[NetLabel]: SELinux support
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16  *                     Paul Moore, <paul.moore@hp.com>
17  *
18  *      This program is free software; you can redistribute it and/or modify
19  *      it under the terms of the GNU General Public License version 2,
20  *      as published by the Free Software Foundation.
21  */
22
23 #include <linux/module.h>
24 #include <linux/init.h>
25 #include <linux/kernel.h>
26 #include <linux/ptrace.h>
27 #include <linux/errno.h>
28 #include <linux/sched.h>
29 #include <linux/security.h>
30 #include <linux/xattr.h>
31 #include <linux/capability.h>
32 #include <linux/unistd.h>
33 #include <linux/mm.h>
34 #include <linux/mman.h>
35 #include <linux/slab.h>
36 #include <linux/pagemap.h>
37 #include <linux/swap.h>
38 #include <linux/smp_lock.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for sysctl_local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <asm/uaccess.h>
54 #include <asm/semaphore.h>
55 #include <asm/ioctls.h>
56 #include <linux/bitops.h>
57 #include <linux/interrupt.h>
58 #include <linux/netdevice.h>    /* for network interface checks */
59 #include <linux/netlink.h>
60 #include <linux/tcp.h>
61 #include <linux/udp.h>
62 #include <linux/quota.h>
63 #include <linux/un.h>           /* for Unix socket types */
64 #include <net/af_unix.h>        /* for Unix socket types */
65 #include <linux/parser.h>
66 #include <linux/nfs_mount.h>
67 #include <net/ipv6.h>
68 #include <linux/hugetlb.h>
69 #include <linux/personality.h>
70 #include <linux/sysctl.h>
71 #include <linux/audit.h>
72 #include <linux/string.h>
73 #include <linux/selinux.h>
74
75 #include "avc.h"
76 #include "objsec.h"
77 #include "netif.h"
78 #include "xfrm.h"
79 #include "selinux_netlabel.h"
80
81 #define XATTR_SELINUX_SUFFIX "selinux"
82 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
83
84 extern unsigned int policydb_loaded_version;
85 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
86 extern int selinux_compat_net;
87
88 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
89 int selinux_enforcing = 0;
90
91 static int __init enforcing_setup(char *str)
92 {
93         selinux_enforcing = simple_strtol(str,NULL,0);
94         return 1;
95 }
96 __setup("enforcing=", enforcing_setup);
97 #endif
98
99 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
100 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
101
102 static int __init selinux_enabled_setup(char *str)
103 {
104         selinux_enabled = simple_strtol(str, NULL, 0);
105         return 1;
106 }
107 __setup("selinux=", selinux_enabled_setup);
108 #else
109 int selinux_enabled = 1;
110 #endif
111
112 /* Original (dummy) security module. */
113 static struct security_operations *original_ops = NULL;
114
115 /* Minimal support for a secondary security module,
116    just to allow the use of the dummy or capability modules.
117    The owlsm module can alternatively be used as a secondary
118    module as long as CONFIG_OWLSM_FD is not enabled. */
119 static struct security_operations *secondary_ops = NULL;
120
121 /* Lists of inode and superblock security structures initialized
122    before the policy was loaded. */
123 static LIST_HEAD(superblock_security_head);
124 static DEFINE_SPINLOCK(sb_security_lock);
125
126 static kmem_cache_t *sel_inode_cache;
127
128 /* Return security context for a given sid or just the context 
129    length if the buffer is null or length is 0 */
130 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
131 {
132         char *context;
133         unsigned len;
134         int rc;
135
136         rc = security_sid_to_context(sid, &context, &len);
137         if (rc)
138                 return rc;
139
140         if (!buffer || !size)
141                 goto getsecurity_exit;
142
143         if (size < len) {
144                 len = -ERANGE;
145                 goto getsecurity_exit;
146         }
147         memcpy(buffer, context, len);
148
149 getsecurity_exit:
150         kfree(context);
151         return len;
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
184         if (!isec)
185                 return -ENOMEM;
186
187         memset(isec, 0, sizeof(*isec));
188         init_MUTEX(&isec->sem);
189         INIT_LIST_HEAD(&isec->list);
190         isec->inode = inode;
191         isec->sid = SECINITSID_UNLABELED;
192         isec->sclass = SECCLASS_FILE;
193         isec->task_sid = tsec->sid;
194         inode->i_security = isec;
195
196         return 0;
197 }
198
199 static void inode_free_security(struct inode *inode)
200 {
201         struct inode_security_struct *isec = inode->i_security;
202         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203
204         spin_lock(&sbsec->isec_lock);
205         if (!list_empty(&isec->list))
206                 list_del_init(&isec->list);
207         spin_unlock(&sbsec->isec_lock);
208
209         inode->i_security = NULL;
210         kmem_cache_free(sel_inode_cache, isec);
211 }
212
213 static int file_alloc_security(struct file *file)
214 {
215         struct task_security_struct *tsec = current->security;
216         struct file_security_struct *fsec;
217
218         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
219         if (!fsec)
220                 return -ENOMEM;
221
222         fsec->file = file;
223         fsec->sid = tsec->sid;
224         fsec->fown_sid = tsec->sid;
225         file->f_security = fsec;
226
227         return 0;
228 }
229
230 static void file_free_security(struct file *file)
231 {
232         struct file_security_struct *fsec = file->f_security;
233         file->f_security = NULL;
234         kfree(fsec);
235 }
236
237 static int superblock_alloc_security(struct super_block *sb)
238 {
239         struct superblock_security_struct *sbsec;
240
241         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
242         if (!sbsec)
243                 return -ENOMEM;
244
245         init_MUTEX(&sbsec->sem);
246         INIT_LIST_HEAD(&sbsec->list);
247         INIT_LIST_HEAD(&sbsec->isec_head);
248         spin_lock_init(&sbsec->isec_lock);
249         sbsec->sb = sb;
250         sbsec->sid = SECINITSID_UNLABELED;
251         sbsec->def_sid = SECINITSID_FILE;
252         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
253         sb->s_security = sbsec;
254
255         return 0;
256 }
257
258 static void superblock_free_security(struct super_block *sb)
259 {
260         struct superblock_security_struct *sbsec = sb->s_security;
261
262         spin_lock(&sb_security_lock);
263         if (!list_empty(&sbsec->list))
264                 list_del_init(&sbsec->list);
265         spin_unlock(&sb_security_lock);
266
267         sb->s_security = NULL;
268         kfree(sbsec);
269 }
270
271 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 {
273         struct sk_security_struct *ssec;
274
275         ssec = kzalloc(sizeof(*ssec), priority);
276         if (!ssec)
277                 return -ENOMEM;
278
279         ssec->sk = sk;
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         ssec->sid = SECINITSID_UNLABELED;
282         sk->sk_security = ssec;
283
284         return 0;
285 }
286
287 static void sk_free_security(struct sock *sk)
288 {
289         struct sk_security_struct *ssec = sk->sk_security;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294
295 /* The security server must be initialized before
296    any labeling or access decisions can be provided. */
297 extern int ss_initialized;
298
299 /* The file system's label must be initialized prior to use. */
300
301 static char *labeling_behaviors[6] = {
302         "uses xattr",
303         "uses transition SIDs",
304         "uses task SIDs",
305         "uses genfs_contexts",
306         "not configured for labeling",
307         "uses mountpoint labeling",
308 };
309
310 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312 static inline int inode_doinit(struct inode *inode)
313 {
314         return inode_doinit_with_dentry(inode, NULL);
315 }
316
317 enum {
318         Opt_context = 1,
319         Opt_fscontext = 2,
320         Opt_defcontext = 4,
321         Opt_rootcontext = 8,
322 };
323
324 static match_table_t tokens = {
325         {Opt_context, "context=%s"},
326         {Opt_fscontext, "fscontext=%s"},
327         {Opt_defcontext, "defcontext=%s"},
328         {Opt_rootcontext, "rootcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int may_context_mount_sb_relabel(u32 sid,
334                         struct superblock_security_struct *sbsec,
335                         struct task_security_struct *tsec)
336 {
337         int rc;
338
339         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340                           FILESYSTEM__RELABELFROM, NULL);
341         if (rc)
342                 return rc;
343
344         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345                           FILESYSTEM__RELABELTO, NULL);
346         return rc;
347 }
348
349 static int may_context_mount_inode_relabel(u32 sid,
350                         struct superblock_security_struct *sbsec,
351                         struct task_security_struct *tsec)
352 {
353         int rc;
354         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
355                           FILESYSTEM__RELABELFROM, NULL);
356         if (rc)
357                 return rc;
358
359         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
360                           FILESYSTEM__ASSOCIATE, NULL);
361         return rc;
362 }
363
364 static int try_context_mount(struct super_block *sb, void *data)
365 {
366         char *context = NULL, *defcontext = NULL;
367         char *fscontext = NULL, *rootcontext = NULL;
368         const char *name;
369         u32 sid;
370         int alloc = 0, rc = 0, seen = 0;
371         struct task_security_struct *tsec = current->security;
372         struct superblock_security_struct *sbsec = sb->s_security;
373
374         if (!data)
375                 goto out;
376
377         name = sb->s_type->name;
378
379         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
380
381                 /* NFS we understand. */
382                 if (!strcmp(name, "nfs")) {
383                         struct nfs_mount_data *d = data;
384
385                         if (d->version <  NFS_MOUNT_VERSION)
386                                 goto out;
387
388                         if (d->context[0]) {
389                                 context = d->context;
390                                 seen |= Opt_context;
391                         }
392                 } else
393                         goto out;
394
395         } else {
396                 /* Standard string-based options. */
397                 char *p, *options = data;
398
399                 while ((p = strsep(&options, ",")) != NULL) {
400                         int token;
401                         substring_t args[MAX_OPT_ARGS];
402
403                         if (!*p)
404                                 continue;
405
406                         token = match_token(p, tokens, args);
407
408                         switch (token) {
409                         case Opt_context:
410                                 if (seen & (Opt_context|Opt_defcontext)) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
413                                         goto out_free;
414                                 }
415                                 context = match_strdup(&args[0]);
416                                 if (!context) {
417                                         rc = -ENOMEM;
418                                         goto out_free;
419                                 }
420                                 if (!alloc)
421                                         alloc = 1;
422                                 seen |= Opt_context;
423                                 break;
424
425                         case Opt_fscontext:
426                                 if (seen & Opt_fscontext) {
427                                         rc = -EINVAL;
428                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
429                                         goto out_free;
430                                 }
431                                 fscontext = match_strdup(&args[0]);
432                                 if (!fscontext) {
433                                         rc = -ENOMEM;
434                                         goto out_free;
435                                 }
436                                 if (!alloc)
437                                         alloc = 1;
438                                 seen |= Opt_fscontext;
439                                 break;
440
441                         case Opt_rootcontext:
442                                 if (seen & Opt_rootcontext) {
443                                         rc = -EINVAL;
444                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
445                                         goto out_free;
446                                 }
447                                 rootcontext = match_strdup(&args[0]);
448                                 if (!rootcontext) {
449                                         rc = -ENOMEM;
450                                         goto out_free;
451                                 }
452                                 if (!alloc)
453                                         alloc = 1;
454                                 seen |= Opt_rootcontext;
455                                 break;
456
457                         case Opt_defcontext:
458                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
459                                         rc = -EINVAL;
460                                         printk(KERN_WARNING "SELinux:  "
461                                                "defcontext option is invalid "
462                                                "for this filesystem type\n");
463                                         goto out_free;
464                                 }
465                                 if (seen & (Opt_context|Opt_defcontext)) {
466                                         rc = -EINVAL;
467                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
468                                         goto out_free;
469                                 }
470                                 defcontext = match_strdup(&args[0]);
471                                 if (!defcontext) {
472                                         rc = -ENOMEM;
473                                         goto out_free;
474                                 }
475                                 if (!alloc)
476                                         alloc = 1;
477                                 seen |= Opt_defcontext;
478                                 break;
479
480                         default:
481                                 rc = -EINVAL;
482                                 printk(KERN_WARNING "SELinux:  unknown mount "
483                                        "option\n");
484                                 goto out_free;
485
486                         }
487                 }
488         }
489
490         if (!seen)
491                 goto out;
492
493         /* sets the context of the superblock for the fs being mounted. */
494         if (fscontext) {
495                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
496                 if (rc) {
497                         printk(KERN_WARNING "SELinux: security_context_to_sid"
498                                "(%s) failed for (dev %s, type %s) errno=%d\n",
499                                fscontext, sb->s_id, name, rc);
500                         goto out_free;
501                 }
502
503                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
504                 if (rc)
505                         goto out_free;
506
507                 sbsec->sid = sid;
508         }
509
510         /*
511          * Switch to using mount point labeling behavior.
512          * sets the label used on all file below the mountpoint, and will set
513          * the superblock context if not already set.
514          */
515         if (context) {
516                 rc = security_context_to_sid(context, strlen(context), &sid);
517                 if (rc) {
518                         printk(KERN_WARNING "SELinux: security_context_to_sid"
519                                "(%s) failed for (dev %s, type %s) errno=%d\n",
520                                context, sb->s_id, name, rc);
521                         goto out_free;
522                 }
523
524                 if (!fscontext) {
525                         rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
526                         if (rc)
527                                 goto out_free;
528                         sbsec->sid = sid;
529                 } else {
530                         rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
531                         if (rc)
532                                 goto out_free;
533                 }
534                 sbsec->mntpoint_sid = sid;
535
536                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
537         }
538
539         if (rootcontext) {
540                 struct inode *inode = sb->s_root->d_inode;
541                 struct inode_security_struct *isec = inode->i_security;
542                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
543                 if (rc) {
544                         printk(KERN_WARNING "SELinux: security_context_to_sid"
545                                "(%s) failed for (dev %s, type %s) errno=%d\n",
546                                rootcontext, sb->s_id, name, rc);
547                         goto out_free;
548                 }
549
550                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
551                 if (rc)
552                         goto out_free;
553
554                 isec->sid = sid;
555                 isec->initialized = 1;
556         }
557
558         if (defcontext) {
559                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
560                 if (rc) {
561                         printk(KERN_WARNING "SELinux: security_context_to_sid"
562                                "(%s) failed for (dev %s, type %s) errno=%d\n",
563                                defcontext, sb->s_id, name, rc);
564                         goto out_free;
565                 }
566
567                 if (sid == sbsec->def_sid)
568                         goto out_free;
569
570                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
571                 if (rc)
572                         goto out_free;
573
574                 sbsec->def_sid = sid;
575         }
576
577 out_free:
578         if (alloc) {
579                 kfree(context);
580                 kfree(defcontext);
581                 kfree(fscontext);
582                 kfree(rootcontext);
583         }
584 out:
585         return rc;
586 }
587
588 static int superblock_doinit(struct super_block *sb, void *data)
589 {
590         struct superblock_security_struct *sbsec = sb->s_security;
591         struct dentry *root = sb->s_root;
592         struct inode *inode = root->d_inode;
593         int rc = 0;
594
595         down(&sbsec->sem);
596         if (sbsec->initialized)
597                 goto out;
598
599         if (!ss_initialized) {
600                 /* Defer initialization until selinux_complete_init,
601                    after the initial policy is loaded and the security
602                    server is ready to handle calls. */
603                 spin_lock(&sb_security_lock);
604                 if (list_empty(&sbsec->list))
605                         list_add(&sbsec->list, &superblock_security_head);
606                 spin_unlock(&sb_security_lock);
607                 goto out;
608         }
609
610         /* Determine the labeling behavior to use for this filesystem type. */
611         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
612         if (rc) {
613                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
614                        __FUNCTION__, sb->s_type->name, rc);
615                 goto out;
616         }
617
618         rc = try_context_mount(sb, data);
619         if (rc)
620                 goto out;
621
622         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
623                 /* Make sure that the xattr handler exists and that no
624                    error other than -ENODATA is returned by getxattr on
625                    the root directory.  -ENODATA is ok, as this may be
626                    the first boot of the SELinux kernel before we have
627                    assigned xattr values to the filesystem. */
628                 if (!inode->i_op->getxattr) {
629                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
630                                "xattr support\n", sb->s_id, sb->s_type->name);
631                         rc = -EOPNOTSUPP;
632                         goto out;
633                 }
634                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
635                 if (rc < 0 && rc != -ENODATA) {
636                         if (rc == -EOPNOTSUPP)
637                                 printk(KERN_WARNING "SELinux: (dev %s, type "
638                                        "%s) has no security xattr handler\n",
639                                        sb->s_id, sb->s_type->name);
640                         else
641                                 printk(KERN_WARNING "SELinux: (dev %s, type "
642                                        "%s) getxattr errno %d\n", sb->s_id,
643                                        sb->s_type->name, -rc);
644                         goto out;
645                 }
646         }
647
648         if (strcmp(sb->s_type->name, "proc") == 0)
649                 sbsec->proc = 1;
650
651         sbsec->initialized = 1;
652
653         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
654                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
655                        sb->s_id, sb->s_type->name);
656         }
657         else {
658                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
659                        sb->s_id, sb->s_type->name,
660                        labeling_behaviors[sbsec->behavior-1]);
661         }
662
663         /* Initialize the root inode. */
664         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
665
666         /* Initialize any other inodes associated with the superblock, e.g.
