[PATCH] keys: add a way to store the appropriate context for newly-created keys
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
84
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
87
88 static int __init enforcing_setup(char *str)
89 {
90         selinux_enforcing = simple_strtol(str,NULL,0);
91         return 1;
92 }
93 __setup("enforcing=", enforcing_setup);
94 #endif
95
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99 static int __init selinux_enabled_setup(char *str)
100 {
101         selinux_enabled = simple_strtol(str, NULL, 0);
102         return 1;
103 }
104 __setup("selinux=", selinux_enabled_setup);
105 #else
106 int selinux_enabled = 1;
107 #endif
108
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
111
112 /* Minimal support for a secondary security module,
113    just to allow the use of the dummy or capability modules.
114    The owlsm module can alternatively be used as a secondary
115    module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
117
118 /* Lists of inode and superblock security structures initialized
119    before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
122
123 static kmem_cache_t *sel_inode_cache;
124
125 /* Return security context for a given sid or just the context 
126    length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128 {
129         char *context;
130         unsigned len;
131         int rc;
132
133         rc = security_sid_to_context(sid, &context, &len);
134         if (rc)
135                 return rc;
136
137         if (!buffer || !size)
138                 goto getsecurity_exit;
139
140         if (size < len) {
141                 len = -ERANGE;
142                 goto getsecurity_exit;
143         }
144         memcpy(buffer, context, len);
145
146 getsecurity_exit:
147         kfree(context);
148         return len;
149 }
150
151 /* Allocate and free functions for each kind of security blob. */
152
153 static int task_alloc_security(struct task_struct *task)
154 {
155         struct task_security_struct *tsec;
156
157         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158         if (!tsec)
159                 return -ENOMEM;
160
161         tsec->task = task;
162         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163         task->security = tsec;
164
165         return 0;
166 }
167
168 static void task_free_security(struct task_struct *task)
169 {
170         struct task_security_struct *tsec = task->security;
171         task->security = NULL;
172         kfree(tsec);
173 }
174
175 static int inode_alloc_security(struct inode *inode)
176 {
177         struct task_security_struct *tsec = current->security;
178         struct inode_security_struct *isec;
179
180         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
181         if (!isec)
182                 return -ENOMEM;
183
184         memset(isec, 0, sizeof(*isec));
185         init_MUTEX(&isec->sem);
186         INIT_LIST_HEAD(&isec->list);
187         isec->inode = inode;
188         isec->sid = SECINITSID_UNLABELED;
189         isec->sclass = SECCLASS_FILE;
190         isec->task_sid = tsec->sid;
191         inode->i_security = isec;
192
193         return 0;
194 }
195
196 static void inode_free_security(struct inode *inode)
197 {
198         struct inode_security_struct *isec = inode->i_security;
199         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
201         spin_lock(&sbsec->isec_lock);
202         if (!list_empty(&isec->list))
203                 list_del_init(&isec->list);
204         spin_unlock(&sbsec->isec_lock);
205
206         inode->i_security = NULL;
207         kmem_cache_free(sel_inode_cache, isec);
208 }
209
210 static int file_alloc_security(struct file *file)
211 {
212         struct task_security_struct *tsec = current->security;
213         struct file_security_struct *fsec;
214
215         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
216         if (!fsec)
217                 return -ENOMEM;
218
219         fsec->file = file;
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         init_MUTEX(&sbsec->sem);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sb->s_security = sbsec;
250
251         return 0;
252 }
253
254 static void superblock_free_security(struct super_block *sb)
255 {
256         struct superblock_security_struct *sbsec = sb->s_security;
257
258         spin_lock(&sb_security_lock);
259         if (!list_empty(&sbsec->list))
260                 list_del_init(&sbsec->list);
261         spin_unlock(&sb_security_lock);
262
263         sb->s_security = NULL;
264         kfree(sbsec);
265 }
266
267 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
268 {
269         struct sk_security_struct *ssec;
270
271         if (family != PF_UNIX)
272                 return 0;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         if (sk->sk_family != PF_UNIX)
290                 return;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_context = 1,
320         Opt_fscontext = 2,
321         Opt_defcontext = 4,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, "context=%s"},
326         {Opt_fscontext, "fscontext=%s"},
327         {Opt_defcontext, "defcontext=%s"},
328 };
329
330 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
331
332 static int try_context_mount(struct super_block *sb, void *data)
333 {
334         char *context = NULL, *defcontext = NULL;
335         const char *name;
336         u32 sid;
337         int alloc = 0, rc = 0, seen = 0;
338         struct task_security_struct *tsec = current->security;
339         struct superblock_security_struct *sbsec = sb->s_security;
340
341         if (!data)
342                 goto out;
343
344         name = sb->s_type->name;
345
346         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
347
348                 /* NFS we understand. */
349                 if (!strcmp(name, "nfs")) {
350                         struct nfs_mount_data *d = data;
351
352                         if (d->version <  NFS_MOUNT_VERSION)
353                                 goto out;
354
355                         if (d->context[0]) {
356                                 context = d->context;
357                                 seen |= Opt_context;
358                         }
359                 } else
360                         goto out;
361
362         } else {
363                 /* Standard string-based options. */
364                 char *p, *options = data;
365
366                 while ((p = strsep(&options, ",")) != NULL) {
367                         int token;
368                         substring_t args[MAX_OPT_ARGS];
369
370                         if (!*p)
371                                 continue;
372
373                         token = match_token(p, tokens, args);
374
375                         switch (token) {
376                         case Opt_context:
377                                 if (seen) {
378                                         rc = -EINVAL;
379                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
380                                         goto out_free;
381                                 }
382                                 context = match_strdup(&args[0]);
383                                 if (!context) {
384                                         rc = -ENOMEM;
385                                         goto out_free;
386                                 }
387                                 if (!alloc)
388                                         alloc = 1;
389                                 seen |= Opt_context;
390                                 break;
391
392                         case Opt_fscontext:
393                                 if (seen & (Opt_context|Opt_fscontext)) {
394                                         rc = -EINVAL;
395                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396                                         goto out_free;
397                                 }
398                                 context = match_strdup(&args[0]);
399                                 if (!context) {
400                                         rc = -ENOMEM;
401                                         goto out_free;
402                                 }
403                                 if (!alloc)
404                                         alloc = 1;
405                                 seen |= Opt_fscontext;
406                                 break;
407
408                         case Opt_defcontext:
409                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410                                         rc = -EINVAL;
411                                         printk(KERN_WARNING "SELinux:  "
412                                                "defcontext option is invalid "
413                                                "for this filesystem type\n");
414                                         goto out_free;
415                                 }
416                                 if (seen & (Opt_context|Opt_defcontext)) {
417                                         rc = -EINVAL;
418                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419                                         goto out_free;
420                                 }
421                                 defcontext = match_strdup(&args[0]);
422                                 if (!defcontext) {
423                                         rc = -ENOMEM;
424                                         goto out_free;
425                                 }
426                                 if (!alloc)
427                                         alloc = 1;
428                                 seen |= Opt_defcontext;
429                                 break;
430
431                         default:
432                                 rc = -EINVAL;
433                                 printk(KERN_WARNING "SELinux:  unknown mount "
434                                        "option\n");
435                                 goto out_free;
436
437                         }
438                 }
439         }
440
441         if (!seen)
442                 goto out;
443
444         if (context) {
445                 rc = security_context_to_sid(context, strlen(context), &sid);
446                 if (rc) {
447                         printk(KERN_WARNING "SELinux: security_context_to_sid"
448                                "(%s) failed for (dev %s, type %s) errno=%d\n",
449                                context, sb->s_id, name, rc);
450                         goto out_free;
451                 }
452
453                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454                                   FILESYSTEM__RELABELFROM, NULL);
455                 if (rc)
456                         goto out_free;
457
458                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459                                   FILESYSTEM__RELABELTO, NULL);
460                 if (rc)
461                         goto out_free;
462
463                 sbsec->sid = sid;
464
465                 if (seen & Opt_context)
466                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
467         }
468
469         if (defcontext) {
470                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471                 if (rc) {
472                         printk(KERN_WARNING "SELinux: security_context_to_sid"
473                                "(%s) failed for (dev %s, type %s) errno=%d\n",
474                                defcontext, sb->s_id, name, rc);
475                         goto out_free;
476                 }
477
478                 if (sid == sbsec->def_sid)
479                         goto out_free;
480
481                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482                                   FILESYSTEM__RELABELFROM, NULL);
483                 if (rc)
484                         goto out_free;
485
486                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487                                   FILESYSTEM__ASSOCIATE, NULL);
488                 if (rc)
489                         goto out_free;
490
491                 sbsec->def_sid = sid;
492         }
493
494 out_free:
495         if (alloc) {
496                 kfree(context);
497                 kfree(defcontext);
498         }
499 out:
500         return rc;
501 }
502
503 static int superblock_doinit(struct super_block *sb, void *data)
504 {
505         struct superblock_security_struct *sbsec = sb->s_security;
506         struct dentry *root = sb->s_root;
507         struct inode *inode = root->d_inode;
508         int rc = 0;
509
510         down(&sbsec->sem);
511         if (sbsec->initialized)
512                 goto out;
513
514         if (!ss_initialized) {
515                 /* Defer initialization until selinux_complete_init,
516                    after the initial policy is loaded and the security
517                    server is ready to handle calls. */
518                 spin_lock(&sb_security_lock);
519                 if (list_empty(&sbsec->list))
520                         list_add(&sbsec->list, &superblock_security_head);
521                 spin_unlock(&sb_security_lock);
522                 goto out;
523         }
524
525         /* Determine the labeling behavior to use for this filesystem type. */
526         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527         if (rc) {
528                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
529                        __FUNCTION__, sb->s_type->name, rc);
530                 goto out;
531         }
532
533         rc = try_context_mount(sb, data);
534         if (rc)
535                 goto out;
536
537         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538                 /* Make sure that the xattr handler exists and that no
539                    error other than -ENODATA is returned by getxattr on
540                    the root directory.  -ENODATA is ok, as this may be
541                    the first boot of the SELinux kernel before we have
542                    assigned xattr values to the filesystem. */
543                 if (!inode->i_op->getxattr) {
544                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545                                "xattr support\n", sb->s_id, sb->s_type->name);
546                         rc = -EOPNOTSUPP;
547                         goto out;
548                 }
549                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550                 if (rc < 0 && rc != -ENODATA) {
551                         if (rc == -EOPNOTSUPP)
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) has no security xattr handler\n",
554                                        sb->s_id, sb->s_type->name);
555                         else
556                                 printk(KERN_WARNING "SELinux: (dev %s, type "
557                                        "%s) getxattr errno %d\n", sb->s_id,
558                                        sb->s_type->name, -rc);
559                         goto out;
560                 }
561         }
562
563         if (strcmp(sb->s_type->name, "proc") == 0)
564                 sbsec->proc = 1;
565
566         sbsec->initialized = 1;
567
568         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570                        sb->s_id, sb->s_type->name);
571         }
572         else {
573                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574                        sb->s_id, sb->s_type->name,
575                        labeling_behaviors[sbsec->behavior-1]);
576         }
577
578         /* Initialize the root inode. */
579         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580
581         /* Initialize any other inodes associated with the superblock, e.g.
582            inodes created prior to initial policy load or inodes created
583            during get_sb by a pseudo filesystem that directly
584            populates itself. */
585         spin_lock(&sbsec->isec_lock);
586 next_inode:
587         if (!list_empty(&sbsec->isec_head)) {
588                 struct inode_security_struct *isec =
589                                 list_entry(sbsec->isec_head.next,
590                                            struct inode_security_struct, list);
591                 struct inode *inode = isec->inode;
592                 spin_unlock(&sbsec->isec_lock);
593                 inode = igrab(inode);
594                 if (inode) {
595                         if (!IS_PRIVATE (inode))
596                                 inode_doinit(inode);
597                         iput(inode);
598                 }
599                 spin_lock(&sbsec->isec_lock);
600                 list_del_init(&isec->list);
601                 goto next_inode;
602         }
603         spin_unlock(&sbsec->isec_lock);
604 out:
605         up(&sbsec->sem);
606         return rc;
607 }
608
609 static inline u16 inode_mode_to_security_class(umode_t mode)
610 {
611         switch (mode & S_IFMT) {
612         case S_IFSOCK:
613                 return SECCLASS_SOCK_FILE;
614         case S_IFLNK:
615                 return SECCLASS_LNK_FILE;
616         case S_IFREG:
617                 return SECCLASS_FILE;
618         case S_IFBLK:
619                 return SECCLASS_BLK_FILE;
620         case S_IFDIR:
621                 return SECCLASS_DIR;
622         case S_IFCHR:
623                 return SECCLASS_CHR_FILE;
624         case S_IFIFO:
625                 return SECCLASS_FIFO_FILE;
626
627         }
628
629         return SECCLASS_FILE;
630 }
631
632 static inline int default_protocol_stream(int protocol)
633 {
634         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
635 }
636
637 static inline int default_protocol_dgram(int protocol)
638 {
639         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
640 }
641
642 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
643 {
644         switch (family) {
645         case PF_UNIX:
646                 switch (type) {
647                 case SOCK_STREAM:
648                 case SOCK_SEQPACKET:
649                         return SECCLASS_UNIX_STREAM_SOCKET;
650                 case SOCK_DGRAM:
651                         return SECCLASS_UNIX_DGRAM_SOCKET;
652                 }
653                 break;
654         case PF_INET:
655         case PF_INET6:
656                 switch (type) {
657                 case SOCK_STREAM:
658                         if (default_protocol_stream(protocol))
659                                 return SECCLASS_TCP_SOCKET;
660                         else
661                                 return SECCLASS_RAWIP_SOCKET;
662                 case SOCK_DGRAM:
663                         if (default_protocol_dgram(protocol))
664                                 return SECCLASS_UDP_SOCKET;
665                         else
666                                 return SECCLASS_RAWIP_SOCKET;
667                 default:
668                         return SECCLASS_RAWIP_SOCKET;
669                 }
670                 break;
671         case PF_NETLINK:
672                 switch (protocol) {
673                 case NETLINK_ROUTE:
674                         return SECCLASS_NETLINK_ROUTE_SOCKET;
675                 case NETLINK_FIREWALL:
676                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
677                 case NETLINK_INET_DIAG:
678                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
679                 case NETLINK_NFLOG:
680                         return SECCLASS_NETLINK_NFLOG_SOCKET;
681                 case NETLINK_XFRM:
682                         return SECCLASS_NETLINK_XFRM_SOCKET;
683                 case NETLINK_SELINUX:
684                         return SECCLASS_NETLINK_SELINUX_SOCKET;
685                 case NETLINK_AUDIT:
686                         return SECCLASS_NETLINK_AUDIT_SOCKET;
687                 case NETLINK_IP6_FW:
688                         return SECCLASS_NETLINK_IP6FW_SOCKET;
689                 case NETLINK_DNRTMSG:
690                         return SECCLASS_NETLINK_DNRT_SOCKET;
691                 case NETLINK_KOBJECT_UEVENT:
692                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
693                 default:
694                         return SECCLASS_NETLINK_SOCKET;
695                 }
696         case PF_PACKET:
697                 return SECCLASS_PACKET_SOCKET;
698         case PF_KEY:
699                 return SECCLASS_KEY_SOCKET;
700         case PF_APPLETALK:
701                 return SECCLASS_APPLETALK_SOCKET;
702         }
703
704         return SECCLASS_SOCKET;
705 }
706
707 #ifdef CONFIG_PROC_FS
708 static int selinux_proc_get_sid(struct proc_dir_entry *de,
709                                 u16 tclass,
710                                 u32 *sid)
711 {
712         int buflen, rc;
713         char *buffer, *path, *end;
714
715         buffer = (char*)__get_free_page(GFP_KERNEL);
716         if (!buffer)
717                 return -ENOMEM;
718
719         buflen = PAGE_SIZE;
720         end = buffer+buflen;
721         *--end = '\0';
722         buflen--;
723         path = end-1;
724         *path = '/';
725         while (de && de != de->parent) {
726                 buflen -= de->namelen + 1;
727                 if (buflen < 0)
728                         break;
729                 end -= de->namelen;
730                 memcpy(end, de->name, de->namelen);
731                 *--end = '/';
732                 path = end;
733                 de = de->parent;
734         }
735         rc = security_genfs_sid("proc", path, tclass, sid);
736         free_page((unsigned long)buffer);
737         return rc;
738 }
739 #else
740 static int selinux_proc_get_sid(struct proc_dir_entry *de,
741                                 u16 tclass,
742                                 u32 *sid)
743 {
744         return -EINVAL;
745 }
746 #endif
747
748 /* The inode's security attributes must be initialized before first use. */
749 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
750 {
751         struct superblock_security_struct *sbsec = NULL;
752         struct inode_security_struct *isec = inode->i_security;
753         u32 sid;
754         struct dentry *dentry;
755 #define INITCONTEXTLEN 255
756         char *context = NULL;
757         unsigned len = 0;
758         int rc = 0;
759         int hold_sem = 0;
760
761         if (isec->initialized)
762                 goto out;
763
764         down(&isec->sem);
765         hold_sem = 1;
766         if (isec->initialized)
767                 goto out;
768
769         sbsec = inode->i_sb->s_security;
770         if (!sbsec->initialized) {
771                 /* Defer initialization until selinux_complete_init,
772                    after the initial policy is loaded and the security
773                    server is ready to handle calls. */
774                 spin_lock(&sbsec->isec_lock);
775                 if (list_empty(&isec->list))
776                         list_add(&isec->list, &sbsec->isec_head);
777                 spin_unlock(&sbsec->isec_lock);
778                 goto out;
779         }
780
781         switch (sbsec->behavior) {
782         case SECURITY_FS_USE_XATTR:
783                 if (!inode->i_op->getxattr) {
784                         isec->sid = sbsec->def_sid;
785                         break;
786                 }
787
788                 /* Need a dentry, since the xattr API requires one.
