SELinux: Add network port SID cache
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86
87 #define XATTR_SELINUX_SUFFIX "selinux"
88 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89
90 #define NUM_SEL_MNT_OPTS 4
91
92 extern unsigned int policydb_loaded_version;
93 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
94 extern int selinux_compat_net;
95 extern struct security_operations *security_ops;
96
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing = 0;
102
103 static int __init enforcing_setup(char *str)
104 {
105         selinux_enforcing = simple_strtol(str,NULL,0);
106         return 1;
107 }
108 __setup("enforcing=", enforcing_setup);
109 #endif
110
111 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
112 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113
114 static int __init selinux_enabled_setup(char *str)
115 {
116         selinux_enabled = simple_strtol(str, NULL, 0);
117         return 1;
118 }
119 __setup("selinux=", selinux_enabled_setup);
120 #else
121 int selinux_enabled = 1;
122 #endif
123
124 /* Original (dummy) security module. */
125 static struct security_operations *original_ops = NULL;
126
127 /* Minimal support for a secondary security module,
128    just to allow the use of the dummy or capability modules.
129    The owlsm module can alternatively be used as a secondary
130    module as long as CONFIG_OWLSM_FD is not enabled. */
131 static struct security_operations *secondary_ops = NULL;
132
133 /* Lists of inode and superblock security structures initialized
134    before the policy was loaded. */
135 static LIST_HEAD(superblock_security_head);
136 static DEFINE_SPINLOCK(sb_security_lock);
137
138 static struct kmem_cache *sel_inode_cache;
139
140 /**
141  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
142  *
143  * Description:
144  * This function checks the SECMARK reference counter to see if any SECMARK
145  * targets are currently configured, if the reference counter is greater than
146  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
147  * enabled, false (0) if SECMARK is disabled.
148  *
149  */
150 static int selinux_secmark_enabled(void)
151 {
152         return (atomic_read(&selinux_secmark_refcount) > 0);
153 }
154
155 /* Allocate and free functions for each kind of security blob. */
156
157 static int task_alloc_security(struct task_struct *task)
158 {
159         struct task_security_struct *tsec;
160
161         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
162         if (!tsec)
163                 return -ENOMEM;
164
165         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->sid = tsec->sid;
222         fsec->fown_sid = tsec->sid;
223         file->f_security = fsec;
224
225         return 0;
226 }
227
228 static void file_free_security(struct file *file)
229 {
230         struct file_security_struct *fsec = file->f_security;
231         file->f_security = NULL;
232         kfree(fsec);
233 }
234
235 static int superblock_alloc_security(struct super_block *sb)
236 {
237         struct superblock_security_struct *sbsec;
238
239         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
240         if (!sbsec)
241                 return -ENOMEM;
242
243         mutex_init(&sbsec->lock);
244         INIT_LIST_HEAD(&sbsec->list);
245         INIT_LIST_HEAD(&sbsec->isec_head);
246         spin_lock_init(&sbsec->isec_lock);
247         sbsec->sb = sb;
248         sbsec->sid = SECINITSID_UNLABELED;
249         sbsec->def_sid = SECINITSID_FILE;
250         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
251         sb->s_security = sbsec;
252
253         return 0;
254 }
255
256 static void superblock_free_security(struct super_block *sb)
257 {
258         struct superblock_security_struct *sbsec = sb->s_security;
259
260         spin_lock(&sb_security_lock);
261         if (!list_empty(&sbsec->list))
262                 list_del_init(&sbsec->list);
263         spin_unlock(&sb_security_lock);
264
265         sb->s_security = NULL;
266         kfree(sbsec);
267 }
268
269 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
270 {
271         struct sk_security_struct *ssec;
272
273         ssec = kzalloc(sizeof(*ssec), priority);
274         if (!ssec)
275                 return -ENOMEM;
276
277         ssec->peer_sid = SECINITSID_UNLABELED;
278         ssec->sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         selinux_netlbl_sk_security_reset(ssec, family);
282
283         return 0;
284 }
285
286 static void sk_free_security(struct sock *sk)
287 {
288         struct sk_security_struct *ssec = sk->sk_security;
289
290         sk->sk_security = NULL;
291         kfree(ssec);
292 }
293
294 /* The security server must be initialized before
295    any labeling or access decisions can be provided. */
296 extern int ss_initialized;
297
298 /* The file system's label must be initialized prior to use. */
299
300 static char *labeling_behaviors[6] = {
301         "uses xattr",
302         "uses transition SIDs",
303         "uses task SIDs",
304         "uses genfs_contexts",
305         "not configured for labeling",
306         "uses mountpoint labeling",
307 };
308
309 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
310
311 static inline int inode_doinit(struct inode *inode)
312 {
313         return inode_doinit_with_dentry(inode, NULL);
314 }
315
316 enum {
317         Opt_error = -1,
318         Opt_context = 1,
319         Opt_fscontext = 2,
320         Opt_defcontext = 3,
321         Opt_rootcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, CONTEXT_STR "%s"},
326         {Opt_fscontext, FSCONTEXT_STR "%s"},
327         {Opt_defcontext, DEFCONTEXT_STR "%s"},
328         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
329         {Opt_error, NULL},
330 };
331
332 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
333
334 static int may_context_mount_sb_relabel(u32 sid,
335                         struct superblock_security_struct *sbsec,
336                         struct task_security_struct *tsec)
337 {
338         int rc;
339
340         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
341                           FILESYSTEM__RELABELFROM, NULL);
342         if (rc)
343                 return rc;
344
345         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
346                           FILESYSTEM__RELABELTO, NULL);
347         return rc;
348 }
349
350 static int may_context_mount_inode_relabel(u32 sid,
351                         struct superblock_security_struct *sbsec,
352                         struct task_security_struct *tsec)
353 {
354         int rc;
355         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
356                           FILESYSTEM__RELABELFROM, NULL);
357         if (rc)
358                 return rc;
359
360         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
361                           FILESYSTEM__ASSOCIATE, NULL);
362         return rc;
363 }
364
365 static int sb_finish_set_opts(struct super_block *sb)
366 {
367         struct superblock_security_struct *sbsec = sb->s_security;
368         struct dentry *root = sb->s_root;
369         struct inode *root_inode = root->d_inode;
370         int rc = 0;
371
372         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
373                 /* Make sure that the xattr handler exists and that no
374                    error other than -ENODATA is returned by getxattr on
375                    the root directory.  -ENODATA is ok, as this may be
376                    the first boot of the SELinux kernel before we have
377                    assigned xattr values to the filesystem. */
378                 if (!root_inode->i_op->getxattr) {
379                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
380                                "xattr support\n", sb->s_id, sb->s_type->name);
381                         rc = -EOPNOTSUPP;
382                         goto out;
383                 }
384                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
385                 if (rc < 0 && rc != -ENODATA) {
386                         if (rc == -EOPNOTSUPP)
387                                 printk(KERN_WARNING "SELinux: (dev %s, type "
388                                        "%s) has no security xattr handler\n",
389                                        sb->s_id, sb->s_type->name);
390                         else
391                                 printk(KERN_WARNING "SELinux: (dev %s, type "
392                                        "%s) getxattr errno %d\n", sb->s_id,
393                                        sb->s_type->name, -rc);
394                         goto out;
395                 }
396         }
397
398         sbsec->initialized = 1;
399
400         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
401                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
402                        sb->s_id, sb->s_type->name);
403         else
404                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
405                        sb->s_id, sb->s_type->name,
406                        labeling_behaviors[sbsec->behavior-1]);
407
408         /* Initialize the root inode. */
409         rc = inode_doinit_with_dentry(root_inode, root);
410
411         /* Initialize any other inodes associated with the superblock, e.g.
412            inodes created prior to initial policy load or inodes created
413            during get_sb by a pseudo filesystem that directly
414            populates itself. */
415         spin_lock(&sbsec->isec_lock);
416 next_inode:
417         if (!list_empty(&sbsec->isec_head)) {
418                 struct inode_security_struct *isec =
419                                 list_entry(sbsec->isec_head.next,
420                                            struct inode_security_struct, list);
421                 struct inode *inode = isec->inode;
422                 spin_unlock(&sbsec->isec_lock);
423                 inode = igrab(inode);
424                 if (inode) {
425                         if (!IS_PRIVATE(inode))
426                                 inode_doinit(inode);
427                         iput(inode);
428                 }
429                 spin_lock(&sbsec->isec_lock);
430                 list_del_init(&isec->list);
431                 goto next_inode;
432         }
433         spin_unlock(&sbsec->isec_lock);
434 out:
435         return rc;
436 }
437
438 /*
439  * This function should allow an FS to ask what it's mount security
440  * options were so it can use those later for submounts, displaying
441  * mount options, or whatever.
442  */
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444                                 struct security_mnt_opts *opts)
445 {
446         int rc = 0, i;
447         struct superblock_security_struct *sbsec = sb->s_security;
448         char *context = NULL;
449         u32 len;
450         char tmp;
451
452         security_init_mnt_opts(opts);
453
454         if (!sbsec->initialized)
455                 return -EINVAL;
456
457         if (!ss_initialized)
458                 return -EINVAL;
459
460         /*
461          * if we ever use sbsec flags for anything other than tracking mount
462          * settings this is going to need a mask
463          */
464         tmp = sbsec->flags;
465         /* count the number of mount options for this sb */
466         for (i = 0; i < 8; i++) {
467                 if (tmp & 0x01)
468                         opts->num_mnt_opts++;
469                 tmp >>= 1;
470         }
471
472         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473         if (!opts->mnt_opts) {
474                 rc = -ENOMEM;
475                 goto out_free;
476         }
477
478         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479         if (!opts->mnt_opts_flags) {
480                 rc = -ENOMEM;
481                 goto out_free;
482         }
483
484         i = 0;
485         if (sbsec->flags & FSCONTEXT_MNT) {
486                 rc = security_sid_to_context(sbsec->sid, &context, &len);
487                 if (rc)
488                         goto out_free;
489                 opts->mnt_opts[i] = context;
490                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
491         }
492         if (sbsec->flags & CONTEXT_MNT) {
493                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
494                 if (rc)
495                         goto out_free;
496                 opts->mnt_opts[i] = context;
497                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
498         }
499         if (sbsec->flags & DEFCONTEXT_MNT) {
500                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
501                 if (rc)
502                         goto out_free;
503                 opts->mnt_opts[i] = context;
504                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
505         }
506         if (sbsec->flags & ROOTCONTEXT_MNT) {
507                 struct inode *root = sbsec->sb->s_root->d_inode;
508                 struct inode_security_struct *isec = root->i_security;
509
510                 rc = security_sid_to_context(isec->sid, &context, &len);
511                 if (rc)
512                         goto out_free;
513                 opts->mnt_opts[i] = context;
514                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
515         }
516
517         BUG_ON(i != opts->num_mnt_opts);
518
519         return 0;
520
521 out_free:
522         security_free_mnt_opts(opts);
523         return rc;
524 }
525
526 static int bad_option(struct superblock_security_struct *sbsec, char flag,
527                       u32 old_sid, u32 new_sid)
528 {
529         /* check if the old mount command had the same options */
530         if (sbsec->initialized)
531                 if (!(sbsec->flags & flag) ||
532                     (old_sid != new_sid))
533                         return 1;
534
535         /* check if we were passed the same options twice,
536          * aka someone passed context=a,context=b
537          */
538         if (!sbsec->initialized)
539                 if (sbsec->flags & flag)
540                         return 1;
541         return 0;
542 }
543
544 /*
545  * Allow filesystems with binary mount data to explicitly set mount point
546  * labeling information.
547  */
548 static int selinux_set_mnt_opts(struct super_block *sb,
549                                 struct security_mnt_opts *opts)
550 {
551         int rc = 0, i;
552         struct task_security_struct *tsec = current->security;
553         struct superblock_security_struct *sbsec = sb->s_security;
554         const char *name = sb->s_type->name;
555         struct inode *inode = sbsec->sb->s_root->d_inode;
556         struct inode_security_struct *root_isec = inode->i_security;
557         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
558         u32 defcontext_sid = 0;
559         char **mount_options = opts->mnt_opts;
560         int *flags = opts->mnt_opts_flags;
561         int num_opts = opts->num_mnt_opts;
562
563         mutex_lock(&sbsec->lock);
564
565         if (!ss_initialized) {
566                 if (!num_opts) {
567                         /* Defer initialization until selinux_complete_init,
568                            after the initial policy is loaded and the security
569                            server is ready to handle calls. */
570                         spin_lock(&sb_security_lock);
571                         if (list_empty(&sbsec->list))
572                                 list_add(&sbsec->list, &superblock_security_head);
573                         spin_unlock(&sb_security_lock);
574                         goto out;
575                 }
576                 rc = -EINVAL;
577                 printk(KERN_WARNING "Unable to set superblock options before "
578                        "the security server is initialized\n");
579                 goto out;
580         }
581
582         /*
583          * Binary mount data FS will come through this function twice.  Once
584          * from an explicit call and once from the generic calls from the vfs.
585          * Since the generic VFS calls will not contain any security mount data
586          * we need to skip the double mount verification.
587          *
588          * This does open a hole in which we will not notice if the first
589          * mount using this sb set explict options and a second mount using
590          * this sb does not set any security options.  (The first options
591          * will be used for both mounts)
592          */
593         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
594             && (num_opts == 0))
595                 goto out;
596
597         /*
598          * parse the mount options, check if they are valid sids.
599          * also check if someone is trying to mount the same sb more
600          * than once with different security options.
601          */
602         for (i = 0; i < num_opts; i++) {
603                 u32 sid;
604                 rc = security_context_to_sid(mount_options[i],
605                                              strlen(mount_options[i]), &sid);
606                 if (rc) {
607                         printk(KERN_WARNING "SELinux: security_context_to_sid"
608                                "(%s) failed for (dev %s, type %s) errno=%d\n",
609                                mount_options[i], sb->s_id, name, rc);
610                         goto out;
611                 }
612                 switch (flags[i]) {
613                 case FSCONTEXT_MNT:
614                         fscontext_sid = sid;
615
616                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
617                                         fscontext_sid))
618                                 goto out_double_mount;
619
620                         sbsec->flags |= FSCONTEXT_MNT;
621                         break;
622                 case CONTEXT_MNT:
623                         context_sid = sid;
624
625                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
626                                         context_sid))
627                                 goto out_double_mount;
628
629                         sbsec->flags |= CONTEXT_MNT;
630                         break;
631                 case ROOTCONTEXT_MNT:
632                         rootcontext_sid = sid;
633
634                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
635                                         rootcontext_sid))
636                                 goto out_double_mount;
637
638                         sbsec->flags |= ROOTCONTEXT_MNT;
639
640                         break;
641                 case DEFCONTEXT_MNT:
642                         defcontext_sid = sid;
643
644                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
645                                         defcontext_sid))
646                                 goto out_double_mount;
647
648                         sbsec->flags |= DEFCONTEXT_MNT;
649
650                         break;
651                 default:
652                         rc = -EINVAL;
653                         goto out;
654                 }
655         }
656
657         if (sbsec->initialized) {
658                 /* previously mounted with options, but not on this attempt? */
659                 if (sbsec->flags && !num_opts)
660                         goto out_double_mount;
661                 rc = 0;
662                 goto out;
663         }
664
665         if (strcmp(sb->s_type->name, "proc") == 0)
666                 sbsec->proc = 1;
667
668         /* Determine the labeling behavior to use for this filesystem type. */
669         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
670         if (rc) {
671                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
672                        __func__, sb->s_type->name, rc);
673                 goto out;
674         }
675
676         /* sets the context of the superblock for the fs being mounted. */
677         if (fscontext_sid) {
678
679                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
680                 if (rc)
681                         goto out;
682
683                 sbsec->sid = fscontext_sid;
684         }
685
686         /*
687          * Switch to using mount point labeling behavior.
688          * sets the label used on all file below the mountpoint, and will set
689          * the superblock context if not already set.