667            inodes created prior to initial policy load or inodes created
668            during get_sb by a pseudo filesystem that directly
669            populates itself. */
670         spin_lock(&sbsec->isec_lock);
671 next_inode:
672         if (!list_empty(&sbsec->isec_head)) {
673                 struct inode_security_struct *isec =
674                                 list_entry(sbsec->isec_head.next,
675                                            struct inode_security_struct, list);
676                 struct inode *inode = isec->inode;
677                 spin_unlock(&sbsec->isec_lock);
678                 inode = igrab(inode);
679                 if (inode) {
680                         if (!IS_PRIVATE (inode))
681                                 inode_doinit(inode);
682                         iput(inode);
683                 }
684                 spin_lock(&sbsec->isec_lock);
685                 list_del_init(&isec->list);
686                 goto next_inode;
687         }
688         spin_unlock(&sbsec->isec_lock);
689 out:
690         up(&sbsec->sem);
691         return rc;
692 }
693
694 static inline u16 inode_mode_to_security_class(umode_t mode)
695 {
696         switch (mode & S_IFMT) {
697         case S_IFSOCK:
698                 return SECCLASS_SOCK_FILE;
699         case S_IFLNK:
700                 return SECCLASS_LNK_FILE;
701         case S_IFREG:
702                 return SECCLASS_FILE;
703         case S_IFBLK:
704                 return SECCLASS_BLK_FILE;
705         case S_IFDIR:
706                 return SECCLASS_DIR;
707         case S_IFCHR:
708                 return SECCLASS_CHR_FILE;
709         case S_IFIFO:
710                 return SECCLASS_FIFO_FILE;
711
712         }
713
714         return SECCLASS_FILE;
715 }
716
717 static inline int default_protocol_stream(int protocol)
718 {
719         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
720 }
721
722 static inline int default_protocol_dgram(int protocol)
723 {
724         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
725 }
726
727 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
728 {
729         switch (family) {
730         case PF_UNIX:
731                 switch (type) {
732                 case SOCK_STREAM:
733                 case SOCK_SEQPACKET:
734                         return SECCLASS_UNIX_STREAM_SOCKET;
735                 case SOCK_DGRAM:
736                         return SECCLASS_UNIX_DGRAM_SOCKET;
737                 }
738                 break;
739         case PF_INET:
740         case PF_INET6:
741                 switch (type) {
742                 case SOCK_STREAM:
743                         if (default_protocol_stream(protocol))
744                                 return SECCLASS_TCP_SOCKET;
745                         else
746                                 return SECCLASS_RAWIP_SOCKET;
747                 case SOCK_DGRAM:
748                         if (default_protocol_dgram(protocol))
749                                 return SECCLASS_UDP_SOCKET;
750                         else
751                                 return SECCLASS_RAWIP_SOCKET;
752                 default:
753                         return SECCLASS_RAWIP_SOCKET;
754                 }
755                 break;
756         case PF_NETLINK:
757                 switch (protocol) {
758                 case NETLINK_ROUTE:
759                         return SECCLASS_NETLINK_ROUTE_SOCKET;
760                 case NETLINK_FIREWALL:
761                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
762                 case NETLINK_INET_DIAG:
763                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
764                 case NETLINK_NFLOG:
765                         return SECCLASS_NETLINK_NFLOG_SOCKET;
766                 case NETLINK_XFRM:
767                         return SECCLASS_NETLINK_XFRM_SOCKET;
768                 case NETLINK_SELINUX:
769                         return SECCLASS_NETLINK_SELINUX_SOCKET;
770                 case NETLINK_AUDIT:
771                         return SECCLASS_NETLINK_AUDIT_SOCKET;
772                 case NETLINK_IP6_FW:
773                         return SECCLASS_NETLINK_IP6FW_SOCKET;
774                 case NETLINK_DNRTMSG:
775                         return SECCLASS_NETLINK_DNRT_SOCKET;
776                 case NETLINK_KOBJECT_UEVENT:
777                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
778                 default:
779                         return SECCLASS_NETLINK_SOCKET;
780                 }
781         case PF_PACKET:
782                 return SECCLASS_PACKET_SOCKET;
783         case PF_KEY:
784                 return SECCLASS_KEY_SOCKET;
785         case PF_APPLETALK:
786                 return SECCLASS_APPLETALK_SOCKET;
787         }
788
789         return SECCLASS_SOCKET;
790 }
791
792 #ifdef CONFIG_PROC_FS
793 static int selinux_proc_get_sid(struct proc_dir_entry *de,
794                                 u16 tclass,
795                                 u32 *sid)
796 {
797         int buflen, rc;
798         char *buffer, *path, *end;
799
800         buffer = (char*)__get_free_page(GFP_KERNEL);
801         if (!buffer)
802                 return -ENOMEM;
803
804         buflen = PAGE_SIZE;
805         end = buffer+buflen;
806         *--end = '\0';
807         buflen--;
808         path = end-1;
809         *path = '/';
810         while (de && de != de->parent) {
811                 buflen -= de->namelen + 1;
812                 if (buflen < 0)
813                         break;
814                 end -= de->namelen;
815                 memcpy(end, de->name, de->namelen);
816                 *--end = '/';
817                 path = end;
818                 de = de->parent;
819         }
820         rc = security_genfs_sid("proc", path, tclass, sid);
821         free_page((unsigned long)buffer);
822         return rc;
823 }
824 #else
825 static int selinux_proc_get_sid(struct proc_dir_entry *de,
826                                 u16 tclass,
827                                 u32 *sid)
828 {
829         return -EINVAL;
830 }
831 #endif
832
833 /* The inode's security attributes must be initialized before first use. */
834 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
835 {
836         struct superblock_security_struct *sbsec = NULL;
837         struct inode_security_struct *isec = inode->i_security;
838         u32 sid;
839         struct dentry *dentry;
840 #define INITCONTEXTLEN 255
841         char *context = NULL;
842         unsigned len = 0;
843         int rc = 0;
844         int hold_sem = 0;
845
846         if (isec->initialized)
847                 goto out;
848
849         down(&isec->sem);
850         hold_sem = 1;
851         if (isec->initialized)
852                 goto out;
853
854         sbsec = inode->i_sb->s_security;
855         if (!sbsec->initialized) {
856                 /* Defer initialization until selinux_complete_init,
857                    after the initial policy is loaded and the security
858                    server is ready to handle calls. */
859                 spin_lock(&sbsec->isec_lock);
860                 if (list_empty(&isec->list))
861                         list_add(&isec->list, &sbsec->isec_head);
862                 spin_unlock(&sbsec->isec_lock);
863                 goto out;
864         }
865
866         switch (sbsec->behavior) {
867         case SECURITY_FS_USE_XATTR:
868                 if (!inode->i_op->getxattr) {
869                         isec->sid = sbsec->def_sid;
870                         break;
871                 }
872
873                 /* Need a dentry, since the xattr API requires one.
874                    Life would be simpler if we could just pass the inode. */
875                 if (opt_dentry) {
876                         /* Called from d_instantiate or d_splice_alias. */
877                         dentry = dget(opt_dentry);
878                 } else {
879                         /* Called from selinux_complete_init, try to find a dentry. */
880                         dentry = d_find_alias(inode);
881                 }
882                 if (!dentry) {
883                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
884                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
885                                inode->i_ino);
886                         goto out;
887                 }
888
889                 len = INITCONTEXTLEN;
890                 context = kmalloc(len, GFP_KERNEL);
891                 if (!context) {
892                         rc = -ENOMEM;
893                         dput(dentry);
894                         goto out;
895                 }
896                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
897                                            context, len);
898                 if (rc == -ERANGE) {
899                         /* Need a larger buffer.  Query for the right size. */
900                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
901                                                    NULL, 0);
902                         if (rc < 0) {
903                                 dput(dentry);
904                                 goto out;
905                         }
906                         kfree(context);
907                         len = rc;
908                         context = kmalloc(len, GFP_KERNEL);
909                         if (!context) {
910                                 rc = -ENOMEM;
911                                 dput(dentry);
912                                 goto out;
913                         }
914                         rc = inode->i_op->getxattr(dentry,
915                                                    XATTR_NAME_SELINUX,
916                                                    context, len);
917                 }
918                 dput(dentry);
919                 if (rc < 0) {
920                         if (rc != -ENODATA) {
921                                 printk(KERN_WARNING "%s:  getxattr returned "
922                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
923                                        -rc, inode->i_sb->s_id, inode->i_ino);
924                                 kfree(context);
925                                 goto out;
926                         }
927                         /* Map ENODATA to the default file SID */
928                         sid = sbsec->def_sid;
929                         rc = 0;
930                 } else {
931                         rc = security_context_to_sid_default(context, rc, &sid,
932                                                              sbsec->def_sid);
933                         if (rc) {
934                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
935                                        "returned %d for dev=%s ino=%ld\n",
936                                        __FUNCTION__, context, -rc,
937                                        inode->i_sb->s_id, inode->i_ino);
938                                 kfree(context);
939                                 /* Leave with the unlabeled SID */
940                                 rc = 0;
941                                 break;
942                         }
943                 }
944                 kfree(context);
945                 isec->sid = sid;
946                 break;
947         case SECURITY_FS_USE_TASK:
948                 isec->sid = isec->task_sid;
949                 break;
950         case SECURITY_FS_USE_TRANS:
951                 /* Default to the fs SID. */
952                 isec->sid = sbsec->sid;
953
954                 /* Try to obtain a transition SID. */
955                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
956                 rc = security_transition_sid(isec->task_sid,
957                                              sbsec->sid,
958                                              isec->sclass,
959                                              &sid);
960                 if (rc)
961                         goto out;
962                 isec->sid = sid;
963                 break;
964         case SECURITY_FS_USE_MNTPOINT:
965                 isec->sid = sbsec->mntpoint_sid;
966                 break;
967         default:
968                 /* Default to the fs superblock SID. */
969                 isec->sid = sbsec->sid;
970
971                 if (sbsec->proc) {
972                         struct proc_inode *proci = PROC_I(inode);
973                         if (proci->pde) {
974                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
975                                 rc = selinux_proc_get_sid(proci->pde,
976                                                           isec->sclass,
977                                                           &sid);
978                                 if (rc)
979                                         goto out;
980                                 isec->sid = sid;
981                         }
982                 }
983                 break;
984         }
985
986         isec->initialized = 1;
987
988 out:
989         if (isec->sclass == SECCLASS_FILE)
990                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
991
992         if (hold_sem)
993                 up(&isec->sem);
994         return rc;
995 }
996
997 /* Convert a Linux signal to an access vector. */
998 static inline u32 signal_to_av(int sig)
999 {
1000         u32 perm = 0;
1001
1002         switch (sig) {
1003         case SIGCHLD:
1004                 /* Commonly granted from child to parent. */
1005                 perm = PROCESS__SIGCHLD;
1006                 break;
1007         case SIGKILL:
1008                 /* Cannot be caught or ignored */
1009                 perm = PROCESS__SIGKILL;
1010                 break;
1011         case SIGSTOP:
1012                 /* Cannot be caught or ignored */
1013                 perm = PROCESS__SIGSTOP;
1014                 break;
1015         default:
1016                 /* All other signals. */
1017                 perm = PROCESS__SIGNAL;
1018                 break;
1019         }
1020
1021         return perm;
1022 }
1023
1024 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1025    fork check, ptrace check, etc. */
1026 static int task_has_perm(struct task_struct *tsk1,
1027                          struct task_struct *tsk2,
1028                          u32 perms)
1029 {
1030         struct task_security_struct *tsec1, *tsec2;
1031
1032         tsec1 = tsk1->security;
1033         tsec2 = tsk2->security;
1034         return avc_has_perm(tsec1->sid, tsec2->sid,
1035                             SECCLASS_PROCESS, perms, NULL);
1036 }
1037
1038 /* Check whether a task is allowed to use a capability. */
1039 static int task_has_capability(struct task_struct *tsk,
1040                                int cap)
1041 {
1042         struct task_security_struct *tsec;
1043         struct avc_audit_data ad;
1044
1045         tsec = tsk->security;
1046
1047         AVC_AUDIT_DATA_INIT(&ad,CAP);
1048         ad.tsk = tsk;
1049         ad.u.cap = cap;
1050
1051         return avc_has_perm(tsec->sid, tsec->sid,
1052                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1053 }
1054
1055 /* Check whether a task is allowed to use a system operation. */
1056 static int task_has_system(struct task_struct *tsk,
1057                            u32 perms)
1058 {
1059         struct task_security_struct *tsec;
1060
1061         tsec = tsk->security;
1062
1063         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1064                             SECCLASS_SYSTEM, perms, NULL);
1065 }
1066
1067 /* Check whether a task has a particular permission to an inode.
1068    The 'adp' parameter is optional and allows other audit
1069    data to be passed (e.g. the dentry). */
1070 static int inode_has_perm(struct task_struct *tsk,
1071                           struct inode *inode,
1072                           u32 perms,
1073                           struct avc_audit_data *adp)
1074 {
1075         struct task_security_struct *tsec;
1076         struct inode_security_struct *isec;
1077         struct avc_audit_data ad;
1078
1079         tsec = tsk->security;
1080         isec = inode->i_security;
1081
1082         if (!adp) {
1083                 adp = &ad;
1084                 AVC_AUDIT_DATA_INIT(&ad, FS);
1085                 ad.u.fs.inode = inode;
1086         }
1087
1088         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1089 }
1090
1091 /* Same as inode_has_perm, but pass explicit audit data containing
1092    the dentry to help the auditing code to more easily generate the
1093    pathname if needed. */
1094 static inline int dentry_has_perm(struct task_struct *tsk,
1095                                   struct vfsmount *mnt,
1096                                   struct dentry *dentry,
1097                                   u32 av)
1098 {
1099         struct inode *inode = dentry->d_inode;
1100         struct avc_audit_data ad;
1101         AVC_AUDIT_DATA_INIT(&ad,FS);
1102         ad.u.fs.mnt = mnt;
1103         ad.u.fs.dentry = dentry;
1104         return inode_has_perm(tsk, inode, av, &ad);
1105 }
1106
1107 /* Check whether a task can use an open file descriptor to
1108    access an inode in a given way.  Check access to the
1109    descriptor itself, and then use dentry_has_perm to
1110    check a particular permission to the file.
