3761          */
3762         isec = SOCK_INODE(sock)->i_security;
3763         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3764             isec->sclass == SECCLASS_DCCP_SOCKET) {
3765                 struct sock *sk = sock->sk;
3766                 struct avc_audit_data ad;
3767                 struct sockaddr_in *addr4 = NULL;
3768                 struct sockaddr_in6 *addr6 = NULL;
3769                 unsigned short snum;
3770                 u32 sid, perm;
3771
3772                 if (sk->sk_family == PF_INET) {
3773                         addr4 = (struct sockaddr_in *)address;
3774                         if (addrlen < sizeof(struct sockaddr_in))
3775                                 return -EINVAL;
3776                         snum = ntohs(addr4->sin_port);
3777                 } else {
3778                         addr6 = (struct sockaddr_in6 *)address;
3779                         if (addrlen < SIN6_LEN_RFC2133)
3780                                 return -EINVAL;
3781                         snum = ntohs(addr6->sin6_port);
3782                 }
3783
3784                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3785                 if (err)
3786                         goto out;
3787
3788                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3789                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3790
3791                 AVC_AUDIT_DATA_INIT(&ad, NET);
3792                 ad.u.net.dport = htons(snum);
3793                 ad.u.net.family = sk->sk_family;
3794                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3795                 if (err)
3796                         goto out;
3797         }
3798
3799 out:
3800         return err;
3801 }
3802
3803 static int selinux_socket_listen(struct socket *sock, int backlog)
3804 {
3805         return socket_has_perm(current, sock, SOCKET__LISTEN);
3806 }
3807
3808 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3809 {
3810         int err;
3811         struct inode_security_struct *isec;
3812         struct inode_security_struct *newisec;
3813
3814         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3815         if (err)
3816                 return err;
3817
3818         newisec = SOCK_INODE(newsock)->i_security;
3819
3820         isec = SOCK_INODE(sock)->i_security;
3821         newisec->sclass = isec->sclass;
3822         newisec->sid = isec->sid;
3823         newisec->initialized = 1;
3824
3825         return 0;
3826 }
3827
3828 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3829                                   int size)
3830 {
3831         int rc;
3832
3833         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3834         if (rc)
3835                 return rc;
3836
3837         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3838 }
3839
3840 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3841                                   int size, int flags)
3842 {
3843         return socket_has_perm(current, sock, SOCKET__READ);
3844 }
3845
3846 static int selinux_socket_getsockname(struct socket *sock)
3847 {
3848         return socket_has_perm(current, sock, SOCKET__GETATTR);
3849 }
3850
3851 static int selinux_socket_getpeername(struct socket *sock)
3852 {
3853         return socket_has_perm(current, sock, SOCKET__GETATTR);
3854 }
3855
3856 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3857 {
3858         int err;
3859
3860         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3861         if (err)
3862                 return err;
3863
3864         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3865 }
3866
3867 static int selinux_socket_getsockopt(struct socket *sock, int level,
3868                                      int optname)
3869 {
3870         return socket_has_perm(current, sock, SOCKET__GETOPT);
3871 }
3872
3873 static int selinux_socket_shutdown(struct socket *sock, int how)
3874 {
3875         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3876 }
3877
3878 static int selinux_socket_unix_stream_connect(struct socket *sock,
3879                                               struct socket *other,
3880                                               struct sock *newsk)
3881 {
3882         struct sk_security_struct *ssec;
3883         struct inode_security_struct *isec;
3884         struct inode_security_struct *other_isec;
3885         struct avc_audit_data ad;
3886         int err;
3887
3888         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3889         if (err)
3890                 return err;
3891
3892         isec = SOCK_INODE(sock)->i_security;
3893         other_isec = SOCK_INODE(other)->i_security;
3894
3895         AVC_AUDIT_DATA_INIT(&ad, NET);
3896         ad.u.net.sk = other->sk;
3897
3898         err = avc_has_perm(isec->sid, other_isec->sid,
3899                            isec->sclass,
3900                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3901         if (err)
3902                 return err;
3903
3904         /* connecting socket */
3905         ssec = sock->sk->sk_security;
3906         ssec->peer_sid = other_isec->sid;
3907
3908         /* server child socket */
3909         ssec = newsk->sk_security;
3910         ssec->peer_sid = isec->sid;
3911         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3912
3913         return err;
3914 }
3915
3916 static int selinux_socket_unix_may_send(struct socket *sock,
3917                                         struct socket *other)
3918 {
3919         struct inode_security_struct *isec;
3920         struct inode_security_struct *other_isec;
3921         struct avc_audit_data ad;
3922         int err;
3923
3924         isec = SOCK_INODE(sock)->i_security;
3925         other_isec = SOCK_INODE(other)->i_security;
3926
3927         AVC_AUDIT_DATA_INIT(&ad, NET);
3928         ad.u.net.sk = other->sk;
3929
3930         err = avc_has_perm(isec->sid, other_isec->sid,
3931                            isec->sclass, SOCKET__SENDTO, &ad);
3932         if (err)
3933                 return err;
3934
3935         return 0;
3936 }
3937
3938 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3939                                     u32 peer_sid,
3940                                     struct avc_audit_data *ad)
3941 {
3942         int err;
3943         u32 if_sid;
3944         u32 node_sid;
3945
3946         err = sel_netif_sid(ifindex, &if_sid);
3947         if (err)
3948                 return err;
3949         err = avc_has_perm(peer_sid, if_sid,
3950                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3951         if (err)
3952                 return err;
3953
3954         err = sel_netnode_sid(addrp, family, &node_sid);
3955         if (err)
3956                 return err;
3957         return avc_has_perm(peer_sid, node_sid,
3958                             SECCLASS_NODE, NODE__RECVFROM, ad);
3959 }
3960
3961 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3962                                                 struct sk_buff *skb,
3963                                                 struct avc_audit_data *ad,
3964                                                 u16 family,
3965                                                 char *addrp)
3966 {
3967         int err;
3968         struct sk_security_struct *sksec = sk->sk_security;
3969         u16 sk_class;
3970         u32 netif_perm, node_perm, recv_perm;
3971         u32 port_sid, node_sid, if_sid, sk_sid;
3972
3973         sk_sid = sksec->sid;
3974         sk_class = sksec->sclass;
3975
3976         switch (sk_class) {
3977         case SECCLASS_UDP_SOCKET:
3978                 netif_perm = NETIF__UDP_RECV;
3979                 node_perm = NODE__UDP_RECV;
3980                 recv_perm = UDP_SOCKET__RECV_MSG;
3981                 break;
3982         case SECCLASS_TCP_SOCKET:
3983                 netif_perm = NETIF__TCP_RECV;
3984                 node_perm = NODE__TCP_RECV;
3985                 recv_perm = TCP_SOCKET__RECV_MSG;
3986                 break;
3987         case SECCLASS_DCCP_SOCKET:
3988                 netif_perm = NETIF__DCCP_RECV;
3989                 node_perm = NODE__DCCP_RECV;
3990                 recv_perm = DCCP_SOCKET__RECV_MSG;
3991                 break;
3992         default:
3993                 netif_perm = NETIF__RAWIP_RECV;
3994                 node_perm = NODE__RAWIP_RECV;
3995                 recv_perm = 0;
3996                 break;
3997         }
3998
3999         err = sel_netif_sid(skb->iif, &if_sid);
4000         if (err)
4001                 return err;
4002         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4003         if (err)
4004                 return err;
4005
4006         err = sel_netnode_sid(addrp, family, &node_sid);
4007         if (err)
4008                 return err;
4009         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4010         if (err)
4011                 return err;
4012
4013         if (!recv_perm)
