[PATCH] SELinux: Add sockcreate node to procattr API
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
84
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
87
88 static int __init enforcing_setup(char *str)
89 {
90         selinux_enforcing = simple_strtol(str,NULL,0);
91         return 1;
92 }
93 __setup("enforcing=", enforcing_setup);
94 #endif
95
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99 static int __init selinux_enabled_setup(char *str)
100 {
101         selinux_enabled = simple_strtol(str, NULL, 0);
102         return 1;
103 }
104 __setup("selinux=", selinux_enabled_setup);
105 #else
106 int selinux_enabled = 1;
107 #endif
108
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
111
112 /* Minimal support for a secondary security module,
113    just to allow the use of the dummy or capability modules.
114    The owlsm module can alternatively be used as a secondary
115    module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
117
118 /* Lists of inode and superblock security structures initialized
119    before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
122
123 static kmem_cache_t *sel_inode_cache;
124
125 /* Return security context for a given sid or just the context 
126    length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128 {
129         char *context;
130         unsigned len;
131         int rc;
132
133         rc = security_sid_to_context(sid, &context, &len);
134         if (rc)
135                 return rc;
136
137         if (!buffer || !size)
138                 goto getsecurity_exit;
139
140         if (size < len) {
141                 len = -ERANGE;
142                 goto getsecurity_exit;
143         }
144         memcpy(buffer, context, len);
145
146 getsecurity_exit:
147         kfree(context);
148         return len;
149 }
150
151 /* Allocate and free functions for each kind of security blob. */
152
153 static int task_alloc_security(struct task_struct *task)
154 {
155         struct task_security_struct *tsec;
156
157         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158         if (!tsec)
159                 return -ENOMEM;
160
161         tsec->task = task;
162         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163         task->security = tsec;
164
165         return 0;
166 }
167
168 static void task_free_security(struct task_struct *task)
169 {
170         struct task_security_struct *tsec = task->security;
171         task->security = NULL;
172         kfree(tsec);
173 }
174
175 static int inode_alloc_security(struct inode *inode)
176 {
177         struct task_security_struct *tsec = current->security;
178         struct inode_security_struct *isec;
179
180         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
181         if (!isec)
182                 return -ENOMEM;
183
184         memset(isec, 0, sizeof(*isec));
185         init_MUTEX(&isec->sem);
186         INIT_LIST_HEAD(&isec->list);
187         isec->inode = inode;
188         isec->sid = SECINITSID_UNLABELED;
189         isec->sclass = SECCLASS_FILE;
190         isec->task_sid = tsec->sid;
191         inode->i_security = isec;
192
193         return 0;
194 }
195
196 static void inode_free_security(struct inode *inode)
197 {
198         struct inode_security_struct *isec = inode->i_security;
199         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
201         spin_lock(&sbsec->isec_lock);
202         if (!list_empty(&isec->list))
203                 list_del_init(&isec->list);
204         spin_unlock(&sbsec->isec_lock);
205
206         inode->i_security = NULL;
207         kmem_cache_free(sel_inode_cache, isec);
208 }
209
210 static int file_alloc_security(struct file *file)
211 {
212         struct task_security_struct *tsec = current->security;
213         struct file_security_struct *fsec;
214
215         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
216         if (!fsec)
217                 return -ENOMEM;
218
219         fsec->file = file;
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         init_MUTEX(&sbsec->sem);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sb->s_security = sbsec;
250
251         return 0;
252 }
253
254 static void superblock_free_security(struct super_block *sb)
255 {
256         struct superblock_security_struct *sbsec = sb->s_security;
257
258         spin_lock(&sb_security_lock);
259         if (!list_empty(&sbsec->list))
260                 list_del_init(&sbsec->list);
261         spin_unlock(&sb_security_lock);
262
263         sb->s_security = NULL;
264         kfree(sbsec);
265 }
266
267 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
268 {
269         struct sk_security_struct *ssec;
270
271         if (family != PF_UNIX)
272                 return 0;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         if (sk->sk_family != PF_UNIX)
290                 return;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, "context=%s"},
326         {Opt_fscontext, "fscontext=%s"},
327         {Opt_defcontext, "defcontext=%s"},
328 };
329
330 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
331
332 static int try_context_mount(struct super_block *sb, void *data)
333 {
334         char *context = NULL, *defcontext = NULL;
335         const char *name;
336         u32 sid;
337         int alloc = 0, rc = 0, seen = 0;
338         struct task_security_struct *tsec = current->security;
339         struct superblock_security_struct *sbsec = sb->s_security;
340
341         if (!data)
342                 goto out;
343
344         name = sb->s_type->name;
345
346         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
347
348                 /* NFS we understand. */
349                 if (!strcmp(name, "nfs")) {
350                         struct nfs_mount_data *d = data;
351
352                         if (d->version <  NFS_MOUNT_VERSION)
353                                 goto out;
354
355                         if (d->context[0]) {
356                                 context = d->context;
357                                 seen |= Opt_context;
358                         }
359                 } else
360                         goto out;
361
362         } else {
363                 /* Standard string-based options. */
364                 char *p, *options = data;
365
366                 while ((p = strsep(&options, ",")) != NULL) {
367                         int token;
368                         substring_t args[MAX_OPT_ARGS];
369
370                         if (!*p)
371                                 continue;
372
373                         token = match_token(p, tokens, args);
374
375                         switch (token) {
376                         case Opt_context:
377                                 if (seen) {
378                                         rc = -EINVAL;
379                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
380                                         goto out_free;
381                                 }
382                                 context = match_strdup(&args[0]);
383                                 if (!context) {
384                                         rc = -ENOMEM;
385                                         goto out_free;
386                                 }
387                                 if (!alloc)
388                                         alloc = 1;
389                                 seen |= Opt_context;
390                                 break;
391
392                         case Opt_fscontext:
393                                 if (seen & (Opt_context|Opt_fscontext)) {
394                                         rc = -EINVAL;
395                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396                                         goto out_free;
397                                 }
398                                 context = match_strdup(&args[0]);
399                                 if (!context) {
400                                         rc = -ENOMEM;
401                                         goto out_free;
402                                 }
403                                 if (!alloc)
404                                         alloc = 1;
405                                 seen |= Opt_fscontext;
406                                 break;
407
408                         case Opt_defcontext:
409                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410                                         rc = -EINVAL;
411                                         printk(KERN_WARNING "SELinux:  "
412                                                "defcontext option is invalid "
413                                                "for this filesystem type\n");
414                                         goto out_free;
415                                 }
416                                 if (seen & (Opt_context|Opt_defcontext)) {
417                                         rc = -EINVAL;
418                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419                                         goto out_free;
420                                 }
421                                 defcontext = match_strdup(&args[0]);
422                                 if (!defcontext) {
423                                         rc = -ENOMEM;
424                                         goto out_free;
425                                 }
426                                 if (!alloc)
427                                         alloc = 1;
428                                 seen |= Opt_defcontext;
429                                 break;
430
431                         default:
432                                 rc = -EINVAL;
433                                 printk(KERN_WARNING "SELinux:  unknown mount "
434                                        "option\n");
435                                 goto out_free;
436
437                         }
438                 }
439         }
440
441         if (!seen)
442                 goto out;
443
444         if (context) {
445                 rc = security_context_to_sid(context, strlen(context), &sid);
446                 if (rc) {
447                         printk(KERN_WARNING "SELinux: security_context_to_sid"
448                                "(%s) failed for (dev %s, type %s) errno=%d\n",
449                                context, sb->s_id, name, rc);
450                         goto out_free;
451                 }
452
453                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454                                   FILESYSTEM__RELABELFROM, NULL);
455                 if (rc)
456                         goto out_free;
457
458                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459                                   FILESYSTEM__RELABELTO, NULL);
460                 if (rc)
461                         goto out_free;
462
463                 sbsec->sid = sid;
464
465                 if (seen & Opt_context)
466                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
467         }
468
469         if (defcontext) {
470                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471                 if (rc) {
472                         printk(KERN_WARNING "SELinux: security_context_to_sid"
473                                "(%s) failed for (dev %s, type %s) errno=%d\n",
474                                defcontext, sb->s_id, name, rc);
475                         goto out_free;
476                 }
477
478                 if (sid == sbsec->def_sid)
479                         goto out_free;
480
481                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482                                   FILESYSTEM__RELABELFROM, NULL);
483                 if (rc)
484                         goto out_free;
485
486                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487                                   FILESYSTEM__ASSOCIATE, NULL);
488                 if (rc)
489                         goto out_free;
490
491                 sbsec->def_sid = sid;
492         }
493
494 out_free:
495         if (alloc) {
496                 kfree(context);
497                 kfree(defcontext);
498         }
499 out:
500         return rc;
501 }
502
503 static int superblock_doinit(struct super_block *sb, void *data)
504 {
505         struct superblock_security_struct *sbsec = sb->s_security;
506         struct dentry *root = sb->s_root;
507         struct inode *inode = root->d_inode;
508         int rc = 0;
509
510         down(&sbsec->sem);
511         if (sbsec->initialized)
512                 goto out;
513
514         if (!ss_initialized) {
515                 /* Defer initialization until selinux_complete_init,
516                    after the initial policy is loaded and the security
517                    server is ready to handle calls. */
518                 spin_lock(&sb_security_lock);
519                 if (list_empty(&sbsec->list))
520                         list_add(&sbsec->list, &superblock_security_head);
521                 spin_unlock(&sb_security_lock);
522                 goto out;
523         }
524
525         /* Determine the labeling behavior to use for this filesystem type. */
526         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527         if (rc) {
528                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
529                        __FUNCTION__, sb->s_type->name, rc);
530                 goto out;
531         }
532
533         rc = try_context_mount(sb, data);
534         if (rc)
535                 goto out;
536
537         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538                 /* Make sure that the xattr handler exists and that no
539                    error other than -ENODATA is returned by getxattr on
540                    the root directory.  -ENODATA is ok, as this may be
541                    the first boot of the SELinux kernel before we have
542                    assigned xattr values to the filesystem. */
543                 if (!inode->i_op->getxattr) {
544                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545                                "xattr support\n", sb->s_id, sb->s_type->name);
546                         rc = -EOPNOTSUPP;
547                         goto out;
548                 }
549                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550                 if (rc < 0 && rc != -ENODATA) {
551                         if (rc == -EOPNOTSUPP)
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) has no security xattr handler\n",
554                                        sb->s_id, sb->s_type->name);
555                         else
556                                 printk(KERN_WARNING "SELinux: (dev %s, type "
557                                        "%s) getxattr errno %d\n", sb->s_id,
558                                        sb->s_type->name, -rc);
559                         goto out;
560                 }
561         }
562
563         if (strcmp(sb->s_type->name, "proc") == 0)
564                 sbsec->proc = 1;
565
566         sbsec->initialized = 1;
567
568         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570                        sb->s_id, sb->s_type->name);
571         }
572         else {
573                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574                        sb->s_id, sb->s_type->name,
575                        labeling_behaviors[sbsec->behavior-1]);
576         }
577
578         /* Initialize the root inode. */
579         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580
581         /* Initialize any other inodes associated with the superblock, e.g.
582            inodes created prior to initial policy load or inodes created
583            during get_sb by a pseudo filesystem that directly
584            populates itself. */
585         spin_lock(&sbsec->isec_lock);
586 next_inode:
587         if (!list_empty(&sbsec->isec_head)) {
588                 struct inode_security_struct *isec =
589                                 list_entry(sbsec->isec_head.next,
590                                            struct inode_security_struct, list);
591                 struct inode *inode = isec->inode;
592                 spin_unlock(&sbsec->isec_lock);
593                 inode = igrab(inode);
594                 if (inode) {
595                         if (!IS_PRIVATE (inode))
596                                 inode_doinit(inode);
597                         iput(inode);
598                 }
599                 spin_lock(&sbsec->isec_lock);
600                 list_del_init(&isec->list);
601                 goto next_inode;
602         }
603         spin_unlock(&sbsec->isec_lock);
604 out:
605         up(&sbsec->sem);
606         return rc;
607 }
608
609 static inline u16 inode_mode_to_security_class(umode_t mode)
610 {
611         switch (mode & S_IFMT) {
612         case S_IFSOCK:
613                 return SECCLASS_SOCK_FILE;
614         case S_IFLNK:
615                 return SECCLASS_LNK_FILE;
616         case S_IFREG:
617                 return SECCLASS_FILE;
618         case S_IFBLK:
619                 return SECCLASS_BLK_FILE;
620         case S_IFDIR:
621                 return SECCLASS_DIR;
622         case S_IFCHR:
623                 return SECCLASS_CHR_FILE;
624         case S_IFIFO:
625                 return SECCLASS_FIFO_FILE;
626
627         }
628
629         return SECCLASS_FILE;
630 }
631
632 static inline int default_protocol_stream(int protocol)
633 {
634         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
635 }
636
637 static inline int default_protocol_dgram(int protocol)
638 {
639         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
640 }
641
642 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
643 {
644         switch (family) {
645         case PF_UNIX:
646                 switch (type) {
647                 case SOCK_STREAM:
648                 case SOCK_SEQPACKET:
649                         return SECCLASS_UNIX_STREAM_SOCKET;
650                 case SOCK_DGRAM:
651                         return SECCLASS_UNIX_DGRAM_SOCKET;
652                 }
653                 break;
654         case PF_INET:
655         case PF_INET6:
656                 switch (type) {
657                 case SOCK_STREAM:
658                         if (default_protocol_stream(protocol))
659                                 return SECCLASS_TCP_SOCKET;
660                         else
661                                 return SECCLASS_RAWIP_SOCKET;
662                 case SOCK_DGRAM:
663                         if (default_protocol_dgram(protocol))
664                                 return SECCLASS_UDP_SOCKET;
665                         else
666                                 return SECCLASS_RAWIP_SOCKET;
667                 default:
668                         return SECCLASS_RAWIP_SOCKET;
669                 }
670                 break;
671         case PF_NETLINK:
672                 switch (protocol) {
673                 case NETLINK_ROUTE:
674                         return SECCLASS_NETLINK_ROUTE_SOCKET;
675                 case NETLINK_FIREWALL:
676                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
677                 case NETLINK_INET_DIAG:
678                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
679                 case NETLINK_NFLOG:
680                         return SECCLASS_NETLINK_NFLOG_SOCKET;
681                 case NETLINK_XFRM:
682                         return SECCLASS_NETLINK_XFRM_SOCKET;
683                 case NETLINK_SELINUX:
684                         return SECCLASS_NETLINK_SELINUX_SOCKET;
685                 case NETLINK_AUDIT:
686                         return SECCLASS_NETLINK_AUDIT_SOCKET;
687                 case NETLINK_IP6_FW:
688                         return SECCLASS_NETLINK_IP6FW_SOCKET;
689                 case NETLINK_DNRTMSG:
690                         return SECCLASS_NETLINK_DNRT_SOCKET;
691                 case NETLINK_KOBJECT_UEVENT:
692                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
693                 default:
694                         return SECCLASS_NETLINK_SOCKET;
695                 }
696         case PF_PACKET:
697                 return SECCLASS_PACKET_SOCKET;
698         case PF_KEY:
699                 return SECCLASS_KEY_SOCKET;
700         case PF_APPLETALK:
701                 return SECCLASS_APPLETALK_SOCKET;
702         }
703
704         return SECCLASS_SOCKET;
705 }
706
707 #ifdef CONFIG_PROC_FS
708 static int selinux_proc_get_sid(struct proc_dir_entry *de,
709                                 u16 tclass,
710                                 u32 *sid)
711 {
712         int buflen, rc;
713         char *buffer, *path, *end;
714
715         buffer = (char*)__get_free_page(GFP_KERNEL);
716         if (!buffer)
717                 return -ENOMEM;
718
719         buflen = PAGE_SIZE;
720         end = buffer+buflen;
721         *--end = '\0';
722         buflen--;
723         path = end-1;
724         *path = '/';
725         while (de && de != de->parent) {
726                 buflen -= de->namelen + 1;
727                 if (buflen < 0)
728                         break;
729                 end -= de->namelen;
730                 memcpy(end, de->name, de->namelen);
731                 *--end = '/';
732                 path = end;
733                 de = de->parent;
734         }
735         rc = security_genfs_sid("proc", path, tclass, sid);
736         free_page((unsigned long)buffer);
737         return rc;
738 }
739 #else
740 static int selinux_proc_get_sid(struct proc_dir_entry *de,
741                                 u16 tclass,
742                                 u32 *sid)
743 {
744         return -EINVAL;
745 }
746 #endif
747
748 /* The inode's security attributes must be initialized before first use. */
749 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
750 {
751         struct superblock_security_struct *sbsec = NULL;
752         struct inode_security_struct *isec = inode->i_security;
753         u32 sid;
754         struct dentry *dentry;
755 #define INITCONTEXTLEN 255
756         char *context = NULL;
757         unsigned len = 0;
758         int rc = 0;
759         int hold_sem = 0;
760
761         if (isec->initialized)
762                 goto out;
763
764         down(&isec->sem);
765         hold_sem = 1;
766         if (isec->initialized)
767                 goto out;
768
769         sbsec = inode->i_sb->s_security;
770         if (!sbsec->initialized) {
771                 /* Defer initialization until selinux_complete_init,
772                    after the initial policy is loaded and the security
773                    server is ready to handle calls. */
774                 spin_lock(&sbsec->isec_lock);
775                 if (list_empty(&isec->list))
776                         list_add(&isec->list, &sbsec->isec_head);
777                 spin_unlock(&sbsec->isec_lock);
778                 goto out;
779         }
780
781         switch (sbsec->behavior) {
782         case SECURITY_FS_USE_XATTR:
783                 if (!inode->i_op->getxattr) {
784                         isec->sid = sbsec->def_sid;
785                         break;
786                 }
787
788                 /* Need a dentry, since the xattr API requires one.