1111    Access to the descriptor is implicitly granted if it
1112    has the same SID as the process.  If av is zero, then
1113    access to the file is not checked, e.g. for cases
1114    where only the descriptor is affected like seek. */
1115 static int file_has_perm(struct task_struct *tsk,
1116                                 struct file *file,
1117                                 u32 av)
1118 {
1119         struct task_security_struct *tsec = tsk->security;
1120         struct file_security_struct *fsec = file->f_security;
1121         struct vfsmount *mnt = file->f_vfsmnt;
1122         struct dentry *dentry = file->f_dentry;
1123         struct inode *inode = dentry->d_inode;
1124         struct avc_audit_data ad;
1125         int rc;
1126
1127         AVC_AUDIT_DATA_INIT(&ad, FS);
1128         ad.u.fs.mnt = mnt;
1129         ad.u.fs.dentry = dentry;
1130
1131         if (tsec->sid != fsec->sid) {
1132                 rc = avc_has_perm(tsec->sid, fsec->sid,
1133                                   SECCLASS_FD,
1134                                   FD__USE,
1135                                   &ad);
1136                 if (rc)
1137                         return rc;
1138         }
1139
1140         /* av is zero if only checking access to the descriptor. */
1141         if (av)
1142                 return inode_has_perm(tsk, inode, av, &ad);
1143
1144         return 0;
1145 }
1146
1147 /* Check whether a task can create a file. */
1148 static int may_create(struct inode *dir,
1149                       struct dentry *dentry,
1150                       u16 tclass)
1151 {
1152         struct task_security_struct *tsec;
1153         struct inode_security_struct *dsec;
1154         struct superblock_security_struct *sbsec;
1155         u32 newsid;
1156         struct avc_audit_data ad;
1157         int rc;
1158
1159         tsec = current->security;
1160         dsec = dir->i_security;
1161         sbsec = dir->i_sb->s_security;
1162
1163         AVC_AUDIT_DATA_INIT(&ad, FS);
1164         ad.u.fs.dentry = dentry;
1165
1166         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1167                           DIR__ADD_NAME | DIR__SEARCH,
1168                           &ad);
1169         if (rc)
1170                 return rc;
1171
1172         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1173                 newsid = tsec->create_sid;
1174         } else {
1175                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1176                                              &newsid);
1177                 if (rc)
1178                         return rc;
1179         }
1180
1181         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1182         if (rc)
1183                 return rc;
1184
1185         return avc_has_perm(newsid, sbsec->sid,
1186                             SECCLASS_FILESYSTEM,
1187                             FILESYSTEM__ASSOCIATE, &ad);
1188 }
1189
1190 /* Check whether a task can create a key. */
1191 static int may_create_key(u32 ksid,
1192                           struct task_struct *ctx)
1193 {
1194         struct task_security_struct *tsec;
1195
1196         tsec = ctx->security;
1197
1198         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1199 }
1200
1201 #define MAY_LINK   0
1202 #define MAY_UNLINK 1
1203 #define MAY_RMDIR  2
1204
1205 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1206 static int may_link(struct inode *dir,
1207                     struct dentry *dentry,
1208                     int kind)
1209
1210 {
1211         struct task_security_struct *tsec;
1212         struct inode_security_struct *dsec, *isec;
1213         struct avc_audit_data ad;
1214         u32 av;
1215         int rc;
1216
1217         tsec = current->security;
1218         dsec = dir->i_security;
1219         isec = dentry->d_inode->i_security;
1220
1221         AVC_AUDIT_DATA_INIT(&ad, FS);
1222         ad.u.fs.dentry = dentry;
1223
1224         av = DIR__SEARCH;
1225         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1226         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1227         if (rc)
1228                 return rc;
1229
1230         switch (kind) {
1231         case MAY_LINK:
1232                 av = FILE__LINK;
1233                 break;
1234         case MAY_UNLINK:
1235                 av = FILE__UNLINK;
1236                 break;
1237         case MAY_RMDIR:
1238                 av = DIR__RMDIR;
1239                 break;
1240         default:
1241                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1242                 return 0;
1243         }
1244
1245         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1246         return rc;
1247 }
1248
1249 static inline int may_rename(struct inode *old_dir,
1250                              struct dentry *old_dentry,
1251                              struct inode *new_dir,
1252                              struct dentry *new_dentry)
1253 {
1254         struct task_security_struct *tsec;
1255         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1256         struct avc_audit_data ad;
1257         u32 av;
1258         int old_is_dir, new_is_dir;
1259         int rc;
1260
1261         tsec = current->security;
1262         old_dsec = old_dir->i_security;
1263         old_isec = old_dentry->d_inode->i_security;
1264         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1265         new_dsec = new_dir->i_security;
1266
1267         AVC_AUDIT_DATA_INIT(&ad, FS);
1268
1269         ad.u.fs.dentry = old_dentry;
1270         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1271                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1272         if (rc)
1273                 return rc;
1274         rc = avc_has_perm(tsec->sid, old_isec->sid,
1275                           old_isec->sclass, FILE__RENAME, &ad);
1276         if (rc)
1277                 return rc;
1278         if (old_is_dir && new_dir != old_dir) {
1279                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1280                                   old_isec->sclass, DIR__REPARENT, &ad);
1281                 if (rc)
1282                         return rc;
1283         }
1284
1285         ad.u.fs.dentry = new_dentry;
1286         av = DIR__ADD_NAME | DIR__SEARCH;
1287         if (new_dentry->d_inode)
1288                 av |= DIR__REMOVE_NAME;
1289         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1290         if (rc)
1291                 return rc;
1292         if (new_dentry->d_inode) {
1293                 new_isec = new_dentry->d_inode->i_security;
1294                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1295                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1296                                   new_isec->sclass,
1297                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1298                 if (rc)
1299                         return rc;
1300         }
1301
1302         return 0;
1303 }
1304
1305 /* Check whether a task can perform a filesystem operation. */
1306 static int superblock_has_perm(struct task_struct *tsk,
1307                                struct super_block *sb,
1308                                u32 perms,
1309                                struct avc_audit_data *ad)
1310 {
1311         struct task_security_struct *tsec;
1312         struct superblock_security_struct *sbsec;
1313
1314         tsec = tsk->security;
1315         sbsec = sb->s_security;
1316         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1317                             perms, ad);
1318 }
1319
1320 /* Convert a Linux mode and permission mask to an access vector. */
1321 static inline u32 file_mask_to_av(int mode, int mask)
1322 {
1323         u32 av = 0;
1324
1325         if ((mode & S_IFMT) != S_IFDIR) {
1326                 if (mask & MAY_EXEC)
1327                         av |= FILE__EXECUTE;
1328                 if (mask & MAY_READ)
1329                         av |= FILE__READ;
1330
1331                 if (mask & MAY_APPEND)
1332                         av |= FILE__APPEND;
1333                 else if (mask & MAY_WRITE)
1334                         av |= FILE__WRITE;
1335
1336         } else {
1337                 if (mask & MAY_EXEC)
1338                         av |= DIR__SEARCH;
1339                 if (mask & MAY_WRITE)
1340                         av |= DIR__WRITE;
1341                 if (mask & MAY_READ)
1342                         av |= DIR__READ;
1343         }
1344
1345         return av;
1346 }
1347
1348 /* Convert a Linux file to an access vector. */
1349 static inline u32 file_to_av(struct file *file)
1350 {
1351         u32 av = 0;
1352
1353         if (file->f_mode & FMODE_READ)
1354                 av |= FILE__READ;
1355         if (file->f_mode & FMODE_WRITE) {
1356                 if (file->f_flags & O_APPEND)
1357                         av |= FILE__APPEND;
1358                 else
1359                         av |= FILE__WRITE;
1360         }
1361
1362         return av;
1363 }
1364
1365 /* Set an inode's SID to a specified value. */
1366 static int inode_security_set_sid(struct inode *inode, u32 sid)
1367 {
1368         struct inode_security_struct *isec = inode->i_security;
1369         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1370
1371         if (!sbsec->initialized) {
1372                 /* Defer initialization to selinux_complete_init. */
1373                 return 0;
1374         }
1375
1376         down(&isec->sem);
1377         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1378         isec->sid = sid;
1379         isec->initialized = 1;
1380         up(&isec->sem);
1381         return 0;
1382 }
1383
1384 /* Hook functions begin here. */
1385
1386 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1387 {
1388         struct task_security_struct *psec = parent->security;
1389         struct task_security_struct *csec = child->security;
1390         int rc;
1391
1392         rc = secondary_ops->ptrace(parent,child);
1393         if (rc)
1394                 return rc;
1395
1396         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1397         /* Save the SID of the tracing process for later use in apply_creds. */
1398         if (!(child->ptrace & PT_PTRACED) && !rc)
1399                 csec->ptrace_sid = psec->sid;
1400         return rc;
1401 }
1402
1403 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1404                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1405 {
1406         int error;
1407
1408         error = task_has_perm(current, target, PROCESS__GETCAP);
1409         if (error)
1410                 return error;
1411
1412         return secondary_ops->capget(target, effective, inheritable, permitted);
1413 }
1414
1415 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1416                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1417 {
1418         int error;
1419
1420         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1421         if (error)
1422                 return error;
1423
1424         return task_has_perm(current, target, PROCESS__SETCAP);
1425 }
1426
1427 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1428                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1429 {
1430         secondary_ops->capset_set(target, effective, inheritable, permitted);
1431 }
1432
1433 static int selinux_capable(struct task_struct *tsk, int cap)
1434 {
1435         int rc;
1436
1437         rc = secondary_ops->capable(tsk, cap);
1438         if (rc)
1439                 return rc;
1440
1441         return task_has_capability(tsk,cap);
1442 }
1443
1444 static int selinux_sysctl(ctl_table *table, int op)
1445 {
1446         int error = 0;
1447         u32 av;
1448         struct task_security_struct *tsec;
1449         u32 tsid;
1450         int rc;
1451
1452         rc = secondary_ops->sysctl(table, op);
1453         if (rc)
1454                 return rc;
1455
1456         tsec = current->security;
1457
1458         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1459                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1460         if (rc) {
1461                 /* Default to the well-defined sysctl SID. */
1462                 tsid = SECINITSID_SYSCTL;
1463         }
1464
1465         /* The op values are "defined" in sysctl.c, thereby creating
1466          * a bad coupling between this module and sysctl.c */
1467         if(op == 001) {
1468                 error = avc_has_perm(tsec->sid, tsid,
1469                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1470         } else {
1471                 av = 0;
1472                 if (op & 004)
1473                         av |= FILE__READ;
1474                 if (op & 002)
1475                         av |= FILE__WRITE;
1476                 if (av)
1477                         error = avc_has_perm(tsec->sid, tsid,
1478                                              SECCLASS_FILE, av, NULL);
1479         }
1480
1481         return error;
1482 }
1483
1484 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1485 {
1486         int rc = 0;
1487
1488         if (!sb)
1489                 return 0;
1490
1491         switch (cmds) {
1492                 case Q_SYNC:
1493                 case Q_QUOTAON:
1494                 case Q_QUOTAOFF:
1495                 case Q_SETINFO:
1496                 case Q_SETQUOTA:
1497                         rc = superblock_has_perm(current,
1498                                                  sb,
1499                                                  FILESYSTEM__QUOTAMOD, NULL);
1500                         break;
1501                 case Q_GETFMT:
1502                 case Q_GETINFO:
1503                 case Q_GETQUOTA:
1504                         rc = superblock_has_perm(current,
1505                                                  sb,
1506                                                  FILESYSTEM__QUOTAGET, NULL);
1507                         break;
1508                 default:
1509                         rc = 0;  /* let the kernel handle invalid cmds */
1510                         break;
1511         }
1512         return rc;
1513 }
1514
1515 static int selinux_quota_on(struct dentry *dentry)
1516 {
1517         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1518 }
1519
1520 static int selinux_syslog(int type)
1521 {
1522         int rc;
1523
1524         rc = secondary_ops->syslog(type);
1525         if (rc)
1526                 return rc;
1527
1528         switch (type) {
1529                 case 3:         /* Read last kernel messages */
1530                 case 10:        /* Return size of the log buffer */
1531                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1532                         break;
1533                 case 6:         /* Disable logging to console */
1534                 case 7:         /* Enable logging to console */
1535                 case 8:         /* Set level of messages printed to console */
1536                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1537                         break;
1538                 case 0:         /* Close log */
1539                 case 1:         /* Open log */
1540                 case 2:         /* Read from log */
1541                 case 4:         /* Read/clear last kernel messages */
1542                 case 5:         /* Clear ring buffer */
1543                 default:
1544                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1545                         break;
1546         }
1547         return rc;
1548 }
1549
1550 /*
1551  * Check that a process has enough memory to allocate a new virtual
1552  * mapping. 0 means there is enough memory for the allocation to
1553  * succeed and -ENOMEM implies there is not.
1554  *
1555  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1556  * if the capability is granted, but __vm_enough_memory requires 1 if
1557  * the capability is granted.
1558  *
1559  * Do not audit the selinux permission check, as this is applied to all
1560  * processes that allocate mappings.
1561  */
1562 static int selinux_vm_enough_memory(long pages)
1563 {
1564         int rc, cap_sys_admin = 0;
1565         struct task_security_struct *tsec = current->security;
1566
1567         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1568         if (rc == 0)
1569                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1570                                         SECCLASS_CAPABILITY,
1571                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1572                                         NULL);
1573
1574         if (rc == 0)
1575                 cap_sys_admin = 1;
1576
1577         return __vm_enough_memory(pages, cap_sys_admin);
1578 }
1579
1580 /* binprm security operations */
1581
1582 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1583 {
1584         struct bprm_security_struct *bsec;
1585
1586         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1587         if (!bsec)
1588                 return -ENOMEM;
1589
1590         bsec->bprm = bprm;
1591         bsec->sid = SECINITSID_UNLABELED;
1592         bsec->set = 0;
1593
1594         bprm->security = bsec;
1595         return 0;
1596 }
1597
1598 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1599 {
1600         struct task_security_struct *tsec;
1601         struct inode *inode = bprm->file->f_dentry->d_inode;
1602         struct inode_security_struct *isec;
1603         struct bprm_security_struct *bsec;
1604         u32 newsid;
1605         struct avc_audit_data ad;
1606         int rc;
1607
1608         rc = secondary_ops->bprm_set_security(bprm);
1609         if (rc)
1610                 return rc;
1611
1612         bsec = bprm->security;
1613
1614         if (bsec->set)
1615                 return 0;
1616
1617         tsec = current->security;
1618         isec = inode->i_security;
1619
1620         /* Default to the current task SID. */
1621         bsec->sid = tsec->sid;
1622
1623         /* Reset fs, key, and sock SIDs on execve. */
1624         tsec->create_sid = 0;
1625         tsec->keycreate_sid = 0;
1626         tsec->sockcreate_sid = 0;
1627
1628         if (tsec->exec_sid) {
1629                 newsid = tsec->exec_sid;
1630                 /* Reset exec SID on execve. */
1631                 tsec->exec_sid = 0;
1632         } else {
1633                 /* Check for a default transition on this program. */
1634                 rc = security_transition_sid(tsec->sid, isec->sid,
1635                                              SECCLASS_PROCESS, &newsid);
1636                 if (rc)
1637                         return rc;
1638         }
1639
1640         AVC_AUDIT_DATA_INIT(&ad, FS);
1641         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1642         ad.u.fs.dentry = bprm->file->f_dentry;
1643
1644         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1645                 newsid = tsec->sid;
1646
1647         if (tsec->sid == newsid) {
1648                 rc = avc_has_perm(tsec->sid, isec->sid,
1649                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1650                 if (rc)
1651                         return rc;
1652         } else {
1653                 /* Check permissions for the transition. */
1654                 rc = avc_has_perm(tsec->sid, newsid,
1655                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1656                 if (rc)
1657                         return rc;
1658
1659                 rc = avc_has_perm(newsid, isec->sid,
1660                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1661                 if (rc)
1662                         return rc;
1663
1664                 /* Clear any possibly unsafe personality bits on exec: */
1665                 current->personality &= ~PER_CLEAR_ON_SETID;
1666
1667                 /* Set the security field to the new SID. */
1668                 bsec->sid = newsid;
1669         }
1670
1671         bsec->set = 1;
1672         return 0;
1673 }
1674
1675 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1676 {
1677         return secondary_ops->bprm_check_security(bprm);
1678 }
1679
1680
1681 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1682 {
1683         struct task_security_struct *tsec = current->security;
1684         int atsecure = 0;
1685
1686         if (tsec->osid != tsec->sid) {
1687                 /* Enable secure mode for SIDs transitions unless
1688                    the noatsecure permission is granted between
1689                    the two SIDs, i.e. ahp returns 0. */
1690                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1691                                          SECCLASS_PROCESS,
1692                                          PROCESS__NOATSECURE, NULL);
1693         }
1694
1695         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1696 }
1697
1698 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1699 {
1700         kfree(bprm->security);
1701         bprm->security = NULL;
1702 }
1703
1704 extern struct vfsmount *selinuxfs_mount;
1705 extern struct dentry *selinux_null;
1706
1707 /* Derived from fs/exec.c:flush_old_files. */
1708 static inline void flush_unauthorized_files(struct files_struct * files)
1709 {
1710         struct avc_audit_data ad;
1711         struct file *file, *devnull = NULL;
1712         struct tty_struct *tty = current->signal->tty;
1713         struct fdtable *fdt;
1714         long j = -1;
1715
1716         if (tty) {
1717                 file_list_lock();
1718                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1719                 if (file) {
1720                         /* Revalidate access to controlling tty.
1721                            Use inode_has_perm on the tty inode directly rather
1722                            than using file_has_perm, as this particular open
1723                            file may belong to another process and we are only
1724                            interested in the inode-based check here. */
1725                         struct inode *inode = file->f_dentry->d_inode;
1726                         if (inode_has_perm(current, inode,
1727                                            FILE__READ | FILE__WRITE, NULL)) {
1728                                 /* Reset controlling tty. */
1729                                 current->signal->tty = NULL;
1730                                 current->signal->tty_old_pgrp = 0;
1731                         }
1732                 }
1733                 file_list_unlock();
1734         }
1735
1736         /* Revalidate access to inherited open files. */
1737
1738         AVC_AUDIT_DATA_INIT(&ad,FS);
1739
1740         spin_lock(&files->file_lock);
1741         for (;;) {
1742                 unsigned long set, i;
1743                 int fd;
1744
1745                 j++;
1746                 i = j * __NFDBITS;
1747                 fdt = files_fdtable(files);
1748                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1749                         break;
1750                 set = fdt->open_fds->fds_bits[j];
1751                 if (!set)
1752                         continue;
1753                 spin_unlock(&files->file_lock);
1754                 for ( ; set ; i++,set >>= 1) {
1755                         if (set & 1) {
1756                                 file = fget(i);
1757                                 if (!file)
1758                                         continue;
1759                                 if (file_has_perm(current,
1760                                                   file,
1761                                                   file_to_av(file))) {
1762                                         sys_close(i);
1763                                         fd = get_unused_fd();
1764                                         if (fd != i) {
1765                                                 if (fd >= 0)
1766                                                         put_unused_fd(fd);
1767                                                 fput(file);
1768                                                 continue;
1769                                         }
1770                                         if (devnull) {
1771                                                 get_file(devnull);
1772                                         } else {
1773                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1774                                                 if (!devnull) {
1775                                                         put_unused_fd(fd);
1776                                                         fput(file);
1777                                                         continue;
1778                                                 }
1779                                         }
1780                                         fd_install(fd, devnull);
1781                                 }
1782                                 fput(file);
1783                         }
1784                 }
1785                 spin_lock(&files->file_lock);
1786
1787         }
1788         spin_unlock(&files->file_lock);
1789 }
1790
1791 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1792 {
1793         struct task_security_struct *tsec;
1794         struct bprm_security_struct *bsec;
1795         u32 sid;
1796         int rc;
1797
1798         secondary_ops->bprm_apply_creds(bprm, unsafe);
1799
1800         tsec = current->security;
1801
1802         bsec = bprm->security;
1803         sid = bsec->sid;
1804
1805         tsec->osid = tsec->sid;
1806         bsec->unsafe = 0;
1807         if (tsec->sid != sid) {
1808                 /* Check for shared state.  If not ok, leave SID
1809                    unchanged and kill. */
1810                 if (unsafe & LSM_UNSAFE_SHARE) {
1811                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1812                                         PROCESS__SHARE, NULL);
1813                         if (rc) {
1814                                 bsec->unsafe = 1;
1815                                 return;
1816                         }
1817                 }
1818
1819                 /* Check for ptracing, and update the task SID if ok.
