security: remove register_security hook
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/ptrace.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129
130 /*
131  * Minimal support for a secondary security module,
132  * just to allow the use of the capability module.
133  */
134 static struct security_operations *secondary_ops;
135
136 /* Lists of inode and superblock security structures initialized
137    before the policy was loaded. */
138 static LIST_HEAD(superblock_security_head);
139 static DEFINE_SPINLOCK(sb_security_lock);
140
141 static struct kmem_cache *sel_inode_cache;
142
143 /**
144  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
145  *
146  * Description:
147  * This function checks the SECMARK reference counter to see if any SECMARK
148  * targets are currently configured, if the reference counter is greater than
149  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
150  * enabled, false (0) if SECMARK is disabled.
151  *
152  */
153 static int selinux_secmark_enabled(void)
154 {
155         return (atomic_read(&selinux_secmark_refcount) > 0);
156 }
157
158 /* Allocate and free functions for each kind of security blob. */
159
160 static int task_alloc_security(struct task_struct *task)
161 {
162         struct task_security_struct *tsec;
163
164         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165         if (!tsec)
166                 return -ENOMEM;
167
168         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
169         task->security = tsec;
170
171         return 0;
172 }
173
174 static void task_free_security(struct task_struct *task)
175 {
176         struct task_security_struct *tsec = task->security;
177         task->security = NULL;
178         kfree(tsec);
179 }
180
181 static int inode_alloc_security(struct inode *inode)
182 {
183         struct task_security_struct *tsec = current->security;
184         struct inode_security_struct *isec;
185
186         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
187         if (!isec)
188                 return -ENOMEM;
189
190         mutex_init(&isec->lock);
191         INIT_LIST_HEAD(&isec->list);
192         isec->inode = inode;
193         isec->sid = SECINITSID_UNLABELED;
194         isec->sclass = SECCLASS_FILE;
195         isec->task_sid = tsec->sid;
196         inode->i_security = isec;
197
198         return 0;
199 }
200
201 static void inode_free_security(struct inode *inode)
202 {
203         struct inode_security_struct *isec = inode->i_security;
204         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
205
206         spin_lock(&sbsec->isec_lock);
207         if (!list_empty(&isec->list))
208                 list_del_init(&isec->list);
209         spin_unlock(&sbsec->isec_lock);
210
211         inode->i_security = NULL;
212         kmem_cache_free(sel_inode_cache, isec);
213 }
214
215 static int file_alloc_security(struct file *file)
216 {
217         struct task_security_struct *tsec = current->security;
218         struct file_security_struct *fsec;
219
220         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
221         if (!fsec)
222                 return -ENOMEM;
223
224         fsec->sid = tsec->sid;
225         fsec->fown_sid = tsec->sid;
226         file->f_security = fsec;
227
228         return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233         struct file_security_struct *fsec = file->f_security;
234         file->f_security = NULL;
235         kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240         struct superblock_security_struct *sbsec;
241
242         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243         if (!sbsec)
244                 return -ENOMEM;
245
246         mutex_init(&sbsec->lock);
247         INIT_LIST_HEAD(&sbsec->list);
248         INIT_LIST_HEAD(&sbsec->isec_head);
249         spin_lock_init(&sbsec->isec_lock);
250         sbsec->sb = sb;
251         sbsec->sid = SECINITSID_UNLABELED;
252         sbsec->def_sid = SECINITSID_FILE;
253         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254         sb->s_security = sbsec;
255
256         return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261         struct superblock_security_struct *sbsec = sb->s_security;
262
263         spin_lock(&sb_security_lock);
264         if (!list_empty(&sbsec->list))
265                 list_del_init(&sbsec->list);
266         spin_unlock(&sb_security_lock);
267
268         sb->s_security = NULL;
269         kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274         struct sk_security_struct *ssec;
275
276         ssec = kzalloc(sizeof(*ssec), priority);
277         if (!ssec)
278                 return -ENOMEM;
279
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         ssec->sid = SECINITSID_UNLABELED;
282         sk->sk_security = ssec;
283
284         selinux_netlbl_sk_security_reset(ssec, family);
285
286         return 0;
287 }
288
289 static void sk_free_security(struct sock *sk)
290 {
291         struct sk_security_struct *ssec = sk->sk_security;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_error = -1,
321         Opt_context = 1,
322         Opt_fscontext = 2,
323         Opt_defcontext = 3,
324         Opt_rootcontext = 4,
325 };
326
327 static match_table_t tokens = {
328         {Opt_context, CONTEXT_STR "%s"},
329         {Opt_fscontext, FSCONTEXT_STR "%s"},
330         {Opt_defcontext, DEFCONTEXT_STR "%s"},
331         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332         {Opt_error, NULL},
333 };
334
335 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
336
337 static int may_context_mount_sb_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         struct task_security_struct *tsec)
340 {
341         int rc;
342
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__RELABELTO, NULL);
350         return rc;
351 }
352
353 static int may_context_mount_inode_relabel(u32 sid,
354                         struct superblock_security_struct *sbsec,
355                         struct task_security_struct *tsec)
356 {
357         int rc;
358         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
359                           FILESYSTEM__RELABELFROM, NULL);
360         if (rc)
361                 return rc;
362
363         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
364                           FILESYSTEM__ASSOCIATE, NULL);
365         return rc;
366 }
367
368 static int sb_finish_set_opts(struct super_block *sb)
369 {
370         struct superblock_security_struct *sbsec = sb->s_security;
371         struct dentry *root = sb->s_root;
372         struct inode *root_inode = root->d_inode;
373         int rc = 0;
374
375         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
376                 /* Make sure that the xattr handler exists and that no
377                    error other than -ENODATA is returned by getxattr on
378                    the root directory.  -ENODATA is ok, as this may be
379                    the first boot of the SELinux kernel before we have
380                    assigned xattr values to the filesystem. */
381                 if (!root_inode->i_op->getxattr) {
382                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
383                                "xattr support\n", sb->s_id, sb->s_type->name);
384                         rc = -EOPNOTSUPP;
385                         goto out;
386                 }
387                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
388                 if (rc < 0 && rc != -ENODATA) {
389                         if (rc == -EOPNOTSUPP)
390                                 printk(KERN_WARNING "SELinux: (dev %s, type "
391                                        "%s) has no security xattr handler\n",
392                                        sb->s_id, sb->s_type->name);
393                         else
394                                 printk(KERN_WARNING "SELinux: (dev %s, type "
395                                        "%s) getxattr errno %d\n", sb->s_id,
396                                        sb->s_type->name, -rc);
397                         goto out;
398                 }
399         }
400
401         sbsec->initialized = 1;
402
403         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
405                        sb->s_id, sb->s_type->name);
406         else
407                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
408                        sb->s_id, sb->s_type->name,
409                        labeling_behaviors[sbsec->behavior-1]);
410
411         /* Initialize the root inode. */
412         rc = inode_doinit_with_dentry(root_inode, root);
413
414         /* Initialize any other inodes associated with the superblock, e.g.
415            inodes created prior to initial policy load or inodes created
416            during get_sb by a pseudo filesystem that directly
417            populates itself. */
418         spin_lock(&sbsec->isec_lock);
419 next_inode:
420         if (!list_empty(&sbsec->isec_head)) {
421                 struct inode_security_struct *isec =
422                                 list_entry(sbsec->isec_head.next,
423                                            struct inode_security_struct, list);
424                 struct inode *inode = isec->inode;
425                 spin_unlock(&sbsec->isec_lock);
426                 inode = igrab(inode);
427                 if (inode) {
428                         if (!IS_PRIVATE(inode))
429                                 inode_doinit(inode);
430                         iput(inode);
431                 }
432                 spin_lock(&sbsec->isec_lock);
433                 list_del_init(&isec->list);
434                 goto next_inode;
435         }
436         spin_unlock(&sbsec->isec_lock);
437 out:
438         return rc;
439 }
440
441 /*
442  * This function should allow an FS to ask what it's mount security
443  * options were so it can use those later for submounts, displaying
444  * mount options, or whatever.
445  */
446 static int selinux_get_mnt_opts(const struct super_block *sb,
447                                 struct security_mnt_opts *opts)
448 {
449         int rc = 0, i;
450         struct superblock_security_struct *sbsec = sb->s_security;
451         char *context = NULL;
452         u32 len;
453         char tmp;
454
455         security_init_mnt_opts(opts);
456
457         if (!sbsec->initialized)
458                 return -EINVAL;
459
460         if (!ss_initialized)
461                 return -EINVAL;
462
463         /*
464          * if we ever use sbsec flags for anything other than tracking mount
465          * settings this is going to need a mask
466          */
467         tmp = sbsec->flags;
468         /* count the number of mount options for this sb */
469         for (i = 0; i < 8; i++) {
470                 if (tmp & 0x01)
471                         opts->num_mnt_opts++;
472                 tmp >>= 1;
473         }
474
475         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
476         if (!opts->mnt_opts) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
482         if (!opts->mnt_opts_flags) {
483                 rc = -ENOMEM;
484                 goto out_free;
485         }
486
487         i = 0;
488         if (sbsec->flags & FSCONTEXT_MNT) {
489                 rc = security_sid_to_context(sbsec->sid, &context, &len);
490                 if (rc)
491                         goto out_free;
492                 opts->mnt_opts[i] = context;
493                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
494         }
495         if (sbsec->flags & CONTEXT_MNT) {
496                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
497                 if (rc)
498                         goto out_free;
499                 opts->mnt_opts[i] = context;
500                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
501         }
502         if (sbsec->flags & DEFCONTEXT_MNT) {
503                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
504                 if (rc)
505                         goto out_free;
506                 opts->mnt_opts[i] = context;
507                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
508         }
509         if (sbsec->flags & ROOTCONTEXT_MNT) {
510                 struct inode *root = sbsec->sb->s_root->d_inode;
511                 struct inode_security_struct *isec = root->i_security;
512
513                 rc = security_sid_to_context(isec->sid, &context, &len);
514                 if (rc)
515                         goto out_free;
516                 opts->mnt_opts[i] = context;
517                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         /* check if the old mount command had the same options */
533         if (sbsec->initialized)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!sbsec->initialized)
542                 if (sbsec->flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         int rc = 0, i;
555         struct task_security_struct *tsec = current->security;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct dentry *root = sb->s_root;
559         struct inode *root_inode = root->d_inode;
560         struct inode_security_struct *root_isec = root_inode->i_security;
561         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
562         u32 defcontext_sid = 0;
563         char **mount_options = opts->mnt_opts;
564         int *flags = opts->mnt_opts_flags;
565         int num_opts = opts->num_mnt_opts;
566         bool can_xattr = false;
567
568         mutex_lock(&sbsec->lock);
569
570         if (!ss_initialized) {
571                 if (!num_opts) {
572                         /* Defer initialization until selinux_complete_init,
573                            after the initial policy is loaded and the security
574                            server is ready to handle calls. */
575                         spin_lock(&sb_security_lock);
576                         if (list_empty(&sbsec->list))
577                                 list_add(&sbsec->list, &superblock_security_head);
578                         spin_unlock(&sb_security_lock);
579                         goto out;
580                 }
581                 rc = -EINVAL;
582                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
583                         "before the security server is initialized\n");
584                 goto out;
585         }
586
587         /*
588          * Binary mount data FS will come through this function twice.  Once
589          * from an explicit call and once from the generic calls from the vfs.
590          * Since the generic VFS calls will not contain any security mount data
591          * we need to skip the double mount verification.
592          *
593          * This does open a hole in which we will not notice if the first
594          * mount using this sb set explict options and a second mount using
595          * this sb does not set any security options.  (The first options
596          * will be used for both mounts)
597          */
598         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
599             && (num_opts == 0))
600                 goto out;
601
602         /*
603          * parse the mount options, check if they are valid sids.
604          * also check if someone is trying to mount the same sb more
605          * than once with different security options.
606          */
607         for (i = 0; i < num_opts; i++) {
608                 u32 sid;
609                 rc = security_context_to_sid(mount_options[i],
610                                              strlen(mount_options[i]), &sid);
611                 if (rc) {
612                         printk(KERN_WARNING "SELinux: security_context_to_sid"
613                                "(%s) failed for (dev %s, type %s) errno=%d\n",
614                                mount_options[i], sb->s_id, name, rc);
615                         goto out;
616                 }
617                 switch (flags[i]) {
618                 case FSCONTEXT_MNT:
619                         fscontext_sid = sid;
620
621                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
622                                         fscontext_sid))
623                                 goto out_double_mount;
624
625                         sbsec->flags |= FSCONTEXT_MNT;
626                         break;
627                 case CONTEXT_MNT:
628                         context_sid = sid;
629
630                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
631                                         context_sid))
632                                 goto out_double_mount;
633
634                         sbsec->flags |= CONTEXT_MNT;
635                         break;
636                 case ROOTCONTEXT_MNT:
637                         rootcontext_sid = sid;
638
639                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
640                                         rootcontext_sid))
641                                 goto out_double_mount;
642
643                         sbsec->flags |= ROOTCONTEXT_MNT;
644
645                         break;
646                 case DEFCONTEXT_MNT:
647                         defcontext_sid = sid;
648
649                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
650                                         defcontext_sid))
651                                 goto out_double_mount;
652
653                         sbsec->flags |= DEFCONTEXT_MNT;
654
655                         break;
656                 default:
657                         rc = -EINVAL;
658                         goto out;
659                 }
660         }
661
662         if (sbsec->initialized) {
663                 /* previously mounted with options, but not on this attempt? */
664                 if (sbsec->flags && !num_opts)
665                         goto out_double_mount;
666                 rc = 0;
667                 goto out;
668         }
669
670         if (strcmp(name, "proc") == 0)
671                 sbsec->proc = 1;
672
673         /*
674          * test if the fs supports xattrs, fs_use might make use of this if the
675          * fs has no definition in policy.
676          */
677         if (root_inode->i_op->getxattr) {
678                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
679                 if (rc >= 0 || rc == -ENODATA)
680                         can_xattr = true;
681         }
682
683         /* Determine the labeling behavior to use for this filesystem type. */
684         rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
685         if (rc) {
686                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
687                        __func__, name, rc);
688                 goto out;
689         }
690
691         /* sets the context of the superblock for the fs being mounted. */
692         if (fscontext_sid) {
693
694                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
695                 if (rc)
696                         goto out;
697
698                 sbsec->sid = fscontext_sid;
699         }
700
701         /*
702          * Switch to using mount point labeling behavior.
703          * sets the label used on all file below the mountpoint, and will set
704          * the superblock context if not already set.