789                    Life would be simpler if we could just pass the inode. */
790                 if (opt_dentry) {
791                         /* Called from d_instantiate or d_splice_alias. */
792                         dentry = dget(opt_dentry);
793                 } else {
794                         /* Called from selinux_complete_init, try to find a dentry. */
795                         dentry = d_find_alias(inode);
796                 }
797                 if (!dentry) {
798                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
799                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
800                                inode->i_ino);
801                         goto out;
802                 }
803
804                 len = INITCONTEXTLEN;
805                 context = kmalloc(len, GFP_KERNEL);
806                 if (!context) {
807                         rc = -ENOMEM;
808                         dput(dentry);
809                         goto out;
810                 }
811                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
812                                            context, len);
813                 if (rc == -ERANGE) {
814                         /* Need a larger buffer.  Query for the right size. */
815                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
816                                                    NULL, 0);
817                         if (rc < 0) {
818                                 dput(dentry);
819                                 goto out;
820                         }
821                         kfree(context);
822                         len = rc;
823                         context = kmalloc(len, GFP_KERNEL);
824                         if (!context) {
825                                 rc = -ENOMEM;
826                                 dput(dentry);
827                                 goto out;
828                         }
829                         rc = inode->i_op->getxattr(dentry,
830                                                    XATTR_NAME_SELINUX,
831                                                    context, len);
832                 }
833                 dput(dentry);
834                 if (rc < 0) {
835                         if (rc != -ENODATA) {
836                                 printk(KERN_WARNING "%s:  getxattr returned "
837                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
838                                        -rc, inode->i_sb->s_id, inode->i_ino);
839                                 kfree(context);
840                                 goto out;
841                         }
842                         /* Map ENODATA to the default file SID */
843                         sid = sbsec->def_sid;
844                         rc = 0;
845                 } else {
846                         rc = security_context_to_sid_default(context, rc, &sid,
847                                                              sbsec->def_sid);
848                         if (rc) {
849                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
850                                        "returned %d for dev=%s ino=%ld\n",
851                                        __FUNCTION__, context, -rc,
852                                        inode->i_sb->s_id, inode->i_ino);
853                                 kfree(context);
854                                 /* Leave with the unlabeled SID */
855                                 rc = 0;
856                                 break;
857                         }
858                 }
859                 kfree(context);
860                 isec->sid = sid;
861                 break;
862         case SECURITY_FS_USE_TASK:
863                 isec->sid = isec->task_sid;
864                 break;
865         case SECURITY_FS_USE_TRANS:
866                 /* Default to the fs SID. */
867                 isec->sid = sbsec->sid;
868
869                 /* Try to obtain a transition SID. */
870                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
871                 rc = security_transition_sid(isec->task_sid,
872                                              sbsec->sid,
873                                              isec->sclass,
874                                              &sid);
875                 if (rc)
876                         goto out;
877                 isec->sid = sid;
878                 break;
879         default:
880                 /* Default to the fs SID. */
881                 isec->sid = sbsec->sid;
882
883                 if (sbsec->proc) {
884                         struct proc_inode *proci = PROC_I(inode);
885                         if (proci->pde) {
886                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
887                                 rc = selinux_proc_get_sid(proci->pde,
888                                                           isec->sclass,
889                                                           &sid);
890                                 if (rc)
891                                         goto out;
892                                 isec->sid = sid;
893                         }
894                 }
895                 break;
896         }
897
898         isec->initialized = 1;
899
900 out:
901         if (isec->sclass == SECCLASS_FILE)
902                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
903
904         if (hold_sem)
905                 up(&isec->sem);
906         return rc;
907 }
908
909 /* Convert a Linux signal to an access vector. */
910 static inline u32 signal_to_av(int sig)
911 {
912         u32 perm = 0;
913
914         switch (sig) {
915         case SIGCHLD:
916                 /* Commonly granted from child to parent. */
917                 perm = PROCESS__SIGCHLD;
918                 break;
919         case SIGKILL:
920                 /* Cannot be caught or ignored */
921                 perm = PROCESS__SIGKILL;
922                 break;
923         case SIGSTOP:
924                 /* Cannot be caught or ignored */
925                 perm = PROCESS__SIGSTOP;
926                 break;
927         default:
928                 /* All other signals. */
929                 perm = PROCESS__SIGNAL;
930                 break;
931         }
932
933         return perm;
934 }
935
936 /* Check permission betweeen a pair of tasks, e.g. signal checks,
937    fork check, ptrace check, etc. */
938 static int task_has_perm(struct task_struct *tsk1,
939                          struct task_struct *tsk2,
940                          u32 perms)
941 {
942         struct task_security_struct *tsec1, *tsec2;
943
944         tsec1 = tsk1->security;
945         tsec2 = tsk2->security;
946         return avc_has_perm(tsec1->sid, tsec2->sid,
947                             SECCLASS_PROCESS, perms, NULL);
948 }
949
950 /* Check whether a task is allowed to use a capability. */
951 static int task_has_capability(struct task_struct *tsk,
952                                int cap)
953 {
954         struct task_security_struct *tsec;
955         struct avc_audit_data ad;
956
957         tsec = tsk->security;
958
959         AVC_AUDIT_DATA_INIT(&ad,CAP);
960         ad.tsk = tsk;
961         ad.u.cap = cap;
962
963         return avc_has_perm(tsec->sid, tsec->sid,
964                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
965 }
966
967 /* Check whether a task is allowed to use a system operation. */
968 static int task_has_system(struct task_struct *tsk,
969                            u32 perms)
970 {
971         struct task_security_struct *tsec;
972
973         tsec = tsk->security;
974
975         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
976                             SECCLASS_SYSTEM, perms, NULL);
977 }
978
979 /* Check whether a task has a particular permission to an inode.
980    The 'adp' parameter is optional and allows other audit
981    data to be passed (e.g. the dentry). */
982 static int inode_has_perm(struct task_struct *tsk,
983                           struct inode *inode,
984                           u32 perms,
985                           struct avc_audit_data *adp)
986 {
987         struct task_security_struct *tsec;
988         struct inode_security_struct *isec;
989         struct avc_audit_data ad;
990
991         tsec = tsk->security;
992         isec = inode->i_security;
993
994         if (!adp) {
995                 adp = &ad;
996                 AVC_AUDIT_DATA_INIT(&ad, FS);
997                 ad.u.fs.inode = inode;
998         }
999
1000         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1001 }
1002
1003 /* Same as inode_has_perm, but pass explicit audit data containing
1004    the dentry to help the auditing code to more easily generate the
1005    pathname if needed. */
1006 static inline int dentry_has_perm(struct task_struct *tsk,
1007                                   struct vfsmount *mnt,
1008                                   struct dentry *dentry,
1009                                   u32 av)
1010 {
1011         struct inode *inode = dentry->d_inode;
1012         struct avc_audit_data ad;
1013         AVC_AUDIT_DATA_INIT(&ad,FS);
1014         ad.u.fs.mnt = mnt;
1015         ad.u.fs.dentry = dentry;
1016         return inode_has_perm(tsk, inode, av, &ad);
1017 }
1018
1019 /* Check whether a task can use an open file descriptor to
1020    access an inode in a given way.  Check access to the
1021    descriptor itself, and then use dentry_has_perm to
1022    check a particular permission to the file.
1023    Access to the descriptor is implicitly granted if it
1024    has the same SID as the process.  If av is zero, then
1025    access to the file is not checked, e.g. for cases
1026    where only the descriptor is affected like seek. */
1027 static int file_has_perm(struct task_struct *tsk,
1028                                 struct file *file,
1029                                 u32 av)
1030 {
1031         struct task_security_struct *tsec = tsk->security;
1032         struct file_security_struct *fsec = file->f_security;
1033         struct vfsmount *mnt = file->f_vfsmnt;
1034         struct dentry *dentry = file->f_dentry;
1035         struct inode *inode = dentry->d_inode;
1036         struct avc_audit_data ad;
1037         int rc;
1038
1039         AVC_AUDIT_DATA_INIT(&ad, FS);
1040         ad.u.fs.mnt = mnt;
1041         ad.u.fs.dentry = dentry;
1042
1043         if (tsec->sid != fsec->sid) {
1044                 rc = avc_has_perm(tsec->sid, fsec->sid,
1045                                   SECCLASS_FD,
1046                                   FD__USE,
1047                                   &ad);
1048                 if (rc)
1049                         return rc;
1050         }
1051
1052         /* av is zero if only checking access to the descriptor. */
1053         if (av)
1054                 return inode_has_perm(tsk, inode, av, &ad);
1055
1056         return 0;
1057 }
1058
1059 /* Check whether a task can create a file. */
1060 static int may_create(struct inode *dir,
1061                       struct dentry *dentry,
1062                       u16 tclass)
1063 {
1064         struct task_security_struct *tsec;
1065         struct inode_security_struct *dsec;
1066         struct superblock_security_struct *sbsec;
1067         u32 newsid;
1068         struct avc_audit_data ad;
1069         int rc;
1070
1071         tsec = current->security;
1072         dsec = dir->i_security;
1073         sbsec = dir->i_sb->s_security;
1074
1075         AVC_AUDIT_DATA_INIT(&ad, FS);
1076         ad.u.fs.dentry = dentry;
1077
1078         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1079                           DIR__ADD_NAME | DIR__SEARCH,
1080                           &ad);
1081         if (rc)
1082                 return rc;
1083
1084         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1085                 newsid = tsec->create_sid;
1086         } else {
1087                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1088                                              &newsid);
1089                 if (rc)
1090                         return rc;
1091         }
1092
1093         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1094         if (rc)
1095                 return rc;
1096
1097         return avc_has_perm(newsid, sbsec->sid,
1098                             SECCLASS_FILESYSTEM,
1099                             FILESYSTEM__ASSOCIATE, &ad);
1100 }
1101
1102 /* Check whether a task can create a key. */
1103 static int may_create_key(u32 ksid,
1104                           struct task_struct *ctx)
1105 {
1106         struct task_security_struct *tsec;
1107
1108         tsec = ctx->security;
1109
1110         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1111 }
1112
1113 #define MAY_LINK   0
1114 #define MAY_UNLINK 1
1115 #define MAY_RMDIR  2
1116
1117 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1118 static int may_link(struct inode *dir,
1119                     struct dentry *dentry,
1120                     int kind)
1121
1122 {
1123         struct task_security_struct *tsec;
1124         struct inode_security_struct *dsec, *isec;
1125         struct avc_audit_data ad;
1126         u32 av;
1127         int rc;
1128
1129         tsec = current->security;
1130         dsec = dir->i_security;
1131         isec = dentry->d_inode->i_security;
1132
1133         AVC_AUDIT_DATA_INIT(&ad, FS);
1134         ad.u.fs.dentry = dentry;
1135
1136         av = DIR__SEARCH;
1137         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1138         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1139         if (rc)
1140                 return rc;
1141
1142         switch (kind) {
1143         case MAY_LINK:
1144                 av = FILE__LINK;
1145                 break;
1146         case MAY_UNLINK:
1147                 av = FILE__UNLINK;
1148                 break;
1149         case MAY_RMDIR:
1150                 av = DIR__RMDIR;
1151                 break;
1152         default:
1153                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1154                 return 0;
1155         }
1156
1157         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1158         return rc;
1159 }
1160
1161 static inline int may_rename(struct inode *old_dir,
1162                              struct dentry *old_dentry,
1163                              struct inode *new_dir,
1164                              struct dentry *new_dentry)
1165 {
1166         struct task_security_struct *tsec;
1167         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1168         struct avc_audit_data ad;
1169         u32 av;
1170         int old_is_dir, new_is_dir;
1171         int rc;
1172
1173         tsec = current->security;
1174         old_dsec = old_dir->i_security;
1175         old_isec = old_dentry->d_inode->i_security;
1176         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1177         new_dsec = new_dir->i_security;
1178
1179         AVC_AUDIT_DATA_INIT(&ad, FS);
1180
1181         ad.u.fs.dentry = old_dentry;
1182         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1183                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1184         if (rc)
1185                 return rc;
1186         rc = avc_has_perm(tsec->sid, old_isec->sid,
1187                           old_isec->sclass, FILE__RENAME, &ad);
1188         if (rc)
1189                 return rc;
1190         if (old_is_dir && new_dir != old_dir) {
1191                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1192                                   old_isec->sclass, DIR__REPARENT, &ad);
1193                 if (rc)
1194                         return rc;
1195         }
1196
1197         ad.u.fs.dentry = new_dentry;
1198         av = DIR__ADD_NAME | DIR__SEARCH;
1199         if (new_dentry->d_inode)
1200                 av |= DIR__REMOVE_NAME;
1201         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1202         if (rc)
1203                 return rc;
1204         if (new_dentry->d_inode) {
1205                 new_isec = new_dentry->d_inode->i_security;
1206                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1207                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1208                                   new_isec->sclass,
1209                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1210                 if (rc)
1211                         return rc;
1212         }
1213
1214         return 0;
1215 }
1216
1217 /* Check whether a task can perform a filesystem operation. */
1218 static int superblock_has_perm(struct task_struct *tsk,
1219                                struct super_block *sb,
1220                                u32 perms,
1221                                struct avc_audit_data *ad)
1222 {
1223         struct task_security_struct *tsec;
1224         struct superblock_security_struct *sbsec;
1225
1226         tsec = tsk->security;
1227         sbsec = sb->s_security;
1228         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1229                             perms, ad);
1230 }
1231
1232 /* Convert a Linux mode and permission mask to an access vector. */
1233 static inline u32 file_mask_to_av(int mode, int mask)
1234 {
1235         u32 av = 0;
1236
1237         if ((mode & S_IFMT) != S_IFDIR) {
1238                 if (mask & MAY_EXEC)
1239                         av |= FILE__EXECUTE;
1240                 if (mask & MAY_READ)
1241                         av |= FILE__READ;
1242
1243                 if (mask & MAY_APPEND)
1244                         av |= FILE__APPEND;
1245                 else if (mask & MAY_WRITE)
1246                         av |= FILE__WRITE;
1247
1248         } else {
1249                 if (mask & MAY_EXEC)
1250                         av |= DIR__SEARCH;
1251                 if (mask & MAY_WRITE)
1252                         av |= DIR__WRITE;
1253                 if (mask & MAY_READ)
1254                         av |= DIR__READ;
1255         }
1256
1257         return av;
1258 }
1259
1260 /* Convert a Linux file to an access vector. */
1261 static inline u32 file_to_av(struct file *file)
1262 {
1263         u32 av = 0;
1264
1265         if (file->f_mode & FMODE_READ)
1266                 av |= FILE__READ;
1267         if (file->f_mode & FMODE_WRITE) {
1268                 if (file->f_flags & O_APPEND)
1269                         av |= FILE__APPEND;
1270                 else
1271                         av |= FILE__WRITE;
1272         }
1273
1274         return av;
1275 }
1276
1277 /* Set an inode's SID to a specified value. */
1278 static int inode_security_set_sid(struct inode *inode, u32 sid)
1279 {
1280         struct inode_security_struct *isec = inode->i_security;
1281         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1282
1283         if (!sbsec->initialized) {
1284                 /* Defer initialization to selinux_complete_init. */
1285                 return 0;
1286         }
1287
1288         down(&isec->sem);
1289         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1290         isec->sid = sid;
1291         isec->initialized = 1;
1292         up(&isec->sem);
1293         return 0;
1294 }
1295
1296 /* Hook functions begin here. */
1297
1298 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1299 {
1300         struct task_security_struct *psec = parent->security;
1301         struct task_security_struct *csec = child->security;
1302         int rc;
1303
1304         rc = secondary_ops->ptrace(parent,child);
1305         if (rc)
1306                 return rc;
1307
1308         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1309         /* Save the SID of the tracing process for later use in apply_creds. */