1820                    Otherwise, leave SID unchanged and kill. */
1821                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1822                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1823                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1824                                           NULL);
1825                         if (rc) {
1826                                 bsec->unsafe = 1;
1827                                 return;
1828                         }
1829                 }
1830                 tsec->sid = sid;
1831         }
1832 }
1833
1834 /*
1835  * called after apply_creds without the task lock held
1836  */
1837 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1838 {
1839         struct task_security_struct *tsec;
1840         struct rlimit *rlim, *initrlim;
1841         struct itimerval itimer;
1842         struct bprm_security_struct *bsec;
1843         int rc, i;
1844
1845         tsec = current->security;
1846         bsec = bprm->security;
1847
1848         if (bsec->unsafe) {
1849                 force_sig_specific(SIGKILL, current);
1850                 return;
1851         }
1852         if (tsec->osid == tsec->sid)
1853                 return;
1854
1855         /* Close files for which the new task SID is not authorized. */
1856         flush_unauthorized_files(current->files);
1857
1858         /* Check whether the new SID can inherit signal state
1859            from the old SID.  If not, clear itimers to avoid
1860            subsequent signal generation and flush and unblock
1861            signals. This must occur _after_ the task SID has
1862           been updated so that any kill done after the flush
1863           will be checked against the new SID. */
1864         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1865                           PROCESS__SIGINH, NULL);
1866         if (rc) {
1867                 memset(&itimer, 0, sizeof itimer);
1868                 for (i = 0; i < 3; i++)
1869                         do_setitimer(i, &itimer, NULL);
1870                 flush_signals(current);
1871                 spin_lock_irq(&current->sighand->siglock);
1872                 flush_signal_handlers(current, 1);
1873                 sigemptyset(&current->blocked);
1874                 recalc_sigpending();
1875                 spin_unlock_irq(&current->sighand->siglock);
1876         }
1877
1878         /* Check whether the new SID can inherit resource limits
1879            from the old SID.  If not, reset all soft limits to
1880            the lower of the current task's hard limit and the init
1881            task's soft limit.  Note that the setting of hard limits
1882            (even to lower them) can be controlled by the setrlimit
1883            check. The inclusion of the init task's soft limit into
1884            the computation is to avoid resetting soft limits higher
1885            than the default soft limit for cases where the default
1886            is lower than the hard limit, e.g. RLIMIT_CORE or
1887            RLIMIT_STACK.*/
1888         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1889                           PROCESS__RLIMITINH, NULL);
1890         if (rc) {
1891                 for (i = 0; i < RLIM_NLIMITS; i++) {
1892                         rlim = current->signal->rlim + i;
1893                         initrlim = init_task.signal->rlim+i;
1894                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1895                 }
1896                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1897                         /*
1898                          * This will cause RLIMIT_CPU calculations
1899                          * to be refigured.
1900                          */
1901                         current->it_prof_expires = jiffies_to_cputime(1);
1902                 }
1903         }
1904
1905         /* Wake up the parent if it is waiting so that it can
1906            recheck wait permission to the new task SID. */
1907         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1908 }
1909
1910 /* superblock security operations */
1911
1912 static int selinux_sb_alloc_security(struct super_block *sb)
1913 {
1914         return superblock_alloc_security(sb);
1915 }
1916
1917 static void selinux_sb_free_security(struct super_block *sb)
1918 {
1919         superblock_free_security(sb);
1920 }
1921
1922 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1923 {
1924         if (plen > olen)
1925                 return 0;
1926
1927         return !memcmp(prefix, option, plen);
1928 }
1929
1930 static inline int selinux_option(char *option, int len)
1931 {
1932         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1933                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1934                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1935                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1936 }
1937
1938 static inline void take_option(char **to, char *from, int *first, int len)
1939 {
1940         if (!*first) {
1941                 **to = ',';
1942                 *to += 1;
1943         }
1944         else
1945                 *first = 0;
1946         memcpy(*to, from, len);
1947         *to += len;
1948 }
1949
1950 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1951 {
1952         int fnosec, fsec, rc = 0;
1953         char *in_save, *in_curr, *in_end;
1954         char *sec_curr, *nosec_save, *nosec;
1955
1956         in_curr = orig;
1957         sec_curr = copy;
1958
1959         /* Binary mount data: just copy */
1960         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1961                 copy_page(sec_curr, in_curr);
1962                 goto out;
1963         }
1964
1965         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1966         if (!nosec) {
1967                 rc = -ENOMEM;
1968                 goto out;
1969         }
1970
1971         nosec_save = nosec;
1972         fnosec = fsec = 1;
1973         in_save = in_end = orig;
1974
1975         do {
1976                 if (*in_end == ',' || *in_end == '\0') {
1977                         int len = in_end - in_curr;
1978
1979                         if (selinux_option(in_curr, len))
1980                                 take_option(&sec_curr, in_curr, &fsec, len);
1981                         else
1982                                 take_option(&nosec, in_curr, &fnosec, len);
1983
1984                         in_curr = in_end + 1;
1985                 }
1986         } while (*in_end++);
1987
1988         strcpy(in_save, nosec_save);
1989         free_page((unsigned long)nosec_save);
1990 out:
1991         return rc;
1992 }
1993
1994 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1995 {
1996         struct avc_audit_data ad;
1997         int rc;
1998
1999         rc = superblock_doinit(sb, data);
2000         if (rc)
2001                 return rc;
2002
2003         AVC_AUDIT_DATA_INIT(&ad,FS);
2004         ad.u.fs.dentry = sb->s_root;
2005         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2006 }
2007
2008 static int selinux_sb_statfs(struct dentry *dentry)
2009 {
2010         struct avc_audit_data ad;
2011
2012         AVC_AUDIT_DATA_INIT(&ad,FS);
2013         ad.u.fs.dentry = dentry->d_sb->s_root;
2014         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2015 }
2016
2017 static int selinux_mount(char * dev_name,
2018                          struct nameidata *nd,
2019                          char * type,
2020                          unsigned long flags,
2021                          void * data)
2022 {
2023         int rc;
2024
2025         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2026         if (rc)
2027                 return rc;
2028
2029         if (flags & MS_REMOUNT)
2030                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2031                                            FILESYSTEM__REMOUNT, NULL);
2032         else
2033                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2034                                        FILE__MOUNTON);
2035 }
2036
2037 static int selinux_umount(struct vfsmount *mnt, int flags)
2038 {
2039         int rc;
2040
2041         rc = secondary_ops->sb_umount(mnt, flags);
2042         if (rc)
2043                 return rc;
2044
2045         return superblock_has_perm(current,mnt->mnt_sb,
2046                                    FILESYSTEM__UNMOUNT,NULL);
2047 }
2048
2049 /* inode security operations */
2050
2051 static int selinux_inode_alloc_security(struct inode *inode)
2052 {
2053         return inode_alloc_security(inode);
2054 }
2055
2056 static void selinux_inode_free_security(struct inode *inode)
2057 {
2058         inode_free_security(inode);
2059 }
2060
2061 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2062                                        char **name, void **value,
2063                                        size_t *len)
2064 {
2065         struct task_security_struct *tsec;
2066         struct inode_security_struct *dsec;
2067         struct superblock_security_struct *sbsec;
2068         u32 newsid, clen;
2069         int rc;
2070         char *namep = NULL, *context;
2071
2072         tsec = current->security;
2073         dsec = dir->i_security;
2074         sbsec = dir->i_sb->s_security;
2075
2076         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2077                 newsid = tsec->create_sid;
2078         } else {
2079                 rc = security_transition_sid(tsec->sid, dsec->sid,
2080                                              inode_mode_to_security_class(inode->i_mode),
2081                                              &newsid);
2082                 if (rc) {
2083                         printk(KERN_WARNING "%s:  "
2084                                "security_transition_sid failed, rc=%d (dev=%s "
2085                                "ino=%ld)\n",
2086                                __FUNCTION__,
2087                                -rc, inode->i_sb->s_id, inode->i_ino);
2088                         return rc;
2089                 }
2090         }
2091
2092         inode_security_set_sid(inode, newsid);
2093
2094         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2095                 return -EOPNOTSUPP;
2096
2097         if (name) {
2098                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2099                 if (!namep)
2100                         return -ENOMEM;
2101                 *name = namep;
2102         }
2103
2104         if (value && len) {
2105                 rc = security_sid_to_context(newsid, &context, &clen);
2106                 if (rc) {
2107                         kfree(namep);
2108                         return rc;
2109                 }
2110                 *value = context;
2111                 *len = clen;
2112         }
2113
2114         return 0;
2115 }
2116
2117 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2118 {
2119         return may_create(dir, dentry, SECCLASS_FILE);
2120 }
2121
2122 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2123 {
2124         int rc;
2125
2126         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2127         if (rc)
2128                 return rc;
2129         return may_link(dir, old_dentry, MAY_LINK);
2130 }
2131
2132 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2133 {
2134         int rc;
2135
2136         rc = secondary_ops->inode_unlink(dir, dentry);
2137         if (rc)
2138                 return rc;
2139         return may_link(dir, dentry, MAY_UNLINK);
2140 }
2141
2142 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2143 {
2144         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2145 }
2146
2147 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2148 {
2149         return may_create(dir, dentry, SECCLASS_DIR);
2150 }
2151
2152 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2153 {
2154         return may_link(dir, dentry, MAY_RMDIR);
2155 }
2156
2157 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2158 {
2159         int rc;
2160
2161         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2162         if (rc)
2163                 return rc;
2164
2165         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2166 }
2167
2168 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2169                                 struct inode *new_inode, struct dentry *new_dentry)
2170 {
2171         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2172 }
2173
2174 static int selinux_inode_readlink(struct dentry *dentry)
2175 {
2176         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2177 }
2178
2179 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2180 {
2181         int rc;
2182
2183         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2184         if (rc)
2185                 return rc;
2186         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2187 }
2188
2189 static int selinux_inode_permission(struct inode *inode, int mask,
2190                                     struct nameidata *nd)
2191 {
2192         int rc;
2193
2194         rc = secondary_ops->inode_permission(inode, mask, nd);
2195         if (rc)
2196                 return rc;
2197
2198         if (!mask) {
2199                 /* No permission to check.  Existence test. */
2200                 return 0;
2201         }
2202
2203         return inode_has_perm(current, inode,
2204                                file_mask_to_av(inode->i_mode, mask), NULL);
2205 }
2206
2207 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2208 {
2209         int rc;
2210
2211         rc = secondary_ops->inode_setattr(dentry, iattr);
2212         if (rc)
2213                 return rc;
2214
2215         if (iattr->ia_valid & ATTR_FORCE)
2216                 return 0;
2217
2218         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2219                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2220                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2221
2222         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2223 }
2224
2225 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2226 {
2227         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2228 }
2229
2230 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2231 {
2232         struct task_security_struct *tsec = current->security;
2233         struct inode *inode = dentry->d_inode;
2234         struct inode_security_struct *isec = inode->i_security;
2235         struct superblock_security_struct *sbsec;
2236         struct avc_audit_data ad;
2237         u32 newsid;
2238         int rc = 0;
2239
2240         if (strcmp(name, XATTR_NAME_SELINUX)) {
2241                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2242                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2243                     !capable(CAP_SYS_ADMIN)) {
2244                         /* A different attribute in the security namespace.
2245                            Restrict to administrator. */
2246                         return -EPERM;
2247                 }
2248
2249                 /* Not an attribute we recognize, so just check the
2250                    ordinary setattr permission. */
2251                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2252         }
2253
2254         sbsec = inode->i_sb->s_security;
2255         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2256                 return -EOPNOTSUPP;
2257
2258         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2259                 return -EPERM;
2260
2261         AVC_AUDIT_DATA_INIT(&ad,FS);
2262         ad.u.fs.dentry = dentry;
2263
2264         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2265                           FILE__RELABELFROM, &ad);
2266         if (rc)
2267                 return rc;
2268
2269         rc = security_context_to_sid(value, size, &newsid);
2270         if (rc)
2271                 return rc;
2272
2273         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2274                           FILE__RELABELTO, &ad);
2275         if (rc)
2276                 return rc;
2277
2278         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2279                                           isec->sclass);
2280         if (rc)
2281                 return rc;
2282
2283         return avc_has_perm(newsid,
2284                             sbsec->sid,
2285                             SECCLASS_FILESYSTEM,
2286                             FILESYSTEM__ASSOCIATE,
2287                             &ad);
2288 }
2289
2290 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2291                                         void *value, size_t size, int flags)
2292 {
2293         struct inode *inode = dentry->d_inode;
2294         struct inode_security_struct *isec = inode->i_security;
2295         u32 newsid;
2296         int rc;
2297
2298         if (strcmp(name, XATTR_NAME_SELINUX)) {
2299                 /* Not an attribute we recognize, so nothing to do. */
2300                 return;
2301         }
2302
2303         rc = security_context_to_sid(value, size, &newsid);
2304         if (rc) {
2305                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2306                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2307                 return;
2308         }
2309
2310         isec->sid = newsid;
2311         return;
2312 }
2313
2314 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2315 {
2316         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2317 }
2318
2319 static int selinux_inode_listxattr (struct dentry *dentry)
2320 {
2321         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2322 }
2323
2324 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2325 {
2326         if (strcmp(name, XATTR_NAME_SELINUX)) {
2327                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2328                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2329                     !capable(CAP_SYS_ADMIN)) {
2330                         /* A different attribute in the security namespace.
2331                            Restrict to administrator. */
2332                         return -EPERM;
2333                 }
2334
2335                 /* Not an attribute we recognize, so just check the
2336                    ordinary setattr permission. Might want a separate
2337                    permission for removexattr. */
2338                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2339         }
2340
2341         /* No one is allowed to remove a SELinux security label.
2342            You can change the label, but all data must be labeled. */
2343         return -EACCES;
2344 }
2345
2346 static const char *selinux_inode_xattr_getsuffix(void)
2347 {
2348       return XATTR_SELINUX_SUFFIX;
2349 }
2350
2351 /*
2352  * Copy the in-core inode security context value to the user.  If the
2353  * getxattr() prior to this succeeded, check to see if we need to
2354  * canonicalize the value to be finally returned to the user.
2355  *
2356  * Permission check is handled by selinux_inode_getxattr hook.
2357  */
2358 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2359 {
2360         struct inode_security_struct *isec = inode->i_security;
2361
2362         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2363                 return -EOPNOTSUPP;
2364
2365         return selinux_getsecurity(isec->sid, buffer, size);
2366 }
2367
2368 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2369                                      const void *value, size_t size, int flags)
2370 {
2371         struct inode_security_struct *isec = inode->i_security;
2372         u32 newsid;
2373         int rc;
2374
2375         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2376                 return -EOPNOTSUPP;
2377
2378         if (!value || !size)
2379                 return -EACCES;
2380
2381         rc = security_context_to_sid((void*)value, size, &newsid);
2382         if (rc)
2383                 return rc;
2384
2385         isec->sid = newsid;
2386         return 0;
2387 }
2388
2389 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2390 {
2391         const int len = sizeof(XATTR_NAME_SELINUX);
2392         if (buffer && len <= buffer_size)
2393                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2394         return len;
2395 }
2396
2397 /* file security operations */
2398
2399 static int selinux_file_permission(struct file *file, int mask)
2400 {
2401         int rc;
2402         struct inode *inode = file->f_dentry->d_inode;
2403
2404         if (!mask) {
2405                 /* No permission to check.  Existence test. */
2406                 return 0;
2407         }
2408
2409         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2410         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2411                 mask |= MAY_APPEND;
2412
2413         rc = file_has_perm(current, file,
2414                            file_mask_to_av(inode->i_mode, mask));
2415         if (rc)
2416                 return rc;
2417
2418         return selinux_netlbl_inode_permission(inode, mask);
2419 }
2420
2421 static int selinux_file_alloc_security(struct file *file)
2422 {
2423         return file_alloc_security(file);
2424 }
2425
2426 static void selinux_file_free_security(struct file *file)
2427 {
2428         file_free_security(file);
2429 }
2430
2431 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2432                               unsigned long arg)
2433 {
2434         int error = 0;
2435
2436         switch (cmd) {
2437                 case FIONREAD:
2438                 /* fall through */
2439                 case FIBMAP:
2440                 /* fall through */
2441                 case FIGETBSZ:
2442                 /* fall through */
2443                 case EXT2_IOC_GETFLAGS:
2444                 /* fall through */
2445                 case EXT2_IOC_GETVERSION:
2446                         error = file_has_perm(current, file, FILE__GETATTR);
2447                         break;
2448
2449                 case EXT2_IOC_SETFLAGS:
2450                 /* fall through */
2451                 case EXT2_IOC_SETVERSION:
2452                         error = file_has_perm(current, file, FILE__SETATTR);
2453                         break;
2454
2455                 /* sys_ioctl() checks */
2456                 case FIONBIO:
2457                 /* fall through */
2458                 case FIOASYNC:
2459                         error = file_has_perm(current, file, 0);
2460                         break;
2461
2462                 case KDSKBENT:
2463                 case KDSKBSENT:
2464                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2465                         break;
2466
2467                 /* default case assumes that the command will go
2468                  * to the file's ioctl() function.
2469                  */
2470                 default:
2471                         error = file_has_perm(current, file, FILE__IOCTL);
2472
2473         }
2474         return error;
2475 }
2476
2477 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2478 {
2479 #ifndef CONFIG_PPC32
2480         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2481                 /*
2482                  * We are making executable an anonymous mapping or a
2483                  * private file mapping that will also be writable.
2484                  * This has an additional check.
2485                  */
2486                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2487                 if (rc)
2488                         return rc;
2489         }
2490 #endif
2491
2492         if (file) {
2493                 /* read access is always possible with a mapping */
2494                 u32 av = FILE__READ;
2495
2496                 /* write access only matters if the mapping is shared */
2497                 if (shared && (prot & PROT_WRITE))
2498                         av |= FILE__WRITE;
2499
2500                 if (prot & PROT_EXEC)
2501                         av |= FILE__EXECUTE;
2502
2503                 return file_has_perm(current, file, av);
2504         }
2505         return 0;
2506 }
2507
2508 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2509                              unsigned long prot, unsigned long flags)
2510 {
2511         int rc;
2512
2513         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2514         if (rc)
2515                 return rc;
2516
2517         if (selinux_checkreqprot)
2518                 prot = reqprot;
2519
2520         return file_map_prot_check(file, prot,
2521                                    (flags & MAP_TYPE) == MAP_SHARED);
2522 }
2523
2524 static int selinux_file_mprotect(struct vm_area_struct *vma,
2525                                  unsigned long reqprot,
2526                                  unsigned long prot)
2527 {
2528         int rc;
2529
2530         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2531         if (rc)
2532                 return rc;
2533
2534         if (selinux_checkreqprot)
2535                 prot = reqprot;
2536
2537 #ifndef CONFIG_PPC32
2538         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2539                 rc = 0;
2540                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2541                     vma->vm_end <= vma->vm_mm->brk) {
2542                         rc = task_has_perm(current, current,
2543                                            PROCESS__EXECHEAP);
2544                 } else if (!vma->vm_file &&
2545                            vma->vm_start <= vma->vm_mm->start_stack &&
2546                            vma->vm_end >= vma->vm_mm->start_stack) {
2547                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2548                 } else if (vma->vm_file && vma->anon_vma) {
2549                         /*
2550                          * We are making executable a file mapping that has
2551                          * had some COW done. Since pages might have been
2552                          * written, check ability to execute the possibly
2553                          * modified content.  This typically should only
2554                          * occur for text relocations.