705          */
706         if (context_sid) {
707                 if (!fscontext_sid) {
708                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
709                         if (rc)
710                                 goto out;
711                         sbsec->sid = context_sid;
712                 } else {
713                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
714                         if (rc)
715                                 goto out;
716                 }
717                 if (!rootcontext_sid)
718                         rootcontext_sid = context_sid;
719
720                 sbsec->mntpoint_sid = context_sid;
721                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
722         }
723
724         if (rootcontext_sid) {
725                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
726                 if (rc)
727                         goto out;
728
729                 root_isec->sid = rootcontext_sid;
730                 root_isec->initialized = 1;
731         }
732
733         if (defcontext_sid) {
734                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
735                         rc = -EINVAL;
736                         printk(KERN_WARNING "SELinux: defcontext option is "
737                                "invalid for this filesystem type\n");
738                         goto out;
739                 }
740
741                 if (defcontext_sid != sbsec->def_sid) {
742                         rc = may_context_mount_inode_relabel(defcontext_sid,
743                                                              sbsec, tsec);
744                         if (rc)
745                                 goto out;
746                 }
747
748                 sbsec->def_sid = defcontext_sid;
749         }
750
751         rc = sb_finish_set_opts(sb);
752 out:
753         mutex_unlock(&sbsec->lock);
754         return rc;
755 out_double_mount:
756         rc = -EINVAL;
757         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
758                "security settings for (dev %s, type %s)\n", sb->s_id, name);
759         goto out;
760 }
761
762 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
763                                         struct super_block *newsb)
764 {
765         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
766         struct superblock_security_struct *newsbsec = newsb->s_security;
767
768         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
769         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
770         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
771
772         /*
773          * if the parent was able to be mounted it clearly had no special lsm
774          * mount options.  thus we can safely put this sb on the list and deal
775          * with it later
776          */
777         if (!ss_initialized) {
778                 spin_lock(&sb_security_lock);
779                 if (list_empty(&newsbsec->list))
780                         list_add(&newsbsec->list, &superblock_security_head);
781                 spin_unlock(&sb_security_lock);
782                 return;
783         }
784
785         /* how can we clone if the old one wasn't set up?? */
786         BUG_ON(!oldsbsec->initialized);
787
788         /* if fs is reusing a sb, just let its options stand... */
789         if (newsbsec->initialized)
790                 return;
791
792         mutex_lock(&newsbsec->lock);
793
794         newsbsec->flags = oldsbsec->flags;
795
796         newsbsec->sid = oldsbsec->sid;
797         newsbsec->def_sid = oldsbsec->def_sid;
798         newsbsec->behavior = oldsbsec->behavior;
799
800         if (set_context) {
801                 u32 sid = oldsbsec->mntpoint_sid;
802
803                 if (!set_fscontext)
804                         newsbsec->sid = sid;
805                 if (!set_rootcontext) {
806                         struct inode *newinode = newsb->s_root->d_inode;
807                         struct inode_security_struct *newisec = newinode->i_security;
808                         newisec->sid = sid;
809                 }
810                 newsbsec->mntpoint_sid = sid;
811         }
812         if (set_rootcontext) {
813                 const struct inode *oldinode = oldsb->s_root->d_inode;
814                 const struct inode_security_struct *oldisec = oldinode->i_security;
815                 struct inode *newinode = newsb->s_root->d_inode;
816                 struct inode_security_struct *newisec = newinode->i_security;
817
818                 newisec->sid = oldisec->sid;
819         }
820
821         sb_finish_set_opts(newsb);
822         mutex_unlock(&newsbsec->lock);
823 }
824
825 static int selinux_parse_opts_str(char *options,
826                                   struct security_mnt_opts *opts)
827 {
828         char *p;
829         char *context = NULL, *defcontext = NULL;
830         char *fscontext = NULL, *rootcontext = NULL;
831         int rc, num_mnt_opts = 0;
832
833         opts->num_mnt_opts = 0;
834
835         /* Standard string-based options. */
836         while ((p = strsep(&options, "|")) != NULL) {
837                 int token;
838                 substring_t args[MAX_OPT_ARGS];
839
840                 if (!*p)
841                         continue;
842
843                 token = match_token(p, tokens, args);
844
845                 switch (token) {
846                 case Opt_context:
847                         if (context || defcontext) {
848                                 rc = -EINVAL;
849                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850                                 goto out_err;
851                         }
852                         context = match_strdup(&args[0]);
853                         if (!context) {
854                                 rc = -ENOMEM;
855                                 goto out_err;
856                         }
857                         break;
858
859                 case Opt_fscontext:
860                         if (fscontext) {
861                                 rc = -EINVAL;
862                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863                                 goto out_err;
864                         }
865                         fscontext = match_strdup(&args[0]);
866                         if (!fscontext) {
867                                 rc = -ENOMEM;
868                                 goto out_err;
869                         }
870                         break;
871
872                 case Opt_rootcontext:
873                         if (rootcontext) {
874                                 rc = -EINVAL;
875                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876                                 goto out_err;
877                         }
878                         rootcontext = match_strdup(&args[0]);
879                         if (!rootcontext) {
880                                 rc = -ENOMEM;
881                                 goto out_err;
882                         }
883                         break;
884
885                 case Opt_defcontext:
886                         if (context || defcontext) {
887                                 rc = -EINVAL;
888                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889                                 goto out_err;
890                         }
891                         defcontext = match_strdup(&args[0]);
892                         if (!defcontext) {
893                                 rc = -ENOMEM;
894                                 goto out_err;
895                         }
896                         break;
897
898                 default:
899                         rc = -EINVAL;
900                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
901                         goto out_err;
902
903                 }
904         }
905
906         rc = -ENOMEM;
907         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
908         if (!opts->mnt_opts)
909                 goto out_err;
910
911         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
912         if (!opts->mnt_opts_flags) {
913                 kfree(opts->mnt_opts);
914                 goto out_err;
915         }
916
917         if (fscontext) {
918                 opts->mnt_opts[num_mnt_opts] = fscontext;
919                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
920         }
921         if (context) {
922                 opts->mnt_opts[num_mnt_opts] = context;
923                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
924         }
925         if (rootcontext) {
926                 opts->mnt_opts[num_mnt_opts] = rootcontext;
927                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
928         }
929         if (defcontext) {
930                 opts->mnt_opts[num_mnt_opts] = defcontext;
931                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
932         }
933
934         opts->num_mnt_opts = num_mnt_opts;
935         return 0;
936
937 out_err:
938         kfree(context);
939         kfree(defcontext);
940         kfree(fscontext);
941         kfree(rootcontext);
942         return rc;
943 }
944 /*
945  * string mount options parsing and call set the sbsec
946  */
947 static int superblock_doinit(struct super_block *sb, void *data)
948 {
949         int rc = 0;
950         char *options = data;
951         struct security_mnt_opts opts;
952
953         security_init_mnt_opts(&opts);
954
955         if (!data)
956                 goto out;
957
958         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
959
960         rc = selinux_parse_opts_str(options, &opts);
961         if (rc)
962                 goto out_err;
963
964 out:
965         rc = selinux_set_mnt_opts(sb, &opts);
966
967 out_err:
968         security_free_mnt_opts(&opts);
969         return rc;
970 }
971
972 void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
973 {
974         int i;
975         char *prefix;
976
977         for (i = 0; i < opts->num_mnt_opts; i++) {
978                 char *has_comma = strchr(opts->mnt_opts[i], ',');
979
980                 switch (opts->mnt_opts_flags[i]) {
981                 case CONTEXT_MNT:
982                         prefix = CONTEXT_STR;
983                         break;
984                 case FSCONTEXT_MNT:
985                         prefix = FSCONTEXT_STR;
986                         break;
987                 case ROOTCONTEXT_MNT:
988                         prefix = ROOTCONTEXT_STR;
989                         break;
990                 case DEFCONTEXT_MNT:
991                         prefix = DEFCONTEXT_STR;
992                         break;
993                 default:
994                         BUG();
995                 };
996                 /* we need a comma before each option */
997                 seq_putc(m, ',');
998                 seq_puts(m, prefix);
999                 if (has_comma)
1000                         seq_putc(m, '\"');
1001                 seq_puts(m, opts->mnt_opts[i]);
1002                 if (has_comma)
1003                         seq_putc(m, '\"');
1004         }
1005 }
1006
1007 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1008 {
1009         struct security_mnt_opts opts;
1010         int rc;
1011
1012         rc = selinux_get_mnt_opts(sb, &opts);
1013         if (rc)
1014                 return rc;
1015
1016         selinux_write_opts(m, &opts);
1017
1018         security_free_mnt_opts(&opts);
1019
1020         return rc;
1021 }
1022
1023 static inline u16 inode_mode_to_security_class(umode_t mode)
1024 {
1025         switch (mode & S_IFMT) {
1026         case S_IFSOCK:
1027                 return SECCLASS_SOCK_FILE;
1028         case S_IFLNK:
1029                 return SECCLASS_LNK_FILE;
1030         case S_IFREG:
1031                 return SECCLASS_FILE;
1032         case S_IFBLK:
1033                 return SECCLASS_BLK_FILE;
1034         case S_IFDIR:
1035                 return SECCLASS_DIR;
1036         case S_IFCHR:
1037                 return SECCLASS_CHR_FILE;
1038         case S_IFIFO:
1039                 return SECCLASS_FIFO_FILE;
1040
1041         }
1042
1043         return SECCLASS_FILE;
1044 }
1045
1046 static inline int default_protocol_stream(int protocol)
1047 {
1048         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1049 }
1050
1051 static inline int default_protocol_dgram(int protocol)
1052 {
1053         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1054 }
1055
1056 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1057 {
1058         switch (family) {
1059         case PF_UNIX:
1060                 switch (type) {
1061                 case SOCK_STREAM:
1062                 case SOCK_SEQPACKET:
1063                         return SECCLASS_UNIX_STREAM_SOCKET;
1064                 case SOCK_DGRAM:
1065                         return SECCLASS_UNIX_DGRAM_SOCKET;
1066                 }
1067                 break;
1068         case PF_INET:
1069         case PF_INET6:
1070                 switch (type) {
1071                 case SOCK_STREAM:
1072                         if (default_protocol_stream(protocol))
1073                                 return SECCLASS_TCP_SOCKET;
1074                         else
1075                                 return SECCLASS_RAWIP_SOCKET;
1076                 case SOCK_DGRAM:
1077                         if (default_protocol_dgram(protocol))
1078                                 return SECCLASS_UDP_SOCKET;
1079                         else
1080                                 return SECCLASS_RAWIP_SOCKET;
1081                 case SOCK_DCCP:
1082                         return SECCLASS_DCCP_SOCKET;
1083                 default:
1084                         return SECCLASS_RAWIP_SOCKET;
1085                 }
1086                 break;
1087         case PF_NETLINK:
1088                 switch (protocol) {
1089                 case NETLINK_ROUTE:
1090                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1091                 case NETLINK_FIREWALL:
1092                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1093                 case NETLINK_INET_DIAG:
1094                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1095                 case NETLINK_NFLOG:
1096                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1097                 case NETLINK_XFRM:
1098                         return SECCLASS_NETLINK_XFRM_SOCKET;
1099                 case NETLINK_SELINUX:
1100                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1101                 case NETLINK_AUDIT:
1102                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1103                 case NETLINK_IP6_FW:
1104                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1105                 case NETLINK_DNRTMSG:
1106                         return SECCLASS_NETLINK_DNRT_SOCKET;
1107                 case NETLINK_KOBJECT_UEVENT:
1108                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1109                 default:
1110                         return SECCLASS_NETLINK_SOCKET;
1111                 }
1112         case PF_PACKET:
1113                 return SECCLASS_PACKET_SOCKET;
1114         case PF_KEY:
1115                 return SECCLASS_KEY_SOCKET;
1116         case PF_APPLETALK:
1117                 return SECCLASS_APPLETALK_SOCKET;
1118         }
1119
1120         return SECCLASS_SOCKET;
1121 }
1122
1123 #ifdef CONFIG_PROC_FS
1124 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1125                                 u16 tclass,
1126                                 u32 *sid)
1127 {
1128         int buflen, rc;
1129         char *buffer, *path, *end;
1130
1131         buffer = (char *)__get_free_page(GFP_KERNEL);
1132         if (!buffer)
1133                 return -ENOMEM;
1134
1135         buflen = PAGE_SIZE;
1136         end = buffer+buflen;
1137         *--end = '\0';
1138         buflen--;
1139         path = end-1;
1140         *path = '/';
1141         while (de && de != de->parent) {
1142                 buflen -= de->namelen + 1;
1143                 if (buflen < 0)
1144                         break;
1145                 end -= de->namelen;
1146                 memcpy(end, de->name, de->namelen);
1147                 *--end = '/';
1148                 path = end;
1149                 de = de->parent;
1150         }
1151         rc = security_genfs_sid("proc", path, tclass, sid);
1152         free_page((unsigned long)buffer);
1153         return rc;
1154 }
1155 #else
1156 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1157                                 u16 tclass,
1158                                 u32 *sid)
1159 {
1160         return -EINVAL;
1161 }
1162 #endif
1163
1164 /* The inode's security attributes must be initialized before first use. */
1165 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1166 {
1167         struct superblock_security_struct *sbsec = NULL;
1168         struct inode_security_struct *isec = inode->i_security;
1169         u32 sid;
1170         struct dentry *dentry;
1171 #define INITCONTEXTLEN 255
1172         char *context = NULL;
1173         unsigned len = 0;
1174         int rc = 0;
1175
1176         if (isec->initialized)
1177                 goto out;
1178
1179         mutex_lock(&isec->lock);
1180         if (isec->initialized)
1181                 goto out_unlock;
1182
1183         sbsec = inode->i_sb->s_security;
1184         if (!sbsec->initialized) {
1185                 /* Defer initialization until selinux_complete_init,
1186                    after the initial policy is loaded and the security
1187                    server is ready to handle calls. */
1188                 spin_lock(&sbsec->isec_lock);
1189                 if (list_empty(&isec->list))
1190                         list_add(&isec->list, &sbsec->isec_head);
1191                 spin_unlock(&sbsec->isec_lock);
1192                 goto out_unlock;
1193         }
1194
1195         switch (sbsec->behavior) {
1196         case SECURITY_FS_USE_XATTR:
1197                 if (!inode->i_op->getxattr) {
1198                         isec->sid = sbsec->def_sid;
1199                         break;
1200                 }
1201
1202                 /* Need a dentry, since the xattr API requires one.
1203                    Life would be simpler if we could just pass the inode. */
1204                 if (opt_dentry) {
1205                         /* Called from d_instantiate or d_splice_alias. */
1206                         dentry = dget(opt_dentry);
1207                 } else {
1208                         /* Called from selinux_complete_init, try to find a dentry. */
1209                         dentry = d_find_alias(inode);
1210                 }
1211                 if (!dentry) {
1212                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1213                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1214                                inode->i_ino);
1215                         goto out_unlock;
1216                 }
1217
1218                 len = INITCONTEXTLEN;
1219                 context = kmalloc(len, GFP_NOFS);
1220                 if (!context) {
1221                         rc = -ENOMEM;
1222                         dput(dentry);
1223                         goto out_unlock;
1224                 }
1225                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1226                                            context, len);
1227                 if (rc == -ERANGE) {
1228                         /* Need a larger buffer.  Query for the right size. */
1229                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1230                                                    NULL, 0);
1231                         if (rc < 0) {
1232                                 dput(dentry);
1233                                 goto out_unlock;
1234                         }
1235                         kfree(context);
1236                         len = rc;
1237                         context = kmalloc(len, GFP_NOFS);
1238                         if (!context) {
1239                                 rc = -ENOMEM;
1240                                 dput(dentry);
1241                                 goto out_unlock;
1242                         }
1243                         rc = inode->i_op->getxattr(dentry,
1244                                                    XATTR_NAME_SELINUX,
1245                                                    context, len);
1246                 }
1247                 dput(dentry);
1248                 if (rc < 0) {
1249                         if (rc != -ENODATA) {
1250                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1251                                        "%d for dev=%s ino=%ld\n", __func__,
1252                                        -rc, inode->i_sb->s_id, inode->i_ino);
1253                                 kfree(context);
1254                                 goto out_unlock;
1255                         }
1256                         /* Map ENODATA to the default file SID */
1257                         sid = sbsec->def_sid;
1258                         rc = 0;
1259                 } else {
1260                         rc = security_context_to_sid_default(context, rc, &sid,
1261                                                              sbsec->def_sid,
1262                                                              GFP_NOFS);
1263                         if (rc) {
1264                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1265                                        "returned %d for dev=%s ino=%ld\n",
1266                                        __func__, context, -rc,
1267                                        inode->i_sb->s_id, inode->i_ino);
1268                                 kfree(context);
1269                                 /* Leave with the unlabeled SID */
1270                                 rc = 0;
1271                                 break;
1272                         }
1273                 }
1274                 kfree(context);
1275                 isec->sid = sid;
1276                 break;
1277         case SECURITY_FS_USE_TASK:
1278                 isec->sid = isec->task_sid;
1279                 break;
1280         case SECURITY_FS_USE_TRANS:
1281                 /* Default to the fs SID. */
1282                 isec->sid = sbsec->sid;
1283
1284                 /* Try to obtain a transition SID. */
1285                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1286                 rc = security_transition_sid(isec->task_sid,
1287                                              sbsec->sid,
1288                                              isec->sclass,
1289                                              &sid);
1290                 if (rc)
1291                         goto out_unlock;
1292                 isec->sid = sid;
1293                 break;
1294         case SECURITY_FS_USE_MNTPOINT:
1295                 isec->sid = sbsec->mntpoint_sid;
1296                 break;
1297         default:
1298                 /* Default to the fs superblock SID. */
1299                 isec->sid = sbsec->sid;
1300
1301                 if (sbsec->proc) {
1302                         struct proc_inode *proci = PROC_I(inode);
1303                         if (proci->pde) {
1304                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1305                                 rc = selinux_proc_get_sid(proci->pde,
1306                                                           isec->sclass,
1307                                                           &sid);
1308                                 if (rc)
1309                                         goto out_unlock;
1310                                 isec->sid = sid;
1311                         }
1312                 }
1313                 break;
1314         }
1315
1316         isec->initialized = 1;
1317
1318 out_unlock:
1319         mutex_unlock(&isec->lock);
1320 out:
1321         if (isec->sclass == SECCLASS_FILE)
1322                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1323         return rc;
1324 }
1325
1326 /* Convert a Linux signal to an access vector. */
1327 static inline u32 signal_to_av(int sig)
1328 {
1329         u32 perm = 0;
1330
1331         switch (sig) {
1332         case SIGCHLD:
1333                 /* Commonly granted from child to parent. */
1334                 perm = PROCESS__SIGCHLD;
1335                 break;
1336         case SIGKILL:
1337                 /* Cannot be caught or ignored */
1338                 perm = PROCESS__SIGKILL;
1339                 break;
1340         case SIGSTOP:
1341                 /* Cannot be caught or ignored */
1342                 perm = PROCESS__SIGSTOP;
1343                 break;
1344         default:
1345                 /* All other signals. */
1346                 perm = PROCESS__SIGNAL;
1347                 break;
1348         }
1349
1350         return perm;
1351 }
1352
1353 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1354    fork check, ptrace check, etc. */
1355 static int task_has_perm(struct task_struct *tsk1,
1356                          struct task_struct *tsk2,
1357                          u32 perms)
1358 {
1359         struct task_security_struct *tsec1, *tsec2;
1360
1361         tsec1 = tsk1->security;
1362         tsec2 = tsk2->security;
1363         return avc_has_perm(tsec1->sid, tsec2->sid,
1364                             SECCLASS_PROCESS, perms, NULL);
1365 }
1366
1367 #if CAP_LAST_CAP > 63
1368 #error Fix SELinux to handle capabilities > 63.
1369 #endif
1370
1371 /* Check whether a task is allowed to use a capability. */
1372 static int task_has_capability(struct task_struct *tsk,
1373                                int cap)
1374 {
1375         struct task_security_struct *tsec;
1376         struct avc_audit_data ad;
1377         u16 sclass;
1378         u32 av = CAP_TO_MASK(cap);
1379
1380         tsec = tsk->security;
1381
1382         AVC_AUDIT_DATA_INIT(&ad, CAP);
1383         ad.tsk = tsk;
1384         ad.u.cap = cap;
1385
1386         switch (CAP_TO_INDEX(cap)) {
1387         case 0:
1388                 sclass = SECCLASS_CAPABILITY;
1389                 break;
1390         case 1:
1391                 sclass = SECCLASS_CAPABILITY2;
1392                 break;
1393         default:
1394                 printk(KERN_ERR
1395                        "SELinux:  out of range capability %d\n", cap);
1396                 BUG();
1397         }
1398         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1399 }
1400
1401 /* Check whether a task is allowed to use a system operation. */
1402 static int task_has_system(struct task_struct *tsk,
1403                            u32 perms)
1404 {
1405         struct task_security_struct *tsec;
1406
1407         tsec = tsk->security;
1408
1409         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1410                             SECCLASS_SYSTEM, perms, NULL);
1411 }
1412
1413 /* Check whether a task has a particular permission to an inode.
1414    The 'adp' parameter is optional and allows other audit
1415    data to be passed (e.g. the dentry). */
1416 static int inode_has_perm(struct task_struct *tsk,
1417                           struct inode *inode,
1418                           u32 perms,
1419                           struct avc_audit_data *adp)
1420 {
1421         struct task_security_struct *tsec;
1422         struct inode_security_struct *isec;
1423         struct avc_audit_data ad;
1424
1425         if (unlikely(IS_PRIVATE(inode)))
1426                 return 0;
1427
1428         tsec = tsk->security;
1429         isec = inode->i_security;
1430
1431         if (!adp) {
1432                 adp = &ad;
1433                 AVC_AUDIT_DATA_INIT(&ad, FS);
1434                 ad.u.fs.inode = inode;
1435         }
1436
1437         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1438 }
1439
1440 /* Same as inode_has_perm, but pass explicit audit data containing
1441    the dentry to help the auditing code to more easily generate the
1442    pathname if needed. */
1443 static inline int dentry_has_perm(struct task_struct *tsk,
1444                                   struct vfsmount *mnt,
1445                                   struct dentry *dentry,
1446                                   u32 av)
1447 {
1448         struct inode *inode = dentry->d_inode;
1449         struct avc_audit_data ad;
1450         AVC_AUDIT_DATA_INIT(&ad, FS);
1451         ad.u.fs.path.mnt = mnt;
1452         ad.u.fs.path.dentry = dentry;
1453         return inode_has_perm(tsk, inode, av, &ad);
1454 }
1455
1456 /* Check whether a task can use an open file descriptor to
1457    access an inode in a given way.  Check access to the
1458    descriptor itself, and then use dentry_has_perm to
1459    check a particular permission to the file.
