[MLSXFRM]: Add security sid to sock
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/ptrace.h>
25 #include <linux/errno.h>
26 #include <linux/sched.h>
27 #include <linux/security.h>
28 #include <linux/xattr.h>
29 #include <linux/capability.h>
30 #include <linux/unistd.h>
31 #include <linux/mm.h>
32 #include <linux/mman.h>
33 #include <linux/slab.h>
34 #include <linux/pagemap.h>
35 #include <linux/swap.h>
36 #include <linux/smp_lock.h>
37 #include <linux/spinlock.h>
38 #include <linux/syscalls.h>
39 #include <linux/file.h>
40 #include <linux/namei.h>
41 #include <linux/mount.h>
42 #include <linux/ext2_fs.h>
43 #include <linux/proc_fs.h>
44 #include <linux/kd.h>
45 #include <linux/netfilter_ipv4.h>
46 #include <linux/netfilter_ipv6.h>
47 #include <linux/tty.h>
48 #include <net/icmp.h>
49 #include <net/ip.h>             /* for sysctl_local_port_range[] */
50 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
51 #include <asm/uaccess.h>
52 #include <asm/semaphore.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h>    /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/quota.h>
61 #include <linux/un.h>           /* for Unix socket types */
62 #include <net/af_unix.h>        /* for Unix socket types */
63 #include <linux/parser.h>
64 #include <linux/nfs_mount.h>
65 #include <net/ipv6.h>
66 #include <linux/hugetlb.h>
67 #include <linux/personality.h>
68 #include <linux/sysctl.h>
69 #include <linux/audit.h>
70 #include <linux/string.h>
71 #include <linux/selinux.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
84
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
87
88 static int __init enforcing_setup(char *str)
89 {
90         selinux_enforcing = simple_strtol(str,NULL,0);
91         return 1;
92 }
93 __setup("enforcing=", enforcing_setup);
94 #endif
95
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99 static int __init selinux_enabled_setup(char *str)
100 {
101         selinux_enabled = simple_strtol(str, NULL, 0);
102         return 1;
103 }
104 __setup("selinux=", selinux_enabled_setup);
105 #else
106 int selinux_enabled = 1;
107 #endif
108
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
111
112 /* Minimal support for a secondary security module,
113    just to allow the use of the dummy or capability modules.
114    The owlsm module can alternatively be used as a secondary
115    module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
117
118 /* Lists of inode and superblock security structures initialized
119    before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
122
123 static kmem_cache_t *sel_inode_cache;
124
125 /* Return security context for a given sid or just the context 
126    length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128 {
129         char *context;
130         unsigned len;
131         int rc;
132
133         rc = security_sid_to_context(sid, &context, &len);
134         if (rc)
135                 return rc;
136
137         if (!buffer || !size)
138                 goto getsecurity_exit;
139
140         if (size < len) {
141                 len = -ERANGE;
142                 goto getsecurity_exit;
143         }
144         memcpy(buffer, context, len);
145
146 getsecurity_exit:
147         kfree(context);
148         return len;
149 }
150
151 /* Allocate and free functions for each kind of security blob. */
152
153 static int task_alloc_security(struct task_struct *task)
154 {
155         struct task_security_struct *tsec;
156
157         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158         if (!tsec)
159                 return -ENOMEM;
160
161         tsec->task = task;
162         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163         task->security = tsec;
164
165         return 0;
166 }
167
168 static void task_free_security(struct task_struct *task)
169 {
170         struct task_security_struct *tsec = task->security;
171         task->security = NULL;
172         kfree(tsec);
173 }
174
175 static int inode_alloc_security(struct inode *inode)
176 {
177         struct task_security_struct *tsec = current->security;
178         struct inode_security_struct *isec;
179
180         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
181         if (!isec)
182                 return -ENOMEM;
183
184         memset(isec, 0, sizeof(*isec));
185         init_MUTEX(&isec->sem);
186         INIT_LIST_HEAD(&isec->list);
187         isec->inode = inode;
188         isec->sid = SECINITSID_UNLABELED;
189         isec->sclass = SECCLASS_FILE;
190         isec->task_sid = tsec->sid;
191         inode->i_security = isec;
192
193         return 0;
194 }
195
196 static void inode_free_security(struct inode *inode)
197 {
198         struct inode_security_struct *isec = inode->i_security;
199         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
201         spin_lock(&sbsec->isec_lock);
202         if (!list_empty(&isec->list))
203                 list_del_init(&isec->list);
204         spin_unlock(&sbsec->isec_lock);
205
206         inode->i_security = NULL;
207         kmem_cache_free(sel_inode_cache, isec);
208 }
209
210 static int file_alloc_security(struct file *file)
211 {
212         struct task_security_struct *tsec = current->security;
213         struct file_security_struct *fsec;
214
215         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
216         if (!fsec)
217                 return -ENOMEM;
218
219         fsec->file = file;
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         init_MUTEX(&sbsec->sem);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         ssec = kzalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         ssec->sk = sk;
277         ssec->peer_sid = SECINITSID_UNLABELED;
278         ssec->sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         return 0;
282 }
283
284 static void sk_free_security(struct sock *sk)
285 {
286         struct sk_security_struct *ssec = sk->sk_security;
287
288         sk->sk_security = NULL;
289         kfree(ssec);
290 }
291
292 /* The security server must be initialized before
293    any labeling or access decisions can be provided. */
294 extern int ss_initialized;
295
296 /* The file system's label must be initialized prior to use. */
297
298 static char *labeling_behaviors[6] = {
299         "uses xattr",
300         "uses transition SIDs",
301         "uses task SIDs",
302         "uses genfs_contexts",
303         "not configured for labeling",
304         "uses mountpoint labeling",
305 };
306
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308
309 static inline int inode_doinit(struct inode *inode)
310 {
311         return inode_doinit_with_dentry(inode, NULL);
312 }
313
314 enum {
315         Opt_context = 1,
316         Opt_fscontext = 2,
317         Opt_defcontext = 4,
318         Opt_rootcontext = 8,
319 };
320
321 static match_table_t tokens = {
322         {Opt_context, "context=%s"},
323         {Opt_fscontext, "fscontext=%s"},
324         {Opt_defcontext, "defcontext=%s"},
325         {Opt_rootcontext, "rootcontext=%s"},
326 };
327
328 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
329
330 static int may_context_mount_sb_relabel(u32 sid,
331                         struct superblock_security_struct *sbsec,
332                         struct task_security_struct *tsec)
333 {
334         int rc;
335
336         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
337                           FILESYSTEM__RELABELFROM, NULL);
338         if (rc)
339                 return rc;
340
341         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
342                           FILESYSTEM__RELABELTO, NULL);
343         return rc;
344 }
345
346 static int may_context_mount_inode_relabel(u32 sid,
347                         struct superblock_security_struct *sbsec,
348                         struct task_security_struct *tsec)
349 {
350         int rc;
351         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
352                           FILESYSTEM__RELABELFROM, NULL);
353         if (rc)
354                 return rc;
355
356         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
357                           FILESYSTEM__ASSOCIATE, NULL);
358         return rc;
359 }
360
361 static int try_context_mount(struct super_block *sb, void *data)
362 {
363         char *context = NULL, *defcontext = NULL;
364         char *fscontext = NULL, *rootcontext = NULL;
365         const char *name;
366         u32 sid;
367         int alloc = 0, rc = 0, seen = 0;
368         struct task_security_struct *tsec = current->security;
369         struct superblock_security_struct *sbsec = sb->s_security;
370
371         if (!data)
372                 goto out;
373
374         name = sb->s_type->name;
375
376         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
377
378                 /* NFS we understand. */
379                 if (!strcmp(name, "nfs")) {
380                         struct nfs_mount_data *d = data;
381
382                         if (d->version <  NFS_MOUNT_VERSION)
383                                 goto out;
384
385                         if (d->context[0]) {
386                                 context = d->context;
387                                 seen |= Opt_context;
388                         }
389                 } else
390                         goto out;
391
392         } else {
393                 /* Standard string-based options. */
394                 char *p, *options = data;
395
396                 while ((p = strsep(&options, ",")) != NULL) {
397                         int token;
398                         substring_t args[MAX_OPT_ARGS];
399
400                         if (!*p)
401                                 continue;
402
403                         token = match_token(p, tokens, args);
404
405                         switch (token) {
406                         case Opt_context:
407                                 if (seen & (Opt_context|Opt_defcontext)) {
408                                         rc = -EINVAL;
409                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
410                                         goto out_free;
411                                 }
412                                 context = match_strdup(&args[0]);
413                                 if (!context) {
414                                         rc = -ENOMEM;
415                                         goto out_free;
416                                 }
417                                 if (!alloc)
418                                         alloc = 1;
419                                 seen |= Opt_context;
420                                 break;
421
422                         case Opt_fscontext:
423                                 if (seen & Opt_fscontext) {
424                                         rc = -EINVAL;
425                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
426                                         goto out_free;
427                                 }
428                                 fscontext = match_strdup(&args[0]);
429                                 if (!fscontext) {
430                                         rc = -ENOMEM;
431                                         goto out_free;
432                                 }
433                                 if (!alloc)
434                                         alloc = 1;
435                                 seen |= Opt_fscontext;
436                                 break;
437
438                         case Opt_rootcontext:
439                                 if (seen & Opt_rootcontext) {
440                                         rc = -EINVAL;
441                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
442                                         goto out_free;
443                                 }
444                                 rootcontext = match_strdup(&args[0]);
445                                 if (!rootcontext) {
446                                         rc = -ENOMEM;
447                                         goto out_free;
448                                 }
449                                 if (!alloc)
450                                         alloc = 1;
451                                 seen |= Opt_rootcontext;
452                                 break;
453
454                         case Opt_defcontext:
455                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
456                                         rc = -EINVAL;
457                                         printk(KERN_WARNING "SELinux:  "
458                                                "defcontext option is invalid "
459                                                "for this filesystem type\n");
460                                         goto out_free;
461                                 }
462                                 if (seen & (Opt_context|Opt_defcontext)) {
463                                         rc = -EINVAL;
464                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
465                                         goto out_free;
466                                 }
467                                 defcontext = match_strdup(&args[0]);
468                                 if (!defcontext) {
469                                         rc = -ENOMEM;
470                                         goto out_free;
471                                 }
472                                 if (!alloc)
473                                         alloc = 1;
474                                 seen |= Opt_defcontext;
475                                 break;
476
477                         default:
478                                 rc = -EINVAL;
479                                 printk(KERN_WARNING "SELinux:  unknown mount "
480                                        "option\n");
481                                 goto out_free;
482
483                         }
484                 }
485         }
486
487         if (!seen)
488                 goto out;
489
490         /* sets the context of the superblock for the fs being mounted. */
491         if (fscontext) {
492                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
493                 if (rc) {
494                         printk(KERN_WARNING "SELinux: security_context_to_sid"
495                                "(%s) failed for (dev %s, type %s) errno=%d\n",
496                                fscontext, sb->s_id, name, rc);
497                         goto out_free;
498                 }
499
500                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
501                 if (rc)
502                         goto out_free;
503
504                 sbsec->sid = sid;
505         }
506
507         /*
508          * Switch to using mount point labeling behavior.
509          * sets the label used on all file below the mountpoint, and will set
510          * the superblock context if not already set.