2555                          */
2556                         rc = file_has_perm(current, vma->vm_file,
2557                                            FILE__EXECMOD);
2558                 }
2559                 if (rc)
2560                         return rc;
2561         }
2562 #endif
2563
2564         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2565 }
2566
2567 static int selinux_file_lock(struct file *file, unsigned int cmd)
2568 {
2569         return file_has_perm(current, file, FILE__LOCK);
2570 }
2571
2572 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2573                               unsigned long arg)
2574 {
2575         int err = 0;
2576
2577         switch (cmd) {
2578                 case F_SETFL:
2579                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2580                                 err = -EINVAL;
2581                                 break;
2582                         }
2583
2584                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2585                                 err = file_has_perm(current, file,FILE__WRITE);
2586                                 break;
2587                         }
2588                         /* fall through */
2589                 case F_SETOWN:
2590                 case F_SETSIG:
2591                 case F_GETFL:
2592                 case F_GETOWN:
2593                 case F_GETSIG:
2594                         /* Just check FD__USE permission */
2595                         err = file_has_perm(current, file, 0);
2596                         break;
2597                 case F_GETLK:
2598                 case F_SETLK:
2599                 case F_SETLKW:
2600 #if BITS_PER_LONG == 32
2601                 case F_GETLK64:
2602                 case F_SETLK64:
2603                 case F_SETLKW64:
2604 #endif
2605                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2606                                 err = -EINVAL;
2607                                 break;
2608                         }
2609                         err = file_has_perm(current, file, FILE__LOCK);
2610                         break;
2611         }
2612
2613         return err;
2614 }
2615
2616 static int selinux_file_set_fowner(struct file *file)
2617 {
2618         struct task_security_struct *tsec;
2619         struct file_security_struct *fsec;
2620
2621         tsec = current->security;
2622         fsec = file->f_security;
2623         fsec->fown_sid = tsec->sid;
2624
2625         return 0;
2626 }
2627
2628 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2629                                        struct fown_struct *fown, int signum)
2630 {
2631         struct file *file;
2632         u32 perm;
2633         struct task_security_struct *tsec;
2634         struct file_security_struct *fsec;
2635
2636         /* struct fown_struct is never outside the context of a struct file */
2637         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2638
2639         tsec = tsk->security;
2640         fsec = file->f_security;
2641
2642         if (!signum)
2643                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2644         else
2645                 perm = signal_to_av(signum);
2646
2647         return avc_has_perm(fsec->fown_sid, tsec->sid,
2648                             SECCLASS_PROCESS, perm, NULL);
2649 }
2650
2651 static int selinux_file_receive(struct file *file)
2652 {
2653         return file_has_perm(current, file, file_to_av(file));
2654 }
2655
2656 /* task security operations */
2657
2658 static int selinux_task_create(unsigned long clone_flags)
2659 {
2660         int rc;
2661
2662         rc = secondary_ops->task_create(clone_flags);
2663         if (rc)
2664                 return rc;
2665
2666         return task_has_perm(current, current, PROCESS__FORK);
2667 }
2668
2669 static int selinux_task_alloc_security(struct task_struct *tsk)
2670 {
2671         struct task_security_struct *tsec1, *tsec2;
2672         int rc;
2673
2674         tsec1 = current->security;
2675
2676         rc = task_alloc_security(tsk);
2677         if (rc)
2678                 return rc;
2679         tsec2 = tsk->security;
2680
2681         tsec2->osid = tsec1->osid;
2682         tsec2->sid = tsec1->sid;
2683
2684         /* Retain the exec, fs, key, and sock SIDs across fork */
2685         tsec2->exec_sid = tsec1->exec_sid;
2686         tsec2->create_sid = tsec1->create_sid;
2687         tsec2->keycreate_sid = tsec1->keycreate_sid;
2688         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2689
2690         /* Retain ptracer SID across fork, if any.
2691            This will be reset by the ptrace hook upon any
2692            subsequent ptrace_attach operations. */
2693         tsec2->ptrace_sid = tsec1->ptrace_sid;
2694
2695         return 0;
2696 }
2697
2698 static void selinux_task_free_security(struct task_struct *tsk)
2699 {
2700         task_free_security(tsk);
2701 }
2702
2703 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2704 {
2705         /* Since setuid only affects the current process, and
2706            since the SELinux controls are not based on the Linux
2707            identity attributes, SELinux does not need to control
2708            this operation.  However, SELinux does control the use
2709            of the CAP_SETUID and CAP_SETGID capabilities using the
2710            capable hook. */
2711         return 0;
2712 }
2713
2714 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2715 {
2716         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2717 }
2718
2719 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2720 {
2721         /* See the comment for setuid above. */
2722         return 0;
2723 }
2724
2725 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2726 {
2727         return task_has_perm(current, p, PROCESS__SETPGID);
2728 }
2729
2730 static int selinux_task_getpgid(struct task_struct *p)
2731 {
2732         return task_has_perm(current, p, PROCESS__GETPGID);
2733 }
2734
2735 static int selinux_task_getsid(struct task_struct *p)
2736 {
2737         return task_has_perm(current, p, PROCESS__GETSESSION);
2738 }
2739
2740 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2741 {
2742         selinux_get_task_sid(p, secid);
2743 }
2744
2745 static int selinux_task_setgroups(struct group_info *group_info)
2746 {
2747         /* See the comment for setuid above. */
2748         return 0;
2749 }
2750
2751 static int selinux_task_setnice(struct task_struct *p, int nice)
2752 {
2753         int rc;
2754
2755         rc = secondary_ops->task_setnice(p, nice);
2756         if (rc)
2757                 return rc;
2758
2759         return task_has_perm(current,p, PROCESS__SETSCHED);
2760 }
2761
2762 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2763 {
2764         return task_has_perm(current, p, PROCESS__SETSCHED);
2765 }
2766
2767 static int selinux_task_getioprio(struct task_struct *p)
2768 {
2769         return task_has_perm(current, p, PROCESS__GETSCHED);
2770 }
2771
2772 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2773 {
2774         struct rlimit *old_rlim = current->signal->rlim + resource;
2775         int rc;
2776
2777         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2778         if (rc)
2779                 return rc;
2780
2781         /* Control the ability to change the hard limit (whether
2782            lowering or raising it), so that the hard limit can
2783            later be used as a safe reset point for the soft limit
2784            upon context transitions. See selinux_bprm_apply_creds. */
2785         if (old_rlim->rlim_max != new_rlim->rlim_max)
2786                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2787
2788         return 0;
2789 }
2790
2791 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2792 {
2793         return task_has_perm(current, p, PROCESS__SETSCHED);
2794 }
2795
2796 static int selinux_task_getscheduler(struct task_struct *p)
2797 {
2798         return task_has_perm(current, p, PROCESS__GETSCHED);
2799 }
2800
2801 static int selinux_task_movememory(struct task_struct *p)
2802 {
2803         return task_has_perm(current, p, PROCESS__SETSCHED);
2804 }
2805
2806 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2807                                 int sig, u32 secid)
2808 {
2809         u32 perm;
2810         int rc;
2811         struct task_security_struct *tsec;
2812
2813         rc = secondary_ops->task_kill(p, info, sig, secid);
2814         if (rc)
2815                 return rc;
2816
2817         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2818                 return 0;
2819
2820         if (!sig)
2821                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2822         else
2823                 perm = signal_to_av(sig);
2824         tsec = p->security;
2825         if (secid)
2826                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2827         else
2828                 rc = task_has_perm(current, p, perm);
2829         return rc;
2830 }
2831
2832 static int selinux_task_prctl(int option,
2833                               unsigned long arg2,
2834                               unsigned long arg3,
2835                               unsigned long arg4,
2836                               unsigned long arg5)
2837 {
2838         /* The current prctl operations do not appear to require
2839            any SELinux controls since they merely observe or modify
2840            the state of the current process. */
2841         return 0;
2842 }
2843
2844 static int selinux_task_wait(struct task_struct *p)
2845 {
2846         u32 perm;
2847
2848         perm = signal_to_av(p->exit_signal);
2849
2850         return task_has_perm(p, current, perm);
2851 }
2852
2853 static void selinux_task_reparent_to_init(struct task_struct *p)
2854 {
2855         struct task_security_struct *tsec;
2856
2857         secondary_ops->task_reparent_to_init(p);
2858
2859         tsec = p->security;
2860         tsec->osid = tsec->sid;
2861         tsec->sid = SECINITSID_KERNEL;
2862         return;
2863 }
2864
2865 static void selinux_task_to_inode(struct task_struct *p,
2866                                   struct inode *inode)
2867 {
2868         struct task_security_struct *tsec = p->security;
2869         struct inode_security_struct *isec = inode->i_security;
2870
2871         isec->sid = tsec->sid;
2872         isec->initialized = 1;
2873         return;
2874 }
2875
2876 /* Returns error only if unable to parse addresses */
2877 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2878 {
2879         int offset, ihlen, ret = -EINVAL;
2880         struct iphdr _iph, *ih;
2881
2882         offset = skb->nh.raw - skb->data;
2883         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2884         if (ih == NULL)
2885                 goto out;
2886
2887         ihlen = ih->ihl * 4;
2888         if (ihlen < sizeof(_iph))
2889                 goto out;
2890
2891         ad->u.net.v4info.saddr = ih->saddr;
2892         ad->u.net.v4info.daddr = ih->daddr;
2893         ret = 0;
2894
2895         switch (ih->protocol) {
2896         case IPPROTO_TCP: {
2897                 struct tcphdr _tcph, *th;
2898
2899                 if (ntohs(ih->frag_off) & IP_OFFSET)
2900                         break;
2901
2902                 offset += ihlen;
2903                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2904                 if (th == NULL)
2905                         break;
2906
2907                 ad->u.net.sport = th->source;
2908                 ad->u.net.dport = th->dest;
2909                 break;
2910         }
2911         
2912         case IPPROTO_UDP: {
2913                 struct udphdr _udph, *uh;
2914                 
2915                 if (ntohs(ih->frag_off) & IP_OFFSET)
2916                         break;
2917                         
2918                 offset += ihlen;
2919                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2920                 if (uh == NULL)
2921                         break;  
2922
2923                 ad->u.net.sport = uh->source;
2924                 ad->u.net.dport = uh->dest;
2925                 break;
2926         }
2927
2928         default:
2929                 break;
2930         }
2931 out:
2932         return ret;
2933 }
2934
2935 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2936
2937 /* Returns error only if unable to parse addresses */
2938 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2939 {
2940         u8 nexthdr;
2941         int ret = -EINVAL, offset;
2942         struct ipv6hdr _ipv6h, *ip6;
2943
2944         offset = skb->nh.raw - skb->data;
2945         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2946         if (ip6 == NULL)
2947                 goto out;
2948
2949         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2950         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2951         ret = 0;
2952
2953         nexthdr = ip6->nexthdr;
2954         offset += sizeof(_ipv6h);
2955         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2956         if (offset < 0)
2957                 goto out;
2958
2959         switch (nexthdr) {
2960         case IPPROTO_TCP: {
2961                 struct tcphdr _tcph, *th;
2962
2963                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2964                 if (th == NULL)
2965                         break;
2966
2967                 ad->u.net.sport = th->source;
2968                 ad->u.net.dport = th->dest;
2969                 break;
2970         }
2971
2972         case IPPROTO_UDP: {
2973                 struct udphdr _udph, *uh;
2974
2975                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2976                 if (uh == NULL)
2977                         break;
2978
2979                 ad->u.net.sport = uh->source;
2980                 ad->u.net.dport = uh->dest;
2981                 break;
2982         }
2983
2984         /* includes fragments */
2985         default:
2986                 break;
2987         }
2988 out:
2989         return ret;
2990 }
2991
2992 #endif /* IPV6 */
2993
2994 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2995                              char **addrp, int *len, int src)
2996 {
2997         int ret = 0;
2998
2999         switch (ad->u.net.family) {
3000         case PF_INET:
3001                 ret = selinux_parse_skb_ipv4(skb, ad);
3002                 if (ret || !addrp)
3003                         break;
3004                 *len = 4;
3005                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3006                                         &ad->u.net.v4info.daddr);
3007                 break;
3008
3009 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3010         case PF_INET6:
3011                 ret = selinux_parse_skb_ipv6(skb, ad);
3012                 if (ret || !addrp)
3013                         break;
3014                 *len = 16;
3015                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3016                                         &ad->u.net.v6info.daddr);
3017                 break;
3018 #endif  /* IPV6 */
3019         default:
3020                 break;
3021         }
3022
3023         return ret;
3024 }
3025
3026 /* socket security operations */
3027 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3028                            u32 perms)
3029 {
3030         struct inode_security_struct *isec;
3031         struct task_security_struct *tsec;
3032         struct avc_audit_data ad;
3033         int err = 0;
3034
3035         tsec = task->security;
3036         isec = SOCK_INODE(sock)->i_security;
3037
3038         if (isec->sid == SECINITSID_KERNEL)
3039                 goto out;
3040
3041         AVC_AUDIT_DATA_INIT(&ad,NET);
3042         ad.u.net.sk = sock->sk;
3043         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3044
3045 out:
3046         return err;
3047 }
3048
3049 static int selinux_socket_create(int family, int type,
3050                                  int protocol, int kern)
3051 {
3052         int err = 0;
3053         struct task_security_struct *tsec;
3054         u32 newsid;
3055
3056         if (kern)
3057                 goto out;
3058
3059         tsec = current->security;
3060         newsid = tsec->sockcreate_sid ? : tsec->sid;
3061         err = avc_has_perm(tsec->sid, newsid,
3062                            socket_type_to_security_class(family, type,
3063                            protocol), SOCKET__CREATE, NULL);
3064
3065 out:
3066         return err;
3067 }
3068
3069 static int selinux_socket_post_create(struct socket *sock, int family,
3070                                       int type, int protocol, int kern)
3071 {
3072         int err = 0;
3073         struct inode_security_struct *isec;
3074         struct task_security_struct *tsec;
3075         struct sk_security_struct *sksec;
3076         u32 newsid;
3077
3078         isec = SOCK_INODE(sock)->i_security;
3079
3080         tsec = current->security;
3081         newsid = tsec->sockcreate_sid ? : tsec->sid;
3082         isec->sclass = socket_type_to_security_class(family, type, protocol);
3083         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3084         isec->initialized = 1;
3085
3086         if (sock->sk) {
3087                 sksec = sock->sk->sk_security;
3088                 sksec->sid = isec->sid;
3089                 err = selinux_netlbl_socket_post_create(sock,
3090                                                         family,
3091                                                         isec->sid);
3092         }
3093
3094         return err;
3095 }
3096
3097 /* Range of port numbers used to automatically bind.
3098    Need to determine whether we should perform a name_bind
3099    permission check between the socket and the port number. */
3100 #define ip_local_port_range_0 sysctl_local_port_range[0]
3101 #define ip_local_port_range_1 sysctl_local_port_range[1]
3102
3103 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3104 {
3105         u16 family;
3106         int err;
3107
3108         err = socket_has_perm(current, sock, SOCKET__BIND);
3109         if (err)
3110                 goto out;
3111
3112         /*
3113          * If PF_INET or PF_INET6, check name_bind permission for the port.
3114          * Multiple address binding for SCTP is not supported yet: we just
3115          * check the first address now.