690          */
691         if (context_sid) {
692                 if (!fscontext_sid) {
693                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
694                         if (rc)
695                                 goto out;
696                         sbsec->sid = context_sid;
697                 } else {
698                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
699                         if (rc)
700                                 goto out;
701                 }
702                 if (!rootcontext_sid)
703                         rootcontext_sid = context_sid;
704
705                 sbsec->mntpoint_sid = context_sid;
706                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
707         }
708
709         if (rootcontext_sid) {
710                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
711                 if (rc)
712                         goto out;
713
714                 root_isec->sid = rootcontext_sid;
715                 root_isec->initialized = 1;
716         }
717
718         if (defcontext_sid) {
719                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
720                         rc = -EINVAL;
721                         printk(KERN_WARNING "SELinux: defcontext option is "
722                                "invalid for this filesystem type\n");
723                         goto out;
724                 }
725
726                 if (defcontext_sid != sbsec->def_sid) {
727                         rc = may_context_mount_inode_relabel(defcontext_sid,
728                                                              sbsec, tsec);
729                         if (rc)
730                                 goto out;
731                 }
732
733                 sbsec->def_sid = defcontext_sid;
734         }
735
736         rc = sb_finish_set_opts(sb);
737 out:
738         mutex_unlock(&sbsec->lock);
739         return rc;
740 out_double_mount:
741         rc = -EINVAL;
742         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
743                "security settings for (dev %s, type %s)\n", sb->s_id, name);
744         goto out;
745 }
746
747 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
748                                         struct super_block *newsb)
749 {
750         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
751         struct superblock_security_struct *newsbsec = newsb->s_security;
752
753         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
754         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
755         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
756
757         /* we can't error, we can't save the info, this shouldn't get called
758          * this early in the boot process. */
759         BUG_ON(!ss_initialized);
760
761         /* how can we clone if the old one wasn't set up?? */
762         BUG_ON(!oldsbsec->initialized);
763
764         /* if fs is reusing a sb, just let its options stand... */
765         if (newsbsec->initialized)
766                 return;
767
768         mutex_lock(&newsbsec->lock);
769
770         newsbsec->flags = oldsbsec->flags;
771
772         newsbsec->sid = oldsbsec->sid;
773         newsbsec->def_sid = oldsbsec->def_sid;
774         newsbsec->behavior = oldsbsec->behavior;
775
776         if (set_context) {
777                 u32 sid = oldsbsec->mntpoint_sid;
778
779                 if (!set_fscontext)
780                         newsbsec->sid = sid;
781                 if (!set_rootcontext) {
782                         struct inode *newinode = newsb->s_root->d_inode;
783                         struct inode_security_struct *newisec = newinode->i_security;
784                         newisec->sid = sid;
785                 }
786                 newsbsec->mntpoint_sid = sid;
787         }
788         if (set_rootcontext) {
789                 const struct inode *oldinode = oldsb->s_root->d_inode;
790                 const struct inode_security_struct *oldisec = oldinode->i_security;
791                 struct inode *newinode = newsb->s_root->d_inode;
792                 struct inode_security_struct *newisec = newinode->i_security;
793
794                 newisec->sid = oldisec->sid;
795         }
796
797         sb_finish_set_opts(newsb);
798         mutex_unlock(&newsbsec->lock);
799 }
800
801 static int selinux_parse_opts_str(char *options,
802                                   struct security_mnt_opts *opts)
803 {
804         char *p;
805         char *context = NULL, *defcontext = NULL;
806         char *fscontext = NULL, *rootcontext = NULL;
807         int rc, num_mnt_opts = 0;
808
809         opts->num_mnt_opts = 0;
810
811         /* Standard string-based options. */
812         while ((p = strsep(&options, "|")) != NULL) {
813                 int token;
814                 substring_t args[MAX_OPT_ARGS];
815
816                 if (!*p)
817                         continue;
818
819                 token = match_token(p, tokens, args);
820
821                 switch (token) {
822                 case Opt_context:
823                         if (context || defcontext) {
824                                 rc = -EINVAL;
825                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
826                                 goto out_err;
827                         }
828                         context = match_strdup(&args[0]);
829                         if (!context) {
830                                 rc = -ENOMEM;
831                                 goto out_err;
832                         }
833                         break;
834
835                 case Opt_fscontext:
836                         if (fscontext) {
837                                 rc = -EINVAL;
838                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
839                                 goto out_err;
840                         }
841                         fscontext = match_strdup(&args[0]);
842                         if (!fscontext) {
843                                 rc = -ENOMEM;
844                                 goto out_err;
845                         }
846                         break;
847
848                 case Opt_rootcontext:
849                         if (rootcontext) {
850                                 rc = -EINVAL;
851                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
852                                 goto out_err;
853                         }
854                         rootcontext = match_strdup(&args[0]);
855                         if (!rootcontext) {
856                                 rc = -ENOMEM;
857                                 goto out_err;
858                         }
859                         break;
860
861                 case Opt_defcontext:
862                         if (context || defcontext) {
863                                 rc = -EINVAL;
864                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
865                                 goto out_err;
866                         }
867                         defcontext = match_strdup(&args[0]);
868                         if (!defcontext) {
869                                 rc = -ENOMEM;
870                                 goto out_err;
871                         }
872                         break;
873
874                 default:
875                         rc = -EINVAL;
876                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
877                         goto out_err;
878
879                 }
880         }
881
882         rc = -ENOMEM;
883         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
884         if (!opts->mnt_opts)
885                 goto out_err;
886
887         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
888         if (!opts->mnt_opts_flags) {
889                 kfree(opts->mnt_opts);
890                 goto out_err;
891         }
892
893         if (fscontext) {
894                 opts->mnt_opts[num_mnt_opts] = fscontext;
895                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
896         }
897         if (context) {
898                 opts->mnt_opts[num_mnt_opts] = context;
899                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
900         }
901         if (rootcontext) {
902                 opts->mnt_opts[num_mnt_opts] = rootcontext;
903                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
904         }
905         if (defcontext) {
906                 opts->mnt_opts[num_mnt_opts] = defcontext;
907                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
908         }
909
910         opts->num_mnt_opts = num_mnt_opts;
911         return 0;
912
913 out_err:
914         kfree(context);
915         kfree(defcontext);
916         kfree(fscontext);
917         kfree(rootcontext);
918         return rc;
919 }
920 /*
921  * string mount options parsing and call set the sbsec
922  */
923 static int superblock_doinit(struct super_block *sb, void *data)
924 {
925         int rc = 0;
926         char *options = data;
927         struct security_mnt_opts opts;
928
929         security_init_mnt_opts(&opts);
930
931         if (!data)
932                 goto out;
933
934         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
935
936         rc = selinux_parse_opts_str(options, &opts);
937         if (rc)
938                 goto out_err;
939
940 out:
941         rc = selinux_set_mnt_opts(sb, &opts);
942
943 out_err:
944         security_free_mnt_opts(&opts);
945         return rc;
946 }
947
948 static inline u16 inode_mode_to_security_class(umode_t mode)
949 {
950         switch (mode & S_IFMT) {
951         case S_IFSOCK:
952                 return SECCLASS_SOCK_FILE;
953         case S_IFLNK:
954                 return SECCLASS_LNK_FILE;
955         case S_IFREG:
956                 return SECCLASS_FILE;
957         case S_IFBLK:
958                 return SECCLASS_BLK_FILE;
959         case S_IFDIR:
960                 return SECCLASS_DIR;
961         case S_IFCHR:
962                 return SECCLASS_CHR_FILE;
963         case S_IFIFO:
964                 return SECCLASS_FIFO_FILE;
965
966         }
967
968         return SECCLASS_FILE;
969 }
970
971 static inline int default_protocol_stream(int protocol)
972 {
973         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
974 }
975
976 static inline int default_protocol_dgram(int protocol)
977 {
978         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
979 }
980
981 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
982 {
983         switch (family) {
984         case PF_UNIX:
985                 switch (type) {
986                 case SOCK_STREAM:
987                 case SOCK_SEQPACKET:
988                         return SECCLASS_UNIX_STREAM_SOCKET;
989                 case SOCK_DGRAM:
990                         return SECCLASS_UNIX_DGRAM_SOCKET;
991                 }
992                 break;
993         case PF_INET:
994         case PF_INET6:
995                 switch (type) {
996                 case SOCK_STREAM:
997                         if (default_protocol_stream(protocol))
998                                 return SECCLASS_TCP_SOCKET;
999                         else
1000                                 return SECCLASS_RAWIP_SOCKET;
1001                 case SOCK_DGRAM:
1002                         if (default_protocol_dgram(protocol))
1003                                 return SECCLASS_UDP_SOCKET;
1004                         else
1005                                 return SECCLASS_RAWIP_SOCKET;
1006                 case SOCK_DCCP:
1007                         return SECCLASS_DCCP_SOCKET;
1008                 default:
1009                         return SECCLASS_RAWIP_SOCKET;
1010                 }
1011                 break;
1012         case PF_NETLINK:
1013                 switch (protocol) {
1014                 case NETLINK_ROUTE:
1015                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1016                 case NETLINK_FIREWALL:
1017                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1018                 case NETLINK_INET_DIAG:
1019                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1020                 case NETLINK_NFLOG:
1021                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1022                 case NETLINK_XFRM:
1023                         return SECCLASS_NETLINK_XFRM_SOCKET;
1024                 case NETLINK_SELINUX:
1025                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1026                 case NETLINK_AUDIT:
1027                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1028                 case NETLINK_IP6_FW:
1029                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1030                 case NETLINK_DNRTMSG:
1031                         return SECCLASS_NETLINK_DNRT_SOCKET;
1032                 case NETLINK_KOBJECT_UEVENT:
1033                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1034                 default:
1035                         return SECCLASS_NETLINK_SOCKET;
1036                 }
1037         case PF_PACKET:
1038                 return SECCLASS_PACKET_SOCKET;
1039         case PF_KEY:
1040                 return SECCLASS_KEY_SOCKET;
1041         case PF_APPLETALK:
1042                 return SECCLASS_APPLETALK_SOCKET;
1043         }
1044
1045         return SECCLASS_SOCKET;
1046 }
1047
1048 #ifdef CONFIG_PROC_FS
1049 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1050                                 u16 tclass,
1051                                 u32 *sid)
1052 {
1053         int buflen, rc;
1054         char *buffer, *path, *end;
1055
1056         buffer = (char*)__get_free_page(GFP_KERNEL);
1057         if (!buffer)
1058                 return -ENOMEM;
1059
1060         buflen = PAGE_SIZE;
1061         end = buffer+buflen;
1062         *--end = '\0';
1063         buflen--;
1064         path = end-1;
1065         *path = '/';
1066         while (de && de != de->parent) {
1067                 buflen -= de->namelen + 1;
1068                 if (buflen < 0)
1069                         break;
1070                 end -= de->namelen;
1071                 memcpy(end, de->name, de->namelen);
1072                 *--end = '/';
1073                 path = end;
1074                 de = de->parent;
1075         }
1076         rc = security_genfs_sid("proc", path, tclass, sid);
1077         free_page((unsigned long)buffer);
1078         return rc;
1079 }
1080 #else
1081 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1082                                 u16 tclass,
1083                                 u32 *sid)
1084 {
1085         return -EINVAL;
1086 }
1087 #endif
1088
1089 /* The inode's security attributes must be initialized before first use. */
1090 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1091 {
1092         struct superblock_security_struct *sbsec = NULL;
1093         struct inode_security_struct *isec = inode->i_security;
1094         u32 sid;
1095         struct dentry *dentry;
1096 #define INITCONTEXTLEN 255
1097         char *context = NULL;
1098         unsigned len = 0;
1099         int rc = 0;
1100
1101         if (isec->initialized)
1102                 goto out;
1103
1104         mutex_lock(&isec->lock);
1105         if (isec->initialized)
1106                 goto out_unlock;
1107
1108         sbsec = inode->i_sb->s_security;
1109         if (!sbsec->initialized) {
1110                 /* Defer initialization until selinux_complete_init,
1111                    after the initial policy is loaded and the security
1112                    server is ready to handle calls. */
1113                 spin_lock(&sbsec->isec_lock);
1114                 if (list_empty(&isec->list))
1115                         list_add(&isec->list, &sbsec->isec_head);
1116                 spin_unlock(&sbsec->isec_lock);
1117                 goto out_unlock;
1118         }
1119
1120         switch (sbsec->behavior) {
1121         case SECURITY_FS_USE_XATTR:
1122                 if (!inode->i_op->getxattr) {
1123                         isec->sid = sbsec->def_sid;
1124                         break;
1125                 }
1126
1127                 /* Need a dentry, since the xattr API requires one.
1128                    Life would be simpler if we could just pass the inode. */
1129                 if (opt_dentry) {
1130                         /* Called from d_instantiate or d_splice_alias. */
1131                         dentry = dget(opt_dentry);
1132                 } else {
1133                         /* Called from selinux_complete_init, try to find a dentry. */
1134                         dentry = d_find_alias(inode);
1135                 }
1136                 if (!dentry) {
1137                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1138                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1139                                inode->i_ino);
1140                         goto out_unlock;
1141                 }
1142
1143                 len = INITCONTEXTLEN;
1144                 context = kmalloc(len, GFP_NOFS);
1145                 if (!context) {
1146                         rc = -ENOMEM;
1147                         dput(dentry);
1148                         goto out_unlock;
1149                 }
1150                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1151                                            context, len);
1152                 if (rc == -ERANGE) {
1153                         /* Need a larger buffer.  Query for the right size. */
1154                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1155                                                    NULL, 0);
1156                         if (rc < 0) {
1157                                 dput(dentry);
1158                                 goto out_unlock;
1159                         }
1160                         kfree(context);
1161                         len = rc;
1162                         context = kmalloc(len, GFP_NOFS);
1163                         if (!context) {
1164                                 rc = -ENOMEM;
1165                                 dput(dentry);
1166                                 goto out_unlock;
1167                         }
1168                         rc = inode->i_op->getxattr(dentry,
1169                                                    XATTR_NAME_SELINUX,
1170                                                    context, len);
1171                 }
1172                 dput(dentry);
1173                 if (rc < 0) {
1174                         if (rc != -ENODATA) {
1175                                 printk(KERN_WARNING "%s:  getxattr returned "
1176                                        "%d for dev=%s ino=%ld\n", __func__,
1177                                        -rc, inode->i_sb->s_id, inode->i_ino);
1178                                 kfree(context);
1179                                 goto out_unlock;
1180                         }
1181                         /* Map ENODATA to the default file SID */
1182                         sid = sbsec->def_sid;
1183                         rc = 0;
1184                 } else {
1185                         rc = security_context_to_sid_default(context, rc, &sid,
1186                                                              sbsec->def_sid,
1187                                                              GFP_NOFS);
1188                         if (rc) {
1189                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1190                                        "returned %d for dev=%s ino=%ld\n",
1191                                        __func__, context, -rc,
1192                                        inode->i_sb->s_id, inode->i_ino);
1193                                 kfree(context);
1194                                 /* Leave with the unlabeled SID */
1195                                 rc = 0;
1196                                 break;
1197                         }
1198                 }
1199                 kfree(context);
1200                 isec->sid = sid;
1201                 break;
1202         case SECURITY_FS_USE_TASK:
1203                 isec->sid = isec->task_sid;
1204                 break;
1205         case SECURITY_FS_USE_TRANS:
1206                 /* Default to the fs SID. */
1207                 isec->sid = sbsec->sid;
1208
1209                 /* Try to obtain a transition SID. */
1210                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1211                 rc = security_transition_sid(isec->task_sid,
1212                                              sbsec->sid,
1213                                              isec->sclass,
1214                                              &sid);
1215                 if (rc)
1216                         goto out_unlock;
1217                 isec->sid = sid;
1218                 break;
1219         case SECURITY_FS_USE_MNTPOINT:
1220                 isec->sid = sbsec->mntpoint_sid;
1221                 break;
1222         default:
1223                 /* Default to the fs superblock SID. */
1224                 isec->sid = sbsec->sid;
1225
1226                 if (sbsec->proc) {
1227                         struct proc_inode *proci = PROC_I(inode);
1228                         if (proci->pde) {
1229                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1230                                 rc = selinux_proc_get_sid(proci->pde,
1231                                                           isec->sclass,
1232                                                           &sid);
1233                                 if (rc)
1234                                         goto out_unlock;
1235                                 isec->sid = sid;
1236                         }
1237                 }
1238                 break;
1239         }
1240
1241         isec->initialized = 1;
1242
1243 out_unlock:
1244         mutex_unlock(&isec->lock);
1245 out:
1246         if (isec->sclass == SECCLASS_FILE)
1247                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1248         return rc;
1249 }
1250
1251 /* Convert a Linux signal to an access vector. */
1252 static inline u32 signal_to_av(int sig)
1253 {
1254         u32 perm = 0;
1255
1256         switch (sig) {
1257         case SIGCHLD:
1258                 /* Commonly granted from child to parent. */
1259                 perm = PROCESS__SIGCHLD;
1260                 break;
1261         case SIGKILL:
1262                 /* Cannot be caught or ignored */
1263                 perm = PROCESS__SIGKILL;
1264                 break;
1265         case SIGSTOP:
1266                 /* Cannot be caught or ignored */
1267                 perm = PROCESS__SIGSTOP;
1268                 break;
1269         default:
1270                 /* All other signals. */
1271                 perm = PROCESS__SIGNAL;
1272                 break;
1273         }
1274
1275         return perm;
1276 }
1277
1278 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1279    fork check, ptrace check, etc. */
1280 static int task_has_perm(struct task_struct *tsk1,
1281                          struct task_struct *tsk2,
1282                          u32 perms)
1283 {
1284         struct task_security_struct *tsec1, *tsec2;
1285
1286         tsec1 = tsk1->security;
1287         tsec2 = tsk2->security;
1288         return avc_has_perm(tsec1->sid, tsec2->sid,
1289                             SECCLASS_PROCESS, perms, NULL);
1290 }
1291
1292 #if CAP_LAST_CAP > 63
1293 #error Fix SELinux to handle capabilities > 63.
1294 #endif
1295
1296 /* Check whether a task is allowed to use a capability. */
1297 static int task_has_capability(struct task_struct *tsk,
1298                                int cap)
1299 {
1300         struct task_security_struct *tsec;
1301         struct avc_audit_data ad;
1302         u16 sclass;
1303         u32 av = CAP_TO_MASK(cap);
1304
1305         tsec = tsk->security;
1306
1307         AVC_AUDIT_DATA_INIT(&ad,CAP);
1308         ad.tsk = tsk;
1309         ad.u.cap = cap;
1310
1311         switch (CAP_TO_INDEX(cap)) {
1312         case 0:
1313                 sclass = SECCLASS_CAPABILITY;
1314                 break;
1315         case 1:
1316                 sclass = SECCLASS_CAPABILITY2;
1317                 break;
1318         default:
1319                 printk(KERN_ERR
1320                        "SELinux:  out of range capability %d\n", cap);
1321                 BUG();
1322         }
1323         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1324 }
1325
1326 /* Check whether a task is allowed to use a system operation. */
1327 static int task_has_system(struct task_struct *tsk,
1328                            u32 perms)
1329 {
1330         struct task_security_struct *tsec;
1331
1332         tsec = tsk->security;
1333
1334         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1335                             SECCLASS_SYSTEM, perms, NULL);
1336 }
1337
1338 /* Check whether a task has a particular permission to an inode.
1339    The 'adp' parameter is optional and allows other audit
1340    data to be passed (e.g. the dentry). */
1341 static int inode_has_perm(struct task_struct *tsk,
1342                           struct inode *inode,
1343                           u32 perms,
1344                           struct avc_audit_data *adp)
1345 {
1346         struct task_security_struct *tsec;
1347         struct inode_security_struct *isec;
1348         struct avc_audit_data ad;
1349
1350         if (unlikely (IS_PRIVATE (inode)))
1351                 return 0;
1352
1353         tsec = tsk->security;
1354         isec = inode->i_security;
1355
1356         if (!adp) {
1357                 adp = &ad;
1358                 AVC_AUDIT_DATA_INIT(&ad, FS);
1359                 ad.u.fs.inode = inode;
1360         }
1361
1362         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1363 }
1364
1365 /* Same as inode_has_perm, but pass explicit audit data containing
1366    the dentry to help the auditing code to more easily generate the
1367    pathname if needed. */
1368 static inline int dentry_has_perm(struct task_struct *tsk,
1369                                   struct vfsmount *mnt,
1370                                   struct dentry *dentry,
1371                                   u32 av)
1372 {
1373         struct inode *inode = dentry->d_inode;
1374         struct avc_audit_data ad;
1375         AVC_AUDIT_DATA_INIT(&ad,FS);
1376         ad.u.fs.path.mnt = mnt;
1377         ad.u.fs.path.dentry = dentry;
1378         return inode_has_perm(tsk, inode, av, &ad);
1379 }
1380
1381 /* Check whether a task can use an open file descriptor to
1382    access an inode in a given way.  Check access to the
1383    descriptor itself, and then use dentry_has_perm to
1384    check a particular permission to the file.