1460    Access to the descriptor is implicitly granted if it
1461    has the same SID as the process.  If av is zero, then
1462    access to the file is not checked, e.g. for cases
1463    where only the descriptor is affected like seek. */
1464 static int file_has_perm(struct task_struct *tsk,
1465                                 struct file *file,
1466                                 u32 av)
1467 {
1468         struct task_security_struct *tsec = tsk->security;
1469         struct file_security_struct *fsec = file->f_security;
1470         struct inode *inode = file->f_path.dentry->d_inode;
1471         struct avc_audit_data ad;
1472         int rc;
1473
1474         AVC_AUDIT_DATA_INIT(&ad, FS);
1475         ad.u.fs.path = file->f_path;
1476
1477         if (tsec->sid != fsec->sid) {
1478                 rc = avc_has_perm(tsec->sid, fsec->sid,
1479                                   SECCLASS_FD,
1480                                   FD__USE,
1481                                   &ad);
1482                 if (rc)
1483                         return rc;
1484         }
1485
1486         /* av is zero if only checking access to the descriptor. */
1487         if (av)
1488                 return inode_has_perm(tsk, inode, av, &ad);
1489
1490         return 0;
1491 }
1492
1493 /* Check whether a task can create a file. */
1494 static int may_create(struct inode *dir,
1495                       struct dentry *dentry,
1496                       u16 tclass)
1497 {
1498         struct task_security_struct *tsec;
1499         struct inode_security_struct *dsec;
1500         struct superblock_security_struct *sbsec;
1501         u32 newsid;
1502         struct avc_audit_data ad;
1503         int rc;
1504
1505         tsec = current->security;
1506         dsec = dir->i_security;
1507         sbsec = dir->i_sb->s_security;
1508
1509         AVC_AUDIT_DATA_INIT(&ad, FS);
1510         ad.u.fs.path.dentry = dentry;
1511
1512         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1513                           DIR__ADD_NAME | DIR__SEARCH,
1514                           &ad);
1515         if (rc)
1516                 return rc;
1517
1518         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1519                 newsid = tsec->create_sid;
1520         } else {
1521                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1522                                              &newsid);
1523                 if (rc)
1524                         return rc;
1525         }
1526
1527         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1528         if (rc)
1529                 return rc;
1530
1531         return avc_has_perm(newsid, sbsec->sid,
1532                             SECCLASS_FILESYSTEM,
1533                             FILESYSTEM__ASSOCIATE, &ad);
1534 }
1535
1536 /* Check whether a task can create a key. */
1537 static int may_create_key(u32 ksid,
1538                           struct task_struct *ctx)
1539 {
1540         struct task_security_struct *tsec;
1541
1542         tsec = ctx->security;
1543
1544         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1545 }
1546
1547 #define MAY_LINK        0
1548 #define MAY_UNLINK      1
1549 #define MAY_RMDIR       2
1550
1551 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1552 static int may_link(struct inode *dir,
1553                     struct dentry *dentry,
1554                     int kind)
1555
1556 {
1557         struct task_security_struct *tsec;
1558         struct inode_security_struct *dsec, *isec;
1559         struct avc_audit_data ad;
1560         u32 av;
1561         int rc;
1562
1563         tsec = current->security;
1564         dsec = dir->i_security;
1565         isec = dentry->d_inode->i_security;
1566
1567         AVC_AUDIT_DATA_INIT(&ad, FS);
1568         ad.u.fs.path.dentry = dentry;
1569
1570         av = DIR__SEARCH;
1571         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1572         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1573         if (rc)
1574                 return rc;
1575
1576         switch (kind) {
1577         case MAY_LINK:
1578                 av = FILE__LINK;
1579                 break;
1580         case MAY_UNLINK:
1581                 av = FILE__UNLINK;
1582                 break;
1583         case MAY_RMDIR:
1584                 av = DIR__RMDIR;
1585                 break;
1586         default:
1587                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1588                         __func__, kind);
1589                 return 0;
1590         }
1591
1592         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1593         return rc;
1594 }
1595
1596 static inline int may_rename(struct inode *old_dir,
1597                              struct dentry *old_dentry,
1598                              struct inode *new_dir,
1599                              struct dentry *new_dentry)
1600 {
1601         struct task_security_struct *tsec;
1602         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1603         struct avc_audit_data ad;
1604         u32 av;
1605         int old_is_dir, new_is_dir;
1606         int rc;
1607
1608         tsec = current->security;
1609         old_dsec = old_dir->i_security;
1610         old_isec = old_dentry->d_inode->i_security;
1611         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1612         new_dsec = new_dir->i_security;
1613
1614         AVC_AUDIT_DATA_INIT(&ad, FS);
1615
1616         ad.u.fs.path.dentry = old_dentry;
1617         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1618                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1619         if (rc)
1620                 return rc;
1621         rc = avc_has_perm(tsec->sid, old_isec->sid,
1622                           old_isec->sclass, FILE__RENAME, &ad);
1623         if (rc)
1624                 return rc;
1625         if (old_is_dir && new_dir != old_dir) {
1626                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1627                                   old_isec->sclass, DIR__REPARENT, &ad);
1628                 if (rc)
1629                         return rc;
1630         }
1631
1632         ad.u.fs.path.dentry = new_dentry;
1633         av = DIR__ADD_NAME | DIR__SEARCH;
1634         if (new_dentry->d_inode)
1635                 av |= DIR__REMOVE_NAME;
1636         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1637         if (rc)
1638                 return rc;
1639         if (new_dentry->d_inode) {
1640                 new_isec = new_dentry->d_inode->i_security;
1641                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1642                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1643                                   new_isec->sclass,
1644                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1645                 if (rc)
1646                         return rc;
1647         }
1648
1649         return 0;
1650 }
1651
1652 /* Check whether a task can perform a filesystem operation. */
1653 static int superblock_has_perm(struct task_struct *tsk,
1654                                struct super_block *sb,
1655                                u32 perms,
1656                                struct avc_audit_data *ad)
1657 {
1658         struct task_security_struct *tsec;
1659         struct superblock_security_struct *sbsec;
1660
1661         tsec = tsk->security;
1662         sbsec = sb->s_security;
1663         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1664                             perms, ad);
1665 }
1666
1667 /* Convert a Linux mode and permission mask to an access vector. */
1668 static inline u32 file_mask_to_av(int mode, int mask)
1669 {
1670         u32 av = 0;
1671
1672         if ((mode & S_IFMT) != S_IFDIR) {
1673                 if (mask & MAY_EXEC)
1674                         av |= FILE__EXECUTE;
1675                 if (mask & MAY_READ)
1676                         av |= FILE__READ;
1677
1678                 if (mask & MAY_APPEND)
1679                         av |= FILE__APPEND;
1680                 else if (mask & MAY_WRITE)
1681                         av |= FILE__WRITE;
1682
1683         } else {
1684                 if (mask & MAY_EXEC)
1685                         av |= DIR__SEARCH;
1686                 if (mask & MAY_WRITE)
1687                         av |= DIR__WRITE;
1688                 if (mask & MAY_READ)
1689                         av |= DIR__READ;
1690         }
1691
1692         return av;
1693 }
1694
1695 /*
1696  * Convert a file mask to an access vector and include the correct open
1697  * open permission.
1698  */
1699 static inline u32 open_file_mask_to_av(int mode, int mask)
1700 {
1701         u32 av = file_mask_to_av(mode, mask);
1702
1703         if (selinux_policycap_openperm) {
1704                 /*
1705                  * lnk files and socks do not really have an 'open'
1706                  */
1707                 if (S_ISREG(mode))
1708                         av |= FILE__OPEN;
1709                 else if (S_ISCHR(mode))
1710                         av |= CHR_FILE__OPEN;
1711                 else if (S_ISBLK(mode))
1712                         av |= BLK_FILE__OPEN;
1713                 else if (S_ISFIFO(mode))
1714                         av |= FIFO_FILE__OPEN;
1715                 else if (S_ISDIR(mode))
1716                         av |= DIR__OPEN;
1717                 else
1718                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1719                                 "unknown mode:%x\n", __func__, mode);
1720         }
1721         return av;
1722 }
1723
1724 /* Convert a Linux file to an access vector. */
1725 static inline u32 file_to_av(struct file *file)
1726 {
1727         u32 av = 0;
1728
1729         if (file->f_mode & FMODE_READ)
1730                 av |= FILE__READ;
1731         if (file->f_mode & FMODE_WRITE) {
1732                 if (file->f_flags & O_APPEND)
1733                         av |= FILE__APPEND;
1734                 else
1735                         av |= FILE__WRITE;
1736         }
1737         if (!av) {
1738                 /*
1739                  * Special file opened with flags 3 for ioctl-only use.
1740                  */
1741                 av = FILE__IOCTL;
1742         }
1743
1744         return av;
1745 }
1746
1747 /* Hook functions begin here. */
1748
1749 static int selinux_ptrace(struct task_struct *parent,
1750                           struct task_struct *child,
1751                           unsigned int mode)
1752 {
1753         int rc;
1754
1755         rc = secondary_ops->ptrace(parent, child, mode);
1756         if (rc)
1757                 return rc;
1758
1759         if (mode == PTRACE_MODE_READ) {
1760                 struct task_security_struct *tsec = parent->security;
1761                 struct task_security_struct *csec = child->security;
1762                 return avc_has_perm(tsec->sid, csec->sid,
1763                                     SECCLASS_FILE, FILE__READ, NULL);
1764         }
1765
1766         return task_has_perm(parent, child, PROCESS__PTRACE);
1767 }
1768
1769 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1770                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1771 {
1772         int error;
1773
1774         error = task_has_perm(current, target, PROCESS__GETCAP);
1775         if (error)
1776                 return error;
1777
1778         return secondary_ops->capget(target, effective, inheritable, permitted);
1779 }
1780
1781 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1782                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1783 {
1784         int error;
1785
1786         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1787         if (error)
1788                 return error;
1789
1790         return task_has_perm(current, target, PROCESS__SETCAP);
1791 }
1792
1793 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1794                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1795 {
1796         secondary_ops->capset_set(target, effective, inheritable, permitted);
1797 }
1798
1799 static int selinux_capable(struct task_struct *tsk, int cap)
1800 {
1801         int rc;
1802
1803         rc = secondary_ops->capable(tsk, cap);
1804         if (rc)
1805                 return rc;
1806
1807         return task_has_capability(tsk, cap);
1808 }
1809
1810 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1811 {
1812         int buflen, rc;
1813         char *buffer, *path, *end;
1814
1815         rc = -ENOMEM;
1816         buffer = (char *)__get_free_page(GFP_KERNEL);
1817         if (!buffer)
1818                 goto out;
1819
1820         buflen = PAGE_SIZE;
1821         end = buffer+buflen;
1822         *--end = '\0';
1823         buflen--;
1824         path = end-1;
1825         *path = '/';
1826         while (table) {
1827                 const char *name = table->procname;
1828                 size_t namelen = strlen(name);
1829                 buflen -= namelen + 1;
1830                 if (buflen < 0)
1831                         goto out_free;
1832                 end -= namelen;
1833                 memcpy(end, name, namelen);
1834                 *--end = '/';
1835                 path = end;
1836                 table = table->parent;
1837         }
1838         buflen -= 4;
1839         if (buflen < 0)
1840                 goto out_free;
1841         end -= 4;
1842         memcpy(end, "/sys", 4);
1843         path = end;
1844         rc = security_genfs_sid("proc", path, tclass, sid);
1845 out_free:
1846         free_page((unsigned long)buffer);
1847 out:
1848         return rc;
1849 }
1850
1851 static int selinux_sysctl(ctl_table *table, int op)
1852 {
1853         int error = 0;
1854         u32 av;
1855         struct task_security_struct *tsec;
1856         u32 tsid;
1857         int rc;
1858
1859         rc = secondary_ops->sysctl(table, op);
1860         if (rc)
1861                 return rc;
1862
1863         tsec = current->security;
1864
1865         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1866                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1867         if (rc) {
1868                 /* Default to the well-defined sysctl SID. */
1869                 tsid = SECINITSID_SYSCTL;
1870         }
1871
1872         /* The op values are "defined" in sysctl.c, thereby creating
1873          * a bad coupling between this module and sysctl.c */
1874         if (op == 001) {
1875                 error = avc_has_perm(tsec->sid, tsid,
1876                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1877         } else {
1878                 av = 0;
1879                 if (op & 004)
1880                         av |= FILE__READ;
1881                 if (op & 002)
1882                         av |= FILE__WRITE;
1883                 if (av)
1884                         error = avc_has_perm(tsec->sid, tsid,
1885                                              SECCLASS_FILE, av, NULL);
1886         }
1887
1888         return error;
1889 }
1890
1891 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1892 {
1893         int rc = 0;
1894
1895         if (!sb)
1896                 return 0;
1897
1898         switch (cmds) {
1899         case Q_SYNC:
1900         case Q_QUOTAON:
1901         case Q_QUOTAOFF:
1902         case Q_SETINFO:
1903         case Q_SETQUOTA:
1904                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1905                                          NULL);
1906                 break;
1907         case Q_GETFMT:
1908         case Q_GETINFO:
1909         case Q_GETQUOTA:
1910                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1911                                          NULL);
1912                 break;
1913         default:
1914                 rc = 0;  /* let the kernel handle invalid cmds */
1915                 break;
1916         }
1917         return rc;
1918 }
1919
1920 static int selinux_quota_on(struct dentry *dentry)
1921 {
1922         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1923 }
1924
1925 static int selinux_syslog(int type)
1926 {
1927         int rc;
1928
1929         rc = secondary_ops->syslog(type);
1930         if (rc)
1931                 return rc;
1932
1933         switch (type) {
1934         case 3:         /* Read last kernel messages */
1935         case 10:        /* Return size of the log buffer */
1936                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1937                 break;
1938         case 6:         /* Disable logging to console */
1939         case 7:         /* Enable logging to console */
1940         case 8:         /* Set level of messages printed to console */
1941                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1942                 break;
1943         case 0:         /* Close log */
1944         case 1:         /* Open log */
1945         case 2:         /* Read from log */
1946         case 4:         /* Read/clear last kernel messages */
1947         case 5:         /* Clear ring buffer */
1948         default:
1949                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1950                 break;
1951         }
1952         return rc;
1953 }
1954
1955 /*
1956  * Check that a process has enough memory to allocate a new virtual
1957  * mapping. 0 means there is enough memory for the allocation to
1958  * succeed and -ENOMEM implies there is not.
1959  *
1960  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1961  * if the capability is granted, but __vm_enough_memory requires 1 if
1962  * the capability is granted.
1963  *
1964  * Do not audit the selinux permission check, as this is applied to all
1965  * processes that allocate mappings.
1966  */
1967 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1968 {
1969         int rc, cap_sys_admin = 0;
1970         struct task_security_struct *tsec = current->security;
1971
1972         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1973         if (rc == 0)
1974                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1975                                           SECCLASS_CAPABILITY,
1976                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1977                                           0,
1978                                           NULL);
1979
1980         if (rc == 0)
1981                 cap_sys_admin = 1;
1982
1983         return __vm_enough_memory(mm, pages, cap_sys_admin);
1984 }
1985
1986 /**
1987  * task_tracer_task - return the task that is tracing the given task
1988  * @task:               task to consider
1989  *
1990  * Returns NULL if noone is tracing @task, or the &struct task_struct
1991  * pointer to its tracer.
1992  *
1993  * Must be called under rcu_read_lock().
1994  */
1995 static struct task_struct *task_tracer_task(struct task_struct *task)
1996 {
1997         if (task->ptrace & PT_PTRACED)
1998                 return rcu_dereference(task->parent);
1999         return NULL;
2000 }
2001
2002 /* binprm security operations */
2003
2004 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2005 {
2006         struct bprm_security_struct *bsec;
2007
2008         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
2009         if (!bsec)
2010                 return -ENOMEM;
2011
2012         bsec->sid = SECINITSID_UNLABELED;
2013         bsec->set = 0;
2014
2015         bprm->security = bsec;
2016         return 0;
2017 }
2018
2019 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2020 {
2021         struct task_security_struct *tsec;
2022         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2023         struct inode_security_struct *isec;
2024         struct bprm_security_struct *bsec;
2025         u32 newsid;
2026         struct avc_audit_data ad;
2027         int rc;
2028
2029         rc = secondary_ops->bprm_set_security(bprm);
2030         if (rc)
2031                 return rc;
2032
2033         bsec = bprm->security;
2034
2035         if (bsec->set)
2036                 return 0;
2037
2038         tsec = current->security;
2039         isec = inode->i_security;
2040
2041         /* Default to the current task SID. */
2042         bsec->sid = tsec->sid;
2043
2044         /* Reset fs, key, and sock SIDs on execve. */
2045         tsec->create_sid = 0;
2046         tsec->keycreate_sid = 0;
2047         tsec->sockcreate_sid = 0;
2048
2049         if (tsec->exec_sid) {
2050                 newsid = tsec->exec_sid;
2051                 /* Reset exec SID on execve. */
2052                 tsec->exec_sid = 0;
2053         } else {
2054                 /* Check for a default transition on this program. */
2055                 rc = security_transition_sid(tsec->sid, isec->sid,
2056                                              SECCLASS_PROCESS, &newsid);
2057                 if (rc)
2058                         return rc;
2059         }
2060
2061         AVC_AUDIT_DATA_INIT(&ad, FS);
2062         ad.u.fs.path = bprm->file->f_path;
2063
2064         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2065                 newsid = tsec->sid;
2066
2067         if (tsec->sid == newsid) {
2068                 rc = avc_has_perm(tsec->sid, isec->sid,
2069                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2070                 if (rc)
2071                         return rc;
2072         } else {
2073                 /* Check permissions for the transition. */
2074                 rc = avc_has_perm(tsec->sid, newsid,
2075                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2076                 if (rc)
2077                         return rc;
2078
2079                 rc = avc_has_perm(newsid, isec->sid,
2080                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2081                 if (rc)
2082                         return rc;
2083
2084                 /* Clear any possibly unsafe personality bits on exec: */
2085                 current->personality &= ~PER_CLEAR_ON_SETID;
2086
2087                 /* Set the security field to the new SID. */
2088                 bsec->sid = newsid;
2089         }
2090
2091         bsec->set = 1;
2092         return 0;
2093 }
2094
2095 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2096 {
2097         return secondary_ops->bprm_check_security(bprm);
2098 }
2099
2100
2101 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2102 {
2103         struct task_security_struct *tsec = current->security;
2104         int atsecure = 0;
2105
2106         if (tsec->osid != tsec->sid) {
2107                 /* Enable secure mode for SIDs transitions unless
2108                    the noatsecure permission is granted between
2109                    the two SIDs, i.e. ahp returns 0. */
2110                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2111                                          SECCLASS_PROCESS,
2112                                          PROCESS__NOATSECURE, NULL);
2113         }
2114
2115         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2116 }
2117
2118 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2119 {
2120         kfree(bprm->security);
2121         bprm->security = NULL;
2122 }
2123
2124 extern struct vfsmount *selinuxfs_mount;
2125 extern struct dentry *selinux_null;
2126
2127 /* Derived from fs/exec.c:flush_old_files. */
2128 static inline void flush_unauthorized_files(struct files_struct *files)
2129 {
2130         struct avc_audit_data ad;
2131         struct file *file, *devnull = NULL;
2132         struct tty_struct *tty;
2133         struct fdtable *fdt;
2134         long j = -1;
2135         int drop_tty = 0;
2136
2137         mutex_lock(&tty_mutex);
2138         tty = get_current_tty();
2139         if (tty) {
2140                 file_list_lock();
2141                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2142                 if (file) {
2143                         /* Revalidate access to controlling tty.
2144                            Use inode_has_perm on the tty inode directly rather
2145                            than using file_has_perm, as this particular open
2146                            file may belong to another process and we are only
2147                            interested in the inode-based check here. */
2148                         struct inode *inode = file->f_path.dentry->d_inode;
2149                         if (inode_has_perm(current, inode,
2150                                            FILE__READ | FILE__WRITE, NULL)) {
2151                                 drop_tty = 1;
2152                         }
2153                 }
2154                 file_list_unlock();
2155         }
2156         mutex_unlock(&tty_mutex);
2157         /* Reset controlling tty. */
2158         if (drop_tty)
2159                 no_tty();
2160
2161         /* Revalidate access to inherited open files. */
2162
2163         AVC_AUDIT_DATA_INIT(&ad, FS);
2164
2165         spin_lock(&files->file_lock);
2166         for (;;) {
2167                 unsigned long set, i;
2168                 int fd;
2169
2170                 j++;
2171                 i = j * __NFDBITS;
2172                 fdt = files_fdtable(files);
2173                 if (i >= fdt->max_fds)
2174                         break;
2175                 set = fdt->open_fds->fds_bits[j];
2176                 if (!set)
2177                         continue;
2178                 spin_unlock(&files->file_lock);
2179                 for ( ; set ; i++, set >>= 1) {
2180                         if (set & 1) {
2181                                 file = fget(i);
2182                                 if (!file)
2183                                         continue;
2184                                 if (file_has_perm(current,
2185                                                   file,
2186                                                   file_to_av(file))) {
2187                                         sys_close(i);
2188                                         fd = get_unused_fd();
2189                                         if (fd != i) {
2190                                                 if (fd >= 0)
2191                                                         put_unused_fd(fd);
2192                                                 fput(file);
2193                                                 continue;
2194                                         }
2195                                         if (devnull) {
2196                                                 get_file(devnull);
2197                                         } else {
2198                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2199                                                 if (IS_ERR(devnull)) {
2200                                                         devnull = NULL;
2201                                                         put_unused_fd(fd);
2202                                                         fput(file);
2203                                                         continue;
2204                                                 }
2205                                         }
2206                                         fd_install(fd, devnull);
2207                                 }
2208                                 fput(file);
2209                         }
2210                 }
2211                 spin_lock(&files->file_lock);
2212
2213         }
2214         spin_unlock(&files->file_lock);
2215 }
2216
2217 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2218 {
2219         struct task_security_struct *tsec;
2220         struct bprm_security_struct *bsec;
2221         u32 sid;
2222         int rc;
2223
2224         secondary_ops->bprm_apply_creds(bprm, unsafe);
2225
2226         tsec = current->security;
2227
2228         bsec = bprm->security;
2229         sid = bsec->sid;
2230
2231         tsec->osid = tsec->sid;
2232         bsec->unsafe = 0;
2233         if (tsec->sid != sid) {
2234                 /* Check for shared state.  If not ok, leave SID
2235                    unchanged and kill. */
2236                 if (unsafe & LSM_UNSAFE_SHARE) {
2237                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2238                                         PROCESS__SHARE, NULL);
2239                         if (rc) {
2240                                 bsec->unsafe = 1;
2241                                 return;
2242                         }
2243                 }
2244
2245                 /* Check for ptracing, and update the task SID if ok.