3116          */
3117         family = sock->sk->sk_family;
3118         if (family == PF_INET || family == PF_INET6) {
3119                 char *addrp;
3120                 struct inode_security_struct *isec;
3121                 struct task_security_struct *tsec;
3122                 struct avc_audit_data ad;
3123                 struct sockaddr_in *addr4 = NULL;
3124                 struct sockaddr_in6 *addr6 = NULL;
3125                 unsigned short snum;
3126                 struct sock *sk = sock->sk;
3127                 u32 sid, node_perm, addrlen;
3128
3129                 tsec = current->security;
3130                 isec = SOCK_INODE(sock)->i_security;
3131
3132                 if (family == PF_INET) {
3133                         addr4 = (struct sockaddr_in *)address;
3134                         snum = ntohs(addr4->sin_port);
3135                         addrlen = sizeof(addr4->sin_addr.s_addr);
3136                         addrp = (char *)&addr4->sin_addr.s_addr;
3137                 } else {
3138                         addr6 = (struct sockaddr_in6 *)address;
3139                         snum = ntohs(addr6->sin6_port);
3140                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3141                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3142                 }
3143
3144                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3145                            snum > ip_local_port_range_1)) {
3146                         err = security_port_sid(sk->sk_family, sk->sk_type,
3147                                                 sk->sk_protocol, snum, &sid);
3148                         if (err)
3149                                 goto out;
3150                         AVC_AUDIT_DATA_INIT(&ad,NET);
3151                         ad.u.net.sport = htons(snum);
3152                         ad.u.net.family = family;
3153                         err = avc_has_perm(isec->sid, sid,
3154                                            isec->sclass,
3155                                            SOCKET__NAME_BIND, &ad);
3156                         if (err)
3157                                 goto out;
3158                 }
3159                 
3160                 switch(isec->sclass) {
3161                 case SECCLASS_TCP_SOCKET:
3162                         node_perm = TCP_SOCKET__NODE_BIND;
3163                         break;
3164                         
3165                 case SECCLASS_UDP_SOCKET:
3166                         node_perm = UDP_SOCKET__NODE_BIND;
3167                         break;
3168                         
3169                 default:
3170                         node_perm = RAWIP_SOCKET__NODE_BIND;
3171                         break;
3172                 }
3173                 
3174                 err = security_node_sid(family, addrp, addrlen, &sid);
3175                 if (err)
3176                         goto out;
3177                 
3178                 AVC_AUDIT_DATA_INIT(&ad,NET);
3179                 ad.u.net.sport = htons(snum);
3180                 ad.u.net.family = family;
3181
3182                 if (family == PF_INET)
3183                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3184                 else
3185                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3186
3187                 err = avc_has_perm(isec->sid, sid,
3188                                    isec->sclass, node_perm, &ad);
3189                 if (err)
3190                         goto out;
3191         }
3192 out:
3193         return err;
3194 }
3195
3196 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3197 {
3198         struct inode_security_struct *isec;
3199         int err;
3200
3201         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3202         if (err)
3203                 return err;
3204
3205         /*
3206          * If a TCP socket, check name_connect permission for the port.
3207          */
3208         isec = SOCK_INODE(sock)->i_security;
3209         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3210                 struct sock *sk = sock->sk;
3211                 struct avc_audit_data ad;
3212                 struct sockaddr_in *addr4 = NULL;
3213                 struct sockaddr_in6 *addr6 = NULL;
3214                 unsigned short snum;
3215                 u32 sid;
3216
3217                 if (sk->sk_family == PF_INET) {
3218                         addr4 = (struct sockaddr_in *)address;
3219                         if (addrlen < sizeof(struct sockaddr_in))
3220                                 return -EINVAL;
3221                         snum = ntohs(addr4->sin_port);
3222                 } else {
3223                         addr6 = (struct sockaddr_in6 *)address;
3224                         if (addrlen < SIN6_LEN_RFC2133)
3225                                 return -EINVAL;
3226                         snum = ntohs(addr6->sin6_port);
3227                 }
3228
3229                 err = security_port_sid(sk->sk_family, sk->sk_type,
3230                                         sk->sk_protocol, snum, &sid);
3231                 if (err)
3232                         goto out;
3233
3234                 AVC_AUDIT_DATA_INIT(&ad,NET);
3235                 ad.u.net.dport = htons(snum);
3236                 ad.u.net.family = sk->sk_family;
3237                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3238                                    TCP_SOCKET__NAME_CONNECT, &ad);
3239                 if (err)
3240                         goto out;
3241         }
3242
3243 out:
3244         return err;
3245 }
3246
3247 static int selinux_socket_listen(struct socket *sock, int backlog)
3248 {
3249         return socket_has_perm(current, sock, SOCKET__LISTEN);
3250 }
3251
3252 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3253 {
3254         int err;
3255         struct inode_security_struct *isec;
3256         struct inode_security_struct *newisec;
3257
3258         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3259         if (err)
3260                 return err;
3261
3262         newisec = SOCK_INODE(newsock)->i_security;
3263
3264         isec = SOCK_INODE(sock)->i_security;
3265         newisec->sclass = isec->sclass;
3266         newisec->sid = isec->sid;
3267         newisec->initialized = 1;
3268
3269         return 0;
3270 }
3271
3272 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3273                                   int size)
3274 {
3275         int rc;
3276
3277         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3278         if (rc)
3279                 return rc;
3280
3281         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3282 }
3283
3284 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3285                                   int size, int flags)
3286 {
3287         return socket_has_perm(current, sock, SOCKET__READ);
3288 }
3289
3290 static int selinux_socket_getsockname(struct socket *sock)
3291 {
3292         return socket_has_perm(current, sock, SOCKET__GETATTR);
3293 }
3294
3295 static int selinux_socket_getpeername(struct socket *sock)
3296 {
3297         return socket_has_perm(current, sock, SOCKET__GETATTR);
3298 }
3299
3300 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3301 {
3302         return socket_has_perm(current, sock, SOCKET__SETOPT);
3303 }
3304
3305 static int selinux_socket_getsockopt(struct socket *sock, int level,
3306                                      int optname)
3307 {
3308         return socket_has_perm(current, sock, SOCKET__GETOPT);
3309 }
3310
3311 static int selinux_socket_shutdown(struct socket *sock, int how)
3312 {
3313         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3314 }
3315
3316 static int selinux_socket_unix_stream_connect(struct socket *sock,
3317                                               struct socket *other,
3318                                               struct sock *newsk)
3319 {
3320         struct sk_security_struct *ssec;
3321         struct inode_security_struct *isec;
3322         struct inode_security_struct *other_isec;
3323         struct avc_audit_data ad;
3324         int err;
3325
3326         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3327         if (err)
3328                 return err;
3329
3330         isec = SOCK_INODE(sock)->i_security;
3331         other_isec = SOCK_INODE(other)->i_security;
3332
3333         AVC_AUDIT_DATA_INIT(&ad,NET);
3334         ad.u.net.sk = other->sk;
3335
3336         err = avc_has_perm(isec->sid, other_isec->sid,
3337                            isec->sclass,
3338                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3339         if (err)
3340                 return err;
3341
3342         /* connecting socket */
3343         ssec = sock->sk->sk_security;
3344         ssec->peer_sid = other_isec->sid;
3345         
3346         /* server child socket */
3347         ssec = newsk->sk_security;
3348         ssec->peer_sid = isec->sid;
3349         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3350
3351         return err;
3352 }
3353
3354 static int selinux_socket_unix_may_send(struct socket *sock,
3355                                         struct socket *other)
3356 {
3357         struct inode_security_struct *isec;
3358         struct inode_security_struct *other_isec;
3359         struct avc_audit_data ad;
3360         int err;
3361
3362         isec = SOCK_INODE(sock)->i_security;
3363         other_isec = SOCK_INODE(other)->i_security;
3364
3365         AVC_AUDIT_DATA_INIT(&ad,NET);
3366         ad.u.net.sk = other->sk;
3367
3368         err = avc_has_perm(isec->sid, other_isec->sid,
3369                            isec->sclass, SOCKET__SENDTO, &ad);
3370         if (err)
3371                 return err;
3372
3373         return 0;
3374 }
3375
3376 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3377                 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3378 {
3379         int err = 0;
3380         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3381         struct socket *sock;
3382         u16 sock_class = 0;
3383         u32 sock_sid = 0;
3384
3385         read_lock_bh(&sk->sk_callback_lock);
3386         sock = sk->sk_socket;
3387         if (sock) {
3388                 struct inode *inode;
3389                 inode = SOCK_INODE(sock);
3390                 if (inode) {
3391                         struct inode_security_struct *isec;
3392                         isec = inode->i_security;
3393                         sock_sid = isec->sid;
3394                         sock_class = isec->sclass;
3395                 }
3396         }
3397         read_unlock_bh(&sk->sk_callback_lock);
3398         if (!sock_sid)
3399                 goto out;
3400
3401         if (!skb->dev)
3402                 goto out;
3403
3404         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3405         if (err)
3406                 goto out;
3407
3408         switch (sock_class) {
3409         case SECCLASS_UDP_SOCKET:
3410                 netif_perm = NETIF__UDP_RECV;
3411                 node_perm = NODE__UDP_RECV;
3412                 recv_perm = UDP_SOCKET__RECV_MSG;
3413                 break;
3414         
3415         case SECCLASS_TCP_SOCKET:
3416                 netif_perm = NETIF__TCP_RECV;
3417                 node_perm = NODE__TCP_RECV;
3418                 recv_perm = TCP_SOCKET__RECV_MSG;
3419                 break;
3420         
3421         default:
3422                 netif_perm = NETIF__RAWIP_RECV;
3423                 node_perm = NODE__RAWIP_RECV;
3424                 break;
3425         }
3426
3427         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3428         if (err)
3429                 goto out;
3430         
3431         err = security_node_sid(family, addrp, len, &node_sid);
3432         if (err)
3433                 goto out;
3434         
3435         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3436         if (err)
3437                 goto out;
3438
3439         if (recv_perm) {
3440                 u32 port_sid;
3441
3442                 err = security_port_sid(sk->sk_family, sk->sk_type,
3443                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3444                                         &port_sid);
3445                 if (err)
3446                         goto out;
3447
3448                 err = avc_has_perm(sock_sid, port_sid,
3449                                    sock_class, recv_perm, ad);
3450         }
3451
3452 out:
3453         return err;
3454 }
3455
3456 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3457 {
3458         u16 family;
3459         char *addrp;
3460         int len, err = 0;
3461         struct avc_audit_data ad;
3462         struct sk_security_struct *sksec = sk->sk_security;
3463
3464         family = sk->sk_family;
3465         if (family != PF_INET && family != PF_INET6)
3466                 goto out;
3467
3468         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3469         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3470                 family = PF_INET;
3471
3472         AVC_AUDIT_DATA_INIT(&ad, NET);
3473         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3474         ad.u.net.family = family;
3475
3476         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3477         if (err)
3478                 goto out;
3479
3480         if (selinux_compat_net)
3481                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3482                                                   addrp, len);
3483         else
3484                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3485                                    PACKET__RECV, &ad);
3486         if (err)
3487                 goto out;
3488
3489         err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
3490         if (err)
3491                 goto out;
3492
3493         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3494 out:    
3495         return err;
3496 }
3497
3498 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3499                                             int __user *optlen, unsigned len)
3500 {
3501         int err = 0;
3502         char *scontext;
3503         u32 scontext_len;
3504         struct sk_security_struct *ssec;
3505         struct inode_security_struct *isec;
3506         u32 peer_sid = 0;
3507
3508         isec = SOCK_INODE(sock)->i_security;
3509
3510         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3511         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3512                 ssec = sock->sk->sk_security;
3513                 peer_sid = ssec->peer_sid;
3514         }
3515         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3516                 peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);
3517                 if (peer_sid == SECSID_NULL)
3518                         peer_sid = selinux_socket_getpeer_stream(sock->sk);
3519                 if (peer_sid == SECSID_NULL) {
3520                         err = -ENOPROTOOPT;
3521                         goto out;
3522                 }
3523         }
3524         else {
3525                 err = -ENOPROTOOPT;
3526                 goto out;
3527         }
3528
3529         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3530
3531         if (err)
3532                 goto out;
3533
3534         if (scontext_len > len) {
3535                 err = -ERANGE;
3536                 goto out_len;
3537         }
3538
3539         if (copy_to_user(optval, scontext, scontext_len))
3540                 err = -EFAULT;
3541
3542 out_len:
3543         if (put_user(scontext_len, optlen))
3544                 err = -EFAULT;
3545
3546         kfree(scontext);
3547 out:    
3548         return err;
3549 }
3550
3551 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3552 {
3553         u32 peer_secid = SECSID_NULL;
3554         int err = 0;
3555
3556         if (sock && (sock->sk->sk_family == PF_UNIX))
3557                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3558         else if (skb) {
3559                 peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb);
3560                 if (peer_secid == SECSID_NULL)
3561                         peer_secid = selinux_socket_getpeer_dgram(skb);
3562         }
3563
3564         if (peer_secid == SECSID_NULL)
3565                 err = -EINVAL;
3566         *secid = peer_secid;
3567
3568         return err;
3569 }
3570
3571 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3572 {
3573         return sk_alloc_security(sk, family, priority);
3574 }
3575
3576 static void selinux_sk_free_security(struct sock *sk)
3577 {
3578         sk_free_security(sk);
3579 }
3580
3581 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3582 {
3583         struct sk_security_struct *ssec = sk->sk_security;
3584         struct sk_security_struct *newssec = newsk->sk_security;
3585
3586         newssec->sid = ssec->sid;
3587         newssec->peer_sid = ssec->peer_sid;
3588 }
3589
3590 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3591 {
3592         if (!sk)
3593                 *secid = SECINITSID_ANY_SOCKET;
3594         else {
3595                 struct sk_security_struct *sksec = sk->sk_security;
3596
3597                 *secid = sksec->sid;
3598         }
3599 }
3600
3601 void selinux_sock_graft(struct sock* sk, struct socket *parent)
3602 {
3603         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
3604         struct sk_security_struct *sksec = sk->sk_security;
3605
3606         isec->sid = sksec->sid;
3607
3608         selinux_netlbl_sock_graft(sk, parent);
3609 }
3610
3611 int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3612                                            struct request_sock *req)
3613 {
3614         struct sk_security_struct *sksec = sk->sk_security;
3615         int err;
3616         u32 newsid;
3617         u32 peersid;
3618
3619         newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid);
3620         if (newsid != SECSID_NULL) {
3621                 req->secid = newsid;
3622                 return 0;
3623         }
3624
3625         err = selinux_xfrm_decode_session(skb, &peersid, 0);
3626         BUG_ON(err);
3627
3628         if (peersid == SECSID_NULL) {
3629                 req->secid = sksec->sid;
3630                 return 0;
3631         }
3632
3633         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3634         if (err)
3635                 return err;
3636
3637         req->secid = newsid;
3638         return 0;
3639 }
3640
3641 void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req)
3642 {
3643         struct sk_security_struct *newsksec = newsk->sk_security;
3644
3645         newsksec->sid = req->secid;
3646         /* NOTE: Ideally, we should also get the isec->sid for the
3647            new socket in sync, but we don't have the isec available yet.