511          */
512         if (context) {
513                 rc = security_context_to_sid(context, strlen(context), &sid);
514                 if (rc) {
515                         printk(KERN_WARNING "SELinux: security_context_to_sid"
516                                "(%s) failed for (dev %s, type %s) errno=%d\n",
517                                context, sb->s_id, name, rc);
518                         goto out_free;
519                 }
520
521                 if (!fscontext) {
522                         rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
523                         if (rc)
524                                 goto out_free;
525                         sbsec->sid = sid;
526                 } else {
527                         rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
528                         if (rc)
529                                 goto out_free;
530                 }
531                 sbsec->mntpoint_sid = sid;
532
533                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
534         }
535
536         if (rootcontext) {
537                 struct inode *inode = sb->s_root->d_inode;
538                 struct inode_security_struct *isec = inode->i_security;
539                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
540                 if (rc) {
541                         printk(KERN_WARNING "SELinux: security_context_to_sid"
542                                "(%s) failed for (dev %s, type %s) errno=%d\n",
543                                rootcontext, sb->s_id, name, rc);
544                         goto out_free;
545                 }
546
547                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
548                 if (rc)
549                         goto out_free;
550
551                 isec->sid = sid;
552                 isec->initialized = 1;
553         }
554
555         if (defcontext) {
556                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
557                 if (rc) {
558                         printk(KERN_WARNING "SELinux: security_context_to_sid"
559                                "(%s) failed for (dev %s, type %s) errno=%d\n",
560                                defcontext, sb->s_id, name, rc);
561                         goto out_free;
562                 }
563
564                 if (sid == sbsec->def_sid)
565                         goto out_free;
566
567                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
568                 if (rc)
569                         goto out_free;
570
571                 sbsec->def_sid = sid;
572         }
573
574 out_free:
575         if (alloc) {
576                 kfree(context);
577                 kfree(defcontext);
578                 kfree(fscontext);
579                 kfree(rootcontext);
580         }
581 out:
582         return rc;
583 }
584
585 static int superblock_doinit(struct super_block *sb, void *data)
586 {
587         struct superblock_security_struct *sbsec = sb->s_security;
588         struct dentry *root = sb->s_root;
589         struct inode *inode = root->d_inode;
590         int rc = 0;
591
592         down(&sbsec->sem);
593         if (sbsec->initialized)
594                 goto out;
595
596         if (!ss_initialized) {
597                 /* Defer initialization until selinux_complete_init,
598                    after the initial policy is loaded and the security
599                    server is ready to handle calls. */
600                 spin_lock(&sb_security_lock);
601                 if (list_empty(&sbsec->list))
602                         list_add(&sbsec->list, &superblock_security_head);
603                 spin_unlock(&sb_security_lock);
604                 goto out;
605         }
606
607         /* Determine the labeling behavior to use for this filesystem type. */
608         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
609         if (rc) {
610                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
611                        __FUNCTION__, sb->s_type->name, rc);
612                 goto out;
613         }
614
615         rc = try_context_mount(sb, data);
616         if (rc)
617                 goto out;
618
619         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
620                 /* Make sure that the xattr handler exists and that no
621                    error other than -ENODATA is returned by getxattr on
622                    the root directory.  -ENODATA is ok, as this may be
623                    the first boot of the SELinux kernel before we have
624                    assigned xattr values to the filesystem. */
625                 if (!inode->i_op->getxattr) {
626                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
627                                "xattr support\n", sb->s_id, sb->s_type->name);
628                         rc = -EOPNOTSUPP;
629                         goto out;
630                 }
631                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
632                 if (rc < 0 && rc != -ENODATA) {
633                         if (rc == -EOPNOTSUPP)
634                                 printk(KERN_WARNING "SELinux: (dev %s, type "
635                                        "%s) has no security xattr handler\n",
636                                        sb->s_id, sb->s_type->name);
637                         else
638                                 printk(KERN_WARNING "SELinux: (dev %s, type "
639                                        "%s) getxattr errno %d\n", sb->s_id,
640                                        sb->s_type->name, -rc);
641                         goto out;
642                 }
643         }
644
645         if (strcmp(sb->s_type->name, "proc") == 0)
646                 sbsec->proc = 1;
647
648         sbsec->initialized = 1;
649
650         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
651                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
652                        sb->s_id, sb->s_type->name);
653         }
654         else {
655                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
656                        sb->s_id, sb->s_type->name,
657                        labeling_behaviors[sbsec->behavior-1]);
658         }
659
660         /* Initialize the root inode. */
661         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
662
663         /* Initialize any other inodes associated with the superblock, e.g.
664            inodes created prior to initial policy load or inodes created
665            during get_sb by a pseudo filesystem that directly
666            populates itself. */
667         spin_lock(&sbsec->isec_lock);
668 next_inode:
669         if (!list_empty(&sbsec->isec_head)) {
670                 struct inode_security_struct *isec =
671                                 list_entry(sbsec->isec_head.next,
672                                            struct inode_security_struct, list);
673                 struct inode *inode = isec->inode;
674                 spin_unlock(&sbsec->isec_lock);
675                 inode = igrab(inode);
676                 if (inode) {
677                         if (!IS_PRIVATE (inode))
678                                 inode_doinit(inode);
679                         iput(inode);
680                 }
681                 spin_lock(&sbsec->isec_lock);
682                 list_del_init(&isec->list);
683                 goto next_inode;
684         }
685         spin_unlock(&sbsec->isec_lock);
686 out:
687         up(&sbsec->sem);
688         return rc;
689 }
690
691 static inline u16 inode_mode_to_security_class(umode_t mode)
692 {
693         switch (mode & S_IFMT) {
694         case S_IFSOCK:
695                 return SECCLASS_SOCK_FILE;
696         case S_IFLNK:
697                 return SECCLASS_LNK_FILE;
698         case S_IFREG:
699                 return SECCLASS_FILE;
700         case S_IFBLK:
701                 return SECCLASS_BLK_FILE;
702         case S_IFDIR:
703                 return SECCLASS_DIR;
704         case S_IFCHR:
705                 return SECCLASS_CHR_FILE;
706         case S_IFIFO:
707                 return SECCLASS_FIFO_FILE;
708
709         }
710
711         return SECCLASS_FILE;
712 }
713
714 static inline int default_protocol_stream(int protocol)
715 {
716         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
717 }
718
719 static inline int default_protocol_dgram(int protocol)
720 {
721         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
722 }
723
724 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
725 {
726         switch (family) {
727         case PF_UNIX:
728                 switch (type) {
729                 case SOCK_STREAM:
730                 case SOCK_SEQPACKET:
731                         return SECCLASS_UNIX_STREAM_SOCKET;
732                 case SOCK_DGRAM:
733                         return SECCLASS_UNIX_DGRAM_SOCKET;
734                 }
735                 break;
736         case PF_INET:
737         case PF_INET6:
738                 switch (type) {
739                 case SOCK_STREAM:
740                         if (default_protocol_stream(protocol))
741                                 return SECCLASS_TCP_SOCKET;
742                         else
743                                 return SECCLASS_RAWIP_SOCKET;
744                 case SOCK_DGRAM:
745                         if (default_protocol_dgram(protocol))
746                                 return SECCLASS_UDP_SOCKET;
747                         else
748                                 return SECCLASS_RAWIP_SOCKET;
749                 default:
750                         return SECCLASS_RAWIP_SOCKET;
751                 }
752                 break;
753         case PF_NETLINK:
754                 switch (protocol) {
755                 case NETLINK_ROUTE:
756                         return SECCLASS_NETLINK_ROUTE_SOCKET;
757                 case NETLINK_FIREWALL:
758                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
759                 case NETLINK_INET_DIAG:
760                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
761                 case NETLINK_NFLOG:
762                         return SECCLASS_NETLINK_NFLOG_SOCKET;
763                 case NETLINK_XFRM:
764                         return SECCLASS_NETLINK_XFRM_SOCKET;
765                 case NETLINK_SELINUX:
766                         return SECCLASS_NETLINK_SELINUX_SOCKET;
767                 case NETLINK_AUDIT:
768                         return SECCLASS_NETLINK_AUDIT_SOCKET;
769                 case NETLINK_IP6_FW:
770                         return SECCLASS_NETLINK_IP6FW_SOCKET;
771                 case NETLINK_DNRTMSG:
772                         return SECCLASS_NETLINK_DNRT_SOCKET;
773                 case NETLINK_KOBJECT_UEVENT:
774                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
775                 default:
776                         return SECCLASS_NETLINK_SOCKET;
777                 }
778         case PF_PACKET:
779                 return SECCLASS_PACKET_SOCKET;
780         case PF_KEY:
781                 return SECCLASS_KEY_SOCKET;
782         case PF_APPLETALK:
783                 return SECCLASS_APPLETALK_SOCKET;
784         }
785
786         return SECCLASS_SOCKET;
787 }
788
789 #ifdef CONFIG_PROC_FS
790 static int selinux_proc_get_sid(struct proc_dir_entry *de,
791                                 u16 tclass,
792                                 u32 *sid)
793 {
794         int buflen, rc;
795         char *buffer, *path, *end;
796
797         buffer = (char*)__get_free_page(GFP_KERNEL);
798         if (!buffer)
799                 return -ENOMEM;
800
801         buflen = PAGE_SIZE;
802         end = buffer+buflen;
803         *--end = '\0';
804         buflen--;
805         path = end-1;
806         *path = '/';
807         while (de && de != de->parent) {
808                 buflen -= de->namelen + 1;
809                 if (buflen < 0)
810                         break;
811                 end -= de->namelen;
812                 memcpy(end, de->name, de->namelen);
813                 *--end = '/';
814                 path = end;
815                 de = de->parent;
816         }
817         rc = security_genfs_sid("proc", path, tclass, sid);
818         free_page((unsigned long)buffer);
819         return rc;
820 }
821 #else
822 static int selinux_proc_get_sid(struct proc_dir_entry *de,
823                                 u16 tclass,
824                                 u32 *sid)
825 {
826         return -EINVAL;
827 }
828 #endif
829
830 /* The inode's security attributes must be initialized before first use. */
831 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
832 {
833         struct superblock_security_struct *sbsec = NULL;
834         struct inode_security_struct *isec = inode->i_security;
835         u32 sid;
836         struct dentry *dentry;
837 #define INITCONTEXTLEN 255
838         char *context = NULL;
839         unsigned len = 0;
840         int rc = 0;
841         int hold_sem = 0;
842
843         if (isec->initialized)
844                 goto out;
845
846         down(&isec->sem);
847         hold_sem = 1;
848         if (isec->initialized)
849                 goto out;
850
851         sbsec = inode->i_sb->s_security;
852         if (!sbsec->initialized) {
853                 /* Defer initialization until selinux_complete_init,
854                    after the initial policy is loaded and the security
855                    server is ready to handle calls. */
856                 spin_lock(&sbsec->isec_lock);
857                 if (list_empty(&isec->list))
858                         list_add(&isec->list, &sbsec->isec_head);
859                 spin_unlock(&sbsec->isec_lock);
860                 goto out;
861         }
862
863         switch (sbsec->behavior) {
864         case SECURITY_FS_USE_XATTR:
865                 if (!inode->i_op->getxattr) {
866                         isec->sid = sbsec->def_sid;
867                         break;
868                 }
869
870                 /* Need a dentry, since the xattr API requires one.