4014                 return 0;
4015         err = sel_netport_sid(sk->sk_protocol,
4016                               ntohs(ad->u.net.sport), &port_sid);
4017         if (unlikely(err)) {
4018                 printk(KERN_WARNING
4019                        "SELinux: failure in"
4020                        " selinux_sock_rcv_skb_iptables_compat(),"
4021                        " network port label not found\n");
4022                 return err;
4023         }
4024         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4025 }
4026
4027 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4028                                        struct avc_audit_data *ad,
4029                                        u16 family, char *addrp)
4030 {
4031         int err;
4032         struct sk_security_struct *sksec = sk->sk_security;
4033         u32 peer_sid;
4034         u32 sk_sid = sksec->sid;
4035
4036         if (selinux_compat_net)
4037                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4038                                                            family, addrp);
4039         else
4040                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4041                                    PACKET__RECV, ad);
4042         if (err)
4043                 return err;
4044
4045         if (selinux_policycap_netpeer) {
4046                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4047                 if (err)
4048                         return err;
4049                 err = avc_has_perm(sk_sid, peer_sid,
4050                                    SECCLASS_PEER, PEER__RECV, ad);
4051         } else {
4052                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4053                 if (err)
4054                         return err;
4055                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4056         }
4057
4058         return err;
4059 }
4060
4061 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4062 {
4063         int err;
4064         struct sk_security_struct *sksec = sk->sk_security;
4065         u16 family = sk->sk_family;
4066         u32 sk_sid = sksec->sid;
4067         struct avc_audit_data ad;
4068         char *addrp;
4069
4070         if (family != PF_INET && family != PF_INET6)
4071                 return 0;
4072
4073         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4074         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4075                 family = PF_INET;
4076
4077         AVC_AUDIT_DATA_INIT(&ad, NET);
4078         ad.u.net.netif = skb->iif;
4079         ad.u.net.family = family;
4080         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4081         if (err)
4082                 return err;
4083
4084         /* If any sort of compatibility mode is enabled then handoff processing
4085          * to the selinux_sock_rcv_skb_compat() function to deal with the
4086          * special handling.  We do this in an attempt to keep this function
4087          * as fast and as clean as possible. */
4088         if (selinux_compat_net || !selinux_policycap_netpeer)
4089                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4090                                                    family, addrp);
4091
4092         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4093                 u32 peer_sid;
4094
4095                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4096                 if (err)
4097                         return err;
4098                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4099                                                peer_sid, &ad);
4100                 if (err)
4101                         return err;
4102                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4103                                    PEER__RECV, &ad);
4104         }
4105
4106         if (selinux_secmark_enabled()) {
4107                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4108                                    PACKET__RECV, &ad);
4109                 if (err)
4110                         return err;
4111         }
4112
4113         return err;
4114 }
4115
4116 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4117                                             int __user *optlen, unsigned len)
4118 {
4119         int err = 0;
4120         char *scontext;
4121         u32 scontext_len;
4122         struct sk_security_struct *ssec;
4123         struct inode_security_struct *isec;
4124         u32 peer_sid = SECSID_NULL;
4125
4126         isec = SOCK_INODE(sock)->i_security;
4127
4128         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4129             isec->sclass == SECCLASS_TCP_SOCKET) {
4130                 ssec = sock->sk->sk_security;
4131                 peer_sid = ssec->peer_sid;
4132         }
4133         if (peer_sid == SECSID_NULL) {
4134                 err = -ENOPROTOOPT;
4135                 goto out;
4136         }
4137
4138         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4139
4140         if (err)
4141                 goto out;
4142
4143         if (scontext_len > len) {
4144                 err = -ERANGE;
4145                 goto out_len;
4146         }
4147
4148         if (copy_to_user(optval, scontext, scontext_len))
4149                 err = -EFAULT;
4150
4151 out_len:
4152         if (put_user(scontext_len, optlen))
4153                 err = -EFAULT;
4154
4155         kfree(scontext);
4156 out:
4157         return err;
4158 }
4159
4160 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4161 {
4162         u32 peer_secid = SECSID_NULL;
4163         u16 family;
4164
4165         if (sock)
4166                 family = sock->sk->sk_family;
4167         else if (skb && skb->sk)
4168                 family = skb->sk->sk_family;
4169         else
4170                 goto out;
4171
4172         if (sock && family == PF_UNIX)
4173                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4174         else if (skb)
4175                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4176
4177 out:
4178         *secid = peer_secid;
4179         if (peer_secid == SECSID_NULL)
4180                 return -EINVAL;
4181         return 0;
4182 }
4183
4184 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4185 {
4186         return sk_alloc_security(sk, family, priority);
4187 }
4188
4189 static void selinux_sk_free_security(struct sock *sk)
4190 {
4191         sk_free_security(sk);
4192 }
4193
4194 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4195 {
4196         struct sk_security_struct *ssec = sk->sk_security;
4197         struct sk_security_struct *newssec = newsk->sk_security;
4198
4199         newssec->sid = ssec->sid;
4200         newssec->peer_sid = ssec->peer_sid;
4201         newssec->sclass = ssec->sclass;
4202
4203         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4204 }
4205
4206 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4207 {
4208         if (!sk)
4209                 *secid = SECINITSID_ANY_SOCKET;
4210         else {
4211                 struct sk_security_struct *sksec = sk->sk_security;
4212
4213                 *secid = sksec->sid;
4214         }
4215 }
4216
4217 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4218 {
4219         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4220         struct sk_security_struct *sksec = sk->sk_security;
4221
4222         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4223             sk->sk_family == PF_UNIX)
4224                 isec->sid = sksec->sid;
4225         sksec->sclass = isec->sclass;
4226
4227         selinux_netlbl_sock_graft(sk, parent);
4228 }
4229
4230 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4231                                      struct request_sock *req)
4232 {
4233         struct sk_security_struct *sksec = sk->sk_security;
4234         int err;
4235         u32 newsid;
4236         u32 peersid;
4237
4238         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4239         if (err)
4240                 return err;
4241         if (peersid == SECSID_NULL) {
4242                 req->secid = sksec->sid;
4243                 req->peer_secid = SECSID_NULL;
4244                 return 0;
4245         }
4246
4247         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4248         if (err)
4249                 return err;
4250
4251         req->secid = newsid;
4252         req->peer_secid = peersid;
4253         return 0;
4254 }
4255
4256 static void selinux_inet_csk_clone(struct sock *newsk,
4257                                    const struct request_sock *req)
4258 {
4259         struct sk_security_struct *newsksec = newsk->sk_security;
4260
4261         newsksec->sid = req->secid;
4262         newsksec->peer_sid = req->peer_secid;
4263         /* NOTE: Ideally, we should also get the isec->sid for the
4264            new socket in sync, but we don't have the isec available yet.