789                    Life would be simpler if we could just pass the inode. */
790                 if (opt_dentry) {
791                         /* Called from d_instantiate or d_splice_alias. */
792                         dentry = dget(opt_dentry);
793                 } else {
794                         /* Called from selinux_complete_init, try to find a dentry. */
795                         dentry = d_find_alias(inode);
796                 }
797                 if (!dentry) {
798                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
799                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
800                                inode->i_ino);
801                         goto out;
802                 }
803
804                 len = INITCONTEXTLEN;
805                 context = kmalloc(len, GFP_KERNEL);
806                 if (!context) {
807                         rc = -ENOMEM;
808                         dput(dentry);
809                         goto out;
810                 }
811                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
812                                            context, len);
813                 if (rc == -ERANGE) {
814                         /* Need a larger buffer.  Query for the right size. */
815                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
816                                                    NULL, 0);
817                         if (rc < 0) {
818                                 dput(dentry);
819                                 goto out;
820                         }
821                         kfree(context);
822                         len = rc;
823                         context = kmalloc(len, GFP_KERNEL);
824                         if (!context) {
825                                 rc = -ENOMEM;
826                                 dput(dentry);
827                                 goto out;
828                         }
829                         rc = inode->i_op->getxattr(dentry,
830                                                    XATTR_NAME_SELINUX,
831                                                    context, len);
832                 }
833                 dput(dentry);
834                 if (rc < 0) {
835                         if (rc != -ENODATA) {
836                                 printk(KERN_WARNING "%s:  getxattr returned "
837                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
838                                        -rc, inode->i_sb->s_id, inode->i_ino);
839                                 kfree(context);
840                                 goto out;
841                         }
842                         /* Map ENODATA to the default file SID */
843                         sid = sbsec->def_sid;
844                         rc = 0;
845                 } else {
846                         rc = security_context_to_sid_default(context, rc, &sid,
847                                                              sbsec->def_sid);
848                         if (rc) {
849                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
850                                        "returned %d for dev=%s ino=%ld\n",
851                                        __FUNCTION__, context, -rc,
852                                        inode->i_sb->s_id, inode->i_ino);
853                                 kfree(context);
854                                 /* Leave with the unlabeled SID */
855                                 rc = 0;
856                                 break;
857                         }
858                 }
859                 kfree(context);
860                 isec->sid = sid;
861                 break;
862         case SECURITY_FS_USE_TASK:
863                 isec->sid = isec->task_sid;
864                 break;
865         case SECURITY_FS_USE_TRANS:
866                 /* Default to the fs SID. */
867                 isec->sid = sbsec->sid;
868
869                 /* Try to obtain a transition SID. */
870                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
871                 rc = security_transition_sid(isec->task_sid,
872                                              sbsec->sid,
873                                              isec->sclass,
874                                              &sid);
875                 if (rc)
876                         goto out;
877                 isec->sid = sid;
878                 break;
879         default:
880                 /* Default to the fs SID. */
881                 isec->sid = sbsec->sid;
882
883                 if (sbsec->proc) {
884                         struct proc_inode *proci = PROC_I(inode);
885                         if (proci->pde) {
886                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
887                                 rc = selinux_proc_get_sid(proci->pde,
888                                                           isec->sclass,
889                                                           &sid);
890                                 if (rc)
891                                         goto out;
892                                 isec->sid = sid;
893                         }
894                 }
895                 break;
896         }
897
898         isec->initialized = 1;
899
900 out:
901         if (isec->sclass == SECCLASS_FILE)
902                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
903
904         if (hold_sem)
905                 up(&isec->sem);
906         return rc;
907 }
908
909 /* Convert a Linux signal to an access vector. */
910 static inline u32 signal_to_av(int sig)
911 {
912         u32 perm = 0;
913
914         switch (sig) {
915         case SIGCHLD:
916                 /* Commonly granted from child to parent. */
917                 perm = PROCESS__SIGCHLD;
918                 break;
919         case SIGKILL:
920                 /* Cannot be caught or ignored */
921                 perm = PROCESS__SIGKILL;
922                 break;
923         case SIGSTOP:
924                 /* Cannot be caught or ignored */
925                 perm = PROCESS__SIGSTOP;
926                 break;
927         default:
928                 /* All other signals. */
929                 perm = PROCESS__SIGNAL;
930                 break;
931         }
932
933         return perm;
934 }
935
936 /* Check permission betweeen a pair of tasks, e.g. signal checks,
937    fork check, ptrace check, etc. */
938 static int task_has_perm(struct task_struct *tsk1,
939                          struct task_struct *tsk2,
940                          u32 perms)
941 {
942         struct task_security_struct *tsec1, *tsec2;
943
944         tsec1 = tsk1->security;
945         tsec2 = tsk2->security;
946         return avc_has_perm(tsec1->sid, tsec2->sid,
947                             SECCLASS_PROCESS, perms, NULL);
948 }
949
950 /* Check whether a task is allowed to use a capability. */
951 static int task_has_capability(struct task_struct *tsk,
952                                int cap)
953 {
954         struct task_security_struct *tsec;
955         struct avc_audit_data ad;
956
957         tsec = tsk->security;
958
959         AVC_AUDIT_DATA_INIT(&ad,CAP);
960         ad.tsk = tsk;
961         ad.u.cap = cap;
962
963         return avc_has_perm(tsec->sid, tsec->sid,
964                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
965 }
966
967 /* Check whether a task is allowed to use a system operation. */
968 static int task_has_system(struct task_struct *tsk,
969                            u32 perms)
970 {
971         struct task_security_struct *tsec;
972
973         tsec = tsk->security;
974
975         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
976                             SECCLASS_SYSTEM, perms, NULL);
977 }
978
979 /* Check whether a task has a particular permission to an inode.
980    The 'adp' parameter is optional and allows other audit
981    data to be passed (e.g. the dentry). */
982 static int inode_has_perm(struct task_struct *tsk,
983                           struct inode *inode,
984                           u32 perms,
985                           struct avc_audit_data *adp)
986 {
987         struct task_security_struct *tsec;
988         struct inode_security_struct *isec;
989         struct avc_audit_data ad;
990
991         tsec = tsk->security;
992         isec = inode->i_security;
993
994         if (!adp) {
995                 adp = &ad;
996                 AVC_AUDIT_DATA_INIT(&ad, FS);
997                 ad.u.fs.inode = inode;
998         }
999
1000         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1001 }
1002
1003 /* Same as inode_has_perm, but pass explicit audit data containing
1004    the dentry to help the auditing code to more easily generate the
1005    pathname if needed. */
1006 static inline int dentry_has_perm(struct task_struct *tsk,
1007                                   struct vfsmount *mnt,
1008                                   struct dentry *dentry,
1009                                   u32 av)
1010 {
1011         struct inode *inode = dentry->d_inode;
1012         struct avc_audit_data ad;
1013         AVC_AUDIT_DATA_INIT(&ad,FS);
1014         ad.u.fs.mnt = mnt;
1015         ad.u.fs.dentry = dentry;
1016         return inode_has_perm(tsk, inode, av, &ad);
1017 }
1018
1019 /* Check whether a task can use an open file descriptor to
1020    access an inode in a given way.  Check access to the
1021    descriptor itself, and then use dentry_has_perm to
1022    check a particular permission to the file.
1023    Access to the descriptor is implicitly granted if it
1024    has the same SID as the process.  If av is zero, then
1025    access to the file is not checked, e.g. for cases
1026    where only the descriptor is affected like seek. */
1027 static int file_has_perm(struct task_struct *tsk,
1028                                 struct file *file,
1029                                 u32 av)
1030 {
1031         struct task_security_struct *tsec = tsk->security;
1032         struct file_security_struct *fsec = file->f_security;
1033         struct vfsmount *mnt = file->f_vfsmnt;
1034         struct dentry *dentry = file->f_dentry;
1035         struct inode *inode = dentry->d_inode;
1036         struct avc_audit_data ad;
1037         int rc;
1038
1039         AVC_AUDIT_DATA_INIT(&ad, FS);
1040         ad.u.fs.mnt = mnt;
1041         ad.u.fs.dentry = dentry;
1042
1043         if (tsec->sid != fsec->sid) {
1044                 rc = avc_has_perm(tsec->sid, fsec->sid,
1045                                   SECCLASS_FD,
1046                                   FD__USE,
1047                                   &ad);
1048                 if (rc)
1049                         return rc;
1050         }
1051
1052         /* av is zero if only checking access to the descriptor. */
1053         if (av)
1054                 return inode_has_perm(tsk, inode, av, &ad);
1055
1056         return 0;
1057 }
1058
1059 /* Check whether a task can create a file. */
1060 static int may_create(struct inode *dir,
1061                       struct dentry *dentry,
1062                       u16 tclass)
1063 {
1064         struct task_security_struct *tsec;
1065         struct inode_security_struct *dsec;
1066         struct superblock_security_struct *sbsec;
1067         u32 newsid;
1068         struct avc_audit_data ad;
1069         int rc;
1070
1071         tsec = current->security;
1072         dsec = dir->i_security;
1073         sbsec = dir->i_sb->s_security;
1074
1075         AVC_AUDIT_DATA_INIT(&ad, FS);
1076         ad.u.fs.dentry = dentry;
1077
1078         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1079                           DIR__ADD_NAME | DIR__SEARCH,
1080                           &ad);
1081         if (rc)
1082                 return rc;
1083
1084         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1085                 newsid = tsec->create_sid;
1086         } else {
1087                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1088                                              &newsid);
1089                 if (rc)
1090                         return rc;
1091         }
1092
1093         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1094         if (rc)
1095                 return rc;
1096
1097         return avc_has_perm(newsid, sbsec->sid,
1098                             SECCLASS_FILESYSTEM,
1099                             FILESYSTEM__ASSOCIATE, &ad);
1100 }
1101
1102 /* Check whether a task can create a key. */
1103 static int may_create_key(u32 ksid,
1104                           struct task_struct *ctx)
1105 {
1106         struct task_security_struct *tsec;
1107
1108         tsec = ctx->security;
1109
1110         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1111 }
1112
1113 #define MAY_LINK   0
1114 #define MAY_UNLINK 1
1115 #define MAY_RMDIR  2
1116
1117 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1118 static int may_link(struct inode *dir,
1119                     struct dentry *dentry,
1120                     int kind)
1121
1122 {
1123         struct task_security_struct *tsec;
1124         struct inode_security_struct *dsec, *isec;
1125         struct avc_audit_data ad;
1126         u32 av;
1127         int rc;
1128
1129         tsec = current->security;
1130         dsec = dir->i_security;
1131         isec = dentry->d_inode->i_security;
1132
1133         AVC_AUDIT_DATA_INIT(&ad, FS);
1134         ad.u.fs.dentry = dentry;
1135
1136         av = DIR__SEARCH;
1137         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1138         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1139         if (rc)
1140                 return rc;
1141
1142         switch (kind) {
1143         case MAY_LINK:
1144                 av = FILE__LINK;
1145                 break;
1146         case MAY_UNLINK:
1147                 av = FILE__UNLINK;
1148                 break;
1149         case MAY_RMDIR:
1150                 av = DIR__RMDIR;
1151                 break;
1152         default:
1153                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1154                 return 0;
1155         }
1156
1157         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1158         return rc;
1159 }
1160
1161 static inline int may_rename(struct inode *old_dir,
1162                              struct dentry *old_dentry,
1163                              struct inode *new_dir,
1164                              struct dentry *new_dentry)
1165 {
1166         struct task_security_struct *tsec;
1167         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1168         struct avc_audit_data ad;
1169         u32 av;
1170         int old_is_dir, new_is_dir;
1171         int rc;
1172
1173         tsec = current->security;
1174         old_dsec = old_dir->i_security;
1175         old_isec = old_dentry->d_inode->i_security;
1176         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1177         new_dsec = new_dir->i_security;
1178
1179         AVC_AUDIT_DATA_INIT(&ad, FS);
1180
1181         ad.u.fs.dentry = old_dentry;
1182         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1183                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1184         if (rc)
1185                 return rc;
1186         rc = avc_has_perm(tsec->sid, old_isec->sid,
1187                           old_isec->sclass, FILE__RENAME, &ad);
1188         if (rc)
1189                 return rc;
1190         if (old_is_dir && new_dir != old_dir) {
1191                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1192                                   old_isec->sclass, DIR__REPARENT, &ad);
1193                 if (rc)
1194                         return rc;
1195         }
1196
1197         ad.u.fs.dentry = new_dentry;
1198         av = DIR__ADD_NAME | DIR__SEARCH;
1199         if (new_dentry->d_inode)
1200                 av |= DIR__REMOVE_NAME;
1201         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1202         if (rc)
1203                 return rc;
1204         if (new_dentry->d_inode) {
1205                 new_isec = new_dentry->d_inode->i_security;
1206                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1207                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1208                                   new_isec->sclass,
1209                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1210                 if (rc)
1211                         return rc;
1212         }
1213
1214         return 0;
1215 }
1216
1217 /* Check whether a task can perform a filesystem operation. */
1218 static int superblock_has_perm(struct task_struct *tsk,
1219                                struct super_block *sb,
1220                                u32 perms,
1221                                struct avc_audit_data *ad)
1222 {
1223         struct task_security_struct *tsec;
1224         struct superblock_security_struct *sbsec;
1225
1226         tsec = tsk->security;
1227         sbsec = sb->s_security;
1228         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1229                             perms, ad);
1230 }
1231
1232 /* Convert a Linux mode and permission mask to an access vector. */
1233 static inline u32 file_mask_to_av(int mode, int mask)
1234 {
1235         u32 av = 0;
1236
1237         if ((mode & S_IFMT) != S_IFDIR) {
1238                 if (mask & MAY_EXEC)
1239                         av |= FILE__EXECUTE;
1240                 if (mask & MAY_READ)
1241                         av |= FILE__READ;
1242
1243                 if (mask & MAY_APPEND)
1244                         av |= FILE__APPEND;
1245                 else if (mask & MAY_WRITE)
1246                         av |= FILE__WRITE;
1247
1248         } else {
1249                 if (mask & MAY_EXEC)
1250                         av |= DIR__SEARCH;
1251                 if (mask & MAY_WRITE)
1252                         av |= DIR__WRITE;
1253                 if (mask & MAY_READ)
1254                         av |= DIR__READ;
1255         }
1256
1257         return av;
1258 }
1259
1260 /* Convert a Linux file to an access vector. */
1261 static inline u32 file_to_av(struct file *file)
1262 {
1263         u32 av = 0;
1264
1265         if (file->f_mode & FMODE_READ)
1266                 av |= FILE__READ;
1267         if (file->f_mode & FMODE_WRITE) {
1268                 if (file->f_flags & O_APPEND)
1269                         av |= FILE__APPEND;
1270                 else
1271                         av |= FILE__WRITE;
1272         }
1273
1274         return av;
1275 }
1276
1277 /* Set an inode's SID to a specified value. */
1278 static int inode_security_set_sid(struct inode *inode, u32 sid)
1279 {
1280         struct inode_security_struct *isec = inode->i_security;
1281         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1282
1283         if (!sbsec->initialized) {
1284                 /* Defer initialization to selinux_complete_init. */
1285                 return 0;
1286         }
1287
1288         down(&isec->sem);
1289         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1290         isec->sid = sid;
1291         isec->initialized = 1;
1292         up(&isec->sem);
1293         return 0;
1294 }
1295
1296 /* Hook functions begin here. */
1297
1298 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1299 {
1300         struct task_security_struct *psec = parent->security;
1301         struct task_security_struct *csec = child->security;
1302         int rc;
1303
1304         rc = secondary_ops->ptrace(parent,child);
1305         if (rc)
1306                 return rc;
1307
1308         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1309         /* Save the SID of the tracing process for later use in apply_creds. */