871                    Life would be simpler if we could just pass the inode. */
872                 if (opt_dentry) {
873                         /* Called from d_instantiate or d_splice_alias. */
874                         dentry = dget(opt_dentry);
875                 } else {
876                         /* Called from selinux_complete_init, try to find a dentry. */
877                         dentry = d_find_alias(inode);
878                 }
879                 if (!dentry) {
880                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
881                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
882                                inode->i_ino);
883                         goto out;
884                 }
885
886                 len = INITCONTEXTLEN;
887                 context = kmalloc(len, GFP_KERNEL);
888                 if (!context) {
889                         rc = -ENOMEM;
890                         dput(dentry);
891                         goto out;
892                 }
893                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
894                                            context, len);
895                 if (rc == -ERANGE) {
896                         /* Need a larger buffer.  Query for the right size. */
897                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
898                                                    NULL, 0);
899                         if (rc < 0) {
900                                 dput(dentry);
901                                 goto out;
902                         }
903                         kfree(context);
904                         len = rc;
905                         context = kmalloc(len, GFP_KERNEL);
906                         if (!context) {
907                                 rc = -ENOMEM;
908                                 dput(dentry);
909                                 goto out;
910                         }
911                         rc = inode->i_op->getxattr(dentry,
912                                                    XATTR_NAME_SELINUX,
913                                                    context, len);
914                 }
915                 dput(dentry);
916                 if (rc < 0) {
917                         if (rc != -ENODATA) {
918                                 printk(KERN_WARNING "%s:  getxattr returned "
919                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
920                                        -rc, inode->i_sb->s_id, inode->i_ino);
921                                 kfree(context);
922                                 goto out;
923                         }
924                         /* Map ENODATA to the default file SID */
925                         sid = sbsec->def_sid;
926                         rc = 0;
927                 } else {
928                         rc = security_context_to_sid_default(context, rc, &sid,
929                                                              sbsec->def_sid);
930                         if (rc) {
931                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
932                                        "returned %d for dev=%s ino=%ld\n",
933                                        __FUNCTION__, context, -rc,
934                                        inode->i_sb->s_id, inode->i_ino);
935                                 kfree(context);
936                                 /* Leave with the unlabeled SID */
937                                 rc = 0;
938                                 break;
939                         }
940                 }
941                 kfree(context);
942                 isec->sid = sid;
943                 break;
944         case SECURITY_FS_USE_TASK:
945                 isec->sid = isec->task_sid;
946                 break;
947         case SECURITY_FS_USE_TRANS:
948                 /* Default to the fs SID. */
949                 isec->sid = sbsec->sid;
950
951                 /* Try to obtain a transition SID. */
952                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
953                 rc = security_transition_sid(isec->task_sid,
954                                              sbsec->sid,
955                                              isec->sclass,
956                                              &sid);
957                 if (rc)
958                         goto out;
959                 isec->sid = sid;
960                 break;
961         case SECURITY_FS_USE_MNTPOINT:
962                 isec->sid = sbsec->mntpoint_sid;
963                 break;
964         default:
965                 /* Default to the fs superblock SID. */
966                 isec->sid = sbsec->sid;
967
968                 if (sbsec->proc) {
969                         struct proc_inode *proci = PROC_I(inode);
970                         if (proci->pde) {
971                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
972                                 rc = selinux_proc_get_sid(proci->pde,
973                                                           isec->sclass,
974                                                           &sid);
975                                 if (rc)
976                                         goto out;
977                                 isec->sid = sid;
978                         }
979                 }
980                 break;
981         }
982
983         isec->initialized = 1;
984
985 out:
986         if (isec->sclass == SECCLASS_FILE)
987                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
988
989         if (hold_sem)
990                 up(&isec->sem);
991         return rc;
992 }
993
994 /* Convert a Linux signal to an access vector. */
995 static inline u32 signal_to_av(int sig)
996 {
997         u32 perm = 0;
998
999         switch (sig) {
1000         case SIGCHLD:
1001                 /* Commonly granted from child to parent. */
1002                 perm = PROCESS__SIGCHLD;
1003                 break;
1004         case SIGKILL:
1005                 /* Cannot be caught or ignored */
1006                 perm = PROCESS__SIGKILL;
1007                 break;
1008         case SIGSTOP:
1009                 /* Cannot be caught or ignored */
1010                 perm = PROCESS__SIGSTOP;
1011                 break;
1012         default:
1013                 /* All other signals. */
1014                 perm = PROCESS__SIGNAL;
1015                 break;
1016         }
1017
1018         return perm;
1019 }
1020
1021 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1022    fork check, ptrace check, etc. */
1023 static int task_has_perm(struct task_struct *tsk1,
1024                          struct task_struct *tsk2,
1025                          u32 perms)
1026 {
1027         struct task_security_struct *tsec1, *tsec2;
1028
1029         tsec1 = tsk1->security;
1030         tsec2 = tsk2->security;
1031         return avc_has_perm(tsec1->sid, tsec2->sid,
1032                             SECCLASS_PROCESS, perms, NULL);
1033 }
1034
1035 /* Check whether a task is allowed to use a capability. */
1036 static int task_has_capability(struct task_struct *tsk,
1037                                int cap)
1038 {
1039         struct task_security_struct *tsec;
1040         struct avc_audit_data ad;
1041
1042         tsec = tsk->security;
1043
1044         AVC_AUDIT_DATA_INIT(&ad,CAP);
1045         ad.tsk = tsk;
1046         ad.u.cap = cap;
1047
1048         return avc_has_perm(tsec->sid, tsec->sid,
1049                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1050 }
1051
1052 /* Check whether a task is allowed to use a system operation. */
1053 static int task_has_system(struct task_struct *tsk,
1054                            u32 perms)
1055 {
1056         struct task_security_struct *tsec;
1057
1058         tsec = tsk->security;
1059
1060         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1061                             SECCLASS_SYSTEM, perms, NULL);
1062 }
1063
1064 /* Check whether a task has a particular permission to an inode.
1065    The 'adp' parameter is optional and allows other audit
1066    data to be passed (e.g. the dentry). */
1067 static int inode_has_perm(struct task_struct *tsk,
1068                           struct inode *inode,
1069                           u32 perms,
1070                           struct avc_audit_data *adp)
1071 {
1072         struct task_security_struct *tsec;
1073         struct inode_security_struct *isec;
1074         struct avc_audit_data ad;
1075
1076         tsec = tsk->security;
1077         isec = inode->i_security;
1078
1079         if (!adp) {
1080                 adp = &ad;
1081                 AVC_AUDIT_DATA_INIT(&ad, FS);
1082                 ad.u.fs.inode = inode;
1083         }
1084
1085         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1086 }
1087
1088 /* Same as inode_has_perm, but pass explicit audit data containing
1089    the dentry to help the auditing code to more easily generate the
1090    pathname if needed. */
1091 static inline int dentry_has_perm(struct task_struct *tsk,
1092                                   struct vfsmount *mnt,
1093                                   struct dentry *dentry,
1094                                   u32 av)
1095 {
1096         struct inode *inode = dentry->d_inode;
1097         struct avc_audit_data ad;
1098         AVC_AUDIT_DATA_INIT(&ad,FS);
1099         ad.u.fs.mnt = mnt;
1100         ad.u.fs.dentry = dentry;
1101         return inode_has_perm(tsk, inode, av, &ad);
1102 }
1103
1104 /* Check whether a task can use an open file descriptor to
1105    access an inode in a given way.  Check access to the
1106    descriptor itself, and then use dentry_has_perm to
1107    check a particular permission to the file.
1108    Access to the descriptor is implicitly granted if it
1109    has the same SID as the process.  If av is zero, then
1110    access to the file is not checked, e.g. for cases
1111    where only the descriptor is affected like seek. */
1112 static int file_has_perm(struct task_struct *tsk,
1113                                 struct file *file,
1114                                 u32 av)
1115 {
1116         struct task_security_struct *tsec = tsk->security;
1117         struct file_security_struct *fsec = file->f_security;
1118         struct vfsmount *mnt = file->f_vfsmnt;
1119         struct dentry *dentry = file->f_dentry;
1120         struct inode *inode = dentry->d_inode;
1121         struct avc_audit_data ad;
1122         int rc;
1123
1124         AVC_AUDIT_DATA_INIT(&ad, FS);
1125         ad.u.fs.mnt = mnt;
1126         ad.u.fs.dentry = dentry;
1127
1128         if (tsec->sid != fsec->sid) {
1129                 rc = avc_has_perm(tsec->sid, fsec->sid,
1130                                   SECCLASS_FD,
1131                                   FD__USE,
1132                                   &ad);
1133                 if (rc)
1134                         return rc;
1135         }
1136
1137         /* av is zero if only checking access to the descriptor. */
1138         if (av)
1139                 return inode_has_perm(tsk, inode, av, &ad);
1140
1141         return 0;
1142 }
1143
1144 /* Check whether a task can create a file. */
1145 static int may_create(struct inode *dir,
1146                       struct dentry *dentry,
1147                       u16 tclass)
1148 {
1149         struct task_security_struct *tsec;
1150         struct inode_security_struct *dsec;
1151         struct superblock_security_struct *sbsec;
1152         u32 newsid;
1153         struct avc_audit_data ad;
1154         int rc;
1155
1156         tsec = current->security;
1157         dsec = dir->i_security;
1158         sbsec = dir->i_sb->s_security;
1159
1160         AVC_AUDIT_DATA_INIT(&ad, FS);
1161         ad.u.fs.dentry = dentry;
1162
1163         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1164                           DIR__ADD_NAME | DIR__SEARCH,
1165                           &ad);
1166         if (rc)
1167                 return rc;
1168
1169         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1170                 newsid = tsec->create_sid;
1171         } else {
1172                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1173                                              &newsid);
1174                 if (rc)
1175                         return rc;
1176         }
1177
1178         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1179         if (rc)
1180                 return rc;
1181
1182         return avc_has_perm(newsid, sbsec->sid,
1183                             SECCLASS_FILESYSTEM,
1184                             FILESYSTEM__ASSOCIATE, &ad);
1185 }
1186
1187 /* Check whether a task can create a key. */
1188 static int may_create_key(u32 ksid,
1189                           struct task_struct *ctx)
1190 {
1191         struct task_security_struct *tsec;
1192
1193         tsec = ctx->security;
1194
1195         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1196 }
1197
1198 #define MAY_LINK   0
1199 #define MAY_UNLINK 1
1200 #define MAY_RMDIR  2
1201
1202 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1203 static int may_link(struct inode *dir,
1204                     struct dentry *dentry,
1205                     int kind)
1206
1207 {
1208         struct task_security_struct *tsec;
1209         struct inode_security_struct *dsec, *isec;
1210         struct avc_audit_data ad;
1211         u32 av;
1212         int rc;
1213
1214         tsec = current->security;
1215         dsec = dir->i_security;
1216         isec = dentry->d_inode->i_security;
1217
1218         AVC_AUDIT_DATA_INIT(&ad, FS);
1219         ad.u.fs.dentry = dentry;
1220
1221         av = DIR__SEARCH;
1222         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1223         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1224         if (rc)
1225                 return rc;
1226
1227         switch (kind) {
1228         case MAY_LINK:
1229                 av = FILE__LINK;
1230                 break;
1231         case MAY_UNLINK:
1232                 av = FILE__UNLINK;
1233                 break;
1234         case MAY_RMDIR:
1235                 av = DIR__RMDIR;
1236                 break;
1237         default:
1238                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1239                 return 0;
1240         }
1241
1242         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1243         return rc;
1244 }
1245
1246 static inline int may_rename(struct inode *old_dir,
1247                              struct dentry *old_dentry,
1248                              struct inode *new_dir,
1249                              struct dentry *new_dentry)
1250 {
1251         struct task_security_struct *tsec;
1252         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1253         struct avc_audit_data ad;
1254         u32 av;
1255         int old_is_dir, new_is_dir;
1256         int rc;
1257
1258         tsec = current->security;
1259         old_dsec = old_dir->i_security;
1260         old_isec = old_dentry->d_inode->i_security;
1261         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1262         new_dsec = new_dir->i_security;
1263
1264         AVC_AUDIT_DATA_INIT(&ad, FS);
1265
1266         ad.u.fs.dentry = old_dentry;
1267         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1268                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1269         if (rc)
1270                 return rc;
1271         rc = avc_has_perm(tsec->sid, old_isec->sid,
1272                           old_isec->sclass, FILE__RENAME, &ad);
1273         if (rc)
1274                 return rc;
1275         if (old_is_dir && new_dir != old_dir) {