4265            So we will wait until sock_graft to do it, by which
4266            time it will have been created and available. */
4267
4268         /* We don't need to take any sort of lock here as we are the only
4269          * thread with access to newsksec */
4270         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4271 }
4272
4273 static void selinux_inet_conn_established(struct sock *sk,
4274                                 struct sk_buff *skb)
4275 {
4276         struct sk_security_struct *sksec = sk->sk_security;
4277
4278         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4279 }
4280
4281 static void selinux_req_classify_flow(const struct request_sock *req,
4282                                       struct flowi *fl)
4283 {
4284         fl->secid = req->secid;
4285 }
4286
4287 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4288 {
4289         int err = 0;
4290         u32 perm;
4291         struct nlmsghdr *nlh;
4292         struct socket *sock = sk->sk_socket;
4293         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4294
4295         if (skb->len < NLMSG_SPACE(0)) {
4296                 err = -EINVAL;
4297                 goto out;
4298         }
4299         nlh = nlmsg_hdr(skb);
4300
4301         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4302         if (err) {
4303                 if (err == -EINVAL) {
4304                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4305                                   "SELinux:  unrecognized netlink message"
4306                                   " type=%hu for sclass=%hu\n",
4307                                   nlh->nlmsg_type, isec->sclass);
4308                         if (!selinux_enforcing)
4309                                 err = 0;
4310                 }
4311
4312                 /* Ignore */
4313                 if (err == -ENOENT)
4314                         err = 0;
4315                 goto out;
4316         }
4317
4318         err = socket_has_perm(current, sock, perm);
4319 out:
4320         return err;
4321 }
4322
4323 #ifdef CONFIG_NETFILTER
4324
4325 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4326                                        u16 family)
4327 {
4328         char *addrp;
4329         u32 peer_sid;
4330         struct avc_audit_data ad;
4331         u8 secmark_active;
4332         u8 peerlbl_active;
4333
4334         if (!selinux_policycap_netpeer)
4335                 return NF_ACCEPT;
4336
4337         secmark_active = selinux_secmark_enabled();
4338         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4339         if (!secmark_active && !peerlbl_active)
4340                 return NF_ACCEPT;
4341
4342         AVC_AUDIT_DATA_INIT(&ad, NET);
4343         ad.u.net.netif = ifindex;
4344         ad.u.net.family = family;
4345         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4346                 return NF_DROP;
4347
4348         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4349                 return NF_DROP;
4350
4351         if (peerlbl_active)
4352                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4353                                              peer_sid, &ad) != 0)
4354                         return NF_DROP;
4355
4356         if (secmark_active)
4357                 if (avc_has_perm(peer_sid, skb->secmark,
4358                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4359                         return NF_DROP;
4360
4361         return NF_ACCEPT;
4362 }
4363
4364 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4365                                          struct sk_buff *skb,
4366                                          const struct net_device *in,
4367                                          const struct net_device *out,
4368                                          int (*okfn)(struct sk_buff *))
4369 {
4370         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4371 }
4372
4373 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4374 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4375                                          struct sk_buff *skb,
4376                                          const struct net_device *in,
4377                                          const struct net_device *out,
4378                                          int (*okfn)(struct sk_buff *))
4379 {
4380         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4381 }
4382 #endif  /* IPV6 */
4383
4384 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4385                                                 int ifindex,
4386                                                 struct avc_audit_data *ad,
4387                                                 u16 family, char *addrp)
4388 {
4389         int err;
4390         struct sk_security_struct *sksec = sk->sk_security;
4391         u16 sk_class;
4392         u32 netif_perm, node_perm, send_perm;
4393         u32 port_sid, node_sid, if_sid, sk_sid;
4394
4395         sk_sid = sksec->sid;
4396         sk_class = sksec->sclass;
4397
4398         switch (sk_class) {
4399         case SECCLASS_UDP_SOCKET:
4400                 netif_perm = NETIF__UDP_SEND;
4401                 node_perm = NODE__UDP_SEND;
4402                 send_perm = UDP_SOCKET__SEND_MSG;
4403                 break;
4404         case SECCLASS_TCP_SOCKET:
4405                 netif_perm = NETIF__TCP_SEND;
4406                 node_perm = NODE__TCP_SEND;
4407                 send_perm = TCP_SOCKET__SEND_MSG;
4408                 break;
4409         case SECCLASS_DCCP_SOCKET:
4410                 netif_perm = NETIF__DCCP_SEND;
4411                 node_perm = NODE__DCCP_SEND;
4412                 send_perm = DCCP_SOCKET__SEND_MSG;
4413                 break;
4414         default:
4415                 netif_perm = NETIF__RAWIP_SEND;
4416                 node_perm = NODE__RAWIP_SEND;
4417                 send_perm = 0;
4418                 break;
4419         }
4420
4421         err = sel_netif_sid(ifindex, &if_sid);
4422         if (err)
4423                 return err;
4424         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4425                 return err;
4426
4427         err = sel_netnode_sid(addrp, family, &node_sid);
4428         if (err)
4429                 return err;
4430         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4431         if (err)
4432                 return err;
4433
4434         if (send_perm != 0)
4435                 return 0;
4436
4437         err = sel_netport_sid(sk->sk_protocol,
4438                               ntohs(ad->u.net.dport), &port_sid);
4439         if (unlikely(err)) {
4440                 printk(KERN_WARNING
4441                        "SELinux: failure in"
4442                        " selinux_ip_postroute_iptables_compat(),"
4443                        " network port label not found\n");
4444                 return err;
4445         }
4446         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4447 }
4448
4449 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4450                                                 int ifindex,
4451                                                 struct avc_audit_data *ad,
4452                                                 u16 family,
4453                                                 char *addrp,
4454                                                 u8 proto)
4455 {
4456         struct sock *sk = skb->sk;
4457         struct sk_security_struct *sksec;
4458
4459         if (sk == NULL)
4460                 return NF_ACCEPT;
4461         sksec = sk->sk_security;
4462
4463         if (selinux_compat_net) {
4464                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4465                                                          ad, family, addrp))
4466                         return NF_DROP;
4467         } else {
4468                 if (avc_has_perm(sksec->sid, skb->secmark,
4469                                  SECCLASS_PACKET, PACKET__SEND, ad))
4470                         return NF_DROP;
4471         }
4472
4473         if (selinux_policycap_netpeer)
4474                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4475                         return NF_DROP;
4476
4477         return NF_ACCEPT;
4478 }
4479
4480 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4481                                          u16 family)
4482 {
4483         u32 secmark_perm;
4484         u32 peer_sid;
4485         struct sock *sk;
4486         struct avc_audit_data ad;
4487         char *addrp;
4488         u8 proto;
4489         u8 secmark_active;
4490         u8 peerlbl_active;
4491
4492         AVC_AUDIT_DATA_INIT(&ad, NET);
4493         ad.u.net.netif = ifindex;
4494         ad.u.net.family = family;
4495         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4496                 return NF_DROP;
4497
4498         /* If any sort of compatibility mode is enabled then handoff processing
4499          * to the selinux_ip_postroute_compat() function to deal with the
4500          * special handling.  We do this in an attempt to keep this function
4501          * as fast and as clean as possible. */
4502         if (selinux_compat_net || !selinux_policycap_netpeer)
4503                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4504                                                    family, addrp, proto);
4505
4506         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4507          * packet transformation so allow the packet to pass without any checks
4508          * since we'll have another chance to perform access control checks
4509          * when the packet is on it's final way out.