1385    Access to the descriptor is implicitly granted if it
1386    has the same SID as the process.  If av is zero, then
1387    access to the file is not checked, e.g. for cases
1388    where only the descriptor is affected like seek. */
1389 static int file_has_perm(struct task_struct *tsk,
1390                                 struct file *file,
1391                                 u32 av)
1392 {
1393         struct task_security_struct *tsec = tsk->security;
1394         struct file_security_struct *fsec = file->f_security;
1395         struct inode *inode = file->f_path.dentry->d_inode;
1396         struct avc_audit_data ad;
1397         int rc;
1398
1399         AVC_AUDIT_DATA_INIT(&ad, FS);
1400         ad.u.fs.path = file->f_path;
1401
1402         if (tsec->sid != fsec->sid) {
1403                 rc = avc_has_perm(tsec->sid, fsec->sid,
1404                                   SECCLASS_FD,
1405                                   FD__USE,
1406                                   &ad);
1407                 if (rc)
1408                         return rc;
1409         }
1410
1411         /* av is zero if only checking access to the descriptor. */
1412         if (av)
1413                 return inode_has_perm(tsk, inode, av, &ad);
1414
1415         return 0;
1416 }
1417
1418 /* Check whether a task can create a file. */
1419 static int may_create(struct inode *dir,
1420                       struct dentry *dentry,
1421                       u16 tclass)
1422 {
1423         struct task_security_struct *tsec;
1424         struct inode_security_struct *dsec;
1425         struct superblock_security_struct *sbsec;
1426         u32 newsid;
1427         struct avc_audit_data ad;
1428         int rc;
1429
1430         tsec = current->security;
1431         dsec = dir->i_security;
1432         sbsec = dir->i_sb->s_security;
1433
1434         AVC_AUDIT_DATA_INIT(&ad, FS);
1435         ad.u.fs.path.dentry = dentry;
1436
1437         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1438                           DIR__ADD_NAME | DIR__SEARCH,
1439                           &ad);
1440         if (rc)
1441                 return rc;
1442
1443         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1444                 newsid = tsec->create_sid;
1445         } else {
1446                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1447                                              &newsid);
1448                 if (rc)
1449                         return rc;
1450         }
1451
1452         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1453         if (rc)
1454                 return rc;
1455
1456         return avc_has_perm(newsid, sbsec->sid,
1457                             SECCLASS_FILESYSTEM,
1458                             FILESYSTEM__ASSOCIATE, &ad);
1459 }
1460
1461 /* Check whether a task can create a key. */
1462 static int may_create_key(u32 ksid,
1463                           struct task_struct *ctx)
1464 {
1465         struct task_security_struct *tsec;
1466
1467         tsec = ctx->security;
1468
1469         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1470 }
1471
1472 #define MAY_LINK   0
1473 #define MAY_UNLINK 1
1474 #define MAY_RMDIR  2
1475
1476 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1477 static int may_link(struct inode *dir,
1478                     struct dentry *dentry,
1479                     int kind)
1480
1481 {
1482         struct task_security_struct *tsec;
1483         struct inode_security_struct *dsec, *isec;
1484         struct avc_audit_data ad;
1485         u32 av;
1486         int rc;
1487
1488         tsec = current->security;
1489         dsec = dir->i_security;
1490         isec = dentry->d_inode->i_security;
1491
1492         AVC_AUDIT_DATA_INIT(&ad, FS);
1493         ad.u.fs.path.dentry = dentry;
1494
1495         av = DIR__SEARCH;
1496         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1497         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1498         if (rc)
1499                 return rc;
1500
1501         switch (kind) {
1502         case MAY_LINK:
1503                 av = FILE__LINK;
1504                 break;
1505         case MAY_UNLINK:
1506                 av = FILE__UNLINK;
1507                 break;
1508         case MAY_RMDIR:
1509                 av = DIR__RMDIR;
1510                 break;
1511         default:
1512                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1513                 return 0;
1514         }
1515
1516         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1517         return rc;
1518 }
1519
1520 static inline int may_rename(struct inode *old_dir,
1521                              struct dentry *old_dentry,
1522                              struct inode *new_dir,
1523                              struct dentry *new_dentry)
1524 {
1525         struct task_security_struct *tsec;
1526         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1527         struct avc_audit_data ad;
1528         u32 av;
1529         int old_is_dir, new_is_dir;
1530         int rc;
1531
1532         tsec = current->security;
1533         old_dsec = old_dir->i_security;
1534         old_isec = old_dentry->d_inode->i_security;
1535         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1536         new_dsec = new_dir->i_security;
1537
1538         AVC_AUDIT_DATA_INIT(&ad, FS);
1539
1540         ad.u.fs.path.dentry = old_dentry;
1541         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1542                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1543         if (rc)
1544                 return rc;
1545         rc = avc_has_perm(tsec->sid, old_isec->sid,
1546                           old_isec->sclass, FILE__RENAME, &ad);
1547         if (rc)
1548                 return rc;
1549         if (old_is_dir && new_dir != old_dir) {
1550                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1551                                   old_isec->sclass, DIR__REPARENT, &ad);
1552                 if (rc)
1553                         return rc;
1554         }
1555
1556         ad.u.fs.path.dentry = new_dentry;
1557         av = DIR__ADD_NAME | DIR__SEARCH;
1558         if (new_dentry->d_inode)
1559                 av |= DIR__REMOVE_NAME;
1560         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1561         if (rc)
1562                 return rc;
1563         if (new_dentry->d_inode) {
1564                 new_isec = new_dentry->d_inode->i_security;
1565                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1566                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1567                                   new_isec->sclass,
1568                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1569                 if (rc)
1570                         return rc;
1571         }
1572
1573         return 0;
1574 }
1575
1576 /* Check whether a task can perform a filesystem operation. */
1577 static int superblock_has_perm(struct task_struct *tsk,
1578                                struct super_block *sb,
1579                                u32 perms,
1580                                struct avc_audit_data *ad)
1581 {
1582         struct task_security_struct *tsec;
1583         struct superblock_security_struct *sbsec;
1584
1585         tsec = tsk->security;
1586         sbsec = sb->s_security;
1587         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1588                             perms, ad);
1589 }
1590
1591 /* Convert a Linux mode and permission mask to an access vector. */
1592 static inline u32 file_mask_to_av(int mode, int mask)
1593 {
1594         u32 av = 0;
1595
1596         if ((mode & S_IFMT) != S_IFDIR) {
1597                 if (mask & MAY_EXEC)
1598                         av |= FILE__EXECUTE;
1599                 if (mask & MAY_READ)
1600                         av |= FILE__READ;
1601
1602                 if (mask & MAY_APPEND)
1603                         av |= FILE__APPEND;
1604                 else if (mask & MAY_WRITE)
1605                         av |= FILE__WRITE;
1606
1607         } else {
1608                 if (mask & MAY_EXEC)
1609                         av |= DIR__SEARCH;
1610                 if (mask & MAY_WRITE)
1611                         av |= DIR__WRITE;
1612                 if (mask & MAY_READ)
1613                         av |= DIR__READ;
1614         }
1615
1616         return av;
1617 }
1618
1619 /*
1620  * Convert a file mask to an access vector and include the correct open
1621  * open permission.
1622  */
1623 static inline u32 open_file_mask_to_av(int mode, int mask)
1624 {
1625         u32 av = file_mask_to_av(mode, mask);
1626
1627         if (selinux_policycap_openperm) {
1628                 /*
1629                  * lnk files and socks do not really have an 'open'
1630                  */
1631                 if (S_ISREG(mode))
1632                         av |= FILE__OPEN;
1633                 else if (S_ISCHR(mode))
1634                         av |= CHR_FILE__OPEN;
1635                 else if (S_ISBLK(mode))
1636                         av |= BLK_FILE__OPEN;
1637                 else if (S_ISFIFO(mode))
1638                         av |= FIFO_FILE__OPEN;
1639                 else if (S_ISDIR(mode))
1640                         av |= DIR__OPEN;
1641                 else
1642                         printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1643                                 "with unknown mode:%x\n", mode);
1644         }
1645         return av;
1646 }
1647
1648 /* Convert a Linux file to an access vector. */
1649 static inline u32 file_to_av(struct file *file)
1650 {
1651         u32 av = 0;
1652
1653         if (file->f_mode & FMODE_READ)
1654                 av |= FILE__READ;
1655         if (file->f_mode & FMODE_WRITE) {
1656                 if (file->f_flags & O_APPEND)
1657                         av |= FILE__APPEND;
1658                 else
1659                         av |= FILE__WRITE;
1660         }
1661         if (!av) {
1662                 /*
1663                  * Special file opened with flags 3 for ioctl-only use.
1664                  */
1665                 av = FILE__IOCTL;
1666         }
1667
1668         return av;
1669 }
1670
1671 /* Hook functions begin here. */
1672
1673 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1674 {
1675         int rc;
1676
1677         rc = secondary_ops->ptrace(parent,child);
1678         if (rc)
1679                 return rc;
1680
1681         return task_has_perm(parent, child, PROCESS__PTRACE);
1682 }
1683
1684 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1685                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1686 {
1687         int error;
1688
1689         error = task_has_perm(current, target, PROCESS__GETCAP);
1690         if (error)
1691                 return error;
1692
1693         return secondary_ops->capget(target, effective, inheritable, permitted);
1694 }
1695
1696 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1697                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1698 {
1699         int error;
1700
1701         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1702         if (error)
1703                 return error;
1704
1705         return task_has_perm(current, target, PROCESS__SETCAP);
1706 }
1707
1708 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1709                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1710 {
1711         secondary_ops->capset_set(target, effective, inheritable, permitted);
1712 }
1713
1714 static int selinux_capable(struct task_struct *tsk, int cap)
1715 {
1716         int rc;
1717
1718         rc = secondary_ops->capable(tsk, cap);
1719         if (rc)
1720                 return rc;
1721
1722         return task_has_capability(tsk,cap);
1723 }
1724
1725 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1726 {
1727         int buflen, rc;
1728         char *buffer, *path, *end;
1729
1730         rc = -ENOMEM;
1731         buffer = (char*)__get_free_page(GFP_KERNEL);
1732         if (!buffer)
1733                 goto out;
1734
1735         buflen = PAGE_SIZE;
1736         end = buffer+buflen;
1737         *--end = '\0';
1738         buflen--;
1739         path = end-1;
1740         *path = '/';
1741         while (table) {
1742                 const char *name = table->procname;
1743                 size_t namelen = strlen(name);
1744                 buflen -= namelen + 1;
1745                 if (buflen < 0)
1746                         goto out_free;
1747                 end -= namelen;
1748                 memcpy(end, name, namelen);
1749                 *--end = '/';
1750                 path = end;
1751                 table = table->parent;
1752         }
1753         buflen -= 4;
1754         if (buflen < 0)
1755                 goto out_free;
1756         end -= 4;
1757         memcpy(end, "/sys", 4);
1758         path = end;
1759         rc = security_genfs_sid("proc", path, tclass, sid);
1760 out_free:
1761         free_page((unsigned long)buffer);
1762 out:
1763         return rc;
1764 }
1765
1766 static int selinux_sysctl(ctl_table *table, int op)
1767 {
1768         int error = 0;
1769         u32 av;
1770         struct task_security_struct *tsec;
1771         u32 tsid;
1772         int rc;
1773
1774         rc = secondary_ops->sysctl(table, op);
1775         if (rc)
1776                 return rc;
1777
1778         tsec = current->security;
1779
1780         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1781                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1782         if (rc) {
1783                 /* Default to the well-defined sysctl SID. */
1784                 tsid = SECINITSID_SYSCTL;
1785         }
1786
1787         /* The op values are "defined" in sysctl.c, thereby creating
1788          * a bad coupling between this module and sysctl.c */
1789         if(op == 001) {
1790                 error = avc_has_perm(tsec->sid, tsid,
1791                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1792         } else {
1793                 av = 0;
1794                 if (op & 004)
1795                         av |= FILE__READ;
1796                 if (op & 002)
1797                         av |= FILE__WRITE;
1798                 if (av)
1799                         error = avc_has_perm(tsec->sid, tsid,
1800                                              SECCLASS_FILE, av, NULL);
1801         }
1802
1803         return error;
1804 }
1805
1806 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1807 {
1808         int rc = 0;
1809
1810         if (!sb)
1811                 return 0;
1812
1813         switch (cmds) {
1814                 case Q_SYNC:
1815                 case Q_QUOTAON:
1816                 case Q_QUOTAOFF:
1817                 case Q_SETINFO:
1818                 case Q_SETQUOTA:
1819                         rc = superblock_has_perm(current,
1820                                                  sb,
1821                                                  FILESYSTEM__QUOTAMOD, NULL);
1822                         break;
1823                 case Q_GETFMT:
1824                 case Q_GETINFO:
1825                 case Q_GETQUOTA:
1826                         rc = superblock_has_perm(current,
1827                                                  sb,
1828                                                  FILESYSTEM__QUOTAGET, NULL);
1829                         break;
1830                 default:
1831                         rc = 0;  /* let the kernel handle invalid cmds */
1832                         break;
1833         }
1834         return rc;
1835 }
1836
1837 static int selinux_quota_on(struct dentry *dentry)
1838 {
1839         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1840 }
1841
1842 static int selinux_syslog(int type)
1843 {
1844         int rc;
1845
1846         rc = secondary_ops->syslog(type);
1847         if (rc)
1848                 return rc;
1849
1850         switch (type) {
1851                 case 3:         /* Read last kernel messages */
1852                 case 10:        /* Return size of the log buffer */
1853                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1854                         break;
1855                 case 6:         /* Disable logging to console */
1856                 case 7:         /* Enable logging to console */
1857                 case 8:         /* Set level of messages printed to console */
1858                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1859                         break;
1860                 case 0:         /* Close log */
1861                 case 1:         /* Open log */
1862                 case 2:         /* Read from log */
1863                 case 4:         /* Read/clear last kernel messages */
1864                 case 5:         /* Clear ring buffer */
1865                 default:
1866                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1867                         break;
1868         }
1869         return rc;
1870 }
1871
1872 /*
1873  * Check that a process has enough memory to allocate a new virtual
1874  * mapping. 0 means there is enough memory for the allocation to
1875  * succeed and -ENOMEM implies there is not.
1876  *
1877  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1878  * if the capability is granted, but __vm_enough_memory requires 1 if
1879  * the capability is granted.
1880  *
1881  * Do not audit the selinux permission check, as this is applied to all
1882  * processes that allocate mappings.
1883  */
1884 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1885 {
1886         int rc, cap_sys_admin = 0;
1887         struct task_security_struct *tsec = current->security;
1888
1889         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1890         if (rc == 0)
1891                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1892                                           SECCLASS_CAPABILITY,
1893                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1894                                           0,
1895                                           NULL);
1896
1897         if (rc == 0)
1898                 cap_sys_admin = 1;
1899
1900         return __vm_enough_memory(mm, pages, cap_sys_admin);
1901 }
1902
1903 /**
1904  * task_tracer_task - return the task that is tracing the given task
1905  * @task:               task to consider
1906  *
1907  * Returns NULL if noone is tracing @task, or the &struct task_struct
1908  * pointer to its tracer.
1909  *
1910  * Must be called under rcu_read_lock().
1911  */
1912 static struct task_struct *task_tracer_task(struct task_struct *task)
1913 {
1914         if (task->ptrace & PT_PTRACED)
1915                 return rcu_dereference(task->parent);
1916         return NULL;
1917 }
1918
1919 /* binprm security operations */
1920
1921 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1922 {
1923         struct bprm_security_struct *bsec;
1924
1925         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1926         if (!bsec)
1927                 return -ENOMEM;
1928
1929         bsec->sid = SECINITSID_UNLABELED;
1930         bsec->set = 0;
1931
1932         bprm->security = bsec;
1933         return 0;
1934 }
1935
1936 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1937 {
1938         struct task_security_struct *tsec;
1939         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1940         struct inode_security_struct *isec;
1941         struct bprm_security_struct *bsec;
1942         u32 newsid;
1943         struct avc_audit_data ad;
1944         int rc;
1945
1946         rc = secondary_ops->bprm_set_security(bprm);
1947         if (rc)
1948                 return rc;
1949
1950         bsec = bprm->security;
1951
1952         if (bsec->set)
1953                 return 0;
1954
1955         tsec = current->security;
1956         isec = inode->i_security;
1957
1958         /* Default to the current task SID. */
1959         bsec->sid = tsec->sid;
1960
1961         /* Reset fs, key, and sock SIDs on execve. */
1962         tsec->create_sid = 0;
1963         tsec->keycreate_sid = 0;
1964         tsec->sockcreate_sid = 0;
1965
1966         if (tsec->exec_sid) {
1967                 newsid = tsec->exec_sid;
1968                 /* Reset exec SID on execve. */
1969                 tsec->exec_sid = 0;
1970         } else {
1971                 /* Check for a default transition on this program. */
1972                 rc = security_transition_sid(tsec->sid, isec->sid,
1973                                              SECCLASS_PROCESS, &newsid);
1974                 if (rc)
1975                         return rc;
1976         }
1977
1978         AVC_AUDIT_DATA_INIT(&ad, FS);
1979         ad.u.fs.path = bprm->file->f_path;
1980
1981         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1982                 newsid = tsec->sid;
1983
1984         if (tsec->sid == newsid) {
1985                 rc = avc_has_perm(tsec->sid, isec->sid,
1986                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1987                 if (rc)
1988                         return rc;
1989         } else {
1990                 /* Check permissions for the transition. */
1991                 rc = avc_has_perm(tsec->sid, newsid,
1992                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1993                 if (rc)
1994                         return rc;
1995
1996                 rc = avc_has_perm(newsid, isec->sid,
1997                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1998                 if (rc)
1999                         return rc;
2000
2001                 /* Clear any possibly unsafe personality bits on exec: */
2002                 current->personality &= ~PER_CLEAR_ON_SETID;
2003
2004                 /* Set the security field to the new SID. */
2005                 bsec->sid = newsid;
2006         }
2007
2008         bsec->set = 1;
2009         return 0;
2010 }
2011
2012 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2013 {
2014         return secondary_ops->bprm_check_security(bprm);
2015 }
2016
2017
2018 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2019 {
2020         struct task_security_struct *tsec = current->security;
2021         int atsecure = 0;
2022
2023         if (tsec->osid != tsec->sid) {
2024                 /* Enable secure mode for SIDs transitions unless
2025                    the noatsecure permission is granted between
2026                    the two SIDs, i.e. ahp returns 0. */
2027                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2028                                          SECCLASS_PROCESS,
2029                                          PROCESS__NOATSECURE, NULL);
2030         }
2031
2032         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2033 }
2034
2035 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2036 {
2037         kfree(bprm->security);
2038         bprm->security = NULL;
2039 }
2040
2041 extern struct vfsmount *selinuxfs_mount;
2042 extern struct dentry *selinux_null;
2043
2044 /* Derived from fs/exec.c:flush_old_files. */
2045 static inline void flush_unauthorized_files(struct files_struct * files)
2046 {
2047         struct avc_audit_data ad;
2048         struct file *file, *devnull = NULL;
2049         struct tty_struct *tty;
2050         struct fdtable *fdt;
2051         long j = -1;
2052         int drop_tty = 0;
2053
2054         mutex_lock(&tty_mutex);
2055         tty = get_current_tty();
2056         if (tty) {
2057                 file_list_lock();
2058                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2059                 if (file) {
2060                         /* Revalidate access to controlling tty.
2061                            Use inode_has_perm on the tty inode directly rather
2062                            than using file_has_perm, as this particular open
2063                            file may belong to another process and we are only
2064                            interested in the inode-based check here. */
2065                         struct inode *inode = file->f_path.dentry->d_inode;
2066                         if (inode_has_perm(current, inode,
2067                                            FILE__READ | FILE__WRITE, NULL)) {
2068                                 drop_tty = 1;
2069                         }
2070                 }
2071                 file_list_unlock();
2072         }
2073         mutex_unlock(&tty_mutex);
2074         /* Reset controlling tty. */
2075         if (drop_tty)
2076                 no_tty();
2077
2078         /* Revalidate access to inherited open files. */
2079
2080         AVC_AUDIT_DATA_INIT(&ad,FS);
2081
2082         spin_lock(&files->file_lock);
2083         for (;;) {
2084                 unsigned long set, i;
2085                 int fd;
2086
2087                 j++;
2088                 i = j * __NFDBITS;
2089                 fdt = files_fdtable(files);
2090                 if (i >= fdt->max_fds)
2091                         break;
2092                 set = fdt->open_fds->fds_bits[j];
2093                 if (!set)
2094                         continue;
2095                 spin_unlock(&files->file_lock);
2096                 for ( ; set ; i++,set >>= 1) {
2097                         if (set & 1) {
2098                                 file = fget(i);
2099                                 if (!file)
2100                                         continue;
2101                                 if (file_has_perm(current,
2102                                                   file,
2103                                                   file_to_av(file))) {
2104                                         sys_close(i);
2105                                         fd = get_unused_fd();
2106                                         if (fd != i) {
2107                                                 if (fd >= 0)
2108                                                         put_unused_fd(fd);
2109                                                 fput(file);
2110                                                 continue;
2111                                         }
2112                                         if (devnull) {
2113                                                 get_file(devnull);
2114                                         } else {
2115                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2116                                                 if (IS_ERR(devnull)) {
2117                                                         devnull = NULL;
2118                                                         put_unused_fd(fd);
2119                                                         fput(file);
2120                                                         continue;
2121                                                 }
2122                                         }
2123                                         fd_install(fd, devnull);
2124                                 }
2125                                 fput(file);
2126                         }
2127                 }
2128                 spin_lock(&files->file_lock);
2129
2130         }
2131         spin_unlock(&files->file_lock);
2132 }
2133
2134 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2135 {
2136         struct task_security_struct *tsec;
2137         struct bprm_security_struct *bsec;
2138         u32 sid;
2139         int rc;
2140
2141         secondary_ops->bprm_apply_creds(bprm, unsafe);
2142
2143         tsec = current->security;
2144
2145         bsec = bprm->security;
2146         sid = bsec->sid;
2147
2148         tsec->osid = tsec->sid;
2149         bsec->unsafe = 0;
2150         if (tsec->sid != sid) {
2151                 /* Check for shared state.  If not ok, leave SID
2152                    unchanged and kill. */
2153                 if (unsafe & LSM_UNSAFE_SHARE) {
2154                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2155                                         PROCESS__SHARE, NULL);
2156                         if (rc) {
2157                                 bsec->unsafe = 1;
2158                                 return;
2159                         }
2160                 }
2161
2162                 /* Check for ptracing, and update the task SID if ok.