1276                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1277                                   old_isec->sclass, DIR__REPARENT, &ad);
1278                 if (rc)
1279                         return rc;
1280         }
1281
1282         ad.u.fs.dentry = new_dentry;
1283         av = DIR__ADD_NAME | DIR__SEARCH;
1284         if (new_dentry->d_inode)
1285                 av |= DIR__REMOVE_NAME;
1286         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1287         if (rc)
1288                 return rc;
1289         if (new_dentry->d_inode) {
1290                 new_isec = new_dentry->d_inode->i_security;
1291                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1292                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1293                                   new_isec->sclass,
1294                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1295                 if (rc)
1296                         return rc;
1297         }
1298
1299         return 0;
1300 }
1301
1302 /* Check whether a task can perform a filesystem operation. */
1303 static int superblock_has_perm(struct task_struct *tsk,
1304                                struct super_block *sb,
1305                                u32 perms,
1306                                struct avc_audit_data *ad)
1307 {
1308         struct task_security_struct *tsec;
1309         struct superblock_security_struct *sbsec;
1310
1311         tsec = tsk->security;
1312         sbsec = sb->s_security;
1313         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1314                             perms, ad);
1315 }
1316
1317 /* Convert a Linux mode and permission mask to an access vector. */
1318 static inline u32 file_mask_to_av(int mode, int mask)
1319 {
1320         u32 av = 0;
1321
1322         if ((mode & S_IFMT) != S_IFDIR) {
1323                 if (mask & MAY_EXEC)
1324                         av |= FILE__EXECUTE;
1325                 if (mask & MAY_READ)
1326                         av |= FILE__READ;
1327
1328                 if (mask & MAY_APPEND)
1329                         av |= FILE__APPEND;
1330                 else if (mask & MAY_WRITE)
1331                         av |= FILE__WRITE;
1332
1333         } else {
1334                 if (mask & MAY_EXEC)
1335                         av |= DIR__SEARCH;
1336                 if (mask & MAY_WRITE)
1337                         av |= DIR__WRITE;
1338                 if (mask & MAY_READ)
1339                         av |= DIR__READ;
1340         }
1341
1342         return av;
1343 }
1344
1345 /* Convert a Linux file to an access vector. */
1346 static inline u32 file_to_av(struct file *file)
1347 {
1348         u32 av = 0;
1349
1350         if (file->f_mode & FMODE_READ)
1351                 av |= FILE__READ;
1352         if (file->f_mode & FMODE_WRITE) {
1353                 if (file->f_flags & O_APPEND)
1354                         av |= FILE__APPEND;
1355                 else
1356                         av |= FILE__WRITE;
1357         }
1358
1359         return av;
1360 }
1361
1362 /* Set an inode's SID to a specified value. */
1363 static int inode_security_set_sid(struct inode *inode, u32 sid)
1364 {
1365         struct inode_security_struct *isec = inode->i_security;
1366         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1367
1368         if (!sbsec->initialized) {
1369                 /* Defer initialization to selinux_complete_init. */
1370                 return 0;
1371         }
1372
1373         down(&isec->sem);
1374         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1375         isec->sid = sid;
1376         isec->initialized = 1;
1377         up(&isec->sem);
1378         return 0;
1379 }
1380
1381 /* Hook functions begin here. */
1382
1383 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1384 {
1385         struct task_security_struct *psec = parent->security;
1386         struct task_security_struct *csec = child->security;
1387         int rc;
1388
1389         rc = secondary_ops->ptrace(parent,child);
1390         if (rc)
1391                 return rc;
1392
1393         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1394         /* Save the SID of the tracing process for later use in apply_creds. */
1395         if (!(child->ptrace & PT_PTRACED) && !rc)
1396                 csec->ptrace_sid = psec->sid;
1397         return rc;
1398 }
1399
1400 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1401                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1402 {
1403         int error;
1404
1405         error = task_has_perm(current, target, PROCESS__GETCAP);
1406         if (error)
1407                 return error;
1408
1409         return secondary_ops->capget(target, effective, inheritable, permitted);
1410 }
1411
1412 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1413                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1414 {
1415         int error;
1416
1417         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1418         if (error)
1419                 return error;
1420
1421         return task_has_perm(current, target, PROCESS__SETCAP);
1422 }
1423
1424 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1425                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1426 {
1427         secondary_ops->capset_set(target, effective, inheritable, permitted);
1428 }
1429
1430 static int selinux_capable(struct task_struct *tsk, int cap)
1431 {
1432         int rc;
1433
1434         rc = secondary_ops->capable(tsk, cap);
1435         if (rc)
1436                 return rc;
1437
1438         return task_has_capability(tsk,cap);
1439 }
1440
1441 static int selinux_sysctl(ctl_table *table, int op)
1442 {
1443         int error = 0;
1444         u32 av;
1445         struct task_security_struct *tsec;
1446         u32 tsid;
1447         int rc;
1448
1449         rc = secondary_ops->sysctl(table, op);
1450         if (rc)
1451                 return rc;
1452
1453         tsec = current->security;
1454
1455         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1456                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1457         if (rc) {
1458                 /* Default to the well-defined sysctl SID. */
1459                 tsid = SECINITSID_SYSCTL;
1460         }
1461
1462         /* The op values are "defined" in sysctl.c, thereby creating
1463          * a bad coupling between this module and sysctl.c */
1464         if(op == 001) {
1465                 error = avc_has_perm(tsec->sid, tsid,
1466                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1467         } else {
1468                 av = 0;
1469                 if (op & 004)
1470                         av |= FILE__READ;
1471                 if (op & 002)
1472                         av |= FILE__WRITE;
1473                 if (av)
1474                         error = avc_has_perm(tsec->sid, tsid,
1475                                              SECCLASS_FILE, av, NULL);
1476         }
1477
1478         return error;
1479 }
1480
1481 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1482 {
1483         int rc = 0;
1484
1485         if (!sb)
1486                 return 0;
1487
1488         switch (cmds) {
1489                 case Q_SYNC:
1490                 case Q_QUOTAON:
1491                 case Q_QUOTAOFF:
1492                 case Q_SETINFO:
1493                 case Q_SETQUOTA:
1494                         rc = superblock_has_perm(current,
1495                                                  sb,
1496                                                  FILESYSTEM__QUOTAMOD, NULL);
1497                         break;
1498                 case Q_GETFMT:
1499                 case Q_GETINFO:
1500                 case Q_GETQUOTA:
1501                         rc = superblock_has_perm(current,
1502                                                  sb,
1503                                                  FILESYSTEM__QUOTAGET, NULL);
1504                         break;
1505                 default:
1506                         rc = 0;  /* let the kernel handle invalid cmds */
1507                         break;
1508         }
1509         return rc;
1510 }
1511
1512 static int selinux_quota_on(struct dentry *dentry)
1513 {
1514         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1515 }
1516
1517 static int selinux_syslog(int type)
1518 {
1519         int rc;
1520
1521         rc = secondary_ops->syslog(type);
1522         if (rc)
1523                 return rc;
1524
1525         switch (type) {
1526                 case 3:         /* Read last kernel messages */
1527                 case 10:        /* Return size of the log buffer */
1528                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1529                         break;
1530                 case 6:         /* Disable logging to console */
1531                 case 7:         /* Enable logging to console */
1532                 case 8:         /* Set level of messages printed to console */
1533                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1534                         break;
1535                 case 0:         /* Close log */
1536                 case 1:         /* Open log */
1537                 case 2:         /* Read from log */
1538                 case 4:         /* Read/clear last kernel messages */
1539                 case 5:         /* Clear ring buffer */
1540                 default:
1541                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1542                         break;
1543         }
1544         return rc;
1545 }
1546
1547 /*
1548  * Check that a process has enough memory to allocate a new virtual
1549  * mapping. 0 means there is enough memory for the allocation to
1550  * succeed and -ENOMEM implies there is not.
1551  *
1552  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1553  * if the capability is granted, but __vm_enough_memory requires 1 if
1554  * the capability is granted.
1555  *
1556  * Do not audit the selinux permission check, as this is applied to all
1557  * processes that allocate mappings.
1558  */
1559 static int selinux_vm_enough_memory(long pages)
1560 {
1561         int rc, cap_sys_admin = 0;
1562         struct task_security_struct *tsec = current->security;
1563
1564         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1565         if (rc == 0)
1566                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1567                                         SECCLASS_CAPABILITY,
1568                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1569                                         NULL);
1570
1571         if (rc == 0)
1572                 cap_sys_admin = 1;
1573
1574         return __vm_enough_memory(pages, cap_sys_admin);
1575 }
1576
1577 /* binprm security operations */
1578
1579 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1580 {
1581         struct bprm_security_struct *bsec;
1582
1583         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1584         if (!bsec)
1585                 return -ENOMEM;
1586
1587         bsec->bprm = bprm;
1588         bsec->sid = SECINITSID_UNLABELED;
1589         bsec->set = 0;
1590
1591         bprm->security = bsec;
1592         return 0;
1593 }
1594
1595 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1596 {
1597         struct task_security_struct *tsec;
1598         struct inode *inode = bprm->file->f_dentry->d_inode;
1599         struct inode_security_struct *isec;
1600         struct bprm_security_struct *bsec;
1601         u32 newsid;
1602         struct avc_audit_data ad;
1603         int rc;
1604
1605         rc = secondary_ops->bprm_set_security(bprm);
1606         if (rc)
1607                 return rc;
1608
1609         bsec = bprm->security;
1610
1611         if (bsec->set)
1612                 return 0;
1613
1614         tsec = current->security;
1615         isec = inode->i_security;
1616
1617         /* Default to the current task SID. */
1618         bsec->sid = tsec->sid;
1619
1620         /* Reset fs, key, and sock SIDs on execve. */
1621         tsec->create_sid = 0;
1622         tsec->keycreate_sid = 0;
1623         tsec->sockcreate_sid = 0;
1624
1625         if (tsec->exec_sid) {
1626                 newsid = tsec->exec_sid;
1627                 /* Reset exec SID on execve. */
1628                 tsec->exec_sid = 0;
1629         } else {
1630                 /* Check for a default transition on this program. */
1631                 rc = security_transition_sid(tsec->sid, isec->sid,
1632                                              SECCLASS_PROCESS, &newsid);
1633                 if (rc)
1634                         return rc;
1635         }
1636
1637         AVC_AUDIT_DATA_INIT(&ad, FS);
1638         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1639         ad.u.fs.dentry = bprm->file->f_dentry;
1640
1641         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1642                 newsid = tsec->sid;
1643
1644         if (tsec->sid == newsid) {
1645                 rc = avc_has_perm(tsec->sid, isec->sid,
1646                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1647                 if (rc)
1648                         return rc;
1649         } else {
1650                 /* Check permissions for the transition. */
1651                 rc = avc_has_perm(tsec->sid, newsid,
1652                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1653                 if (rc)
1654                         return rc;
1655
1656                 rc = avc_has_perm(newsid, isec->sid,
1657                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1658                 if (rc)
1659                         return rc;
1660
1661                 /* Clear any possibly unsafe personality bits on exec: */
1662                 current->personality &= ~PER_CLEAR_ON_SETID;
1663
1664                 /* Set the security field to the new SID. */
1665                 bsec->sid = newsid;
1666         }
1667
1668         bsec->set = 1;
1669         return 0;
1670 }
1671
1672 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1673 {
1674         return secondary_ops->bprm_check_security(bprm);
1675 }
1676
1677
1678 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1679 {
1680         struct task_security_struct *tsec = current->security;
1681         int atsecure = 0;
1682
1683         if (tsec->osid != tsec->sid) {
1684                 /* Enable secure mode for SIDs transitions unless
1685                    the noatsecure permission is granted between
1686                    the two SIDs, i.e. ahp returns 0. */
1687                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1688                                          SECCLASS_PROCESS,
1689                                          PROCESS__NOATSECURE, NULL);
1690         }
1691
1692         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1693 }
1694
1695 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1696 {
1697         kfree(bprm->security);
1698         bprm->security = NULL;
1699 }
1700
1701 extern struct vfsmount *selinuxfs_mount;
1702 extern struct dentry *selinux_null;
1703
1704 /* Derived from fs/exec.c:flush_old_files. */
1705 static inline void flush_unauthorized_files(struct files_struct * files)
1706 {
1707         struct avc_audit_data ad;
1708         struct file *file, *devnull = NULL;
1709         struct tty_struct *tty = current->signal->tty;
1710         struct fdtable *fdt;
1711         long j = -1;
1712
1713         if (tty) {
1714                 file_list_lock();
1715                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1716                 if (file) {
1717                         /* Revalidate access to controlling tty.