2246                    Otherwise, leave SID unchanged and kill. */
2247                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2248                         struct task_struct *tracer;
2249                         struct task_security_struct *sec;
2250                         u32 ptsid = 0;
2251
2252                         rcu_read_lock();
2253                         tracer = task_tracer_task(current);
2254                         if (likely(tracer != NULL)) {
2255                                 sec = tracer->security;
2256                                 ptsid = sec->sid;
2257                         }
2258                         rcu_read_unlock();
2259
2260                         if (ptsid != 0) {
2261                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2262                                                   PROCESS__PTRACE, NULL);
2263                                 if (rc) {
2264                                         bsec->unsafe = 1;
2265                                         return;
2266                                 }
2267                         }
2268                 }
2269                 tsec->sid = sid;
2270         }
2271 }
2272
2273 /*
2274  * called after apply_creds without the task lock held
2275  */
2276 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2277 {
2278         struct task_security_struct *tsec;
2279         struct rlimit *rlim, *initrlim;
2280         struct itimerval itimer;
2281         struct bprm_security_struct *bsec;
2282         int rc, i;
2283
2284         tsec = current->security;
2285         bsec = bprm->security;
2286
2287         if (bsec->unsafe) {
2288                 force_sig_specific(SIGKILL, current);
2289                 return;
2290         }
2291         if (tsec->osid == tsec->sid)
2292                 return;
2293
2294         /* Close files for which the new task SID is not authorized. */
2295         flush_unauthorized_files(current->files);
2296
2297         /* Check whether the new SID can inherit signal state
2298            from the old SID.  If not, clear itimers to avoid
2299            subsequent signal generation and flush and unblock
2300            signals. This must occur _after_ the task SID has
2301           been updated so that any kill done after the flush
2302           will be checked against the new SID. */
2303         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2304                           PROCESS__SIGINH, NULL);
2305         if (rc) {
2306                 memset(&itimer, 0, sizeof itimer);
2307                 for (i = 0; i < 3; i++)
2308                         do_setitimer(i, &itimer, NULL);
2309                 flush_signals(current);
2310                 spin_lock_irq(&current->sighand->siglock);
2311                 flush_signal_handlers(current, 1);
2312                 sigemptyset(&current->blocked);
2313                 recalc_sigpending();
2314                 spin_unlock_irq(&current->sighand->siglock);
2315         }
2316
2317         /* Always clear parent death signal on SID transitions. */
2318         current->pdeath_signal = 0;
2319
2320         /* Check whether the new SID can inherit resource limits
2321            from the old SID.  If not, reset all soft limits to
2322            the lower of the current task's hard limit and the init
2323            task's soft limit.  Note that the setting of hard limits
2324            (even to lower them) can be controlled by the setrlimit
2325            check. The inclusion of the init task's soft limit into
2326            the computation is to avoid resetting soft limits higher
2327            than the default soft limit for cases where the default
2328            is lower than the hard limit, e.g. RLIMIT_CORE or
2329            RLIMIT_STACK.*/
2330         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2331                           PROCESS__RLIMITINH, NULL);
2332         if (rc) {
2333                 for (i = 0; i < RLIM_NLIMITS; i++) {
2334                         rlim = current->signal->rlim + i;
2335                         initrlim = init_task.signal->rlim+i;
2336                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2337                 }
2338                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2339                         /*
2340                          * This will cause RLIMIT_CPU calculations
2341                          * to be refigured.
2342                          */
2343                         current->it_prof_expires = jiffies_to_cputime(1);
2344                 }
2345         }
2346
2347         /* Wake up the parent if it is waiting so that it can
2348            recheck wait permission to the new task SID. */
2349         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2350 }
2351
2352 /* superblock security operations */
2353
2354 static int selinux_sb_alloc_security(struct super_block *sb)
2355 {
2356         return superblock_alloc_security(sb);
2357 }
2358
2359 static void selinux_sb_free_security(struct super_block *sb)
2360 {
2361         superblock_free_security(sb);
2362 }
2363
2364 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2365 {
2366         if (plen > olen)
2367                 return 0;
2368
2369         return !memcmp(prefix, option, plen);
2370 }
2371
2372 static inline int selinux_option(char *option, int len)
2373 {
2374         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2375                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2376                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2377                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2378 }
2379
2380 static inline void take_option(char **to, char *from, int *first, int len)
2381 {
2382         if (!*first) {
2383                 **to = ',';
2384                 *to += 1;
2385         } else
2386                 *first = 0;
2387         memcpy(*to, from, len);
2388         *to += len;
2389 }
2390
2391 static inline void take_selinux_option(char **to, char *from, int *first,
2392                                        int len)
2393 {
2394         int current_size = 0;
2395
2396         if (!*first) {
2397                 **to = '|';
2398                 *to += 1;
2399         } else
2400                 *first = 0;
2401
2402         while (current_size < len) {
2403                 if (*from != '"') {
2404                         **to = *from;
2405                         *to += 1;
2406                 }
2407                 from += 1;
2408                 current_size += 1;
2409         }
2410 }
2411
2412 static int selinux_sb_copy_data(char *orig, char *copy)
2413 {
2414         int fnosec, fsec, rc = 0;
2415         char *in_save, *in_curr, *in_end;
2416         char *sec_curr, *nosec_save, *nosec;
2417         int open_quote = 0;
2418
2419         in_curr = orig;
2420         sec_curr = copy;
2421
2422         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2423         if (!nosec) {
2424                 rc = -ENOMEM;
2425                 goto out;
2426         }
2427
2428         nosec_save = nosec;
2429         fnosec = fsec = 1;
2430         in_save = in_end = orig;
2431
2432         do {
2433                 if (*in_end == '"')
2434                         open_quote = !open_quote;
2435                 if ((*in_end == ',' && open_quote == 0) ||
2436                                 *in_end == '\0') {
2437                         int len = in_end - in_curr;
2438
2439                         if (selinux_option(in_curr, len))
2440                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2441                         else
2442                                 take_option(&nosec, in_curr, &fnosec, len);
2443
2444                         in_curr = in_end + 1;
2445                 }
2446         } while (*in_end++);
2447
2448         strcpy(in_save, nosec_save);
2449         free_page((unsigned long)nosec_save);
2450 out:
2451         return rc;
2452 }
2453
2454 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2455 {
2456         struct avc_audit_data ad;
2457         int rc;
2458
2459         rc = superblock_doinit(sb, data);
2460         if (rc)
2461                 return rc;
2462
2463         AVC_AUDIT_DATA_INIT(&ad, FS);
2464         ad.u.fs.path.dentry = sb->s_root;
2465         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2466 }
2467
2468 static int selinux_sb_statfs(struct dentry *dentry)
2469 {
2470         struct avc_audit_data ad;
2471
2472         AVC_AUDIT_DATA_INIT(&ad, FS);
2473         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2474         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2475 }
2476
2477 static int selinux_mount(char *dev_name,
2478                          struct path *path,
2479                          char *type,
2480                          unsigned long flags,
2481                          void *data)
2482 {
2483         int rc;
2484
2485         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2486         if (rc)
2487                 return rc;
2488
2489         if (flags & MS_REMOUNT)
2490                 return superblock_has_perm(current, path->mnt->mnt_sb,
2491                                            FILESYSTEM__REMOUNT, NULL);
2492         else
2493                 return dentry_has_perm(current, path->mnt, path->dentry,
2494                                        FILE__MOUNTON);
2495 }
2496
2497 static int selinux_umount(struct vfsmount *mnt, int flags)
2498 {
2499         int rc;
2500
2501         rc = secondary_ops->sb_umount(mnt, flags);
2502         if (rc)
2503                 return rc;
2504
2505         return superblock_has_perm(current, mnt->mnt_sb,
2506                                    FILESYSTEM__UNMOUNT, NULL);
2507 }
2508
2509 /* inode security operations */
2510
2511 static int selinux_inode_alloc_security(struct inode *inode)
2512 {
2513         return inode_alloc_security(inode);
2514 }
2515
2516 static void selinux_inode_free_security(struct inode *inode)
2517 {
2518         inode_free_security(inode);
2519 }
2520
2521 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2522                                        char **name, void **value,
2523                                        size_t *len)
2524 {
2525         struct task_security_struct *tsec;
2526         struct inode_security_struct *dsec;
2527         struct superblock_security_struct *sbsec;
2528         u32 newsid, clen;
2529         int rc;
2530         char *namep = NULL, *context;
2531
2532         tsec = current->security;
2533         dsec = dir->i_security;
2534         sbsec = dir->i_sb->s_security;
2535
2536         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2537                 newsid = tsec->create_sid;
2538         } else {
2539                 rc = security_transition_sid(tsec->sid, dsec->sid,
2540                                              inode_mode_to_security_class(inode->i_mode),
2541                                              &newsid);
2542                 if (rc) {
2543                         printk(KERN_WARNING "%s:  "
2544                                "security_transition_sid failed, rc=%d (dev=%s "
2545                                "ino=%ld)\n",
2546                                __func__,
2547                                -rc, inode->i_sb->s_id, inode->i_ino);
2548                         return rc;
2549                 }
2550         }
2551
2552         /* Possibly defer initialization to selinux_complete_init. */
2553         if (sbsec->initialized) {
2554                 struct inode_security_struct *isec = inode->i_security;
2555                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2556                 isec->sid = newsid;
2557                 isec->initialized = 1;
2558         }
2559
2560         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2561                 return -EOPNOTSUPP;
2562
2563         if (name) {
2564                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2565                 if (!namep)
2566                         return -ENOMEM;
2567                 *name = namep;
2568         }
2569
2570         if (value && len) {
2571                 rc = security_sid_to_context_force(newsid, &context, &clen);
2572                 if (rc) {
2573                         kfree(namep);
2574                         return rc;
2575                 }
2576                 *value = context;
2577                 *len = clen;
2578         }
2579
2580         return 0;
2581 }
2582
2583 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2584 {
2585         return may_create(dir, dentry, SECCLASS_FILE);
2586 }
2587
2588 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2589 {
2590         int rc;
2591
2592         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2593         if (rc)
2594                 return rc;
2595         return may_link(dir, old_dentry, MAY_LINK);
2596 }
2597
2598 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2599 {
2600         int rc;
2601
2602         rc = secondary_ops->inode_unlink(dir, dentry);
2603         if (rc)
2604                 return rc;
2605         return may_link(dir, dentry, MAY_UNLINK);
2606 }
2607
2608 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2609 {
2610         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2611 }
2612
2613 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2614 {
2615         return may_create(dir, dentry, SECCLASS_DIR);
2616 }
2617
2618 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2619 {
2620         return may_link(dir, dentry, MAY_RMDIR);
2621 }
2622
2623 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2624 {
2625         int rc;
2626
2627         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2628         if (rc)
2629                 return rc;
2630
2631         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2632 }
2633
2634 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2635                                 struct inode *new_inode, struct dentry *new_dentry)
2636 {
2637         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2638 }
2639
2640 static int selinux_inode_readlink(struct dentry *dentry)
2641 {
2642         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2643 }
2644
2645 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2646 {
2647         int rc;
2648
2649         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2650         if (rc)
2651                 return rc;
2652         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2653 }
2654
2655 static int selinux_inode_permission(struct inode *inode, int mask,
2656                                     struct nameidata *nd)
2657 {
2658         int rc;
2659
2660         rc = secondary_ops->inode_permission(inode, mask, nd);
2661         if (rc)
2662                 return rc;
2663
2664         if (!mask) {
2665                 /* No permission to check.  Existence test. */
2666                 return 0;
2667         }
2668
2669         return inode_has_perm(current, inode,
2670                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2671 }
2672
2673 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2674 {
2675         int rc;
2676
2677         rc = secondary_ops->inode_setattr(dentry, iattr);
2678         if (rc)
2679                 return rc;
2680
2681         if (iattr->ia_valid & ATTR_FORCE)
2682                 return 0;
2683
2684         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2685                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2686                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2687
2688         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2689 }
2690
2691 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2692 {
2693         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2694 }
2695
2696 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2697 {
2698         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2699                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2700                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2701                         if (!capable(CAP_SETFCAP))
2702                                 return -EPERM;
2703                 } else if (!capable(CAP_SYS_ADMIN)) {
2704                         /* A different attribute in the security namespace.
2705                            Restrict to administrator. */
2706                         return -EPERM;
2707                 }
2708         }
2709
2710         /* Not an attribute we recognize, so just check the
2711            ordinary setattr permission. */
2712         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2713 }
2714
2715 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2716                                   const void *value, size_t size, int flags)
2717 {
2718         struct task_security_struct *tsec = current->security;
2719         struct inode *inode = dentry->d_inode;
2720         struct inode_security_struct *isec = inode->i_security;
2721         struct superblock_security_struct *sbsec;
2722         struct avc_audit_data ad;
2723         u32 newsid;
2724         int rc = 0;
2725
2726         if (strcmp(name, XATTR_NAME_SELINUX))
2727                 return selinux_inode_setotherxattr(dentry, name);
2728
2729         sbsec = inode->i_sb->s_security;
2730         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2731                 return -EOPNOTSUPP;
2732
2733         if (!is_owner_or_cap(inode))
2734                 return -EPERM;
2735
2736         AVC_AUDIT_DATA_INIT(&ad, FS);
2737         ad.u.fs.path.dentry = dentry;
2738
2739         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2740                           FILE__RELABELFROM, &ad);
2741         if (rc)
2742                 return rc;
2743
2744         rc = security_context_to_sid(value, size, &newsid);
2745         if (rc == -EINVAL) {
2746                 if (!capable(CAP_MAC_ADMIN))
2747                         return rc;
2748                 rc = security_context_to_sid_force(value, size, &newsid);
2749         }
2750         if (rc)
2751                 return rc;
2752
2753         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2754                           FILE__RELABELTO, &ad);
2755         if (rc)
2756                 return rc;
2757
2758         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2759                                           isec->sclass);
2760         if (rc)
2761                 return rc;
2762
2763         return avc_has_perm(newsid,
2764                             sbsec->sid,
2765                             SECCLASS_FILESYSTEM,
2766                             FILESYSTEM__ASSOCIATE,
2767                             &ad);
2768 }
2769
2770 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2771                                         const void *value, size_t size,
2772                                         int flags)
2773 {
2774         struct inode *inode = dentry->d_inode;
2775         struct inode_security_struct *isec = inode->i_security;
2776         u32 newsid;
2777         int rc;
2778
2779         if (strcmp(name, XATTR_NAME_SELINUX)) {
2780                 /* Not an attribute we recognize, so nothing to do. */
2781                 return;
2782         }
2783
2784         rc = security_context_to_sid_force(value, size, &newsid);
2785         if (rc) {
2786                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2787                        "for (%s, %lu), rc=%d\n",
2788                        inode->i_sb->s_id, inode->i_ino, -rc);
2789                 return;
2790         }
2791
2792         isec->sid = newsid;
2793         return;
2794 }
2795
2796 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2797 {
2798         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2799 }
2800
2801 static int selinux_inode_listxattr(struct dentry *dentry)
2802 {
2803         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2804 }
2805
2806 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2807 {
2808         if (strcmp(name, XATTR_NAME_SELINUX))
2809                 return selinux_inode_setotherxattr(dentry, name);
2810
2811         /* No one is allowed to remove a SELinux security label.
2812            You can change the label, but all data must be labeled. */
2813         return -EACCES;
2814 }
2815
2816 /*
2817  * Copy the inode security context value to the user.
2818  *
2819  * Permission check is handled by selinux_inode_getxattr hook.
2820  */
2821 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2822 {
2823         u32 size;
2824         int error;
2825         char *context = NULL;
2826         struct task_security_struct *tsec = current->security;
2827         struct inode_security_struct *isec = inode->i_security;
2828
2829         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2830                 return -EOPNOTSUPP;
2831
2832         /*
2833          * If the caller has CAP_MAC_ADMIN, then get the raw context
2834          * value even if it is not defined by current policy; otherwise,
2835          * use the in-core value under current policy.
2836          * Use the non-auditing forms of the permission checks since
2837          * getxattr may be called by unprivileged processes commonly
2838          * and lack of permission just means that we fall back to the
2839          * in-core context value, not a denial.
2840          */
2841         error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2842         if (!error)
2843                 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2844                                              SECCLASS_CAPABILITY2,
2845                                              CAPABILITY2__MAC_ADMIN,
2846                                              0,
2847                                              NULL);
2848         if (!error)
2849                 error = security_sid_to_context_force(isec->sid, &context,
2850                                                       &size);
2851         else
2852                 error = security_sid_to_context(isec->sid, &context, &size);
2853         if (error)
2854                 return error;
2855         error = size;
2856         if (alloc) {
2857                 *buffer = context;
2858                 goto out_nofree;
2859         }
2860         kfree(context);
2861 out_nofree:
2862         return error;
2863 }
2864
2865 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2866                                      const void *value, size_t size, int flags)
2867 {
2868         struct inode_security_struct *isec = inode->i_security;
2869         u32 newsid;
2870         int rc;
2871
2872         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2873                 return -EOPNOTSUPP;
2874
2875         if (!value || !size)
2876                 return -EACCES;
2877
2878         rc = security_context_to_sid((void *)value, size, &newsid);
2879         if (rc)
2880                 return rc;
2881
2882         isec->sid = newsid;
2883         return 0;
2884 }
2885
2886 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2887 {
2888         const int len = sizeof(XATTR_NAME_SELINUX);
2889         if (buffer && len <= buffer_size)
2890                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2891         return len;
2892 }
2893
2894 static int selinux_inode_need_killpriv(struct dentry *dentry)
2895 {
2896         return secondary_ops->inode_need_killpriv(dentry);
2897 }
2898
2899 static int selinux_inode_killpriv(struct dentry *dentry)
2900 {
2901         return secondary_ops->inode_killpriv(dentry);
2902 }
2903
2904 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2905 {
2906         struct inode_security_struct *isec = inode->i_security;
2907         *secid = isec->sid;
2908 }
2909
2910 /* file security operations */
2911
2912 static int selinux_revalidate_file_permission(struct file *file, int mask)
2913 {
2914         int rc;
2915         struct inode *inode = file->f_path.dentry->d_inode;
2916
2917         if (!mask) {
2918                 /* No permission to check.  Existence test. */
2919                 return 0;
2920         }
2921
2922         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2923         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2924                 mask |= MAY_APPEND;
2925
2926         rc = file_has_perm(current, file,
2927                            file_mask_to_av(inode->i_mode, mask));
2928         if (rc)
2929                 return rc;
2930
2931         return selinux_netlbl_inode_permission(inode, mask);
2932 }
2933
2934 static int selinux_file_permission(struct file *file, int mask)
2935 {
2936         struct inode *inode = file->f_path.dentry->d_inode;
2937         struct task_security_struct *tsec = current->security;
2938         struct file_security_struct *fsec = file->f_security;
2939         struct inode_security_struct *isec = inode->i_security;
2940
2941         if (!mask) {
2942                 /* No permission to check.  Existence test. */
2943                 return 0;
2944         }
2945
2946         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2947             && fsec->pseqno == avc_policy_seqno())
2948                 return selinux_netlbl_inode_permission(inode, mask);
2949
2950         return selinux_revalidate_file_permission(file, mask);
2951 }
2952
2953 static int selinux_file_alloc_security(struct file *file)
2954 {
2955         return file_alloc_security(file);
2956 }
2957
2958 static void selinux_file_free_security(struct file *file)
2959 {
2960         file_free_security(file);
2961 }
2962
2963 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2964                               unsigned long arg)
2965 {
2966         u32 av = 0;
2967
2968         if (_IOC_DIR(cmd) & _IOC_WRITE)
2969                 av |= FILE__WRITE;
2970         if (_IOC_DIR(cmd) & _IOC_READ)
2971                 av |= FILE__READ;
2972         if (!av)
2973                 av = FILE__IOCTL;
2974
2975         return file_has_perm(current, file, av);
2976 }
2977
2978 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2979 {
2980 #ifndef CONFIG_PPC32
2981         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2982                 /*
2983                  * We are making executable an anonymous mapping or a
2984                  * private file mapping that will also be writable.
2985                  * This has an additional check.