1310         if (!(child->ptrace & PT_PTRACED) && !rc)
1311                 csec->ptrace_sid = psec->sid;
1312         return rc;
1313 }
1314
1315 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1316                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1317 {
1318         int error;
1319
1320         error = task_has_perm(current, target, PROCESS__GETCAP);
1321         if (error)
1322                 return error;
1323
1324         return secondary_ops->capget(target, effective, inheritable, permitted);
1325 }
1326
1327 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1328                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1329 {
1330         int error;
1331
1332         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1333         if (error)
1334                 return error;
1335
1336         return task_has_perm(current, target, PROCESS__SETCAP);
1337 }
1338
1339 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1340                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1341 {
1342         secondary_ops->capset_set(target, effective, inheritable, permitted);
1343 }
1344
1345 static int selinux_capable(struct task_struct *tsk, int cap)
1346 {
1347         int rc;
1348
1349         rc = secondary_ops->capable(tsk, cap);
1350         if (rc)
1351                 return rc;
1352
1353         return task_has_capability(tsk,cap);
1354 }
1355
1356 static int selinux_sysctl(ctl_table *table, int op)
1357 {
1358         int error = 0;
1359         u32 av;
1360         struct task_security_struct *tsec;
1361         u32 tsid;
1362         int rc;
1363
1364         rc = secondary_ops->sysctl(table, op);
1365         if (rc)
1366                 return rc;
1367
1368         tsec = current->security;
1369
1370         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1371                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1372         if (rc) {
1373                 /* Default to the well-defined sysctl SID. */
1374                 tsid = SECINITSID_SYSCTL;
1375         }
1376
1377         /* The op values are "defined" in sysctl.c, thereby creating
1378          * a bad coupling between this module and sysctl.c */
1379         if(op == 001) {
1380                 error = avc_has_perm(tsec->sid, tsid,
1381                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1382         } else {
1383                 av = 0;
1384                 if (op & 004)
1385                         av |= FILE__READ;
1386                 if (op & 002)
1387                         av |= FILE__WRITE;
1388                 if (av)
1389                         error = avc_has_perm(tsec->sid, tsid,
1390                                              SECCLASS_FILE, av, NULL);
1391         }
1392
1393         return error;
1394 }
1395
1396 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1397 {
1398         int rc = 0;
1399
1400         if (!sb)
1401                 return 0;
1402
1403         switch (cmds) {
1404                 case Q_SYNC:
1405                 case Q_QUOTAON:
1406                 case Q_QUOTAOFF:
1407                 case Q_SETINFO:
1408                 case Q_SETQUOTA:
1409                         rc = superblock_has_perm(current,
1410                                                  sb,
1411                                                  FILESYSTEM__QUOTAMOD, NULL);
1412                         break;
1413                 case Q_GETFMT:
1414                 case Q_GETINFO:
1415                 case Q_GETQUOTA:
1416                         rc = superblock_has_perm(current,
1417                                                  sb,
1418                                                  FILESYSTEM__QUOTAGET, NULL);
1419                         break;
1420                 default:
1421                         rc = 0;  /* let the kernel handle invalid cmds */
1422                         break;
1423         }
1424         return rc;
1425 }
1426
1427 static int selinux_quota_on(struct dentry *dentry)
1428 {
1429         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1430 }
1431
1432 static int selinux_syslog(int type)
1433 {
1434         int rc;
1435
1436         rc = secondary_ops->syslog(type);
1437         if (rc)
1438                 return rc;
1439
1440         switch (type) {
1441                 case 3:         /* Read last kernel messages */
1442                 case 10:        /* Return size of the log buffer */
1443                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1444                         break;
1445                 case 6:         /* Disable logging to console */
1446                 case 7:         /* Enable logging to console */
1447                 case 8:         /* Set level of messages printed to console */
1448                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1449                         break;
1450                 case 0:         /* Close log */
1451                 case 1:         /* Open log */
1452                 case 2:         /* Read from log */
1453                 case 4:         /* Read/clear last kernel messages */
1454                 case 5:         /* Clear ring buffer */
1455                 default:
1456                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1457                         break;
1458         }
1459         return rc;
1460 }
1461
1462 /*
1463  * Check that a process has enough memory to allocate a new virtual
1464  * mapping. 0 means there is enough memory for the allocation to
1465  * succeed and -ENOMEM implies there is not.
1466  *
1467  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1468  * if the capability is granted, but __vm_enough_memory requires 1 if
1469  * the capability is granted.
1470  *
1471  * Do not audit the selinux permission check, as this is applied to all
1472  * processes that allocate mappings.
1473  */
1474 static int selinux_vm_enough_memory(long pages)
1475 {
1476         int rc, cap_sys_admin = 0;
1477         struct task_security_struct *tsec = current->security;
1478
1479         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1480         if (rc == 0)
1481                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1482                                         SECCLASS_CAPABILITY,
1483                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1484                                         NULL);
1485
1486         if (rc == 0)
1487                 cap_sys_admin = 1;
1488
1489         return __vm_enough_memory(pages, cap_sys_admin);
1490 }
1491
1492 /* binprm security operations */
1493
1494 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1495 {
1496         struct bprm_security_struct *bsec;
1497
1498         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1499         if (!bsec)
1500                 return -ENOMEM;
1501
1502         bsec->bprm = bprm;
1503         bsec->sid = SECINITSID_UNLABELED;
1504         bsec->set = 0;
1505
1506         bprm->security = bsec;
1507         return 0;
1508 }
1509
1510 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1511 {
1512         struct task_security_struct *tsec;
1513         struct inode *inode = bprm->file->f_dentry->d_inode;
1514         struct inode_security_struct *isec;
1515         struct bprm_security_struct *bsec;
1516         u32 newsid;
1517         struct avc_audit_data ad;
1518         int rc;
1519
1520         rc = secondary_ops->bprm_set_security(bprm);
1521         if (rc)
1522                 return rc;
1523
1524         bsec = bprm->security;
1525
1526         if (bsec->set)
1527                 return 0;
1528
1529         tsec = current->security;
1530         isec = inode->i_security;
1531
1532         /* Default to the current task SID. */
1533         bsec->sid = tsec->sid;
1534
1535         /* Reset create SID on execve. */
1536         tsec->create_sid = 0;
1537
1538         if (tsec->exec_sid) {
1539                 newsid = tsec->exec_sid;
1540                 /* Reset exec SID on execve. */
1541                 tsec->exec_sid = 0;
1542         } else {
1543                 /* Check for a default transition on this program. */
1544                 rc = security_transition_sid(tsec->sid, isec->sid,
1545                                              SECCLASS_PROCESS, &newsid);
1546                 if (rc)
1547                         return rc;
1548         }
1549
1550         AVC_AUDIT_DATA_INIT(&ad, FS);
1551         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1552         ad.u.fs.dentry = bprm->file->f_dentry;
1553
1554         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1555                 newsid = tsec->sid;
1556
1557         if (tsec->sid == newsid) {
1558                 rc = avc_has_perm(tsec->sid, isec->sid,
1559                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1560                 if (rc)
1561                         return rc;
1562         } else {
1563                 /* Check permissions for the transition. */
1564                 rc = avc_has_perm(tsec->sid, newsid,
1565                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1566                 if (rc)
1567                         return rc;
1568
1569                 rc = avc_has_perm(newsid, isec->sid,
1570                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1571                 if (rc)
1572                         return rc;
1573
1574                 /* Clear any possibly unsafe personality bits on exec: */
1575                 current->personality &= ~PER_CLEAR_ON_SETID;
1576
1577                 /* Set the security field to the new SID. */
1578                 bsec->sid = newsid;
1579         }
1580
1581         bsec->set = 1;
1582         return 0;
1583 }
1584
1585 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1586 {
1587         return secondary_ops->bprm_check_security(bprm);
1588 }
1589
1590
1591 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1592 {
1593         struct task_security_struct *tsec = current->security;
1594         int atsecure = 0;
1595
1596         if (tsec->osid != tsec->sid) {
1597                 /* Enable secure mode for SIDs transitions unless
1598                    the noatsecure permission is granted between
1599                    the two SIDs, i.e. ahp returns 0. */
1600                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1601                                          SECCLASS_PROCESS,
1602                                          PROCESS__NOATSECURE, NULL);
1603         }
1604
1605         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1606 }
1607
1608 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1609 {
1610         kfree(bprm->security);
1611         bprm->security = NULL;
1612 }
1613
1614 extern struct vfsmount *selinuxfs_mount;
1615 extern struct dentry *selinux_null;
1616
1617 /* Derived from fs/exec.c:flush_old_files. */
1618 static inline void flush_unauthorized_files(struct files_struct * files)
1619 {
1620         struct avc_audit_data ad;
1621         struct file *file, *devnull = NULL;
1622         struct tty_struct *tty = current->signal->tty;
1623         struct fdtable *fdt;
1624         long j = -1;
1625
1626         if (tty) {
1627                 file_list_lock();
1628                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1629                 if (file) {
1630                         /* Revalidate access to controlling tty.
1631                            Use inode_has_perm on the tty inode directly rather
1632                            than using file_has_perm, as this particular open
1633                            file may belong to another process and we are only
1634                            interested in the inode-based check here. */
1635                         struct inode *inode = file->f_dentry->d_inode;
1636                         if (inode_has_perm(current, inode,
1637                                            FILE__READ | FILE__WRITE, NULL)) {
1638                                 /* Reset controlling tty. */
1639                                 current->signal->tty = NULL;
1640                                 current->signal->tty_old_pgrp = 0;
1641                         }
1642                 }
1643                 file_list_unlock();
1644         }
1645
1646         /* Revalidate access to inherited open files. */
1647
1648         AVC_AUDIT_DATA_INIT(&ad,FS);
1649
1650         spin_lock(&files->file_lock);
1651         for (;;) {
1652                 unsigned long set, i;
1653                 int fd;
1654
1655                 j++;
1656                 i = j * __NFDBITS;
1657                 fdt = files_fdtable(files);
1658                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1659                         break;
1660                 set = fdt->open_fds->fds_bits[j];
1661                 if (!set)
1662                         continue;
1663                 spin_unlock(&files->file_lock);
1664                 for ( ; set ; i++,set >>= 1) {
1665                         if (set & 1) {
1666                                 file = fget(i);
1667                                 if (!file)
1668                                         continue;
1669                                 if (file_has_perm(current,
1670                                                   file,
1671                                                   file_to_av(file))) {
1672                                         sys_close(i);
1673                                         fd = get_unused_fd();
1674                                         if (fd != i) {
1675                                                 if (fd >= 0)
1676                                                         put_unused_fd(fd);
1677                                                 fput(file);
1678                                                 continue;
1679                                         }
1680                                         if (devnull) {
1681                                                 get_file(devnull);
1682                                         } else {
1683                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1684                                                 if (!devnull) {
1685                                                         put_unused_fd(fd);
1686                                                         fput(file);
1687                                                         continue;
1688                                                 }
1689                                         }
1690                                         fd_install(fd, devnull);
1691                                 }
1692                                 fput(file);
1693                         }
1694                 }
1695                 spin_lock(&files->file_lock);
1696
1697         }
1698         spin_unlock(&files->file_lock);
1699 }
1700
1701 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1702 {
1703         struct task_security_struct *tsec;
1704         struct bprm_security_struct *bsec;
1705         u32 sid;
1706         int rc;
1707
1708         secondary_ops->bprm_apply_creds(bprm, unsafe);
1709
1710         tsec = current->security;
1711
1712         bsec = bprm->security;
1713         sid = bsec->sid;
1714
1715         tsec->osid = tsec->sid;
1716         bsec->unsafe = 0;
1717         if (tsec->sid != sid) {
1718                 /* Check for shared state.  If not ok, leave SID
1719                    unchanged and kill. */
1720                 if (unsafe & LSM_UNSAFE_SHARE) {
1721                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1722                                         PROCESS__SHARE, NULL);
1723                         if (rc) {
1724                                 bsec->unsafe = 1;
1725                                 return;
1726                         }
1727                 }
1728
1729                 /* Check for ptracing, and update the task SID if ok.
1730                    Otherwise, leave SID unchanged and kill. */
1731                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1732                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1733                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1734                                           NULL);
1735                         if (rc) {
1736                                 bsec->unsafe = 1;
1737                                 return;
1738                         }
1739                 }
1740                 tsec->sid = sid;
1741         }
1742 }
1743
1744 /*
1745  * called after apply_creds without the task lock held
1746  */
1747 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1748 {
1749         struct task_security_struct *tsec;
1750         struct rlimit *rlim, *initrlim;
1751         struct itimerval itimer;
1752         struct bprm_security_struct *bsec;
1753         int rc, i;
1754
1755         tsec = current->security;
1756         bsec = bprm->security;
1757
1758         if (bsec->unsafe) {
1759                 force_sig_specific(SIGKILL, current);
1760                 return;
1761         }
1762         if (tsec->osid == tsec->sid)
1763                 return;
1764
1765         /* Close files for which the new task SID is not authorized. */
1766         flush_unauthorized_files(current->files);
1767
1768         /* Check whether the new SID can inherit signal state
1769            from the old SID.  If not, clear itimers to avoid
1770            subsequent signal generation and flush and unblock
1771            signals. This must occur _after_ the task SID has
1772           been updated so that any kill done after the flush
1773           will be checked against the new SID. */
1774         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1775                           PROCESS__SIGINH, NULL);
1776         if (rc) {
1777                 memset(&itimer, 0, sizeof itimer);
1778                 for (i = 0; i < 3; i++)
1779                         do_setitimer(i, &itimer, NULL);
1780                 flush_signals(current);
1781                 spin_lock_irq(&current->sighand->siglock);
1782                 flush_signal_handlers(current, 1);
1783                 sigemptyset(&current->blocked);
1784                 recalc_sigpending();
1785                 spin_unlock_irq(&current->sighand->siglock);
1786         }
1787
1788         /* Check whether the new SID can inherit resource limits
1789            from the old SID.  If not, reset all soft limits to
1790            the lower of the current task's hard limit and the init
1791            task's soft limit.  Note that the setting of hard limits
1792            (even to lower them) can be controlled by the setrlimit
1793            check. The inclusion of the init task's soft limit into
1794            the computation is to avoid resetting soft limits higher
1795            than the default soft limit for cases where the default
1796            is lower than the hard limit, e.g. RLIMIT_CORE or
1797            RLIMIT_STACK.*/
1798         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1799                           PROCESS__RLIMITINH, NULL);
1800         if (rc) {
1801                 for (i = 0; i < RLIM_NLIMITS; i++) {
1802                         rlim = current->signal->rlim + i;
1803                         initrlim = init_task.signal->rlim+i;
1804                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1805                 }
1806                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1807                         /*
1808                          * This will cause RLIMIT_CPU calculations
1809                          * to be refigured.