1310         if (!(child->ptrace & PT_PTRACED) && !rc)
1311                 csec->ptrace_sid = psec->sid;
1312         return rc;
1313 }
1314
1315 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1316                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1317 {
1318         int error;
1319
1320         error = task_has_perm(current, target, PROCESS__GETCAP);
1321         if (error)
1322                 return error;
1323
1324         return secondary_ops->capget(target, effective, inheritable, permitted);
1325 }
1326
1327 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1328                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1329 {
1330         int error;
1331
1332         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1333         if (error)
1334                 return error;
1335
1336         return task_has_perm(current, target, PROCESS__SETCAP);
1337 }
1338
1339 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1340                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1341 {
1342         secondary_ops->capset_set(target, effective, inheritable, permitted);
1343 }
1344
1345 static int selinux_capable(struct task_struct *tsk, int cap)
1346 {
1347         int rc;
1348
1349         rc = secondary_ops->capable(tsk, cap);
1350         if (rc)
1351                 return rc;
1352
1353         return task_has_capability(tsk,cap);
1354 }
1355
1356 static int selinux_sysctl(ctl_table *table, int op)
1357 {
1358         int error = 0;
1359         u32 av;
1360         struct task_security_struct *tsec;
1361         u32 tsid;
1362         int rc;
1363
1364         rc = secondary_ops->sysctl(table, op);
1365         if (rc)
1366                 return rc;
1367
1368         tsec = current->security;
1369
1370         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1371                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1372         if (rc) {
1373                 /* Default to the well-defined sysctl SID. */
1374                 tsid = SECINITSID_SYSCTL;
1375         }
1376
1377         /* The op values are "defined" in sysctl.c, thereby creating
1378          * a bad coupling between this module and sysctl.c */
1379         if(op == 001) {
1380                 error = avc_has_perm(tsec->sid, tsid,
1381                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1382         } else {
1383                 av = 0;
1384                 if (op & 004)
1385                         av |= FILE__READ;
1386                 if (op & 002)
1387                         av |= FILE__WRITE;
1388                 if (av)
1389                         error = avc_has_perm(tsec->sid, tsid,
1390                                              SECCLASS_FILE, av, NULL);
1391         }
1392
1393         return error;
1394 }
1395
1396 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1397 {
1398         int rc = 0;
1399
1400         if (!sb)
1401                 return 0;
1402
1403         switch (cmds) {
1404                 case Q_SYNC:
1405                 case Q_QUOTAON:
1406                 case Q_QUOTAOFF:
1407                 case Q_SETINFO:
1408                 case Q_SETQUOTA:
1409                         rc = superblock_has_perm(current,
1410                                                  sb,
1411                                                  FILESYSTEM__QUOTAMOD, NULL);
1412                         break;
1413                 case Q_GETFMT:
1414                 case Q_GETINFO:
1415                 case Q_GETQUOTA:
1416                         rc = superblock_has_perm(current,
1417                                                  sb,
1418                                                  FILESYSTEM__QUOTAGET, NULL);
1419                         break;
1420                 default:
1421                         rc = 0;  /* let the kernel handle invalid cmds */
1422                         break;
1423         }
1424         return rc;
1425 }
1426
1427 static int selinux_quota_on(struct dentry *dentry)
1428 {
1429         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1430 }
1431
1432 static int selinux_syslog(int type)
1433 {
1434         int rc;
1435
1436         rc = secondary_ops->syslog(type);
1437         if (rc)
1438                 return rc;
1439
1440         switch (type) {
1441                 case 3:         /* Read last kernel messages */
1442                 case 10:        /* Return size of the log buffer */
1443                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1444                         break;
1445                 case 6:         /* Disable logging to console */
1446                 case 7:         /* Enable logging to console */
1447                 case 8:         /* Set level of messages printed to console */
1448                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1449                         break;
1450                 case 0:         /* Close log */
1451                 case 1:         /* Open log */
1452                 case 2:         /* Read from log */
1453                 case 4:         /* Read/clear last kernel messages */
1454                 case 5:         /* Clear ring buffer */
1455                 default:
1456                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1457                         break;
1458         }
1459         return rc;
1460 }
1461
1462 /*
1463  * Check that a process has enough memory to allocate a new virtual
1464  * mapping. 0 means there is enough memory for the allocation to
1465  * succeed and -ENOMEM implies there is not.
1466  *
1467  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1468  * if the capability is granted, but __vm_enough_memory requires 1 if
1469  * the capability is granted.
1470  *
1471  * Do not audit the selinux permission check, as this is applied to all
1472  * processes that allocate mappings.
1473  */
1474 static int selinux_vm_enough_memory(long pages)
1475 {
1476         int rc, cap_sys_admin = 0;
1477         struct task_security_struct *tsec = current->security;
1478
1479         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1480         if (rc == 0)
1481                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1482                                         SECCLASS_CAPABILITY,
1483                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1484                                         NULL);
1485
1486         if (rc == 0)
1487                 cap_sys_admin = 1;
1488
1489         return __vm_enough_memory(pages, cap_sys_admin);
1490 }
1491
1492 /* binprm security operations */
1493
1494 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1495 {
1496         struct bprm_security_struct *bsec;
1497
1498         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1499         if (!bsec)
1500                 return -ENOMEM;
1501
1502         bsec->bprm = bprm;
1503         bsec->sid = SECINITSID_UNLABELED;
1504         bsec->set = 0;
1505
1506         bprm->security = bsec;
1507         return 0;
1508 }
1509
1510 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1511 {
1512         struct task_security_struct *tsec;
1513         struct inode *inode = bprm->file->f_dentry->d_inode;
1514         struct inode_security_struct *isec;
1515         struct bprm_security_struct *bsec;
1516         u32 newsid;
1517         struct avc_audit_data ad;
1518         int rc;
1519
1520         rc = secondary_ops->bprm_set_security(bprm);
1521         if (rc)
1522                 return rc;
1523
1524         bsec = bprm->security;
1525
1526         if (bsec->set)
1527                 return 0;
1528
1529         tsec = current->security;
1530         isec = inode->i_security;
1531
1532         /* Default to the current task SID. */
1533         bsec->sid = tsec->sid;
1534
1535         /* Reset create and sockcreate SID on execve. */
1536         tsec->create_sid = 0;
1537         tsec->sockcreate_sid = 0;
1538
1539         if (tsec->exec_sid) {
1540                 newsid = tsec->exec_sid;
1541                 /* Reset exec SID on execve. */
1542                 tsec->exec_sid = 0;
1543         } else {
1544                 /* Check for a default transition on this program. */
1545                 rc = security_transition_sid(tsec->sid, isec->sid,
1546                                              SECCLASS_PROCESS, &newsid);
1547                 if (rc)
1548                         return rc;
1549         }
1550
1551         AVC_AUDIT_DATA_INIT(&ad, FS);
1552         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1553         ad.u.fs.dentry = bprm->file->f_dentry;
1554
1555         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1556                 newsid = tsec->sid;
1557
1558         if (tsec->sid == newsid) {
1559                 rc = avc_has_perm(tsec->sid, isec->sid,
1560                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1561                 if (rc)
1562                         return rc;
1563         } else {
1564                 /* Check permissions for the transition. */
1565                 rc = avc_has_perm(tsec->sid, newsid,
1566                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1567                 if (rc)
1568                         return rc;
1569
1570                 rc = avc_has_perm(newsid, isec->sid,
1571                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1572                 if (rc)
1573                         return rc;
1574
1575                 /* Clear any possibly unsafe personality bits on exec: */
1576                 current->personality &= ~PER_CLEAR_ON_SETID;
1577
1578                 /* Set the security field to the new SID. */
1579                 bsec->sid = newsid;
1580         }
1581
1582         bsec->set = 1;
1583         return 0;
1584 }
1585
1586 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1587 {
1588         return secondary_ops->bprm_check_security(bprm);
1589 }
1590
1591
1592 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1593 {
1594         struct task_security_struct *tsec = current->security;
1595         int atsecure = 0;
1596
1597         if (tsec->osid != tsec->sid) {
1598                 /* Enable secure mode for SIDs transitions unless
1599                    the noatsecure permission is granted between
1600                    the two SIDs, i.e. ahp returns 0. */
1601                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1602                                          SECCLASS_PROCESS,
1603                                          PROCESS__NOATSECURE, NULL);
1604         }
1605
1606         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1607 }
1608
1609 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1610 {
1611         kfree(bprm->security);
1612         bprm->security = NULL;
1613 }
1614
1615 extern struct vfsmount *selinuxfs_mount;
1616 extern struct dentry *selinux_null;
1617
1618 /* Derived from fs/exec.c:flush_old_files. */
1619 static inline void flush_unauthorized_files(struct files_struct * files)
1620 {
1621         struct avc_audit_data ad;
1622         struct file *file, *devnull = NULL;
1623         struct tty_struct *tty = current->signal->tty;
1624         struct fdtable *fdt;
1625         long j = -1;
1626
1627         if (tty) {
1628                 file_list_lock();
1629                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1630                 if (file) {
1631                         /* Revalidate access to controlling tty.
1632                            Use inode_has_perm on the tty inode directly rather
1633                            than using file_has_perm, as this particular open
1634                            file may belong to another process and we are only
1635                            interested in the inode-based check here. */
1636                         struct inode *inode = file->f_dentry->d_inode;
1637                         if (inode_has_perm(current, inode,
1638                                            FILE__READ | FILE__WRITE, NULL)) {
1639                                 /* Reset controlling tty. */
1640                                 current->signal->tty = NULL;
1641                                 current->signal->tty_old_pgrp = 0;
1642                         }
1643                 }
1644                 file_list_unlock();
1645         }
1646
1647         /* Revalidate access to inherited open files. */
1648
1649         AVC_AUDIT_DATA_INIT(&ad,FS);
1650
1651         spin_lock(&files->file_lock);
1652         for (;;) {
1653                 unsigned long set, i;
1654                 int fd;
1655
1656                 j++;
1657                 i = j * __NFDBITS;
1658                 fdt = files_fdtable(files);
1659                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1660                         break;
1661                 set = fdt->open_fds->fds_bits[j];
1662                 if (!set)
1663                         continue;
1664                 spin_unlock(&files->file_lock);
1665                 for ( ; set ; i++,set >>= 1) {
1666                         if (set & 1) {
1667                                 file = fget(i);
1668                                 if (!file)
1669                                         continue;
1670                                 if (file_has_perm(current,
1671                                                   file,
1672                                                   file_to_av(file))) {
1673                                         sys_close(i);
1674                                         fd = get_unused_fd();
1675                                         if (fd != i) {
1676                                                 if (fd >= 0)
1677                                                         put_unused_fd(fd);
1678                                                 fput(file);
1679                                                 continue;
1680                                         }
1681                                         if (devnull) {
1682                                                 get_file(devnull);
1683                                         } else {
1684                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1685                                                 if (!devnull) {
1686                                                         put_unused_fd(fd);
1687                                                         fput(file);
1688                                                         continue;
1689                                                 }
1690                                         }
1691                                         fd_install(fd, devnull);
1692                                 }
1693                                 fput(file);
1694                         }
1695                 }
1696                 spin_lock(&files->file_lock);
1697
1698         }
1699         spin_unlock(&files->file_lock);
1700 }
1701
1702 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1703 {
1704         struct task_security_struct *tsec;
1705         struct bprm_security_struct *bsec;
1706         u32 sid;
1707         int rc;
1708
1709         secondary_ops->bprm_apply_creds(bprm, unsafe);
1710
1711         tsec = current->security;
1712
1713         bsec = bprm->security;
1714         sid = bsec->sid;
1715
1716         tsec->osid = tsec->sid;
1717         bsec->unsafe = 0;
1718         if (tsec->sid != sid) {
1719                 /* Check for shared state.  If not ok, leave SID
1720                    unchanged and kill. */
1721                 if (unsafe & LSM_UNSAFE_SHARE) {
1722                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1723                                         PROCESS__SHARE, NULL);
1724                         if (rc) {
1725                                 bsec->unsafe = 1;
1726                                 return;
1727                         }
1728                 }
1729
1730                 /* Check for ptracing, and update the task SID if ok.
1731                    Otherwise, leave SID unchanged and kill. */
1732                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1733                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1734                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1735                                           NULL);
1736                         if (rc) {
1737                                 bsec->unsafe = 1;
1738                                 return;
1739                         }
1740                 }
1741                 tsec->sid = sid;
1742         }
1743 }
1744
1745 /*
1746  * called after apply_creds without the task lock held
1747  */
1748 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1749 {
1750         struct task_security_struct *tsec;
1751         struct rlimit *rlim, *initrlim;
1752         struct itimerval itimer;
1753         struct bprm_security_struct *bsec;
1754         int rc, i;
1755
1756         tsec = current->security;
1757         bsec = bprm->security;
1758
1759         if (bsec->unsafe) {
1760                 force_sig_specific(SIGKILL, current);
1761                 return;
1762         }
1763         if (tsec->osid == tsec->sid)
1764                 return;
1765
1766         /* Close files for which the new task SID is not authorized. */
1767         flush_unauthorized_files(current->files);
1768
1769         /* Check whether the new SID can inherit signal state
1770            from the old SID.  If not, clear itimers to avoid
1771            subsequent signal generation and flush and unblock
1772            signals. This must occur _after_ the task SID has
1773           been updated so that any kill done after the flush
1774           will be checked against the new SID. */
1775         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1776                           PROCESS__SIGINH, NULL);
1777         if (rc) {
1778                 memset(&itimer, 0, sizeof itimer);
1779                 for (i = 0; i < 3; i++)
1780                         do_setitimer(i, &itimer, NULL);
1781                 flush_signals(current);
1782                 spin_lock_irq(&current->sighand->siglock);
1783                 flush_signal_handlers(current, 1);
1784                 sigemptyset(&current->blocked);
1785                 recalc_sigpending();
1786                 spin_unlock_irq(&current->sighand->siglock);
1787         }
1788
1789         /* Check whether the new SID can inherit resource limits
1790            from the old SID.  If not, reset all soft limits to
1791            the lower of the current task's hard limit and the init
1792            task's soft limit.  Note that the setting of hard limits
1793            (even to lower them) can be controlled by the setrlimit
1794            check. The inclusion of the init task's soft limit into
1795            the computation is to avoid resetting soft limits higher
1796            than the default soft limit for cases where the default
1797            is lower than the hard limit, e.g. RLIMIT_CORE or
1798            RLIMIT_STACK.*/
1799         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1800                           PROCESS__RLIMITINH, NULL);
1801         if (rc) {
1802                 for (i = 0; i < RLIM_NLIMITS; i++) {
1803                         rlim = current->signal->rlim + i;
1804                         initrlim = init_task.signal->rlim+i;
1805                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1806                 }
1807                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1808                         /*
1809                          * This will cause RLIMIT_CPU calculations
1810                          * to be refigured.