2163                    Otherwise, leave SID unchanged and kill. */
2164                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2165                         struct task_struct *tracer;
2166                         struct task_security_struct *sec;
2167                         u32 ptsid = 0;
2168
2169                         rcu_read_lock();
2170                         tracer = task_tracer_task(current);
2171                         if (likely(tracer != NULL)) {
2172                                 sec = tracer->security;
2173                                 ptsid = sec->sid;
2174                         }
2175                         rcu_read_unlock();
2176
2177                         if (ptsid != 0) {
2178                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2179                                                   PROCESS__PTRACE, NULL);
2180                                 if (rc) {
2181                                         bsec->unsafe = 1;
2182                                         return;
2183                                 }
2184                         }
2185                 }
2186                 tsec->sid = sid;
2187         }
2188 }
2189
2190 /*
2191  * called after apply_creds without the task lock held
2192  */
2193 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2194 {
2195         struct task_security_struct *tsec;
2196         struct rlimit *rlim, *initrlim;
2197         struct itimerval itimer;
2198         struct bprm_security_struct *bsec;
2199         int rc, i;
2200
2201         tsec = current->security;
2202         bsec = bprm->security;
2203
2204         if (bsec->unsafe) {
2205                 force_sig_specific(SIGKILL, current);
2206                 return;
2207         }
2208         if (tsec->osid == tsec->sid)
2209                 return;
2210
2211         /* Close files for which the new task SID is not authorized. */
2212         flush_unauthorized_files(current->files);
2213
2214         /* Check whether the new SID can inherit signal state
2215            from the old SID.  If not, clear itimers to avoid
2216            subsequent signal generation and flush and unblock
2217            signals. This must occur _after_ the task SID has
2218           been updated so that any kill done after the flush
2219           will be checked against the new SID. */
2220         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2221                           PROCESS__SIGINH, NULL);
2222         if (rc) {
2223                 memset(&itimer, 0, sizeof itimer);
2224                 for (i = 0; i < 3; i++)
2225                         do_setitimer(i, &itimer, NULL);
2226                 flush_signals(current);
2227                 spin_lock_irq(&current->sighand->siglock);
2228                 flush_signal_handlers(current, 1);
2229                 sigemptyset(&current->blocked);
2230                 recalc_sigpending();
2231                 spin_unlock_irq(&current->sighand->siglock);
2232         }
2233
2234         /* Always clear parent death signal on SID transitions. */
2235         current->pdeath_signal = 0;
2236
2237         /* Check whether the new SID can inherit resource limits
2238            from the old SID.  If not, reset all soft limits to
2239            the lower of the current task's hard limit and the init
2240            task's soft limit.  Note that the setting of hard limits
2241            (even to lower them) can be controlled by the setrlimit
2242            check. The inclusion of the init task's soft limit into
2243            the computation is to avoid resetting soft limits higher
2244            than the default soft limit for cases where the default
2245            is lower than the hard limit, e.g. RLIMIT_CORE or
2246            RLIMIT_STACK.*/
2247         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2248                           PROCESS__RLIMITINH, NULL);
2249         if (rc) {
2250                 for (i = 0; i < RLIM_NLIMITS; i++) {
2251                         rlim = current->signal->rlim + i;
2252                         initrlim = init_task.signal->rlim+i;
2253                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2254                 }
2255                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2256                         /*
2257                          * This will cause RLIMIT_CPU calculations
2258                          * to be refigured.
2259                          */
2260                         current->it_prof_expires = jiffies_to_cputime(1);
2261                 }
2262         }
2263
2264         /* Wake up the parent if it is waiting so that it can
2265            recheck wait permission to the new task SID. */
2266         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2267 }
2268
2269 /* superblock security operations */
2270
2271 static int selinux_sb_alloc_security(struct super_block *sb)
2272 {
2273         return superblock_alloc_security(sb);
2274 }
2275
2276 static void selinux_sb_free_security(struct super_block *sb)
2277 {
2278         superblock_free_security(sb);
2279 }
2280
2281 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2282 {
2283         if (plen > olen)
2284                 return 0;
2285
2286         return !memcmp(prefix, option, plen);
2287 }
2288
2289 static inline int selinux_option(char *option, int len)
2290 {
2291         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2292                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2293                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2294                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2295 }
2296
2297 static inline void take_option(char **to, char *from, int *first, int len)
2298 {
2299         if (!*first) {
2300                 **to = ',';
2301                 *to += 1;
2302         } else
2303                 *first = 0;
2304         memcpy(*to, from, len);
2305         *to += len;
2306 }
2307
2308 static inline void take_selinux_option(char **to, char *from, int *first, 
2309                                        int len)
2310 {
2311         int current_size = 0;
2312
2313         if (!*first) {
2314                 **to = '|';
2315                 *to += 1;
2316         }
2317         else
2318                 *first = 0;
2319
2320         while (current_size < len) {
2321                 if (*from != '"') {
2322                         **to = *from;
2323                         *to += 1;
2324                 }
2325                 from += 1;
2326                 current_size += 1;
2327         }
2328 }
2329
2330 static int selinux_sb_copy_data(char *orig, char *copy)
2331 {
2332         int fnosec, fsec, rc = 0;
2333         char *in_save, *in_curr, *in_end;
2334         char *sec_curr, *nosec_save, *nosec;
2335         int open_quote = 0;
2336
2337         in_curr = orig;
2338         sec_curr = copy;
2339
2340         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2341         if (!nosec) {
2342                 rc = -ENOMEM;
2343                 goto out;
2344         }
2345
2346         nosec_save = nosec;
2347         fnosec = fsec = 1;
2348         in_save = in_end = orig;
2349
2350         do {
2351                 if (*in_end == '"')
2352                         open_quote = !open_quote;
2353                 if ((*in_end == ',' && open_quote == 0) ||
2354                                 *in_end == '\0') {
2355                         int len = in_end - in_curr;
2356
2357                         if (selinux_option(in_curr, len))
2358                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2359                         else
2360                                 take_option(&nosec, in_curr, &fnosec, len);
2361
2362                         in_curr = in_end + 1;
2363                 }
2364         } while (*in_end++);
2365
2366         strcpy(in_save, nosec_save);
2367         free_page((unsigned long)nosec_save);
2368 out:
2369         return rc;
2370 }
2371
2372 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2373 {
2374         struct avc_audit_data ad;
2375         int rc;
2376
2377         rc = superblock_doinit(sb, data);
2378         if (rc)
2379                 return rc;
2380
2381         AVC_AUDIT_DATA_INIT(&ad,FS);
2382         ad.u.fs.path.dentry = sb->s_root;
2383         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2384 }
2385
2386 static int selinux_sb_statfs(struct dentry *dentry)
2387 {
2388         struct avc_audit_data ad;
2389
2390         AVC_AUDIT_DATA_INIT(&ad,FS);
2391         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2392         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2393 }
2394
2395 static int selinux_mount(char * dev_name,
2396                          struct nameidata *nd,
2397                          char * type,
2398                          unsigned long flags,
2399                          void * data)
2400 {
2401         int rc;
2402
2403         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2404         if (rc)
2405                 return rc;
2406
2407         if (flags & MS_REMOUNT)
2408                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2409                                            FILESYSTEM__REMOUNT, NULL);
2410         else
2411                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2412                                        FILE__MOUNTON);
2413 }
2414
2415 static int selinux_umount(struct vfsmount *mnt, int flags)
2416 {
2417         int rc;
2418
2419         rc = secondary_ops->sb_umount(mnt, flags);
2420         if (rc)
2421                 return rc;
2422
2423         return superblock_has_perm(current,mnt->mnt_sb,
2424                                    FILESYSTEM__UNMOUNT,NULL);
2425 }
2426
2427 /* inode security operations */
2428
2429 static int selinux_inode_alloc_security(struct inode *inode)
2430 {
2431         return inode_alloc_security(inode);
2432 }
2433
2434 static void selinux_inode_free_security(struct inode *inode)
2435 {
2436         inode_free_security(inode);
2437 }
2438
2439 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2440                                        char **name, void **value,
2441                                        size_t *len)
2442 {
2443         struct task_security_struct *tsec;
2444         struct inode_security_struct *dsec;
2445         struct superblock_security_struct *sbsec;
2446         u32 newsid, clen;
2447         int rc;
2448         char *namep = NULL, *context;
2449
2450         tsec = current->security;
2451         dsec = dir->i_security;
2452         sbsec = dir->i_sb->s_security;
2453
2454         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2455                 newsid = tsec->create_sid;
2456         } else {
2457                 rc = security_transition_sid(tsec->sid, dsec->sid,
2458                                              inode_mode_to_security_class(inode->i_mode),
2459                                              &newsid);
2460                 if (rc) {
2461                         printk(KERN_WARNING "%s:  "
2462                                "security_transition_sid failed, rc=%d (dev=%s "
2463                                "ino=%ld)\n",
2464                                __func__,
2465                                -rc, inode->i_sb->s_id, inode->i_ino);
2466                         return rc;
2467                 }
2468         }
2469
2470         /* Possibly defer initialization to selinux_complete_init. */
2471         if (sbsec->initialized) {
2472                 struct inode_security_struct *isec = inode->i_security;
2473                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2474                 isec->sid = newsid;
2475                 isec->initialized = 1;
2476         }
2477
2478         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2479                 return -EOPNOTSUPP;
2480
2481         if (name) {
2482                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2483                 if (!namep)
2484                         return -ENOMEM;
2485                 *name = namep;
2486         }
2487
2488         if (value && len) {
2489                 rc = security_sid_to_context(newsid, &context, &clen);
2490                 if (rc) {
2491                         kfree(namep);
2492                         return rc;
2493                 }
2494                 *value = context;
2495                 *len = clen;
2496         }
2497
2498         return 0;
2499 }
2500
2501 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2502 {
2503         return may_create(dir, dentry, SECCLASS_FILE);
2504 }
2505
2506 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2507 {
2508         int rc;
2509
2510         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2511         if (rc)
2512                 return rc;
2513         return may_link(dir, old_dentry, MAY_LINK);
2514 }
2515
2516 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2517 {
2518         int rc;
2519
2520         rc = secondary_ops->inode_unlink(dir, dentry);
2521         if (rc)
2522                 return rc;
2523         return may_link(dir, dentry, MAY_UNLINK);
2524 }
2525
2526 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2527 {
2528         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2529 }
2530
2531 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2532 {
2533         return may_create(dir, dentry, SECCLASS_DIR);
2534 }
2535
2536 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2537 {
2538         return may_link(dir, dentry, MAY_RMDIR);
2539 }
2540
2541 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2542 {
2543         int rc;
2544
2545         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2546         if (rc)
2547                 return rc;
2548
2549         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2550 }
2551
2552 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2553                                 struct inode *new_inode, struct dentry *new_dentry)
2554 {
2555         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2556 }
2557
2558 static int selinux_inode_readlink(struct dentry *dentry)
2559 {
2560         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2561 }
2562
2563 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2564 {
2565         int rc;
2566
2567         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2568         if (rc)
2569                 return rc;
2570         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2571 }
2572
2573 static int selinux_inode_permission(struct inode *inode, int mask,
2574                                     struct nameidata *nd)
2575 {
2576         int rc;
2577
2578         rc = secondary_ops->inode_permission(inode, mask, nd);
2579         if (rc)
2580                 return rc;
2581
2582         if (!mask) {
2583                 /* No permission to check.  Existence test. */
2584                 return 0;
2585         }
2586
2587         return inode_has_perm(current, inode,
2588                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2589 }
2590
2591 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2592 {
2593         int rc;
2594
2595         rc = secondary_ops->inode_setattr(dentry, iattr);
2596         if (rc)
2597                 return rc;
2598
2599         if (iattr->ia_valid & ATTR_FORCE)
2600                 return 0;
2601
2602         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2603                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2604                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2605
2606         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2607 }
2608
2609 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2610 {
2611         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2612 }
2613
2614 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2615 {
2616         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2617                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2618                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2619                         if (!capable(CAP_SETFCAP))
2620                                 return -EPERM;
2621                 } else if (!capable(CAP_SYS_ADMIN)) {
2622                         /* A different attribute in the security namespace.
2623                            Restrict to administrator. */
2624                         return -EPERM;
2625                 }
2626         }
2627
2628         /* Not an attribute we recognize, so just check the
2629            ordinary setattr permission. */
2630         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2631 }
2632
2633 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2634 {
2635         struct task_security_struct *tsec = current->security;
2636         struct inode *inode = dentry->d_inode;
2637         struct inode_security_struct *isec = inode->i_security;
2638         struct superblock_security_struct *sbsec;
2639         struct avc_audit_data ad;
2640         u32 newsid;
2641         int rc = 0;
2642
2643         if (strcmp(name, XATTR_NAME_SELINUX))
2644                 return selinux_inode_setotherxattr(dentry, name);
2645
2646         sbsec = inode->i_sb->s_security;
2647         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2648                 return -EOPNOTSUPP;
2649
2650         if (!is_owner_or_cap(inode))
2651                 return -EPERM;
2652
2653         AVC_AUDIT_DATA_INIT(&ad,FS);
2654         ad.u.fs.path.dentry = dentry;
2655
2656         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2657                           FILE__RELABELFROM, &ad);
2658         if (rc)
2659                 return rc;
2660
2661         rc = security_context_to_sid(value, size, &newsid);
2662         if (rc)
2663                 return rc;
2664
2665         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2666                           FILE__RELABELTO, &ad);
2667         if (rc)
2668                 return rc;
2669
2670         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2671                                           isec->sclass);
2672         if (rc)
2673                 return rc;
2674
2675         return avc_has_perm(newsid,
2676                             sbsec->sid,
2677                             SECCLASS_FILESYSTEM,
2678                             FILESYSTEM__ASSOCIATE,
2679                             &ad);
2680 }
2681
2682 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2683                                         void *value, size_t size, int flags)
2684 {
2685         struct inode *inode = dentry->d_inode;
2686         struct inode_security_struct *isec = inode->i_security;
2687         u32 newsid;
2688         int rc;
2689
2690         if (strcmp(name, XATTR_NAME_SELINUX)) {
2691                 /* Not an attribute we recognize, so nothing to do. */
2692                 return;
2693         }
2694
2695         rc = security_context_to_sid(value, size, &newsid);
2696         if (rc) {
2697                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2698                        "%s, rc=%d\n", __func__, (char *)value, -rc);
2699                 return;
2700         }
2701
2702         isec->sid = newsid;
2703         return;
2704 }
2705
2706 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2707 {
2708         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2709 }
2710
2711 static int selinux_inode_listxattr (struct dentry *dentry)
2712 {
2713         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2714 }
2715
2716 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2717 {
2718         if (strcmp(name, XATTR_NAME_SELINUX))
2719                 return selinux_inode_setotherxattr(dentry, name);
2720
2721         /* No one is allowed to remove a SELinux security label.
2722            You can change the label, but all data must be labeled. */
2723         return -EACCES;
2724 }
2725
2726 /*
2727  * Copy the in-core inode security context value to the user.  If the
2728  * getxattr() prior to this succeeded, check to see if we need to
2729  * canonicalize the value to be finally returned to the user.
2730  *
2731  * Permission check is handled by selinux_inode_getxattr hook.
2732  */
2733 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2734 {
2735         u32 size;
2736         int error;
2737         char *context = NULL;
2738         struct inode_security_struct *isec = inode->i_security;
2739
2740         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2741                 return -EOPNOTSUPP;
2742
2743         error = security_sid_to_context(isec->sid, &context, &size);
2744         if (error)
2745                 return error;
2746         error = size;
2747         if (alloc) {
2748                 *buffer = context;
2749                 goto out_nofree;
2750         }
2751         kfree(context);
2752 out_nofree:
2753         return error;
2754 }
2755
2756 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2757                                      const void *value, size_t size, int flags)
2758 {
2759         struct inode_security_struct *isec = inode->i_security;
2760         u32 newsid;
2761         int rc;
2762
2763         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2764                 return -EOPNOTSUPP;
2765
2766         if (!value || !size)
2767                 return -EACCES;
2768
2769         rc = security_context_to_sid((void*)value, size, &newsid);
2770         if (rc)
2771                 return rc;
2772
2773         isec->sid = newsid;
2774         return 0;
2775 }
2776
2777 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2778 {
2779         const int len = sizeof(XATTR_NAME_SELINUX);
2780         if (buffer && len <= buffer_size)
2781                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2782         return len;
2783 }
2784
2785 static int selinux_inode_need_killpriv(struct dentry *dentry)
2786 {
2787         return secondary_ops->inode_need_killpriv(dentry);
2788 }
2789
2790 static int selinux_inode_killpriv(struct dentry *dentry)
2791 {
2792         return secondary_ops->inode_killpriv(dentry);
2793 }
2794
2795 /* file security operations */
2796
2797 static int selinux_revalidate_file_permission(struct file *file, int mask)
2798 {
2799         int rc;
2800         struct inode *inode = file->f_path.dentry->d_inode;
2801
2802         if (!mask) {
2803                 /* No permission to check.  Existence test. */
2804                 return 0;
2805         }
2806
2807         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2808         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2809                 mask |= MAY_APPEND;
2810
2811         rc = file_has_perm(current, file,
2812                            file_mask_to_av(inode->i_mode, mask));
2813         if (rc)
2814                 return rc;
2815
2816         return selinux_netlbl_inode_permission(inode, mask);
2817 }
2818
2819 static int selinux_file_permission(struct file *file, int mask)
2820 {
2821         struct inode *inode = file->f_path.dentry->d_inode;
2822         struct task_security_struct *tsec = current->security;
2823         struct file_security_struct *fsec = file->f_security;
2824         struct inode_security_struct *isec = inode->i_security;
2825
2826         if (!mask) {
2827                 /* No permission to check.  Existence test. */
2828                 return 0;
2829         }
2830
2831         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2832             && fsec->pseqno == avc_policy_seqno())
2833                 return selinux_netlbl_inode_permission(inode, mask);
2834
2835         return selinux_revalidate_file_permission(file, mask);
2836 }
2837
2838 static int selinux_file_alloc_security(struct file *file)
2839 {
2840         return file_alloc_security(file);
2841 }
2842
2843 static void selinux_file_free_security(struct file *file)
2844 {
2845         file_free_security(file);
2846 }
2847
2848 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2849                               unsigned long arg)
2850 {
2851         int error = 0;
2852
2853         switch (cmd) {
2854                 case FIONREAD:
2855                 /* fall through */
2856                 case FIBMAP:
2857                 /* fall through */
2858                 case FIGETBSZ:
2859                 /* fall through */
2860                 case EXT2_IOC_GETFLAGS:
2861                 /* fall through */
2862                 case EXT2_IOC_GETVERSION:
2863                         error = file_has_perm(current, file, FILE__GETATTR);
2864                         break;
2865
2866                 case EXT2_IOC_SETFLAGS:
2867                 /* fall through */
2868                 case EXT2_IOC_SETVERSION:
2869                         error = file_has_perm(current, file, FILE__SETATTR);
2870                         break;
2871
2872                 /* sys_ioctl() checks */
2873                 case FIONBIO:
2874                 /* fall through */
2875                 case FIOASYNC:
2876                         error = file_has_perm(current, file, 0);
2877                         break;
2878
2879                 case KDSKBENT:
2880                 case KDSKBSENT:
2881                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2882                         break;
2883
2884                 /* default case assumes that the command will go
2885                  * to the file's ioctl() function.
2886                  */
2887                 default:
2888                         error = file_has_perm(current, file, FILE__IOCTL);
2889
2890         }
2891         return error;
2892 }
2893
2894 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2895 {
2896 #ifndef CONFIG_PPC32
2897         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2898                 /*
2899                  * We are making executable an anonymous mapping or a
2900                  * private file mapping that will also be writable.
2901                  * This has an additional check.
2902                  */
2903                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2904                 if (rc)
2905                         return rc;
2906         }
2907 #endif
2908
2909         if (file) {
2910                 /* read access is always possible with a mapping */
2911                 u32 av = FILE__READ;
2912
2913                 /* write access only matters if the mapping is shared */
2914                 if (shared && (prot & PROT_WRITE))
2915                         av |= FILE__WRITE;
2916
2917                 if (prot & PROT_EXEC)
2918                         av |= FILE__EXECUTE;
2919
2920                 return file_has_perm(current, file, av);
2921         }
2922         return 0;
2923 }
2924
2925 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2926                              unsigned long prot, unsigned long flags,
2927                              unsigned long addr, unsigned long addr_only)
2928 {
2929         int rc = 0;
2930         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2931
2932         if (addr < mmap_min_addr)
2933                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2934                                   MEMPROTECT__MMAP_ZERO, NULL);
2935         if (rc || addr_only)
2936                 return rc;
2937
2938         if (selinux_checkreqprot)
2939                 prot = reqprot;
2940
2941         return file_map_prot_check(file, prot,
2942                                    (flags & MAP_TYPE) == MAP_SHARED);
2943 }
2944
2945 static int selinux_file_mprotect(struct vm_area_struct *vma,
2946                                  unsigned long reqprot,
2947                                  unsigned long prot)
2948 {
2949         int rc;
2950
2951         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2952         if (rc)
2953                 return rc;
2954
2955         if (selinux_checkreqprot)
2956                 prot = reqprot;
2957
2958 #ifndef CONFIG_PPC32
2959         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2960                 rc = 0;
2961                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2962                     vma->vm_end <= vma->vm_mm->brk) {
2963                         rc = task_has_perm(current, current,
2964                                            PROCESS__EXECHEAP);
2965                 } else if (!vma->vm_file &&
2966                            vma->vm_start <= vma->vm_mm->start_stack &&
2967                            vma->vm_end >= vma->vm_mm->start_stack) {
2968                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2969                 } else if (vma->vm_file && vma->anon_vma) {
2970                         /*
2971                          * We are making executable a file mapping that has
2972                          * had some COW done. Since pages might have been
2973                          * written, check ability to execute the possibly
2974                          * modified content.  This typically should only
2975                          * occur for text relocations.