3648            So we will wait until sock_graft to do it, by which
3649            time it will have been created and available. */
3650 }
3651
3652 void selinux_req_classify_flow(const struct request_sock *req, struct flowi *fl)
3653 {
3654         fl->secid = req->secid;
3655 }
3656
3657 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3658 {
3659         int err = 0;
3660         u32 perm;
3661         struct nlmsghdr *nlh;
3662         struct socket *sock = sk->sk_socket;
3663         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3664         
3665         if (skb->len < NLMSG_SPACE(0)) {
3666                 err = -EINVAL;
3667                 goto out;
3668         }
3669         nlh = (struct nlmsghdr *)skb->data;
3670         
3671         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3672         if (err) {
3673                 if (err == -EINVAL) {
3674                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3675                                   "SELinux:  unrecognized netlink message"
3676                                   " type=%hu for sclass=%hu\n",
3677                                   nlh->nlmsg_type, isec->sclass);
3678                         if (!selinux_enforcing)
3679                                 err = 0;
3680                 }
3681
3682                 /* Ignore */
3683                 if (err == -ENOENT)
3684                         err = 0;
3685                 goto out;
3686         }
3687
3688         err = socket_has_perm(current, sock, perm);
3689 out:
3690         return err;
3691 }
3692
3693 #ifdef CONFIG_NETFILTER
3694
3695 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3696                                             struct avc_audit_data *ad,
3697                                             u16 family, char *addrp, int len)
3698 {
3699         int err = 0;
3700         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3701         struct socket *sock;
3702         struct inode *inode;
3703         struct inode_security_struct *isec;
3704
3705         sock = sk->sk_socket;
3706         if (!sock)
3707                 goto out;
3708
3709         inode = SOCK_INODE(sock);
3710         if (!inode)
3711                 goto out;
3712
3713         isec = inode->i_security;
3714         
3715         err = sel_netif_sids(dev, &if_sid, NULL);
3716         if (err)
3717                 goto out;
3718
3719         switch (isec->sclass) {
3720         case SECCLASS_UDP_SOCKET:
3721                 netif_perm = NETIF__UDP_SEND;
3722                 node_perm = NODE__UDP_SEND;
3723                 send_perm = UDP_SOCKET__SEND_MSG;
3724                 break;
3725         
3726         case SECCLASS_TCP_SOCKET:
3727                 netif_perm = NETIF__TCP_SEND;
3728                 node_perm = NODE__TCP_SEND;
3729                 send_perm = TCP_SOCKET__SEND_MSG;
3730                 break;
3731         
3732         default:
3733                 netif_perm = NETIF__RAWIP_SEND;
3734                 node_perm = NODE__RAWIP_SEND;
3735                 break;
3736         }
3737
3738         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3739         if (err)
3740                 goto out;
3741                 
3742         err = security_node_sid(family, addrp, len, &node_sid);
3743         if (err)
3744                 goto out;
3745         
3746         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3747         if (err)
3748                 goto out;
3749
3750         if (send_perm) {
3751                 u32 port_sid;
3752                 
3753                 err = security_port_sid(sk->sk_family,
3754                                         sk->sk_type,
3755                                         sk->sk_protocol,
3756                                         ntohs(ad->u.net.dport),
3757                                         &port_sid);
3758                 if (err)
3759                         goto out;
3760
3761                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3762                                    send_perm, ad);
3763         }
3764 out:
3765         return err;
3766 }
3767
3768 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3769                                               struct sk_buff **pskb,
3770                                               const struct net_device *in,
3771                                               const struct net_device *out,
3772                                               int (*okfn)(struct sk_buff *),
3773                                               u16 family)
3774 {
3775         char *addrp;
3776         int len, err = 0;
3777         struct sock *sk;
3778         struct sk_buff *skb = *pskb;
3779         struct avc_audit_data ad;
3780         struct net_device *dev = (struct net_device *)out;
3781         struct sk_security_struct *sksec;
3782
3783         sk = skb->sk;
3784         if (!sk)
3785                 goto out;
3786
3787         sksec = sk->sk_security;
3788
3789         AVC_AUDIT_DATA_INIT(&ad, NET);
3790         ad.u.net.netif = dev->name;
3791         ad.u.net.family = family;
3792
3793         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3794         if (err)
3795                 goto out;
3796
3797         if (selinux_compat_net)
3798                 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
3799                                                        family, addrp, len);
3800         else
3801                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3802                                    PACKET__SEND, &ad);
3803
3804         if (err)
3805                 goto out;
3806
3807         err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad);
3808 out:
3809         return err ? NF_DROP : NF_ACCEPT;
3810 }
3811
3812 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3813                                                 struct sk_buff **pskb,
3814                                                 const struct net_device *in,
3815                                                 const struct net_device *out,
3816                                                 int (*okfn)(struct sk_buff *))
3817 {
3818         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3819 }
3820
3821 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3822
3823 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3824                                                 struct sk_buff **pskb,
3825                                                 const struct net_device *in,
3826                                                 const struct net_device *out,
3827                                                 int (*okfn)(struct sk_buff *))
3828 {
3829         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3830 }
3831
3832 #endif  /* IPV6 */
3833
3834 #endif  /* CONFIG_NETFILTER */
3835
3836 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3837 {
3838         int err;
3839
3840         err = secondary_ops->netlink_send(sk, skb);
3841         if (err)
3842                 return err;
3843
3844         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3845                 err = selinux_nlmsg_perm(sk, skb);
3846
3847         return err;
3848 }
3849
3850 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3851 {
3852         int err;
3853         struct avc_audit_data ad;
3854
3855         err = secondary_ops->netlink_recv(skb, capability);
3856         if (err)
3857                 return err;
3858
3859         AVC_AUDIT_DATA_INIT(&ad, CAP);
3860         ad.u.cap = capability;
3861
3862         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3863                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3864 }
3865
3866 static int ipc_alloc_security(struct task_struct *task,
3867                               struct kern_ipc_perm *perm,
3868                               u16 sclass)
3869 {
3870         struct task_security_struct *tsec = task->security;
3871         struct ipc_security_struct *isec;
3872
3873         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3874         if (!isec)
3875                 return -ENOMEM;
3876
3877         isec->sclass = sclass;
3878         isec->ipc_perm = perm;
3879         isec->sid = tsec->sid;
3880         perm->security = isec;
3881
3882         return 0;
3883 }
3884
3885 static void ipc_free_security(struct kern_ipc_perm *perm)
3886 {
3887         struct ipc_security_struct *isec = perm->security;
3888         perm->security = NULL;
3889         kfree(isec);
3890 }
3891
3892 static int msg_msg_alloc_security(struct msg_msg *msg)
3893 {
3894         struct msg_security_struct *msec;
3895
3896         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3897         if (!msec)
3898                 return -ENOMEM;
3899
3900         msec->msg = msg;
3901         msec->sid = SECINITSID_UNLABELED;
3902         msg->security = msec;
3903
3904         return 0;
3905 }
3906
3907 static void msg_msg_free_security(struct msg_msg *msg)
3908 {
3909         struct msg_security_struct *msec = msg->security;
3910
3911         msg->security = NULL;
3912         kfree(msec);
3913 }
3914
3915 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3916                         u32 perms)
3917 {
3918         struct task_security_struct *tsec;
3919         struct ipc_security_struct *isec;
3920         struct avc_audit_data ad;
3921
3922         tsec = current->security;
3923         isec = ipc_perms->security;
3924
3925         AVC_AUDIT_DATA_INIT(&ad, IPC);
3926         ad.u.ipc_id = ipc_perms->key;
3927
3928         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3929 }
3930
3931 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3932 {
3933         return msg_msg_alloc_security(msg);
3934 }
3935
3936 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3937 {
3938         msg_msg_free_security(msg);
3939 }
3940
3941 /* message queue security operations */
3942 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3943 {
3944         struct task_security_struct *tsec;
3945         struct ipc_security_struct *isec;
3946         struct avc_audit_data ad;
3947         int rc;
3948
3949         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3950         if (rc)
3951                 return rc;
3952
3953         tsec = current->security;
3954         isec = msq->q_perm.security;
3955
3956         AVC_AUDIT_DATA_INIT(&ad, IPC);
3957         ad.u.ipc_id = msq->q_perm.key;
3958
3959         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3960                           MSGQ__CREATE, &ad);
3961         if (rc) {
3962                 ipc_free_security(&msq->q_perm);
3963                 return rc;
3964         }
3965         return 0;
3966 }
3967
3968 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3969 {
3970         ipc_free_security(&msq->q_perm);
3971 }
3972
3973 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3974 {
3975         struct task_security_struct *tsec;
3976         struct ipc_security_struct *isec;
3977         struct avc_audit_data ad;
3978
3979         tsec = current->security;
3980         isec = msq->q_perm.security;
3981
3982         AVC_AUDIT_DATA_INIT(&ad, IPC);
3983         ad.u.ipc_id = msq->q_perm.key;
3984
3985         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3986                             MSGQ__ASSOCIATE, &ad);
3987 }
3988
3989 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3990 {
3991         int err;
3992         int perms;
3993
3994         switch(cmd) {
3995         case IPC_INFO:
3996         case MSG_INFO:
3997                 /* No specific object, just general system-wide information. */
3998                 return task_has_system(current, SYSTEM__IPC_INFO);
3999         case IPC_STAT:
4000         case MSG_STAT:
4001                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4002                 break;
4003         case IPC_SET:
4004                 perms = MSGQ__SETATTR;
4005                 break;
4006         case IPC_RMID:
4007                 perms = MSGQ__DESTROY;
4008                 break;
4009         default:
4010                 return 0;
4011         }
4012
4013         err = ipc_has_perm(&msq->q_perm, perms);
4014         return err;
4015 }
4016
4017 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4018 {
4019         struct task_security_struct *tsec;
4020         struct ipc_security_struct *isec;
4021         struct msg_security_struct *msec;
4022         struct avc_audit_data ad;
4023         int rc;
4024
4025         tsec = current->security;
4026         isec = msq->q_perm.security;
4027         msec = msg->security;
4028
4029         /*
4030          * First time through, need to assign label to the message
4031          */
4032         if (msec->sid == SECINITSID_UNLABELED) {
4033                 /*
4034                  * Compute new sid based on current process and
4035                  * message queue this message will be stored in
4036                  */
4037                 rc = security_transition_sid(tsec->sid,
4038                                              isec->sid,
4039                                              SECCLASS_MSG,
4040                                              &msec->sid);
4041                 if (rc)
4042                         return rc;
4043         }
4044
4045         AVC_AUDIT_DATA_INIT(&ad, IPC);
4046         ad.u.ipc_id = msq->q_perm.key;
4047
4048         /* Can this process write to the queue? */
4049         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4050                           MSGQ__WRITE, &ad);
4051         if (!rc)
4052                 /* Can this process send the message */
4053                 rc = avc_has_perm(tsec->sid, msec->sid,
4054                                   SECCLASS_MSG, MSG__SEND, &ad);
4055         if (!rc)
4056                 /* Can the message be put in the queue? */
4057                 rc = avc_has_perm(msec->sid, isec->sid,
4058                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4059
4060         return rc;
4061 }
4062
4063 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4064                                     struct task_struct *target,
4065                                     long type, int mode)
4066 {
4067         struct task_security_struct *tsec;
4068         struct ipc_security_struct *isec;
4069         struct msg_security_struct *msec;
4070         struct avc_audit_data ad;
4071         int rc;
4072
4073         tsec = target->security;
4074         isec = msq->q_perm.security;
4075         msec = msg->security;
4076
4077         AVC_AUDIT_DATA_INIT(&ad, IPC);
4078         ad.u.ipc_id = msq->q_perm.key;
4079
4080         rc = avc_has_perm(tsec->sid, isec->sid,
4081                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4082         if (!rc)
4083                 rc = avc_has_perm(tsec->sid, msec->sid,
4084                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4085         return rc;
4086 }
4087
4088 /* Shared Memory security operations */
4089 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4090 {
4091         struct task_security_struct *tsec;
4092         struct ipc_security_struct *isec;
4093         struct avc_audit_data ad;
4094         int rc;
4095
4096         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4097         if (rc)
4098                 return rc;
4099
4100         tsec = current->security;
4101         isec = shp->shm_perm.security;
4102
4103         AVC_AUDIT_DATA_INIT(&ad, IPC);
4104         ad.u.ipc_id = shp->shm_perm.key;
4105
4106         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4107                           SHM__CREATE, &ad);
4108         if (rc) {
4109                 ipc_free_security(&shp->shm_perm);
4110                 return rc;
4111         }
4112         return 0;
4113 }
4114
4115 static void selinux_shm_free_security(struct shmid_kernel *shp)
4116 {
4117         ipc_free_security(&shp->shm_perm);
4118 }
4119
4120 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4121 {
4122         struct task_security_struct *tsec;
4123         struct ipc_security_struct *isec;
4124         struct avc_audit_data ad;
4125
4126         tsec = current->security;
4127         isec = shp->shm_perm.security;
4128
4129         AVC_AUDIT_DATA_INIT(&ad, IPC);
4130         ad.u.ipc_id = shp->shm_perm.key;
4131
4132         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4133                             SHM__ASSOCIATE, &ad);
4134 }
4135
4136 /* Note, at this point, shp is locked down */
4137 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4138 {
4139         int perms;
4140         int err;
4141
4142         switch(cmd) {
4143         case IPC_INFO:
4144         case SHM_INFO:
4145                 /* No specific object, just general system-wide information. */
4146                 return task_has_system(current, SYSTEM__IPC_INFO);
4147         case IPC_STAT:
4148         case SHM_STAT:
4149                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4150                 break;
4151         case IPC_SET:
4152                 perms = SHM__SETATTR;
4153                 break;
4154         case SHM_LOCK:
4155         case SHM_UNLOCK:
4156                 perms = SHM__LOCK;
4157                 break;
4158         case IPC_RMID:
4159                 perms = SHM__DESTROY;
4160                 break;
4161         default:
4162                 return 0;
4163         }
4164
4165         err = ipc_has_perm(&shp->shm_perm, perms);
4166         return err;
4167 }
4168
4169 static int selinux_shm_shmat(struct shmid_kernel *shp,
4170                              char __user *shmaddr, int shmflg)
4171 {
4172         u32 perms;
4173         int rc;
4174
4175         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4176         if (rc)
4177                 return rc;
4178
4179         if (shmflg & SHM_RDONLY)
4180                 perms = SHM__READ;
4181         else
4182                 perms = SHM__READ | SHM__WRITE;
4183
4184         return ipc_has_perm(&shp->shm_perm, perms);
4185 }
4186
4187 /* Semaphore security operations */
4188 static int selinux_sem_alloc_security(struct sem_array *sma)
4189 {
4190         struct task_security_struct *tsec;
4191         struct ipc_security_struct *isec;
4192         struct avc_audit_data ad;
4193         int rc;
4194
4195         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4196         if (rc)
4197                 return rc;
4198
4199         tsec = current->security;
4200         isec = sma->sem_perm.security;
4201
4202         AVC_AUDIT_DATA_INIT(&ad, IPC);
4203         ad.u.ipc_id = sma->sem_perm.key;
4204
4205         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4206                           SEM__CREATE, &ad);
4207         if (rc) {
4208                 ipc_free_security(&sma->sem_perm);
4209                 return rc;
4210         }
4211         return 0;
4212 }
4213
4214 static void selinux_sem_free_security(struct sem_array *sma)
4215 {
4216         ipc_free_security(&sma->sem_perm);
4217 }
4218
4219 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4220 {
4221         struct task_security_struct *tsec;
4222         struct ipc_security_struct *isec;
4223         struct avc_audit_data ad;
4224
4225         tsec = current->security;
4226         isec = sma->sem_perm.security;
4227
4228         AVC_AUDIT_DATA_INIT(&ad, IPC);
4229         ad.u.ipc_id = sma->sem_perm.key;
4230
4231         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4232                             SEM__ASSOCIATE, &ad);
4233 }
4234
4235 /* Note, at this point, sma is locked down */
4236 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4237 {
4238         int err;
4239         u32 perms;
4240
4241         switch(cmd) {
4242         case IPC_INFO:
4243         case SEM_INFO:
4244                 /* No specific object, just general system-wide information. */
4245                 return task_has_system(current, SYSTEM__IPC_INFO);
4246         case GETPID:
4247         case GETNCNT:
4248         case GETZCNT:
4249                 perms = SEM__GETATTR;
4250                 break;
4251         case GETVAL:
4252         case GETALL:
4253                 perms = SEM__READ;
4254                 break;
4255         case SETVAL:
4256         case SETALL:
4257                 perms = SEM__WRITE;
4258                 break;
4259         case IPC_RMID:
4260                 perms = SEM__DESTROY;
4261                 break;
4262         case IPC_SET:
4263                 perms = SEM__SETATTR;
4264                 break;
4265         case IPC_STAT:
4266         case SEM_STAT:
4267                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4268                 break;
4269         default:
4270                 return 0;
4271         }
4272
4273         err = ipc_has_perm(&sma->sem_perm, perms);
4274         return err;
4275 }
4276
4277 static int selinux_sem_semop(struct sem_array *sma,
4278                              struct sembuf *sops, unsigned nsops, int alter)
4279 {
4280         u32 perms;
4281
4282         if (alter)
4283                 perms = SEM__READ | SEM__WRITE;
4284         else
4285                 perms = SEM__READ;
4286
4287         return ipc_has_perm(&sma->sem_perm, perms);
4288 }
4289
4290 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4291 {
4292         u32 av = 0;
4293
4294         av = 0;
4295         if (flag & S_IRUGO)
4296                 av |= IPC__UNIX_READ;
4297         if (flag & S_IWUGO)
4298                 av |= IPC__UNIX_WRITE;
4299
4300         if (av == 0)
4301                 return 0;
4302
4303         return ipc_has_perm(ipcp, av);
4304 }
4305
4306 /* module stacking operations */
4307 static int selinux_register_security (const char *name, struct security_operations *ops)
4308 {
4309         if (secondary_ops != original_ops) {
4310                 printk(KERN_INFO "%s:  There is already a secondary security "
4311                        "module registered.\n", __FUNCTION__);
4312                 return -EINVAL;
4313         }
4314
4315         secondary_ops = ops;
4316
4317         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4318                __FUNCTION__,
4319                name);
4320
4321         return 0;
4322 }
4323
4324 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4325 {
4326         if (ops != secondary_ops) {
4327                 printk (KERN_INFO "%s:  trying to unregister a security module "
4328                         "that is not registered.\n", __FUNCTION__);
4329                 return -EINVAL;
4330         }
4331
4332         secondary_ops = original_ops;
4333
4334         return 0;
4335 }
4336
4337 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4338 {
4339         if (inode)
4340                 inode_doinit_with_dentry(inode, dentry);
4341 }
4342
4343 static int selinux_getprocattr(struct task_struct *p,
4344                                char *name, void *value, size_t size)
4345 {
4346         struct task_security_struct *tsec;
4347         u32 sid;
4348         int error;
4349
4350         if (current != p) {
4351                 error = task_has_perm(current, p, PROCESS__GETATTR);
4352                 if (error)
4353                         return error;
4354         }
4355
4356         tsec = p->security;
4357
4358         if (!strcmp(name, "current"))
4359                 sid = tsec->sid;
4360         else if (!strcmp(name, "prev"))
4361                 sid = tsec->osid;
4362         else if (!strcmp(name, "exec"))
4363                 sid = tsec->exec_sid;
4364         else if (!strcmp(name, "fscreate"))
4365                 sid = tsec->create_sid;
4366         else if (!strcmp(name, "keycreate"))
4367                 sid = tsec->keycreate_sid;
4368         else if (!strcmp(name, "sockcreate"))
4369                 sid = tsec->sockcreate_sid;
4370         else
4371                 return -EINVAL;
4372
4373         if (!sid)
4374                 return 0;
4375
4376         return selinux_getsecurity(sid, value, size);
4377 }
4378
4379 static int selinux_setprocattr(struct task_struct *p,
4380                                char *name, void *value, size_t size)
4381 {
4382         struct task_security_struct *tsec;
4383         u32 sid = 0;
4384         int error;
4385         char *str = value;
4386
4387         if (current != p) {
4388                 /* SELinux only allows a process to change its own
4389                    security attributes. */
4390                 return -EACCES;
4391         }
4392
4393         /*
4394          * Basic control over ability to set these attributes at all.
4395          * current == p, but we'll pass them separately in case the
4396          * above restriction is ever removed.