1718                            Use inode_has_perm on the tty inode directly rather
1719                            than using file_has_perm, as this particular open
1720                            file may belong to another process and we are only
1721                            interested in the inode-based check here. */
1722                         struct inode *inode = file->f_dentry->d_inode;
1723                         if (inode_has_perm(current, inode,
1724                                            FILE__READ | FILE__WRITE, NULL)) {
1725                                 /* Reset controlling tty. */
1726                                 current->signal->tty = NULL;
1727                                 current->signal->tty_old_pgrp = 0;
1728                         }
1729                 }
1730                 file_list_unlock();
1731         }
1732
1733         /* Revalidate access to inherited open files. */
1734
1735         AVC_AUDIT_DATA_INIT(&ad,FS);
1736
1737         spin_lock(&files->file_lock);
1738         for (;;) {
1739                 unsigned long set, i;
1740                 int fd;
1741
1742                 j++;
1743                 i = j * __NFDBITS;
1744                 fdt = files_fdtable(files);
1745                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1746                         break;
1747                 set = fdt->open_fds->fds_bits[j];
1748                 if (!set)
1749                         continue;
1750                 spin_unlock(&files->file_lock);
1751                 for ( ; set ; i++,set >>= 1) {
1752                         if (set & 1) {
1753                                 file = fget(i);
1754                                 if (!file)
1755                                         continue;
1756                                 if (file_has_perm(current,
1757                                                   file,
1758                                                   file_to_av(file))) {
1759                                         sys_close(i);
1760                                         fd = get_unused_fd();
1761                                         if (fd != i) {
1762                                                 if (fd >= 0)
1763                                                         put_unused_fd(fd);
1764                                                 fput(file);
1765                                                 continue;
1766                                         }
1767                                         if (devnull) {
1768                                                 get_file(devnull);
1769                                         } else {
1770                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1771                                                 if (!devnull) {
1772                                                         put_unused_fd(fd);
1773                                                         fput(file);
1774                                                         continue;
1775                                                 }
1776                                         }
1777                                         fd_install(fd, devnull);
1778                                 }
1779                                 fput(file);
1780                         }
1781                 }
1782                 spin_lock(&files->file_lock);
1783
1784         }
1785         spin_unlock(&files->file_lock);
1786 }
1787
1788 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1789 {
1790         struct task_security_struct *tsec;
1791         struct bprm_security_struct *bsec;
1792         u32 sid;
1793         int rc;
1794
1795         secondary_ops->bprm_apply_creds(bprm, unsafe);
1796
1797         tsec = current->security;
1798
1799         bsec = bprm->security;
1800         sid = bsec->sid;
1801
1802         tsec->osid = tsec->sid;
1803         bsec->unsafe = 0;
1804         if (tsec->sid != sid) {
1805                 /* Check for shared state.  If not ok, leave SID
1806                    unchanged and kill. */
1807                 if (unsafe & LSM_UNSAFE_SHARE) {
1808                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1809                                         PROCESS__SHARE, NULL);
1810                         if (rc) {
1811                                 bsec->unsafe = 1;
1812                                 return;
1813                         }
1814                 }
1815
1816                 /* Check for ptracing, and update the task SID if ok.
1817                    Otherwise, leave SID unchanged and kill. */
1818                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1819                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1820                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1821                                           NULL);
1822                         if (rc) {
1823                                 bsec->unsafe = 1;
1824                                 return;
1825                         }
1826                 }
1827                 tsec->sid = sid;
1828         }
1829 }
1830
1831 /*
1832  * called after apply_creds without the task lock held
1833  */
1834 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1835 {
1836         struct task_security_struct *tsec;
1837         struct rlimit *rlim, *initrlim;
1838         struct itimerval itimer;
1839         struct bprm_security_struct *bsec;
1840         int rc, i;
1841
1842         tsec = current->security;
1843         bsec = bprm->security;
1844
1845         if (bsec->unsafe) {
1846                 force_sig_specific(SIGKILL, current);
1847                 return;
1848         }
1849         if (tsec->osid == tsec->sid)
1850                 return;
1851
1852         /* Close files for which the new task SID is not authorized. */
1853         flush_unauthorized_files(current->files);
1854
1855         /* Check whether the new SID can inherit signal state
1856            from the old SID.  If not, clear itimers to avoid
1857            subsequent signal generation and flush and unblock
1858            signals. This must occur _after_ the task SID has
1859           been updated so that any kill done after the flush
1860           will be checked against the new SID. */
1861         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1862                           PROCESS__SIGINH, NULL);
1863         if (rc) {
1864                 memset(&itimer, 0, sizeof itimer);
1865                 for (i = 0; i < 3; i++)
1866                         do_setitimer(i, &itimer, NULL);
1867                 flush_signals(current);
1868                 spin_lock_irq(&current->sighand->siglock);
1869                 flush_signal_handlers(current, 1);
1870                 sigemptyset(&current->blocked);
1871                 recalc_sigpending();
1872                 spin_unlock_irq(&current->sighand->siglock);
1873         }
1874
1875         /* Check whether the new SID can inherit resource limits
1876            from the old SID.  If not, reset all soft limits to
1877            the lower of the current task's hard limit and the init
1878            task's soft limit.  Note that the setting of hard limits
1879            (even to lower them) can be controlled by the setrlimit
1880            check. The inclusion of the init task's soft limit into
1881            the computation is to avoid resetting soft limits higher
1882            than the default soft limit for cases where the default
1883            is lower than the hard limit, e.g. RLIMIT_CORE or
1884            RLIMIT_STACK.*/
1885         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1886                           PROCESS__RLIMITINH, NULL);
1887         if (rc) {
1888                 for (i = 0; i < RLIM_NLIMITS; i++) {
1889                         rlim = current->signal->rlim + i;
1890                         initrlim = init_task.signal->rlim+i;
1891                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1892                 }
1893                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1894                         /*
1895                          * This will cause RLIMIT_CPU calculations
1896                          * to be refigured.
1897                          */
1898                         current->it_prof_expires = jiffies_to_cputime(1);
1899                 }
1900         }
1901
1902         /* Wake up the parent if it is waiting so that it can
1903            recheck wait permission to the new task SID. */
1904         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1905 }
1906
1907 /* superblock security operations */
1908
1909 static int selinux_sb_alloc_security(struct super_block *sb)
1910 {
1911         return superblock_alloc_security(sb);
1912 }
1913
1914 static void selinux_sb_free_security(struct super_block *sb)
1915 {
1916         superblock_free_security(sb);
1917 }
1918
1919 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1920 {
1921         if (plen > olen)
1922                 return 0;
1923
1924         return !memcmp(prefix, option, plen);
1925 }
1926
1927 static inline int selinux_option(char *option, int len)
1928 {
1929         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1930                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1931                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1932                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1933 }
1934
1935 static inline void take_option(char **to, char *from, int *first, int len)
1936 {
1937         if (!*first) {
1938                 **to = ',';
1939                 *to += 1;
1940         }
1941         else
1942                 *first = 0;
1943         memcpy(*to, from, len);
1944         *to += len;
1945 }
1946
1947 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1948 {
1949         int fnosec, fsec, rc = 0;
1950         char *in_save, *in_curr, *in_end;
1951         char *sec_curr, *nosec_save, *nosec;
1952
1953         in_curr = orig;
1954         sec_curr = copy;
1955
1956         /* Binary mount data: just copy */
1957         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1958                 copy_page(sec_curr, in_curr);
1959                 goto out;
1960         }
1961
1962         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1963         if (!nosec) {
1964                 rc = -ENOMEM;
1965                 goto out;
1966         }
1967
1968         nosec_save = nosec;
1969         fnosec = fsec = 1;
1970         in_save = in_end = orig;
1971
1972         do {
1973                 if (*in_end == ',' || *in_end == '\0') {
1974                         int len = in_end - in_curr;
1975
1976                         if (selinux_option(in_curr, len))
1977                                 take_option(&sec_curr, in_curr, &fsec, len);
1978                         else
1979                                 take_option(&nosec, in_curr, &fnosec, len);
1980
1981                         in_curr = in_end + 1;
1982                 }
1983         } while (*in_end++);
1984
1985         strcpy(in_save, nosec_save);
1986         free_page((unsigned long)nosec_save);
1987 out:
1988         return rc;
1989 }
1990
1991 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1992 {
1993         struct avc_audit_data ad;
1994         int rc;
1995
1996         rc = superblock_doinit(sb, data);
1997         if (rc)
1998                 return rc;
1999
2000         AVC_AUDIT_DATA_INIT(&ad,FS);
2001         ad.u.fs.dentry = sb->s_root;
2002         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2003 }
2004
2005 static int selinux_sb_statfs(struct dentry *dentry)
2006 {
2007         struct avc_audit_data ad;
2008
2009         AVC_AUDIT_DATA_INIT(&ad,FS);
2010         ad.u.fs.dentry = dentry->d_sb->s_root;
2011         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2012 }
2013
2014 static int selinux_mount(char * dev_name,
2015                          struct nameidata *nd,
2016                          char * type,
2017                          unsigned long flags,
2018                          void * data)
2019 {
2020         int rc;
2021
2022         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2023         if (rc)
2024                 return rc;
2025
2026         if (flags & MS_REMOUNT)
2027                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2028                                            FILESYSTEM__REMOUNT, NULL);
2029         else
2030                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2031                                        FILE__MOUNTON);
2032 }
2033
2034 static int selinux_umount(struct vfsmount *mnt, int flags)
2035 {
2036         int rc;
2037
2038         rc = secondary_ops->sb_umount(mnt, flags);
2039         if (rc)
2040                 return rc;
2041
2042         return superblock_has_perm(current,mnt->mnt_sb,
2043                                    FILESYSTEM__UNMOUNT,NULL);
2044 }
2045
2046 /* inode security operations */
2047
2048 static int selinux_inode_alloc_security(struct inode *inode)
2049 {
2050         return inode_alloc_security(inode);
2051 }
2052
2053 static void selinux_inode_free_security(struct inode *inode)
2054 {
2055         inode_free_security(inode);
2056 }
2057
2058 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2059                                        char **name, void **value,
2060                                        size_t *len)
2061 {
2062         struct task_security_struct *tsec;
2063         struct inode_security_struct *dsec;
2064         struct superblock_security_struct *sbsec;
2065         u32 newsid, clen;
2066         int rc;
2067         char *namep = NULL, *context;
2068
2069         tsec = current->security;
2070         dsec = dir->i_security;
2071         sbsec = dir->i_sb->s_security;
2072
2073         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2074                 newsid = tsec->create_sid;