1811                          */
1812                         current->it_prof_expires = jiffies_to_cputime(1);
1813                 }
1814         }
1815
1816         /* Wake up the parent if it is waiting so that it can
1817            recheck wait permission to the new task SID. */
1818         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1819 }
1820
1821 /* superblock security operations */
1822
1823 static int selinux_sb_alloc_security(struct super_block *sb)
1824 {
1825         return superblock_alloc_security(sb);
1826 }
1827
1828 static void selinux_sb_free_security(struct super_block *sb)
1829 {
1830         superblock_free_security(sb);
1831 }
1832
1833 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1834 {
1835         if (plen > olen)
1836                 return 0;
1837
1838         return !memcmp(prefix, option, plen);
1839 }
1840
1841 static inline int selinux_option(char *option, int len)
1842 {
1843         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1844                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1845                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1846 }
1847
1848 static inline void take_option(char **to, char *from, int *first, int len)
1849 {
1850         if (!*first) {
1851                 **to = ',';
1852                 *to += 1;
1853         }
1854         else
1855                 *first = 0;
1856         memcpy(*to, from, len);
1857         *to += len;
1858 }
1859
1860 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1861 {
1862         int fnosec, fsec, rc = 0;
1863         char *in_save, *in_curr, *in_end;
1864         char *sec_curr, *nosec_save, *nosec;
1865
1866         in_curr = orig;
1867         sec_curr = copy;
1868
1869         /* Binary mount data: just copy */
1870         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1871                 copy_page(sec_curr, in_curr);
1872                 goto out;
1873         }
1874
1875         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1876         if (!nosec) {
1877                 rc = -ENOMEM;
1878                 goto out;
1879         }
1880
1881         nosec_save = nosec;
1882         fnosec = fsec = 1;
1883         in_save = in_end = orig;
1884
1885         do {
1886                 if (*in_end == ',' || *in_end == '\0') {
1887                         int len = in_end - in_curr;
1888
1889                         if (selinux_option(in_curr, len))
1890                                 take_option(&sec_curr, in_curr, &fsec, len);
1891                         else
1892                                 take_option(&nosec, in_curr, &fnosec, len);
1893
1894                         in_curr = in_end + 1;
1895                 }
1896         } while (*in_end++);
1897
1898         strcpy(in_save, nosec_save);
1899         free_page((unsigned long)nosec_save);
1900 out:
1901         return rc;
1902 }
1903
1904 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1905 {
1906         struct avc_audit_data ad;
1907         int rc;
1908
1909         rc = superblock_doinit(sb, data);
1910         if (rc)
1911                 return rc;
1912
1913         AVC_AUDIT_DATA_INIT(&ad,FS);
1914         ad.u.fs.dentry = sb->s_root;
1915         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1916 }
1917
1918 static int selinux_sb_statfs(struct dentry *dentry)
1919 {
1920         struct avc_audit_data ad;
1921
1922         AVC_AUDIT_DATA_INIT(&ad,FS);
1923         ad.u.fs.dentry = dentry->d_sb->s_root;
1924         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1925 }
1926
1927 static int selinux_mount(char * dev_name,
1928                          struct nameidata *nd,
1929                          char * type,
1930                          unsigned long flags,
1931                          void * data)
1932 {
1933         int rc;
1934
1935         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1936         if (rc)
1937                 return rc;
1938
1939         if (flags & MS_REMOUNT)
1940                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1941                                            FILESYSTEM__REMOUNT, NULL);
1942         else
1943                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1944                                        FILE__MOUNTON);
1945 }
1946
1947 static int selinux_umount(struct vfsmount *mnt, int flags)
1948 {
1949         int rc;
1950
1951         rc = secondary_ops->sb_umount(mnt, flags);
1952         if (rc)
1953                 return rc;
1954
1955         return superblock_has_perm(current,mnt->mnt_sb,
1956                                    FILESYSTEM__UNMOUNT,NULL);
1957 }
1958
1959 /* inode security operations */
1960
1961 static int selinux_inode_alloc_security(struct inode *inode)
1962 {
1963         return inode_alloc_security(inode);
1964 }
1965
1966 static void selinux_inode_free_security(struct inode *inode)
1967 {
1968         inode_free_security(inode);
1969 }
1970
1971 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1972                                        char **name, void **value,
1973                                        size_t *len)
1974 {
1975         struct task_security_struct *tsec;
1976         struct inode_security_struct *dsec;
1977         struct superblock_security_struct *sbsec;
1978         u32 newsid, clen;
1979         int rc;
1980         char *namep = NULL, *context;
1981
1982         tsec = current->security;
1983         dsec = dir->i_security;
1984         sbsec = dir->i_sb->s_security;
1985
1986         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1987                 newsid = tsec->create_sid;
1988         } else {
1989                 rc = security_transition_sid(tsec->sid, dsec->sid,
1990                                              inode_mode_to_security_class(inode->i_mode),
1991                                              &newsid);
1992                 if (rc) {
1993                         printk(KERN_WARNING "%s:  "
1994                                "security_transition_sid failed, rc=%d (dev=%s "
1995                                "ino=%ld)\n",
1996                                __FUNCTION__,
1997                                -rc, inode->i_sb->s_id, inode->i_ino);
1998                         return rc;
1999                 }
2000         }
2001
2002         inode_security_set_sid(inode, newsid);
2003
2004         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2005                 return -EOPNOTSUPP;
2006
2007         if (name) {
2008                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2009                 if (!namep)
2010                         return -ENOMEM;
2011                 *name = namep;
2012         }
2013
2014         if (value && len) {
2015                 rc = security_sid_to_context(newsid, &context, &clen);
2016                 if (rc) {
2017                         kfree(namep);
2018                         return rc;
2019                 }
2020                 *value = context;
2021                 *len = clen;
2022         }
2023
2024         return 0;
2025 }
2026
2027 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2028 {
2029         return may_create(dir, dentry, SECCLASS_FILE);
2030 }
2031
2032 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2033 {
2034         int rc;
2035
2036         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2037         if (rc)
2038                 return rc;
2039         return may_link(dir, old_dentry, MAY_LINK);
2040 }
2041
2042 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2043 {
2044         int rc;
2045
2046         rc = secondary_ops->inode_unlink(dir, dentry);
2047         if (rc)
2048                 return rc;
2049         return may_link(dir, dentry, MAY_UNLINK);
2050 }
2051
2052 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2053 {
2054         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2055 }
2056
2057 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2058 {
2059         return may_create(dir, dentry, SECCLASS_DIR);
2060 }
2061
2062 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2063 {
2064         return may_link(dir, dentry, MAY_RMDIR);
2065 }
2066
2067 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2068 {
2069         int rc;
2070
2071         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2072         if (rc)
2073                 return rc;
2074
2075         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2076 }
2077
2078 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2079                                 struct inode *new_inode, struct dentry *new_dentry)
2080 {
2081         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2082 }
2083
2084 static int selinux_inode_readlink(struct dentry *dentry)
2085 {
2086         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2087 }
2088
2089 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2090 {
2091         int rc;
2092
2093         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2094         if (rc)
2095                 return rc;
2096         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2097 }
2098
2099 static int selinux_inode_permission(struct inode *inode, int mask,
2100                                     struct nameidata *nd)
2101 {
2102         int rc;
2103
2104         rc = secondary_ops->inode_permission(inode, mask, nd);
2105         if (rc)
2106                 return rc;
2107
2108         if (!mask) {
2109                 /* No permission to check.  Existence test. */
2110                 return 0;
2111         }
2112
2113         return inode_has_perm(current, inode,
2114                                file_mask_to_av(inode->i_mode, mask), NULL);
2115 }
2116
2117 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2118 {
2119         int rc;
2120
2121         rc = secondary_ops->inode_setattr(dentry, iattr);
2122         if (rc)
2123                 return rc;
2124
2125         if (iattr->ia_valid & ATTR_FORCE)
2126                 return 0;
2127
2128         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2129                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2130                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2131
2132         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2133 }
2134
2135 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2136 {
2137         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2138 }
2139
2140 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2141 {
2142         struct task_security_struct *tsec = current->security;
2143         struct inode *inode = dentry->d_inode;
2144         struct inode_security_struct *isec = inode->i_security;
2145         struct superblock_security_struct *sbsec;
2146         struct avc_audit_data ad;
2147         u32 newsid;
2148         int rc = 0;
2149
2150         if (strcmp(name, XATTR_NAME_SELINUX)) {
2151                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2152                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2153                     !capable(CAP_SYS_ADMIN)) {
2154                         /* A different attribute in the security namespace.
2155                            Restrict to administrator. */
2156                         return -EPERM;
2157                 }
2158
2159                 /* Not an attribute we recognize, so just check the
2160                    ordinary setattr permission. */
2161                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2162         }
2163
2164         sbsec = inode->i_sb->s_security;
2165         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2166                 return -EOPNOTSUPP;
2167
2168         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2169                 return -EPERM;
2170
2171         AVC_AUDIT_DATA_INIT(&ad,FS);
2172         ad.u.fs.dentry = dentry;
2173
2174         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2175                           FILE__RELABELFROM, &ad);
2176         if (rc)
2177                 return rc;
2178
2179         rc = security_context_to_sid(value, size, &newsid);
2180         if (rc)
2181                 return rc;
2182
2183         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2184                           FILE__RELABELTO, &ad);
2185         if (rc)
2186                 return rc;
2187
2188         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2189                                           isec->sclass);
2190         if (rc)
2191                 return rc;
2192
2193         return avc_has_perm(newsid,
2194                             sbsec->sid,
2195                             SECCLASS_FILESYSTEM,
2196                             FILESYSTEM__ASSOCIATE,
2197                             &ad);
2198 }
2199
2200 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2201                                         void *value, size_t size, int flags)
2202 {
2203         struct inode *inode = dentry->d_inode;
2204         struct inode_security_struct *isec = inode->i_security;
2205         u32 newsid;
2206         int rc;
2207
2208         if (strcmp(name, XATTR_NAME_SELINUX)) {
2209                 /* Not an attribute we recognize, so nothing to do. */
2210                 return;
2211         }
2212
2213         rc = security_context_to_sid(value, size, &newsid);
2214         if (rc) {
2215                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2216                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2217                 return;
2218         }
2219
2220         isec->sid = newsid;
2221         return;
2222 }
2223
2224 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2225 {
2226         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2227 }
2228
2229 static int selinux_inode_listxattr (struct dentry *dentry)
2230 {
2231         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2232 }
2233
2234 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2235 {
2236         if (strcmp(name, XATTR_NAME_SELINUX)) {
2237                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2238                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2239                     !capable(CAP_SYS_ADMIN)) {
2240                         /* A different attribute in the security namespace.
2241                            Restrict to administrator. */
2242                         return -EPERM;
2243                 }
2244
2245                 /* Not an attribute we recognize, so just check the
2246                    ordinary setattr permission. Might want a separate
2247                    permission for removexattr. */
2248                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2249         }
2250
2251         /* No one is allowed to remove a SELinux security label.
2252            You can change the label, but all data must be labeled. */
2253         return -EACCES;
2254 }
2255
2256 static const char *selinux_inode_xattr_getsuffix(void)
2257 {
2258       return XATTR_SELINUX_SUFFIX;
2259 }
2260
2261 /*
2262  * Copy the in-core inode security context value to the user.  If the
2263  * getxattr() prior to this succeeded, check to see if we need to
2264  * canonicalize the value to be finally returned to the user.
2265  *
2266  * Permission check is handled by selinux_inode_getxattr hook.
2267  */
2268 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2269 {
2270         struct inode_security_struct *isec = inode->i_security;
2271
2272         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2273                 return -EOPNOTSUPP;
2274
2275         return selinux_getsecurity(isec->sid, buffer, size);
2276 }
2277
2278 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2279                                      const void *value, size_t size, int flags)
2280 {
2281         struct inode_security_struct *isec = inode->i_security;
2282         u32 newsid;
2283         int rc;
2284
2285         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2286                 return -EOPNOTSUPP;
2287
2288         if (!value || !size)
2289                 return -EACCES;
2290
2291         rc = security_context_to_sid((void*)value, size, &newsid);
2292         if (rc)
2293                 return rc;
2294
2295         isec->sid = newsid;
2296         return 0;
2297 }
2298
2299 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2300 {
2301         const int len = sizeof(XATTR_NAME_SELINUX);
2302         if (buffer && len <= buffer_size)
2303                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2304         return len;
2305 }
2306
2307 /* file security operations */
2308
2309 static int selinux_file_permission(struct file *file, int mask)
2310 {
2311         struct inode *inode = file->f_dentry->d_inode;
2312
2313         if (!mask) {
2314                 /* No permission to check.  Existence test. */
2315                 return 0;
2316         }
2317
2318         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2319         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2320                 mask |= MAY_APPEND;
2321
2322         return file_has_perm(current, file,
2323                              file_mask_to_av(inode->i_mode, mask));
2324 }
2325
2326 static int selinux_file_alloc_security(struct file *file)
2327 {
2328         return file_alloc_security(file);
2329 }
2330
2331 static void selinux_file_free_security(struct file *file)
2332 {
2333         file_free_security(file);
2334 }
2335
2336 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2337                               unsigned long arg)
2338 {
2339         int error = 0;
2340
2341         switch (cmd) {
2342                 case FIONREAD:
2343                 /* fall through */
2344                 case FIBMAP:
2345                 /* fall through */
2346                 case FIGETBSZ:
2347                 /* fall through */
2348                 case EXT2_IOC_GETFLAGS:
2349                 /* fall through */
2350                 case EXT2_IOC_GETVERSION:
2351                         error = file_has_perm(current, file, FILE__GETATTR);
2352                         break;
2353
2354                 case EXT2_IOC_SETFLAGS:
2355                 /* fall through */
2356                 case EXT2_IOC_SETVERSION:
2357                         error = file_has_perm(current, file, FILE__SETATTR);
2358                         break;
2359
2360                 /* sys_ioctl() checks */
2361                 case FIONBIO:
2362                 /* fall through */
2363                 case FIOASYNC:
2364                         error = file_has_perm(current, file, 0);
2365                         break;
2366
2367                 case KDSKBENT:
2368                 case KDSKBSENT:
2369                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2370                         break;
2371
2372                 /* default case assumes that the command will go
2373                  * to the file's ioctl() function.
2374                  */
2375                 default:
2376                         error = file_has_perm(current, file, FILE__IOCTL);
2377
2378         }
2379         return error;
2380 }
2381
2382 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2383 {
2384 #ifndef CONFIG_PPC32
2385         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2386                 /*
2387                  * We are making executable an anonymous mapping or a
2388                  * private file mapping that will also be writable.
2389                  * This has an additional check.
2390                  */
2391                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2392                 if (rc)
2393                         return rc;
2394         }
2395 #endif
2396
2397         if (file) {
2398                 /* read access is always possible with a mapping */
2399                 u32 av = FILE__READ;
2400
2401                 /* write access only matters if the mapping is shared */
2402                 if (shared && (prot & PROT_WRITE))
2403                         av |= FILE__WRITE;
2404
2405                 if (prot & PROT_EXEC)
2406                         av |= FILE__EXECUTE;
2407
2408                 return file_has_perm(current, file, av);
2409         }
2410         return 0;
2411 }
2412
2413 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2414                              unsigned long prot, unsigned long flags)
2415 {
2416         int rc;
2417
2418         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2419         if (rc)
2420                 return rc;
2421
2422         if (selinux_checkreqprot)
2423                 prot = reqprot;
2424
2425         return file_map_prot_check(file, prot,
2426                                    (flags & MAP_TYPE) == MAP_SHARED);
2427 }
2428
2429 static int selinux_file_mprotect(struct vm_area_struct *vma,
2430                                  unsigned long reqprot,
2431                                  unsigned long prot)
2432 {
2433         int rc;
2434
2435         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2436         if (rc)
2437                 return rc;
2438
2439         if (selinux_checkreqprot)
2440                 prot = reqprot;
2441
2442 #ifndef CONFIG_PPC32
2443         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2444                 rc = 0;
2445                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2446                     vma->vm_end <= vma->vm_mm->brk) {
2447                         rc = task_has_perm(current, current,
2448                                            PROCESS__EXECHEAP);
2449                 } else if (!vma->vm_file &&
2450                            vma->vm_start <= vma->vm_mm->start_stack &&
2451                            vma->vm_end >= vma->vm_mm->start_stack) {
2452                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2453                 } else if (vma->vm_file && vma->anon_vma) {
2454                         /*
2455                          * We are making executable a file mapping that has
2456                          * had some COW done. Since pages might have been
2457                          * written, check ability to execute the possibly
2458                          * modified content.  This typically should only
2459                          * occur for text relocations.