4397          */
4398         if (!strcmp(name, "exec"))
4399                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4400         else if (!strcmp(name, "fscreate"))
4401                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4402         else if (!strcmp(name, "keycreate"))
4403                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4404         else if (!strcmp(name, "sockcreate"))
4405                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4406         else if (!strcmp(name, "current"))
4407                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4408         else
4409                 error = -EINVAL;
4410         if (error)
4411                 return error;
4412
4413         /* Obtain a SID for the context, if one was specified. */
4414         if (size && str[1] && str[1] != '\n') {
4415                 if (str[size-1] == '\n') {
4416                         str[size-1] = 0;
4417                         size--;
4418                 }
4419                 error = security_context_to_sid(value, size, &sid);
4420                 if (error)
4421                         return error;
4422         }
4423
4424         /* Permission checking based on the specified context is
4425            performed during the actual operation (execve,
4426            open/mkdir/...), when we know the full context of the
4427            operation.  See selinux_bprm_set_security for the execve
4428            checks and may_create for the file creation checks. The
4429            operation will then fail if the context is not permitted. */
4430         tsec = p->security;
4431         if (!strcmp(name, "exec"))
4432                 tsec->exec_sid = sid;
4433         else if (!strcmp(name, "fscreate"))
4434                 tsec->create_sid = sid;
4435         else if (!strcmp(name, "keycreate")) {
4436                 error = may_create_key(sid, p);
4437                 if (error)
4438                         return error;
4439                 tsec->keycreate_sid = sid;
4440         } else if (!strcmp(name, "sockcreate"))
4441                 tsec->sockcreate_sid = sid;
4442         else if (!strcmp(name, "current")) {
4443                 struct av_decision avd;
4444
4445                 if (sid == 0)
4446                         return -EINVAL;
4447
4448                 /* Only allow single threaded processes to change context */
4449                 if (atomic_read(&p->mm->mm_users) != 1) {
4450                         struct task_struct *g, *t;
4451                         struct mm_struct *mm = p->mm;
4452                         read_lock(&tasklist_lock);
4453                         do_each_thread(g, t)
4454                                 if (t->mm == mm && t != p) {
4455                                         read_unlock(&tasklist_lock);
4456                                         return -EPERM;
4457                                 }
4458                         while_each_thread(g, t);
4459                         read_unlock(&tasklist_lock);
4460                 }
4461
4462                 /* Check permissions for the transition. */
4463                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4464                                      PROCESS__DYNTRANSITION, NULL);
4465                 if (error)
4466                         return error;
4467
4468                 /* Check for ptracing, and update the task SID if ok.
4469                    Otherwise, leave SID unchanged and fail. */
4470                 task_lock(p);
4471                 if (p->ptrace & PT_PTRACED) {
4472                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4473                                                      SECCLASS_PROCESS,
4474                                                      PROCESS__PTRACE, &avd);
4475                         if (!error)
4476                                 tsec->sid = sid;
4477                         task_unlock(p);
4478                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4479                                   PROCESS__PTRACE, &avd, error, NULL);
4480                         if (error)
4481                                 return error;
4482                 } else {
4483                         tsec->sid = sid;
4484                         task_unlock(p);
4485                 }
4486         }
4487         else
4488                 return -EINVAL;
4489
4490         return size;
4491 }
4492
4493 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4494 {
4495         return security_sid_to_context(secid, secdata, seclen);
4496 }
4497
4498 static void selinux_release_secctx(char *secdata, u32 seclen)
4499 {
4500         if (secdata)
4501                 kfree(secdata);
4502 }
4503
4504 #ifdef CONFIG_KEYS
4505
4506 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4507                              unsigned long flags)
4508 {
4509         struct task_security_struct *tsec = tsk->security;
4510         struct key_security_struct *ksec;
4511
4512         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4513         if (!ksec)
4514                 return -ENOMEM;
4515
4516         ksec->obj = k;
4517         if (tsec->keycreate_sid)
4518                 ksec->sid = tsec->keycreate_sid;
4519         else
4520                 ksec->sid = tsec->sid;
4521         k->security = ksec;
4522
4523         return 0;
4524 }
4525
4526 static void selinux_key_free(struct key *k)
4527 {
4528         struct key_security_struct *ksec = k->security;
4529
4530         k->security = NULL;
4531         kfree(ksec);
4532 }
4533
4534 static int selinux_key_permission(key_ref_t key_ref,
4535                             struct task_struct *ctx,
4536                             key_perm_t perm)
4537 {
4538         struct key *key;
4539         struct task_security_struct *tsec;
4540         struct key_security_struct *ksec;
4541
4542         key = key_ref_to_ptr(key_ref);
4543
4544         tsec = ctx->security;
4545         ksec = key->security;
4546
4547         /* if no specific permissions are requested, we skip the
4548            permission check. No serious, additional covert channels
4549            appear to be created. */
4550         if (perm == 0)
4551                 return 0;
4552
4553         return avc_has_perm(tsec->sid, ksec->sid,
4554                             SECCLASS_KEY, perm, NULL);
4555 }
4556
4557 #endif
4558
4559 static struct security_operations selinux_ops = {
4560         .ptrace =                       selinux_ptrace,
4561         .capget =                       selinux_capget,
4562         .capset_check =                 selinux_capset_check,
4563         .capset_set =                   selinux_capset_set,
4564         .sysctl =                       selinux_sysctl,
4565         .capable =                      selinux_capable,
4566         .quotactl =                     selinux_quotactl,
4567         .quota_on =                     selinux_quota_on,
4568         .syslog =                       selinux_syslog,
4569         .vm_enough_memory =             selinux_vm_enough_memory,
4570
4571         .netlink_send =                 selinux_netlink_send,
4572         .netlink_recv =                 selinux_netlink_recv,
4573
4574         .bprm_alloc_security =          selinux_bprm_alloc_security,
4575         .bprm_free_security =           selinux_bprm_free_security,
4576         .bprm_apply_creds =             selinux_bprm_apply_creds,
4577         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4578         .bprm_set_security =            selinux_bprm_set_security,
4579         .bprm_check_security =          selinux_bprm_check_security,
4580         .bprm_secureexec =              selinux_bprm_secureexec,
4581
4582         .sb_alloc_security =            selinux_sb_alloc_security,
4583         .sb_free_security =             selinux_sb_free_security,
4584         .sb_copy_data =                 selinux_sb_copy_data,
4585         .sb_kern_mount =                selinux_sb_kern_mount,
4586         .sb_statfs =                    selinux_sb_statfs,
4587         .sb_mount =                     selinux_mount,
4588         .sb_umount =                    selinux_umount,
4589
4590         .inode_alloc_security =         selinux_inode_alloc_security,
4591         .inode_free_security =          selinux_inode_free_security,
4592         .inode_init_security =          selinux_inode_init_security,
4593         .inode_create =                 selinux_inode_create,
4594         .inode_link =                   selinux_inode_link,
4595         .inode_unlink =                 selinux_inode_unlink,
4596         .inode_symlink =                selinux_inode_symlink,
4597         .inode_mkdir =                  selinux_inode_mkdir,
4598         .inode_rmdir =                  selinux_inode_rmdir,
4599         .inode_mknod =                  selinux_inode_mknod,
4600         .inode_rename =                 selinux_inode_rename,
4601         .inode_readlink =               selinux_inode_readlink,
4602         .inode_follow_link =            selinux_inode_follow_link,
4603         .inode_permission =             selinux_inode_permission,
4604         .inode_setattr =                selinux_inode_setattr,
4605         .inode_getattr =                selinux_inode_getattr,
4606         .inode_setxattr =               selinux_inode_setxattr,
4607         .inode_post_setxattr =          selinux_inode_post_setxattr,
4608         .inode_getxattr =               selinux_inode_getxattr,
4609         .inode_listxattr =              selinux_inode_listxattr,
4610         .inode_removexattr =            selinux_inode_removexattr,
4611         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4612         .inode_getsecurity =            selinux_inode_getsecurity,
4613         .inode_setsecurity =            selinux_inode_setsecurity,
4614         .inode_listsecurity =           selinux_inode_listsecurity,
4615
4616         .file_permission =              selinux_file_permission,
4617         .file_alloc_security =          selinux_file_alloc_security,
4618         .file_free_security =           selinux_file_free_security,
4619         .file_ioctl =                   selinux_file_ioctl,
4620         .file_mmap =                    selinux_file_mmap,
4621         .file_mprotect =                selinux_file_mprotect,
4622         .file_lock =                    selinux_file_lock,
4623         .file_fcntl =                   selinux_file_fcntl,
4624         .file_set_fowner =              selinux_file_set_fowner,
4625         .file_send_sigiotask =          selinux_file_send_sigiotask,
4626         .file_receive =                 selinux_file_receive,
4627
4628         .task_create =                  selinux_task_create,
4629         .task_alloc_security =          selinux_task_alloc_security,
4630         .task_free_security =           selinux_task_free_security,
4631         .task_setuid =                  selinux_task_setuid,
4632         .task_post_setuid =             selinux_task_post_setuid,
4633         .task_setgid =                  selinux_task_setgid,
4634         .task_setpgid =                 selinux_task_setpgid,
4635         .task_getpgid =                 selinux_task_getpgid,
4636         .task_getsid =                  selinux_task_getsid,
4637         .task_getsecid =                selinux_task_getsecid,
4638         .task_setgroups =               selinux_task_setgroups,
4639         .task_setnice =                 selinux_task_setnice,
4640         .task_setioprio =               selinux_task_setioprio,
4641         .task_getioprio =               selinux_task_getioprio,
4642         .task_setrlimit =               selinux_task_setrlimit,
4643         .task_setscheduler =            selinux_task_setscheduler,
4644         .task_getscheduler =            selinux_task_getscheduler,
4645         .task_movememory =              selinux_task_movememory,
4646         .task_kill =                    selinux_task_kill,
4647         .task_wait =                    selinux_task_wait,
4648         .task_prctl =                   selinux_task_prctl,
4649         .task_reparent_to_init =        selinux_task_reparent_to_init,
4650         .task_to_inode =                selinux_task_to_inode,
4651
4652         .ipc_permission =               selinux_ipc_permission,
4653
4654         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4655         .msg_msg_free_security =        selinux_msg_msg_free_security,
4656
4657         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4658         .msg_queue_free_security =      selinux_msg_queue_free_security,
4659         .msg_queue_associate =          selinux_msg_queue_associate,
4660         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4661         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4662         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4663
4664         .shm_alloc_security =           selinux_shm_alloc_security,
4665         .shm_free_security =            selinux_shm_free_security,
4666         .shm_associate =                selinux_shm_associate,
4667         .shm_shmctl =                   selinux_shm_shmctl,
4668         .shm_shmat =                    selinux_shm_shmat,
4669
4670         .sem_alloc_security =           selinux_sem_alloc_security,
4671         .sem_free_security =            selinux_sem_free_security,
4672         .sem_associate =                selinux_sem_associate,
4673         .sem_semctl =                   selinux_sem_semctl,
4674         .sem_semop =                    selinux_sem_semop,
4675
4676         .register_security =            selinux_register_security,
4677         .unregister_security =          selinux_unregister_security,
4678
4679         .d_instantiate =                selinux_d_instantiate,
4680
4681         .getprocattr =                  selinux_getprocattr,
4682         .setprocattr =                  selinux_setprocattr,
4683
4684         .secid_to_secctx =              selinux_secid_to_secctx,
4685         .release_secctx =               selinux_release_secctx,
4686
4687         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4688         .unix_may_send =                selinux_socket_unix_may_send,
4689
4690         .socket_create =                selinux_socket_create,
4691         .socket_post_create =           selinux_socket_post_create,
4692         .socket_bind =                  selinux_socket_bind,
4693         .socket_connect =               selinux_socket_connect,
4694         .socket_listen =                selinux_socket_listen,
4695         .socket_accept =                selinux_socket_accept,
4696         .socket_sendmsg =               selinux_socket_sendmsg,
4697         .socket_recvmsg =               selinux_socket_recvmsg,
4698         .socket_getsockname =           selinux_socket_getsockname,
4699         .socket_getpeername =           selinux_socket_getpeername,
4700         .socket_getsockopt =            selinux_socket_getsockopt,
4701         .socket_setsockopt =            selinux_socket_setsockopt,
4702         .socket_shutdown =              selinux_socket_shutdown,
4703         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4704         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4705         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4706         .sk_alloc_security =            selinux_sk_alloc_security,
4707         .sk_free_security =             selinux_sk_free_security,
4708         .sk_clone_security =            selinux_sk_clone_security,
4709         .sk_getsecid =                  selinux_sk_getsecid,
4710         .sock_graft =                   selinux_sock_graft,
4711         .inet_conn_request =            selinux_inet_conn_request,
4712         .inet_csk_clone =               selinux_inet_csk_clone,
4713         .req_classify_flow =            selinux_req_classify_flow,
4714
4715 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4716         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4717         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4718         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4719         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4720         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4721         .xfrm_state_free_security =     selinux_xfrm_state_free,
4722         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4723         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4724         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
4725         .xfrm_flow_state_match =        selinux_xfrm_flow_state_match,
4726         .xfrm_decode_session =          selinux_xfrm_decode_session,
4727 #endif
4728
4729 #ifdef CONFIG_KEYS
4730         .key_alloc =                    selinux_key_alloc,
4731         .key_free =                     selinux_key_free,
4732         .key_permission =               selinux_key_permission,
4733 #endif
4734 };
4735
4736 static __init int selinux_init(void)
4737 {
4738         struct task_security_struct *tsec;
4739
4740         if (!selinux_enabled) {
4741                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4742                 return 0;
4743         }
4744
4745         printk(KERN_INFO "SELinux:  Initializing.\n");
4746
4747         /* Set the security state for the initial task. */
4748         if (task_alloc_security(current))
4749                 panic("SELinux:  Failed to initialize initial task.\n");
4750         tsec = current->security;
4751         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4752
4753         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4754                                             sizeof(struct inode_security_struct),
4755                                             0, SLAB_PANIC, NULL, NULL);
4756         avc_init();
4757
4758         original_ops = secondary_ops = security_ops;
4759         if (!secondary_ops)
4760                 panic ("SELinux: No initial security operations\n");
4761         if (register_security (&selinux_ops))
4762                 panic("SELinux: Unable to register with kernel.\n");
4763
4764         if (selinux_enforcing) {
4765                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4766         } else {
4767                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4768         }
4769
4770 #ifdef CONFIG_KEYS
4771         /* Add security information to initial keyrings */
4772         selinux_key_alloc(&root_user_keyring, current,
4773                           KEY_ALLOC_NOT_IN_QUOTA);
4774         selinux_key_alloc(&root_session_keyring, current,
4775                           KEY_ALLOC_NOT_IN_QUOTA);
4776 #endif
4777
4778         return 0;
4779 }
4780
4781 void selinux_complete_init(void)
4782 {
4783         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4784
4785         /* Set up any superblocks initialized prior to the policy load. */
4786         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4787         spin_lock(&sb_lock);
4788         spin_lock(&sb_security_lock);
4789 next_sb:
4790         if (!list_empty(&superblock_security_head)) {
4791                 struct superblock_security_struct *sbsec =
4792                                 list_entry(superblock_security_head.next,
4793                                            struct superblock_security_struct,
4794                                            list);
4795                 struct super_block *sb = sbsec->sb;
4796                 sb->s_count++;
4797                 spin_unlock(&sb_security_lock);
4798                 spin_unlock(&sb_lock);
4799                 down_read(&sb->s_umount);
4800                 if (sb->s_root)
4801                         superblock_doinit(sb, NULL);
4802                 drop_super(sb);
4803                 spin_lock(&sb_lock);
4804                 spin_lock(&sb_security_lock);
4805                 list_del_init(&sbsec->list);
4806                 goto next_sb;
4807         }
4808         spin_unlock(&sb_security_lock);
4809         spin_unlock(&sb_lock);
4810 }
4811
4812 /* SELinux requires early initialization in order to label
4813    all processes and objects when they are created. */
4814 security_initcall(selinux_init);
4815
4816 #if defined(CONFIG_NETFILTER)
4817
4818 static struct nf_hook_ops selinux_ipv4_op = {
4819         .hook =         selinux_ipv4_postroute_last,
4820         .owner =        THIS_MODULE,
4821         .pf =           PF_INET,
4822         .hooknum =      NF_IP_POST_ROUTING,
4823         .priority =     NF_IP_PRI_SELINUX_LAST,
4824 };
4825
4826 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4827
4828 static struct nf_hook_ops selinux_ipv6_op = {
4829         .hook =         selinux_ipv6_postroute_last,
4830         .owner =        THIS_MODULE,
4831         .pf =           PF_INET6,
4832         .hooknum =      NF_IP6_POST_ROUTING,
4833         .priority =     NF_IP6_PRI_SELINUX_LAST,
4834 };
4835
4836 #endif  /* IPV6 */
4837
4838 static int __init selinux_nf_ip_init(void)
4839 {
4840         int err = 0;
4841
4842         if (!selinux_enabled)
4843                 goto out;
4844                 
4845         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4846         
4847         err = nf_register_hook(&selinux_ipv4_op);
4848         if (err)
4849                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4850
4851 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4852
4853         err = nf_register_hook(&selinux_ipv6_op);
4854         if (err)
4855                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4856
4857 #endif  /* IPV6 */
4858
4859 out:
4860         return err;
4861 }
4862
4863 __initcall(selinux_nf_ip_init);
4864
4865 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4866 static void selinux_nf_ip_exit(void)
4867 {
4868         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4869
4870         nf_unregister_hook(&selinux_ipv4_op);
4871 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4872         nf_unregister_hook(&selinux_ipv6_op);
4873 #endif  /* IPV6 */
4874 }
4875 #endif
4876
4877 #else /* CONFIG_NETFILTER */
4878
4879 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4880 #define selinux_nf_ip_exit()
4881 #endif
4882
4883 #endif /* CONFIG_NETFILTER */
4884
4885 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4886 int selinux_disable(void)
4887 {
4888         extern void exit_sel_fs(void);
4889         static int selinux_disabled = 0;
4890
4891         if (ss_initialized) {
4892                 /* Not permitted after initial policy load. */
4893                 return -EINVAL;
4894         }
4895
4896         if (selinux_disabled) {
4897                 /* Only do this once. */
4898                 return -EINVAL;
4899         }
4900
4901         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4902
4903         selinux_disabled = 1;
4904         selinux_enabled = 0;
4905
4906         /* Reset security_ops to the secondary module, dummy or capability. */
4907         security_ops = secondary_ops;
4908
4909         /* Unregister netfilter hooks. */
4910         selinux_nf_ip_exit();
4911
4912         /* Unregister selinuxfs. */
4913         exit_sel_fs();
4914
4915         return 0;
4916 }
4917 #endif
4918
4919