2075         } else {
2076                 rc = security_transition_sid(tsec->sid, dsec->sid,
2077                                              inode_mode_to_security_class(inode->i_mode),
2078                                              &newsid);
2079                 if (rc) {
2080                         printk(KERN_WARNING "%s:  "
2081                                "security_transition_sid failed, rc=%d (dev=%s "
2082                                "ino=%ld)\n",
2083                                __FUNCTION__,
2084                                -rc, inode->i_sb->s_id, inode->i_ino);
2085                         return rc;
2086                 }
2087         }
2088
2089         inode_security_set_sid(inode, newsid);
2090
2091         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2092                 return -EOPNOTSUPP;
2093
2094         if (name) {
2095                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2096                 if (!namep)
2097                         return -ENOMEM;
2098                 *name = namep;
2099         }
2100
2101         if (value && len) {
2102                 rc = security_sid_to_context(newsid, &context, &clen);
2103                 if (rc) {
2104                         kfree(namep);
2105                         return rc;
2106                 }
2107                 *value = context;
2108                 *len = clen;
2109         }
2110
2111         return 0;
2112 }
2113
2114 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2115 {
2116         return may_create(dir, dentry, SECCLASS_FILE);
2117 }
2118
2119 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2120 {
2121         int rc;
2122
2123         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2124         if (rc)
2125                 return rc;
2126         return may_link(dir, old_dentry, MAY_LINK);
2127 }
2128
2129 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2130 {
2131         int rc;
2132
2133         rc = secondary_ops->inode_unlink(dir, dentry);
2134         if (rc)
2135                 return rc;
2136         return may_link(dir, dentry, MAY_UNLINK);
2137 }
2138
2139 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2140 {
2141         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2142 }
2143
2144 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2145 {
2146         return may_create(dir, dentry, SECCLASS_DIR);
2147 }
2148
2149 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2150 {
2151         return may_link(dir, dentry, MAY_RMDIR);
2152 }
2153
2154 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2155 {
2156         int rc;
2157
2158         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2159         if (rc)
2160                 return rc;
2161
2162         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2163 }
2164
2165 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2166                                 struct inode *new_inode, struct dentry *new_dentry)
2167 {
2168         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2169 }
2170
2171 static int selinux_inode_readlink(struct dentry *dentry)
2172 {
2173         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2174 }
2175
2176 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2177 {
2178         int rc;
2179
2180         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2181         if (rc)
2182                 return rc;
2183         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2184 }
2185
2186 static int selinux_inode_permission(struct inode *inode, int mask,
2187                                     struct nameidata *nd)
2188 {
2189         int rc;
2190
2191         rc = secondary_ops->inode_permission(inode, mask, nd);
2192         if (rc)
2193                 return rc;
2194
2195         if (!mask) {
2196                 /* No permission to check.  Existence test. */
2197                 return 0;
2198         }
2199
2200         return inode_has_perm(current, inode,
2201                                file_mask_to_av(inode->i_mode, mask), NULL);
2202 }
2203
2204 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2205 {
2206         int rc;
2207
2208         rc = secondary_ops->inode_setattr(dentry, iattr);
2209         if (rc)
2210                 return rc;
2211
2212         if (iattr->ia_valid & ATTR_FORCE)
2213                 return 0;
2214
2215         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2216                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2217                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2218
2219         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2220 }
2221
2222 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2223 {
2224         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2225 }
2226
2227 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2228 {
2229         struct task_security_struct *tsec = current->security;
2230         struct inode *inode = dentry->d_inode;
2231         struct inode_security_struct *isec = inode->i_security;
2232         struct superblock_security_struct *sbsec;
2233         struct avc_audit_data ad;
2234         u32 newsid;
2235         int rc = 0;
2236
2237         if (strcmp(name, XATTR_NAME_SELINUX)) {
2238                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2239                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2240                     !capable(CAP_SYS_ADMIN)) {
2241                         /* A different attribute in the security namespace.
2242                            Restrict to administrator. */
2243                         return -EPERM;
2244                 }
2245
2246                 /* Not an attribute we recognize, so just check the
2247                    ordinary setattr permission. */
2248                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2249         }
2250
2251         sbsec = inode->i_sb->s_security;
2252         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2253                 return -EOPNOTSUPP;
2254
2255         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2256                 return -EPERM;
2257
2258         AVC_AUDIT_DATA_INIT(&ad,FS);
2259         ad.u.fs.dentry = dentry;
2260
2261         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2262                           FILE__RELABELFROM, &ad);
2263         if (rc)
2264                 return rc;
2265
2266         rc = security_context_to_sid(value, size, &newsid);
2267         if (rc)
2268                 return rc;
2269
2270         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2271                           FILE__RELABELTO, &ad);
2272         if (rc)
2273                 return rc;
2274
2275         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2276                                           isec->sclass);
2277         if (rc)
2278                 return rc;
2279
2280         return avc_has_perm(newsid,
2281                             sbsec->sid,
2282                             SECCLASS_FILESYSTEM,
2283                             FILESYSTEM__ASSOCIATE,
2284                             &ad);
2285 }
2286
2287 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2288                                         void *value, size_t size, int flags)
2289 {
2290         struct inode *inode = dentry->d_inode;
2291         struct inode_security_struct *isec = inode->i_security;
2292         u32 newsid;
2293         int rc;
2294
2295         if (strcmp(name, XATTR_NAME_SELINUX)) {
2296                 /* Not an attribute we recognize, so nothing to do. */
2297                 return;
2298         }
2299
2300         rc = security_context_to_sid(value, size, &newsid);
2301         if (rc) {
2302                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2303                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2304                 return;
2305         }
2306
2307         isec->sid = newsid;
2308         return;
2309 }
2310
2311 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2312 {
2313         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2314 }
2315
2316 static int selinux_inode_listxattr (struct dentry *dentry)
2317 {
2318         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2319 }
2320
2321 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2322 {
2323         if (strcmp(name, XATTR_NAME_SELINUX)) {
2324                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2325                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2326                     !capable(CAP_SYS_ADMIN)) {
2327                         /* A different attribute in the security namespace.
2328                            Restrict to administrator. */
2329                         return -EPERM;
2330                 }
2331
2332                 /* Not an attribute we recognize, so just check the
2333                    ordinary setattr permission. Might want a separate
2334                    permission for removexattr. */
2335                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2336         }
2337
2338         /* No one is allowed to remove a SELinux security label.
2339            You can change the label, but all data must be labeled. */
2340         return -EACCES;
2341 }
2342
2343 static const char *selinux_inode_xattr_getsuffix(void)
2344 {
2345       return XATTR_SELINUX_SUFFIX;
2346 }
2347
2348 /*
2349  * Copy the in-core inode security context value to the user.  If the
2350  * getxattr() prior to this succeeded, check to see if we need to
2351  * canonicalize the value to be finally returned to the user.
2352  *
2353  * Permission check is handled by selinux_inode_getxattr hook.
2354  */
2355 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2356 {
2357         struct inode_security_struct *isec = inode->i_security;
2358
2359         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2360                 return -EOPNOTSUPP;
2361
2362         return selinux_getsecurity(isec->sid, buffer, size);
2363 }
2364
2365 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2366                                      const void *value, size_t size, int flags)
2367 {
2368         struct inode_security_struct *isec = inode->i_security;
2369         u32 newsid;
2370         int rc;
2371
2372         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2373                 return -EOPNOTSUPP;
2374
2375         if (!value || !size)
2376                 return -EACCES;
2377
2378         rc = security_context_to_sid((void*)value, size, &newsid);
2379         if (rc)
2380                 return rc;
2381
2382         isec->sid = newsid;
2383         return 0;
2384 }
2385
2386 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2387 {
2388         const int len = sizeof(XATTR_NAME_SELINUX);
2389         if (buffer && len <= buffer_size)
2390                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2391         return len;
2392 }
2393
2394 /* file security operations */
2395
2396 static int selinux_file_permission(struct file *file, int mask)
2397 {
2398         struct inode *inode = file->f_dentry->d_inode;
2399
2400         if (!mask) {
2401                 /* No permission to check.  Existence test. */
2402                 return 0;
2403         }
2404
2405         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2406         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2407                 mask |= MAY_APPEND;
2408
2409         return file_has_perm(current, file,
2410                              file_mask_to_av(inode->i_mode, mask));
2411 }
2412
2413 static int selinux_file_alloc_security(struct file *file)
2414 {
2415         return file_alloc_security(file);
2416 }
2417
2418 static void selinux_file_free_security(struct file *file)
2419 {
2420         file_free_security(file);
2421 }
2422
2423 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2424                               unsigned long arg)
2425 {
2426         int error = 0;
2427
2428         switch (cmd) {
2429                 case FIONREAD:
2430                 /* fall through */
2431                 case FIBMAP:
2432                 /* fall through */
2433                 case FIGETBSZ:
2434                 /* fall through */
2435                 case EXT2_IOC_GETFLAGS:
2436                 /* fall through */
2437                 case EXT2_IOC_GETVERSION:
2438                         error = file_has_perm(current, file, FILE__GETATTR);
2439                         break;
2440
2441                 case EXT2_IOC_SETFLAGS:
2442                 /* fall through */
2443                 case EXT2_IOC_SETVERSION:
2444                         error = file_has_perm(current, file, FILE__SETATTR);
2445                         break;
2446
2447                 /* sys_ioctl() checks */
2448                 case FIONBIO:
2449                 /* fall through */
2450                 case FIOASYNC:
2451                         error = file_has_perm(current, file, 0);
2452                         break;
2453
2454                 case KDSKBENT:
2455                 case KDSKBSENT:
2456                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2457                         break;
2458
2459                 /* default case assumes that the command will go
2460                  * to the file's ioctl() function.
2461                  */
2462                 default:
2463                         error = file_has_perm(current, file, FILE__IOCTL);
2464
2465         }
2466         return error;
2467 }
2468
2469 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2470 {
2471 #ifndef CONFIG_PPC32
2472         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2473                 /*
2474                  * We are making executable an anonymous mapping or a
2475                  * private file mapping that will also be writable.
2476                  * This has an additional check.