2460                          */
2461                         rc = file_has_perm(current, vma->vm_file,
2462                                            FILE__EXECMOD);
2463                 }
2464                 if (rc)
2465                         return rc;
2466         }
2467 #endif
2468
2469         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2470 }
2471
2472 static int selinux_file_lock(struct file *file, unsigned int cmd)
2473 {
2474         return file_has_perm(current, file, FILE__LOCK);
2475 }
2476
2477 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2478                               unsigned long arg)
2479 {
2480         int err = 0;
2481
2482         switch (cmd) {
2483                 case F_SETFL:
2484                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2485                                 err = -EINVAL;
2486                                 break;
2487                         }
2488
2489                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2490                                 err = file_has_perm(current, file,FILE__WRITE);
2491                                 break;
2492                         }
2493                         /* fall through */
2494                 case F_SETOWN:
2495                 case F_SETSIG:
2496                 case F_GETFL:
2497                 case F_GETOWN:
2498                 case F_GETSIG:
2499                         /* Just check FD__USE permission */
2500                         err = file_has_perm(current, file, 0);
2501                         break;
2502                 case F_GETLK:
2503                 case F_SETLK:
2504                 case F_SETLKW:
2505 #if BITS_PER_LONG == 32
2506                 case F_GETLK64:
2507                 case F_SETLK64:
2508                 case F_SETLKW64:
2509 #endif
2510                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2511                                 err = -EINVAL;
2512                                 break;
2513                         }
2514                         err = file_has_perm(current, file, FILE__LOCK);
2515                         break;
2516         }
2517
2518         return err;
2519 }
2520
2521 static int selinux_file_set_fowner(struct file *file)
2522 {
2523         struct task_security_struct *tsec;
2524         struct file_security_struct *fsec;
2525
2526         tsec = current->security;
2527         fsec = file->f_security;
2528         fsec->fown_sid = tsec->sid;
2529
2530         return 0;
2531 }
2532
2533 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2534                                        struct fown_struct *fown, int signum)
2535 {
2536         struct file *file;
2537         u32 perm;
2538         struct task_security_struct *tsec;
2539         struct file_security_struct *fsec;
2540
2541         /* struct fown_struct is never outside the context of a struct file */
2542         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2543
2544         tsec = tsk->security;
2545         fsec = file->f_security;
2546
2547         if (!signum)
2548                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2549         else
2550                 perm = signal_to_av(signum);
2551
2552         return avc_has_perm(fsec->fown_sid, tsec->sid,
2553                             SECCLASS_PROCESS, perm, NULL);
2554 }
2555
2556 static int selinux_file_receive(struct file *file)
2557 {
2558         return file_has_perm(current, file, file_to_av(file));
2559 }
2560
2561 /* task security operations */
2562
2563 static int selinux_task_create(unsigned long clone_flags)
2564 {
2565         int rc;
2566
2567         rc = secondary_ops->task_create(clone_flags);
2568         if (rc)
2569                 return rc;
2570
2571         return task_has_perm(current, current, PROCESS__FORK);
2572 }
2573
2574 static int selinux_task_alloc_security(struct task_struct *tsk)
2575 {
2576         struct task_security_struct *tsec1, *tsec2;
2577         int rc;
2578
2579         tsec1 = current->security;
2580
2581         rc = task_alloc_security(tsk);
2582         if (rc)
2583                 return rc;
2584         tsec2 = tsk->security;
2585
2586         tsec2->osid = tsec1->osid;
2587         tsec2->sid = tsec1->sid;
2588
2589         /* Retain the exec, create, and sock SIDs across fork */
2590         tsec2->exec_sid = tsec1->exec_sid;
2591         tsec2->create_sid = tsec1->create_sid;
2592         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2593
2594         /* Retain ptracer SID across fork, if any.
2595            This will be reset by the ptrace hook upon any
2596            subsequent ptrace_attach operations. */
2597         tsec2->ptrace_sid = tsec1->ptrace_sid;
2598
2599         return 0;
2600 }
2601
2602 static void selinux_task_free_security(struct task_struct *tsk)
2603 {
2604         task_free_security(tsk);
2605 }
2606
2607 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2608 {
2609         /* Since setuid only affects the current process, and
2610            since the SELinux controls are not based on the Linux
2611            identity attributes, SELinux does not need to control
2612            this operation.  However, SELinux does control the use
2613            of the CAP_SETUID and CAP_SETGID capabilities using the
2614            capable hook. */
2615         return 0;
2616 }
2617
2618 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2619 {
2620         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2621 }
2622
2623 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2624 {
2625         /* See the comment for setuid above. */
2626         return 0;
2627 }
2628
2629 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2630 {
2631         return task_has_perm(current, p, PROCESS__SETPGID);
2632 }
2633
2634 static int selinux_task_getpgid(struct task_struct *p)
2635 {
2636         return task_has_perm(current, p, PROCESS__GETPGID);
2637 }
2638
2639 static int selinux_task_getsid(struct task_struct *p)
2640 {
2641         return task_has_perm(current, p, PROCESS__GETSESSION);
2642 }
2643
2644 static int selinux_task_setgroups(struct group_info *group_info)
2645 {
2646         /* See the comment for setuid above. */
2647         return 0;
2648 }
2649
2650 static int selinux_task_setnice(struct task_struct *p, int nice)
2651 {
2652         int rc;
2653
2654         rc = secondary_ops->task_setnice(p, nice);
2655         if (rc)
2656                 return rc;
2657
2658         return task_has_perm(current,p, PROCESS__SETSCHED);
2659 }
2660
2661 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2662 {
2663         return task_has_perm(current, p, PROCESS__SETSCHED);
2664 }
2665
2666 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2667 {
2668         struct rlimit *old_rlim = current->signal->rlim + resource;
2669         int rc;
2670
2671         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2672         if (rc)
2673                 return rc;
2674
2675         /* Control the ability to change the hard limit (whether
2676            lowering or raising it), so that the hard limit can
2677            later be used as a safe reset point for the soft limit
2678            upon context transitions. See selinux_bprm_apply_creds. */
2679         if (old_rlim->rlim_max != new_rlim->rlim_max)
2680                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2681
2682         return 0;
2683 }
2684
2685 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2686 {
2687         return task_has_perm(current, p, PROCESS__SETSCHED);
2688 }
2689
2690 static int selinux_task_getscheduler(struct task_struct *p)
2691 {
2692         return task_has_perm(current, p, PROCESS__GETSCHED);
2693 }
2694
2695 static int selinux_task_movememory(struct task_struct *p)
2696 {
2697         return task_has_perm(current, p, PROCESS__SETSCHED);
2698 }
2699
2700 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2701 {
2702         u32 perm;
2703         int rc;
2704
2705         rc = secondary_ops->task_kill(p, info, sig);
2706         if (rc)
2707                 return rc;
2708
2709         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2710                 return 0;
2711
2712         if (!sig)
2713                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2714         else
2715                 perm = signal_to_av(sig);
2716
2717         return task_has_perm(current, p, perm);
2718 }
2719
2720 static int selinux_task_prctl(int option,
2721                               unsigned long arg2,
2722                               unsigned long arg3,
2723                               unsigned long arg4,
2724                               unsigned long arg5)
2725 {
2726         /* The current prctl operations do not appear to require
2727            any SELinux controls since they merely observe or modify
2728            the state of the current process. */
2729         return 0;
2730 }
2731
2732 static int selinux_task_wait(struct task_struct *p)
2733 {
2734         u32 perm;
2735
2736         perm = signal_to_av(p->exit_signal);
2737
2738         return task_has_perm(p, current, perm);
2739 }
2740
2741 static void selinux_task_reparent_to_init(struct task_struct *p)
2742 {
2743         struct task_security_struct *tsec;
2744
2745         secondary_ops->task_reparent_to_init(p);
2746
2747         tsec = p->security;
2748         tsec->osid = tsec->sid;
2749         tsec->sid = SECINITSID_KERNEL;
2750         return;
2751 }
2752
2753 static void selinux_task_to_inode(struct task_struct *p,
2754                                   struct inode *inode)
2755 {
2756         struct task_security_struct *tsec = p->security;
2757         struct inode_security_struct *isec = inode->i_security;
2758
2759         isec->sid = tsec->sid;
2760         isec->initialized = 1;
2761         return;
2762 }
2763
2764 /* Returns error only if unable to parse addresses */
2765 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2766 {
2767         int offset, ihlen, ret = -EINVAL;
2768         struct iphdr _iph, *ih;
2769
2770         offset = skb->nh.raw - skb->data;
2771         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2772         if (ih == NULL)
2773                 goto out;
2774
2775         ihlen = ih->ihl * 4;
2776         if (ihlen < sizeof(_iph))
2777                 goto out;
2778
2779         ad->u.net.v4info.saddr = ih->saddr;
2780         ad->u.net.v4info.daddr = ih->daddr;
2781         ret = 0;
2782
2783         switch (ih->protocol) {
2784         case IPPROTO_TCP: {
2785                 struct tcphdr _tcph, *th;
2786
2787                 if (ntohs(ih->frag_off) & IP_OFFSET)
2788                         break;
2789
2790                 offset += ihlen;
2791                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2792                 if (th == NULL)
2793                         break;
2794
2795                 ad->u.net.sport = th->source;
2796                 ad->u.net.dport = th->dest;
2797                 break;
2798         }
2799         
2800         case IPPROTO_UDP: {
2801                 struct udphdr _udph, *uh;
2802                 
2803                 if (ntohs(ih->frag_off) & IP_OFFSET)
2804                         break;
2805                         
2806                 offset += ihlen;
2807                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2808                 if (uh == NULL)
2809                         break;  
2810
2811                 ad->u.net.sport = uh->source;
2812                 ad->u.net.dport = uh->dest;
2813                 break;
2814         }
2815
2816         default:
2817                 break;
2818         }
2819 out:
2820         return ret;
2821 }
2822
2823 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2824
2825 /* Returns error only if unable to parse addresses */
2826 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2827 {
2828         u8 nexthdr;
2829         int ret = -EINVAL, offset;
2830         struct ipv6hdr _ipv6h, *ip6;
2831
2832         offset = skb->nh.raw - skb->data;
2833         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2834         if (ip6 == NULL)
2835                 goto out;
2836
2837         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2838         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2839         ret = 0;
2840
2841         nexthdr = ip6->nexthdr;
2842         offset += sizeof(_ipv6h);
2843         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2844         if (offset < 0)
2845                 goto out;
2846
2847         switch (nexthdr) {
2848         case IPPROTO_TCP: {
2849                 struct tcphdr _tcph, *th;
2850
2851                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2852                 if (th == NULL)
2853                         break;
2854
2855                 ad->u.net.sport = th->source;
2856                 ad->u.net.dport = th->dest;
2857                 break;
2858         }
2859
2860         case IPPROTO_UDP: {
2861                 struct udphdr _udph, *uh;
2862
2863                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2864                 if (uh == NULL)
2865                         break;
2866
2867                 ad->u.net.sport = uh->source;
2868                 ad->u.net.dport = uh->dest;
2869                 break;
2870         }
2871
2872         /* includes fragments */
2873         default:
2874                 break;
2875         }
2876 out:
2877         return ret;
2878 }
2879
2880 #endif /* IPV6 */
2881
2882 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2883                              char **addrp, int *len, int src)
2884 {
2885         int ret = 0;
2886
2887         switch (ad->u.net.family) {
2888         case PF_INET:
2889                 ret = selinux_parse_skb_ipv4(skb, ad);
2890                 if (ret || !addrp)
2891                         break;
2892                 *len = 4;
2893                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2894                                         &ad->u.net.v4info.daddr);
2895                 break;
2896
2897 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2898         case PF_INET6:
2899                 ret = selinux_parse_skb_ipv6(skb, ad);
2900                 if (ret || !addrp)
2901                         break;
2902                 *len = 16;
2903                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2904                                         &ad->u.net.v6info.daddr);
2905                 break;
2906 #endif  /* IPV6 */
2907         default:
2908                 break;
2909         }
2910
2911         return ret;
2912 }
2913
2914 /* socket security operations */
2915 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2916                            u32 perms)
2917 {
2918         struct inode_security_struct *isec;
2919         struct task_security_struct *tsec;
2920         struct avc_audit_data ad;
2921         int err = 0;
2922
2923         tsec = task->security;
2924         isec = SOCK_INODE(sock)->i_security;
2925
2926         if (isec->sid == SECINITSID_KERNEL)
2927                 goto out;
2928
2929         AVC_AUDIT_DATA_INIT(&ad,NET);
2930         ad.u.net.sk = sock->sk;
2931         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2932
2933 out:
2934         return err;
2935 }
2936
2937 static int selinux_socket_create(int family, int type,
2938                                  int protocol, int kern)
2939 {
2940         int err = 0;
2941         struct task_security_struct *tsec;
2942         u32 newsid;
2943
2944         if (kern)
2945                 goto out;
2946
2947         tsec = current->security;
2948         newsid = tsec->sockcreate_sid ? : tsec->sid;
2949         err = avc_has_perm(tsec->sid, newsid,
2950                            socket_type_to_security_class(family, type,
2951                            protocol), SOCKET__CREATE, NULL);
2952
2953 out:
2954         return err;
2955 }
2956
2957 static void selinux_socket_post_create(struct socket *sock, int family,
2958                                        int type, int protocol, int kern)
2959 {
2960         struct inode_security_struct *isec;
2961         struct task_security_struct *tsec;
2962         u32 newsid;
2963
2964         isec = SOCK_INODE(sock)->i_security;
2965
2966         tsec = current->security;
2967         newsid = tsec->sockcreate_sid ? : tsec->sid;
2968         isec->sclass = socket_type_to_security_class(family, type, protocol);
2969         isec->sid = kern ? SECINITSID_KERNEL : newsid;
2970         isec->initialized = 1;
2971
2972         return;
2973 }
2974
2975 /* Range of port numbers used to automatically bind.
2976    Need to determine whether we should perform a name_bind
2977    permission check between the socket and the port number. */
2978 #define ip_local_port_range_0 sysctl_local_port_range[0]
2979 #define ip_local_port_range_1 sysctl_local_port_range[1]
2980
2981 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2982 {
2983         u16 family;
2984         int err;
2985
2986         err = socket_has_perm(current, sock, SOCKET__BIND);
2987         if (err)
2988                 goto out;
2989
2990         /*
2991          * If PF_INET or PF_INET6, check name_bind permission for the port.
2992          * Multiple address binding for SCTP is not supported yet: we just
2993          * check the first address now.
2994          */
2995         family = sock->sk->sk_family;
2996         if (family == PF_INET || family == PF_INET6) {
2997                 char *addrp;
2998                 struct inode_security_struct *isec;
2999                 struct task_security_struct *tsec;
3000                 struct avc_audit_data ad;
3001                 struct sockaddr_in *addr4 = NULL;
3002                 struct sockaddr_in6 *addr6 = NULL;
3003                 unsigned short snum;
3004                 struct sock *sk = sock->sk;
3005                 u32 sid, node_perm, addrlen;
3006
3007                 tsec = current->security;
3008                 isec = SOCK_INODE(sock)->i_security;
3009
3010                 if (family == PF_INET) {
3011                         addr4 = (struct sockaddr_in *)address;
3012                         snum = ntohs(addr4->sin_port);
3013                         addrlen = sizeof(addr4->sin_addr.s_addr);
3014                         addrp = (char *)&addr4->sin_addr.s_addr;
3015                 } else {
3016                         addr6 = (struct sockaddr_in6 *)address;
3017                         snum = ntohs(addr6->sin6_port);
3018                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3019                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3020                 }
3021
3022                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3023                            snum > ip_local_port_range_1)) {
3024                         err = security_port_sid(sk->sk_family, sk->sk_type,
3025                                                 sk->sk_protocol, snum, &sid);
3026                         if (err)
3027                                 goto out;
3028                         AVC_AUDIT_DATA_INIT(&ad,NET);
3029                         ad.u.net.sport = htons(snum);
3030                         ad.u.net.family = family;
3031                         err = avc_has_perm(isec->sid, sid,
3032                                            isec->sclass,
3033                                            SOCKET__NAME_BIND, &ad);
3034                         if (err)
3035                                 goto out;
3036                 }
3037                 
3038                 switch(isec->sclass) {
3039                 case SECCLASS_TCP_SOCKET:
3040                         node_perm = TCP_SOCKET__NODE_BIND;
3041                         break;
3042                         
3043                 case SECCLASS_UDP_SOCKET:
3044                         node_perm = UDP_SOCKET__NODE_BIND;
3045                         break;
3046                         
3047                 default:
3048                         node_perm = RAWIP_SOCKET__NODE_BIND;
3049                         break;
3050                 }
3051                 
3052                 err = security_node_sid(family, addrp, addrlen, &sid);
3053                 if (err)
3054                         goto out;
3055                 
3056                 AVC_AUDIT_DATA_INIT(&ad,NET);
3057                 ad.u.net.sport = htons(snum);
3058                 ad.u.net.family = family;
3059
3060                 if (family == PF_INET)
3061                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3062                 else
3063                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3064
3065                 err = avc_has_perm(isec->sid, sid,
3066                                    isec->sclass, node_perm, &ad);
3067                 if (err)
3068                         goto out;
3069         }
3070 out:
3071         return err;
3072 }
3073
3074 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3075 {
3076         struct inode_security_struct *isec;
3077         int err;
3078
3079         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3080         if (err)
3081                 return err;
3082
3083         /*
3084          * If a TCP socket, check name_connect permission for the port.