4510          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4511          *       is NULL, in this case go ahead and apply access control. */
4512         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4513                 return NF_ACCEPT;
4514
4515         secmark_active = selinux_secmark_enabled();
4516         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4517         if (!secmark_active && !peerlbl_active)
4518                 return NF_ACCEPT;
4519
4520         /* if the packet is locally generated (skb->sk != NULL) then use the
4521          * socket's label as the peer label, otherwise the packet is being
4522          * forwarded through this system and we need to fetch the peer label
4523          * directly from the packet */
4524         sk = skb->sk;
4525         if (sk) {
4526                 struct sk_security_struct *sksec = sk->sk_security;
4527                 peer_sid = sksec->sid;
4528                 secmark_perm = PACKET__SEND;
4529         } else {
4530                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4531                                 return NF_DROP;
4532                 secmark_perm = PACKET__FORWARD_OUT;
4533         }
4534
4535         if (secmark_active)
4536                 if (avc_has_perm(peer_sid, skb->secmark,
4537                                  SECCLASS_PACKET, secmark_perm, &ad))
4538                         return NF_DROP;
4539
4540         if (peerlbl_active) {
4541                 u32 if_sid;
4542                 u32 node_sid;
4543
4544                 if (sel_netif_sid(ifindex, &if_sid))
4545                         return NF_DROP;
4546                 if (avc_has_perm(peer_sid, if_sid,
4547                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4548                         return NF_DROP;
4549
4550                 if (sel_netnode_sid(addrp, family, &node_sid))
4551                         return NF_DROP;
4552                 if (avc_has_perm(peer_sid, node_sid,
4553                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4554                         return NF_DROP;
4555         }
4556
4557         return NF_ACCEPT;
4558 }
4559
4560 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4561                                            struct sk_buff *skb,
4562                                            const struct net_device *in,
4563                                            const struct net_device *out,
4564                                            int (*okfn)(struct sk_buff *))
4565 {
4566         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4567 }
4568
4569 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4570 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4571                                            struct sk_buff *skb,
4572                                            const struct net_device *in,
4573                                            const struct net_device *out,
4574                                            int (*okfn)(struct sk_buff *))
4575 {
4576         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4577 }
4578 #endif  /* IPV6 */
4579
4580 #endif  /* CONFIG_NETFILTER */
4581
4582 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4583 {
4584         int err;
4585
4586         err = secondary_ops->netlink_send(sk, skb);
4587         if (err)
4588                 return err;
4589
4590         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4591                 err = selinux_nlmsg_perm(sk, skb);
4592
4593         return err;
4594 }
4595
4596 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4597 {
4598         int err;
4599         struct avc_audit_data ad;
4600
4601         err = secondary_ops->netlink_recv(skb, capability);
4602         if (err)
4603                 return err;
4604
4605         AVC_AUDIT_DATA_INIT(&ad, CAP);
4606         ad.u.cap = capability;
4607
4608         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4609                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4610 }
4611
4612 static int ipc_alloc_security(struct task_struct *task,
4613                               struct kern_ipc_perm *perm,
4614                               u16 sclass)
4615 {
4616         struct task_security_struct *tsec = task->security;
4617         struct ipc_security_struct *isec;
4618
4619         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4620         if (!isec)
4621                 return -ENOMEM;
4622
4623         isec->sclass = sclass;
4624         isec->sid = tsec->sid;
4625         perm->security = isec;
4626
4627         return 0;
4628 }
4629
4630 static void ipc_free_security(struct kern_ipc_perm *perm)
4631 {
4632         struct ipc_security_struct *isec = perm->security;
4633         perm->security = NULL;
4634         kfree(isec);
4635 }
4636
4637 static int msg_msg_alloc_security(struct msg_msg *msg)
4638 {
4639         struct msg_security_struct *msec;
4640
4641         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4642         if (!msec)
4643                 return -ENOMEM;
4644
4645         msec->sid = SECINITSID_UNLABELED;
4646         msg->security = msec;
4647
4648         return 0;
4649 }
4650
4651 static void msg_msg_free_security(struct msg_msg *msg)
4652 {
4653         struct msg_security_struct *msec = msg->security;
4654
4655         msg->security = NULL;
4656         kfree(msec);
4657 }
4658
4659 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4660                         u32 perms)
4661 {
4662         struct task_security_struct *tsec;
4663         struct ipc_security_struct *isec;
4664         struct avc_audit_data ad;
4665
4666         tsec = current->security;
4667         isec = ipc_perms->security;
4668
4669         AVC_AUDIT_DATA_INIT(&ad, IPC);
4670         ad.u.ipc_id = ipc_perms->key;
4671
4672         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4673 }
4674
4675 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4676 {
4677         return msg_msg_alloc_security(msg);
4678 }
4679
4680 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4681 {
4682         msg_msg_free_security(msg);
4683 }
4684
4685 /* message queue security operations */
4686 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4687 {
4688         struct task_security_struct *tsec;
4689         struct ipc_security_struct *isec;
4690         struct avc_audit_data ad;
4691         int rc;
4692
4693         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4694         if (rc)
4695                 return rc;
4696
4697         tsec = current->security;
4698         isec = msq->q_perm.security;
4699
4700         AVC_AUDIT_DATA_INIT(&ad, IPC);
4701         ad.u.ipc_id = msq->q_perm.key;
4702
4703         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4704                           MSGQ__CREATE, &ad);
4705         if (rc) {
4706                 ipc_free_security(&msq->q_perm);
4707                 return rc;
4708         }
4709         return 0;
4710 }
4711
4712 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4713 {
4714         ipc_free_security(&msq->q_perm);
4715 }
4716
4717 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4718 {
4719         struct task_security_struct *tsec;
4720         struct ipc_security_struct *isec;
4721         struct avc_audit_data ad;
4722
4723         tsec = current->security;
4724         isec = msq->q_perm.security;
4725
4726         AVC_AUDIT_DATA_INIT(&ad, IPC);
4727         ad.u.ipc_id = msq->q_perm.key;
4728
4729         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4730                             MSGQ__ASSOCIATE, &ad);
4731 }
4732
4733 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4734 {
4735         int err;
4736         int perms;
4737
4738         switch (cmd) {
4739         case IPC_INFO:
4740         case MSG_INFO:
4741                 /* No specific object, just general system-wide information. */
4742                 return task_has_system(current, SYSTEM__IPC_INFO);
4743         case IPC_STAT:
4744         case MSG_STAT:
4745                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4746                 break;
4747         case IPC_SET:
4748                 perms = MSGQ__SETATTR;
4749                 break;
4750         case IPC_RMID:
4751                 perms = MSGQ__DESTROY;
4752                 break;
4753         default:
4754                 return 0;
4755         }
4756
4757         err = ipc_has_perm(&msq->q_perm, perms);
4758         return err;
4759 }
4760
4761 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4762 {
4763         struct task_security_struct *tsec;
4764         struct ipc_security_struct *isec;
4765         struct msg_security_struct *msec;
4766         struct avc_audit_data ad;
4767         int rc;
4768
4769         tsec = current->security;
4770         isec = msq->q_perm.security;
4771         msec = msg->security;
4772
4773         /*
4774          * First time through, need to assign label to the message
4775          */
4776         if (msec->sid == SECINITSID_UNLABELED) {
4777                 /*
4778                  * Compute new sid based on current process and
4779                  * message queue this message will be stored in
4780                  */
4781                 rc = security_transition_sid(tsec->sid,
4782                                              isec->sid,
4783                                              SECCLASS_MSG,
4784                                              &msec->sid);
4785                 if (rc)
4786                         return rc;
4787         }
4788
4789         AVC_AUDIT_DATA_INIT(&ad, IPC);
4790         ad.u.ipc_id = msq->q_perm.key;
4791
4792         /* Can this process write to the queue? */
4793         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4794                           MSGQ__WRITE, &ad);
4795         if (!rc)
4796                 /* Can this process send the message */
4797                 rc = avc_has_perm(tsec->sid, msec->sid,
4798                                   SECCLASS_MSG, MSG__SEND, &ad);
4799         if (!rc)
4800                 /* Can the message be put in the queue? */
4801                 rc = avc_has_perm(msec->sid, isec->sid,
4802                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4803
4804         return rc;
4805 }
4806
4807 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4808                                     struct task_struct *target,