2986                  */
2987                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2988                 if (rc)
2989                         return rc;
2990         }
2991 #endif
2992
2993         if (file) {
2994                 /* read access is always possible with a mapping */
2995                 u32 av = FILE__READ;
2996
2997                 /* write access only matters if the mapping is shared */
2998                 if (shared && (prot & PROT_WRITE))
2999                         av |= FILE__WRITE;
3000
3001                 if (prot & PROT_EXEC)
3002                         av |= FILE__EXECUTE;
3003
3004                 return file_has_perm(current, file, av);
3005         }
3006         return 0;
3007 }
3008
3009 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3010                              unsigned long prot, unsigned long flags,
3011                              unsigned long addr, unsigned long addr_only)
3012 {
3013         int rc = 0;
3014         u32 sid = ((struct task_security_struct *)(current->security))->sid;
3015
3016         if (addr < mmap_min_addr)
3017                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3018                                   MEMPROTECT__MMAP_ZERO, NULL);
3019         if (rc || addr_only)
3020                 return rc;
3021
3022         if (selinux_checkreqprot)
3023                 prot = reqprot;
3024
3025         return file_map_prot_check(file, prot,
3026                                    (flags & MAP_TYPE) == MAP_SHARED);
3027 }
3028
3029 static int selinux_file_mprotect(struct vm_area_struct *vma,
3030                                  unsigned long reqprot,
3031                                  unsigned long prot)
3032 {
3033         int rc;
3034
3035         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3036         if (rc)
3037                 return rc;
3038
3039         if (selinux_checkreqprot)
3040                 prot = reqprot;
3041
3042 #ifndef CONFIG_PPC32
3043         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3044                 rc = 0;
3045                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3046                     vma->vm_end <= vma->vm_mm->brk) {
3047                         rc = task_has_perm(current, current,
3048                                            PROCESS__EXECHEAP);
3049                 } else if (!vma->vm_file &&
3050                            vma->vm_start <= vma->vm_mm->start_stack &&
3051                            vma->vm_end >= vma->vm_mm->start_stack) {
3052                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3053                 } else if (vma->vm_file && vma->anon_vma) {
3054                         /*
3055                          * We are making executable a file mapping that has
3056                          * had some COW done. Since pages might have been
3057                          * written, check ability to execute the possibly
3058                          * modified content.  This typically should only
3059                          * occur for text relocations.
3060                          */
3061                         rc = file_has_perm(current, vma->vm_file,
3062                                            FILE__EXECMOD);
3063                 }
3064                 if (rc)
3065                         return rc;
3066         }
3067 #endif
3068
3069         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3070 }
3071
3072 static int selinux_file_lock(struct file *file, unsigned int cmd)
3073 {
3074         return file_has_perm(current, file, FILE__LOCK);
3075 }
3076
3077 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3078                               unsigned long arg)
3079 {
3080         int err = 0;
3081
3082         switch (cmd) {
3083         case F_SETFL:
3084                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3085                         err = -EINVAL;
3086                         break;
3087                 }
3088
3089                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3090                         err = file_has_perm(current, file, FILE__WRITE);
3091                         break;
3092                 }
3093                 /* fall through */
3094         case F_SETOWN:
3095         case F_SETSIG:
3096         case F_GETFL:
3097         case F_GETOWN:
3098         case F_GETSIG:
3099                 /* Just check FD__USE permission */
3100                 err = file_has_perm(current, file, 0);
3101                 break;
3102         case F_GETLK:
3103         case F_SETLK:
3104         case F_SETLKW:
3105 #if BITS_PER_LONG == 32
3106         case F_GETLK64:
3107         case F_SETLK64:
3108         case F_SETLKW64:
3109 #endif
3110                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3111                         err = -EINVAL;
3112                         break;
3113                 }
3114                 err = file_has_perm(current, file, FILE__LOCK);
3115                 break;
3116         }
3117
3118         return err;
3119 }
3120
3121 static int selinux_file_set_fowner(struct file *file)
3122 {
3123         struct task_security_struct *tsec;
3124         struct file_security_struct *fsec;
3125
3126         tsec = current->security;
3127         fsec = file->f_security;
3128         fsec->fown_sid = tsec->sid;
3129
3130         return 0;
3131 }
3132
3133 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3134                                        struct fown_struct *fown, int signum)
3135 {
3136         struct file *file;
3137         u32 perm;
3138         struct task_security_struct *tsec;
3139         struct file_security_struct *fsec;
3140
3141         /* struct fown_struct is never outside the context of a struct file */
3142         file = container_of(fown, struct file, f_owner);
3143
3144         tsec = tsk->security;
3145         fsec = file->f_security;
3146
3147         if (!signum)
3148                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3149         else
3150                 perm = signal_to_av(signum);
3151
3152         return avc_has_perm(fsec->fown_sid, tsec->sid,
3153                             SECCLASS_PROCESS, perm, NULL);
3154 }
3155
3156 static int selinux_file_receive(struct file *file)
3157 {
3158         return file_has_perm(current, file, file_to_av(file));
3159 }
3160
3161 static int selinux_dentry_open(struct file *file)
3162 {
3163         struct file_security_struct *fsec;
3164         struct inode *inode;
3165         struct inode_security_struct *isec;
3166         inode = file->f_path.dentry->d_inode;
3167         fsec = file->f_security;
3168         isec = inode->i_security;
3169         /*
3170          * Save inode label and policy sequence number
3171          * at open-time so that selinux_file_permission
3172          * can determine whether revalidation is necessary.
3173          * Task label is already saved in the file security
3174          * struct as its SID.
3175          */
3176         fsec->isid = isec->sid;
3177         fsec->pseqno = avc_policy_seqno();
3178         /*
3179          * Since the inode label or policy seqno may have changed
3180          * between the selinux_inode_permission check and the saving
3181          * of state above, recheck that access is still permitted.
3182          * Otherwise, access might never be revalidated against the
3183          * new inode label or new policy.
3184          * This check is not redundant - do not remove.
3185          */
3186         return inode_has_perm(current, inode, file_to_av(file), NULL);
3187 }
3188
3189 /* task security operations */
3190
3191 static int selinux_task_create(unsigned long clone_flags)
3192 {
3193         int rc;
3194
3195         rc = secondary_ops->task_create(clone_flags);
3196         if (rc)
3197                 return rc;
3198
3199         return task_has_perm(current, current, PROCESS__FORK);
3200 }
3201
3202 static int selinux_task_alloc_security(struct task_struct *tsk)
3203 {
3204         struct task_security_struct *tsec1, *tsec2;
3205         int rc;
3206
3207         tsec1 = current->security;
3208
3209         rc = task_alloc_security(tsk);
3210         if (rc)
3211                 return rc;
3212         tsec2 = tsk->security;
3213
3214         tsec2->osid = tsec1->osid;
3215         tsec2->sid = tsec1->sid;
3216
3217         /* Retain the exec, fs, key, and sock SIDs across fork */
3218         tsec2->exec_sid = tsec1->exec_sid;
3219         tsec2->create_sid = tsec1->create_sid;
3220         tsec2->keycreate_sid = tsec1->keycreate_sid;
3221         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3222
3223         return 0;
3224 }
3225
3226 static void selinux_task_free_security(struct task_struct *tsk)
3227 {
3228         task_free_security(tsk);
3229 }
3230
3231 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3232 {
3233         /* Since setuid only affects the current process, and
3234            since the SELinux controls are not based on the Linux
3235            identity attributes, SELinux does not need to control
3236            this operation.  However, SELinux does control the use
3237            of the CAP_SETUID and CAP_SETGID capabilities using the
3238            capable hook. */
3239         return 0;
3240 }
3241
3242 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3243 {
3244         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3245 }
3246
3247 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3248 {
3249         /* See the comment for setuid above. */
3250         return 0;
3251 }
3252
3253 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3254 {
3255         return task_has_perm(current, p, PROCESS__SETPGID);
3256 }
3257
3258 static int selinux_task_getpgid(struct task_struct *p)
3259 {
3260         return task_has_perm(current, p, PROCESS__GETPGID);
3261 }
3262
3263 static int selinux_task_getsid(struct task_struct *p)
3264 {
3265         return task_has_perm(current, p, PROCESS__GETSESSION);
3266 }
3267
3268 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3269 {
3270         struct task_security_struct *tsec = p->security;
3271         *secid = tsec->sid;
3272 }
3273
3274 static int selinux_task_setgroups(struct group_info *group_info)
3275 {
3276         /* See the comment for setuid above. */
3277         return 0;
3278 }
3279
3280 static int selinux_task_setnice(struct task_struct *p, int nice)
3281 {
3282         int rc;
3283
3284         rc = secondary_ops->task_setnice(p, nice);
3285         if (rc)
3286                 return rc;
3287
3288         return task_has_perm(current, p, PROCESS__SETSCHED);
3289 }
3290
3291 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3292 {
3293         int rc;
3294
3295         rc = secondary_ops->task_setioprio(p, ioprio);
3296         if (rc)
3297                 return rc;
3298
3299         return task_has_perm(current, p, PROCESS__SETSCHED);
3300 }
3301
3302 static int selinux_task_getioprio(struct task_struct *p)
3303 {
3304         return task_has_perm(current, p, PROCESS__GETSCHED);
3305 }
3306
3307 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3308 {
3309         struct rlimit *old_rlim = current->signal->rlim + resource;
3310         int rc;
3311
3312         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3313         if (rc)
3314                 return rc;
3315
3316         /* Control the ability to change the hard limit (whether
3317            lowering or raising it), so that the hard limit can
3318            later be used as a safe reset point for the soft limit
3319            upon context transitions. See selinux_bprm_apply_creds. */
3320         if (old_rlim->rlim_max != new_rlim->rlim_max)
3321                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3322
3323         return 0;
3324 }
3325
3326 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3327 {
3328         int rc;
3329
3330         rc = secondary_ops->task_setscheduler(p, policy, lp);
3331         if (rc)
3332                 return rc;
3333
3334         return task_has_perm(current, p, PROCESS__SETSCHED);
3335 }
3336
3337 static int selinux_task_getscheduler(struct task_struct *p)
3338 {
3339         return task_has_perm(current, p, PROCESS__GETSCHED);
3340 }
3341
3342 static int selinux_task_movememory(struct task_struct *p)
3343 {
3344         return task_has_perm(current, p, PROCESS__SETSCHED);
3345 }
3346
3347 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3348                                 int sig, u32 secid)
3349 {
3350         u32 perm;
3351         int rc;
3352         struct task_security_struct *tsec;
3353
3354         rc = secondary_ops->task_kill(p, info, sig, secid);
3355         if (rc)
3356                 return rc;
3357
3358         if (!sig)
3359                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3360         else
3361                 perm = signal_to_av(sig);
3362         tsec = p->security;
3363         if (secid)
3364                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3365         else
3366                 rc = task_has_perm(current, p, perm);
3367         return rc;
3368 }
3369
3370 static int selinux_task_prctl(int option,
3371                               unsigned long arg2,
3372                               unsigned long arg3,
3373                               unsigned long arg4,
3374                               unsigned long arg5,
3375                               long *rc_p)
3376 {
3377         /* The current prctl operations do not appear to require
3378            any SELinux controls since they merely observe or modify
3379            the state of the current process. */
3380         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3381 }
3382
3383 static int selinux_task_wait(struct task_struct *p)
3384 {
3385         return task_has_perm(p, current, PROCESS__SIGCHLD);
3386 }
3387
3388 static void selinux_task_reparent_to_init(struct task_struct *p)
3389 {
3390         struct task_security_struct *tsec;
3391
3392         secondary_ops->task_reparent_to_init(p);
3393
3394         tsec = p->security;
3395         tsec->osid = tsec->sid;
3396         tsec->sid = SECINITSID_KERNEL;
3397         return;
3398 }
3399
3400 static void selinux_task_to_inode(struct task_struct *p,
3401                                   struct inode *inode)
3402 {
3403         struct task_security_struct *tsec = p->security;
3404         struct inode_security_struct *isec = inode->i_security;
3405
3406         isec->sid = tsec->sid;
3407         isec->initialized = 1;
3408         return;
3409 }
3410
3411 /* Returns error only if unable to parse addresses */
3412 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3413                         struct avc_audit_data *ad, u8 *proto)
3414 {
3415         int offset, ihlen, ret = -EINVAL;
3416         struct iphdr _iph, *ih;
3417
3418         offset = skb_network_offset(skb);
3419         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3420         if (ih == NULL)
3421                 goto out;
3422
3423         ihlen = ih->ihl * 4;
3424         if (ihlen < sizeof(_iph))
3425                 goto out;
3426
3427         ad->u.net.v4info.saddr = ih->saddr;
3428         ad->u.net.v4info.daddr = ih->daddr;
3429         ret = 0;
3430
3431         if (proto)
3432                 *proto = ih->protocol;
3433
3434         switch (ih->protocol) {
3435         case IPPROTO_TCP: {
3436                 struct tcphdr _tcph, *th;
3437
3438                 if (ntohs(ih->frag_off) & IP_OFFSET)
3439                         break;
3440
3441                 offset += ihlen;
3442                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3443                 if (th == NULL)
3444                         break;
3445
3446                 ad->u.net.sport = th->source;
3447                 ad->u.net.dport = th->dest;
3448                 break;
3449         }
3450
3451         case IPPROTO_UDP: {
3452                 struct udphdr _udph, *uh;
3453
3454                 if (ntohs(ih->frag_off) & IP_OFFSET)
3455                         break;
3456
3457                 offset += ihlen;
3458                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3459                 if (uh == NULL)
3460                         break;
3461
3462                 ad->u.net.sport = uh->source;
3463                 ad->u.net.dport = uh->dest;
3464                 break;
3465         }
3466
3467         case IPPROTO_DCCP: {
3468                 struct dccp_hdr _dccph, *dh;
3469
3470                 if (ntohs(ih->frag_off) & IP_OFFSET)
3471                         break;
3472
3473                 offset += ihlen;
3474                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3475                 if (dh == NULL)
3476                         break;
3477
3478                 ad->u.net.sport = dh->dccph_sport;
3479                 ad->u.net.dport = dh->dccph_dport;
3480                 break;
3481         }
3482
3483         default:
3484                 break;
3485         }
3486 out:
3487         return ret;
3488 }
3489
3490 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3491
3492 /* Returns error only if unable to parse addresses */
3493 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3494                         struct avc_audit_data *ad, u8 *proto)
3495 {
3496         u8 nexthdr;
3497         int ret = -EINVAL, offset;
3498         struct ipv6hdr _ipv6h, *ip6;
3499
3500         offset = skb_network_offset(skb);
3501         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3502         if (ip6 == NULL)
3503                 goto out;
3504
3505         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3506         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3507         ret = 0;
3508
3509         nexthdr = ip6->nexthdr;
3510         offset += sizeof(_ipv6h);
3511         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3512         if (offset < 0)
3513                 goto out;
3514
3515         if (proto)
3516                 *proto = nexthdr;
3517
3518         switch (nexthdr) {
3519         case IPPROTO_TCP: {
3520                 struct tcphdr _tcph, *th;
3521
3522                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3523                 if (th == NULL)
3524                         break;
3525
3526                 ad->u.net.sport = th->source;
3527                 ad->u.net.dport = th->dest;
3528                 break;
3529         }
3530
3531         case IPPROTO_UDP: {
3532                 struct udphdr _udph, *uh;
3533
3534                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3535                 if (uh == NULL)
3536                         break;
3537
3538                 ad->u.net.sport = uh->source;
3539                 ad->u.net.dport = uh->dest;
3540                 break;
3541         }
3542
3543         case IPPROTO_DCCP: {
3544                 struct dccp_hdr _dccph, *dh;
3545
3546                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3547                 if (dh == NULL)
3548                         break;
3549
3550                 ad->u.net.sport = dh->dccph_sport;
3551                 ad->u.net.dport = dh->dccph_dport;
3552                 break;
3553         }
3554
3555         /* includes fragments */
3556         default:
3557                 break;
3558         }
3559 out:
3560         return ret;
3561 }
3562
3563 #endif /* IPV6 */
3564
3565 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3566                              char **addrp, int src, u8 *proto)
3567 {
3568         int ret = 0;
3569
3570         switch (ad->u.net.family) {
3571         case PF_INET:
3572                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3573                 if (ret || !addrp)
3574                         break;
3575                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3576                                         &ad->u.net.v4info.daddr);
3577                 break;
3578
3579 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3580         case PF_INET6:
3581                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3582                 if (ret || !addrp)
3583                         break;
3584                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3585                                         &ad->u.net.v6info.daddr);
3586                 break;
3587 #endif  /* IPV6 */
3588         default:
3589                 break;
3590         }
3591
3592         if (unlikely(ret))
3593                 printk(KERN_WARNING
3594                        "SELinux: failure in selinux_parse_skb(),"
3595                        " unable to parse packet\n");
3596
3597         return ret;
3598 }
3599
3600 /**
3601  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3602  * @skb: the packet
3603  * @family: protocol family
3604  * @sid: the packet's peer label SID
3605  *
3606  * Description:
3607  * Check the various different forms of network peer labeling and determine
3608  * the peer label/SID for the packet; most of the magic actually occurs in
3609  * the security server function security_net_peersid_cmp().  The function
3610  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3611  * or -EACCES if @sid is invalid due to inconsistencies with the different
3612  * peer labels.
3613  *
3614  */
3615 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3616 {
3617         int err;
3618         u32 xfrm_sid;
3619         u32 nlbl_sid;
3620         u32 nlbl_type;
3621
3622         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3623         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3624
3625         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3626         if (unlikely(err)) {
3627                 printk(KERN_WARNING
3628                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3629                        " unable to determine packet's peer label\n");
3630                 return -EACCES;
3631         }
3632
3633         return 0;
3634 }
3635
3636 /* socket security operations */
3637 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3638                            u32 perms)
3639 {
3640         struct inode_security_struct *isec;
3641         struct task_security_struct *tsec;
3642         struct avc_audit_data ad;
3643         int err = 0;
3644
3645         tsec = task->security;
3646         isec = SOCK_INODE(sock)->i_security;
3647
3648         if (isec->sid == SECINITSID_KERNEL)
3649                 goto out;
3650
3651         AVC_AUDIT_DATA_INIT(&ad, NET);
3652         ad.u.net.sk = sock->sk;
3653         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3654
3655 out:
3656         return err;
3657 }
3658
3659 static int selinux_socket_create(int family, int type,
3660                                  int protocol, int kern)
3661 {
3662         int err = 0;
3663         struct task_security_struct *tsec;
3664         u32 newsid;
3665
3666         if (kern)
3667                 goto out;
3668
3669         tsec = current->security;
3670         newsid = tsec->sockcreate_sid ? : tsec->sid;
3671         err = avc_has_perm(tsec->sid, newsid,
3672                            socket_type_to_security_class(family, type,
3673                            protocol), SOCKET__CREATE, NULL);
3674
3675 out:
3676         return err;
3677 }
3678
3679 static int selinux_socket_post_create(struct socket *sock, int family,
3680                                       int type, int protocol, int kern)
3681 {
3682         int err = 0;
3683         struct inode_security_struct *isec;
3684         struct task_security_struct *tsec;
3685         struct sk_security_struct *sksec;
3686         u32 newsid;
3687
3688         isec = SOCK_INODE(sock)->i_security;
3689
3690         tsec = current->security;
3691         newsid = tsec->sockcreate_sid ? : tsec->sid;
3692         isec->sclass = socket_type_to_security_class(family, type, protocol);
3693         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3694         isec->initialized = 1;
3695
3696         if (sock->sk) {
3697                 sksec = sock->sk->sk_security;
3698                 sksec->sid = isec->sid;
3699                 sksec->sclass = isec->sclass;
3700                 err = selinux_netlbl_socket_post_create(sock);
3701         }
3702
3703         return err;
3704 }
3705
3706 /* Range of port numbers used to automatically bind.
3707    Need to determine whether we should perform a name_bind
3708    permission check between the socket and the port number. */
3709
3710 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3711 {
3712         u16 family;
3713         int err;
3714
3715         err = socket_has_perm(current, sock, SOCKET__BIND);
3716         if (err)
3717                 goto out;
3718
3719         /*
3720          * If PF_INET or PF_INET6, check name_bind permission for the port.
3721          * Multiple address binding for SCTP is not supported yet: we just
3722          * check the first address now.