1810                          */
1811                         current->it_prof_expires = jiffies_to_cputime(1);
1812                 }
1813         }
1814
1815         /* Wake up the parent if it is waiting so that it can
1816            recheck wait permission to the new task SID. */
1817         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1818 }
1819
1820 /* superblock security operations */
1821
1822 static int selinux_sb_alloc_security(struct super_block *sb)
1823 {
1824         return superblock_alloc_security(sb);
1825 }
1826
1827 static void selinux_sb_free_security(struct super_block *sb)
1828 {
1829         superblock_free_security(sb);
1830 }
1831
1832 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1833 {
1834         if (plen > olen)
1835                 return 0;
1836
1837         return !memcmp(prefix, option, plen);
1838 }
1839
1840 static inline int selinux_option(char *option, int len)
1841 {
1842         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1843                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1844                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1845 }
1846
1847 static inline void take_option(char **to, char *from, int *first, int len)
1848 {
1849         if (!*first) {
1850                 **to = ',';
1851                 *to += 1;
1852         }
1853         else
1854                 *first = 0;
1855         memcpy(*to, from, len);
1856         *to += len;
1857 }
1858
1859 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1860 {
1861         int fnosec, fsec, rc = 0;
1862         char *in_save, *in_curr, *in_end;
1863         char *sec_curr, *nosec_save, *nosec;
1864
1865         in_curr = orig;
1866         sec_curr = copy;
1867
1868         /* Binary mount data: just copy */
1869         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1870                 copy_page(sec_curr, in_curr);
1871                 goto out;
1872         }
1873
1874         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1875         if (!nosec) {
1876                 rc = -ENOMEM;
1877                 goto out;
1878         }
1879
1880         nosec_save = nosec;
1881         fnosec = fsec = 1;
1882         in_save = in_end = orig;
1883
1884         do {
1885                 if (*in_end == ',' || *in_end == '\0') {
1886                         int len = in_end - in_curr;
1887
1888                         if (selinux_option(in_curr, len))
1889                                 take_option(&sec_curr, in_curr, &fsec, len);
1890                         else
1891                                 take_option(&nosec, in_curr, &fnosec, len);
1892
1893                         in_curr = in_end + 1;
1894                 }
1895         } while (*in_end++);
1896
1897         strcpy(in_save, nosec_save);
1898         free_page((unsigned long)nosec_save);
1899 out:
1900         return rc;
1901 }
1902
1903 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1904 {
1905         struct avc_audit_data ad;
1906         int rc;
1907
1908         rc = superblock_doinit(sb, data);
1909         if (rc)
1910                 return rc;
1911
1912         AVC_AUDIT_DATA_INIT(&ad,FS);
1913         ad.u.fs.dentry = sb->s_root;
1914         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1915 }
1916
1917 static int selinux_sb_statfs(struct dentry *dentry)
1918 {
1919         struct avc_audit_data ad;
1920
1921         AVC_AUDIT_DATA_INIT(&ad,FS);
1922         ad.u.fs.dentry = dentry->d_sb->s_root;
1923         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1924 }
1925
1926 static int selinux_mount(char * dev_name,
1927                          struct nameidata *nd,
1928                          char * type,
1929                          unsigned long flags,
1930                          void * data)
1931 {
1932         int rc;
1933
1934         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1935         if (rc)
1936                 return rc;
1937
1938         if (flags & MS_REMOUNT)
1939                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1940                                            FILESYSTEM__REMOUNT, NULL);
1941         else
1942                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1943                                        FILE__MOUNTON);
1944 }
1945
1946 static int selinux_umount(struct vfsmount *mnt, int flags)
1947 {
1948         int rc;
1949
1950         rc = secondary_ops->sb_umount(mnt, flags);
1951         if (rc)
1952                 return rc;
1953
1954         return superblock_has_perm(current,mnt->mnt_sb,
1955                                    FILESYSTEM__UNMOUNT,NULL);
1956 }
1957
1958 /* inode security operations */
1959
1960 static int selinux_inode_alloc_security(struct inode *inode)
1961 {
1962         return inode_alloc_security(inode);
1963 }
1964
1965 static void selinux_inode_free_security(struct inode *inode)
1966 {
1967         inode_free_security(inode);
1968 }
1969
1970 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1971                                        char **name, void **value,
1972                                        size_t *len)
1973 {
1974         struct task_security_struct *tsec;
1975         struct inode_security_struct *dsec;
1976         struct superblock_security_struct *sbsec;
1977         u32 newsid, clen;
1978         int rc;
1979         char *namep = NULL, *context;
1980
1981         tsec = current->security;
1982         dsec = dir->i_security;
1983         sbsec = dir->i_sb->s_security;
1984
1985         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1986                 newsid = tsec->create_sid;
1987         } else {
1988                 rc = security_transition_sid(tsec->sid, dsec->sid,
1989                                              inode_mode_to_security_class(inode->i_mode),
1990                                              &newsid);
1991                 if (rc) {
1992                         printk(KERN_WARNING "%s:  "
1993                                "security_transition_sid failed, rc=%d (dev=%s "
1994                                "ino=%ld)\n",
1995                                __FUNCTION__,
1996                                -rc, inode->i_sb->s_id, inode->i_ino);
1997                         return rc;
1998                 }
1999         }
2000
2001         inode_security_set_sid(inode, newsid);
2002
2003         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2004                 return -EOPNOTSUPP;
2005
2006         if (name) {
2007                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2008                 if (!namep)
2009                         return -ENOMEM;
2010                 *name = namep;
2011         }
2012
2013         if (value && len) {
2014                 rc = security_sid_to_context(newsid, &context, &clen);
2015                 if (rc) {
2016                         kfree(namep);
2017                         return rc;
2018                 }
2019                 *value = context;
2020                 *len = clen;
2021         }
2022
2023         return 0;
2024 }
2025
2026 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2027 {
2028         return may_create(dir, dentry, SECCLASS_FILE);
2029 }
2030
2031 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2032 {
2033         int rc;
2034
2035         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2036         if (rc)
2037                 return rc;
2038         return may_link(dir, old_dentry, MAY_LINK);
2039 }
2040
2041 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2042 {
2043         int rc;
2044
2045         rc = secondary_ops->inode_unlink(dir, dentry);
2046         if (rc)
2047                 return rc;
2048         return may_link(dir, dentry, MAY_UNLINK);
2049 }
2050
2051 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2052 {
2053         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2054 }
2055
2056 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2057 {
2058         return may_create(dir, dentry, SECCLASS_DIR);
2059 }
2060
2061 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2062 {
2063         return may_link(dir, dentry, MAY_RMDIR);
2064 }
2065
2066 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2067 {
2068         int rc;
2069
2070         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2071         if (rc)
2072                 return rc;
2073
2074         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2075 }
2076
2077 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2078                                 struct inode *new_inode, struct dentry *new_dentry)
2079 {
2080         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2081 }
2082
2083 static int selinux_inode_readlink(struct dentry *dentry)
2084 {
2085         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2086 }
2087
2088 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2089 {
2090         int rc;
2091
2092         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2093         if (rc)
2094                 return rc;
2095         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2096 }
2097
2098 static int selinux_inode_permission(struct inode *inode, int mask,
2099                                     struct nameidata *nd)
2100 {
2101         int rc;
2102
2103         rc = secondary_ops->inode_permission(inode, mask, nd);
2104         if (rc)
2105                 return rc;
2106
2107         if (!mask) {
2108                 /* No permission to check.  Existence test. */
2109                 return 0;
2110         }
2111
2112         return inode_has_perm(current, inode,
2113                                file_mask_to_av(inode->i_mode, mask), NULL);
2114 }
2115
2116 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2117 {
2118         int rc;
2119
2120         rc = secondary_ops->inode_setattr(dentry, iattr);
2121         if (rc)
2122                 return rc;
2123
2124         if (iattr->ia_valid & ATTR_FORCE)
2125                 return 0;
2126
2127         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2128                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2129                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2130
2131         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2132 }
2133
2134 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2135 {
2136         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2137 }
2138
2139 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2140 {
2141         struct task_security_struct *tsec = current->security;
2142         struct inode *inode = dentry->d_inode;
2143         struct inode_security_struct *isec = inode->i_security;
2144         struct superblock_security_struct *sbsec;
2145         struct avc_audit_data ad;
2146         u32 newsid;
2147         int rc = 0;
2148
2149         if (strcmp(name, XATTR_NAME_SELINUX)) {
2150                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2151                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2152                     !capable(CAP_SYS_ADMIN)) {
2153                         /* A different attribute in the security namespace.
2154                            Restrict to administrator. */
2155                         return -EPERM;
2156                 }
2157
2158                 /* Not an attribute we recognize, so just check the
2159                    ordinary setattr permission. */
2160                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2161         }
2162
2163         sbsec = inode->i_sb->s_security;
2164         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2165                 return -EOPNOTSUPP;
2166
2167         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2168                 return -EPERM;
2169
2170         AVC_AUDIT_DATA_INIT(&ad,FS);
2171         ad.u.fs.dentry = dentry;
2172
2173         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2174                           FILE__RELABELFROM, &ad);
2175         if (rc)
2176                 return rc;
2177
2178         rc = security_context_to_sid(value, size, &newsid);
2179         if (rc)
2180                 return rc;
2181
2182         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2183                           FILE__RELABELTO, &ad);
2184         if (rc)
2185                 return rc;
2186
2187         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2188                                           isec->sclass);
2189         if (rc)
2190                 return rc;
2191
2192         return avc_has_perm(newsid,
2193                             sbsec->sid,
2194                             SECCLASS_FILESYSTEM,
2195                             FILESYSTEM__ASSOCIATE,
2196                             &ad);
2197 }
2198
2199 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2200                                         void *value, size_t size, int flags)
2201 {
2202         struct inode *inode = dentry->d_inode;
2203         struct inode_security_struct *isec = inode->i_security;
2204         u32 newsid;
2205         int rc;
2206
2207         if (strcmp(name, XATTR_NAME_SELINUX)) {
2208                 /* Not an attribute we recognize, so nothing to do. */
2209                 return;
2210         }
2211
2212         rc = security_context_to_sid(value, size, &newsid);
2213         if (rc) {
2214                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2215                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2216                 return;
2217         }
2218
2219         isec->sid = newsid;
2220         return;
2221 }
2222
2223 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2224 {
2225         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2226 }
2227
2228 static int selinux_inode_listxattr (struct dentry *dentry)
2229 {
2230         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2231 }
2232
2233 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2234 {
2235         if (strcmp(name, XATTR_NAME_SELINUX)) {
2236                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2237                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2238                     !capable(CAP_SYS_ADMIN)) {
2239                         /* A different attribute in the security namespace.
2240                            Restrict to administrator. */
2241                         return -EPERM;
2242                 }
2243
2244                 /* Not an attribute we recognize, so just check the
2245                    ordinary setattr permission. Might want a separate
2246                    permission for removexattr. */
2247                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2248         }
2249
2250         /* No one is allowed to remove a SELinux security label.
2251            You can change the label, but all data must be labeled. */
2252         return -EACCES;
2253 }
2254
2255 static const char *selinux_inode_xattr_getsuffix(void)
2256 {
2257       return XATTR_SELINUX_SUFFIX;
2258 }
2259
2260 /*
2261  * Copy the in-core inode security context value to the user.  If the
2262  * getxattr() prior to this succeeded, check to see if we need to
2263  * canonicalize the value to be finally returned to the user.
2264  *
2265  * Permission check is handled by selinux_inode_getxattr hook.
2266  */
2267 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2268 {
2269         struct inode_security_struct *isec = inode->i_security;
2270
2271         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2272                 return -EOPNOTSUPP;
2273
2274         return selinux_getsecurity(isec->sid, buffer, size);
2275 }
2276
2277 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2278                                      const void *value, size_t size, int flags)
2279 {
2280         struct inode_security_struct *isec = inode->i_security;
2281         u32 newsid;
2282         int rc;
2283
2284         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2285                 return -EOPNOTSUPP;
2286
2287         if (!value || !size)
2288                 return -EACCES;
2289
2290         rc = security_context_to_sid((void*)value, size, &newsid);
2291         if (rc)
2292                 return rc;
2293
2294         isec->sid = newsid;
2295         return 0;
2296 }
2297
2298 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2299 {
2300         const int len = sizeof(XATTR_NAME_SELINUX);
2301         if (buffer && len <= buffer_size)
2302                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2303         return len;
2304 }
2305
2306 /* file security operations */
2307
2308 static int selinux_file_permission(struct file *file, int mask)
2309 {
2310         struct inode *inode = file->f_dentry->d_inode;
2311
2312         if (!mask) {
2313                 /* No permission to check.  Existence test. */
2314                 return 0;
2315         }
2316
2317         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2318         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2319                 mask |= MAY_APPEND;
2320
2321         return file_has_perm(current, file,
2322                              file_mask_to_av(inode->i_mode, mask));
2323 }
2324
2325 static int selinux_file_alloc_security(struct file *file)
2326 {
2327         return file_alloc_security(file);
2328 }
2329
2330 static void selinux_file_free_security(struct file *file)
2331 {
2332         file_free_security(file);
2333 }
2334
2335 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2336                               unsigned long arg)
2337 {
2338         int error = 0;
2339
2340         switch (cmd) {
2341                 case FIONREAD:
2342                 /* fall through */
2343                 case FIBMAP:
2344                 /* fall through */
2345                 case FIGETBSZ:
2346                 /* fall through */
2347                 case EXT2_IOC_GETFLAGS:
2348                 /* fall through */
2349                 case EXT2_IOC_GETVERSION:
2350                         error = file_has_perm(current, file, FILE__GETATTR);
2351                         break;
2352
2353                 case EXT2_IOC_SETFLAGS:
2354                 /* fall through */
2355                 case EXT2_IOC_SETVERSION:
2356                         error = file_has_perm(current, file, FILE__SETATTR);
2357                         break;
2358
2359                 /* sys_ioctl() checks */
2360                 case FIONBIO:
2361                 /* fall through */
2362                 case FIOASYNC:
2363                         error = file_has_perm(current, file, 0);
2364                         break;
2365
2366                 case KDSKBENT:
2367                 case KDSKBSENT:
2368                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2369                         break;
2370
2371                 /* default case assumes that the command will go
2372                  * to the file's ioctl() function.
2373                  */
2374                 default:
2375                         error = file_has_perm(current, file, FILE__IOCTL);
2376
2377         }
2378         return error;
2379 }
2380
2381 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2382 {
2383 #ifndef CONFIG_PPC32
2384         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2385                 /*
2386                  * We are making executable an anonymous mapping or a
2387                  * private file mapping that will also be writable.
2388                  * This has an additional check.
2389                  */
2390                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2391                 if (rc)
2392                         return rc;
2393         }
2394 #endif
2395
2396         if (file) {
2397                 /* read access is always possible with a mapping */
2398                 u32 av = FILE__READ;
2399
2400                 /* write access only matters if the mapping is shared */
2401                 if (shared && (prot & PROT_WRITE))
2402                         av |= FILE__WRITE;
2403
2404                 if (prot & PROT_EXEC)
2405                         av |= FILE__EXECUTE;
2406
2407                 return file_has_perm(current, file, av);
2408         }
2409         return 0;
2410 }
2411
2412 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2413                              unsigned long prot, unsigned long flags)
2414 {
2415         int rc;
2416
2417         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2418         if (rc)
2419                 return rc;
2420
2421         if (selinux_checkreqprot)
2422                 prot = reqprot;
2423
2424         return file_map_prot_check(file, prot,
2425                                    (flags & MAP_TYPE) == MAP_SHARED);
2426 }
2427
2428 static int selinux_file_mprotect(struct vm_area_struct *vma,
2429                                  unsigned long reqprot,
2430                                  unsigned long prot)
2431 {
2432         int rc;
2433
2434         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2435         if (rc)
2436                 return rc;
2437
2438         if (selinux_checkreqprot)
2439                 prot = reqprot;
2440
2441 #ifndef CONFIG_PPC32
2442         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2443                 rc = 0;
2444                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2445                     vma->vm_end <= vma->vm_mm->brk) {
2446                         rc = task_has_perm(current, current,
2447                                            PROCESS__EXECHEAP);
2448                 } else if (!vma->vm_file &&
2449                            vma->vm_start <= vma->vm_mm->start_stack &&
2450                            vma->vm_end >= vma->vm_mm->start_stack) {
2451                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2452                 } else if (vma->vm_file && vma->anon_vma) {
2453                         /*
2454                          * We are making executable a file mapping that has
2455                          * had some COW done. Since pages might have been
2456                          * written, check ability to execute the possibly
2457                          * modified content.  This typically should only
2458                          * occur for text relocations.