2976                          */
2977                         rc = file_has_perm(current, vma->vm_file,
2978                                            FILE__EXECMOD);
2979                 }
2980                 if (rc)
2981                         return rc;
2982         }
2983 #endif
2984
2985         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2986 }
2987
2988 static int selinux_file_lock(struct file *file, unsigned int cmd)
2989 {
2990         return file_has_perm(current, file, FILE__LOCK);
2991 }
2992
2993 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2994                               unsigned long arg)
2995 {
2996         int err = 0;
2997
2998         switch (cmd) {
2999                 case F_SETFL:
3000                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3001                                 err = -EINVAL;
3002                                 break;
3003                         }
3004
3005                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3006                                 err = file_has_perm(current, file,FILE__WRITE);
3007                                 break;
3008                         }
3009                         /* fall through */
3010                 case F_SETOWN:
3011                 case F_SETSIG:
3012                 case F_GETFL:
3013                 case F_GETOWN:
3014                 case F_GETSIG:
3015                         /* Just check FD__USE permission */
3016                         err = file_has_perm(current, file, 0);
3017                         break;
3018                 case F_GETLK:
3019                 case F_SETLK:
3020                 case F_SETLKW:
3021 #if BITS_PER_LONG == 32
3022                 case F_GETLK64:
3023                 case F_SETLK64:
3024                 case F_SETLKW64:
3025 #endif
3026                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3027                                 err = -EINVAL;
3028                                 break;
3029                         }
3030                         err = file_has_perm(current, file, FILE__LOCK);
3031                         break;
3032         }
3033
3034         return err;
3035 }
3036
3037 static int selinux_file_set_fowner(struct file *file)
3038 {
3039         struct task_security_struct *tsec;
3040         struct file_security_struct *fsec;
3041
3042         tsec = current->security;
3043         fsec = file->f_security;
3044         fsec->fown_sid = tsec->sid;
3045
3046         return 0;
3047 }
3048
3049 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3050                                        struct fown_struct *fown, int signum)
3051 {
3052         struct file *file;
3053         u32 perm;
3054         struct task_security_struct *tsec;
3055         struct file_security_struct *fsec;
3056
3057         /* struct fown_struct is never outside the context of a struct file */
3058         file = container_of(fown, struct file, f_owner);
3059
3060         tsec = tsk->security;
3061         fsec = file->f_security;
3062
3063         if (!signum)
3064                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3065         else
3066                 perm = signal_to_av(signum);
3067
3068         return avc_has_perm(fsec->fown_sid, tsec->sid,
3069                             SECCLASS_PROCESS, perm, NULL);
3070 }
3071
3072 static int selinux_file_receive(struct file *file)
3073 {
3074         return file_has_perm(current, file, file_to_av(file));
3075 }
3076
3077 static int selinux_dentry_open(struct file *file)
3078 {
3079         struct file_security_struct *fsec;
3080         struct inode *inode;
3081         struct inode_security_struct *isec;
3082         inode = file->f_path.dentry->d_inode;
3083         fsec = file->f_security;
3084         isec = inode->i_security;
3085         /*
3086          * Save inode label and policy sequence number
3087          * at open-time so that selinux_file_permission
3088          * can determine whether revalidation is necessary.
3089          * Task label is already saved in the file security
3090          * struct as its SID.
3091          */
3092         fsec->isid = isec->sid;
3093         fsec->pseqno = avc_policy_seqno();
3094         /*
3095          * Since the inode label or policy seqno may have changed
3096          * between the selinux_inode_permission check and the saving
3097          * of state above, recheck that access is still permitted.
3098          * Otherwise, access might never be revalidated against the
3099          * new inode label or new policy.
3100          * This check is not redundant - do not remove.
3101          */
3102         return inode_has_perm(current, inode, file_to_av(file), NULL);
3103 }
3104
3105 /* task security operations */
3106
3107 static int selinux_task_create(unsigned long clone_flags)
3108 {
3109         int rc;
3110
3111         rc = secondary_ops->task_create(clone_flags);
3112         if (rc)
3113                 return rc;
3114
3115         return task_has_perm(current, current, PROCESS__FORK);
3116 }
3117
3118 static int selinux_task_alloc_security(struct task_struct *tsk)
3119 {
3120         struct task_security_struct *tsec1, *tsec2;
3121         int rc;
3122
3123         tsec1 = current->security;
3124
3125         rc = task_alloc_security(tsk);
3126         if (rc)
3127                 return rc;
3128         tsec2 = tsk->security;
3129
3130         tsec2->osid = tsec1->osid;
3131         tsec2->sid = tsec1->sid;
3132
3133         /* Retain the exec, fs, key, and sock SIDs across fork */
3134         tsec2->exec_sid = tsec1->exec_sid;
3135         tsec2->create_sid = tsec1->create_sid;
3136         tsec2->keycreate_sid = tsec1->keycreate_sid;
3137         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3138
3139         return 0;
3140 }
3141
3142 static void selinux_task_free_security(struct task_struct *tsk)
3143 {
3144         task_free_security(tsk);
3145 }
3146
3147 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3148 {
3149         /* Since setuid only affects the current process, and
3150            since the SELinux controls are not based on the Linux
3151            identity attributes, SELinux does not need to control
3152            this operation.  However, SELinux does control the use
3153            of the CAP_SETUID and CAP_SETGID capabilities using the
3154            capable hook. */
3155         return 0;
3156 }
3157
3158 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3159 {
3160         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3161 }
3162
3163 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3164 {
3165         /* See the comment for setuid above. */
3166         return 0;
3167 }
3168
3169 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3170 {
3171         return task_has_perm(current, p, PROCESS__SETPGID);
3172 }
3173
3174 static int selinux_task_getpgid(struct task_struct *p)
3175 {
3176         return task_has_perm(current, p, PROCESS__GETPGID);
3177 }
3178
3179 static int selinux_task_getsid(struct task_struct *p)
3180 {
3181         return task_has_perm(current, p, PROCESS__GETSESSION);
3182 }
3183
3184 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3185 {
3186         selinux_get_task_sid(p, secid);
3187 }
3188
3189 static int selinux_task_setgroups(struct group_info *group_info)
3190 {
3191         /* See the comment for setuid above. */
3192         return 0;
3193 }
3194
3195 static int selinux_task_setnice(struct task_struct *p, int nice)
3196 {
3197         int rc;
3198
3199         rc = secondary_ops->task_setnice(p, nice);
3200         if (rc)
3201                 return rc;
3202
3203         return task_has_perm(current,p, PROCESS__SETSCHED);
3204 }
3205
3206 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3207 {
3208         int rc;
3209
3210         rc = secondary_ops->task_setioprio(p, ioprio);
3211         if (rc)
3212                 return rc;
3213
3214         return task_has_perm(current, p, PROCESS__SETSCHED);
3215 }
3216
3217 static int selinux_task_getioprio(struct task_struct *p)
3218 {
3219         return task_has_perm(current, p, PROCESS__GETSCHED);
3220 }
3221
3222 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3223 {
3224         struct rlimit *old_rlim = current->signal->rlim + resource;
3225         int rc;
3226
3227         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3228         if (rc)
3229                 return rc;
3230
3231         /* Control the ability to change the hard limit (whether
3232            lowering or raising it), so that the hard limit can
3233            later be used as a safe reset point for the soft limit
3234            upon context transitions. See selinux_bprm_apply_creds. */
3235         if (old_rlim->rlim_max != new_rlim->rlim_max)
3236                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3237
3238         return 0;
3239 }
3240
3241 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3242 {
3243         int rc;
3244
3245         rc = secondary_ops->task_setscheduler(p, policy, lp);
3246         if (rc)
3247                 return rc;
3248
3249         return task_has_perm(current, p, PROCESS__SETSCHED);
3250 }
3251
3252 static int selinux_task_getscheduler(struct task_struct *p)
3253 {
3254         return task_has_perm(current, p, PROCESS__GETSCHED);
3255 }
3256
3257 static int selinux_task_movememory(struct task_struct *p)
3258 {
3259         return task_has_perm(current, p, PROCESS__SETSCHED);
3260 }
3261
3262 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3263                                 int sig, u32 secid)
3264 {
3265         u32 perm;
3266         int rc;
3267         struct task_security_struct *tsec;
3268
3269         rc = secondary_ops->task_kill(p, info, sig, secid);
3270         if (rc)
3271                 return rc;
3272
3273         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3274                 return 0;
3275
3276         if (!sig)
3277                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3278         else
3279                 perm = signal_to_av(sig);
3280         tsec = p->security;
3281         if (secid)
3282                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3283         else
3284                 rc = task_has_perm(current, p, perm);
3285         return rc;
3286 }
3287
3288 static int selinux_task_prctl(int option,
3289                               unsigned long arg2,
3290                               unsigned long arg3,
3291                               unsigned long arg4,
3292                               unsigned long arg5)
3293 {
3294         /* The current prctl operations do not appear to require
3295            any SELinux controls since they merely observe or modify
3296            the state of the current process. */
3297         return 0;
3298 }
3299
3300 static int selinux_task_wait(struct task_struct *p)
3301 {
3302         return task_has_perm(p, current, PROCESS__SIGCHLD);
3303 }
3304
3305 static void selinux_task_reparent_to_init(struct task_struct *p)
3306 {
3307         struct task_security_struct *tsec;
3308
3309         secondary_ops->task_reparent_to_init(p);
3310
3311         tsec = p->security;
3312         tsec->osid = tsec->sid;
3313         tsec->sid = SECINITSID_KERNEL;
3314         return;
3315 }
3316
3317 static void selinux_task_to_inode(struct task_struct *p,
3318                                   struct inode *inode)
3319 {
3320         struct task_security_struct *tsec = p->security;
3321         struct inode_security_struct *isec = inode->i_security;
3322
3323         isec->sid = tsec->sid;
3324         isec->initialized = 1;
3325         return;
3326 }
3327
3328 /* Returns error only if unable to parse addresses */
3329 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3330                         struct avc_audit_data *ad, u8 *proto)
3331 {
3332         int offset, ihlen, ret = -EINVAL;
3333         struct iphdr _iph, *ih;
3334
3335         offset = skb_network_offset(skb);
3336         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3337         if (ih == NULL)
3338                 goto out;
3339
3340         ihlen = ih->ihl * 4;
3341         if (ihlen < sizeof(_iph))
3342                 goto out;
3343
3344         ad->u.net.v4info.saddr = ih->saddr;
3345         ad->u.net.v4info.daddr = ih->daddr;
3346         ret = 0;
3347
3348         if (proto)
3349                 *proto = ih->protocol;
3350
3351         switch (ih->protocol) {
3352         case IPPROTO_TCP: {
3353                 struct tcphdr _tcph, *th;
3354
3355                 if (ntohs(ih->frag_off) & IP_OFFSET)
3356                         break;
3357
3358                 offset += ihlen;
3359                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3360                 if (th == NULL)
3361                         break;
3362
3363                 ad->u.net.sport = th->source;
3364                 ad->u.net.dport = th->dest;
3365                 break;
3366         }
3367         
3368         case IPPROTO_UDP: {
3369                 struct udphdr _udph, *uh;
3370                 
3371                 if (ntohs(ih->frag_off) & IP_OFFSET)
3372                         break;
3373                         
3374                 offset += ihlen;
3375                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3376                 if (uh == NULL)
3377                         break;  
3378
3379                 ad->u.net.sport = uh->source;
3380                 ad->u.net.dport = uh->dest;
3381                 break;
3382         }
3383
3384         case IPPROTO_DCCP: {
3385                 struct dccp_hdr _dccph, *dh;
3386
3387                 if (ntohs(ih->frag_off) & IP_OFFSET)
3388                         break;
3389
3390                 offset += ihlen;
3391                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3392                 if (dh == NULL)
3393                         break;
3394
3395                 ad->u.net.sport = dh->dccph_sport;
3396                 ad->u.net.dport = dh->dccph_dport;
3397                 break;
3398         }
3399
3400         default:
3401                 break;
3402         }
3403 out:
3404         return ret;
3405 }
3406
3407 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3408
3409 /* Returns error only if unable to parse addresses */
3410 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3411                         struct avc_audit_data *ad, u8 *proto)
3412 {
3413         u8 nexthdr;
3414         int ret = -EINVAL, offset;
3415         struct ipv6hdr _ipv6h, *ip6;
3416
3417         offset = skb_network_offset(skb);
3418         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3419         if (ip6 == NULL)
3420                 goto out;
3421
3422         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3423         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3424         ret = 0;
3425
3426         nexthdr = ip6->nexthdr;
3427         offset += sizeof(_ipv6h);
3428         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3429         if (offset < 0)
3430                 goto out;
3431
3432         if (proto)
3433                 *proto = nexthdr;
3434
3435         switch (nexthdr) {
3436         case IPPROTO_TCP: {
3437                 struct tcphdr _tcph, *th;
3438
3439                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3440                 if (th == NULL)
3441                         break;
3442
3443                 ad->u.net.sport = th->source;
3444                 ad->u.net.dport = th->dest;
3445                 break;
3446         }
3447
3448         case IPPROTO_UDP: {
3449                 struct udphdr _udph, *uh;
3450
3451                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3452                 if (uh == NULL)
3453                         break;
3454
3455                 ad->u.net.sport = uh->source;
3456                 ad->u.net.dport = uh->dest;
3457                 break;
3458         }
3459
3460         case IPPROTO_DCCP: {
3461                 struct dccp_hdr _dccph, *dh;
3462
3463                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3464                 if (dh == NULL)
3465                         break;
3466
3467                 ad->u.net.sport = dh->dccph_sport;
3468                 ad->u.net.dport = dh->dccph_dport;
3469                 break;
3470         }
3471
3472         /* includes fragments */
3473         default:
3474                 break;
3475         }
3476 out:
3477         return ret;
3478 }
3479
3480 #endif /* IPV6 */
3481
3482 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3483                              char **addrp, int src, u8 *proto)
3484 {
3485         int ret = 0;
3486
3487         switch (ad->u.net.family) {
3488         case PF_INET:
3489                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3490                 if (ret || !addrp)
3491                         break;
3492                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3493                                         &ad->u.net.v4info.daddr);
3494                 break;
3495
3496 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3497         case PF_INET6:
3498                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3499                 if (ret || !addrp)
3500                         break;
3501                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3502                                         &ad->u.net.v6info.daddr);
3503                 break;
3504 #endif  /* IPV6 */
3505         default:
3506                 break;
3507         }
3508
3509         if (unlikely(ret))
3510                 printk(KERN_WARNING
3511                        "SELinux: failure in selinux_parse_skb(),"
3512                        " unable to parse packet\n");
3513
3514         return ret;
3515 }
3516
3517 /**
3518  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3519  * @skb: the packet
3520  * @family: protocol family
3521  * @sid: the packet's peer label SID
3522  *
3523  * Description:
3524  * Check the various different forms of network peer labeling and determine
3525  * the peer label/SID for the packet; most of the magic actually occurs in
3526  * the security server function security_net_peersid_cmp().  The function
3527  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3528  * or -EACCES if @sid is invalid due to inconsistencies with the different
3529  * peer labels.
3530  *
3531  */
3532 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3533 {
3534         int err;
3535         u32 xfrm_sid;
3536         u32 nlbl_sid;
3537         u32 nlbl_type;
3538
3539         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3540         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3541
3542         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3543         if (unlikely(err)) {
3544                 printk(KERN_WARNING
3545                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3546                        " unable to determine packet's peer label\n");
3547                 return -EACCES;
3548         }
3549
3550         return 0;
3551 }
3552
3553 /* socket security operations */
3554 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3555                            u32 perms)
3556 {
3557         struct inode_security_struct *isec;
3558         struct task_security_struct *tsec;
3559         struct avc_audit_data ad;
3560         int err = 0;
3561
3562         tsec = task->security;
3563         isec = SOCK_INODE(sock)->i_security;
3564
3565         if (isec->sid == SECINITSID_KERNEL)
3566                 goto out;
3567
3568         AVC_AUDIT_DATA_INIT(&ad,NET);
3569         ad.u.net.sk = sock->sk;
3570         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3571
3572 out:
3573         return err;
3574 }
3575
3576 static int selinux_socket_create(int family, int type,
3577                                  int protocol, int kern)
3578 {
3579         int err = 0;
3580         struct task_security_struct *tsec;
3581         u32 newsid;
3582
3583         if (kern)
3584                 goto out;
3585
3586         tsec = current->security;
3587         newsid = tsec->sockcreate_sid ? : tsec->sid;
3588         err = avc_has_perm(tsec->sid, newsid,
3589                            socket_type_to_security_class(family, type,
3590                            protocol), SOCKET__CREATE, NULL);
3591
3592 out:
3593         return err;
3594 }
3595
3596 static int selinux_socket_post_create(struct socket *sock, int family,
3597                                       int type, int protocol, int kern)
3598 {
3599         int err = 0;
3600         struct inode_security_struct *isec;
3601         struct task_security_struct *tsec;
3602         struct sk_security_struct *sksec;
3603         u32 newsid;
3604
3605         isec = SOCK_INODE(sock)->i_security;
3606
3607         tsec = current->security;
3608         newsid = tsec->sockcreate_sid ? : tsec->sid;
3609         isec->sclass = socket_type_to_security_class(family, type, protocol);
3610         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3611         isec->initialized = 1;
3612
3613         if (sock->sk) {
3614                 sksec = sock->sk->sk_security;
3615                 sksec->sid = isec->sid;
3616                 sksec->sclass = isec->sclass;
3617                 err = selinux_netlbl_socket_post_create(sock);
3618         }
3619
3620         return err;
3621 }
3622
3623 /* Range of port numbers used to automatically bind.
3624    Need to determine whether we should perform a name_bind
3625    permission check between the socket and the port number. */
3626
3627 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3628 {
3629         u16 family;
3630         int err;
3631
3632         err = socket_has_perm(current, sock, SOCKET__BIND);
3633         if (err)
3634                 goto out;
3635
3636         /*
3637          * If PF_INET or PF_INET6, check name_bind permission for the port.
3638          * Multiple address binding for SCTP is not supported yet: we just
3639          * check the first address now.