4809                                     long type, int mode)
4810 {
4811         struct task_security_struct *tsec;
4812         struct ipc_security_struct *isec;
4813         struct msg_security_struct *msec;
4814         struct avc_audit_data ad;
4815         int rc;
4816
4817         tsec = target->security;
4818         isec = msq->q_perm.security;
4819         msec = msg->security;
4820
4821         AVC_AUDIT_DATA_INIT(&ad, IPC);
4822         ad.u.ipc_id = msq->q_perm.key;
4823
4824         rc = avc_has_perm(tsec->sid, isec->sid,
4825                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4826         if (!rc)
4827                 rc = avc_has_perm(tsec->sid, msec->sid,
4828                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4829         return rc;
4830 }
4831
4832 /* Shared Memory security operations */
4833 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4834 {
4835         struct task_security_struct *tsec;
4836         struct ipc_security_struct *isec;
4837         struct avc_audit_data ad;
4838         int rc;
4839
4840         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4841         if (rc)
4842                 return rc;
4843
4844         tsec = current->security;
4845         isec = shp->shm_perm.security;
4846
4847         AVC_AUDIT_DATA_INIT(&ad, IPC);
4848         ad.u.ipc_id = shp->shm_perm.key;
4849
4850         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4851                           SHM__CREATE, &ad);
4852         if (rc) {
4853                 ipc_free_security(&shp->shm_perm);
4854                 return rc;
4855         }
4856         return 0;
4857 }
4858
4859 static void selinux_shm_free_security(struct shmid_kernel *shp)
4860 {
4861         ipc_free_security(&shp->shm_perm);
4862 }
4863
4864 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4865 {
4866         struct task_security_struct *tsec;
4867         struct ipc_security_struct *isec;
4868         struct avc_audit_data ad;
4869
4870         tsec = current->security;
4871         isec = shp->shm_perm.security;
4872
4873         AVC_AUDIT_DATA_INIT(&ad, IPC);
4874         ad.u.ipc_id = shp->shm_perm.key;
4875
4876         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4877                             SHM__ASSOCIATE, &ad);
4878 }
4879
4880 /* Note, at this point, shp is locked down */
4881 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4882 {
4883         int perms;
4884         int err;
4885
4886         switch (cmd) {
4887         case IPC_INFO:
4888         case SHM_INFO:
4889                 /* No specific object, just general system-wide information. */
4890                 return task_has_system(current, SYSTEM__IPC_INFO);
4891         case IPC_STAT:
4892         case SHM_STAT:
4893                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4894                 break;
4895         case IPC_SET:
4896                 perms = SHM__SETATTR;
4897                 break;
4898         case SHM_LOCK:
4899         case SHM_UNLOCK:
4900                 perms = SHM__LOCK;
4901                 break;
4902         case IPC_RMID:
4903                 perms = SHM__DESTROY;
4904                 break;
4905         default:
4906                 return 0;
4907         }
4908
4909         err = ipc_has_perm(&shp->shm_perm, perms);
4910         return err;
4911 }
4912
4913 static int selinux_shm_shmat(struct shmid_kernel *shp,
4914                              char __user *shmaddr, int shmflg)
4915 {
4916         u32 perms;
4917         int rc;
4918
4919         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4920         if (rc)
4921                 return rc;
4922
4923         if (shmflg & SHM_RDONLY)
4924                 perms = SHM__READ;
4925         else
4926                 perms = SHM__READ | SHM__WRITE;
4927
4928         return ipc_has_perm(&shp->shm_perm, perms);
4929 }
4930
4931 /* Semaphore security operations */
4932 static int selinux_sem_alloc_security(struct sem_array *sma)
4933 {
4934         struct task_security_struct *tsec;
4935         struct ipc_security_struct *isec;
4936         struct avc_audit_data ad;
4937         int rc;
4938
4939         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4940         if (rc)
4941                 return rc;
4942
4943         tsec = current->security;
4944         isec = sma->sem_perm.security;
4945
4946         AVC_AUDIT_DATA_INIT(&ad, IPC);
4947         ad.u.ipc_id = sma->sem_perm.key;
4948
4949         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4950                           SEM__CREATE, &ad);
4951         if (rc) {
4952                 ipc_free_security(&sma->sem_perm);
4953                 return rc;
4954         }
4955         return 0;
4956 }
4957
4958 static void selinux_sem_free_security(struct sem_array *sma)
4959 {
4960         ipc_free_security(&sma->sem_perm);
4961 }
4962
4963 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4964 {
4965         struct task_security_struct *tsec;
4966         struct ipc_security_struct *isec;
4967         struct avc_audit_data ad;
4968
4969         tsec = current->security;
4970         isec = sma->sem_perm.security;
4971
4972         AVC_AUDIT_DATA_INIT(&ad, IPC);
4973         ad.u.ipc_id = sma->sem_perm.key;
4974
4975         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4976                             SEM__ASSOCIATE, &ad);
4977 }
4978
4979 /* Note, at this point, sma is locked down */
4980 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4981 {
4982         int err;
4983         u32 perms;
4984
4985         switch (cmd) {
4986         case IPC_INFO:
4987         case SEM_INFO:
4988                 /* No specific object, just general system-wide information. */
4989                 return task_has_system(current, SYSTEM__IPC_INFO);
4990         case GETPID:
4991         case GETNCNT:
4992         case GETZCNT:
4993                 perms = SEM__GETATTR;
4994                 break;
4995         case GETVAL:
4996         case GETALL:
4997                 perms = SEM__READ;
4998                 break;
4999         case SETVAL:
5000         case SETALL:
5001                 perms = SEM__WRITE;
5002                 break;
5003         case IPC_RMID:
5004                 perms = SEM__DESTROY;
5005                 break;
5006         case IPC_SET:
5007                 perms = SEM__SETATTR;
5008                 break;
5009         case IPC_STAT:
5010         case SEM_STAT:
5011                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5012                 break;
5013         default:
5014                 return 0;
5015         }
5016
5017         err = ipc_has_perm(&sma->sem_perm, perms);
5018         return err;
5019 }
5020
5021 static int selinux_sem_semop(struct sem_array *sma,
5022                              struct sembuf *sops, unsigned nsops, int alter)
5023 {
5024         u32 perms;
5025
5026         if (alter)
5027                 perms = SEM__READ | SEM__WRITE;
5028         else
5029                 perms = SEM__READ;
5030
5031         return ipc_has_perm(&sma->sem_perm, perms);
5032 }
5033
5034 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5035 {
5036         u32 av = 0;
5037
5038         av = 0;
5039         if (flag & S_IRUGO)
5040                 av |= IPC__UNIX_READ;
5041         if (flag & S_IWUGO)
5042                 av |= IPC__UNIX_WRITE;
5043
5044         if (av == 0)
5045                 return 0;
5046
5047         return ipc_has_perm(ipcp, av);
5048 }
5049
5050 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5051 {
5052         struct ipc_security_struct *isec = ipcp->security;
5053         *secid = isec->sid;
5054 }
5055
5056 /* module stacking operations */
5057 static int selinux_register_security(const char *name, struct security_operations *ops)
5058 {
5059         if (secondary_ops != original_ops) {
5060                 printk(KERN_ERR "%s:  There is already a secondary security "
5061                        "module registered.\n", __func__);
5062                 return -EINVAL;
5063         }
5064
5065         secondary_ops = ops;
5066
5067         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5068                __func__,
5069                name);
5070
5071         return 0;
5072 }
5073
5074 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5075 {
5076         if (inode)
5077                 inode_doinit_with_dentry(inode, dentry);
5078 }
5079
5080 static int selinux_getprocattr(struct task_struct *p,
5081                                char *name, char **value)
5082 {
5083         struct task_security_struct *tsec;
5084         u32 sid;
5085         int error;
5086         unsigned len;
5087
5088         if (current != p) {
5089                 error = task_has_perm(current, p, PROCESS__GETATTR);
5090                 if (error)
5091                         return error;
5092         }
5093
5094         tsec = p->security;
5095
5096         if (!strcmp(name, "current"))
5097                 sid = tsec->sid;
5098         else if (!strcmp(name, "prev"))
5099                 sid = tsec->osid;
5100         else if (!strcmp(name, "exec"))
5101                 sid = tsec->exec_sid;
5102         else if (!strcmp(name, "fscreate"))
5103                 sid = tsec->create_sid;
5104         else if (!strcmp(name, "keycreate"))
5105                 sid = tsec->keycreate_sid;
5106         else if (!strcmp(name, "sockcreate"))
5107                 sid = tsec->sockcreate_sid;
5108         else
5109                 return -EINVAL;
5110
5111         if (!sid)
5112                 return 0;
5113
5114         error = security_sid_to_context(sid, value, &len);
5115         if (error)
5116                 return error;
5117         return len;
5118 }
5119
5120 static int selinux_setprocattr(struct task_struct *p,
5121                                char *name, void *value, size_t size)
5122 {
5123         struct task_security_struct *tsec;
5124         struct task_struct *tracer;
5125         u32 sid = 0;
5126         int error;
5127         char *str = value;
5128
5129         if (current != p) {
5130                 /* SELinux only allows a process to change its own
5131                    security attributes. */
5132                 return -EACCES;
5133         }
5134
5135         /*
5136          * Basic control over ability to set these attributes at all.