2459                          */
2460                         rc = file_has_perm(current, vma->vm_file,
2461                                            FILE__EXECMOD);
2462                 }
2463                 if (rc)
2464                         return rc;
2465         }
2466 #endif
2467
2468         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2469 }
2470
2471 static int selinux_file_lock(struct file *file, unsigned int cmd)
2472 {
2473         return file_has_perm(current, file, FILE__LOCK);
2474 }
2475
2476 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2477                               unsigned long arg)
2478 {
2479         int err = 0;
2480
2481         switch (cmd) {
2482                 case F_SETFL:
2483                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2484                                 err = -EINVAL;
2485                                 break;
2486                         }
2487
2488                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2489                                 err = file_has_perm(current, file,FILE__WRITE);
2490                                 break;
2491                         }
2492                         /* fall through */
2493                 case F_SETOWN:
2494                 case F_SETSIG:
2495                 case F_GETFL:
2496                 case F_GETOWN:
2497                 case F_GETSIG:
2498                         /* Just check FD__USE permission */
2499                         err = file_has_perm(current, file, 0);
2500                         break;
2501                 case F_GETLK:
2502                 case F_SETLK:
2503                 case F_SETLKW:
2504 #if BITS_PER_LONG == 32
2505                 case F_GETLK64:
2506                 case F_SETLK64:
2507                 case F_SETLKW64:
2508 #endif
2509                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2510                                 err = -EINVAL;
2511                                 break;
2512                         }
2513                         err = file_has_perm(current, file, FILE__LOCK);
2514                         break;
2515         }
2516
2517         return err;
2518 }
2519
2520 static int selinux_file_set_fowner(struct file *file)
2521 {
2522         struct task_security_struct *tsec;
2523         struct file_security_struct *fsec;
2524
2525         tsec = current->security;
2526         fsec = file->f_security;
2527         fsec->fown_sid = tsec->sid;
2528
2529         return 0;
2530 }
2531
2532 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2533                                        struct fown_struct *fown, int signum)
2534 {
2535         struct file *file;
2536         u32 perm;
2537         struct task_security_struct *tsec;
2538         struct file_security_struct *fsec;
2539
2540         /* struct fown_struct is never outside the context of a struct file */
2541         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2542
2543         tsec = tsk->security;
2544         fsec = file->f_security;
2545
2546         if (!signum)
2547                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2548         else
2549                 perm = signal_to_av(signum);
2550
2551         return avc_has_perm(fsec->fown_sid, tsec->sid,
2552                             SECCLASS_PROCESS, perm, NULL);
2553 }
2554
2555 static int selinux_file_receive(struct file *file)
2556 {
2557         return file_has_perm(current, file, file_to_av(file));
2558 }
2559
2560 /* task security operations */
2561
2562 static int selinux_task_create(unsigned long clone_flags)
2563 {
2564         int rc;
2565
2566         rc = secondary_ops->task_create(clone_flags);
2567         if (rc)
2568                 return rc;
2569
2570         return task_has_perm(current, current, PROCESS__FORK);
2571 }
2572
2573 static int selinux_task_alloc_security(struct task_struct *tsk)
2574 {
2575         struct task_security_struct *tsec1, *tsec2;
2576         int rc;
2577
2578         tsec1 = current->security;
2579
2580         rc = task_alloc_security(tsk);
2581         if (rc)
2582                 return rc;
2583         tsec2 = tsk->security;
2584
2585         tsec2->osid = tsec1->osid;
2586         tsec2->sid = tsec1->sid;
2587
2588         /* Retain the exec and create SIDs across fork */
2589         tsec2->exec_sid = tsec1->exec_sid;
2590         tsec2->create_sid = tsec1->create_sid;
2591
2592         /* Retain ptracer SID across fork, if any.
2593            This will be reset by the ptrace hook upon any
2594            subsequent ptrace_attach operations. */
2595         tsec2->ptrace_sid = tsec1->ptrace_sid;
2596
2597         return 0;
2598 }
2599
2600 static void selinux_task_free_security(struct task_struct *tsk)
2601 {
2602         task_free_security(tsk);
2603 }
2604
2605 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2606 {
2607         /* Since setuid only affects the current process, and
2608            since the SELinux controls are not based on the Linux
2609            identity attributes, SELinux does not need to control
2610            this operation.  However, SELinux does control the use
2611            of the CAP_SETUID and CAP_SETGID capabilities using the
2612            capable hook. */
2613         return 0;
2614 }
2615
2616 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2617 {
2618         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2619 }
2620
2621 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2622 {
2623         /* See the comment for setuid above. */
2624         return 0;
2625 }
2626
2627 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2628 {
2629         return task_has_perm(current, p, PROCESS__SETPGID);
2630 }
2631
2632 static int selinux_task_getpgid(struct task_struct *p)
2633 {
2634         return task_has_perm(current, p, PROCESS__GETPGID);
2635 }
2636
2637 static int selinux_task_getsid(struct task_struct *p)
2638 {
2639         return task_has_perm(current, p, PROCESS__GETSESSION);
2640 }
2641
2642 static int selinux_task_setgroups(struct group_info *group_info)
2643 {
2644         /* See the comment for setuid above. */
2645         return 0;
2646 }
2647
2648 static int selinux_task_setnice(struct task_struct *p, int nice)
2649 {
2650         int rc;
2651
2652         rc = secondary_ops->task_setnice(p, nice);
2653         if (rc)
2654                 return rc;
2655
2656         return task_has_perm(current,p, PROCESS__SETSCHED);
2657 }
2658
2659 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2660 {
2661         return task_has_perm(current, p, PROCESS__SETSCHED);
2662 }
2663
2664 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2665 {
2666         struct rlimit *old_rlim = current->signal->rlim + resource;
2667         int rc;
2668
2669         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2670         if (rc)
2671                 return rc;
2672
2673         /* Control the ability to change the hard limit (whether
2674            lowering or raising it), so that the hard limit can
2675            later be used as a safe reset point for the soft limit
2676            upon context transitions. See selinux_bprm_apply_creds. */
2677         if (old_rlim->rlim_max != new_rlim->rlim_max)
2678                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2679
2680         return 0;
2681 }
2682
2683 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2684 {
2685         return task_has_perm(current, p, PROCESS__SETSCHED);
2686 }
2687
2688 static int selinux_task_getscheduler(struct task_struct *p)
2689 {
2690         return task_has_perm(current, p, PROCESS__GETSCHED);
2691 }
2692
2693 static int selinux_task_movememory(struct task_struct *p)
2694 {
2695         return task_has_perm(current, p, PROCESS__SETSCHED);
2696 }
2697
2698 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2699 {
2700         u32 perm;
2701         int rc;
2702
2703         rc = secondary_ops->task_kill(p, info, sig);
2704         if (rc)
2705                 return rc;
2706
2707         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2708                 return 0;
2709
2710         if (!sig)
2711                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2712         else
2713                 perm = signal_to_av(sig);
2714
2715         return task_has_perm(current, p, perm);
2716 }
2717
2718 static int selinux_task_prctl(int option,
2719                               unsigned long arg2,
2720                               unsigned long arg3,
2721                               unsigned long arg4,
2722                               unsigned long arg5)
2723 {
2724         /* The current prctl operations do not appear to require
2725            any SELinux controls since they merely observe or modify
2726            the state of the current process. */
2727         return 0;
2728 }
2729
2730 static int selinux_task_wait(struct task_struct *p)
2731 {
2732         u32 perm;
2733
2734         perm = signal_to_av(p->exit_signal);
2735
2736         return task_has_perm(p, current, perm);
2737 }
2738
2739 static void selinux_task_reparent_to_init(struct task_struct *p)
2740 {
2741         struct task_security_struct *tsec;
2742
2743         secondary_ops->task_reparent_to_init(p);
2744
2745         tsec = p->security;
2746         tsec->osid = tsec->sid;
2747         tsec->sid = SECINITSID_KERNEL;
2748         return;
2749 }
2750
2751 static void selinux_task_to_inode(struct task_struct *p,
2752                                   struct inode *inode)
2753 {
2754         struct task_security_struct *tsec = p->security;
2755         struct inode_security_struct *isec = inode->i_security;
2756
2757         isec->sid = tsec->sid;
2758         isec->initialized = 1;
2759         return;
2760 }
2761
2762 /* Returns error only if unable to parse addresses */
2763 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2764 {
2765         int offset, ihlen, ret = -EINVAL;
2766         struct iphdr _iph, *ih;
2767
2768         offset = skb->nh.raw - skb->data;
2769         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2770         if (ih == NULL)
2771                 goto out;
2772
2773         ihlen = ih->ihl * 4;
2774         if (ihlen < sizeof(_iph))
2775                 goto out;
2776
2777         ad->u.net.v4info.saddr = ih->saddr;
2778         ad->u.net.v4info.daddr = ih->daddr;
2779         ret = 0;
2780
2781         switch (ih->protocol) {
2782         case IPPROTO_TCP: {
2783                 struct tcphdr _tcph, *th;
2784
2785                 if (ntohs(ih->frag_off) & IP_OFFSET)
2786                         break;
2787
2788                 offset += ihlen;
2789                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2790                 if (th == NULL)
2791                         break;
2792
2793                 ad->u.net.sport = th->source;
2794                 ad->u.net.dport = th->dest;
2795                 break;
2796         }
2797         
2798         case IPPROTO_UDP: {
2799                 struct udphdr _udph, *uh;
2800                 
2801                 if (ntohs(ih->frag_off) & IP_OFFSET)
2802                         break;
2803                         
2804                 offset += ihlen;
2805                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2806                 if (uh == NULL)
2807                         break;  
2808
2809                 ad->u.net.sport = uh->source;
2810                 ad->u.net.dport = uh->dest;
2811                 break;
2812         }
2813
2814         default:
2815                 break;
2816         }
2817 out:
2818         return ret;
2819 }
2820
2821 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2822
2823 /* Returns error only if unable to parse addresses */
2824 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2825 {
2826         u8 nexthdr;
2827         int ret = -EINVAL, offset;
2828         struct ipv6hdr _ipv6h, *ip6;
2829
2830         offset = skb->nh.raw - skb->data;
2831         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2832         if (ip6 == NULL)
2833                 goto out;
2834
2835         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2836         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2837         ret = 0;
2838
2839         nexthdr = ip6->nexthdr;
2840         offset += sizeof(_ipv6h);
2841         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2842         if (offset < 0)
2843                 goto out;
2844
2845         switch (nexthdr) {
2846         case IPPROTO_TCP: {
2847                 struct tcphdr _tcph, *th;
2848
2849                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2850                 if (th == NULL)
2851                         break;
2852
2853                 ad->u.net.sport = th->source;
2854                 ad->u.net.dport = th->dest;
2855                 break;
2856         }
2857
2858         case IPPROTO_UDP: {
2859                 struct udphdr _udph, *uh;
2860
2861                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2862                 if (uh == NULL)
2863                         break;
2864
2865                 ad->u.net.sport = uh->source;
2866                 ad->u.net.dport = uh->dest;
2867                 break;
2868         }
2869
2870         /* includes fragments */
2871         default:
2872                 break;
2873         }
2874 out:
2875         return ret;
2876 }
2877
2878 #endif /* IPV6 */
2879
2880 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2881                              char **addrp, int *len, int src)
2882 {
2883         int ret = 0;
2884
2885         switch (ad->u.net.family) {
2886         case PF_INET:
2887                 ret = selinux_parse_skb_ipv4(skb, ad);
2888                 if (ret || !addrp)
2889                         break;
2890                 *len = 4;
2891                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2892                                         &ad->u.net.v4info.daddr);
2893                 break;
2894
2895 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2896         case PF_INET6:
2897                 ret = selinux_parse_skb_ipv6(skb, ad);
2898                 if (ret || !addrp)
2899                         break;
2900                 *len = 16;
2901                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2902                                         &ad->u.net.v6info.daddr);
2903                 break;
2904 #endif  /* IPV6 */
2905         default:
2906                 break;
2907         }
2908
2909         return ret;
2910 }
2911
2912 /* socket security operations */
2913 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2914                            u32 perms)
2915 {
2916         struct inode_security_struct *isec;
2917         struct task_security_struct *tsec;
2918         struct avc_audit_data ad;
2919         int err = 0;
2920
2921         tsec = task->security;
2922         isec = SOCK_INODE(sock)->i_security;
2923
2924         if (isec->sid == SECINITSID_KERNEL)
2925                 goto out;
2926
2927         AVC_AUDIT_DATA_INIT(&ad,NET);
2928         ad.u.net.sk = sock->sk;
2929         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2930
2931 out:
2932         return err;
2933 }
2934
2935 static int selinux_socket_create(int family, int type,
2936                                  int protocol, int kern)
2937 {
2938         int err = 0;
2939         struct task_security_struct *tsec;
2940
2941         if (kern)
2942                 goto out;
2943
2944         tsec = current->security;
2945         err = avc_has_perm(tsec->sid, tsec->sid,
2946                            socket_type_to_security_class(family, type,
2947                            protocol), SOCKET__CREATE, NULL);
2948
2949 out:
2950         return err;
2951 }
2952
2953 static void selinux_socket_post_create(struct socket *sock, int family,
2954                                        int type, int protocol, int kern)
2955 {
2956         struct inode_security_struct *isec;
2957         struct task_security_struct *tsec;
2958
2959         isec = SOCK_INODE(sock)->i_security;
2960
2961         tsec = current->security;
2962         isec->sclass = socket_type_to_security_class(family, type, protocol);
2963         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2964         isec->initialized = 1;
2965
2966         return;
2967 }
2968
2969 /* Range of port numbers used to automatically bind.
2970    Need to determine whether we should perform a name_bind
2971    permission check between the socket and the port number. */
2972 #define ip_local_port_range_0 sysctl_local_port_range[0]
2973 #define ip_local_port_range_1 sysctl_local_port_range[1]
2974
2975 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2976 {
2977         u16 family;
2978         int err;
2979
2980         err = socket_has_perm(current, sock, SOCKET__BIND);
2981         if (err)
2982                 goto out;
2983
2984         /*
2985          * If PF_INET or PF_INET6, check name_bind permission for the port.
2986          * Multiple address binding for SCTP is not supported yet: we just
2987          * check the first address now.
2988          */
2989         family = sock->sk->sk_family;
2990         if (family == PF_INET || family == PF_INET6) {
2991                 char *addrp;
2992                 struct inode_security_struct *isec;
2993                 struct task_security_struct *tsec;
2994                 struct avc_audit_data ad;
2995                 struct sockaddr_in *addr4 = NULL;
2996                 struct sockaddr_in6 *addr6 = NULL;
2997                 unsigned short snum;
2998                 struct sock *sk = sock->sk;
2999                 u32 sid, node_perm, addrlen;
3000
3001                 tsec = current->security;
3002                 isec = SOCK_INODE(sock)->i_security;
3003
3004                 if (family == PF_INET) {
3005                         addr4 = (struct sockaddr_in *)address;
3006                         snum = ntohs(addr4->sin_port);
3007                         addrlen = sizeof(addr4->sin_addr.s_addr);
3008                         addrp = (char *)&addr4->sin_addr.s_addr;
3009                 } else {
3010                         addr6 = (struct sockaddr_in6 *)address;
3011                         snum = ntohs(addr6->sin6_port);
3012                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3013                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3014                 }
3015
3016                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3017                            snum > ip_local_port_range_1)) {
3018                         err = security_port_sid(sk->sk_family, sk->sk_type,
3019                                                 sk->sk_protocol, snum, &sid);
3020                         if (err)
3021                                 goto out;
3022                         AVC_AUDIT_DATA_INIT(&ad,NET);
3023                         ad.u.net.sport = htons(snum);
3024                         ad.u.net.family = family;
3025                         err = avc_has_perm(isec->sid, sid,
3026                                            isec->sclass,
3027                                            SOCKET__NAME_BIND, &ad);
3028                         if (err)
3029                                 goto out;
3030                 }
3031                 
3032                 switch(isec->sclass) {
3033                 case SECCLASS_TCP_SOCKET:
3034                         node_perm = TCP_SOCKET__NODE_BIND;
3035                         break;
3036                         
3037                 case SECCLASS_UDP_SOCKET:
3038                         node_perm = UDP_SOCKET__NODE_BIND;
3039                         break;
3040                         
3041                 default:
3042                         node_perm = RAWIP_SOCKET__NODE_BIND;
3043                         break;
3044                 }
3045                 
3046                 err = security_node_sid(family, addrp, addrlen, &sid);
3047                 if (err)
3048                         goto out;
3049                 
3050                 AVC_AUDIT_DATA_INIT(&ad,NET);
3051                 ad.u.net.sport = htons(snum);
3052                 ad.u.net.family = family;
3053
3054                 if (family == PF_INET)
3055                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3056                 else
3057                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3058
3059                 err = avc_has_perm(isec->sid, sid,
3060                                    isec->sclass, node_perm, &ad);
3061                 if (err)
3062                         goto out;
3063         }
3064 out:
3065         return err;
3066 }
3067
3068 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3069 {
3070         struct inode_security_struct *isec;
3071         int err;
3072
3073         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3074         if (err)
3075                 return err;
3076
3077         /*
3078          * If a TCP socket, check name_connect permission for the port.