3723          */
3724         family = sock->sk->sk_family;
3725         if (family == PF_INET || family == PF_INET6) {
3726                 char *addrp;
3727                 struct inode_security_struct *isec;
3728                 struct task_security_struct *tsec;
3729                 struct avc_audit_data ad;
3730                 struct sockaddr_in *addr4 = NULL;
3731                 struct sockaddr_in6 *addr6 = NULL;
3732                 unsigned short snum;
3733                 struct sock *sk = sock->sk;
3734                 u32 sid, node_perm;
3735
3736                 tsec = current->security;
3737                 isec = SOCK_INODE(sock)->i_security;
3738
3739                 if (family == PF_INET) {
3740                         addr4 = (struct sockaddr_in *)address;
3741                         snum = ntohs(addr4->sin_port);
3742                         addrp = (char *)&addr4->sin_addr.s_addr;
3743                 } else {
3744                         addr6 = (struct sockaddr_in6 *)address;
3745                         snum = ntohs(addr6->sin6_port);
3746                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3747                 }
3748
3749                 if (snum) {
3750                         int low, high;
3751
3752                         inet_get_local_port_range(&low, &high);
3753
3754                         if (snum < max(PROT_SOCK, low) || snum > high) {
3755                                 err = sel_netport_sid(sk->sk_protocol,
3756                                                       snum, &sid);
3757                                 if (err)
3758                                         goto out;
3759                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3760                                 ad.u.net.sport = htons(snum);
3761                                 ad.u.net.family = family;
3762                                 err = avc_has_perm(isec->sid, sid,
3763                                                    isec->sclass,
3764                                                    SOCKET__NAME_BIND, &ad);
3765                                 if (err)
3766                                         goto out;
3767                         }
3768                 }
3769
3770                 switch (isec->sclass) {
3771                 case SECCLASS_TCP_SOCKET:
3772                         node_perm = TCP_SOCKET__NODE_BIND;
3773                         break;
3774
3775                 case SECCLASS_UDP_SOCKET:
3776                         node_perm = UDP_SOCKET__NODE_BIND;
3777                         break;
3778
3779                 case SECCLASS_DCCP_SOCKET:
3780                         node_perm = DCCP_SOCKET__NODE_BIND;
3781                         break;
3782
3783                 default:
3784                         node_perm = RAWIP_SOCKET__NODE_BIND;
3785                         break;
3786                 }
3787
3788                 err = sel_netnode_sid(addrp, family, &sid);
3789                 if (err)
3790                         goto out;
3791
3792                 AVC_AUDIT_DATA_INIT(&ad, NET);
3793                 ad.u.net.sport = htons(snum);
3794                 ad.u.net.family = family;
3795
3796                 if (family == PF_INET)
3797                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3798                 else
3799                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3800
3801                 err = avc_has_perm(isec->sid, sid,
3802                                    isec->sclass, node_perm, &ad);
3803                 if (err)
3804                         goto out;
3805         }
3806 out:
3807         return err;
3808 }
3809
3810 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3811 {
3812         struct inode_security_struct *isec;
3813         int err;
3814
3815         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3816         if (err)
3817                 return err;
3818
3819         /*
3820          * If a TCP or DCCP socket, check name_connect permission for the port.
3821          */
3822         isec = SOCK_INODE(sock)->i_security;
3823         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3824             isec->sclass == SECCLASS_DCCP_SOCKET) {
3825                 struct sock *sk = sock->sk;
3826                 struct avc_audit_data ad;
3827                 struct sockaddr_in *addr4 = NULL;
3828                 struct sockaddr_in6 *addr6 = NULL;
3829                 unsigned short snum;
3830                 u32 sid, perm;
3831
3832                 if (sk->sk_family == PF_INET) {
3833                         addr4 = (struct sockaddr_in *)address;
3834                         if (addrlen < sizeof(struct sockaddr_in))
3835                                 return -EINVAL;
3836                         snum = ntohs(addr4->sin_port);
3837                 } else {
3838                         addr6 = (struct sockaddr_in6 *)address;
3839                         if (addrlen < SIN6_LEN_RFC2133)
3840                                 return -EINVAL;
3841                         snum = ntohs(addr6->sin6_port);
3842                 }
3843
3844                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3845                 if (err)
3846                         goto out;
3847
3848                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3849                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3850
3851                 AVC_AUDIT_DATA_INIT(&ad, NET);
3852                 ad.u.net.dport = htons(snum);
3853                 ad.u.net.family = sk->sk_family;
3854                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3855                 if (err)
3856                         goto out;
3857         }
3858
3859 out:
3860         return err;
3861 }
3862
3863 static int selinux_socket_listen(struct socket *sock, int backlog)
3864 {
3865         return socket_has_perm(current, sock, SOCKET__LISTEN);
3866 }
3867
3868 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3869 {
3870         int err;
3871         struct inode_security_struct *isec;
3872         struct inode_security_struct *newisec;
3873
3874         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3875         if (err)
3876                 return err;
3877
3878         newisec = SOCK_INODE(newsock)->i_security;
3879
3880         isec = SOCK_INODE(sock)->i_security;
3881         newisec->sclass = isec->sclass;
3882         newisec->sid = isec->sid;
3883         newisec->initialized = 1;
3884
3885         return 0;
3886 }
3887
3888 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3889                                   int size)
3890 {
3891         int rc;
3892
3893         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3894         if (rc)
3895                 return rc;
3896
3897         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3898 }
3899
3900 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3901                                   int size, int flags)
3902 {
3903         return socket_has_perm(current, sock, SOCKET__READ);
3904 }
3905
3906 static int selinux_socket_getsockname(struct socket *sock)
3907 {
3908         return socket_has_perm(current, sock, SOCKET__GETATTR);
3909 }
3910
3911 static int selinux_socket_getpeername(struct socket *sock)
3912 {
3913         return socket_has_perm(current, sock, SOCKET__GETATTR);
3914 }
3915
3916 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3917 {
3918         int err;
3919
3920         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3921         if (err)
3922                 return err;
3923
3924         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3925 }
3926
3927 static int selinux_socket_getsockopt(struct socket *sock, int level,
3928                                      int optname)
3929 {
3930         return socket_has_perm(current, sock, SOCKET__GETOPT);
3931 }
3932
3933 static int selinux_socket_shutdown(struct socket *sock, int how)
3934 {
3935         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3936 }
3937
3938 static int selinux_socket_unix_stream_connect(struct socket *sock,
3939                                               struct socket *other,
3940                                               struct sock *newsk)
3941 {
3942         struct sk_security_struct *ssec;
3943         struct inode_security_struct *isec;
3944         struct inode_security_struct *other_isec;
3945         struct avc_audit_data ad;
3946         int err;
3947
3948         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3949         if (err)
3950                 return err;
3951
3952         isec = SOCK_INODE(sock)->i_security;
3953         other_isec = SOCK_INODE(other)->i_security;
3954
3955         AVC_AUDIT_DATA_INIT(&ad, NET);
3956         ad.u.net.sk = other->sk;
3957
3958         err = avc_has_perm(isec->sid, other_isec->sid,
3959                            isec->sclass,
3960                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3961         if (err)
3962                 return err;
3963
3964         /* connecting socket */
3965         ssec = sock->sk->sk_security;
3966         ssec->peer_sid = other_isec->sid;
3967
3968         /* server child socket */
3969         ssec = newsk->sk_security;
3970         ssec->peer_sid = isec->sid;
3971         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3972
3973         return err;
3974 }
3975
3976 static int selinux_socket_unix_may_send(struct socket *sock,
3977                                         struct socket *other)
3978 {
3979         struct inode_security_struct *isec;
3980         struct inode_security_struct *other_isec;
3981         struct avc_audit_data ad;
3982         int err;
3983
3984         isec = SOCK_INODE(sock)->i_security;
3985         other_isec = SOCK_INODE(other)->i_security;
3986
3987         AVC_AUDIT_DATA_INIT(&ad, NET);
3988         ad.u.net.sk = other->sk;
3989
3990         err = avc_has_perm(isec->sid, other_isec->sid,
3991                            isec->sclass, SOCKET__SENDTO, &ad);
3992         if (err)
3993                 return err;
3994
3995         return 0;
3996 }
3997
3998 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3999                                     u32 peer_sid,
4000                                     struct avc_audit_data *ad)
4001 {
4002         int err;
4003         u32 if_sid;
4004         u32 node_sid;
4005
4006         err = sel_netif_sid(ifindex, &if_sid);
4007         if (err)
4008                 return err;
4009         err = avc_has_perm(peer_sid, if_sid,
4010                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4011         if (err)
4012                 return err;
4013
4014         err = sel_netnode_sid(addrp, family, &node_sid);
4015         if (err)
4016                 return err;
4017         return avc_has_perm(peer_sid, node_sid,
4018                             SECCLASS_NODE, NODE__RECVFROM, ad);
4019 }
4020
4021 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4022                                                 struct sk_buff *skb,
4023                                                 struct avc_audit_data *ad,
4024                                                 u16 family,
4025                                                 char *addrp)
4026 {
4027         int err;
4028         struct sk_security_struct *sksec = sk->sk_security;
4029         u16 sk_class;
4030         u32 netif_perm, node_perm, recv_perm;
4031         u32 port_sid, node_sid, if_sid, sk_sid;
4032
4033         sk_sid = sksec->sid;
4034         sk_class = sksec->sclass;
4035
4036         switch (sk_class) {
4037         case SECCLASS_UDP_SOCKET:
4038                 netif_perm = NETIF__UDP_RECV;
4039                 node_perm = NODE__UDP_RECV;
4040                 recv_perm = UDP_SOCKET__RECV_MSG;
4041                 break;
4042         case SECCLASS_TCP_SOCKET:
4043                 netif_perm = NETIF__TCP_RECV;
4044                 node_perm = NODE__TCP_RECV;
4045                 recv_perm = TCP_SOCKET__RECV_MSG;
4046                 break;
4047         case SECCLASS_DCCP_SOCKET:
4048                 netif_perm = NETIF__DCCP_RECV;
4049                 node_perm = NODE__DCCP_RECV;
4050                 recv_perm = DCCP_SOCKET__RECV_MSG;
4051                 break;
4052         default:
4053                 netif_perm = NETIF__RAWIP_RECV;
4054                 node_perm = NODE__RAWIP_RECV;
4055                 recv_perm = 0;
4056                 break;
4057         }
4058
4059         err = sel_netif_sid(skb->iif, &if_sid);
4060         if (err)
4061                 return err;
4062         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4063         if (err)
4064                 return err;
4065
4066         err = sel_netnode_sid(addrp, family, &node_sid);
4067         if (err)
4068                 return err;
4069         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4070         if (err)
4071                 return err;
4072
4073         if (!recv_perm)
4074                 return 0;
4075         err = sel_netport_sid(sk->sk_protocol,
4076                               ntohs(ad->u.net.sport), &port_sid);
4077         if (unlikely(err)) {
4078                 printk(KERN_WARNING
4079                        "SELinux: failure in"
4080                        " selinux_sock_rcv_skb_iptables_compat(),"
4081                        " network port label not found\n");
4082                 return err;
4083         }
4084         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4085 }
4086
4087 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4088                                        struct avc_audit_data *ad,
4089                                        u16 family, char *addrp)
4090 {
4091         int err;
4092         struct sk_security_struct *sksec = sk->sk_security;
4093         u32 peer_sid;
4094         u32 sk_sid = sksec->sid;
4095
4096         if (selinux_compat_net)
4097                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4098                                                            family, addrp);
4099         else
4100                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4101                                    PACKET__RECV, ad);
4102         if (err)
4103                 return err;
4104
4105         if (selinux_policycap_netpeer) {
4106                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4107                 if (err)
4108                         return err;
4109                 err = avc_has_perm(sk_sid, peer_sid,
4110                                    SECCLASS_PEER, PEER__RECV, ad);
4111         } else {
4112                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4113                 if (err)
4114                         return err;
4115                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4116         }
4117
4118         return err;
4119 }
4120
4121 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4122 {
4123         int err;
4124         struct sk_security_struct *sksec = sk->sk_security;
4125         u16 family = sk->sk_family;
4126         u32 sk_sid = sksec->sid;
4127         struct avc_audit_data ad;
4128         char *addrp;
4129
4130         if (family != PF_INET && family != PF_INET6)
4131                 return 0;
4132
4133         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4134         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4135                 family = PF_INET;
4136
4137         AVC_AUDIT_DATA_INIT(&ad, NET);
4138         ad.u.net.netif = skb->iif;
4139         ad.u.net.family = family;
4140         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4141         if (err)
4142                 return err;
4143
4144         /* If any sort of compatibility mode is enabled then handoff processing
4145          * to the selinux_sock_rcv_skb_compat() function to deal with the
4146          * special handling.  We do this in an attempt to keep this function
4147          * as fast and as clean as possible. */
4148         if (selinux_compat_net || !selinux_policycap_netpeer)
4149                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4150                                                    family, addrp);
4151
4152         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4153                 u32 peer_sid;
4154
4155                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4156                 if (err)
4157                         return err;
4158                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4159                                                peer_sid, &ad);
4160                 if (err)
4161                         return err;
4162                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4163                                    PEER__RECV, &ad);
4164         }
4165
4166         if (selinux_secmark_enabled()) {
4167                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4168                                    PACKET__RECV, &ad);
4169                 if (err)
4170                         return err;
4171         }
4172
4173         return err;
4174 }
4175
4176 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4177                                             int __user *optlen, unsigned len)
4178 {
4179         int err = 0;
4180         char *scontext;
4181         u32 scontext_len;
4182         struct sk_security_struct *ssec;
4183         struct inode_security_struct *isec;
4184         u32 peer_sid = SECSID_NULL;
4185
4186         isec = SOCK_INODE(sock)->i_security;
4187
4188         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4189             isec->sclass == SECCLASS_TCP_SOCKET) {
4190                 ssec = sock->sk->sk_security;
4191                 peer_sid = ssec->peer_sid;
4192         }
4193         if (peer_sid == SECSID_NULL) {
4194                 err = -ENOPROTOOPT;
4195                 goto out;
4196         }
4197
4198         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4199
4200         if (err)
4201                 goto out;
4202
4203         if (scontext_len > len) {
4204                 err = -ERANGE;
4205                 goto out_len;
4206         }
4207
4208         if (copy_to_user(optval, scontext, scontext_len))
4209                 err = -EFAULT;
4210
4211 out_len:
4212         if (put_user(scontext_len, optlen))
4213                 err = -EFAULT;
4214
4215         kfree(scontext);
4216 out:
4217         return err;
4218 }
4219
4220 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4221 {
4222         u32 peer_secid = SECSID_NULL;
4223         u16 family;
4224
4225         if (sock)
4226                 family = sock->sk->sk_family;
4227         else if (skb && skb->sk)
4228                 family = skb->sk->sk_family;
4229         else
4230                 goto out;
4231
4232         if (sock && family == PF_UNIX)
4233                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4234         else if (skb)
4235                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4236
4237 out:
4238         *secid = peer_secid;
4239         if (peer_secid == SECSID_NULL)
4240                 return -EINVAL;
4241         return 0;
4242 }
4243
4244 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4245 {
4246         return sk_alloc_security(sk, family, priority);
4247 }
4248
4249 static void selinux_sk_free_security(struct sock *sk)
4250 {
4251         sk_free_security(sk);
4252 }
4253
4254 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4255 {
4256         struct sk_security_struct *ssec = sk->sk_security;
4257         struct sk_security_struct *newssec = newsk->sk_security;
4258
4259         newssec->sid = ssec->sid;
4260         newssec->peer_sid = ssec->peer_sid;
4261         newssec->sclass = ssec->sclass;
4262
4263         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4264 }
4265
4266 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4267 {
4268         if (!sk)
4269                 *secid = SECINITSID_ANY_SOCKET;
4270         else {
4271                 struct sk_security_struct *sksec = sk->sk_security;
4272
4273                 *secid = sksec->sid;
4274         }
4275 }
4276
4277 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4278 {
4279         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4280         struct sk_security_struct *sksec = sk->sk_security;
4281
4282         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4283             sk->sk_family == PF_UNIX)
4284                 isec->sid = sksec->sid;
4285         sksec->sclass = isec->sclass;
4286
4287         selinux_netlbl_sock_graft(sk, parent);
4288 }
4289
4290 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4291                                      struct request_sock *req)
4292 {
4293         struct sk_security_struct *sksec = sk->sk_security;
4294         int err;
4295         u32 newsid;
4296         u32 peersid;
4297
4298         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4299         if (err)
4300                 return err;
4301         if (peersid == SECSID_NULL) {
4302                 req->secid = sksec->sid;
4303                 req->peer_secid = SECSID_NULL;
4304                 return 0;
4305         }
4306
4307         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4308         if (err)
4309                 return err;
4310
4311         req->secid = newsid;
4312         req->peer_secid = peersid;
4313         return 0;
4314 }
4315
4316 static void selinux_inet_csk_clone(struct sock *newsk,
4317                                    const struct request_sock *req)
4318 {
4319         struct sk_security_struct *newsksec = newsk->sk_security;
4320
4321         newsksec->sid = req->secid;
4322         newsksec->peer_sid = req->peer_secid;
4323         /* NOTE: Ideally, we should also get the isec->sid for the
4324            new socket in sync, but we don't have the isec available yet.
4325            So we will wait until sock_graft to do it, by which
4326            time it will have been created and available. */
4327
4328         /* We don't need to take any sort of lock here as we are the only
4329          * thread with access to newsksec */
4330         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4331 }
4332
4333 static void selinux_inet_conn_established(struct sock *sk,
4334                                 struct sk_buff *skb)
4335 {
4336         struct sk_security_struct *sksec = sk->sk_security;
4337
4338         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4339 }
4340
4341 static void selinux_req_classify_flow(const struct request_sock *req,
4342                                       struct flowi *fl)
4343 {
4344         fl->secid = req->secid;
4345 }
4346
4347 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4348 {
4349         int err = 0;
4350         u32 perm;
4351         struct nlmsghdr *nlh;
4352         struct socket *sock = sk->sk_socket;
4353         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4354
4355         if (skb->len < NLMSG_SPACE(0)) {
4356                 err = -EINVAL;
4357                 goto out;
4358         }
4359         nlh = nlmsg_hdr(skb);
4360
4361         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4362         if (err) {
4363                 if (err == -EINVAL) {
4364                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4365                                   "SELinux:  unrecognized netlink message"
4366                                   " type=%hu for sclass=%hu\n",
4367                                   nlh->nlmsg_type, isec->sclass);
4368                         if (!selinux_enforcing)
4369                                 err = 0;
4370                 }
4371
4372                 /* Ignore */
4373                 if (err == -ENOENT)
4374                         err = 0;
4375                 goto out;
4376         }
4377
4378         err = socket_has_perm(current, sock, perm);
4379 out:
4380         return err;
4381 }
4382
4383 #ifdef CONFIG_NETFILTER
4384
4385 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4386                                        u16 family)
4387 {
4388         char *addrp;
4389         u32 peer_sid;
4390         struct avc_audit_data ad;
4391         u8 secmark_active;
4392         u8 peerlbl_active;
4393
4394         if (!selinux_policycap_netpeer)
4395                 return NF_ACCEPT;
4396
4397         secmark_active = selinux_secmark_enabled();
4398         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4399         if (!secmark_active && !peerlbl_active)
4400                 return NF_ACCEPT;
4401
4402         AVC_AUDIT_DATA_INIT(&ad, NET);
4403         ad.u.net.netif = ifindex;
4404         ad.u.net.family = family;
4405         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4406                 return NF_DROP;
4407
4408         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4409                 return NF_DROP;
4410
4411         if (peerlbl_active)
4412                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4413                                              peer_sid, &ad) != 0)
4414                         return NF_DROP;
4415
4416         if (secmark_active)
4417                 if (avc_has_perm(peer_sid, skb->secmark,
4418                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4419                         return NF_DROP;
4420
4421         return NF_ACCEPT;
4422 }
4423
4424 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4425                                          struct sk_buff *skb,
4426                                          const struct net_device *in,
4427                                          const struct net_device *out,
4428                                          int (*okfn)(struct sk_buff *))
4429 {
4430         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4431 }
4432
4433 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4434 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4435                                          struct sk_buff *skb,
4436                                          const struct net_device *in,
4437                                          const struct net_device *out,
4438                                          int (*okfn)(struct sk_buff *))
4439 {
4440         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4441 }
4442 #endif  /* IPV6 */
4443
4444 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4445                                                 int ifindex,
4446                                                 struct avc_audit_data *ad,
4447                                                 u16 family, char *addrp)
4448 {
4449         int err;
4450         struct sk_security_struct *sksec = sk->sk_security;
4451         u16 sk_class;
4452         u32 netif_perm, node_perm, send_perm;
4453         u32 port_sid, node_sid, if_sid, sk_sid;
4454
4455         sk_sid = sksec->sid;
4456         sk_class = sksec->sclass;
4457
4458         switch (sk_class) {
4459         case SECCLASS_UDP_SOCKET:
4460                 netif_perm = NETIF__UDP_SEND;
4461                 node_perm = NODE__UDP_SEND;
4462                 send_perm = UDP_SOCKET__SEND_MSG;
4463                 break;
4464         case SECCLASS_TCP_SOCKET:
4465                 netif_perm = NETIF__TCP_SEND;
4466                 node_perm = NODE__TCP_SEND;
4467                 send_perm = TCP_SOCKET__SEND_MSG;
4468                 break;
4469         case SECCLASS_DCCP_SOCKET:
4470                 netif_perm = NETIF__DCCP_SEND;
4471                 node_perm = NODE__DCCP_SEND;
4472                 send_perm = DCCP_SOCKET__SEND_MSG;
4473                 break;
4474         default:
4475                 netif_perm = NETIF__RAWIP_SEND;
4476                 node_perm = NODE__RAWIP_SEND;
4477                 send_perm = 0;
4478                 break;
4479         }
4480
4481         err = sel_netif_sid(ifindex, &if_sid);
4482         if (err)
4483                 return err;
4484         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4485                 return err;
4486
4487         err = sel_netnode_sid(addrp, family, &node_sid);
4488         if (err)
4489                 return err;
4490         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4491         if (err)
4492                 return err;
4493
4494         if (send_perm != 0)
4495                 return 0;
4496
4497         err = sel_netport_sid(sk->sk_protocol,
4498                               ntohs(ad->u.net.dport), &port_sid);
4499         if (unlikely(err)) {
4500                 printk(KERN_WARNING
4501                        "SELinux: failure in"
4502                        " selinux_ip_postroute_iptables_compat(),"
4503                        " network port label not found\n");
4504                 return err;
4505         }
4506         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4507 }
4508
4509 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4510                                                 int ifindex,
4511                                                 struct avc_audit_data *ad,
4512                                                 u16 family,
4513                                                 char *addrp,
4514                                                 u8 proto)
4515 {
4516         struct sock *sk = skb->sk;
4517         struct sk_security_struct *sksec;
4518
4519         if (sk == NULL)
4520                 return NF_ACCEPT;
4521         sksec = sk->sk_security;
4522
4523         if (selinux_compat_net) {
4524                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4525                                                          ad, family, addrp))
4526                         return NF_DROP;
4527         } else {
4528                 if (avc_has_perm(sksec->sid, skb->secmark,
4529                                  SECCLASS_PACKET, PACKET__SEND, ad))
4530                         return NF_DROP;
4531         }
4532
4533         if (selinux_policycap_netpeer)
4534                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4535                         return NF_DROP;
4536
4537         return NF_ACCEPT;
4538 }
4539
4540 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4541                                          u16 family)
4542 {
4543         u32 secmark_perm;
4544         u32 peer_sid;
4545         struct sock *sk;
4546         struct avc_audit_data ad;
4547         char *addrp;
4548         u8 proto;
4549         u8 secmark_active;
4550         u8 peerlbl_active;
4551
4552         AVC_AUDIT_DATA_INIT(&ad, NET);
4553         ad.u.net.netif = ifindex;
4554         ad.u.net.family = family;
4555         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4556                 return NF_DROP;
4557
4558         /* If any sort of compatibility mode is enabled then handoff processing
4559          * to the selinux_ip_postroute_compat() function to deal with the
4560          * special handling.  We do this in an attempt to keep this function
4561          * as fast and as clean as possible. */
4562         if (selinux_compat_net || !selinux_policycap_netpeer)
4563                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4564                                                    family, addrp, proto);
4565
4566         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4567          * packet transformation so allow the packet to pass without any checks
4568          * since we'll have another chance to perform access control checks
4569          * when the packet is on it's final way out.