5137          * current == p, but we'll pass them separately in case the
5138          * above restriction is ever removed.
5139          */
5140         if (!strcmp(name, "exec"))
5141                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5142         else if (!strcmp(name, "fscreate"))
5143                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5144         else if (!strcmp(name, "keycreate"))
5145                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5146         else if (!strcmp(name, "sockcreate"))
5147                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5148         else if (!strcmp(name, "current"))
5149                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5150         else
5151                 error = -EINVAL;
5152         if (error)
5153                 return error;
5154
5155         /* Obtain a SID for the context, if one was specified. */
5156         if (size && str[1] && str[1] != '\n') {
5157                 if (str[size-1] == '\n') {
5158                         str[size-1] = 0;
5159                         size--;
5160                 }
5161                 error = security_context_to_sid(value, size, &sid);
5162                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5163                         if (!capable(CAP_MAC_ADMIN))
5164                                 return error;
5165                         error = security_context_to_sid_force(value, size,
5166                                                               &sid);
5167                 }
5168                 if (error)
5169                         return error;
5170         }
5171
5172         /* Permission checking based on the specified context is
5173            performed during the actual operation (execve,
5174            open/mkdir/...), when we know the full context of the
5175            operation.  See selinux_bprm_set_security for the execve
5176            checks and may_create for the file creation checks. The
5177            operation will then fail if the context is not permitted. */
5178         tsec = p->security;
5179         if (!strcmp(name, "exec"))
5180                 tsec->exec_sid = sid;
5181         else if (!strcmp(name, "fscreate"))
5182                 tsec->create_sid = sid;
5183         else if (!strcmp(name, "keycreate")) {
5184                 error = may_create_key(sid, p);
5185                 if (error)
5186                         return error;
5187                 tsec->keycreate_sid = sid;
5188         } else if (!strcmp(name, "sockcreate"))
5189                 tsec->sockcreate_sid = sid;
5190         else if (!strcmp(name, "current")) {
5191                 struct av_decision avd;
5192
5193                 if (sid == 0)
5194                         return -EINVAL;
5195
5196                 /* Only allow single threaded processes to change context */
5197                 if (atomic_read(&p->mm->mm_users) != 1) {
5198                         struct task_struct *g, *t;
5199                         struct mm_struct *mm = p->mm;
5200                         read_lock(&tasklist_lock);
5201                         do_each_thread(g, t)
5202                                 if (t->mm == mm && t != p) {
5203                                         read_unlock(&tasklist_lock);
5204                                         return -EPERM;
5205                                 }
5206                         while_each_thread(g, t);
5207                         read_unlock(&tasklist_lock);
5208                 }
5209
5210                 /* Check permissions for the transition. */
5211                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5212                                      PROCESS__DYNTRANSITION, NULL);
5213                 if (error)
5214                         return error;
5215
5216                 /* Check for ptracing, and update the task SID if ok.
5217                    Otherwise, leave SID unchanged and fail. */
5218                 task_lock(p);
5219                 rcu_read_lock();
5220                 tracer = task_tracer_task(p);
5221                 if (tracer != NULL) {
5222                         struct task_security_struct *ptsec = tracer->security;
5223                         u32 ptsid = ptsec->sid;
5224                         rcu_read_unlock();
5225                         error = avc_has_perm_noaudit(ptsid, sid,
5226                                                      SECCLASS_PROCESS,
5227                                                      PROCESS__PTRACE, 0, &avd);
5228                         if (!error)
5229                                 tsec->sid = sid;
5230                         task_unlock(p);
5231                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5232                                   PROCESS__PTRACE, &avd, error, NULL);
5233                         if (error)
5234                                 return error;
5235                 } else {
5236                         rcu_read_unlock();
5237                         tsec->sid = sid;
5238                         task_unlock(p);
5239                 }
5240         } else
5241                 return -EINVAL;
5242
5243         return size;
5244 }
5245
5246 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5247 {
5248         return security_sid_to_context(secid, secdata, seclen);
5249 }
5250
5251 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5252 {
5253         return security_context_to_sid(secdata, seclen, secid);
5254 }
5255
5256 static void selinux_release_secctx(char *secdata, u32 seclen)
5257 {
5258         kfree(secdata);
5259 }
5260
5261 #ifdef CONFIG_KEYS
5262
5263 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5264                              unsigned long flags)
5265 {
5266         struct task_security_struct *tsec = tsk->security;
5267         struct key_security_struct *ksec;
5268
5269         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5270         if (!ksec)
5271                 return -ENOMEM;
5272
5273         if (tsec->keycreate_sid)
5274                 ksec->sid = tsec->keycreate_sid;
5275         else
5276                 ksec->sid = tsec->sid;
5277         k->security = ksec;
5278
5279         return 0;
5280 }
5281
5282 static void selinux_key_free(struct key *k)
5283 {
5284         struct key_security_struct *ksec = k->security;
5285
5286         k->security = NULL;
5287         kfree(ksec);
5288 }
5289
5290 static int selinux_key_permission(key_ref_t key_ref,
5291                             struct task_struct *ctx,
5292                             key_perm_t perm)
5293 {
5294         struct key *key;
5295         struct task_security_struct *tsec;
5296         struct key_security_struct *ksec;
5297
5298         key = key_ref_to_ptr(key_ref);
5299
5300         tsec = ctx->security;
5301         ksec = key->security;
5302
5303         /* if no specific permissions are requested, we skip the
5304            permission check. No serious, additional covert channels
5305            appear to be created. */
5306         if (perm == 0)
5307                 return 0;
5308
5309         return avc_has_perm(tsec->sid, ksec->sid,
5310                             SECCLASS_KEY, perm, NULL);
5311 }
5312
5313 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5314 {
5315         struct key_security_struct *ksec = key->security;
5316         char *context = NULL;
5317         unsigned len;
5318         int rc;
5319
5320         rc = security_sid_to_context(ksec->sid, &context, &len);
5321         if (!rc)
5322                 rc = len;
5323         *_buffer = context;
5324         return rc;
5325 }
5326
5327 #endif
5328
5329 static struct security_operations selinux_ops = {
5330         .name =                         "selinux",
5331
5332         .ptrace =                       selinux_ptrace,
5333         .capget =                       selinux_capget,
5334         .capset_check =                 selinux_capset_check,
5335         .capset_set =                   selinux_capset_set,
5336         .sysctl =                       selinux_sysctl,
5337         .capable =                      selinux_capable,
5338         .quotactl =                     selinux_quotactl,
5339         .quota_on =                     selinux_quota_on,
5340         .syslog =                       selinux_syslog,
5341         .vm_enough_memory =             selinux_vm_enough_memory,
5342
5343         .netlink_send =                 selinux_netlink_send,
5344         .netlink_recv =                 selinux_netlink_recv,
5345
5346         .bprm_alloc_security =          selinux_bprm_alloc_security,
5347         .bprm_free_security =           selinux_bprm_free_security,
5348         .bprm_apply_creds =             selinux_bprm_apply_creds,
5349         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5350         .bprm_set_security =            selinux_bprm_set_security,