3085          */
3086         isec = SOCK_INODE(sock)->i_security;
3087         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3088                 struct sock *sk = sock->sk;
3089                 struct avc_audit_data ad;
3090                 struct sockaddr_in *addr4 = NULL;
3091                 struct sockaddr_in6 *addr6 = NULL;
3092                 unsigned short snum;
3093                 u32 sid;
3094
3095                 if (sk->sk_family == PF_INET) {
3096                         addr4 = (struct sockaddr_in *)address;
3097                         if (addrlen < sizeof(struct sockaddr_in))
3098                                 return -EINVAL;
3099                         snum = ntohs(addr4->sin_port);
3100                 } else {
3101                         addr6 = (struct sockaddr_in6 *)address;
3102                         if (addrlen < SIN6_LEN_RFC2133)
3103                                 return -EINVAL;
3104                         snum = ntohs(addr6->sin6_port);
3105                 }
3106
3107                 err = security_port_sid(sk->sk_family, sk->sk_type,
3108                                         sk->sk_protocol, snum, &sid);
3109                 if (err)
3110                         goto out;
3111
3112                 AVC_AUDIT_DATA_INIT(&ad,NET);
3113                 ad.u.net.dport = htons(snum);
3114                 ad.u.net.family = sk->sk_family;
3115                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3116                                    TCP_SOCKET__NAME_CONNECT, &ad);
3117                 if (err)
3118                         goto out;
3119         }
3120
3121 out:
3122         return err;
3123 }
3124
3125 static int selinux_socket_listen(struct socket *sock, int backlog)
3126 {
3127         return socket_has_perm(current, sock, SOCKET__LISTEN);
3128 }
3129
3130 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3131 {
3132         int err;
3133         struct inode_security_struct *isec;
3134         struct inode_security_struct *newisec;
3135
3136         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3137         if (err)
3138                 return err;
3139
3140         newisec = SOCK_INODE(newsock)->i_security;
3141
3142         isec = SOCK_INODE(sock)->i_security;
3143         newisec->sclass = isec->sclass;
3144         newisec->sid = isec->sid;
3145         newisec->initialized = 1;
3146
3147         return 0;
3148 }
3149
3150 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3151                                   int size)
3152 {
3153         return socket_has_perm(current, sock, SOCKET__WRITE);
3154 }
3155
3156 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3157                                   int size, int flags)
3158 {
3159         return socket_has_perm(current, sock, SOCKET__READ);
3160 }
3161
3162 static int selinux_socket_getsockname(struct socket *sock)
3163 {
3164         return socket_has_perm(current, sock, SOCKET__GETATTR);
3165 }
3166
3167 static int selinux_socket_getpeername(struct socket *sock)
3168 {
3169         return socket_has_perm(current, sock, SOCKET__GETATTR);
3170 }
3171
3172 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3173 {
3174         return socket_has_perm(current, sock, SOCKET__SETOPT);
3175 }
3176
3177 static int selinux_socket_getsockopt(struct socket *sock, int level,
3178                                      int optname)
3179 {
3180         return socket_has_perm(current, sock, SOCKET__GETOPT);
3181 }
3182
3183 static int selinux_socket_shutdown(struct socket *sock, int how)
3184 {
3185         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3186 }
3187
3188 static int selinux_socket_unix_stream_connect(struct socket *sock,
3189                                               struct socket *other,
3190                                               struct sock *newsk)
3191 {
3192         struct sk_security_struct *ssec;
3193         struct inode_security_struct *isec;
3194         struct inode_security_struct *other_isec;
3195         struct avc_audit_data ad;
3196         int err;
3197
3198         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3199         if (err)
3200                 return err;
3201
3202         isec = SOCK_INODE(sock)->i_security;
3203         other_isec = SOCK_INODE(other)->i_security;
3204
3205         AVC_AUDIT_DATA_INIT(&ad,NET);
3206         ad.u.net.sk = other->sk;
3207
3208         err = avc_has_perm(isec->sid, other_isec->sid,
3209                            isec->sclass,
3210                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3211         if (err)
3212                 return err;
3213
3214         /* connecting socket */
3215         ssec = sock->sk->sk_security;
3216         ssec->peer_sid = other_isec->sid;
3217         
3218         /* server child socket */
3219         ssec = newsk->sk_security;
3220         ssec->peer_sid = isec->sid;
3221         
3222         return 0;
3223 }
3224
3225 static int selinux_socket_unix_may_send(struct socket *sock,
3226                                         struct socket *other)
3227 {
3228         struct inode_security_struct *isec;
3229         struct inode_security_struct *other_isec;
3230         struct avc_audit_data ad;
3231         int err;
3232
3233         isec = SOCK_INODE(sock)->i_security;
3234         other_isec = SOCK_INODE(other)->i_security;
3235
3236         AVC_AUDIT_DATA_INIT(&ad,NET);
3237         ad.u.net.sk = other->sk;
3238
3239         err = avc_has_perm(isec->sid, other_isec->sid,
3240                            isec->sclass, SOCKET__SENDTO, &ad);
3241         if (err)
3242                 return err;
3243
3244         return 0;
3245 }
3246
3247 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3248                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3249                 u16 family, char *addrp, int len)
3250 {
3251         int err = 0;
3252         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3253
3254         if (!skb->dev)
3255                 goto out;
3256
3257         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3258         if (err)
3259                 goto out;
3260
3261         switch (sock_class) {
3262         case SECCLASS_UDP_SOCKET:
3263                 netif_perm = NETIF__UDP_RECV;
3264                 node_perm = NODE__UDP_RECV;
3265                 recv_perm = UDP_SOCKET__RECV_MSG;
3266                 break;
3267         
3268         case SECCLASS_TCP_SOCKET:
3269                 netif_perm = NETIF__TCP_RECV;
3270                 node_perm = NODE__TCP_RECV;
3271                 recv_perm = TCP_SOCKET__RECV_MSG;
3272                 break;
3273         
3274         default:
3275                 netif_perm = NETIF__RAWIP_RECV;
3276                 node_perm = NODE__RAWIP_RECV;
3277                 break;
3278         }
3279
3280         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3281         if (err)
3282                 goto out;
3283         
3284         err = security_node_sid(family, addrp, len, &node_sid);
3285         if (err)
3286                 goto out;
3287         
3288         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3289         if (err)
3290                 goto out;
3291
3292         if (recv_perm) {
3293                 u32 port_sid;
3294
3295                 err = security_port_sid(sk->sk_family, sk->sk_type,
3296                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3297                                         &port_sid);
3298                 if (err)
3299                         goto out;
3300
3301                 err = avc_has_perm(sock_sid, port_sid,
3302                                    sock_class, recv_perm, ad);
3303         }
3304
3305 out:
3306         return err;
3307 }
3308
3309 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3310 {
3311         u16 family;
3312         u16 sock_class = 0;
3313         char *addrp;
3314         int len, err = 0;
3315         u32 sock_sid = 0;
3316         struct socket *sock;
3317         struct avc_audit_data ad;
3318
3319         family = sk->sk_family;
3320         if (family != PF_INET && family != PF_INET6)
3321                 goto out;
3322
3323         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3324         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3325                 family = PF_INET;
3326
3327         read_lock_bh(&sk->sk_callback_lock);
3328         sock = sk->sk_socket;
3329         if (sock) {
3330                 struct inode *inode;
3331                 inode = SOCK_INODE(sock);
3332                 if (inode) {
3333                         struct inode_security_struct *isec;
3334                         isec = inode->i_security;
3335                         sock_sid = isec->sid;
3336                         sock_class = isec->sclass;
3337                 }
3338         }
3339         read_unlock_bh(&sk->sk_callback_lock);
3340         if (!sock_sid)
3341                 goto out;
3342
3343         AVC_AUDIT_DATA_INIT(&ad, NET);
3344         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3345         ad.u.net.family = family;
3346
3347         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3348         if (err)
3349                 goto out;
3350
3351         if (selinux_compat_net)
3352                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3353                                                   sock_class, family,
3354                                                   addrp, len);
3355         else
3356                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3357                                    PACKET__RECV, &ad);
3358         if (err)
3359                 goto out;
3360
3361         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3362 out:    
3363         return err;
3364 }
3365
3366 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3367                                             int __user *optlen, unsigned len)
3368 {
3369         int err = 0;
3370         char *scontext;
3371         u32 scontext_len;
3372         struct sk_security_struct *ssec;
3373         struct inode_security_struct *isec;
3374         u32 peer_sid = 0;
3375
3376         isec = SOCK_INODE(sock)->i_security;
3377
3378         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3379         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3380                 ssec = sock->sk->sk_security;
3381                 peer_sid = ssec->peer_sid;
3382         }
3383         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3384                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3385
3386                 if (peer_sid == SECSID_NULL) {
3387                         err = -ENOPROTOOPT;
3388                         goto out;
3389                 }
3390         }
3391         else {
3392                 err = -ENOPROTOOPT;
3393                 goto out;
3394         }
3395
3396         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3397
3398         if (err)
3399                 goto out;
3400
3401         if (scontext_len > len) {
3402                 err = -ERANGE;
3403                 goto out_len;
3404         }
3405
3406         if (copy_to_user(optval, scontext, scontext_len))
3407                 err = -EFAULT;
3408
3409 out_len:
3410         if (put_user(scontext_len, optlen))
3411                 err = -EFAULT;
3412
3413         kfree(scontext);
3414 out:    
3415         return err;
3416 }
3417
3418 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3419 {
3420         int err = 0;
3421         u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3422
3423         if (peer_sid == SECSID_NULL)
3424                 return -EINVAL;
3425
3426         err = security_sid_to_context(peer_sid, secdata, seclen);
3427         if (err)
3428                 return err;
3429
3430         return 0;
3431 }
3432
3433
3434
3435 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3436 {
3437         return sk_alloc_security(sk, family, priority);
3438 }
3439
3440 static void selinux_sk_free_security(struct sock *sk)
3441 {
3442         sk_free_security(sk);
3443 }
3444
3445 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3446 {
3447         struct inode_security_struct *isec;
3448         u32 sock_sid = SECINITSID_ANY_SOCKET;
3449
3450         if (!sk)
3451                 return selinux_no_sk_sid(fl);
3452
3453         read_lock_bh(&sk->sk_callback_lock);
3454         isec = get_sock_isec(sk);
3455
3456         if (isec)
3457                 sock_sid = isec->sid;
3458
3459         read_unlock_bh(&sk->sk_callback_lock);
3460         return sock_sid;
3461 }
3462
3463 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3464 {
3465         int err = 0;
3466         u32 perm;
3467         struct nlmsghdr *nlh;
3468         struct socket *sock = sk->sk_socket;
3469         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3470         
3471         if (skb->len < NLMSG_SPACE(0)) {
3472                 err = -EINVAL;
3473                 goto out;
3474         }
3475         nlh = (struct nlmsghdr *)skb->data;
3476         
3477         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3478         if (err) {
3479                 if (err == -EINVAL) {
3480                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3481                                   "SELinux:  unrecognized netlink message"
3482                                   " type=%hu for sclass=%hu\n",
3483                                   nlh->nlmsg_type, isec->sclass);
3484                         if (!selinux_enforcing)
3485                                 err = 0;
3486                 }
3487
3488                 /* Ignore */
3489                 if (err == -ENOENT)
3490                         err = 0;
3491                 goto out;
3492         }
3493
3494         err = socket_has_perm(current, sock, perm);
3495 out:
3496         return err;
3497 }
3498
3499 #ifdef CONFIG_NETFILTER
3500
3501 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3502                                             struct inode_security_struct *isec,
3503                                             struct avc_audit_data *ad,
3504                                             u16 family, char *addrp, int len)
3505 {
3506         int err;
3507         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3508         
3509         err = sel_netif_sids(dev, &if_sid, NULL);
3510         if (err)
3511                 goto out;
3512
3513         switch (isec->sclass) {
3514         case SECCLASS_UDP_SOCKET:
3515                 netif_perm = NETIF__UDP_SEND;
3516                 node_perm = NODE__UDP_SEND;
3517                 send_perm = UDP_SOCKET__SEND_MSG;
3518                 break;
3519         
3520         case SECCLASS_TCP_SOCKET:
3521                 netif_perm = NETIF__TCP_SEND;
3522                 node_perm = NODE__TCP_SEND;
3523                 send_perm = TCP_SOCKET__SEND_MSG;
3524                 break;
3525         
3526         default:
3527                 netif_perm = NETIF__RAWIP_SEND;
3528                 node_perm = NODE__RAWIP_SEND;
3529                 break;
3530         }
3531
3532         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3533         if (err)
3534                 goto out;
3535                 
3536         err = security_node_sid(family, addrp, len, &node_sid);
3537         if (err)
3538                 goto out;
3539         
3540         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3541         if (err)
3542                 goto out;
3543
3544         if (send_perm) {
3545                 u32 port_sid;
3546                 
3547                 err = security_port_sid(sk->sk_family,
3548                                         sk->sk_type,
3549                                         sk->sk_protocol,
3550                                         ntohs(ad->u.net.dport),
3551                                         &port_sid);
3552                 if (err)
3553                         goto out;
3554
3555                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3556                                    send_perm, ad);
3557         }
3558 out:
3559         return err;
3560 }
3561
3562 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3563                                               struct sk_buff **pskb,
3564                                               const struct net_device *in,
3565                                               const struct net_device *out,
3566                                               int (*okfn)(struct sk_buff *),
3567                                               u16 family)
3568 {
3569         char *addrp;
3570         int len, err = 0;
3571         struct sock *sk;
3572         struct socket *sock;
3573         struct inode *inode;
3574         struct sk_buff *skb = *pskb;
3575         struct inode_security_struct *isec;
3576         struct avc_audit_data ad;
3577         struct net_device *dev = (struct net_device *)out;
3578
3579         sk = skb->sk;
3580         if (!sk)
3581                 goto out;
3582
3583         sock = sk->sk_socket;
3584         if (!sock)
3585                 goto out;
3586
3587         inode = SOCK_INODE(sock);
3588         if (!inode)
3589                 goto out;
3590
3591         isec = inode->i_security;
3592
3593         AVC_AUDIT_DATA_INIT(&ad, NET);
3594         ad.u.net.netif = dev->name;
3595         ad.u.net.family = family;
3596
3597         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3598         if (err)
3599                 goto out;
3600
3601         if (selinux_compat_net)
3602                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3603                                                        family, addrp, len);
3604         else
3605                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3606                                    PACKET__SEND, &ad);
3607
3608         if (err)
3609                 goto out;
3610
3611         err = selinux_xfrm_postroute_last(isec->sid, skb);
3612 out:
3613         return err ? NF_DROP : NF_ACCEPT;
3614 }
3615
3616 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3617                                                 struct sk_buff **pskb,
3618                                                 const struct net_device *in,
3619                                                 const struct net_device *out,
3620                                                 int (*okfn)(struct sk_buff *))
3621 {
3622         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3623 }
3624
3625 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3626
3627 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3628                                                 struct sk_buff **pskb,
3629                                                 const struct net_device *in,
3630                                                 const struct net_device *out,
3631                                                 int (*okfn)(struct sk_buff *))
3632 {
3633         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3634 }
3635
3636 #endif  /* IPV6 */
3637
3638 #endif  /* CONFIG_NETFILTER */
3639
3640 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3641 {
3642         struct task_security_struct *tsec;
3643         struct av_decision avd;
3644         int err;
3645
3646         err = secondary_ops->netlink_send(sk, skb);
3647         if (err)
3648                 return err;
3649
3650         tsec = current->security;
3651
3652         avd.allowed = 0;
3653         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3654                                 SECCLASS_CAPABILITY, ~0, &avd);
3655         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3656
3657         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3658                 err = selinux_nlmsg_perm(sk, skb);
3659
3660         return err;
3661 }
3662
3663 static int selinux_netlink_recv(struct sk_buff *skb)
3664 {
3665         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3666                 return -EPERM;
3667         return 0;
3668 }
3669
3670 static int ipc_alloc_security(struct task_struct *task,
3671                               struct kern_ipc_perm *perm,
3672                               u16 sclass)