4570          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4571          *       is NULL, in this case go ahead and apply access control. */
4572         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4573                 return NF_ACCEPT;
4574
4575         secmark_active = selinux_secmark_enabled();
4576         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4577         if (!secmark_active && !peerlbl_active)
4578                 return NF_ACCEPT;
4579
4580         /* if the packet is locally generated (skb->sk != NULL) then use the
4581          * socket's label as the peer label, otherwise the packet is being
4582          * forwarded through this system and we need to fetch the peer label
4583          * directly from the packet */
4584         sk = skb->sk;
4585         if (sk) {
4586                 struct sk_security_struct *sksec = sk->sk_security;
4587                 peer_sid = sksec->sid;
4588                 secmark_perm = PACKET__SEND;
4589         } else {
4590                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4591                                 return NF_DROP;
4592                 secmark_perm = PACKET__FORWARD_OUT;
4593         }
4594
4595         if (secmark_active)
4596                 if (avc_has_perm(peer_sid, skb->secmark,
4597                                  SECCLASS_PACKET, secmark_perm, &ad))
4598                         return NF_DROP;
4599
4600         if (peerlbl_active) {
4601                 u32 if_sid;
4602                 u32 node_sid;
4603
4604                 if (sel_netif_sid(ifindex, &if_sid))
4605                         return NF_DROP;
4606                 if (avc_has_perm(peer_sid, if_sid,
4607                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4608                         return NF_DROP;
4609
4610                 if (sel_netnode_sid(addrp, family, &node_sid))
4611                         return NF_DROP;
4612                 if (avc_has_perm(peer_sid, node_sid,
4613                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4614                         return NF_DROP;
4615         }
4616
4617         return NF_ACCEPT;
4618 }
4619
4620 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4621                                            struct sk_buff *skb,
4622                                            const struct net_device *in,
4623                                            const struct net_device *out,
4624                                            int (*okfn)(struct sk_buff *))
4625 {
4626         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4627 }
4628
4629 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4630 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4631                                            struct sk_buff *skb,
4632                                            const struct net_device *in,
4633                                            const struct net_device *out,
4634                                            int (*okfn)(struct sk_buff *))
4635 {
4636         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4637 }
4638 #endif  /* IPV6 */
4639
4640 #endif  /* CONFIG_NETFILTER */
4641
4642 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4643 {
4644         int err;
4645
4646         err = secondary_ops->netlink_send(sk, skb);
4647         if (err)
4648                 return err;
4649
4650         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4651                 err = selinux_nlmsg_perm(sk, skb);
4652
4653         return err;
4654 }
4655
4656 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4657 {
4658         int err;
4659         struct avc_audit_data ad;
4660
4661         err = secondary_ops->netlink_recv(skb, capability);
4662         if (err)
4663                 return err;
4664
4665         AVC_AUDIT_DATA_INIT(&ad, CAP);
4666         ad.u.cap = capability;
4667
4668         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4669                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4670 }
4671
4672 static int ipc_alloc_security(struct task_struct *task,
4673                               struct kern_ipc_perm *perm,
4674                               u16 sclass)
4675 {
4676         struct task_security_struct *tsec = task->security;
4677         struct ipc_security_struct *isec;
4678
4679         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4680         if (!isec)
4681                 return -ENOMEM;
4682
4683         isec->sclass = sclass;
4684         isec->sid = tsec->sid;
4685         perm->security = isec;
4686
4687         return 0;
4688 }
4689
4690 static void ipc_free_security(struct kern_ipc_perm *perm)
4691 {
4692         struct ipc_security_struct *isec = perm->security;
4693         perm->security = NULL;
4694         kfree(isec);
4695 }
4696
4697 static int msg_msg_alloc_security(struct msg_msg *msg)
4698 {
4699         struct msg_security_struct *msec;
4700
4701         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4702         if (!msec)
4703                 return -ENOMEM;
4704
4705         msec->sid = SECINITSID_UNLABELED;
4706         msg->security = msec;
4707
4708         return 0;
4709 }
4710
4711 static void msg_msg_free_security(struct msg_msg *msg)
4712 {
4713         struct msg_security_struct *msec = msg->security;
4714
4715         msg->security = NULL;
4716         kfree(msec);
4717 }
4718
4719 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4720                         u32 perms)
4721 {
4722         struct task_security_struct *tsec;
4723         struct ipc_security_struct *isec;
4724         struct avc_audit_data ad;
4725
4726         tsec = current->security;
4727         isec = ipc_perms->security;
4728
4729         AVC_AUDIT_DATA_INIT(&ad, IPC);
4730         ad.u.ipc_id = ipc_perms->key;
4731
4732         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4733 }
4734
4735 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4736 {
4737         return msg_msg_alloc_security(msg);
4738 }
4739
4740 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4741 {
4742         msg_msg_free_security(msg);
4743 }
4744
4745 /* message queue security operations */
4746 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4747 {
4748         struct task_security_struct *tsec;
4749         struct ipc_security_struct *isec;
4750         struct avc_audit_data ad;
4751         int rc;
4752
4753         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4754         if (rc)
4755                 return rc;
4756
4757         tsec = current->security;
4758         isec = msq->q_perm.security;
4759
4760         AVC_AUDIT_DATA_INIT(&ad, IPC);
4761         ad.u.ipc_id = msq->q_perm.key;
4762
4763         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4764                           MSGQ__CREATE, &ad);
4765         if (rc) {
4766                 ipc_free_security(&msq->q_perm);
4767                 return rc;
4768         }
4769         return 0;
4770 }
4771
4772 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4773 {
4774         ipc_free_security(&msq->q_perm);
4775 }
4776
4777 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4778 {
4779         struct task_security_struct *tsec;
4780         struct ipc_security_struct *isec;
4781         struct avc_audit_data ad;
4782
4783         tsec = current->security;
4784         isec = msq->q_perm.security;
4785
4786         AVC_AUDIT_DATA_INIT(&ad, IPC);
4787         ad.u.ipc_id = msq->q_perm.key;
4788
4789         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4790                             MSGQ__ASSOCIATE, &ad);
4791 }
4792
4793 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4794 {
4795         int err;
4796         int perms;
4797
4798         switch (cmd) {
4799         case IPC_INFO:
4800         case MSG_INFO:
4801                 /* No specific object, just general system-wide information. */
4802                 return task_has_system(current, SYSTEM__IPC_INFO);
4803         case IPC_STAT:
4804         case MSG_STAT:
4805                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4806                 break;
4807         case IPC_SET:
4808                 perms = MSGQ__SETATTR;
4809                 break;
4810         case IPC_RMID:
4811                 perms = MSGQ__DESTROY;
4812                 break;
4813         default:
4814                 return 0;
4815         }
4816
4817         err = ipc_has_perm(&msq->q_perm, perms);
4818         return err;
4819 }
4820
4821 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4822 {
4823         struct task_security_struct *tsec;
4824         struct ipc_security_struct *isec;
4825         struct msg_security_struct *msec;
4826         struct avc_audit_data ad;
4827         int rc;
4828
4829         tsec = current->security;
4830         isec = msq->q_perm.security;
4831         msec = msg->security;
4832
4833         /*
4834          * First time through, need to assign label to the message
4835          */
4836         if (msec->sid == SECINITSID_UNLABELED) {
4837                 /*
4838                  * Compute new sid based on current process and
4839                  * message queue this message will be stored in
4840                  */
4841                 rc = security_transition_sid(tsec->sid,
4842                                              isec->sid,
4843                                              SECCLASS_MSG,
4844                                              &msec->sid);
4845                 if (rc)
4846                         return rc;
4847         }
4848
4849         AVC_AUDIT_DATA_INIT(&ad, IPC);
4850         ad.u.ipc_id = msq->q_perm.key;
4851
4852         /* Can this process write to the queue? */
4853         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4854                           MSGQ__WRITE, &ad);
4855         if (!rc)
4856                 /* Can this process send the message */
4857                 rc = avc_has_perm(tsec->sid, msec->sid,
4858                                   SECCLASS_MSG, MSG__SEND, &ad);
4859         if (!rc)
4860                 /* Can the message be put in the queue? */
4861                 rc = avc_has_perm(msec->sid, isec->sid,
4862                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4863
4864         return rc;
4865 }
4866
4867 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4868                                     struct task_struct *target,
4869                                     long type, int mode)
4870 {
4871         struct task_security_struct *tsec;
4872         struct ipc_security_struct *isec;
4873         struct msg_security_struct *msec;
4874         struct avc_audit_data ad;
4875         int rc;
4876
4877         tsec = target->security;
4878         isec = msq->q_perm.security;
4879         msec = msg->security;
4880
4881         AVC_AUDIT_DATA_INIT(&ad, IPC);
4882         ad.u.ipc_id = msq->q_perm.key;
4883
4884         rc = avc_has_perm(tsec->sid, isec->sid,
4885                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4886         if (!rc)
4887                 rc = avc_has_perm(tsec->sid, msec->sid,
4888                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4889         return rc;
4890 }
4891
4892 /* Shared Memory security operations */
4893 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4894 {
4895         struct task_security_struct *tsec;
4896         struct ipc_security_struct *isec;
4897         struct avc_audit_data ad;
4898         int rc;
4899
4900         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4901         if (rc)
4902                 return rc;
4903
4904         tsec = current->security;
4905         isec = shp->shm_perm.security;
4906
4907         AVC_AUDIT_DATA_INIT(&ad, IPC);
4908         ad.u.ipc_id = shp->shm_perm.key;
4909
4910         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4911                           SHM__CREATE, &ad);
4912         if (rc) {
4913                 ipc_free_security(&shp->shm_perm);
4914                 return rc;
4915         }
4916         return 0;
4917 }
4918
4919 static void selinux_shm_free_security(struct shmid_kernel *shp)
4920 {
4921         ipc_free_security(&shp->shm_perm);
4922 }
4923
4924 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4925 {
4926         struct task_security_struct *tsec;
4927         struct ipc_security_struct *isec;
4928         struct avc_audit_data ad;
4929
4930         tsec = current->security;
4931         isec = shp->shm_perm.security;
4932
4933         AVC_AUDIT_DATA_INIT(&ad, IPC);
4934         ad.u.ipc_id = shp->shm_perm.key;
4935
4936         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4937                             SHM__ASSOCIATE, &ad);
4938 }
4939
4940 /* Note, at this point, shp is locked down */
4941 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4942 {
4943         int perms;
4944         int err;
4945
4946         switch (cmd) {
4947         case IPC_INFO:
4948         case SHM_INFO:
4949                 /* No specific object, just general system-wide information. */
4950                 return task_has_system(current, SYSTEM__IPC_INFO);
4951         case IPC_STAT:
4952         case SHM_STAT:
4953                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4954                 break;
4955         case IPC_SET:
4956                 perms = SHM__SETATTR;
4957                 break;
4958         case SHM_LOCK:
4959         case SHM_UNLOCK:
4960                 perms = SHM__LOCK;
4961                 break;
4962         case IPC_RMID:
4963                 perms = SHM__DESTROY;
4964                 break;
4965         default:
4966                 return 0;
4967         }
4968
4969         err = ipc_has_perm(&shp->shm_perm, perms);
4970         return err;
4971 }
4972
4973 static int selinux_shm_shmat(struct shmid_kernel *shp,
4974                              char __user *shmaddr, int shmflg)
4975 {
4976         u32 perms;
4977         int rc;
4978
4979         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4980         if (rc)
4981                 return rc;
4982
4983         if (shmflg & SHM_RDONLY)
4984                 perms = SHM__READ;
4985         else
4986                 perms = SHM__READ | SHM__WRITE;
4987
4988         return ipc_has_perm(&shp->shm_perm, perms);
4989 }
4990
4991 /* Semaphore security operations */
4992 static int selinux_sem_alloc_security(struct sem_array *sma)
4993 {
4994         struct task_security_struct *tsec;
4995         struct ipc_security_struct *isec;
4996         struct avc_audit_data ad;
4997         int rc;
4998
4999         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5000         if (rc)
5001                 return rc;
5002
5003         tsec = current->security;
5004         isec = sma->sem_perm.security;
5005
5006         AVC_AUDIT_DATA_INIT(&ad, IPC);
5007         ad.u.ipc_id = sma->sem_perm.key;
5008
5009         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5010                           SEM__CREATE, &ad);
5011         if (rc) {
5012                 ipc_free_security(&sma->sem_perm);
5013                 return rc;
5014         }
5015         return 0;
5016 }
5017
5018 static void selinux_sem_free_security(struct sem_array *sma)
5019 {
5020         ipc_free_security(&sma->sem_perm);
5021 }
5022
5023 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5024 {
5025         struct task_security_struct *tsec;
5026         struct ipc_security_struct *isec;
5027         struct avc_audit_data ad;
5028
5029         tsec = current->security;
5030         isec = sma->sem_perm.security;
5031
5032         AVC_AUDIT_DATA_INIT(&ad, IPC);
5033         ad.u.ipc_id = sma->sem_perm.key;
5034
5035         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5036                             SEM__ASSOCIATE, &ad);
5037 }
5038
5039 /* Note, at this point, sma is locked down */
5040 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5041 {
5042         int err;
5043         u32 perms;
5044
5045         switch (cmd) {
5046         case IPC_INFO:
5047         case SEM_INFO:
5048                 /* No specific object, just general system-wide information. */
5049                 return task_has_system(current, SYSTEM__IPC_INFO);
5050         case GETPID:
5051         case GETNCNT:
5052         case GETZCNT:
5053                 perms = SEM__GETATTR;
5054                 break;
5055         case GETVAL:
5056         case GETALL:
5057                 perms = SEM__READ;
5058                 break;
5059         case SETVAL:
5060         case SETALL:
5061                 perms = SEM__WRITE;
5062                 break;
5063         case IPC_RMID:
5064                 perms = SEM__DESTROY;
5065                 break;
5066         case IPC_SET:
5067                 perms = SEM__SETATTR;
5068                 break;
5069         case IPC_STAT:
5070         case SEM_STAT:
5071                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5072                 break;
5073         default:
5074                 return 0;
5075         }
5076
5077         err = ipc_has_perm(&sma->sem_perm, perms);
5078         return err;
5079 }
5080
5081 static int selinux_sem_semop(struct sem_array *sma,
5082                              struct sembuf *sops, unsigned nsops, int alter)
5083 {
5084         u32 perms;
5085
5086         if (alter)
5087                 perms = SEM__READ | SEM__WRITE;
5088         else
5089                 perms = SEM__READ;
5090
5091         return ipc_has_perm(&sma->sem_perm, perms);
5092 }
5093
5094 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5095 {
5096         u32 av = 0;
5097
5098         av = 0;
5099         if (flag & S_IRUGO)
5100                 av |= IPC__UNIX_READ;
5101         if (flag & S_IWUGO)
5102                 av |= IPC__UNIX_WRITE;
5103
5104         if (av == 0)
5105                 return 0;
5106
5107         return ipc_has_perm(ipcp, av);
5108 }
5109
5110 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5111 {
5112         struct ipc_security_struct *isec = ipcp->security;
5113         *secid = isec->sid;
5114 }
5115
5116 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5117 {
5118         if (inode)
5119                 inode_doinit_with_dentry(inode, dentry);
5120 }
5121
5122 static int selinux_getprocattr(struct task_struct *p,
5123                                char *name, char **value)
5124 {
5125         struct task_security_struct *tsec;
5126         u32 sid;
5127         int error;
5128         unsigned len;
5129
5130         if (current != p) {
5131                 error = task_has_perm(current, p, PROCESS__GETATTR);
5132                 if (error)
5133                         return error;
5134         }
5135
5136         tsec = p->security;
5137
5138         if (!strcmp(name, "current"))
5139                 sid = tsec->sid;
5140         else if (!strcmp(name, "prev"))
5141                 sid = tsec->osid;
5142         else if (!strcmp(name, "exec"))
5143                 sid = tsec->exec_sid;
5144         else if (!strcmp(name, "fscreate"))
5145                 sid = tsec->create_sid;
5146         else if (!strcmp(name, "keycreate"))
5147                 sid = tsec->keycreate_sid;
5148         else if (!strcmp(name, "sockcreate"))
5149                 sid = tsec->sockcreate_sid;
5150         else
5151                 return -EINVAL;
5152
5153         if (!sid)
5154                 return 0;
5155
5156         error = security_sid_to_context(sid, value, &len);
5157         if (error)
5158                 return error;
5159         return len;
5160 }
5161
5162 static int selinux_setprocattr(struct task_struct *p,
5163                                char *name, void *value, size_t size)
5164 {
5165         struct task_security_struct *tsec;
5166         struct task_struct *tracer;
5167         u32 sid = 0;
5168         int error;
5169         char *str = value;
5170
5171         if (current != p) {
5172                 /* SELinux only allows a process to change its own
5173                    security attributes. */
5174                 return -EACCES;
5175         }
5176
5177         /*
5178          * Basic control over ability to set these attributes at all.
5179          * current == p, but we'll pass them separately in case the
5180          * above restriction is ever removed.