2477                  */
2478                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2479                 if (rc)
2480                         return rc;
2481         }
2482 #endif
2483
2484         if (file) {
2485                 /* read access is always possible with a mapping */
2486                 u32 av = FILE__READ;
2487
2488                 /* write access only matters if the mapping is shared */
2489                 if (shared && (prot & PROT_WRITE))
2490                         av |= FILE__WRITE;
2491
2492                 if (prot & PROT_EXEC)
2493                         av |= FILE__EXECUTE;
2494
2495                 return file_has_perm(current, file, av);
2496         }
2497         return 0;
2498 }
2499
2500 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2501                              unsigned long prot, unsigned long flags)
2502 {
2503         int rc;
2504
2505         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2506         if (rc)
2507                 return rc;
2508
2509         if (selinux_checkreqprot)
2510                 prot = reqprot;
2511
2512         return file_map_prot_check(file, prot,
2513                                    (flags & MAP_TYPE) == MAP_SHARED);
2514 }
2515
2516 static int selinux_file_mprotect(struct vm_area_struct *vma,
2517                                  unsigned long reqprot,
2518                                  unsigned long prot)
2519 {
2520         int rc;
2521
2522         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2523         if (rc)
2524                 return rc;
2525
2526         if (selinux_checkreqprot)
2527                 prot = reqprot;
2528
2529 #ifndef CONFIG_PPC32
2530         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2531                 rc = 0;
2532                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2533                     vma->vm_end <= vma->vm_mm->brk) {
2534                         rc = task_has_perm(current, current,
2535                                            PROCESS__EXECHEAP);
2536                 } else if (!vma->vm_file &&
2537                            vma->vm_start <= vma->vm_mm->start_stack &&
2538                            vma->vm_end >= vma->vm_mm->start_stack) {
2539                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2540                 } else if (vma->vm_file && vma->anon_vma) {
2541                         /*
2542                          * We are making executable a file mapping that has
2543                          * had some COW done. Since pages might have been
2544                          * written, check ability to execute the possibly
2545                          * modified content.  This typically should only
2546                          * occur for text relocations.
2547                          */
2548                         rc = file_has_perm(current, vma->vm_file,
2549                                            FILE__EXECMOD);
2550                 }
2551                 if (rc)
2552                         return rc;
2553         }
2554 #endif
2555
2556         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2557 }
2558
2559 static int selinux_file_lock(struct file *file, unsigned int cmd)
2560 {
2561         return file_has_perm(current, file, FILE__LOCK);
2562 }
2563
2564 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2565                               unsigned long arg)
2566 {
2567         int err = 0;
2568
2569         switch (cmd) {
2570                 case F_SETFL:
2571                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2572                                 err = -EINVAL;
2573                                 break;
2574                         }
2575
2576                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2577                                 err = file_has_perm(current, file,FILE__WRITE);
2578                                 break;
2579                         }
2580                         /* fall through */
2581                 case F_SETOWN:
2582                 case F_SETSIG:
2583                 case F_GETFL:
2584                 case F_GETOWN:
2585                 case F_GETSIG:
2586                         /* Just check FD__USE permission */
2587                         err = file_has_perm(current, file, 0);
2588                         break;
2589                 case F_GETLK:
2590                 case F_SETLK:
2591                 case F_SETLKW:
2592 #if BITS_PER_LONG == 32
2593                 case F_GETLK64:
2594                 case F_SETLK64:
2595                 case F_SETLKW64:
2596 #endif
2597                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2598                                 err = -EINVAL;
2599                                 break;
2600                         }
2601                         err = file_has_perm(current, file, FILE__LOCK);
2602                         break;
2603         }
2604
2605         return err;
2606 }
2607
2608 static int selinux_file_set_fowner(struct file *file)
2609 {
2610         struct task_security_struct *tsec;
2611         struct file_security_struct *fsec;
2612
2613         tsec = current->security;
2614         fsec = file->f_security;
2615         fsec->fown_sid = tsec->sid;
2616
2617         return 0;
2618 }
2619
2620 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2621                                        struct fown_struct *fown, int signum)
2622 {
2623         struct file *file;
2624         u32 perm;
2625         struct task_security_struct *tsec;
2626         struct file_security_struct *fsec;
2627
2628         /* struct fown_struct is never outside the context of a struct file */
2629         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2630
2631         tsec = tsk->security;
2632         fsec = file->f_security;
2633
2634         if (!signum)
2635                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2636         else
2637                 perm = signal_to_av(signum);
2638
2639         return avc_has_perm(fsec->fown_sid, tsec->sid,
2640                             SECCLASS_PROCESS, perm, NULL);
2641 }
2642
2643 static int selinux_file_receive(struct file *file)
2644 {
2645         return file_has_perm(current, file, file_to_av(file));
2646 }
2647
2648 /* task security operations */
2649
2650 static int selinux_task_create(unsigned long clone_flags)
2651 {
2652         int rc;
2653
2654         rc = secondary_ops->task_create(clone_flags);
2655         if (rc)
2656                 return rc;
2657
2658         return task_has_perm(current, current, PROCESS__FORK);
2659 }
2660
2661 static int selinux_task_alloc_security(struct task_struct *tsk)
2662 {
2663         struct task_security_struct *tsec1, *tsec2;
2664         int rc;
2665
2666         tsec1 = current->security;
2667
2668         rc = task_alloc_security(tsk);
2669         if (rc)
2670                 return rc;
2671         tsec2 = tsk->security;
2672
2673         tsec2->osid = tsec1->osid;
2674         tsec2->sid = tsec1->sid;
2675
2676         /* Retain the exec, fs, key, and sock SIDs across fork */
2677         tsec2->exec_sid = tsec1->exec_sid;
2678         tsec2->create_sid = tsec1->create_sid;
2679         tsec2->keycreate_sid = tsec1->keycreate_sid;
2680         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2681
2682         /* Retain ptracer SID across fork, if any.
2683            This will be reset by the ptrace hook upon any
2684            subsequent ptrace_attach operations. */
2685         tsec2->ptrace_sid = tsec1->ptrace_sid;
2686
2687         return 0;
2688 }
2689
2690 static void selinux_task_free_security(struct task_struct *tsk)
2691 {
2692         task_free_security(tsk);
2693 }
2694
2695 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2696 {
2697         /* Since setuid only affects the current process, and
2698            since the SELinux controls are not based on the Linux
2699            identity attributes, SELinux does not need to control
2700            this operation.  However, SELinux does control the use
2701            of the CAP_SETUID and CAP_SETGID capabilities using the
2702            capable hook. */
2703         return 0;
2704 }
2705
2706 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2707 {
2708         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2709 }
2710
2711 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2712 {
2713         /* See the comment for setuid above. */
2714         return 0;
2715 }
2716
2717 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2718 {
2719         return task_has_perm(current, p, PROCESS__SETPGID);
2720 }
2721
2722 static int selinux_task_getpgid(struct task_struct *p)
2723 {
2724         return task_has_perm(current, p, PROCESS__GETPGID);
2725 }
2726
2727 static int selinux_task_getsid(struct task_struct *p)
2728 {
2729         return task_has_perm(current, p, PROCESS__GETSESSION);
2730 }
2731
2732 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2733 {
2734         selinux_get_task_sid(p, secid);
2735 }
2736
2737 static int selinux_task_setgroups(struct group_info *group_info)
2738 {
2739         /* See the comment for setuid above. */
2740         return 0;
2741 }
2742
2743 static int selinux_task_setnice(struct task_struct *p, int nice)
2744 {
2745         int rc;
2746
2747         rc = secondary_ops->task_setnice(p, nice);
2748         if (rc)
2749                 return rc;
2750
2751         return task_has_perm(current,p, PROCESS__SETSCHED);
2752 }
2753
2754 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2755 {
2756         return task_has_perm(current, p, PROCESS__SETSCHED);
2757 }
2758
2759 static int selinux_task_getioprio(struct task_struct *p)
2760 {
2761         return task_has_perm(current, p, PROCESS__GETSCHED);
2762 }
2763
2764 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2765 {
2766         struct rlimit *old_rlim = current->signal->rlim + resource;
2767         int rc;
2768
2769         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2770         if (rc)
2771                 return rc;
2772
2773         /* Control the ability to change the hard limit (whether
2774            lowering or raising it), so that the hard limit can
2775            later be used as a safe reset point for the soft limit
2776            upon context transitions. See selinux_bprm_apply_creds. */
2777         if (old_rlim->rlim_max != new_rlim->rlim_max)
2778                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2779
2780         return 0;
2781 }
2782
2783 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2784 {
2785         return task_has_perm(current, p, PROCESS__SETSCHED);
2786 }
2787
2788 static int selinux_task_getscheduler(struct task_struct *p)
2789 {
2790         return task_has_perm(current, p, PROCESS__GETSCHED);
2791 }
2792
2793 static int selinux_task_movememory(struct task_struct *p)
2794 {
2795         return task_has_perm(current, p, PROCESS__SETSCHED);
2796 }
2797
2798 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2799                                 int sig, u32 secid)
2800 {
2801         u32 perm;
2802         int rc;
2803         struct task_security_struct *tsec;
2804
2805         rc = secondary_ops->task_kill(p, info, sig, secid);
2806         if (rc)
2807                 return rc;
2808
2809         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2810                 return 0;
2811
2812         if (!sig)
2813                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2814         else
2815                 perm = signal_to_av(sig);
2816         tsec = p->security;
2817         if (secid)
2818                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2819         else
2820                 rc = task_has_perm(current, p, perm);
2821         return rc;
2822 }
2823
2824 static int selinux_task_prctl(int option,
2825                               unsigned long arg2,
2826                               unsigned long arg3,
2827                               unsigned long arg4,
2828                               unsigned long arg5)
2829 {
2830         /* The current prctl operations do not appear to require
2831            any SELinux controls since they merely observe or modify
2832            the state of the current process. */
2833         return 0;
2834 }
2835
2836 static int selinux_task_wait(struct task_struct *p)
2837 {
2838         u32 perm;
2839
2840         perm = signal_to_av(p->exit_signal);
2841
2842         return task_has_perm(p, current, perm);
2843 }
2844
2845 static void selinux_task_reparent_to_init(struct task_struct *p)
2846 {
2847         struct task_security_struct *tsec;
2848
2849         secondary_ops->task_reparent_to_init(p);
2850
2851         tsec = p->security;
2852         tsec->osid = tsec->sid;
2853         tsec->sid = SECINITSID_KERNEL;
2854         return;
2855 }
2856
2857 static void selinux_task_to_inode(struct task_struct *p,
2858                                   struct inode *inode)
2859 {
2860         struct task_security_struct *tsec = p->security;
2861         struct inode_security_struct *isec = inode->i_security;
2862
2863         isec->sid = tsec->sid;
2864         isec->initialized = 1;
2865         return;
2866 }
2867
2868 /* Returns error only if unable to parse addresses */
2869 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2870 {
2871         int offset, ihlen, ret = -EINVAL;
2872         struct iphdr _iph, *ih;
2873
2874         offset = skb->nh.raw - skb->data;
2875         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2876         if (ih == NULL)
2877                 goto out;
2878
2879         ihlen = ih->ihl * 4;
2880         if (ihlen < sizeof(_iph))
2881                 goto out;
2882
2883         ad->u.net.v4info.saddr = ih->saddr;
2884         ad->u.net.v4info.daddr = ih->daddr;
2885         ret = 0;
2886
2887         switch (ih->protocol) {
2888         case IPPROTO_TCP: {
2889                 struct tcphdr _tcph, *th;
2890
2891                 if (ntohs(ih->frag_off) & IP_OFFSET)
2892                         break;
2893
2894                 offset += ihlen;
2895                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2896                 if (th == NULL)
2897                         break;
2898
2899                 ad->u.net.sport = th->source;
2900                 ad->u.net.dport = th->dest;