3640          */
3641         family = sock->sk->sk_family;
3642         if (family == PF_INET || family == PF_INET6) {
3643                 char *addrp;
3644                 struct inode_security_struct *isec;
3645                 struct task_security_struct *tsec;
3646                 struct avc_audit_data ad;
3647                 struct sockaddr_in *addr4 = NULL;
3648                 struct sockaddr_in6 *addr6 = NULL;
3649                 unsigned short snum;
3650                 struct sock *sk = sock->sk;
3651                 u32 sid, node_perm, addrlen;
3652
3653                 tsec = current->security;
3654                 isec = SOCK_INODE(sock)->i_security;
3655
3656                 if (family == PF_INET) {
3657                         addr4 = (struct sockaddr_in *)address;
3658                         snum = ntohs(addr4->sin_port);
3659                         addrlen = sizeof(addr4->sin_addr.s_addr);
3660                         addrp = (char *)&addr4->sin_addr.s_addr;
3661                 } else {
3662                         addr6 = (struct sockaddr_in6 *)address;
3663                         snum = ntohs(addr6->sin6_port);
3664                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3665                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3666                 }
3667
3668                 if (snum) {
3669                         int low, high;
3670
3671                         inet_get_local_port_range(&low, &high);
3672
3673                         if (snum < max(PROT_SOCK, low) || snum > high) {
3674                                 err = sel_netport_sid(sk->sk_protocol,
3675                                                       snum, &sid);
3676                                 if (err)
3677                                         goto out;
3678                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3679                                 ad.u.net.sport = htons(snum);
3680                                 ad.u.net.family = family;
3681                                 err = avc_has_perm(isec->sid, sid,
3682                                                    isec->sclass,
3683                                                    SOCKET__NAME_BIND, &ad);
3684                                 if (err)
3685                                         goto out;
3686                         }
3687                 }
3688                 
3689                 switch(isec->sclass) {
3690                 case SECCLASS_TCP_SOCKET:
3691                         node_perm = TCP_SOCKET__NODE_BIND;
3692                         break;
3693                         
3694                 case SECCLASS_UDP_SOCKET:
3695                         node_perm = UDP_SOCKET__NODE_BIND;
3696                         break;
3697
3698                 case SECCLASS_DCCP_SOCKET:
3699                         node_perm = DCCP_SOCKET__NODE_BIND;
3700                         break;
3701
3702                 default:
3703                         node_perm = RAWIP_SOCKET__NODE_BIND;
3704                         break;
3705                 }
3706                 
3707                 err = sel_netnode_sid(addrp, family, &sid);
3708                 if (err)
3709                         goto out;
3710                 
3711                 AVC_AUDIT_DATA_INIT(&ad,NET);
3712                 ad.u.net.sport = htons(snum);
3713                 ad.u.net.family = family;
3714
3715                 if (family == PF_INET)
3716                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3717                 else
3718                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3719
3720                 err = avc_has_perm(isec->sid, sid,
3721                                    isec->sclass, node_perm, &ad);
3722                 if (err)
3723                         goto out;
3724         }
3725 out:
3726         return err;
3727 }
3728
3729 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3730 {
3731         struct inode_security_struct *isec;
3732         int err;
3733
3734         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3735         if (err)
3736                 return err;
3737
3738         /*
3739          * If a TCP or DCCP socket, check name_connect permission for the port.
3740          */
3741         isec = SOCK_INODE(sock)->i_security;
3742         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3743             isec->sclass == SECCLASS_DCCP_SOCKET) {
3744                 struct sock *sk = sock->sk;
3745                 struct avc_audit_data ad;
3746                 struct sockaddr_in *addr4 = NULL;
3747                 struct sockaddr_in6 *addr6 = NULL;
3748                 unsigned short snum;
3749                 u32 sid, perm;
3750
3751                 if (sk->sk_family == PF_INET) {
3752                         addr4 = (struct sockaddr_in *)address;
3753                         if (addrlen < sizeof(struct sockaddr_in))
3754                                 return -EINVAL;
3755                         snum = ntohs(addr4->sin_port);
3756                 } else {
3757                         addr6 = (struct sockaddr_in6 *)address;
3758                         if (addrlen < SIN6_LEN_RFC2133)
3759                                 return -EINVAL;
3760                         snum = ntohs(addr6->sin6_port);
3761                 }
3762
3763                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3764                 if (err)
3765                         goto out;
3766
3767                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3768                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3769
3770                 AVC_AUDIT_DATA_INIT(&ad,NET);
3771                 ad.u.net.dport = htons(snum);
3772                 ad.u.net.family = sk->sk_family;
3773                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3774                 if (err)
3775                         goto out;
3776         }
3777
3778 out:
3779         return err;
3780 }
3781
3782 static int selinux_socket_listen(struct socket *sock, int backlog)
3783 {
3784         return socket_has_perm(current, sock, SOCKET__LISTEN);
3785 }
3786
3787 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3788 {
3789         int err;
3790         struct inode_security_struct *isec;
3791         struct inode_security_struct *newisec;
3792
3793         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3794         if (err)
3795                 return err;
3796
3797         newisec = SOCK_INODE(newsock)->i_security;
3798
3799         isec = SOCK_INODE(sock)->i_security;
3800         newisec->sclass = isec->sclass;
3801         newisec->sid = isec->sid;
3802         newisec->initialized = 1;
3803
3804         return 0;
3805 }
3806
3807 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3808                                   int size)
3809 {
3810         int rc;
3811
3812         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3813         if (rc)
3814                 return rc;
3815
3816         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3817 }
3818
3819 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3820                                   int size, int flags)
3821 {
3822         return socket_has_perm(current, sock, SOCKET__READ);
3823 }
3824
3825 static int selinux_socket_getsockname(struct socket *sock)
3826 {
3827         return socket_has_perm(current, sock, SOCKET__GETATTR);
3828 }
3829
3830 static int selinux_socket_getpeername(struct socket *sock)
3831 {
3832         return socket_has_perm(current, sock, SOCKET__GETATTR);
3833 }
3834
3835 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3836 {
3837         int err;
3838
3839         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3840         if (err)
3841                 return err;
3842
3843         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3844 }
3845
3846 static int selinux_socket_getsockopt(struct socket *sock, int level,
3847                                      int optname)
3848 {
3849         return socket_has_perm(current, sock, SOCKET__GETOPT);
3850 }
3851
3852 static int selinux_socket_shutdown(struct socket *sock, int how)
3853 {
3854         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3855 }
3856
3857 static int selinux_socket_unix_stream_connect(struct socket *sock,
3858                                               struct socket *other,
3859                                               struct sock *newsk)
3860 {
3861         struct sk_security_struct *ssec;
3862         struct inode_security_struct *isec;
3863         struct inode_security_struct *other_isec;
3864         struct avc_audit_data ad;
3865         int err;
3866
3867         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3868         if (err)
3869                 return err;
3870
3871         isec = SOCK_INODE(sock)->i_security;
3872         other_isec = SOCK_INODE(other)->i_security;
3873
3874         AVC_AUDIT_DATA_INIT(&ad,NET);
3875         ad.u.net.sk = other->sk;
3876
3877         err = avc_has_perm(isec->sid, other_isec->sid,
3878                            isec->sclass,
3879                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3880         if (err)
3881                 return err;
3882
3883         /* connecting socket */
3884         ssec = sock->sk->sk_security;
3885         ssec->peer_sid = other_isec->sid;
3886         
3887         /* server child socket */
3888         ssec = newsk->sk_security;
3889         ssec->peer_sid = isec->sid;
3890         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3891
3892         return err;
3893 }
3894
3895 static int selinux_socket_unix_may_send(struct socket *sock,
3896                                         struct socket *other)
3897 {
3898         struct inode_security_struct *isec;
3899         struct inode_security_struct *other_isec;
3900         struct avc_audit_data ad;
3901         int err;
3902
3903         isec = SOCK_INODE(sock)->i_security;
3904         other_isec = SOCK_INODE(other)->i_security;
3905
3906         AVC_AUDIT_DATA_INIT(&ad,NET);
3907         ad.u.net.sk = other->sk;
3908
3909         err = avc_has_perm(isec->sid, other_isec->sid,
3910                            isec->sclass, SOCKET__SENDTO, &ad);
3911         if (err)
3912                 return err;
3913
3914         return 0;
3915 }
3916
3917 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3918                                     u32 peer_sid,
3919                                     struct avc_audit_data *ad)
3920 {
3921         int err;
3922         u32 if_sid;
3923         u32 node_sid;
3924
3925         err = sel_netif_sid(ifindex, &if_sid);
3926         if (err)
3927                 return err;
3928         err = avc_has_perm(peer_sid, if_sid,
3929                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3930         if (err)
3931                 return err;
3932
3933         err = sel_netnode_sid(addrp, family, &node_sid);
3934         if (err)
3935                 return err;
3936         return avc_has_perm(peer_sid, node_sid,
3937                             SECCLASS_NODE, NODE__RECVFROM, ad);
3938 }
3939
3940 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3941                                                 struct sk_buff *skb,
3942                                                 struct avc_audit_data *ad,
3943                                                 u16 family,
3944                                                 char *addrp)
3945 {
3946         int err;
3947         struct sk_security_struct *sksec = sk->sk_security;
3948         u16 sk_class;
3949         u32 netif_perm, node_perm, recv_perm;
3950         u32 port_sid, node_sid, if_sid, sk_sid;
3951
3952         sk_sid = sksec->sid;
3953         sk_class = sksec->sclass;
3954
3955         switch (sk_class) {
3956         case SECCLASS_UDP_SOCKET:
3957                 netif_perm = NETIF__UDP_RECV;
3958                 node_perm = NODE__UDP_RECV;
3959                 recv_perm = UDP_SOCKET__RECV_MSG;
3960                 break;
3961         case SECCLASS_TCP_SOCKET:
3962                 netif_perm = NETIF__TCP_RECV;
3963                 node_perm = NODE__TCP_RECV;
3964                 recv_perm = TCP_SOCKET__RECV_MSG;
3965                 break;
3966         case SECCLASS_DCCP_SOCKET:
3967                 netif_perm = NETIF__DCCP_RECV;
3968                 node_perm = NODE__DCCP_RECV;
3969                 recv_perm = DCCP_SOCKET__RECV_MSG;
3970                 break;
3971         default:
3972                 netif_perm = NETIF__RAWIP_RECV;
3973                 node_perm = NODE__RAWIP_RECV;
3974                 recv_perm = 0;
3975                 break;
3976         }
3977
3978         err = sel_netif_sid(skb->iif, &if_sid);
3979         if (err)
3980                 return err;
3981         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3982         if (err)
3983                 return err;
3984         
3985         err = sel_netnode_sid(addrp, family, &node_sid);
3986         if (err)
3987                 return err;
3988         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3989         if (err)
3990                 return err;
3991
3992         if (!recv_perm)
3993                 return 0;
3994         err = sel_netport_sid(sk->sk_protocol,
3995                               ntohs(ad->u.net.sport), &port_sid);
3996         if (unlikely(err)) {
3997                 printk(KERN_WARNING
3998                        "SELinux: failure in"
3999                        " selinux_sock_rcv_skb_iptables_compat(),"
4000                        " network port label not found\n");
4001                 return err;
4002         }
4003         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4004 }
4005
4006 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4007                                        struct avc_audit_data *ad,
4008                                        u16 family, char *addrp)
4009 {
4010         int err;
4011         struct sk_security_struct *sksec = sk->sk_security;
4012         u32 peer_sid;
4013         u32 sk_sid = sksec->sid;
4014
4015         if (selinux_compat_net)
4016                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4017                                                            family, addrp);
4018         else
4019                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4020                                    PACKET__RECV, ad);
4021         if (err)
4022                 return err;
4023
4024         if (selinux_policycap_netpeer) {
4025                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4026                 if (err)
4027                         return err;
4028                 err = avc_has_perm(sk_sid, peer_sid,
4029                                    SECCLASS_PEER, PEER__RECV, ad);
4030         } else {
4031                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4032                 if (err)
4033                         return err;
4034                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4035         }
4036
4037         return err;
4038 }
4039
4040 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4041 {
4042         int err;
4043         struct sk_security_struct *sksec = sk->sk_security;
4044         u16 family = sk->sk_family;
4045         u32 sk_sid = sksec->sid;
4046         struct avc_audit_data ad;
4047         char *addrp;
4048
4049         if (family != PF_INET && family != PF_INET6)
4050                 return 0;
4051
4052         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4053         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4054                 family = PF_INET;
4055
4056         AVC_AUDIT_DATA_INIT(&ad, NET);
4057         ad.u.net.netif = skb->iif;
4058         ad.u.net.family = family;
4059         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4060         if (err)
4061                 return err;
4062
4063         /* If any sort of compatibility mode is enabled then handoff processing
4064          * to the selinux_sock_rcv_skb_compat() function to deal with the
4065          * special handling.  We do this in an attempt to keep this function
4066          * as fast and as clean as possible. */
4067         if (selinux_compat_net || !selinux_policycap_netpeer)
4068                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4069                                                    family, addrp);
4070
4071         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4072                 u32 peer_sid;
4073
4074                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4075                 if (err)
4076                         return err;
4077                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4078                                                peer_sid, &ad);
4079                 if (err)
4080                         return err;
4081                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4082                                    PEER__RECV, &ad);
4083         }
4084
4085         if (selinux_secmark_enabled()) {
4086                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4087                                    PACKET__RECV, &ad);
4088                 if (err)
4089                         return err;
4090         }
4091
4092         return err;
4093 }
4094
4095 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4096                                             int __user *optlen, unsigned len)
4097 {
4098         int err = 0;
4099         char *scontext;
4100         u32 scontext_len;
4101         struct sk_security_struct *ssec;
4102         struct inode_security_struct *isec;
4103         u32 peer_sid = SECSID_NULL;
4104
4105         isec = SOCK_INODE(sock)->i_security;
4106
4107         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4108             isec->sclass == SECCLASS_TCP_SOCKET) {
4109                 ssec = sock->sk->sk_security;
4110                 peer_sid = ssec->peer_sid;
4111         }
4112         if (peer_sid == SECSID_NULL) {
4113                 err = -ENOPROTOOPT;
4114                 goto out;
4115         }
4116
4117         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4118
4119         if (err)
4120                 goto out;
4121
4122         if (scontext_len > len) {
4123                 err = -ERANGE;
4124                 goto out_len;
4125         }
4126
4127         if (copy_to_user(optval, scontext, scontext_len))
4128                 err = -EFAULT;
4129
4130 out_len:
4131         if (put_user(scontext_len, optlen))
4132                 err = -EFAULT;
4133
4134         kfree(scontext);
4135 out:    
4136         return err;
4137 }
4138
4139 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4140 {
4141         u32 peer_secid = SECSID_NULL;
4142         u16 family;
4143
4144         if (sock)
4145                 family = sock->sk->sk_family;
4146         else if (skb && skb->sk)
4147                 family = skb->sk->sk_family;
4148         else
4149                 goto out;
4150
4151         if (sock && family == PF_UNIX)
4152                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4153         else if (skb)
4154                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4155
4156 out:
4157         *secid = peer_secid;
4158         if (peer_secid == SECSID_NULL)
4159                 return -EINVAL;
4160         return 0;
4161 }
4162
4163 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4164 {
4165         return sk_alloc_security(sk, family, priority);
4166 }
4167
4168 static void selinux_sk_free_security(struct sock *sk)
4169 {
4170         sk_free_security(sk);
4171 }
4172
4173 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4174 {
4175         struct sk_security_struct *ssec = sk->sk_security;
4176         struct sk_security_struct *newssec = newsk->sk_security;
4177
4178         newssec->sid = ssec->sid;
4179         newssec->peer_sid = ssec->peer_sid;
4180         newssec->sclass = ssec->sclass;
4181
4182         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4183 }
4184
4185 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4186 {
4187         if (!sk)
4188                 *secid = SECINITSID_ANY_SOCKET;
4189         else {
4190                 struct sk_security_struct *sksec = sk->sk_security;
4191
4192                 *secid = sksec->sid;
4193         }
4194 }
4195
4196 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4197 {
4198         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4199         struct sk_security_struct *sksec = sk->sk_security;
4200
4201         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4202             sk->sk_family == PF_UNIX)
4203                 isec->sid = sksec->sid;
4204         sksec->sclass = isec->sclass;
4205
4206         selinux_netlbl_sock_graft(sk, parent);
4207 }
4208
4209 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4210                                      struct request_sock *req)
4211 {
4212         struct sk_security_struct *sksec = sk->sk_security;
4213         int err;
4214         u32 newsid;
4215         u32 peersid;
4216
4217         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4218         if (err)
4219                 return err;
4220         if (peersid == SECSID_NULL) {
4221                 req->secid = sksec->sid;
4222                 req->peer_secid = SECSID_NULL;
4223                 return 0;
4224         }
4225
4226         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4227         if (err)
4228                 return err;
4229
4230         req->secid = newsid;
4231         req->peer_secid = peersid;
4232         return 0;
4233 }
4234
4235 static void selinux_inet_csk_clone(struct sock *newsk,
4236                                    const struct request_sock *req)
4237 {
4238         struct sk_security_struct *newsksec = newsk->sk_security;
4239
4240         newsksec->sid = req->secid;
4241         newsksec->peer_sid = req->peer_secid;
4242         /* NOTE: Ideally, we should also get the isec->sid for the
4243            new socket in sync, but we don't have the isec available yet.
4244            So we will wait until sock_graft to do it, by which
4245            time it will have been created and available. */
4246
4247         /* We don't need to take any sort of lock here as we are the only
4248          * thread with access to newsksec */
4249         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4250 }
4251
4252 static void selinux_inet_conn_established(struct sock *sk,
4253                                 struct sk_buff *skb)
4254 {
4255         struct sk_security_struct *sksec = sk->sk_security;
4256
4257         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4258 }
4259
4260 static void selinux_req_classify_flow(const struct request_sock *req,
4261                                       struct flowi *fl)
4262 {
4263         fl->secid = req->secid;
4264 }
4265
4266 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4267 {
4268         int err = 0;
4269         u32 perm;
4270         struct nlmsghdr *nlh;
4271         struct socket *sock = sk->sk_socket;
4272         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4273         
4274         if (skb->len < NLMSG_SPACE(0)) {
4275                 err = -EINVAL;
4276                 goto out;
4277         }
4278         nlh = nlmsg_hdr(skb);
4279         
4280         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4281         if (err) {
4282                 if (err == -EINVAL) {
4283                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4284                                   "SELinux:  unrecognized netlink message"
4285                                   " type=%hu for sclass=%hu\n",
4286                                   nlh->nlmsg_type, isec->sclass);
4287                         if (!selinux_enforcing)
4288                                 err = 0;
4289                 }
4290
4291                 /* Ignore */
4292                 if (err == -ENOENT)
4293                         err = 0;
4294                 goto out;
4295         }
4296
4297         err = socket_has_perm(current, sock, perm);
4298 out:
4299         return err;
4300 }
4301
4302 #ifdef CONFIG_NETFILTER
4303
4304 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4305                                        u16 family)
4306 {
4307         char *addrp;
4308         u32 peer_sid;
4309         struct avc_audit_data ad;
4310         u8 secmark_active;
4311         u8 peerlbl_active;
4312
4313         if (!selinux_policycap_netpeer)
4314                 return NF_ACCEPT;
4315
4316         secmark_active = selinux_secmark_enabled();
4317         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4318         if (!secmark_active && !peerlbl_active)
4319                 return NF_ACCEPT;
4320
4321         AVC_AUDIT_DATA_INIT(&ad, NET);
4322         ad.u.net.netif = ifindex;
4323         ad.u.net.family = family;
4324         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4325                 return NF_DROP;
4326
4327         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4328                 return NF_DROP;
4329
4330         if (peerlbl_active)
4331                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4332                                              peer_sid, &ad) != 0)
4333                         return NF_DROP;
4334
4335         if (secmark_active)
4336                 if (avc_has_perm(peer_sid, skb->secmark,
4337                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4338                         return NF_DROP;
4339
4340         return NF_ACCEPT;
4341 }
4342
4343 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4344                                          struct sk_buff *skb,
4345                                          const struct net_device *in,
4346                                          const struct net_device *out,
4347                                          int (*okfn)(struct sk_buff *))
4348 {
4349         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4350 }
4351
4352 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4353 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4354                                          struct sk_buff *skb,
4355                                          const struct net_device *in,
4356                                          const struct net_device *out,
4357                                          int (*okfn)(struct sk_buff *))
4358 {
4359         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4360 }
4361 #endif  /* IPV6 */
4362
4363 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4364                                                 int ifindex,
4365                                                 struct avc_audit_data *ad,
4366                                                 u16 family, char *addrp)
4367 {
4368         int err;
4369         struct sk_security_struct *sksec = sk->sk_security;
4370         u16 sk_class;
4371         u32 netif_perm, node_perm, send_perm;
4372         u32 port_sid, node_sid, if_sid, sk_sid;
4373
4374         sk_sid = sksec->sid;
4375         sk_class = sksec->sclass;
4376
4377         switch (sk_class) {
4378         case SECCLASS_UDP_SOCKET:
4379                 netif_perm = NETIF__UDP_SEND;
4380                 node_perm = NODE__UDP_SEND;
4381                 send_perm = UDP_SOCKET__SEND_MSG;
4382                 break;
4383         case SECCLASS_TCP_SOCKET:
4384                 netif_perm = NETIF__TCP_SEND;
4385                 node_perm = NODE__TCP_SEND;
4386                 send_perm = TCP_SOCKET__SEND_MSG;
4387                 break;
4388         case SECCLASS_DCCP_SOCKET:
4389                 netif_perm = NETIF__DCCP_SEND;
4390                 node_perm = NODE__DCCP_SEND;
4391                 send_perm = DCCP_SOCKET__SEND_MSG;
4392                 break;
4393         default:
4394                 netif_perm = NETIF__RAWIP_SEND;
4395                 node_perm = NODE__RAWIP_SEND;
4396                 send_perm = 0;
4397                 break;
4398         }
4399
4400         err = sel_netif_sid(ifindex, &if_sid);
4401         if (err)
4402                 return err;
4403         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4404                 return err;
4405                 
4406         err = sel_netnode_sid(addrp, family, &node_sid);
4407         if (err)
4408                 return err;
4409         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4410         if (err)
4411                 return err;
4412
4413         if (send_perm != 0)
4414                 return 0;
4415
4416         err = sel_netport_sid(sk->sk_protocol,
4417                               ntohs(ad->u.net.dport), &port_sid);
4418         if (unlikely(err)) {
4419                 printk(KERN_WARNING
4420                        "SELinux: failure in"
4421                        " selinux_ip_postroute_iptables_compat(),"
4422                        " network port label not found\n");
4423                 return err;
4424         }
4425         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4426 }
4427
4428 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4429                                                 int ifindex,
4430                                                 struct avc_audit_data *ad,
4431                                                 u16 family,
4432                                                 char *addrp,
4433                                                 u8 proto)
4434 {
4435         struct sock *sk = skb->sk;
4436         struct sk_security_struct *sksec;
4437
4438         if (sk == NULL)
4439                 return NF_ACCEPT;
4440         sksec = sk->sk_security;
4441
4442         if (selinux_compat_net) {
4443                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4444                                                          ad, family, addrp))
4445                         return NF_DROP;
4446         } else {
4447                 if (avc_has_perm(sksec->sid, skb->secmark,
4448                                  SECCLASS_PACKET, PACKET__SEND, ad))
4449                         return NF_DROP;
4450         }
4451
4452         if (selinux_policycap_netpeer)
4453                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4454                         return NF_DROP;
4455
4456         return NF_ACCEPT;
4457 }
4458
4459 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4460                                          u16 family)
4461 {
4462         u32 secmark_perm;
4463         u32 peer_sid;
4464         struct sock *sk;
4465         struct avc_audit_data ad;
4466         char *addrp;
4467         u8 proto;
4468         u8 secmark_active;
4469         u8 peerlbl_active;
4470
4471         AVC_AUDIT_DATA_INIT(&ad, NET);
4472         ad.u.net.netif = ifindex;
4473         ad.u.net.family = family;
4474         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4475                 return NF_DROP;
4476
4477         /* If any sort of compatibility mode is enabled then handoff processing
4478          * to the selinux_ip_postroute_compat() function to deal with the
4479          * special handling.  We do this in an attempt to keep this function
4480          * as fast and as clean as possible. */
4481         if (selinux_compat_net || !selinux_policycap_netpeer)
4482                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4483                                                    family, addrp, proto);
4484
4485         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4486          * packet transformation so allow the packet to pass without any checks
4487          * since we'll have another chance to perform access control checks
4488          * when the packet is on it's final way out.