3673 {
3674         struct task_security_struct *tsec = task->security;
3675         struct ipc_security_struct *isec;
3676
3677         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3678         if (!isec)
3679                 return -ENOMEM;
3680
3681         isec->sclass = sclass;
3682         isec->ipc_perm = perm;
3683         isec->sid = tsec->sid;
3684         perm->security = isec;
3685
3686         return 0;
3687 }
3688
3689 static void ipc_free_security(struct kern_ipc_perm *perm)
3690 {
3691         struct ipc_security_struct *isec = perm->security;
3692         perm->security = NULL;
3693         kfree(isec);
3694 }
3695
3696 static int msg_msg_alloc_security(struct msg_msg *msg)
3697 {
3698         struct msg_security_struct *msec;
3699
3700         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3701         if (!msec)
3702                 return -ENOMEM;
3703
3704         msec->msg = msg;
3705         msec->sid = SECINITSID_UNLABELED;
3706         msg->security = msec;
3707
3708         return 0;
3709 }
3710
3711 static void msg_msg_free_security(struct msg_msg *msg)
3712 {
3713         struct msg_security_struct *msec = msg->security;
3714
3715         msg->security = NULL;
3716         kfree(msec);
3717 }
3718
3719 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3720                         u32 perms)
3721 {
3722         struct task_security_struct *tsec;
3723         struct ipc_security_struct *isec;
3724         struct avc_audit_data ad;
3725
3726         tsec = current->security;
3727         isec = ipc_perms->security;
3728
3729         AVC_AUDIT_DATA_INIT(&ad, IPC);
3730         ad.u.ipc_id = ipc_perms->key;
3731
3732         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3733 }
3734
3735 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3736 {
3737         return msg_msg_alloc_security(msg);
3738 }
3739
3740 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3741 {
3742         msg_msg_free_security(msg);
3743 }
3744
3745 /* message queue security operations */
3746 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3747 {
3748         struct task_security_struct *tsec;
3749         struct ipc_security_struct *isec;
3750         struct avc_audit_data ad;
3751         int rc;
3752
3753         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3754         if (rc)
3755                 return rc;
3756
3757         tsec = current->security;
3758         isec = msq->q_perm.security;
3759
3760         AVC_AUDIT_DATA_INIT(&ad, IPC);
3761         ad.u.ipc_id = msq->q_perm.key;
3762
3763         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3764                           MSGQ__CREATE, &ad);
3765         if (rc) {
3766                 ipc_free_security(&msq->q_perm);
3767                 return rc;
3768         }
3769         return 0;
3770 }
3771
3772 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3773 {
3774         ipc_free_security(&msq->q_perm);
3775 }
3776
3777 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3778 {
3779         struct task_security_struct *tsec;
3780         struct ipc_security_struct *isec;
3781         struct avc_audit_data ad;
3782
3783         tsec = current->security;
3784         isec = msq->q_perm.security;
3785
3786         AVC_AUDIT_DATA_INIT(&ad, IPC);
3787         ad.u.ipc_id = msq->q_perm.key;
3788
3789         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3790                             MSGQ__ASSOCIATE, &ad);
3791 }
3792
3793 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3794 {
3795         int err;
3796         int perms;
3797
3798         switch(cmd) {
3799         case IPC_INFO:
3800         case MSG_INFO:
3801                 /* No specific object, just general system-wide information. */
3802                 return task_has_system(current, SYSTEM__IPC_INFO);
3803         case IPC_STAT:
3804         case MSG_STAT:
3805                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3806                 break;
3807         case IPC_SET:
3808                 perms = MSGQ__SETATTR;
3809                 break;
3810         case IPC_RMID:
3811                 perms = MSGQ__DESTROY;
3812                 break;
3813         default:
3814                 return 0;
3815         }
3816
3817         err = ipc_has_perm(&msq->q_perm, perms);
3818         return err;
3819 }
3820
3821 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3822 {
3823         struct task_security_struct *tsec;
3824         struct ipc_security_struct *isec;
3825         struct msg_security_struct *msec;
3826         struct avc_audit_data ad;
3827         int rc;
3828
3829         tsec = current->security;
3830         isec = msq->q_perm.security;
3831         msec = msg->security;
3832
3833         /*
3834          * First time through, need to assign label to the message
3835          */
3836         if (msec->sid == SECINITSID_UNLABELED) {
3837                 /*
3838                  * Compute new sid based on current process and
3839                  * message queue this message will be stored in
3840                  */
3841                 rc = security_transition_sid(tsec->sid,
3842                                              isec->sid,
3843                                              SECCLASS_MSG,
3844                                              &msec->sid);
3845                 if (rc)
3846                         return rc;
3847         }
3848
3849         AVC_AUDIT_DATA_INIT(&ad, IPC);
3850         ad.u.ipc_id = msq->q_perm.key;
3851
3852         /* Can this process write to the queue? */
3853         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3854                           MSGQ__WRITE, &ad);
3855         if (!rc)
3856                 /* Can this process send the message */
3857                 rc = avc_has_perm(tsec->sid, msec->sid,
3858                                   SECCLASS_MSG, MSG__SEND, &ad);
3859         if (!rc)
3860                 /* Can the message be put in the queue? */
3861                 rc = avc_has_perm(msec->sid, isec->sid,
3862                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3863
3864         return rc;
3865 }
3866
3867 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3868                                     struct task_struct *target,
3869                                     long type, int mode)
3870 {
3871         struct task_security_struct *tsec;
3872         struct ipc_security_struct *isec;
3873         struct msg_security_struct *msec;
3874         struct avc_audit_data ad;
3875         int rc;
3876
3877         tsec = target->security;
3878         isec = msq->q_perm.security;
3879         msec = msg->security;
3880
3881         AVC_AUDIT_DATA_INIT(&ad, IPC);
3882         ad.u.ipc_id = msq->q_perm.key;
3883
3884         rc = avc_has_perm(tsec->sid, isec->sid,
3885                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3886         if (!rc)
3887                 rc = avc_has_perm(tsec->sid, msec->sid,
3888                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3889         return rc;
3890 }
3891
3892 /* Shared Memory security operations */
3893 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3894 {
3895         struct task_security_struct *tsec;
3896         struct ipc_security_struct *isec;
3897         struct avc_audit_data ad;
3898         int rc;
3899
3900         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3901         if (rc)
3902                 return rc;
3903
3904         tsec = current->security;
3905         isec = shp->shm_perm.security;
3906
3907         AVC_AUDIT_DATA_INIT(&ad, IPC);
3908         ad.u.ipc_id = shp->shm_perm.key;
3909
3910         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3911                           SHM__CREATE, &ad);
3912         if (rc) {
3913                 ipc_free_security(&shp->shm_perm);
3914                 return rc;
3915         }
3916         return 0;
3917 }
3918
3919 static void selinux_shm_free_security(struct shmid_kernel *shp)
3920 {
3921         ipc_free_security(&shp->shm_perm);
3922 }
3923
3924 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3925 {
3926         struct task_security_struct *tsec;
3927         struct ipc_security_struct *isec;
3928         struct avc_audit_data ad;
3929
3930         tsec = current->security;
3931         isec = shp->shm_perm.security;
3932
3933         AVC_AUDIT_DATA_INIT(&ad, IPC);
3934         ad.u.ipc_id = shp->shm_perm.key;
3935
3936         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3937                             SHM__ASSOCIATE, &ad);
3938 }
3939
3940 /* Note, at this point, shp is locked down */
3941 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3942 {
3943         int perms;
3944         int err;
3945
3946         switch(cmd) {
3947         case IPC_INFO:
3948         case SHM_INFO:
3949                 /* No specific object, just general system-wide information. */
3950                 return task_has_system(current, SYSTEM__IPC_INFO);
3951         case IPC_STAT:
3952         case SHM_STAT:
3953                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3954                 break;
3955         case IPC_SET:
3956                 perms = SHM__SETATTR;
3957                 break;
3958         case SHM_LOCK:
3959         case SHM_UNLOCK:
3960                 perms = SHM__LOCK;
3961                 break;
3962         case IPC_RMID:
3963                 perms = SHM__DESTROY;
3964                 break;
3965         default:
3966                 return 0;
3967         }
3968
3969         err = ipc_has_perm(&shp->shm_perm, perms);
3970         return err;
3971 }
3972
3973 static int selinux_shm_shmat(struct shmid_kernel *shp,
3974                              char __user *shmaddr, int shmflg)
3975 {
3976         u32 perms;
3977         int rc;
3978
3979         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3980         if (rc)
3981                 return rc;
3982
3983         if (shmflg & SHM_RDONLY)
3984                 perms = SHM__READ;
3985         else
3986                 perms = SHM__READ | SHM__WRITE;
3987
3988         return ipc_has_perm(&shp->shm_perm, perms);
3989 }
3990
3991 /* Semaphore security operations */
3992 static int selinux_sem_alloc_security(struct sem_array *sma)
3993 {
3994         struct task_security_struct *tsec;
3995         struct ipc_security_struct *isec;
3996         struct avc_audit_data ad;
3997         int rc;
3998
3999         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4000         if (rc)
4001                 return rc;
4002
4003         tsec = current->security;
4004         isec = sma->sem_perm.security;
4005
4006         AVC_AUDIT_DATA_INIT(&ad, IPC);
4007         ad.u.ipc_id = sma->sem_perm.key;
4008
4009         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4010                           SEM__CREATE, &ad);
4011         if (rc) {
4012                 ipc_free_security(&sma->sem_perm);
4013                 return rc;
4014         }
4015         return 0;
4016 }
4017
4018 static void selinux_sem_free_security(struct sem_array *sma)
4019 {
4020         ipc_free_security(&sma->sem_perm);
4021 }
4022
4023 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4024 {
4025         struct task_security_struct *tsec;
4026         struct ipc_security_struct *isec;
4027         struct avc_audit_data ad;
4028
4029         tsec = current->security;
4030         isec = sma->sem_perm.security;
4031
4032         AVC_AUDIT_DATA_INIT(&ad, IPC);
4033         ad.u.ipc_id = sma->sem_perm.key;
4034
4035         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4036                             SEM__ASSOCIATE, &ad);
4037 }
4038
4039 /* Note, at this point, sma is locked down */
4040 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4041 {
4042         int err;
4043         u32 perms;
4044
4045         switch(cmd) {
4046         case IPC_INFO:
4047         case SEM_INFO:
4048                 /* No specific object, just general system-wide information. */
4049                 return task_has_system(current, SYSTEM__IPC_INFO);
4050         case GETPID:
4051         case GETNCNT:
4052         case GETZCNT:
4053                 perms = SEM__GETATTR;
4054                 break;
4055         case GETVAL:
4056         case GETALL:
4057                 perms = SEM__READ;
4058                 break;
4059         case SETVAL:
4060         case SETALL:
4061                 perms = SEM__WRITE;
4062                 break;
4063         case IPC_RMID:
4064                 perms = SEM__DESTROY;
4065                 break;
4066         case IPC_SET:
4067                 perms = SEM__SETATTR;
4068                 break;
4069         case IPC_STAT:
4070         case SEM_STAT:
4071                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4072                 break;
4073         default:
4074                 return 0;
4075         }
4076
4077         err = ipc_has_perm(&sma->sem_perm, perms);
4078         return err;
4079 }
4080
4081 static int selinux_sem_semop(struct sem_array *sma,
4082                              struct sembuf *sops, unsigned nsops, int alter)
4083 {
4084         u32 perms;
4085
4086         if (alter)
4087                 perms = SEM__READ | SEM__WRITE;
4088         else
4089                 perms = SEM__READ;
4090
4091         return ipc_has_perm(&sma->sem_perm, perms);
4092 }
4093
4094 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4095 {
4096         u32 av = 0;
4097
4098         av = 0;
4099         if (flag & S_IRUGO)
4100                 av |= IPC__UNIX_READ;
4101         if (flag & S_IWUGO)
4102                 av |= IPC__UNIX_WRITE;
4103
4104         if (av == 0)
4105                 return 0;
4106
4107         return ipc_has_perm(ipcp, av);
4108 }
4109
4110 /* module stacking operations */
4111 static int selinux_register_security (const char *name, struct security_operations *ops)
4112 {
4113         if (secondary_ops != original_ops) {
4114                 printk(KERN_INFO "%s:  There is already a secondary security "
4115                        "module registered.\n", __FUNCTION__);
4116                 return -EINVAL;
4117         }
4118
4119         secondary_ops = ops;
4120
4121         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4122                __FUNCTION__,
4123                name);
4124
4125         return 0;
4126 }
4127
4128 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4129 {
4130         if (ops != secondary_ops) {
4131                 printk (KERN_INFO "%s:  trying to unregister a security module "
4132                         "that is not registered.\n", __FUNCTION__);
4133                 return -EINVAL;
4134         }
4135
4136         secondary_ops = original_ops;
4137
4138         return 0;
4139 }
4140
4141 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4142 {
4143         if (inode)
4144                 inode_doinit_with_dentry(inode, dentry);
4145 }
4146
4147 static int selinux_getprocattr(struct task_struct *p,
4148                                char *name, void *value, size_t size)
4149 {
4150         struct task_security_struct *tsec;
4151         u32 sid;
4152         int error;
4153
4154         if (current != p) {
4155                 error = task_has_perm(current, p, PROCESS__GETATTR);
4156                 if (error)
4157                         return error;
4158         }
4159
4160         tsec = p->security;
4161
4162         if (!strcmp(name, "current"))
4163                 sid = tsec->sid;
4164         else if (!strcmp(name, "prev"))
4165                 sid = tsec->osid;
4166         else if (!strcmp(name, "exec"))
4167                 sid = tsec->exec_sid;
4168         else if (!strcmp(name, "fscreate"))
4169                 sid = tsec->create_sid;
4170         else if (!strcmp(name, "keycreate"))
4171                 sid = tsec->keycreate_sid;
4172         else if (!strcmp(name, "sockcreate"))
4173                 sid = tsec->sockcreate_sid;
4174         else
4175                 return -EINVAL;
4176
4177         if (!sid)
4178                 return 0;
4179
4180         return selinux_getsecurity(sid, value, size);
4181 }
4182
4183 static int selinux_setprocattr(struct task_struct *p,
4184                                char *name, void *value, size_t size)
4185 {
4186         struct task_security_struct *tsec;
4187         u32 sid = 0;
4188         int error;
4189         char *str = value;
4190
4191         if (current != p) {
4192                 /* SELinux only allows a process to change its own
4193                    security attributes. */
4194                 return -EACCES;
4195         }
4196
4197         /*
4198          * Basic control over ability to set these attributes at all.
4199          * current == p, but we'll pass them separately in case the
4200          * above restriction is ever removed.
4201          */
4202         if (!strcmp(name, "exec"))
4203                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4204         else if (!strcmp(name, "fscreate"))
4205                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4206         else if (!strcmp(name, "keycreate"))
4207                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4208         else if (!strcmp(name, "sockcreate"))
4209                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4210         else if (!strcmp(name, "current"))
4211                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4212         else
4213                 error = -EINVAL;
4214         if (error)
4215                 return error;
4216
4217         /* Obtain a SID for the context, if one was specified. */
4218         if (size && str[1] && str[1] != '\n') {
4219                 if (str[size-1] == '\n') {
4220                         str[size-1] = 0;
4221                         size--;
4222                 }
4223                 error = security_context_to_sid(value, size, &sid);
4224                 if (error)
4225                         return error;
4226         }
4227
4228         /* Permission checking based on the specified context is
4229            performed during the actual operation (execve,
4230            open/mkdir/...), when we know the full context of the
4231            operation.  See selinux_bprm_set_security for the execve
4232            checks and may_create for the file creation checks. The
4233            operation will then fail if the context is not permitted. */
4234         tsec = p->security;
4235         if (!strcmp(name, "exec"))
4236                 tsec->exec_sid = sid;
4237         else if (!strcmp(name, "fscreate"))
4238                 tsec->create_sid = sid;
4239         else if (!strcmp(name, "keycreate")) {
4240                 error = may_create_key(sid, p);
4241                 if (error)
4242                         return error;
4243                 tsec->keycreate_sid = sid;
4244         } else if (!strcmp(name, "sockcreate"))
4245                 tsec->sockcreate_sid = sid;
4246         else if (!strcmp(name, "current")) {
4247                 struct av_decision avd;
4248
4249                 if (sid == 0)
4250                         return -EINVAL;
4251
4252                 /* Only allow single threaded processes to change context */
4253                 if (atomic_read(&p->mm->mm_users) != 1) {
4254                         struct task_struct *g, *t;
4255                         struct mm_struct *mm = p->mm;
4256                         read_lock(&tasklist_lock);
4257                         do_each_thread(g, t)
4258                                 if (t->mm == mm && t != p) {
4259                                         read_unlock(&tasklist_lock);
4260                                         return -EPERM;
4261                                 }
4262                         while_each_thread(g, t);
4263                         read_unlock(&tasklist_lock);
4264                 }
4265
4266                 /* Check permissions for the transition. */
4267                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4268                                      PROCESS__DYNTRANSITION, NULL);
4269                 if (error)
4270                         return error;
4271
4272                 /* Check for ptracing, and update the task SID if ok.