5351         .bprm_check_security =          selinux_bprm_check_security,
5352         .bprm_secureexec =              selinux_bprm_secureexec,
5353
5354         .sb_alloc_security =            selinux_sb_alloc_security,
5355         .sb_free_security =             selinux_sb_free_security,
5356         .sb_copy_data =                 selinux_sb_copy_data,
5357         .sb_kern_mount =                selinux_sb_kern_mount,
5358         .sb_statfs =                    selinux_sb_statfs,
5359         .sb_mount =                     selinux_mount,
5360         .sb_umount =                    selinux_umount,
5361         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5362         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5363         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5364         .sb_parse_opts_str =            selinux_parse_opts_str,
5365
5366
5367         .inode_alloc_security =         selinux_inode_alloc_security,
5368         .inode_free_security =          selinux_inode_free_security,
5369         .inode_init_security =          selinux_inode_init_security,
5370         .inode_create =                 selinux_inode_create,
5371         .inode_link =                   selinux_inode_link,
5372         .inode_unlink =                 selinux_inode_unlink,
5373         .inode_symlink =                selinux_inode_symlink,
5374         .inode_mkdir =                  selinux_inode_mkdir,
5375         .inode_rmdir =                  selinux_inode_rmdir,
5376         .inode_mknod =                  selinux_inode_mknod,
5377         .inode_rename =                 selinux_inode_rename,
5378         .inode_readlink =               selinux_inode_readlink,
5379         .inode_follow_link =            selinux_inode_follow_link,
5380         .inode_permission =             selinux_inode_permission,
5381         .inode_setattr =                selinux_inode_setattr,
5382         .inode_getattr =                selinux_inode_getattr,
5383         .inode_setxattr =               selinux_inode_setxattr,
5384         .inode_post_setxattr =          selinux_inode_post_setxattr,
5385         .inode_getxattr =               selinux_inode_getxattr,
5386         .inode_listxattr =              selinux_inode_listxattr,
5387         .inode_removexattr =            selinux_inode_removexattr,
5388         .inode_getsecurity =            selinux_inode_getsecurity,
5389         .inode_setsecurity =            selinux_inode_setsecurity,
5390         .inode_listsecurity =           selinux_inode_listsecurity,
5391         .inode_need_killpriv =          selinux_inode_need_killpriv,
5392         .inode_killpriv =               selinux_inode_killpriv,
5393         .inode_getsecid =               selinux_inode_getsecid,
5394
5395         .file_permission =              selinux_file_permission,
5396         .file_alloc_security =          selinux_file_alloc_security,
5397         .file_free_security =           selinux_file_free_security,
5398         .file_ioctl =                   selinux_file_ioctl,
5399         .file_mmap =                    selinux_file_mmap,
5400         .file_mprotect =                selinux_file_mprotect,
5401         .file_lock =                    selinux_file_lock,
5402         .file_fcntl =                   selinux_file_fcntl,
5403         .file_set_fowner =              selinux_file_set_fowner,
5404         .file_send_sigiotask =          selinux_file_send_sigiotask,
5405         .file_receive =                 selinux_file_receive,
5406
5407         .dentry_open =                  selinux_dentry_open,
5408
5409         .task_create =                  selinux_task_create,
5410         .task_alloc_security =          selinux_task_alloc_security,
5411         .task_free_security =           selinux_task_free_security,
5412         .task_setuid =                  selinux_task_setuid,
5413         .task_post_setuid =             selinux_task_post_setuid,
5414         .task_setgid =                  selinux_task_setgid,
5415         .task_setpgid =                 selinux_task_setpgid,
5416         .task_getpgid =                 selinux_task_getpgid,
5417         .task_getsid =                  selinux_task_getsid,
5418         .task_getsecid =                selinux_task_getsecid,
5419         .task_setgroups =               selinux_task_setgroups,
5420         .task_setnice =                 selinux_task_setnice,
5421         .task_setioprio =               selinux_task_setioprio,
5422         .task_getioprio =               selinux_task_getioprio,
5423         .task_setrlimit =               selinux_task_setrlimit,
5424         .task_setscheduler =            selinux_task_setscheduler,
5425         .task_getscheduler =            selinux_task_getscheduler,
5426         .task_movememory =              selinux_task_movememory,
5427         .task_kill =                    selinux_task_kill,
5428         .task_wait =                    selinux_task_wait,
5429         .task_prctl =                   selinux_task_prctl,
5430         .task_reparent_to_init =        selinux_task_reparent_to_init,
5431         .task_to_inode =                selinux_task_to_inode,
5432
5433         .ipc_permission =               selinux_ipc_permission,
5434         .ipc_getsecid =                 selinux_ipc_getsecid,
5435
5436         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5437         .msg_msg_free_security =        selinux_msg_msg_free_security,
5438
5439         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5440         .msg_queue_free_security =      selinux_msg_queue_free_security,
5441         .msg_queue_associate =          selinux_msg_queue_associate,
5442         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5443         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5444         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5445
5446         .shm_alloc_security =           selinux_shm_alloc_security,
5447         .shm_free_security =            selinux_shm_free_security,
5448         .shm_associate =                selinux_shm_associate,
5449         .shm_shmctl =                   selinux_shm_shmctl,
5450         .shm_shmat =                    selinux_shm_shmat,
5451
5452         .sem_alloc_security =           selinux_sem_alloc_security,
5453         .sem_free_security =            selinux_sem_free_security,
5454         .sem_associate =                selinux_sem_associate,
5455         .sem_semctl =                   selinux_sem_semctl,
5456         .sem_semop =                    selinux_sem_semop,
5457
5458         .register_security =            selinux_register_security,
5459
5460         .d_instantiate =                selinux_d_instantiate,
5461
5462         .getprocattr =                  selinux_getprocattr,
5463         .setprocattr =                  selinux_setprocattr,
5464
5465         .secid_to_secctx =              selinux_secid_to_secctx,
5466         .secctx_to_secid =              selinux_secctx_to_secid,
5467         .release_secctx =               selinux_release_secctx,
5468
5469         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5470         .unix_may_send =                selinux_socket_unix_may_send,
5471
5472         .socket_create =                selinux_socket_create,
5473         .socket_post_create =           selinux_socket_post_create,
5474         .socket_bind =                  selinux_socket_bind,
5475         .socket_connect =               selinux_socket_connect,
5476         .socket_listen =                selinux_socket_listen,
5477         .socket_accept =                selinux_socket_accept,
5478         .socket_sendmsg =               selinux_socket_sendmsg,
5479         .socket_recvmsg =               selinux_socket_recvmsg,
5480         .socket_getsockname =           selinux_socket_getsockname,
5481         .socket_getpeername =           selinux_socket_getpeername,
5482         .socket_getsockopt =            selinux_socket_getsockopt,
5483         .socket_setsockopt =            selinux_socket_setsockopt,
5484         .socket_shutdown =              selinux_socket_shutdown,
5485         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5486         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5487         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5488         .sk_alloc_security =            selinux_sk_alloc_security,
5489         .sk_free_security =             selinux_sk_free_security,
5490         .sk_clone_security =            selinux_sk_clone_security,
5491         .sk_getsecid =                  selinux_sk_getsecid,
5492         .sock_graft =                   selinux_sock_graft,
5493         .inet_conn_request =            selinux_inet_conn_request,
5494         .inet_csk_clone =               selinux_inet_csk_clone,