3079          */
3080         isec = SOCK_INODE(sock)->i_security;
3081         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3082                 struct sock *sk = sock->sk;
3083                 struct avc_audit_data ad;
3084                 struct sockaddr_in *addr4 = NULL;
3085                 struct sockaddr_in6 *addr6 = NULL;
3086                 unsigned short snum;
3087                 u32 sid;
3088
3089                 if (sk->sk_family == PF_INET) {
3090                         addr4 = (struct sockaddr_in *)address;
3091                         if (addrlen < sizeof(struct sockaddr_in))
3092                                 return -EINVAL;
3093                         snum = ntohs(addr4->sin_port);
3094                 } else {
3095                         addr6 = (struct sockaddr_in6 *)address;
3096                         if (addrlen < SIN6_LEN_RFC2133)
3097                                 return -EINVAL;
3098                         snum = ntohs(addr6->sin6_port);
3099                 }
3100
3101                 err = security_port_sid(sk->sk_family, sk->sk_type,
3102                                         sk->sk_protocol, snum, &sid);
3103                 if (err)
3104                         goto out;
3105
3106                 AVC_AUDIT_DATA_INIT(&ad,NET);
3107                 ad.u.net.dport = htons(snum);
3108                 ad.u.net.family = sk->sk_family;
3109                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3110                                    TCP_SOCKET__NAME_CONNECT, &ad);
3111                 if (err)
3112                         goto out;
3113         }
3114
3115 out:
3116         return err;
3117 }
3118
3119 static int selinux_socket_listen(struct socket *sock, int backlog)
3120 {
3121         return socket_has_perm(current, sock, SOCKET__LISTEN);
3122 }
3123
3124 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3125 {
3126         int err;
3127         struct inode_security_struct *isec;
3128         struct inode_security_struct *newisec;
3129
3130         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3131         if (err)
3132                 return err;
3133
3134         newisec = SOCK_INODE(newsock)->i_security;
3135
3136         isec = SOCK_INODE(sock)->i_security;
3137         newisec->sclass = isec->sclass;
3138         newisec->sid = isec->sid;
3139         newisec->initialized = 1;
3140
3141         return 0;
3142 }
3143
3144 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3145                                   int size)
3146 {
3147         return socket_has_perm(current, sock, SOCKET__WRITE);
3148 }
3149
3150 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3151                                   int size, int flags)
3152 {
3153         return socket_has_perm(current, sock, SOCKET__READ);
3154 }
3155
3156 static int selinux_socket_getsockname(struct socket *sock)
3157 {
3158         return socket_has_perm(current, sock, SOCKET__GETATTR);
3159 }
3160
3161 static int selinux_socket_getpeername(struct socket *sock)
3162 {
3163         return socket_has_perm(current, sock, SOCKET__GETATTR);
3164 }
3165
3166 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3167 {
3168         return socket_has_perm(current, sock, SOCKET__SETOPT);
3169 }
3170
3171 static int selinux_socket_getsockopt(struct socket *sock, int level,
3172                                      int optname)
3173 {
3174         return socket_has_perm(current, sock, SOCKET__GETOPT);
3175 }
3176
3177 static int selinux_socket_shutdown(struct socket *sock, int how)
3178 {
3179         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3180 }
3181
3182 static int selinux_socket_unix_stream_connect(struct socket *sock,
3183                                               struct socket *other,
3184                                               struct sock *newsk)
3185 {
3186         struct sk_security_struct *ssec;
3187         struct inode_security_struct *isec;
3188         struct inode_security_struct *other_isec;
3189         struct avc_audit_data ad;
3190         int err;
3191
3192         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3193         if (err)
3194                 return err;
3195
3196         isec = SOCK_INODE(sock)->i_security;
3197         other_isec = SOCK_INODE(other)->i_security;
3198
3199         AVC_AUDIT_DATA_INIT(&ad,NET);
3200         ad.u.net.sk = other->sk;
3201
3202         err = avc_has_perm(isec->sid, other_isec->sid,
3203                            isec->sclass,
3204                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3205         if (err)
3206                 return err;
3207
3208         /* connecting socket */
3209         ssec = sock->sk->sk_security;
3210         ssec->peer_sid = other_isec->sid;
3211         
3212         /* server child socket */
3213         ssec = newsk->sk_security;
3214         ssec->peer_sid = isec->sid;
3215         
3216         return 0;
3217 }
3218
3219 static int selinux_socket_unix_may_send(struct socket *sock,
3220                                         struct socket *other)
3221 {
3222         struct inode_security_struct *isec;
3223         struct inode_security_struct *other_isec;
3224         struct avc_audit_data ad;
3225         int err;
3226
3227         isec = SOCK_INODE(sock)->i_security;
3228         other_isec = SOCK_INODE(other)->i_security;
3229
3230         AVC_AUDIT_DATA_INIT(&ad,NET);
3231         ad.u.net.sk = other->sk;
3232
3233         err = avc_has_perm(isec->sid, other_isec->sid,
3234                            isec->sclass, SOCKET__SENDTO, &ad);
3235         if (err)
3236                 return err;
3237
3238         return 0;
3239 }
3240
3241 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3242                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3243                 u16 family, char *addrp, int len)
3244 {
3245         int err = 0;
3246         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3247
3248         if (!skb->dev)
3249                 goto out;
3250
3251         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3252         if (err)
3253                 goto out;
3254
3255         switch (sock_class) {
3256         case SECCLASS_UDP_SOCKET:
3257                 netif_perm = NETIF__UDP_RECV;
3258                 node_perm = NODE__UDP_RECV;
3259                 recv_perm = UDP_SOCKET__RECV_MSG;
3260                 break;
3261         
3262         case SECCLASS_TCP_SOCKET:
3263                 netif_perm = NETIF__TCP_RECV;
3264                 node_perm = NODE__TCP_RECV;
3265                 recv_perm = TCP_SOCKET__RECV_MSG;
3266                 break;
3267         
3268         default:
3269                 netif_perm = NETIF__RAWIP_RECV;
3270                 node_perm = NODE__RAWIP_RECV;
3271                 break;
3272         }
3273
3274         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3275         if (err)
3276                 goto out;
3277         
3278         err = security_node_sid(family, addrp, len, &node_sid);
3279         if (err)
3280                 goto out;
3281         
3282         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3283         if (err)
3284                 goto out;
3285
3286         if (recv_perm) {
3287                 u32 port_sid;
3288
3289                 err = security_port_sid(sk->sk_family, sk->sk_type,
3290                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3291                                         &port_sid);
3292                 if (err)
3293                         goto out;
3294
3295                 err = avc_has_perm(sock_sid, port_sid,
3296                                    sock_class, recv_perm, ad);
3297         }
3298
3299 out:
3300         return err;
3301 }
3302
3303 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3304 {
3305         u16 family;
3306         u16 sock_class = 0;
3307         char *addrp;
3308         int len, err = 0;
3309         u32 sock_sid = 0;
3310         struct socket *sock;
3311         struct avc_audit_data ad;
3312
3313         family = sk->sk_family;
3314         if (family != PF_INET && family != PF_INET6)
3315                 goto out;
3316
3317         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3318         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3319                 family = PF_INET;
3320
3321         read_lock_bh(&sk->sk_callback_lock);
3322         sock = sk->sk_socket;
3323         if (sock) {
3324                 struct inode *inode;
3325                 inode = SOCK_INODE(sock);
3326                 if (inode) {
3327                         struct inode_security_struct *isec;
3328                         isec = inode->i_security;
3329                         sock_sid = isec->sid;
3330                         sock_class = isec->sclass;
3331                 }
3332         }
3333         read_unlock_bh(&sk->sk_callback_lock);
3334         if (!sock_sid)
3335                 goto out;
3336
3337         AVC_AUDIT_DATA_INIT(&ad, NET);
3338         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3339         ad.u.net.family = family;
3340
3341         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3342         if (err)
3343                 goto out;
3344
3345         if (selinux_compat_net)
3346                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3347                                                   sock_class, family,
3348                                                   addrp, len);
3349         else
3350                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3351                                    PACKET__RECV, &ad);
3352         if (err)
3353                 goto out;
3354
3355         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3356 out:    
3357         return err;
3358 }
3359
3360 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3361                                             int __user *optlen, unsigned len)
3362 {
3363         int err = 0;
3364         char *scontext;
3365         u32 scontext_len;
3366         struct sk_security_struct *ssec;
3367         struct inode_security_struct *isec;
3368         u32 peer_sid = 0;
3369
3370         isec = SOCK_INODE(sock)->i_security;
3371
3372         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3373         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3374                 ssec = sock->sk->sk_security;
3375                 peer_sid = ssec->peer_sid;
3376         }
3377         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3378                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3379
3380                 if (peer_sid == SECSID_NULL) {
3381                         err = -ENOPROTOOPT;
3382                         goto out;
3383                 }
3384         }
3385         else {
3386                 err = -ENOPROTOOPT;
3387                 goto out;
3388         }
3389
3390         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3391
3392         if (err)
3393                 goto out;
3394
3395         if (scontext_len > len) {
3396                 err = -ERANGE;
3397                 goto out_len;
3398         }
3399
3400         if (copy_to_user(optval, scontext, scontext_len))
3401                 err = -EFAULT;
3402
3403 out_len:
3404         if (put_user(scontext_len, optlen))
3405                 err = -EFAULT;
3406
3407         kfree(scontext);
3408 out:    
3409         return err;
3410 }
3411
3412 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3413 {
3414         int err = 0;
3415         u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3416
3417         if (peer_sid == SECSID_NULL)
3418                 return -EINVAL;
3419
3420         err = security_sid_to_context(peer_sid, secdata, seclen);
3421         if (err)
3422                 return err;
3423
3424         return 0;
3425 }
3426
3427
3428
3429 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3430 {
3431         return sk_alloc_security(sk, family, priority);
3432 }
3433
3434 static void selinux_sk_free_security(struct sock *sk)
3435 {
3436         sk_free_security(sk);
3437 }
3438
3439 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3440 {
3441         struct inode_security_struct *isec;
3442         u32 sock_sid = SECINITSID_ANY_SOCKET;
3443
3444         if (!sk)
3445                 return selinux_no_sk_sid(fl);
3446
3447         read_lock_bh(&sk->sk_callback_lock);
3448         isec = get_sock_isec(sk);
3449
3450         if (isec)
3451                 sock_sid = isec->sid;
3452
3453         read_unlock_bh(&sk->sk_callback_lock);
3454         return sock_sid;
3455 }
3456
3457 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3458 {
3459         int err = 0;
3460         u32 perm;
3461         struct nlmsghdr *nlh;
3462         struct socket *sock = sk->sk_socket;
3463         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3464         
3465         if (skb->len < NLMSG_SPACE(0)) {
3466                 err = -EINVAL;
3467                 goto out;
3468         }
3469         nlh = (struct nlmsghdr *)skb->data;
3470         
3471         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3472         if (err) {
3473                 if (err == -EINVAL) {
3474                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3475                                   "SELinux:  unrecognized netlink message"
3476                                   " type=%hu for sclass=%hu\n",
3477                                   nlh->nlmsg_type, isec->sclass);
3478                         if (!selinux_enforcing)
3479                                 err = 0;
3480                 }
3481
3482                 /* Ignore */
3483                 if (err == -ENOENT)
3484                         err = 0;
3485                 goto out;
3486         }
3487
3488         err = socket_has_perm(current, sock, perm);
3489 out:
3490         return err;
3491 }
3492
3493 #ifdef CONFIG_NETFILTER
3494
3495 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3496                                             struct inode_security_struct *isec,
3497                                             struct avc_audit_data *ad,
3498                                             u16 family, char *addrp, int len)
3499 {
3500         int err;
3501         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3502         
3503         err = sel_netif_sids(dev, &if_sid, NULL);
3504         if (err)
3505                 goto out;
3506
3507         switch (isec->sclass) {
3508         case SECCLASS_UDP_SOCKET:
3509                 netif_perm = NETIF__UDP_SEND;
3510                 node_perm = NODE__UDP_SEND;
3511                 send_perm = UDP_SOCKET__SEND_MSG;
3512                 break;
3513         
3514         case SECCLASS_TCP_SOCKET:
3515                 netif_perm = NETIF__TCP_SEND;
3516                 node_perm = NODE__TCP_SEND;
3517                 send_perm = TCP_SOCKET__SEND_MSG;
3518                 break;
3519         
3520         default:
3521                 netif_perm = NETIF__RAWIP_SEND;
3522                 node_perm = NODE__RAWIP_SEND;
3523                 break;
3524         }
3525
3526         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3527         if (err)
3528                 goto out;
3529                 
3530         err = security_node_sid(family, addrp, len, &node_sid);
3531         if (err)
3532                 goto out;
3533         
3534         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3535         if (err)
3536                 goto out;
3537
3538         if (send_perm) {
3539                 u32 port_sid;
3540                 
3541                 err = security_port_sid(sk->sk_family,
3542                                         sk->sk_type,
3543                                         sk->sk_protocol,
3544                                         ntohs(ad->u.net.dport),
3545                                         &port_sid);
3546                 if (err)
3547                         goto out;
3548
3549                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3550                                    send_perm, ad);
3551         }
3552 out:
3553         return err;
3554 }
3555
3556 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3557                                               struct sk_buff **pskb,
3558                                               const struct net_device *in,
3559                                               const struct net_device *out,
3560                                               int (*okfn)(struct sk_buff *),
3561                                               u16 family)
3562 {
3563         char *addrp;
3564         int len, err = 0;
3565         struct sock *sk;
3566         struct socket *sock;
3567         struct inode *inode;
3568         struct sk_buff *skb = *pskb;
3569         struct inode_security_struct *isec;
3570         struct avc_audit_data ad;
3571         struct net_device *dev = (struct net_device *)out;
3572
3573         sk = skb->sk;
3574         if (!sk)
3575                 goto out;
3576
3577         sock = sk->sk_socket;
3578         if (!sock)
3579                 goto out;
3580
3581         inode = SOCK_INODE(sock);
3582         if (!inode)
3583                 goto out;
3584
3585         isec = inode->i_security;
3586
3587         AVC_AUDIT_DATA_INIT(&ad, NET);
3588         ad.u.net.netif = dev->name;
3589         ad.u.net.family = family;
3590
3591         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3592         if (err)
3593                 goto out;
3594
3595         if (selinux_compat_net)
3596                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3597                                                        family, addrp, len);
3598         else
3599                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3600                                    PACKET__SEND, &ad);
3601
3602         if (err)
3603                 goto out;
3604
3605         err = selinux_xfrm_postroute_last(isec->sid, skb);
3606 out:
3607         return err ? NF_DROP : NF_ACCEPT;
3608 }
3609
3610 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3611                                                 struct sk_buff **pskb,
3612                                                 const struct net_device *in,
3613                                                 const struct net_device *out,
3614                                                 int (*okfn)(struct sk_buff *))
3615 {
3616         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3617 }
3618
3619 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3620
3621 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3622                                                 struct sk_buff **pskb,
3623                                                 const struct net_device *in,
3624                                                 const struct net_device *out,
3625                                                 int (*okfn)(struct sk_buff *))
3626 {
3627         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3628 }
3629
3630 #endif  /* IPV6 */
3631
3632 #endif  /* CONFIG_NETFILTER */
3633
3634 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3635 {
3636         struct task_security_struct *tsec;
3637         struct av_decision avd;
3638         int err;
3639
3640         err = secondary_ops->netlink_send(sk, skb);
3641         if (err)
3642                 return err;
3643
3644         tsec = current->security;
3645
3646         avd.allowed = 0;
3647         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3648                                 SECCLASS_CAPABILITY, ~0, &avd);
3649         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3650
3651         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3652                 err = selinux_nlmsg_perm(sk, skb);
3653
3654         return err;
3655 }
3656
3657 static int selinux_netlink_recv(struct sk_buff *skb)
3658 {
3659         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3660                 return -EPERM;
3661         return 0;
3662 }
3663