4273                    Otherwise, leave SID unchanged and fail. */
4274                 task_lock(p);
4275                 if (p->ptrace & PT_PTRACED) {
4276                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4277                                                      SECCLASS_PROCESS,
4278                                                      PROCESS__PTRACE, &avd);
4279                         if (!error)
4280                                 tsec->sid = sid;
4281                         task_unlock(p);
4282                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4283                                   PROCESS__PTRACE, &avd, error, NULL);
4284                         if (error)
4285                                 return error;
4286                 } else {
4287                         tsec->sid = sid;
4288                         task_unlock(p);
4289                 }
4290         }
4291         else
4292                 return -EINVAL;
4293
4294         return size;
4295 }
4296
4297 #ifdef CONFIG_KEYS
4298
4299 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4300                              unsigned long flags)
4301 {
4302         struct task_security_struct *tsec = tsk->security;
4303         struct key_security_struct *ksec;
4304
4305         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4306         if (!ksec)
4307                 return -ENOMEM;
4308
4309         ksec->obj = k;
4310         if (tsec->keycreate_sid)
4311                 ksec->sid = tsec->keycreate_sid;
4312         else
4313                 ksec->sid = tsec->sid;
4314         k->security = ksec;
4315
4316         return 0;
4317 }
4318
4319 static void selinux_key_free(struct key *k)
4320 {
4321         struct key_security_struct *ksec = k->security;
4322
4323         k->security = NULL;
4324         kfree(ksec);
4325 }
4326
4327 static int selinux_key_permission(key_ref_t key_ref,
4328                             struct task_struct *ctx,
4329                             key_perm_t perm)
4330 {
4331         struct key *key;
4332         struct task_security_struct *tsec;
4333         struct key_security_struct *ksec;
4334
4335         key = key_ref_to_ptr(key_ref);
4336
4337         tsec = ctx->security;
4338         ksec = key->security;
4339
4340         /* if no specific permissions are requested, we skip the
4341            permission check. No serious, additional covert channels
4342            appear to be created. */
4343         if (perm == 0)
4344                 return 0;
4345
4346         return avc_has_perm(tsec->sid, ksec->sid,
4347                             SECCLASS_KEY, perm, NULL);
4348 }
4349
4350 #endif
4351
4352 static struct security_operations selinux_ops = {
4353         .ptrace =                       selinux_ptrace,
4354         .capget =                       selinux_capget,
4355         .capset_check =                 selinux_capset_check,
4356         .capset_set =                   selinux_capset_set,
4357         .sysctl =                       selinux_sysctl,
4358         .capable =                      selinux_capable,
4359         .quotactl =                     selinux_quotactl,
4360         .quota_on =                     selinux_quota_on,
4361         .syslog =                       selinux_syslog,
4362         .vm_enough_memory =             selinux_vm_enough_memory,
4363
4364         .netlink_send =                 selinux_netlink_send,
4365         .netlink_recv =                 selinux_netlink_recv,
4366
4367         .bprm_alloc_security =          selinux_bprm_alloc_security,
4368         .bprm_free_security =           selinux_bprm_free_security,
4369         .bprm_apply_creds =             selinux_bprm_apply_creds,
4370         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4371         .bprm_set_security =            selinux_bprm_set_security,
4372         .bprm_check_security =          selinux_bprm_check_security,
4373         .bprm_secureexec =              selinux_bprm_secureexec,
4374
4375         .sb_alloc_security =            selinux_sb_alloc_security,
4376         .sb_free_security =             selinux_sb_free_security,
4377         .sb_copy_data =                 selinux_sb_copy_data,
4378         .sb_kern_mount =                selinux_sb_kern_mount,
4379         .sb_statfs =                    selinux_sb_statfs,
4380         .sb_mount =                     selinux_mount,
4381         .sb_umount =                    selinux_umount,
4382
4383         .inode_alloc_security =         selinux_inode_alloc_security,
4384         .inode_free_security =          selinux_inode_free_security,
4385         .inode_init_security =          selinux_inode_init_security,
4386         .inode_create =                 selinux_inode_create,
4387         .inode_link =                   selinux_inode_link,
4388         .inode_unlink =                 selinux_inode_unlink,
4389         .inode_symlink =                selinux_inode_symlink,
4390         .inode_mkdir =                  selinux_inode_mkdir,
4391         .inode_rmdir =                  selinux_inode_rmdir,
4392         .inode_mknod =                  selinux_inode_mknod,
4393         .inode_rename =                 selinux_inode_rename,
4394         .inode_readlink =               selinux_inode_readlink,
4395         .inode_follow_link =            selinux_inode_follow_link,
4396         .inode_permission =             selinux_inode_permission,
4397         .inode_setattr =                selinux_inode_setattr,
4398         .inode_getattr =                selinux_inode_getattr,
4399         .inode_setxattr =               selinux_inode_setxattr,
4400         .inode_post_setxattr =          selinux_inode_post_setxattr,
4401         .inode_getxattr =               selinux_inode_getxattr,
4402         .inode_listxattr =              selinux_inode_listxattr,
4403         .inode_removexattr =            selinux_inode_removexattr,
4404         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4405         .inode_getsecurity =            selinux_inode_getsecurity,
4406         .inode_setsecurity =            selinux_inode_setsecurity,
4407         .inode_listsecurity =           selinux_inode_listsecurity,
4408
4409         .file_permission =              selinux_file_permission,
4410         .file_alloc_security =          selinux_file_alloc_security,
4411         .file_free_security =           selinux_file_free_security,
4412         .file_ioctl =                   selinux_file_ioctl,
4413         .file_mmap =                    selinux_file_mmap,
4414         .file_mprotect =                selinux_file_mprotect,
4415         .file_lock =                    selinux_file_lock,
4416         .file_fcntl =                   selinux_file_fcntl,
4417         .file_set_fowner =              selinux_file_set_fowner,
4418         .file_send_sigiotask =          selinux_file_send_sigiotask,
4419         .file_receive =                 selinux_file_receive,
4420
4421         .task_create =                  selinux_task_create,
4422         .task_alloc_security =          selinux_task_alloc_security,
4423         .task_free_security =           selinux_task_free_security,
4424         .task_setuid =                  selinux_task_setuid,
4425         .task_post_setuid =             selinux_task_post_setuid,
4426         .task_setgid =                  selinux_task_setgid,
4427         .task_setpgid =                 selinux_task_setpgid,
4428         .task_getpgid =                 selinux_task_getpgid,
4429         .task_getsid =                  selinux_task_getsid,
4430         .task_setgroups =               selinux_task_setgroups,
4431         .task_setnice =                 selinux_task_setnice,
4432         .task_setioprio =               selinux_task_setioprio,
4433         .task_setrlimit =               selinux_task_setrlimit,
4434         .task_setscheduler =            selinux_task_setscheduler,
4435         .task_getscheduler =            selinux_task_getscheduler,
4436         .task_movememory =              selinux_task_movememory,
4437         .task_kill =                    selinux_task_kill,
4438         .task_wait =                    selinux_task_wait,
4439         .task_prctl =                   selinux_task_prctl,
4440         .task_reparent_to_init =        selinux_task_reparent_to_init,
4441         .task_to_inode =                selinux_task_to_inode,
4442
4443         .ipc_permission =               selinux_ipc_permission,
4444
4445         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4446         .msg_msg_free_security =        selinux_msg_msg_free_security,
4447
4448         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4449         .msg_queue_free_security =      selinux_msg_queue_free_security,
4450         .msg_queue_associate =          selinux_msg_queue_associate,
4451         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4452         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4453         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4454
4455         .shm_alloc_security =           selinux_shm_alloc_security,
4456         .shm_free_security =            selinux_shm_free_security,
4457         .shm_associate =                selinux_shm_associate,
4458         .shm_shmctl =                   selinux_shm_shmctl,
4459         .shm_shmat =                    selinux_shm_shmat,
4460
4461         .sem_alloc_security =           selinux_sem_alloc_security,
4462         .sem_free_security =            selinux_sem_free_security,
4463         .sem_associate =                selinux_sem_associate,
4464         .sem_semctl =                   selinux_sem_semctl,
4465         .sem_semop =                    selinux_sem_semop,
4466
4467         .register_security =            selinux_register_security,
4468         .unregister_security =          selinux_unregister_security,
4469
4470         .d_instantiate =                selinux_d_instantiate,
4471
4472         .getprocattr =                  selinux_getprocattr,
4473         .setprocattr =                  selinux_setprocattr,
4474
4475         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4476         .unix_may_send =                selinux_socket_unix_may_send,
4477
4478         .socket_create =                selinux_socket_create,
4479         .socket_post_create =           selinux_socket_post_create,
4480         .socket_bind =                  selinux_socket_bind,
4481         .socket_connect =               selinux_socket_connect,
4482         .socket_listen =                selinux_socket_listen,
4483         .socket_accept =                selinux_socket_accept,
4484         .socket_sendmsg =               selinux_socket_sendmsg,
4485         .socket_recvmsg =               selinux_socket_recvmsg,
4486         .socket_getsockname =           selinux_socket_getsockname,
4487         .socket_getpeername =           selinux_socket_getpeername,
4488         .socket_getsockopt =            selinux_socket_getsockopt,
4489         .socket_setsockopt =            selinux_socket_setsockopt,
4490         .socket_shutdown =              selinux_socket_shutdown,
4491         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4492         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4493         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4494         .sk_alloc_security =            selinux_sk_alloc_security,
4495         .sk_free_security =             selinux_sk_free_security,
4496         .sk_getsid =                    selinux_sk_getsid_security,
4497
4498 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4499         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4500         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4501         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4502         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4503         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4504         .xfrm_state_free_security =     selinux_xfrm_state_free,
4505         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4506         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4507 #endif
4508
4509 #ifdef CONFIG_KEYS
4510         .key_alloc =                    selinux_key_alloc,
4511         .key_free =                     selinux_key_free,
4512         .key_permission =               selinux_key_permission,
4513 #endif
4514 };
4515
4516 static __init int selinux_init(void)
4517 {
4518         struct task_security_struct *tsec;
4519
4520         if (!selinux_enabled) {
4521                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4522                 return 0;
4523         }
4524
4525         printk(KERN_INFO "SELinux:  Initializing.\n");
4526
4527         /* Set the security state for the initial task. */
4528         if (task_alloc_security(current))
4529                 panic("SELinux:  Failed to initialize initial task.\n");
4530         tsec = current->security;
4531         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4532
4533         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4534                                             sizeof(struct inode_security_struct),
4535                                             0, SLAB_PANIC, NULL, NULL);
4536         avc_init();
4537
4538         original_ops = secondary_ops = security_ops;
4539         if (!secondary_ops)
4540                 panic ("SELinux: No initial security operations\n");
4541         if (register_security (&selinux_ops))
4542                 panic("SELinux: Unable to register with kernel.\n");
4543
4544         if (selinux_enforcing) {
4545                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4546         } else {
4547                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4548         }
4549
4550 #ifdef CONFIG_KEYS
4551         /* Add security information to initial keyrings */
4552         selinux_key_alloc(&root_user_keyring, current,
4553                           KEY_ALLOC_NOT_IN_QUOTA);
4554         selinux_key_alloc(&root_session_keyring, current,
4555                           KEY_ALLOC_NOT_IN_QUOTA);
4556 #endif
4557
4558         return 0;
4559 }
4560
4561 void selinux_complete_init(void)
4562 {
4563         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4564
4565         /* Set up any superblocks initialized prior to the policy load. */
4566         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4567         spin_lock(&sb_lock);
4568         spin_lock(&sb_security_lock);
4569 next_sb:
4570         if (!list_empty(&superblock_security_head)) {
4571                 struct superblock_security_struct *sbsec =
4572                                 list_entry(superblock_security_head.next,
4573                                            struct superblock_security_struct,
4574                                            list);
4575                 struct super_block *sb = sbsec->sb;
4576                 sb->s_count++;
4577                 spin_unlock(&sb_security_lock);
4578                 spin_unlock(&sb_lock);
4579                 down_read(&sb->s_umount);
4580                 if (sb->s_root)
4581                         superblock_doinit(sb, NULL);
4582                 drop_super(sb);
4583                 spin_lock(&sb_lock);
4584                 spin_lock(&sb_security_lock);
4585                 list_del_init(&sbsec->list);
4586                 goto next_sb;
4587         }
4588         spin_unlock(&sb_security_lock);
4589         spin_unlock(&sb_lock);
4590 }
4591
4592 /* SELinux requires early initialization in order to label
4593    all processes and objects when they are created. */
4594 security_initcall(selinux_init);
4595
4596 #if defined(CONFIG_NETFILTER)
4597
4598 static struct nf_hook_ops selinux_ipv4_op = {
4599         .hook =         selinux_ipv4_postroute_last,
4600         .owner =        THIS_MODULE,
4601         .pf =           PF_INET,
4602         .hooknum =      NF_IP_POST_ROUTING,
4603         .priority =     NF_IP_PRI_SELINUX_LAST,
4604 };
4605
4606 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4607
4608 static struct nf_hook_ops selinux_ipv6_op = {
4609         .hook =         selinux_ipv6_postroute_last,
4610         .owner =        THIS_MODULE,
4611         .pf =           PF_INET6,
4612         .hooknum =      NF_IP6_POST_ROUTING,
4613         .priority =     NF_IP6_PRI_SELINUX_LAST,
4614 };
4615
4616 #endif  /* IPV6 */
4617
4618 static int __init selinux_nf_ip_init(void)
4619 {
4620         int err = 0;
4621
4622         if (!selinux_enabled)
4623                 goto out;
4624                 
4625         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4626         
4627         err = nf_register_hook(&selinux_ipv4_op);
4628         if (err)
4629                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4630
4631 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4632
4633         err = nf_register_hook(&selinux_ipv6_op);
4634         if (err)
4635                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4636
4637 #endif  /* IPV6 */
4638
4639 out:
4640         return err;
4641 }
4642
4643 __initcall(selinux_nf_ip_init);
4644
4645 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4646 static void selinux_nf_ip_exit(void)
4647 {
4648         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4649
4650         nf_unregister_hook(&selinux_ipv4_op);
4651 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4652         nf_unregister_hook(&selinux_ipv6_op);
4653 #endif  /* IPV6 */
4654 }
4655 #endif
4656
4657 #else /* CONFIG_NETFILTER */
4658
4659 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4660 #define selinux_nf_ip_exit()
4661 #endif
4662
4663 #endif /* CONFIG_NETFILTER */
4664
4665 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4666 int selinux_disable(void)
4667 {
4668         extern void exit_sel_fs(void);
4669         static int selinux_disabled = 0;
4670
4671         if (ss_initialized) {
4672                 /* Not permitted after initial policy load. */
4673                 return -EINVAL;
4674         }
4675
4676         if (selinux_disabled) {
4677                 /* Only do this once. */
4678                 return -EINVAL;
4679         }
4680
4681         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4682
4683         selinux_disabled = 1;
4684         selinux_enabled = 0;
4685
4686         /* Reset security_ops to the secondary module, dummy or capability. */
4687         security_ops = secondary_ops;
4688
4689         /* Unregister netfilter hooks. */
4690         selinux_nf_ip_exit();
4691
4692         /* Unregister selinuxfs. */
4693         exit_sel_fs();
4694
4695         return 0;
4696 }
4697 #endif
4698
4699