5495         .inet_conn_established =        selinux_inet_conn_established,
5496         .req_classify_flow =            selinux_req_classify_flow,
5497
5498 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5499         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5500         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5501         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5502         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5503         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5504         .xfrm_state_free_security =     selinux_xfrm_state_free,
5505         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5506         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5507         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5508         .xfrm_decode_session =          selinux_xfrm_decode_session,
5509 #endif
5510
5511 #ifdef CONFIG_KEYS
5512         .key_alloc =                    selinux_key_alloc,
5513         .key_free =                     selinux_key_free,
5514         .key_permission =               selinux_key_permission,
5515         .key_getsecurity =              selinux_key_getsecurity,
5516 #endif
5517
5518 #ifdef CONFIG_AUDIT
5519         .audit_rule_init =              selinux_audit_rule_init,
5520         .audit_rule_known =             selinux_audit_rule_known,
5521         .audit_rule_match =             selinux_audit_rule_match,
5522         .audit_rule_free =              selinux_audit_rule_free,
5523 #endif
5524 };
5525
5526 static __init int selinux_init(void)
5527 {
5528         struct task_security_struct *tsec;
5529
5530         if (!security_module_enable(&selinux_ops)) {
5531                 selinux_enabled = 0;
5532                 return 0;
5533         }
5534
5535         if (!selinux_enabled) {
5536                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5537                 return 0;
5538         }
5539
5540         printk(KERN_INFO "SELinux:  Initializing.\n");
5541
5542         /* Set the security state for the initial task. */
5543         if (task_alloc_security(current))
5544                 panic("SELinux:  Failed to initialize initial task.\n");
5545         tsec = current->security;
5546         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5547
5548         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5549                                             sizeof(struct inode_security_struct),
5550                                             0, SLAB_PANIC, NULL);
5551         avc_init();
5552
5553         original_ops = secondary_ops = security_ops;
5554         if (!secondary_ops)
5555                 panic("SELinux: No initial security operations\n");
5556         if (register_security(&selinux_ops))
5557                 panic("SELinux: Unable to register with kernel.\n");
5558
5559         if (selinux_enforcing)
5560                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5561         else
5562                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5563
5564         return 0;
5565 }
5566
5567 void selinux_complete_init(void)
5568 {
5569         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5570
5571         /* Set up any superblocks initialized prior to the policy load. */
5572         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5573         spin_lock(&sb_lock);
5574         spin_lock(&sb_security_lock);
5575 next_sb:
5576         if (!list_empty(&superblock_security_head)) {
5577                 struct superblock_security_struct *sbsec =
5578                                 list_entry(superblock_security_head.next,
5579                                            struct superblock_security_struct,
5580                                            list);
5581                 struct super_block *sb = sbsec->sb;
5582                 sb->s_count++;
5583                 spin_unlock(&sb_security_lock);
5584                 spin_unlock(&sb_lock);
5585                 down_read(&sb->s_umount);
5586                 if (sb->s_root)
5587                         superblock_doinit(sb, NULL);
5588                 drop_super(sb);
5589                 spin_lock(&sb_lock);
5590                 spin_lock(&sb_security_lock);
5591                 list_del_init(&sbsec->list);
5592                 goto next_sb;
5593         }
5594         spin_unlock(&sb_security_lock);
5595         spin_unlock(&sb_lock);
5596 }
5597
5598 /* SELinux requires early initialization in order to label
5599    all processes and objects when they are created. */
5600 security_initcall(selinux_init);
5601
5602 #if defined(CONFIG_NETFILTER)
5603
5604 static struct nf_hook_ops selinux_ipv4_ops[] = {
5605         {
5606                 .hook =         selinux_ipv4_postroute,
5607                 .owner =        THIS_MODULE,
5608                 .pf =           PF_INET,
5609                 .hooknum =      NF_INET_POST_ROUTING,
5610                 .priority =     NF_IP_PRI_SELINUX_LAST,
5611         },
5612         {
5613                 .hook =         selinux_ipv4_forward,
5614                 .owner =        THIS_MODULE,
5615                 .pf =           PF_INET,
5616                 .hooknum =      NF_INET_FORWARD,
5617                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5618         }
5619 };
5620
5621 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5622
5623 static struct nf_hook_ops selinux_ipv6_ops[] = {
5624         {
5625                 .hook =         selinux_ipv6_postroute,
5626                 .owner =        THIS_MODULE,
5627                 .pf =           PF_INET6,
5628                 .hooknum =      NF_INET_POST_ROUTING,
5629                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5630         },
5631         {
5632                 .hook =         selinux_ipv6_forward,
5633                 .owner =        THIS_MODULE,
5634                 .pf =           PF_INET6,
5635                 .hooknum =      NF_INET_FORWARD,
5636                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5637         }
5638 };
5639
5640 #endif  /* IPV6 */
5641
5642 static int __init selinux_nf_ip_init(void)
5643 {
5644         int err = 0;
5645         u32 iter;
5646
5647         if (!selinux_enabled)
5648                 goto out;
5649
5650         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5651
5652         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5653                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5654                 if (err)
5655                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5656                               err);
5657         }
5658
5659 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5660         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5661                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5662                 if (err)
5663                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5664                               err);
5665         }
5666 #endif  /* IPV6 */
5667
5668 out:
5669         return err;
5670 }
5671
5672 __initcall(selinux_nf_ip_init);
5673
5674 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5675 static void selinux_nf_ip_exit(void)
5676 {
5677         u32 iter;
5678
5679         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5680
5681         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5682                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5683 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5684         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5685                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5686 #endif  /* IPV6 */
5687 }
5688 #endif
5689
5690 #else /* CONFIG_NETFILTER */
5691
5692 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5693 #define selinux_nf_ip_exit()
5694 #endif
5695
5696 #endif /* CONFIG_NETFILTER */
5697
5698 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5699 static int selinux_disabled;
5700
5701 int selinux_disable(void)
5702 {
5703         extern void exit_sel_fs(void);
5704
5705         if (ss_initialized) {
5706                 /* Not permitted after initial policy load. */
5707                 return -EINVAL;
5708         }
5709
5710         if (selinux_disabled) {
5711                 /* Only do this once. */
5712                 return -EINVAL;
5713         }
5714
5715         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5716
5717         selinux_disabled = 1;
5718         selinux_enabled = 0;
5719
5720         /* Reset security_ops to the secondary module, dummy or capability. */
5721         security_ops = secondary_ops;
5722
5723         /* Unregister netfilter hooks. */
5724         selinux_nf_ip_exit();
5725
5726         /* Unregister selinuxfs. */
5727         exit_sel_fs();
5728
5729         return 0;
5730 }
5731 #endif