4489          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4490          *       is NULL, in this case go ahead and apply access control. */
4491         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4492                 return NF_ACCEPT;
4493
4494         secmark_active = selinux_secmark_enabled();
4495         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4496         if (!secmark_active && !peerlbl_active)
4497                 return NF_ACCEPT;
4498
4499         /* if the packet is locally generated (skb->sk != NULL) then use the
4500          * socket's label as the peer label, otherwise the packet is being
4501          * forwarded through this system and we need to fetch the peer label
4502          * directly from the packet */
4503         sk = skb->sk;
4504         if (sk) {
4505                 struct sk_security_struct *sksec = sk->sk_security;
4506                 peer_sid = sksec->sid;
4507                 secmark_perm = PACKET__SEND;
4508         } else {
4509                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4510                                 return NF_DROP;
4511                 secmark_perm = PACKET__FORWARD_OUT;
4512         }
4513
4514         if (secmark_active)
4515                 if (avc_has_perm(peer_sid, skb->secmark,
4516                                  SECCLASS_PACKET, secmark_perm, &ad))
4517                         return NF_DROP;
4518
4519         if (peerlbl_active) {
4520                 u32 if_sid;
4521                 u32 node_sid;
4522
4523                 if (sel_netif_sid(ifindex, &if_sid))
4524                         return NF_DROP;
4525                 if (avc_has_perm(peer_sid, if_sid,
4526                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4527                         return NF_DROP;
4528
4529                 if (sel_netnode_sid(addrp, family, &node_sid))
4530                         return NF_DROP;
4531                 if (avc_has_perm(peer_sid, node_sid,
4532                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4533                         return NF_DROP;
4534         }
4535
4536         return NF_ACCEPT;
4537 }
4538
4539 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4540                                            struct sk_buff *skb,
4541                                            const struct net_device *in,
4542                                            const struct net_device *out,
4543                                            int (*okfn)(struct sk_buff *))
4544 {
4545         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4546 }
4547
4548 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4549 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4550                                            struct sk_buff *skb,
4551                                            const struct net_device *in,
4552                                            const struct net_device *out,
4553                                            int (*okfn)(struct sk_buff *))
4554 {
4555         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4556 }
4557 #endif  /* IPV6 */
4558
4559 #endif  /* CONFIG_NETFILTER */
4560
4561 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4562 {
4563         int err;
4564
4565         err = secondary_ops->netlink_send(sk, skb);
4566         if (err)
4567                 return err;
4568
4569         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4570                 err = selinux_nlmsg_perm(sk, skb);
4571
4572         return err;
4573 }
4574
4575 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4576 {
4577         int err;
4578         struct avc_audit_data ad;
4579
4580         err = secondary_ops->netlink_recv(skb, capability);
4581         if (err)
4582                 return err;
4583
4584         AVC_AUDIT_DATA_INIT(&ad, CAP);
4585         ad.u.cap = capability;
4586
4587         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4588                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4589 }
4590
4591 static int ipc_alloc_security(struct task_struct *task,
4592                               struct kern_ipc_perm *perm,
4593                               u16 sclass)
4594 {
4595         struct task_security_struct *tsec = task->security;
4596         struct ipc_security_struct *isec;
4597
4598         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4599         if (!isec)
4600                 return -ENOMEM;
4601
4602         isec->sclass = sclass;
4603         isec->sid = tsec->sid;
4604         perm->security = isec;
4605
4606         return 0;
4607 }
4608
4609 static void ipc_free_security(struct kern_ipc_perm *perm)
4610 {
4611         struct ipc_security_struct *isec = perm->security;
4612         perm->security = NULL;
4613         kfree(isec);
4614 }
4615
4616 static int msg_msg_alloc_security(struct msg_msg *msg)
4617 {
4618         struct msg_security_struct *msec;
4619
4620         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4621         if (!msec)
4622                 return -ENOMEM;
4623
4624         msec->sid = SECINITSID_UNLABELED;
4625         msg->security = msec;
4626
4627         return 0;
4628 }
4629
4630 static void msg_msg_free_security(struct msg_msg *msg)
4631 {
4632         struct msg_security_struct *msec = msg->security;
4633
4634         msg->security = NULL;
4635         kfree(msec);
4636 }
4637
4638 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4639                         u32 perms)
4640 {
4641         struct task_security_struct *tsec;
4642         struct ipc_security_struct *isec;
4643         struct avc_audit_data ad;
4644
4645         tsec = current->security;
4646         isec = ipc_perms->security;
4647
4648         AVC_AUDIT_DATA_INIT(&ad, IPC);
4649         ad.u.ipc_id = ipc_perms->key;
4650
4651         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4652 }
4653
4654 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4655 {
4656         return msg_msg_alloc_security(msg);
4657 }
4658
4659 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4660 {
4661         msg_msg_free_security(msg);
4662 }
4663
4664 /* message queue security operations */
4665 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4666 {
4667         struct task_security_struct *tsec;
4668         struct ipc_security_struct *isec;
4669         struct avc_audit_data ad;
4670         int rc;
4671
4672         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4673         if (rc)
4674                 return rc;
4675
4676         tsec = current->security;
4677         isec = msq->q_perm.security;
4678
4679         AVC_AUDIT_DATA_INIT(&ad, IPC);
4680         ad.u.ipc_id = msq->q_perm.key;
4681
4682         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4683                           MSGQ__CREATE, &ad);
4684         if (rc) {
4685                 ipc_free_security(&msq->q_perm);
4686                 return rc;
4687         }
4688         return 0;
4689 }
4690
4691 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4692 {
4693         ipc_free_security(&msq->q_perm);
4694 }
4695
4696 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4697 {
4698         struct task_security_struct *tsec;
4699         struct ipc_security_struct *isec;
4700         struct avc_audit_data ad;
4701
4702         tsec = current->security;
4703         isec = msq->q_perm.security;
4704
4705         AVC_AUDIT_DATA_INIT(&ad, IPC);
4706         ad.u.ipc_id = msq->q_perm.key;
4707
4708         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4709                             MSGQ__ASSOCIATE, &ad);
4710 }
4711
4712 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4713 {
4714         int err;
4715         int perms;
4716
4717         switch(cmd) {
4718         case IPC_INFO:
4719         case MSG_INFO:
4720                 /* No specific object, just general system-wide information. */
4721                 return task_has_system(current, SYSTEM__IPC_INFO);
4722         case IPC_STAT:
4723         case MSG_STAT:
4724                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4725                 break;
4726         case IPC_SET:
4727                 perms = MSGQ__SETATTR;
4728                 break;
4729         case IPC_RMID:
4730                 perms = MSGQ__DESTROY;
4731                 break;
4732         default:
4733                 return 0;
4734         }
4735
4736         err = ipc_has_perm(&msq->q_perm, perms);
4737         return err;
4738 }
4739
4740 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4741 {
4742         struct task_security_struct *tsec;
4743         struct ipc_security_struct *isec;
4744         struct msg_security_struct *msec;
4745         struct avc_audit_data ad;
4746         int rc;
4747
4748         tsec = current->security;
4749         isec = msq->q_perm.security;
4750         msec = msg->security;
4751
4752         /*
4753          * First time through, need to assign label to the message
4754          */
4755         if (msec->sid == SECINITSID_UNLABELED) {
4756                 /*
4757                  * Compute new sid based on current process and
4758                  * message queue this message will be stored in
4759                  */
4760                 rc = security_transition_sid(tsec->sid,
4761                                              isec->sid,
4762                                              SECCLASS_MSG,
4763                                              &msec->sid);
4764                 if (rc)
4765                         return rc;
4766         }
4767
4768         AVC_AUDIT_DATA_INIT(&ad, IPC);
4769         ad.u.ipc_id = msq->q_perm.key;
4770
4771         /* Can this process write to the queue? */
4772         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4773                           MSGQ__WRITE, &ad);
4774         if (!rc)
4775                 /* Can this process send the message */
4776                 rc = avc_has_perm(tsec->sid, msec->sid,
4777                                   SECCLASS_MSG, MSG__SEND, &ad);
4778         if (!rc)
4779                 /* Can the message be put in the queue? */
4780                 rc = avc_has_perm(msec->sid, isec->sid,
4781                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4782
4783         return rc;
4784 }
4785
4786 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4787                                     struct task_struct *target,
4788                                     long type, int mode)
4789 {
4790         struct task_security_struct *tsec;
4791         struct ipc_security_struct *isec;
4792         struct msg_security_struct *msec;
4793         struct avc_audit_data ad;
4794         int rc;
4795
4796         tsec = target->security;
4797         isec = msq->q_perm.security;
4798         msec = msg->security;
4799
4800         AVC_AUDIT_DATA_INIT(&ad, IPC);
4801         ad.u.ipc_id = msq->q_perm.key;
4802
4803         rc = avc_has_perm(tsec->sid, isec->sid,
4804                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4805         if (!rc)
4806                 rc = avc_has_perm(tsec->sid, msec->sid,
4807                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4808         return rc;
4809 }
4810
4811 /* Shared Memory security operations */
4812 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4813 {
4814         struct task_security_struct *tsec;
4815         struct ipc_security_struct *isec;
4816         struct avc_audit_data ad;
4817         int rc;
4818
4819         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4820         if (rc)
4821                 return rc;
4822
4823         tsec = current->security;
4824         isec = shp->shm_perm.security;
4825
4826         AVC_AUDIT_DATA_INIT(&ad, IPC);
4827         ad.u.ipc_id = shp->shm_perm.key;
4828
4829         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4830                           SHM__CREATE, &ad);
4831         if (rc) {
4832                 ipc_free_security(&shp->shm_perm);
4833                 return rc;
4834         }
4835         return 0;
4836 }
4837
4838 static void selinux_shm_free_security(struct shmid_kernel *shp)
4839 {
4840         ipc_free_security(&shp->shm_perm);
4841 }
4842
4843 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4844 {
4845         struct task_security_struct *tsec;
4846         struct ipc_security_struct *isec;
4847         struct avc_audit_data ad;
4848
4849         tsec = current->security;
4850         isec = shp->shm_perm.security;
4851
4852         AVC_AUDIT_DATA_INIT(&ad, IPC);
4853         ad.u.ipc_id = shp->shm_perm.key;
4854
4855         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4856                             SHM__ASSOCIATE, &ad);
4857 }
4858
4859 /* Note, at this point, shp is locked down */
4860 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4861 {
4862         int perms;
4863         int err;
4864
4865         switch(cmd) {
4866         case IPC_INFO:
4867         case SHM_INFO:
4868                 /* No specific object, just general system-wide information. */
4869                 return task_has_system(current, SYSTEM__IPC_INFO);
4870         case IPC_STAT:
4871         case SHM_STAT:
4872                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4873                 break;
4874         case IPC_SET:
4875                 perms = SHM__SETATTR;
4876                 break;
4877         case SHM_LOCK:
4878         case SHM_UNLOCK:
4879                 perms = SHM__LOCK;
4880                 break;
4881         case IPC_RMID:
4882                 perms = SHM__DESTROY;
4883                 break;
4884         default:
4885                 return 0;
4886         }
4887
4888         err = ipc_has_perm(&shp->shm_perm, perms);
4889         return err;
4890 }
4891
4892 static int selinux_shm_shmat(struct shmid_kernel *shp,
4893                              char __user *shmaddr, int shmflg)
4894 {
4895         u32 perms;
4896         int rc;
4897
4898         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4899         if (rc)
4900                 return rc;
4901
4902         if (shmflg & SHM_RDONLY)
4903                 perms = SHM__READ;
4904         else
4905                 perms = SHM__READ | SHM__WRITE;
4906
4907         return ipc_has_perm(&shp->shm_perm, perms);
4908 }
4909
4910 /* Semaphore security operations */
4911 static int selinux_sem_alloc_security(struct sem_array *sma)
4912 {
4913         struct task_security_struct *tsec;
4914         struct ipc_security_struct *isec;
4915         struct avc_audit_data ad;
4916         int rc;
4917
4918         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4919         if (rc)
4920                 return rc;
4921
4922         tsec = current->security;
4923         isec = sma->sem_perm.security;
4924
4925         AVC_AUDIT_DATA_INIT(&ad, IPC);
4926         ad.u.ipc_id = sma->sem_perm.key;
4927
4928         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4929                           SEM__CREATE, &ad);
4930         if (rc) {
4931                 ipc_free_security(&sma->sem_perm);
4932                 return rc;
4933         }
4934         return 0;
4935 }
4936
4937 static void selinux_sem_free_security(struct sem_array *sma)
4938 {
4939         ipc_free_security(&sma->sem_perm);
4940 }
4941
4942 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4943 {
4944         struct task_security_struct *tsec;
4945         struct ipc_security_struct *isec;
4946         struct avc_audit_data ad;
4947
4948         tsec = current->security;
4949         isec = sma->sem_perm.security;
4950
4951         AVC_AUDIT_DATA_INIT(&ad, IPC);
4952         ad.u.ipc_id = sma->sem_perm.key;
4953
4954         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4955                             SEM__ASSOCIATE, &ad);
4956 }
4957
4958 /* Note, at this point, sma is locked down */
4959 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4960 {
4961         int err;
4962         u32 perms;
4963
4964         switch(cmd) {
4965         case IPC_INFO:
4966         case SEM_INFO:
4967                 /* No specific object, just general system-wide information. */
4968                 return task_has_system(current, SYSTEM__IPC_INFO);
4969         case GETPID:
4970         case GETNCNT:
4971         case GETZCNT:
4972                 perms = SEM__GETATTR;
4973                 break;
4974         case GETVAL:
4975         case GETALL:
4976                 perms = SEM__READ;
4977                 break;
4978         case SETVAL:
4979         case SETALL:
4980                 perms = SEM__WRITE;
4981                 break;
4982         case IPC_RMID:
4983                 perms = SEM__DESTROY;
4984                 break;
4985         case IPC_SET:
4986                 perms = SEM__SETATTR;
4987                 break;
4988         case IPC_STAT:
4989         case SEM_STAT:
4990                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4991                 break;
4992         default:
4993                 return 0;
4994         }
4995
4996         err = ipc_has_perm(&sma->sem_perm, perms);
4997         return err;
4998 }
4999
5000 static int selinux_sem_semop(struct sem_array *sma,
5001                              struct sembuf *sops, unsigned nsops, int alter)
5002 {
5003         u32 perms;
5004
5005         if (alter)
5006                 perms = SEM__READ | SEM__WRITE;
5007         else
5008                 perms = SEM__READ;
5009
5010         return ipc_has_perm(&sma->sem_perm, perms);
5011 }
5012
5013 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5014 {
5015         u32 av = 0;
5016
5017         av = 0;
5018         if (flag & S_IRUGO)
5019                 av |= IPC__UNIX_READ;
5020         if (flag & S_IWUGO)
5021                 av |= IPC__UNIX_WRITE;
5022
5023         if (av == 0)
5024                 return 0;
5025
5026         return ipc_has_perm(ipcp, av);
5027 }
5028
5029 /* module stacking operations */
5030 static int selinux_register_security (const char *name, struct security_operations *ops)
5031 {
5032         if (secondary_ops != original_ops) {
5033                 printk(KERN_ERR "%s:  There is already a secondary security "
5034                        "module registered.\n", __func__);
5035                 return -EINVAL;
5036         }
5037
5038         secondary_ops = ops;
5039
5040         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5041                __func__,
5042                name);
5043
5044         return 0;
5045 }
5046
5047 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5048 {
5049         if (inode)
5050                 inode_doinit_with_dentry(inode, dentry);
5051 }
5052
5053 static int selinux_getprocattr(struct task_struct *p,
5054                                char *name, char **value)
5055 {
5056         struct task_security_struct *tsec;
5057         u32 sid;
5058         int error;
5059         unsigned len;
5060
5061         if (current != p) {
5062                 error = task_has_perm(current, p, PROCESS__GETATTR);
5063                 if (error)
5064                         return error;
5065         }
5066
5067         tsec = p->security;
5068
5069         if (!strcmp(name, "current"))
5070                 sid = tsec->sid;
5071         else if (!strcmp(name, "prev"))
5072                 sid = tsec->osid;
5073         else if (!strcmp(name, "exec"))
5074                 sid = tsec->exec_sid;
5075         else if (!strcmp(name, "fscreate"))
5076                 sid = tsec->create_sid;
5077         else if (!strcmp(name, "keycreate"))
5078                 sid = tsec->keycreate_sid;
5079         else if (!strcmp(name, "sockcreate"))
5080                 sid = tsec->sockcreate_sid;
5081         else
5082                 return -EINVAL;
5083
5084         if (!sid)
5085                 return 0;
5086
5087         error = security_sid_to_context(sid, value, &len);
5088         if (error)
5089                 return error;
5090         return len;
5091 }
5092
5093 static int selinux_setprocattr(struct task_struct *p,
5094                                char *name, void *value, size_t size)
5095 {
5096         struct task_security_struct *tsec;
5097         struct task_struct *tracer;
5098         u32 sid = 0;
5099         int error;
5100         char *str = value;
5101
5102         if (current != p) {
5103                 /* SELinux only allows a process to change its own
5104                    security attributes. */
5105                 return -EACCES;
5106         }
5107
5108         /*
5109          * Basic control over ability to set these attributes at all.