3664 static int ipc_alloc_security(struct task_struct *task,
3665                               struct kern_ipc_perm *perm,
3666                               u16 sclass)
3667 {
3668         struct task_security_struct *tsec = task->security;
3669         struct ipc_security_struct *isec;
3670
3671         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3672         if (!isec)
3673                 return -ENOMEM;
3674
3675         isec->sclass = sclass;
3676         isec->ipc_perm = perm;
3677         isec->sid = tsec->sid;
3678         perm->security = isec;
3679
3680         return 0;
3681 }
3682
3683 static void ipc_free_security(struct kern_ipc_perm *perm)
3684 {
3685         struct ipc_security_struct *isec = perm->security;
3686         perm->security = NULL;
3687         kfree(isec);
3688 }
3689
3690 static int msg_msg_alloc_security(struct msg_msg *msg)
3691 {
3692         struct msg_security_struct *msec;
3693
3694         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3695         if (!msec)
3696                 return -ENOMEM;
3697
3698         msec->msg = msg;
3699         msec->sid = SECINITSID_UNLABELED;
3700         msg->security = msec;
3701
3702         return 0;
3703 }
3704
3705 static void msg_msg_free_security(struct msg_msg *msg)
3706 {
3707         struct msg_security_struct *msec = msg->security;
3708
3709         msg->security = NULL;
3710         kfree(msec);
3711 }
3712
3713 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3714                         u32 perms)
3715 {
3716         struct task_security_struct *tsec;
3717         struct ipc_security_struct *isec;
3718         struct avc_audit_data ad;
3719
3720         tsec = current->security;
3721         isec = ipc_perms->security;
3722
3723         AVC_AUDIT_DATA_INIT(&ad, IPC);
3724         ad.u.ipc_id = ipc_perms->key;
3725
3726         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3727 }
3728
3729 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3730 {
3731         return msg_msg_alloc_security(msg);
3732 }
3733
3734 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3735 {
3736         msg_msg_free_security(msg);
3737 }
3738
3739 /* message queue security operations */
3740 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3741 {
3742         struct task_security_struct *tsec;
3743         struct ipc_security_struct *isec;
3744         struct avc_audit_data ad;
3745         int rc;
3746
3747         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3748         if (rc)
3749                 return rc;
3750
3751         tsec = current->security;
3752         isec = msq->q_perm.security;
3753
3754         AVC_AUDIT_DATA_INIT(&ad, IPC);
3755         ad.u.ipc_id = msq->q_perm.key;
3756
3757         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3758                           MSGQ__CREATE, &ad);
3759         if (rc) {
3760                 ipc_free_security(&msq->q_perm);
3761                 return rc;
3762         }
3763         return 0;
3764 }
3765
3766 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3767 {
3768         ipc_free_security(&msq->q_perm);
3769 }
3770
3771 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3772 {
3773         struct task_security_struct *tsec;
3774         struct ipc_security_struct *isec;
3775         struct avc_audit_data ad;
3776
3777         tsec = current->security;
3778         isec = msq->q_perm.security;
3779
3780         AVC_AUDIT_DATA_INIT(&ad, IPC);
3781         ad.u.ipc_id = msq->q_perm.key;
3782
3783         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3784                             MSGQ__ASSOCIATE, &ad);
3785 }
3786
3787 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3788 {
3789         int err;
3790         int perms;
3791
3792         switch(cmd) {
3793         case IPC_INFO:
3794         case MSG_INFO:
3795                 /* No specific object, just general system-wide information. */
3796                 return task_has_system(current, SYSTEM__IPC_INFO);
3797         case IPC_STAT:
3798         case MSG_STAT:
3799                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3800                 break;
3801         case IPC_SET:
3802                 perms = MSGQ__SETATTR;
3803                 break;
3804         case IPC_RMID:
3805                 perms = MSGQ__DESTROY;
3806                 break;
3807         default:
3808                 return 0;
3809         }
3810
3811         err = ipc_has_perm(&msq->q_perm, perms);
3812         return err;
3813 }
3814
3815 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3816 {
3817         struct task_security_struct *tsec;
3818         struct ipc_security_struct *isec;
3819         struct msg_security_struct *msec;
3820         struct avc_audit_data ad;
3821         int rc;
3822
3823         tsec = current->security;
3824         isec = msq->q_perm.security;
3825         msec = msg->security;
3826
3827         /*
3828          * First time through, need to assign label to the message
3829          */
3830         if (msec->sid == SECINITSID_UNLABELED) {
3831                 /*
3832                  * Compute new sid based on current process and
3833                  * message queue this message will be stored in
3834                  */
3835                 rc = security_transition_sid(tsec->sid,
3836                                              isec->sid,
3837                                              SECCLASS_MSG,
3838                                              &msec->sid);
3839                 if (rc)
3840                         return rc;
3841         }
3842
3843         AVC_AUDIT_DATA_INIT(&ad, IPC);
3844         ad.u.ipc_id = msq->q_perm.key;
3845
3846         /* Can this process write to the queue? */
3847         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3848                           MSGQ__WRITE, &ad);
3849         if (!rc)
3850                 /* Can this process send the message */
3851                 rc = avc_has_perm(tsec->sid, msec->sid,
3852                                   SECCLASS_MSG, MSG__SEND, &ad);
3853         if (!rc)
3854                 /* Can the message be put in the queue? */
3855                 rc = avc_has_perm(msec->sid, isec->sid,
3856                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3857
3858         return rc;
3859 }
3860
3861 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3862                                     struct task_struct *target,
3863                                     long type, int mode)
3864 {
3865         struct task_security_struct *tsec;
3866         struct ipc_security_struct *isec;
3867         struct msg_security_struct *msec;
3868         struct avc_audit_data ad;
3869         int rc;
3870
3871         tsec = target->security;
3872         isec = msq->q_perm.security;
3873         msec = msg->security;
3874
3875         AVC_AUDIT_DATA_INIT(&ad, IPC);
3876         ad.u.ipc_id = msq->q_perm.key;
3877
3878         rc = avc_has_perm(tsec->sid, isec->sid,
3879                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3880         if (!rc)
3881                 rc = avc_has_perm(tsec->sid, msec->sid,
3882                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3883         return rc;
3884 }
3885
3886 /* Shared Memory security operations */
3887 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3888 {
3889         struct task_security_struct *tsec;
3890         struct ipc_security_struct *isec;
3891         struct avc_audit_data ad;
3892         int rc;
3893
3894         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3895         if (rc)
3896                 return rc;
3897
3898         tsec = current->security;
3899         isec = shp->shm_perm.security;
3900
3901         AVC_AUDIT_DATA_INIT(&ad, IPC);
3902         ad.u.ipc_id = shp->shm_perm.key;
3903
3904         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3905                           SHM__CREATE, &ad);
3906         if (rc) {
3907                 ipc_free_security(&shp->shm_perm);
3908                 return rc;
3909         }
3910         return 0;
3911 }
3912
3913 static void selinux_shm_free_security(struct shmid_kernel *shp)
3914 {
3915         ipc_free_security(&shp->shm_perm);
3916 }
3917
3918 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3919 {
3920         struct task_security_struct *tsec;
3921         struct ipc_security_struct *isec;
3922         struct avc_audit_data ad;
3923
3924         tsec = current->security;
3925         isec = shp->shm_perm.security;
3926
3927         AVC_AUDIT_DATA_INIT(&ad, IPC);
3928         ad.u.ipc_id = shp->shm_perm.key;
3929
3930         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3931                             SHM__ASSOCIATE, &ad);
3932 }
3933
3934 /* Note, at this point, shp is locked down */
3935 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3936 {
3937         int perms;
3938         int err;
3939
3940         switch(cmd) {
3941         case IPC_INFO:
3942         case SHM_INFO:
3943                 /* No specific object, just general system-wide information. */
3944                 return task_has_system(current, SYSTEM__IPC_INFO);
3945         case IPC_STAT:
3946         case SHM_STAT:
3947                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3948                 break;
3949         case IPC_SET:
3950                 perms = SHM__SETATTR;
3951                 break;
3952         case SHM_LOCK:
3953         case SHM_UNLOCK:
3954                 perms = SHM__LOCK;
3955                 break;
3956         case IPC_RMID:
3957                 perms = SHM__DESTROY;
3958                 break;
3959         default:
3960                 return 0;
3961         }
3962
3963         err = ipc_has_perm(&shp->shm_perm, perms);
3964         return err;
3965 }
3966
3967 static int selinux_shm_shmat(struct shmid_kernel *shp,
3968                              char __user *shmaddr, int shmflg)
3969 {
3970         u32 perms;
3971         int rc;
3972
3973         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3974         if (rc)
3975                 return rc;
3976
3977         if (shmflg & SHM_RDONLY)
3978                 perms = SHM__READ;
3979         else
3980                 perms = SHM__READ | SHM__WRITE;
3981
3982         return ipc_has_perm(&shp->shm_perm, perms);
3983 }
3984
3985 /* Semaphore security operations */
3986 static int selinux_sem_alloc_security(struct sem_array *sma)
3987 {
3988         struct task_security_struct *tsec;
3989         struct ipc_security_struct *isec;
3990         struct avc_audit_data ad;
3991         int rc;
3992
3993         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3994         if (rc)
3995                 return rc;
3996
3997         tsec = current->security;
3998         isec = sma->sem_perm.security;
3999
4000         AVC_AUDIT_DATA_INIT(&ad, IPC);
4001         ad.u.ipc_id = sma->sem_perm.key;
4002
4003         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4004                           SEM__CREATE, &ad);
4005         if (rc) {
4006                 ipc_free_security(&sma->sem_perm);
4007                 return rc;
4008         }
4009         return 0;
4010 }
4011
4012 static void selinux_sem_free_security(struct sem_array *sma)
4013 {
4014         ipc_free_security(&sma->sem_perm);
4015 }
4016
4017 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4018 {
4019         struct task_security_struct *tsec;
4020         struct ipc_security_struct *isec;
4021         struct avc_audit_data ad;
4022
4023         tsec = current->security;
4024         isec = sma->sem_perm.security;
4025
4026         AVC_AUDIT_DATA_INIT(&ad, IPC);
4027         ad.u.ipc_id = sma->sem_perm.key;
4028
4029         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4030                             SEM__ASSOCIATE, &ad);
4031 }
4032
4033 /* Note, at this point, sma is locked down */
4034 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4035 {
4036         int err;
4037         u32 perms;
4038
4039         switch(cmd) {
4040         case IPC_INFO:
4041         case SEM_INFO:
4042                 /* No specific object, just general system-wide information. */
4043                 return task_has_system(current, SYSTEM__IPC_INFO);
4044         case GETPID:
4045         case GETNCNT:
4046         case GETZCNT:
4047                 perms = SEM__GETATTR;
4048                 break;
4049         case GETVAL:
4050         case GETALL:
4051                 perms = SEM__READ;
4052                 break;
4053         case SETVAL:
4054         case SETALL:
4055                 perms = SEM__WRITE;
4056                 break;
4057         case IPC_RMID:
4058                 perms = SEM__DESTROY;
4059                 break;
4060         case IPC_SET:
4061                 perms = SEM__SETATTR;
4062                 break;
4063         case IPC_STAT:
4064         case SEM_STAT:
4065                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4066                 break;
4067         default:
4068                 return 0;
4069         }
4070
4071         err = ipc_has_perm(&sma->sem_perm, perms);
4072         return err;
4073 }
4074
4075 static int selinux_sem_semop(struct sem_array *sma,
4076                              struct sembuf *sops, unsigned nsops, int alter)
4077 {
4078         u32 perms;
4079
4080         if (alter)
4081                 perms = SEM__READ | SEM__WRITE;
4082         else
4083                 perms = SEM__READ;
4084
4085         return ipc_has_perm(&sma->sem_perm, perms);
4086 }
4087
4088 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4089 {
4090         u32 av = 0;
4091
4092         av = 0;
4093         if (flag & S_IRUGO)
4094                 av |= IPC__UNIX_READ;
4095         if (flag & S_IWUGO)
4096                 av |= IPC__UNIX_WRITE;
4097
4098         if (av == 0)
4099                 return 0;
4100
4101         return ipc_has_perm(ipcp, av);
4102 }
4103
4104 /* module stacking operations */
4105 static int selinux_register_security (const char *name, struct security_operations *ops)
4106 {
4107         if (secondary_ops != original_ops) {
4108                 printk(KERN_INFO "%s:  There is already a secondary security "
4109                        "module registered.\n", __FUNCTION__);
4110                 return -EINVAL;
4111         }
4112
4113         secondary_ops = ops;
4114
4115         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4116                __FUNCTION__,
4117                name);
4118
4119         return 0;
4120 }
4121
4122 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4123 {
4124         if (ops != secondary_ops) {
4125                 printk (KERN_INFO "%s:  trying to unregister a security module "
4126                         "that is not registered.\n", __FUNCTION__);
4127                 return -EINVAL;
4128         }
4129
4130         secondary_ops = original_ops;
4131
4132         return 0;
4133 }
4134
4135 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4136 {
4137         if (inode)
4138                 inode_doinit_with_dentry(inode, dentry);
4139 }
4140
4141 static int selinux_getprocattr(struct task_struct *p,
4142                                char *name, void *value, size_t size)
4143 {
4144         struct task_security_struct *tsec;
4145         u32 sid;
4146         int error;
4147
4148         if (current != p) {
4149                 error = task_has_perm(current, p, PROCESS__GETATTR);
4150                 if (error)
4151                         return error;
4152         }
4153
4154         tsec = p->security;
4155
4156         if (!strcmp(name, "current"))
4157                 sid = tsec->sid;
4158         else if (!strcmp(name, "prev"))
4159                 sid = tsec->osid;
4160         else if (!strcmp(name, "exec"))
4161                 sid = tsec->exec_sid;
4162         else if (!strcmp(name, "fscreate"))
4163                 sid = tsec->create_sid;
4164         else if (!strcmp(name, "keycreate"))
4165                 sid = tsec->keycreate_sid;
4166         else
4167                 return -EINVAL;
4168
4169         if (!sid)
4170                 return 0;
4171
4172         return selinux_getsecurity(sid, value, size);
4173 }
4174
4175 static int selinux_setprocattr(struct task_struct *p,
4176                                char *name, void *value, size_t size)
4177 {
4178         struct task_security_struct *tsec;
4179         u32 sid = 0;
4180         int error;
4181         char *str = value;
4182
4183         if (current != p) {
4184                 /* SELinux only allows a process to change its own
4185                    security attributes. */
4186                 return -EACCES;
4187         }
4188
4189         /*
4190          * Basic control over ability to set these attributes at all.
4191          * current == p, but we'll pass them separately in case the
4192          * above restriction is ever removed.
4193          */
4194         if (!strcmp(name, "exec"))
4195                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4196         else if (!strcmp(name, "fscreate"))
4197                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4198         else if (!strcmp(name, "keycreate"))
4199                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4200         else if (!strcmp(name, "current"))
4201                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4202         else
4203                 error = -EINVAL;
4204         if (error)
4205                 return error;
4206
4207         /* Obtain a SID for the context, if one was specified. */
4208         if (size && str[1] && str[1] != '\n') {
4209                 if (str[size-1] == '\n') {
4210                         str[size-1] = 0;
4211                         size--;
4212                 }
4213                 error = security_context_to_sid(value, size, &sid);
4214                 if (error)
4215                         return error;
4216         }
4217
4218         /* Permission checking based on the specified context is
4219            performed during the actual operation (execve,
4220            open/mkdir/...), when we know the full context of the
4221            operation.  See selinux_bprm_set_security for the execve
4222            checks and may_create for the file creation checks. The
4223            operation will then fail if the context is not permitted. */
4224         tsec = p->security;
4225         if (!strcmp(name, "exec"))
4226                 tsec->exec_sid = sid;
4227         else if (!strcmp(name, "fscreate"))
4228                 tsec->create_sid = sid;
4229         else if (!strcmp(name, "keycreate")) {
4230                 error = may_create_key(sid, p);
4231                 if (error)
4232                         return error;
4233                 tsec->keycreate_sid = sid;
4234         } else if (!strcmp(name, "current")) {
4235                 struct av_decision avd;
4236
4237                 if (sid == 0)
4238                         return -EINVAL;
4239
4240                 /* Only allow single threaded processes to change context */
4241                 if (atomic_read(&p->mm->mm_users) != 1) {
4242                         struct task_struct *g, *t;
4243                         struct mm_struct *mm = p->mm;
4244                         read_lock(&tasklist_lock);
4245                         do_each_thread(g, t)
4246                                 if (t->mm == mm && t != p) {
4247                                         read_unlock(&tasklist_lock);
4248                                         return -EPERM;
4249                                 }
4250                         while_each_thread(g, t);
4251                         read_unlock(&tasklist_lock);
4252                 }
4253
4254                 /* Check permissions for the transition. */
4255                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4256                                      PROCESS__DYNTRANSITION, NULL);
4257                 if (error)
4258                         return error;
4259
4260                 /* Check for ptracing, and update the task SID if ok.