5181          */
5182         if (!strcmp(name, "exec"))
5183                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5184         else if (!strcmp(name, "fscreate"))
5185                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5186         else if (!strcmp(name, "keycreate"))
5187                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5188         else if (!strcmp(name, "sockcreate"))
5189                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5190         else if (!strcmp(name, "current"))
5191                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5192         else
5193                 error = -EINVAL;
5194         if (error)
5195                 return error;
5196
5197         /* Obtain a SID for the context, if one was specified. */
5198         if (size && str[1] && str[1] != '\n') {
5199                 if (str[size-1] == '\n') {
5200                         str[size-1] = 0;
5201                         size--;
5202                 }
5203                 error = security_context_to_sid(value, size, &sid);
5204                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5205                         if (!capable(CAP_MAC_ADMIN))
5206                                 return error;
5207                         error = security_context_to_sid_force(value, size,
5208                                                               &sid);
5209                 }
5210                 if (error)
5211                         return error;
5212         }
5213
5214         /* Permission checking based on the specified context is
5215            performed during the actual operation (execve,
5216            open/mkdir/...), when we know the full context of the
5217            operation.  See selinux_bprm_set_security for the execve
5218            checks and may_create for the file creation checks. The
5219            operation will then fail if the context is not permitted. */
5220         tsec = p->security;
5221         if (!strcmp(name, "exec"))
5222                 tsec->exec_sid = sid;
5223         else if (!strcmp(name, "fscreate"))
5224                 tsec->create_sid = sid;
5225         else if (!strcmp(name, "keycreate")) {
5226                 error = may_create_key(sid, p);
5227                 if (error)
5228                         return error;
5229                 tsec->keycreate_sid = sid;
5230         } else if (!strcmp(name, "sockcreate"))
5231                 tsec->sockcreate_sid = sid;
5232         else if (!strcmp(name, "current")) {
5233                 struct av_decision avd;
5234
5235                 if (sid == 0)
5236                         return -EINVAL;
5237
5238                 /* Only allow single threaded processes to change context */
5239                 if (atomic_read(&p->mm->mm_users) != 1) {
5240                         struct task_struct *g, *t;
5241                         struct mm_struct *mm = p->mm;
5242                         read_lock(&tasklist_lock);
5243                         do_each_thread(g, t) {
5244                                 if (t->mm == mm && t != p) {
5245                                         read_unlock(&tasklist_lock);
5246                                         return -EPERM;
5247                                 }
5248                         } while_each_thread(g, t);
5249                         read_unlock(&tasklist_lock);
5250                 }
5251
5252                 /* Check permissions for the transition. */
5253                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5254                                      PROCESS__DYNTRANSITION, NULL);
5255                 if (error)
5256                         return error;
5257
5258                 /* Check for ptracing, and update the task SID if ok.
5259                    Otherwise, leave SID unchanged and fail. */
5260                 task_lock(p);
5261                 rcu_read_lock();
5262                 tracer = task_tracer_task(p);
5263                 if (tracer != NULL) {
5264                         struct task_security_struct *ptsec = tracer->security;
5265                         u32 ptsid = ptsec->sid;
5266                         rcu_read_unlock();
5267                         error = avc_has_perm_noaudit(ptsid, sid,
5268                                                      SECCLASS_PROCESS,
5269                                                      PROCESS__PTRACE, 0, &avd);
5270                         if (!error)
5271                                 tsec->sid = sid;
5272                         task_unlock(p);
5273                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5274                                   PROCESS__PTRACE, &avd, error, NULL);
5275                         if (error)
5276                                 return error;
5277                 } else {
5278                         rcu_read_unlock();
5279                         tsec->sid = sid;
5280                         task_unlock(p);
5281                 }
5282         } else
5283                 return -EINVAL;
5284
5285         return size;
5286 }
5287
5288 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5289 {
5290         return security_sid_to_context(secid, secdata, seclen);
5291 }
5292
5293 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5294 {
5295         return security_context_to_sid(secdata, seclen, secid);
5296 }
5297
5298 static void selinux_release_secctx(char *secdata, u32 seclen)
5299 {
5300         kfree(secdata);
5301 }
5302
5303 #ifdef CONFIG_KEYS
5304
5305 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5306                              unsigned long flags)
5307 {
5308         struct task_security_struct *tsec = tsk->security;
5309         struct key_security_struct *ksec;
5310
5311         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5312         if (!ksec)
5313                 return -ENOMEM;
5314
5315         if (tsec->keycreate_sid)
5316                 ksec->sid = tsec->keycreate_sid;
5317         else
5318                 ksec->sid = tsec->sid;
5319         k->security = ksec;
5320
5321         return 0;
5322 }
5323
5324 static void selinux_key_free(struct key *k)
5325 {
5326         struct key_security_struct *ksec = k->security;
5327
5328         k->security = NULL;
5329         kfree(ksec);
5330 }
5331
5332 static int selinux_key_permission(key_ref_t key_ref,
5333                             struct task_struct *ctx,
5334                             key_perm_t perm)
5335 {
5336         struct key *key;
5337         struct task_security_struct *tsec;
5338         struct key_security_struct *ksec;
5339
5340         key = key_ref_to_ptr(key_ref);
5341
5342         tsec = ctx->security;
5343         ksec = key->security;
5344
5345         /* if no specific permissions are requested, we skip the
5346            permission check. No serious, additional covert channels
5347            appear to be created. */
5348         if (perm == 0)
5349                 return 0;
5350
5351         return avc_has_perm(tsec->sid, ksec->sid,
5352                             SECCLASS_KEY, perm, NULL);
5353 }
5354
5355 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5356 {
5357         struct key_security_struct *ksec = key->security;
5358         char *context = NULL;
5359         unsigned len;
5360         int rc;
5361
5362         rc = security_sid_to_context(ksec->sid, &context, &len);
5363         if (!rc)
5364                 rc = len;
5365         *_buffer = context;
5366         return rc;
5367 }
5368
5369 #endif
5370
5371 static struct security_operations selinux_ops = {
5372         .name =                         "selinux",
5373
5374         .ptrace =                       selinux_ptrace,
5375         .capget =                       selinux_capget,
5376         .capset_check =                 selinux_capset_check,
5377         .capset_set =                   selinux_capset_set,
5378         .sysctl =                       selinux_sysctl,
5379         .capable =                      selinux_capable,
5380         .quotactl =                     selinux_quotactl,
5381         .quota_on =                     selinux_quota_on,
5382         .syslog =                       selinux_syslog,
5383         .vm_enough_memory =             selinux_vm_enough_memory,
5384
5385         .netlink_send =                 selinux_netlink_send,
5386         .netlink_recv =                 selinux_netlink_recv,
5387
5388         .bprm_alloc_security =          selinux_bprm_alloc_security,
5389         .bprm_free_security =           selinux_bprm_free_security,
5390         .bprm_apply_creds =             selinux_bprm_apply_creds,
5391         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5392         .bprm_set_security =            selinux_bprm_set_security,
5393         .bprm_check_security =          selinux_bprm_check_security,
5394         .bprm_secureexec =              selinux_bprm_secureexec,
5395
5396         .sb_alloc_security =            selinux_sb_alloc_security,
5397         .sb_free_security =             selinux_sb_free_security,
5398         .sb_copy_data =                 selinux_sb_copy_data,
5399         .sb_kern_mount =                selinux_sb_kern_mount,
5400         .sb_show_options =              selinux_sb_show_options,
5401         .sb_statfs =                    selinux_sb_statfs,
5402         .sb_mount =                     selinux_mount,
5403         .sb_umount =                    selinux_umount,
5404         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5405         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5406         .sb_parse_opts_str =            selinux_parse_opts_str,
5407
5408
5409         .inode_alloc_security =         selinux_inode_alloc_security,
5410         .inode_free_security =          selinux_inode_free_security,
5411         .inode_init_security =          selinux_inode_init_security,
5412         .inode_create =                 selinux_inode_create,
5413         .inode_link =                   selinux_inode_link,
5414         .inode_unlink =                 selinux_inode_unlink,
5415         .inode_symlink =                selinux_inode_symlink,
5416         .inode_mkdir =                  selinux_inode_mkdir,
5417         .inode_rmdir =                  selinux_inode_rmdir,
5418         .inode_mknod =                  selinux_inode_mknod,
5419         .inode_rename =                 selinux_inode_rename,
5420         .inode_readlink =               selinux_inode_readlink,
5421         .inode_follow_link =            selinux_inode_follow_link,
5422         .inode_permission =             selinux_inode_permission,
5423         .inode_setattr =                selinux_inode_setattr,
5424         .inode_getattr =                selinux_inode_getattr,
5425         .inode_setxattr =               selinux_inode_setxattr,
5426         .inode_post_setxattr =          selinux_inode_post_setxattr,
5427         .inode_getxattr =               selinux_inode_getxattr,
5428         .inode_listxattr =              selinux_inode_listxattr,
5429         .inode_removexattr =            selinux_inode_removexattr,
5430         .inode_getsecurity =            selinux_inode_getsecurity,
5431         .inode_setsecurity =            selinux_inode_setsecurity,
5432         .inode_listsecurity =           selinux_inode_listsecurity,
5433         .inode_need_killpriv =          selinux_inode_need_killpriv,
5434         .inode_killpriv =               selinux_inode_killpriv,
5435         .inode_getsecid =               selinux_inode_getsecid,
5436
5437         .file_permission =              selinux_file_permission,
5438         .file_alloc_security =          selinux_file_alloc_security,
5439         .file_free_security =           selinux_file_free_security,
5440         .file_ioctl =                   selinux_file_ioctl,
5441         .file_mmap =                    selinux_file_mmap,
5442         .file_mprotect =                selinux_file_mprotect,
5443         .file_lock =                    selinux_file_lock,
5444         .file_fcntl =                   selinux_file_fcntl,
5445         .file_set_fowner =              selinux_file_set_fowner,
5446         .file_send_sigiotask =          selinux_file_send_sigiotask,
5447         .file_receive =                 selinux_file_receive,
5448
5449         .dentry_open =                  selinux_dentry_open,
5450
5451         .task_create =                  selinux_task_create,
5452         .task_alloc_security =          selinux_task_alloc_security,
5453         .task_free_security =           selinux_task_free_security,
5454         .task_setuid =                  selinux_task_setuid,
5455         .task_post_setuid =             selinux_task_post_setuid,
5456         .task_setgid =                  selinux_task_setgid,
5457         .task_setpgid =                 selinux_task_setpgid,
5458         .task_getpgid =                 selinux_task_getpgid,
5459         .task_getsid =                  selinux_task_getsid,
5460         .task_getsecid =                selinux_task_getsecid,
5461         .task_setgroups =               selinux_task_setgroups,
5462         .task_setnice =                 selinux_task_setnice,
5463         .task_setioprio =               selinux_task_setioprio,
5464         .task_getioprio =               selinux_task_getioprio,
5465         .task_setrlimit =               selinux_task_setrlimit,
5466         .task_setscheduler =            selinux_task_setscheduler,
5467         .task_getscheduler =            selinux_task_getscheduler,
5468         .task_movememory =              selinux_task_movememory,
5469         .task_kill =                    selinux_task_kill,
5470         .task_wait =                    selinux_task_wait,
5471         .task_prctl =                   selinux_task_prctl,
5472         .task_reparent_to_init =        selinux_task_reparent_to_init,
5473         .task_to_inode =                selinux_task_to_inode,
5474
5475         .ipc_permission =               selinux_ipc_permission,
5476         .ipc_getsecid =                 selinux_ipc_getsecid,
5477
5478         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5479         .msg_msg_free_security =        selinux_msg_msg_free_security,
5480
5481         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5482         .msg_queue_free_security =      selinux_msg_queue_free_security,
5483         .msg_queue_associate =          selinux_msg_queue_associate,
5484         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5485         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5486         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5487
5488         .shm_alloc_security =           selinux_shm_alloc_security,
5489         .shm_free_security =            selinux_shm_free_security,
5490         .shm_associate =                selinux_shm_associate,
5491         .shm_shmctl =                   selinux_shm_shmctl,
5492         .shm_shmat =                    selinux_shm_shmat,
5493
5494         .sem_alloc_security =           selinux_sem_alloc_security,
5495         .sem_free_security =            selinux_sem_free_security,
5496         .sem_associate =                selinux_sem_associate,
5497         .sem_semctl =                   selinux_sem_semctl,
5498         .sem_semop =                    selinux_sem_semop,
5499
5500         .d_instantiate =                selinux_d_instantiate,
5501
5502         .getprocattr =                  selinux_getprocattr,
5503         .setprocattr =                  selinux_setprocattr,
5504
5505         .secid_to_secctx =              selinux_secid_to_secctx,
5506         .secctx_to_secid =              selinux_secctx_to_secid,
5507         .release_secctx =               selinux_release_secctx,
5508
5509         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5510         .unix_may_send =                selinux_socket_unix_may_send,
5511
5512         .socket_create =                selinux_socket_create,
5513         .socket_post_create =           selinux_socket_post_create,
5514         .socket_bind =                  selinux_socket_bind,
5515         .socket_connect =               selinux_socket_connect,
5516         .socket_listen =                selinux_socket_listen,
5517         .socket_accept =                selinux_socket_accept,
5518         .socket_sendmsg =               selinux_socket_sendmsg,
5519         .socket_recvmsg =               selinux_socket_recvmsg,
5520         .socket_getsockname =           selinux_socket_getsockname,
5521         .socket_getpeername =           selinux_socket_getpeername,
5522         .socket_getsockopt =            selinux_socket_getsockopt,
5523         .socket_setsockopt =            selinux_socket_setsockopt,
5524         .socket_shutdown =              selinux_socket_shutdown,
5525         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5526         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5527         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5528         .sk_alloc_security =            selinux_sk_alloc_security,
5529         .sk_free_security =             selinux_sk_free_security,
5530         .sk_clone_security =            selinux_sk_clone_security,
5531         .sk_getsecid =                  selinux_sk_getsecid,
5532         .sock_graft =                   selinux_sock_graft,
5533         .inet_conn_request =            selinux_inet_conn_request,
5534         .inet_csk_clone =               selinux_inet_csk_clone,
5535         .inet_conn_established =        selinux_inet_conn_established,
5536         .req_classify_flow =            selinux_req_classify_flow,
5537
5538 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5539         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5540         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5541         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5542         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5543         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5544         .xfrm_state_free_security =     selinux_xfrm_state_free,
5545         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5546         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5547         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5548         .xfrm_decode_session =          selinux_xfrm_decode_session,
5549 #endif
5550
5551 #ifdef CONFIG_KEYS
5552         .key_alloc =                    selinux_key_alloc,
5553         .key_free =                     selinux_key_free,
5554         .key_permission =               selinux_key_permission,
5555         .key_getsecurity =              selinux_key_getsecurity,
5556 #endif
5557
5558 #ifdef CONFIG_AUDIT
5559         .audit_rule_init =              selinux_audit_rule_init,
5560         .audit_rule_known =             selinux_audit_rule_known,
5561         .audit_rule_match =             selinux_audit_rule_match,
5562         .audit_rule_free =              selinux_audit_rule_free,
5563 #endif
5564 };
5565
5566 static __init int selinux_init(void)
5567 {
5568         struct task_security_struct *tsec;
5569
5570         if (!security_module_enable(&selinux_ops)) {
5571                 selinux_enabled = 0;
5572                 return 0;
5573         }
5574
5575         if (!selinux_enabled) {
5576                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5577                 return 0;
5578         }
5579
5580         printk(KERN_INFO "SELinux:  Initializing.\n");
5581
5582         /* Set the security state for the initial task. */
5583         if (task_alloc_security(current))
5584                 panic("SELinux:  Failed to initialize initial task.\n");
5585         tsec = current->security;
5586         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5587
5588         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5589                                             sizeof(struct inode_security_struct),
5590                                             0, SLAB_PANIC, NULL);
5591         avc_init();
5592
5593         secondary_ops = security_ops;
5594         if (!secondary_ops)
5595                 panic("SELinux: No initial security operations\n");
5596         if (register_security(&selinux_ops))
5597                 panic("SELinux: Unable to register with kernel.\n");
5598
5599         if (selinux_enforcing)
5600                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5601         else
5602                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5603
5604         return 0;
5605 }
5606
5607 void selinux_complete_init(void)
5608 {
5609         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5610
5611         /* Set up any superblocks initialized prior to the policy load. */
5612         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5613         spin_lock(&sb_lock);
5614         spin_lock(&sb_security_lock);
5615 next_sb:
5616         if (!list_empty(&superblock_security_head)) {
5617                 struct superblock_security_struct *sbsec =
5618                                 list_entry(superblock_security_head.next,
5619                                            struct superblock_security_struct,
5620                                            list);
5621                 struct super_block *sb = sbsec->sb;
5622                 sb->s_count++;
5623                 spin_unlock(&sb_security_lock);
5624                 spin_unlock(&sb_lock);
5625                 down_read(&sb->s_umount);
5626                 if (sb->s_root)
5627                         superblock_doinit(sb, NULL);
5628                 drop_super(sb);
5629                 spin_lock(&sb_lock);
5630                 spin_lock(&sb_security_lock);
5631                 list_del_init(&sbsec->list);
5632                 goto next_sb;
5633         }
5634         spin_unlock(&sb_security_lock);
5635         spin_unlock(&sb_lock);
5636 }
5637
5638 /* SELinux requires early initialization in order to label
5639    all processes and objects when they are created. */
5640 security_initcall(selinux_init);
5641
5642 #if defined(CONFIG_NETFILTER)
5643
5644 static struct nf_hook_ops selinux_ipv4_ops[] = {
5645         {
5646                 .hook =         selinux_ipv4_postroute,
5647                 .owner =        THIS_MODULE,
5648                 .pf =           PF_INET,
5649                 .hooknum =      NF_INET_POST_ROUTING,
5650                 .priority =     NF_IP_PRI_SELINUX_LAST,
5651         },
5652         {
5653                 .hook =         selinux_ipv4_forward,
5654                 .owner =        THIS_MODULE,
5655                 .pf =           PF_INET,
5656                 .hooknum =      NF_INET_FORWARD,
5657                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5658         }
5659 };
5660
5661 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5662
5663 static struct nf_hook_ops selinux_ipv6_ops[] = {
5664         {
5665                 .hook =         selinux_ipv6_postroute,
5666                 .owner =        THIS_MODULE,
5667                 .pf =           PF_INET6,
5668                 .hooknum =      NF_INET_POST_ROUTING,
5669                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5670         },
5671         {
5672                 .hook =         selinux_ipv6_forward,
5673                 .owner =        THIS_MODULE,
5674                 .pf =           PF_INET6,
5675                 .hooknum =      NF_INET_FORWARD,
5676                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5677         }
5678 };
5679
5680 #endif  /* IPV6 */
5681
5682 static int __init selinux_nf_ip_init(void)
5683 {
5684         int err = 0;
5685         u32 iter;
5686
5687         if (!selinux_enabled)
5688                 goto out;
5689
5690         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5691
5692         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5693                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5694                 if (err)
5695                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5696                               err);
5697         }
5698
5699 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5700         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5701                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5702                 if (err)
5703                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5704                               err);
5705         }
5706 #endif  /* IPV6 */
5707
5708 out:
5709         return err;
5710 }
5711
5712 __initcall(selinux_nf_ip_init);
5713
5714 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5715 static void selinux_nf_ip_exit(void)
5716 {
5717         u32 iter;
5718
5719         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5720
5721         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5722                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5723 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5724         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5725                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5726 #endif  /* IPV6 */
5727 }
5728 #endif
5729
5730 #else /* CONFIG_NETFILTER */
5731
5732 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5733 #define selinux_nf_ip_exit()
5734 #endif
5735
5736 #endif /* CONFIG_NETFILTER */
5737
5738 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5739 static int selinux_disabled;
5740
5741 int selinux_disable(void)
5742 {
5743         extern void exit_sel_fs(void);
5744
5745         if (ss_initialized) {
5746                 /* Not permitted after initial policy load. */
5747                 return -EINVAL;
5748         }
5749
5750         if (selinux_disabled) {
5751                 /* Only do this once. */
5752                 return -EINVAL;
5753         }
5754
5755         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5756
5757         selinux_disabled = 1;
5758         selinux_enabled = 0;
5759
5760         /* Reset security_ops to the secondary module, dummy or capability. */
5761         security_ops = secondary_ops;
5762
5763         /* Unregister netfilter hooks. */
5764         selinux_nf_ip_exit();
5765
5766         /* Unregister selinuxfs. */
5767         exit_sel_fs();
5768
5769         return 0;
5770 }
5771 #endif