5110          * current == p, but we'll pass them separately in case the
5111          * above restriction is ever removed.
5112          */
5113         if (!strcmp(name, "exec"))
5114                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5115         else if (!strcmp(name, "fscreate"))
5116                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5117         else if (!strcmp(name, "keycreate"))
5118                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5119         else if (!strcmp(name, "sockcreate"))
5120                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5121         else if (!strcmp(name, "current"))
5122                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5123         else
5124                 error = -EINVAL;
5125         if (error)
5126                 return error;
5127
5128         /* Obtain a SID for the context, if one was specified. */
5129         if (size && str[1] && str[1] != '\n') {
5130                 if (str[size-1] == '\n') {
5131                         str[size-1] = 0;
5132                         size--;
5133                 }
5134                 error = security_context_to_sid(value, size, &sid);
5135                 if (error)
5136                         return error;
5137         }
5138
5139         /* Permission checking based on the specified context is
5140            performed during the actual operation (execve,
5141            open/mkdir/...), when we know the full context of the
5142            operation.  See selinux_bprm_set_security for the execve
5143            checks and may_create for the file creation checks. The
5144            operation will then fail if the context is not permitted. */
5145         tsec = p->security;
5146         if (!strcmp(name, "exec"))
5147                 tsec->exec_sid = sid;
5148         else if (!strcmp(name, "fscreate"))
5149                 tsec->create_sid = sid;
5150         else if (!strcmp(name, "keycreate")) {
5151                 error = may_create_key(sid, p);
5152                 if (error)
5153                         return error;
5154                 tsec->keycreate_sid = sid;
5155         } else if (!strcmp(name, "sockcreate"))
5156                 tsec->sockcreate_sid = sid;
5157         else if (!strcmp(name, "current")) {
5158                 struct av_decision avd;
5159
5160                 if (sid == 0)
5161                         return -EINVAL;
5162
5163                 /* Only allow single threaded processes to change context */
5164                 if (atomic_read(&p->mm->mm_users) != 1) {
5165                         struct task_struct *g, *t;
5166                         struct mm_struct *mm = p->mm;
5167                         read_lock(&tasklist_lock);
5168                         do_each_thread(g, t)
5169                                 if (t->mm == mm && t != p) {
5170                                         read_unlock(&tasklist_lock);
5171                                         return -EPERM;
5172                                 }
5173                         while_each_thread(g, t);
5174                         read_unlock(&tasklist_lock);
5175                 }
5176
5177                 /* Check permissions for the transition. */
5178                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5179                                      PROCESS__DYNTRANSITION, NULL);
5180                 if (error)
5181                         return error;
5182
5183                 /* Check for ptracing, and update the task SID if ok.
5184                    Otherwise, leave SID unchanged and fail. */
5185                 task_lock(p);
5186                 rcu_read_lock();
5187                 tracer = task_tracer_task(p);
5188                 if (tracer != NULL) {
5189                         struct task_security_struct *ptsec = tracer->security;
5190                         u32 ptsid = ptsec->sid;
5191                         rcu_read_unlock();
5192                         error = avc_has_perm_noaudit(ptsid, sid,
5193                                                      SECCLASS_PROCESS,
5194                                                      PROCESS__PTRACE, 0, &avd);
5195                         if (!error)
5196                                 tsec->sid = sid;
5197                         task_unlock(p);
5198                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5199                                   PROCESS__PTRACE, &avd, error, NULL);
5200                         if (error)
5201                                 return error;
5202                 } else {
5203                         rcu_read_unlock();
5204                         tsec->sid = sid;
5205                         task_unlock(p);
5206                 }
5207         }
5208         else
5209                 return -EINVAL;
5210
5211         return size;
5212 }
5213
5214 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5215 {
5216         return security_sid_to_context(secid, secdata, seclen);
5217 }
5218
5219 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5220 {
5221         return security_context_to_sid(secdata, seclen, secid);
5222 }
5223
5224 static void selinux_release_secctx(char *secdata, u32 seclen)
5225 {
5226         kfree(secdata);
5227 }
5228
5229 #ifdef CONFIG_KEYS
5230
5231 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5232                              unsigned long flags)
5233 {
5234         struct task_security_struct *tsec = tsk->security;
5235         struct key_security_struct *ksec;
5236
5237         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5238         if (!ksec)
5239                 return -ENOMEM;
5240
5241         if (tsec->keycreate_sid)
5242                 ksec->sid = tsec->keycreate_sid;
5243         else
5244                 ksec->sid = tsec->sid;
5245         k->security = ksec;
5246
5247         return 0;
5248 }
5249
5250 static void selinux_key_free(struct key *k)
5251 {
5252         struct key_security_struct *ksec = k->security;
5253
5254         k->security = NULL;
5255         kfree(ksec);
5256 }
5257
5258 static int selinux_key_permission(key_ref_t key_ref,
5259                             struct task_struct *ctx,
5260                             key_perm_t perm)
5261 {
5262         struct key *key;
5263         struct task_security_struct *tsec;
5264         struct key_security_struct *ksec;
5265
5266         key = key_ref_to_ptr(key_ref);
5267
5268         tsec = ctx->security;
5269         ksec = key->security;
5270
5271         /* if no specific permissions are requested, we skip the
5272            permission check. No serious, additional covert channels
5273            appear to be created. */
5274         if (perm == 0)
5275                 return 0;
5276
5277         return avc_has_perm(tsec->sid, ksec->sid,
5278                             SECCLASS_KEY, perm, NULL);
5279 }
5280
5281 #endif
5282
5283 static struct security_operations selinux_ops = {
5284         .ptrace =                       selinux_ptrace,
5285         .capget =                       selinux_capget,
5286         .capset_check =                 selinux_capset_check,
5287         .capset_set =                   selinux_capset_set,
5288         .sysctl =                       selinux_sysctl,
5289         .capable =                      selinux_capable,
5290         .quotactl =                     selinux_quotactl,
5291         .quota_on =                     selinux_quota_on,
5292         .syslog =                       selinux_syslog,
5293         .vm_enough_memory =             selinux_vm_enough_memory,
5294
5295         .netlink_send =                 selinux_netlink_send,
5296         .netlink_recv =                 selinux_netlink_recv,
5297
5298         .bprm_alloc_security =          selinux_bprm_alloc_security,
5299         .bprm_free_security =           selinux_bprm_free_security,
5300         .bprm_apply_creds =             selinux_bprm_apply_creds,
5301         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5302         .bprm_set_security =            selinux_bprm_set_security,
5303         .bprm_check_security =          selinux_bprm_check_security,
5304         .bprm_secureexec =              selinux_bprm_secureexec,
5305
5306         .sb_alloc_security =            selinux_sb_alloc_security,
5307         .sb_free_security =             selinux_sb_free_security,
5308         .sb_copy_data =                 selinux_sb_copy_data,
5309         .sb_kern_mount =                selinux_sb_kern_mount,
5310         .sb_statfs =                    selinux_sb_statfs,
5311         .sb_mount =                     selinux_mount,
5312         .sb_umount =                    selinux_umount,
5313         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5314         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5315         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5316         .sb_parse_opts_str =            selinux_parse_opts_str,
5317
5318
5319         .inode_alloc_security =         selinux_inode_alloc_security,
5320         .inode_free_security =          selinux_inode_free_security,
5321         .inode_init_security =          selinux_inode_init_security,
5322         .inode_create =                 selinux_inode_create,
5323         .inode_link =                   selinux_inode_link,
5324         .inode_unlink =                 selinux_inode_unlink,
5325         .inode_symlink =                selinux_inode_symlink,
5326         .inode_mkdir =                  selinux_inode_mkdir,
5327         .inode_rmdir =                  selinux_inode_rmdir,
5328         .inode_mknod =                  selinux_inode_mknod,
5329         .inode_rename =                 selinux_inode_rename,
5330         .inode_readlink =               selinux_inode_readlink,
5331         .inode_follow_link =            selinux_inode_follow_link,
5332         .inode_permission =             selinux_inode_permission,
5333         .inode_setattr =                selinux_inode_setattr,
5334         .inode_getattr =                selinux_inode_getattr,
5335         .inode_setxattr =               selinux_inode_setxattr,
5336         .inode_post_setxattr =          selinux_inode_post_setxattr,
5337         .inode_getxattr =               selinux_inode_getxattr,
5338         .inode_listxattr =              selinux_inode_listxattr,
5339         .inode_removexattr =            selinux_inode_removexattr,
5340         .inode_getsecurity =            selinux_inode_getsecurity,
5341         .inode_setsecurity =            selinux_inode_setsecurity,
5342         .inode_listsecurity =           selinux_inode_listsecurity,
5343         .inode_need_killpriv =          selinux_inode_need_killpriv,
5344         .inode_killpriv =               selinux_inode_killpriv,
5345
5346         .file_permission =              selinux_file_permission,
5347         .file_alloc_security =          selinux_file_alloc_security,
5348         .file_free_security =           selinux_file_free_security,
5349         .file_ioctl =                   selinux_file_ioctl,
5350         .file_mmap =                    selinux_file_mmap,
5351         .file_mprotect =                selinux_file_mprotect,
5352         .file_lock =                    selinux_file_lock,
5353         .file_fcntl =                   selinux_file_fcntl,
5354         .file_set_fowner =              selinux_file_set_fowner,
5355         .file_send_sigiotask =          selinux_file_send_sigiotask,
5356         .file_receive =                 selinux_file_receive,
5357
5358         .dentry_open =                  selinux_dentry_open,
5359
5360         .task_create =                  selinux_task_create,
5361         .task_alloc_security =          selinux_task_alloc_security,
5362         .task_free_security =           selinux_task_free_security,
5363         .task_setuid =                  selinux_task_setuid,
5364         .task_post_setuid =             selinux_task_post_setuid,
5365         .task_setgid =                  selinux_task_setgid,
5366         .task_setpgid =                 selinux_task_setpgid,
5367         .task_getpgid =                 selinux_task_getpgid,
5368         .task_getsid =                  selinux_task_getsid,
5369         .task_getsecid =                selinux_task_getsecid,
5370         .task_setgroups =               selinux_task_setgroups,
5371         .task_setnice =                 selinux_task_setnice,
5372         .task_setioprio =               selinux_task_setioprio,
5373         .task_getioprio =               selinux_task_getioprio,
5374         .task_setrlimit =               selinux_task_setrlimit,
5375         .task_setscheduler =            selinux_task_setscheduler,
5376         .task_getscheduler =            selinux_task_getscheduler,
5377         .task_movememory =              selinux_task_movememory,
5378         .task_kill =                    selinux_task_kill,
5379         .task_wait =                    selinux_task_wait,
5380         .task_prctl =                   selinux_task_prctl,
5381         .task_reparent_to_init =        selinux_task_reparent_to_init,
5382         .task_to_inode =                selinux_task_to_inode,
5383
5384         .ipc_permission =               selinux_ipc_permission,
5385
5386         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5387         .msg_msg_free_security =        selinux_msg_msg_free_security,
5388
5389         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5390         .msg_queue_free_security =      selinux_msg_queue_free_security,
5391         .msg_queue_associate =          selinux_msg_queue_associate,
5392         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5393         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5394         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5395
5396         .shm_alloc_security =           selinux_shm_alloc_security,
5397         .shm_free_security =            selinux_shm_free_security,
5398         .shm_associate =                selinux_shm_associate,
5399         .shm_shmctl =                   selinux_shm_shmctl,
5400         .shm_shmat =                    selinux_shm_shmat,
5401
5402         .sem_alloc_security =           selinux_sem_alloc_security,
5403         .sem_free_security =            selinux_sem_free_security,
5404         .sem_associate =                selinux_sem_associate,
5405         .sem_semctl =                   selinux_sem_semctl,
5406         .sem_semop =                    selinux_sem_semop,
5407
5408         .register_security =            selinux_register_security,
5409
5410         .d_instantiate =                selinux_d_instantiate,
5411
5412         .getprocattr =                  selinux_getprocattr,
5413         .setprocattr =                  selinux_setprocattr,
5414
5415         .secid_to_secctx =              selinux_secid_to_secctx,
5416         .secctx_to_secid =              selinux_secctx_to_secid,
5417         .release_secctx =               selinux_release_secctx,
5418
5419         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5420         .unix_may_send =                selinux_socket_unix_may_send,
5421
5422         .socket_create =                selinux_socket_create,
5423         .socket_post_create =           selinux_socket_post_create,
5424         .socket_bind =                  selinux_socket_bind,
5425         .socket_connect =               selinux_socket_connect,
5426         .socket_listen =                selinux_socket_listen,
5427         .socket_accept =                selinux_socket_accept,
5428         .socket_sendmsg =               selinux_socket_sendmsg,
5429         .socket_recvmsg =               selinux_socket_recvmsg,
5430         .socket_getsockname =           selinux_socket_getsockname,
5431         .socket_getpeername =           selinux_socket_getpeername,
5432         .socket_getsockopt =            selinux_socket_getsockopt,
5433         .socket_setsockopt =            selinux_socket_setsockopt,
5434         .socket_shutdown =              selinux_socket_shutdown,
5435         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5436         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5437         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5438         .sk_alloc_security =            selinux_sk_alloc_security,
5439         .sk_free_security =             selinux_sk_free_security,
5440         .sk_clone_security =            selinux_sk_clone_security,
5441         .sk_getsecid =                  selinux_sk_getsecid,
5442         .sock_graft =                   selinux_sock_graft,
5443         .inet_conn_request =            selinux_inet_conn_request,
5444         .inet_csk_clone =               selinux_inet_csk_clone,
5445         .inet_conn_established =        selinux_inet_conn_established,
5446         .req_classify_flow =            selinux_req_classify_flow,
5447
5448 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5449         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5450         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5451         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5452         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5453         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5454         .xfrm_state_free_security =     selinux_xfrm_state_free,
5455         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5456         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5457         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5458         .xfrm_decode_session =          selinux_xfrm_decode_session,
5459 #endif
5460
5461 #ifdef CONFIG_KEYS
5462         .key_alloc =                    selinux_key_alloc,
5463         .key_free =                     selinux_key_free,
5464         .key_permission =               selinux_key_permission,
5465 #endif
5466 };
5467
5468 static __init int selinux_init(void)
5469 {
5470         struct task_security_struct *tsec;
5471
5472         if (!selinux_enabled) {
5473                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5474                 return 0;
5475         }
5476
5477         printk(KERN_INFO "SELinux:  Initializing.\n");
5478
5479         /* Set the security state for the initial task. */
5480         if (task_alloc_security(current))
5481                 panic("SELinux:  Failed to initialize initial task.\n");
5482         tsec = current->security;
5483         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5484
5485         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5486                                             sizeof(struct inode_security_struct),
5487                                             0, SLAB_PANIC, NULL);
5488         avc_init();
5489
5490         original_ops = secondary_ops = security_ops;
5491         if (!secondary_ops)
5492                 panic ("SELinux: No initial security operations\n");
5493         if (register_security (&selinux_ops))
5494                 panic("SELinux: Unable to register with kernel.\n");
5495
5496         if (selinux_enforcing) {
5497                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5498         } else {
5499                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5500         }
5501
5502 #ifdef CONFIG_KEYS
5503         /* Add security information to initial keyrings */
5504         selinux_key_alloc(&root_user_keyring, current,
5505                           KEY_ALLOC_NOT_IN_QUOTA);
5506         selinux_key_alloc(&root_session_keyring, current,
5507                           KEY_ALLOC_NOT_IN_QUOTA);
5508 #endif
5509
5510         return 0;
5511 }
5512
5513 void selinux_complete_init(void)
5514 {
5515         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5516
5517         /* Set up any superblocks initialized prior to the policy load. */
5518         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5519         spin_lock(&sb_lock);
5520         spin_lock(&sb_security_lock);
5521 next_sb:
5522         if (!list_empty(&superblock_security_head)) {
5523                 struct superblock_security_struct *sbsec =
5524                                 list_entry(superblock_security_head.next,
5525                                            struct superblock_security_struct,
5526                                            list);
5527                 struct super_block *sb = sbsec->sb;
5528                 sb->s_count++;
5529                 spin_unlock(&sb_security_lock);
5530                 spin_unlock(&sb_lock);
5531                 down_read(&sb->s_umount);
5532                 if (sb->s_root)
5533                         superblock_doinit(sb, NULL);
5534                 drop_super(sb);
5535                 spin_lock(&sb_lock);
5536                 spin_lock(&sb_security_lock);
5537                 list_del_init(&sbsec->list);
5538                 goto next_sb;
5539         }
5540         spin_unlock(&sb_security_lock);
5541         spin_unlock(&sb_lock);
5542 }
5543
5544 /* SELinux requires early initialization in order to label
5545    all processes and objects when they are created. */
5546 security_initcall(selinux_init);
5547
5548 #if defined(CONFIG_NETFILTER)
5549
5550 static struct nf_hook_ops selinux_ipv4_ops[] = {
5551         {
5552                 .hook =         selinux_ipv4_postroute,
5553                 .owner =        THIS_MODULE,
5554                 .pf =           PF_INET,
5555                 .hooknum =      NF_INET_POST_ROUTING,
5556                 .priority =     NF_IP_PRI_SELINUX_LAST,
5557         },
5558         {
5559                 .hook =         selinux_ipv4_forward,
5560                 .owner =        THIS_MODULE,
5561                 .pf =           PF_INET,
5562                 .hooknum =      NF_INET_FORWARD,
5563                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5564         }
5565 };
5566
5567 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5568
5569 static struct nf_hook_ops selinux_ipv6_ops[] = {
5570         {
5571                 .hook =         selinux_ipv6_postroute,
5572                 .owner =        THIS_MODULE,
5573                 .pf =           PF_INET6,
5574                 .hooknum =      NF_INET_POST_ROUTING,
5575                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5576         },
5577         {
5578                 .hook =         selinux_ipv6_forward,
5579                 .owner =        THIS_MODULE,
5580                 .pf =           PF_INET6,
5581                 .hooknum =      NF_INET_FORWARD,
5582                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5583         }
5584 };
5585
5586 #endif  /* IPV6 */
5587
5588 static int __init selinux_nf_ip_init(void)
5589 {
5590         int err = 0;
5591         u32 iter;
5592
5593         if (!selinux_enabled)
5594                 goto out;
5595
5596         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5597
5598         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5599                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5600                 if (err)
5601                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5602                               err);
5603         }
5604
5605 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5606         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5607                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5608                 if (err)
5609                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5610                               err);
5611         }
5612 #endif  /* IPV6 */
5613
5614 out:
5615         return err;
5616 }
5617
5618 __initcall(selinux_nf_ip_init);
5619
5620 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5621 static void selinux_nf_ip_exit(void)
5622 {
5623         u32 iter;
5624
5625         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5626
5627         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5628                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5629 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5630         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5631                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5632 #endif  /* IPV6 */
5633 }
5634 #endif
5635
5636 #else /* CONFIG_NETFILTER */
5637
5638 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5639 #define selinux_nf_ip_exit()
5640 #endif
5641
5642 #endif /* CONFIG_NETFILTER */
5643
5644 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5645 int selinux_disable(void)
5646 {
5647         extern void exit_sel_fs(void);
5648         static int selinux_disabled = 0;
5649
5650         if (ss_initialized) {
5651                 /* Not permitted after initial policy load. */
5652                 return -EINVAL;
5653         }
5654
5655         if (selinux_disabled) {
5656                 /* Only do this once. */
5657                 return -EINVAL;
5658         }
5659
5660         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5661
5662         selinux_disabled = 1;
5663         selinux_enabled = 0;
5664
5665         /* Reset security_ops to the secondary module, dummy or capability. */
5666         security_ops = secondary_ops;
5667
5668         /* Unregister netfilter hooks. */
5669         selinux_nf_ip_exit();
5670
5671         /* Unregister selinuxfs. */
5672         exit_sel_fs();
5673
5674         return 0;
5675 }
5676 #endif