4261                    Otherwise, leave SID unchanged and fail. */
4262                 task_lock(p);
4263                 if (p->ptrace & PT_PTRACED) {
4264                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4265                                                      SECCLASS_PROCESS,
4266                                                      PROCESS__PTRACE, &avd);
4267                         if (!error)
4268                                 tsec->sid = sid;
4269                         task_unlock(p);
4270                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4271                                   PROCESS__PTRACE, &avd, error, NULL);
4272                         if (error)
4273                                 return error;
4274                 } else {
4275                         tsec->sid = sid;
4276                         task_unlock(p);
4277                 }
4278         }
4279         else
4280                 return -EINVAL;
4281
4282         return size;
4283 }
4284
4285 #ifdef CONFIG_KEYS
4286
4287 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4288                              unsigned long flags)
4289 {
4290         struct task_security_struct *tsec = tsk->security;
4291         struct key_security_struct *ksec;
4292
4293         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4294         if (!ksec)
4295                 return -ENOMEM;
4296
4297         ksec->obj = k;
4298         if (tsec->keycreate_sid)
4299                 ksec->sid = tsec->keycreate_sid;
4300         else
4301                 ksec->sid = tsec->sid;
4302         k->security = ksec;
4303
4304         return 0;
4305 }
4306
4307 static void selinux_key_free(struct key *k)
4308 {
4309         struct key_security_struct *ksec = k->security;
4310
4311         k->security = NULL;
4312         kfree(ksec);
4313 }
4314
4315 static int selinux_key_permission(key_ref_t key_ref,
4316                             struct task_struct *ctx,
4317                             key_perm_t perm)
4318 {
4319         struct key *key;
4320         struct task_security_struct *tsec;
4321         struct key_security_struct *ksec;
4322
4323         key = key_ref_to_ptr(key_ref);
4324
4325         tsec = ctx->security;
4326         ksec = key->security;
4327
4328         /* if no specific permissions are requested, we skip the
4329            permission check. No serious, additional covert channels
4330            appear to be created. */
4331         if (perm == 0)
4332                 return 0;
4333
4334         return avc_has_perm(tsec->sid, ksec->sid,
4335                             SECCLASS_KEY, perm, NULL);
4336 }
4337
4338 #endif
4339
4340 static struct security_operations selinux_ops = {
4341         .ptrace =                       selinux_ptrace,
4342         .capget =                       selinux_capget,
4343         .capset_check =                 selinux_capset_check,
4344         .capset_set =                   selinux_capset_set,
4345         .sysctl =                       selinux_sysctl,
4346         .capable =                      selinux_capable,
4347         .quotactl =                     selinux_quotactl,
4348         .quota_on =                     selinux_quota_on,
4349         .syslog =                       selinux_syslog,
4350         .vm_enough_memory =             selinux_vm_enough_memory,
4351
4352         .netlink_send =                 selinux_netlink_send,
4353         .netlink_recv =                 selinux_netlink_recv,
4354
4355         .bprm_alloc_security =          selinux_bprm_alloc_security,
4356         .bprm_free_security =           selinux_bprm_free_security,
4357         .bprm_apply_creds =             selinux_bprm_apply_creds,
4358         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4359         .bprm_set_security =            selinux_bprm_set_security,
4360         .bprm_check_security =          selinux_bprm_check_security,
4361         .bprm_secureexec =              selinux_bprm_secureexec,
4362
4363         .sb_alloc_security =            selinux_sb_alloc_security,
4364         .sb_free_security =             selinux_sb_free_security,
4365         .sb_copy_data =                 selinux_sb_copy_data,
4366         .sb_kern_mount =                selinux_sb_kern_mount,
4367         .sb_statfs =                    selinux_sb_statfs,
4368         .sb_mount =                     selinux_mount,
4369         .sb_umount =                    selinux_umount,
4370
4371         .inode_alloc_security =         selinux_inode_alloc_security,
4372         .inode_free_security =          selinux_inode_free_security,
4373         .inode_init_security =          selinux_inode_init_security,
4374         .inode_create =                 selinux_inode_create,
4375         .inode_link =                   selinux_inode_link,
4376         .inode_unlink =                 selinux_inode_unlink,
4377         .inode_symlink =                selinux_inode_symlink,
4378         .inode_mkdir =                  selinux_inode_mkdir,
4379         .inode_rmdir =                  selinux_inode_rmdir,
4380         .inode_mknod =                  selinux_inode_mknod,
4381         .inode_rename =                 selinux_inode_rename,
4382         .inode_readlink =               selinux_inode_readlink,
4383         .inode_follow_link =            selinux_inode_follow_link,
4384         .inode_permission =             selinux_inode_permission,
4385         .inode_setattr =                selinux_inode_setattr,
4386         .inode_getattr =                selinux_inode_getattr,
4387         .inode_setxattr =               selinux_inode_setxattr,
4388         .inode_post_setxattr =          selinux_inode_post_setxattr,
4389         .inode_getxattr =               selinux_inode_getxattr,
4390         .inode_listxattr =              selinux_inode_listxattr,
4391         .inode_removexattr =            selinux_inode_removexattr,
4392         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4393         .inode_getsecurity =            selinux_inode_getsecurity,
4394         .inode_setsecurity =            selinux_inode_setsecurity,
4395         .inode_listsecurity =           selinux_inode_listsecurity,
4396
4397         .file_permission =              selinux_file_permission,
4398         .file_alloc_security =          selinux_file_alloc_security,
4399         .file_free_security =           selinux_file_free_security,
4400         .file_ioctl =                   selinux_file_ioctl,
4401         .file_mmap =                    selinux_file_mmap,
4402         .file_mprotect =                selinux_file_mprotect,
4403         .file_lock =                    selinux_file_lock,
4404         .file_fcntl =                   selinux_file_fcntl,
4405         .file_set_fowner =              selinux_file_set_fowner,
4406         .file_send_sigiotask =          selinux_file_send_sigiotask,
4407         .file_receive =                 selinux_file_receive,
4408
4409         .task_create =                  selinux_task_create,
4410         .task_alloc_security =          selinux_task_alloc_security,
4411         .task_free_security =           selinux_task_free_security,
4412         .task_setuid =                  selinux_task_setuid,
4413         .task_post_setuid =             selinux_task_post_setuid,
4414         .task_setgid =                  selinux_task_setgid,
4415         .task_setpgid =                 selinux_task_setpgid,
4416         .task_getpgid =                 selinux_task_getpgid,
4417         .task_getsid =                  selinux_task_getsid,
4418         .task_setgroups =               selinux_task_setgroups,
4419         .task_setnice =                 selinux_task_setnice,
4420         .task_setioprio =               selinux_task_setioprio,
4421         .task_setrlimit =               selinux_task_setrlimit,
4422         .task_setscheduler =            selinux_task_setscheduler,
4423         .task_getscheduler =            selinux_task_getscheduler,
4424         .task_movememory =              selinux_task_movememory,
4425         .task_kill =                    selinux_task_kill,
4426         .task_wait =                    selinux_task_wait,
4427         .task_prctl =                   selinux_task_prctl,
4428         .task_reparent_to_init =        selinux_task_reparent_to_init,
4429         .task_to_inode =                selinux_task_to_inode,
4430
4431         .ipc_permission =               selinux_ipc_permission,
4432
4433         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4434         .msg_msg_free_security =        selinux_msg_msg_free_security,
4435
4436         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4437         .msg_queue_free_security =      selinux_msg_queue_free_security,
4438         .msg_queue_associate =          selinux_msg_queue_associate,
4439         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4440         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4441         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4442
4443         .shm_alloc_security =           selinux_shm_alloc_security,
4444         .shm_free_security =            selinux_shm_free_security,
4445         .shm_associate =                selinux_shm_associate,
4446         .shm_shmctl =                   selinux_shm_shmctl,
4447         .shm_shmat =                    selinux_shm_shmat,
4448
4449         .sem_alloc_security =           selinux_sem_alloc_security,
4450         .sem_free_security =            selinux_sem_free_security,
4451         .sem_associate =                selinux_sem_associate,
4452         .sem_semctl =                   selinux_sem_semctl,
4453         .sem_semop =                    selinux_sem_semop,
4454
4455         .register_security =            selinux_register_security,
4456         .unregister_security =          selinux_unregister_security,
4457
4458         .d_instantiate =                selinux_d_instantiate,
4459
4460         .getprocattr =                  selinux_getprocattr,
4461         .setprocattr =                  selinux_setprocattr,
4462
4463         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4464         .unix_may_send =                selinux_socket_unix_may_send,
4465
4466         .socket_create =                selinux_socket_create,
4467         .socket_post_create =           selinux_socket_post_create,
4468         .socket_bind =                  selinux_socket_bind,
4469         .socket_connect =               selinux_socket_connect,
4470         .socket_listen =                selinux_socket_listen,
4471         .socket_accept =                selinux_socket_accept,
4472         .socket_sendmsg =               selinux_socket_sendmsg,
4473         .socket_recvmsg =               selinux_socket_recvmsg,
4474         .socket_getsockname =           selinux_socket_getsockname,
4475         .socket_getpeername =           selinux_socket_getpeername,
4476         .socket_getsockopt =            selinux_socket_getsockopt,
4477         .socket_setsockopt =            selinux_socket_setsockopt,
4478         .socket_shutdown =              selinux_socket_shutdown,
4479         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4480         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4481         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4482         .sk_alloc_security =            selinux_sk_alloc_security,
4483         .sk_free_security =             selinux_sk_free_security,
4484         .sk_getsid =                    selinux_sk_getsid_security,
4485
4486 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4487         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4488         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4489         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4490         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4491         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4492         .xfrm_state_free_security =     selinux_xfrm_state_free,
4493         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4494         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4495 #endif
4496
4497 #ifdef CONFIG_KEYS
4498         .key_alloc =                    selinux_key_alloc,
4499         .key_free =                     selinux_key_free,
4500         .key_permission =               selinux_key_permission,
4501 #endif
4502 };
4503
4504 static __init int selinux_init(void)
4505 {
4506         struct task_security_struct *tsec;
4507
4508         if (!selinux_enabled) {
4509                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4510                 return 0;
4511         }
4512
4513         printk(KERN_INFO "SELinux:  Initializing.\n");
4514
4515         /* Set the security state for the initial task. */
4516         if (task_alloc_security(current))
4517                 panic("SELinux:  Failed to initialize initial task.\n");
4518         tsec = current->security;
4519         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4520
4521         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4522                                             sizeof(struct inode_security_struct),
4523                                             0, SLAB_PANIC, NULL, NULL);
4524         avc_init();
4525
4526         original_ops = secondary_ops = security_ops;
4527         if (!secondary_ops)
4528                 panic ("SELinux: No initial security operations\n");
4529         if (register_security (&selinux_ops))
4530                 panic("SELinux: Unable to register with kernel.\n");
4531
4532         if (selinux_enforcing) {
4533                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4534         } else {
4535                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4536         }
4537
4538 #ifdef CONFIG_KEYS
4539         /* Add security information to initial keyrings */
4540         selinux_key_alloc(&root_user_keyring, current,
4541                           KEY_ALLOC_NOT_IN_QUOTA);
4542         selinux_key_alloc(&root_session_keyring, current,
4543                           KEY_ALLOC_NOT_IN_QUOTA);
4544 #endif
4545
4546         return 0;
4547 }
4548
4549 void selinux_complete_init(void)
4550 {
4551         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4552
4553         /* Set up any superblocks initialized prior to the policy load. */
4554         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4555         spin_lock(&sb_lock);
4556         spin_lock(&sb_security_lock);
4557 next_sb:
4558         if (!list_empty(&superblock_security_head)) {
4559                 struct superblock_security_struct *sbsec =
4560                                 list_entry(superblock_security_head.next,
4561                                            struct superblock_security_struct,
4562                                            list);
4563                 struct super_block *sb = sbsec->sb;
4564                 sb->s_count++;
4565                 spin_unlock(&sb_security_lock);
4566                 spin_unlock(&sb_lock);
4567                 down_read(&sb->s_umount);
4568                 if (sb->s_root)
4569                         superblock_doinit(sb, NULL);
4570                 drop_super(sb);
4571                 spin_lock(&sb_lock);
4572                 spin_lock(&sb_security_lock);
4573                 list_del_init(&sbsec->list);
4574                 goto next_sb;
4575         }
4576         spin_unlock(&sb_security_lock);
4577         spin_unlock(&sb_lock);
4578 }
4579
4580 /* SELinux requires early initialization in order to label
4581    all processes and objects when they are created. */
4582 security_initcall(selinux_init);
4583
4584 #if defined(CONFIG_NETFILTER)
4585
4586 static struct nf_hook_ops selinux_ipv4_op = {
4587         .hook =         selinux_ipv4_postroute_last,
4588         .owner =        THIS_MODULE,
4589         .pf =           PF_INET,
4590         .hooknum =      NF_IP_POST_ROUTING,
4591         .priority =     NF_IP_PRI_SELINUX_LAST,
4592 };
4593
4594 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4595
4596 static struct nf_hook_ops selinux_ipv6_op = {
4597         .hook =         selinux_ipv6_postroute_last,
4598         .owner =        THIS_MODULE,
4599         .pf =           PF_INET6,
4600         .hooknum =      NF_IP6_POST_ROUTING,
4601         .priority =     NF_IP6_PRI_SELINUX_LAST,
4602 };
4603
4604 #endif  /* IPV6 */
4605
4606 static int __init selinux_nf_ip_init(void)
4607 {
4608         int err = 0;
4609
4610         if (!selinux_enabled)
4611                 goto out;
4612                 
4613         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4614         
4615         err = nf_register_hook(&selinux_ipv4_op);
4616         if (err)
4617                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4618
4619 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4620
4621         err = nf_register_hook(&selinux_ipv6_op);
4622         if (err)
4623                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4624
4625 #endif  /* IPV6 */
4626
4627 out:
4628         return err;
4629 }
4630
4631 __initcall(selinux_nf_ip_init);
4632
4633 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4634 static void selinux_nf_ip_exit(void)
4635 {
4636         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4637
4638         nf_unregister_hook(&selinux_ipv4_op);
4639 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4640         nf_unregister_hook(&selinux_ipv6_op);
4641 #endif  /* IPV6 */
4642 }
4643 #endif
4644
4645 #else /* CONFIG_NETFILTER */
4646
4647 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4648 #define selinux_nf_ip_exit()
4649 #endif
4650
4651 #endif /* CONFIG_NETFILTER */
4652
4653 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4654 int selinux_disable(void)
4655 {
4656         extern void exit_sel_fs(void);
4657         static int selinux_disabled = 0;
4658
4659         if (ss_initialized) {
4660                 /* Not permitted after initial policy load. */
4661                 return -EINVAL;
4662         }
4663
4664         if (selinux_disabled) {
4665                 /* Only do this once. */
4666                 return -EINVAL;
4667         }
4668
4669         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4670
4671         selinux_disabled = 1;
4672         selinux_enabled = 0;
4673
4674         /* Reset security_ops to the secondary module, dummy or capability. */
4675         security_ops = secondary_ops;
4676
4677         /* Unregister netfilter hooks. */
4678         selinux_nf_ip_exit();
4679
4680         /* Unregister selinuxfs. */
4681         exit_sel_fs();
4682
4683         return 0;
4684 }
4685 #endif
4686
4687