2901                 break;
2902         }
2903         
2904         case IPPROTO_UDP: {
2905                 struct udphdr _udph, *uh;
2906                 
2907                 if (ntohs(ih->frag_off) & IP_OFFSET)
2908                         break;
2909                         
2910                 offset += ihlen;
2911                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2912                 if (uh == NULL)
2913                         break;  
2914
2915                 ad->u.net.sport = uh->source;
2916                 ad->u.net.dport = uh->dest;
2917                 break;
2918         }
2919
2920         default:
2921                 break;
2922         }
2923 out:
2924         return ret;
2925 }
2926
2927 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2928
2929 /* Returns error only if unable to parse addresses */
2930 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2931 {
2932         u8 nexthdr;
2933         int ret = -EINVAL, offset;
2934         struct ipv6hdr _ipv6h, *ip6;
2935
2936         offset = skb->nh.raw - skb->data;
2937         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2938         if (ip6 == NULL)
2939                 goto out;
2940
2941         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2942         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2943         ret = 0;
2944
2945         nexthdr = ip6->nexthdr;
2946         offset += sizeof(_ipv6h);
2947         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2948         if (offset < 0)
2949                 goto out;
2950
2951         switch (nexthdr) {
2952         case IPPROTO_TCP: {
2953                 struct tcphdr _tcph, *th;
2954
2955                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2956                 if (th == NULL)
2957                         break;
2958
2959                 ad->u.net.sport = th->source;
2960                 ad->u.net.dport = th->dest;
2961                 break;
2962         }
2963
2964         case IPPROTO_UDP: {
2965                 struct udphdr _udph, *uh;
2966
2967                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2968                 if (uh == NULL)
2969                         break;
2970
2971                 ad->u.net.sport = uh->source;
2972                 ad->u.net.dport = uh->dest;
2973                 break;
2974         }
2975
2976         /* includes fragments */
2977         default:
2978                 break;
2979         }
2980 out:
2981         return ret;
2982 }
2983
2984 #endif /* IPV6 */
2985
2986 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2987                              char **addrp, int *len, int src)
2988 {
2989         int ret = 0;
2990
2991         switch (ad->u.net.family) {
2992         case PF_INET:
2993                 ret = selinux_parse_skb_ipv4(skb, ad);
2994                 if (ret || !addrp)
2995                         break;
2996                 *len = 4;
2997                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2998                                         &ad->u.net.v4info.daddr);
2999                 break;
3000
3001 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3002         case PF_INET6:
3003                 ret = selinux_parse_skb_ipv6(skb, ad);
3004                 if (ret || !addrp)
3005                         break;
3006                 *len = 16;
3007                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3008                                         &ad->u.net.v6info.daddr);
3009                 break;
3010 #endif  /* IPV6 */
3011         default:
3012                 break;
3013         }
3014
3015         return ret;
3016 }
3017
3018 /* socket security operations */
3019 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3020                            u32 perms)
3021 {
3022         struct inode_security_struct *isec;
3023         struct task_security_struct *tsec;
3024         struct avc_audit_data ad;
3025         int err = 0;
3026
3027         tsec = task->security;
3028         isec = SOCK_INODE(sock)->i_security;
3029
3030         if (isec->sid == SECINITSID_KERNEL)
3031                 goto out;
3032
3033         AVC_AUDIT_DATA_INIT(&ad,NET);
3034         ad.u.net.sk = sock->sk;
3035         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3036
3037 out:
3038         return err;
3039 }
3040
3041 static int selinux_socket_create(int family, int type,
3042                                  int protocol, int kern)
3043 {
3044         int err = 0;
3045         struct task_security_struct *tsec;
3046         u32 newsid;
3047
3048         if (kern)
3049                 goto out;
3050
3051         tsec = current->security;
3052         newsid = tsec->sockcreate_sid ? : tsec->sid;
3053         err = avc_has_perm(tsec->sid, newsid,
3054                            socket_type_to_security_class(family, type,
3055                            protocol), SOCKET__CREATE, NULL);
3056
3057 out:
3058         return err;
3059 }
3060
3061 static void selinux_socket_post_create(struct socket *sock, int family,
3062                                        int type, int protocol, int kern)
3063 {
3064         struct inode_security_struct *isec;
3065         struct task_security_struct *tsec;
3066         struct sk_security_struct *sksec;
3067         u32 newsid;
3068
3069         isec = SOCK_INODE(sock)->i_security;
3070
3071         tsec = current->security;
3072         newsid = tsec->sockcreate_sid ? : tsec->sid;
3073         isec->sclass = socket_type_to_security_class(family, type, protocol);
3074         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3075         isec->initialized = 1;
3076
3077         if (sock->sk) {
3078                 sksec = sock->sk->sk_security;
3079                 sksec->sid = isec->sid;
3080         }
3081
3082         return;
3083 }
3084
3085 /* Range of port numbers used to automatically bind.
3086    Need to determine whether we should perform a name_bind
3087    permission check between the socket and the port number. */
3088 #define ip_local_port_range_0 sysctl_local_port_range[0]
3089 #define ip_local_port_range_1 sysctl_local_port_range[1]
3090
3091 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3092 {
3093         u16 family;
3094         int err;
3095
3096         err = socket_has_perm(current, sock, SOCKET__BIND);
3097         if (err)
3098                 goto out;
3099
3100         /*
3101          * If PF_INET or PF_INET6, check name_bind permission for the port.
3102          * Multiple address binding for SCTP is not supported yet: we just
3103          * check the first address now.
3104          */
3105         family = sock->sk->sk_family;
3106         if (family == PF_INET || family == PF_INET6) {
3107                 char *addrp;
3108                 struct inode_security_struct *isec;
3109                 struct task_security_struct *tsec;
3110                 struct avc_audit_data ad;
3111                 struct sockaddr_in *addr4 = NULL;
3112                 struct sockaddr_in6 *addr6 = NULL;
3113                 unsigned short snum;
3114                 struct sock *sk = sock->sk;
3115                 u32 sid, node_perm, addrlen;
3116
3117                 tsec = current->security;
3118                 isec = SOCK_INODE(sock)->i_security;
3119
3120                 if (family == PF_INET) {
3121                         addr4 = (struct sockaddr_in *)address;
3122                         snum = ntohs(addr4->sin_port);
3123                         addrlen = sizeof(addr4->sin_addr.s_addr);
3124                         addrp = (char *)&addr4->sin_addr.s_addr;
3125                 } else {
3126                         addr6 = (struct sockaddr_in6 *)address;
3127                         snum = ntohs(addr6->sin6_port);
3128                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3129                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3130                 }
3131
3132                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3133                            snum > ip_local_port_range_1)) {
3134                         err = security_port_sid(sk->sk_family, sk->sk_type,
3135                                                 sk->sk_protocol, snum, &sid);
3136                         if (err)
3137                                 goto out;
3138                         AVC_AUDIT_DATA_INIT(&ad,NET);
3139                         ad.u.net.sport = htons(snum);
3140                         ad.u.net.family = family;
3141                         err = avc_has_perm(isec->sid, sid,
3142                                            isec->sclass,
3143                                            SOCKET__NAME_BIND, &ad);
3144                         if (err)
3145                                 goto out;
3146                 }
3147                 
3148                 switch(isec->sclass) {
3149                 case SECCLASS_TCP_SOCKET:
3150                         node_perm = TCP_SOCKET__NODE_BIND;
3151                         break;
3152                         
3153                 case SECCLASS_UDP_SOCKET:
3154                         node_perm = UDP_SOCKET__NODE_BIND;
3155                         break;
3156                         
3157                 default:
3158                         node_perm = RAWIP_SOCKET__NODE_BIND;
3159                         break;
3160                 }
3161                 
3162                 err = security_node_sid(family, addrp, addrlen, &sid);
3163                 if (err)
3164                         goto out;
3165                 
3166                 AVC_AUDIT_DATA_INIT(&ad,NET);
3167                 ad.u.net.sport = htons(snum);
3168                 ad.u.net.family = family;
3169
3170                 if (family == PF_INET)
3171                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3172                 else
3173                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3174
3175                 err = avc_has_perm(isec->sid, sid,
3176                                    isec->sclass, node_perm, &ad);
3177                 if (err)
3178                         goto out;
3179         }
3180 out:
3181         return err;
3182 }
3183
3184 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3185 {
3186         struct inode_security_struct *isec;
3187         int err;
3188
3189         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3190         if (err)
3191                 return err;
3192
3193         /*
3194          * If a TCP socket, check name_connect permission for the port.
3195          */
3196         isec = SOCK_INODE(sock)->i_security;
3197         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3198                 struct sock *sk = sock->sk;
3199                 struct avc_audit_data ad;
3200                 struct sockaddr_in *addr4 = NULL;
3201                 struct sockaddr_in6 *addr6 = NULL;
3202                 unsigned short snum;
3203                 u32 sid;
3204
3205                 if (sk->sk_family == PF_INET) {
3206                         addr4 = (struct sockaddr_in *)address;
3207                         if (addrlen < sizeof(struct sockaddr_in))
3208                                 return -EINVAL;
3209                         snum = ntohs(addr4->sin_port);
3210                 } else {
3211                         addr6 = (struct sockaddr_in6 *)address;
3212                         if (addrlen < SIN6_LEN_RFC2133)
3213                                 return -EINVAL;
3214                         snum = ntohs(addr6->sin6_port);
3215                 }
3216
3217                 err = security_port_sid(sk->sk_family, sk->sk_type,
3218                                         sk->sk_protocol, snum, &sid);
3219                 if (err)
3220                         goto out;
3221
3222                 AVC_AUDIT_DATA_INIT(&ad,NET);
3223                 ad.u.net.dport = htons(snum);
3224                 ad.u.net.family = sk->sk_family;
3225                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3226                                    TCP_SOCKET__NAME_CONNECT, &ad);
3227                 if (err)
3228                         goto out;
3229         }
3230
3231 out:
3232         return err;
3233 }
3234
3235 static int selinux_socket_listen(struct socket *sock, int backlog)
3236 {
3237         return socket_has_perm(current, sock, SOCKET__LISTEN);
3238 }
3239
3240 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3241 {
3242         int err;
3243         struct inode_security_struct *isec;
3244         struct inode_security_struct *newisec;
3245
3246         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3247         if (err)
3248                 return err;
3249
3250         newisec = SOCK_INODE(newsock)->i_security;
3251
3252         isec = SOCK_INODE(sock)->i_security;
3253         newisec->sclass = isec->sclass;
3254         newisec->sid = isec->sid;
3255         newisec->initialized = 1;
3256
3257         return 0;
3258 }
3259
3260 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3261                                   int size)
3262 {
3263         return socket_has_perm(current, sock, SOCKET__WRITE);
3264 }
3265
3266 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3267                                   int size, int flags)
3268 {
3269         return socket_has_perm(current, sock, SOCKET__READ);
3270 }
3271
3272 static int selinux_socket_getsockname(struct socket *sock)
3273 {
3274         return socket_has_perm(current, sock, SOCKET__GETATTR);
3275 }
3276
3277 static int selinux_socket_getpeername(struct socket *sock)
3278 {
3279         return socket_has_perm(current, sock, SOCKET__GETATTR);
3280 }
3281
3282 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3283 {
3284         return socket_has_perm(current, sock, SOCKET__SETOPT);
3285 }
3286
3287 static int selinux_socket_getsockopt(struct socket *sock, int level,
3288                                      int optname)
3289 {
3290         return socket_has_perm(current, sock, SOCKET__GETOPT);
3291 }
3292
3293 static int selinux_socket_shutdown(struct socket *sock, int how)
3294 {
3295         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3296 }
3297
3298 static int selinux_socket_unix_stream_connect(struct socket *sock,
3299                                               struct socket *other,
3300                                               struct sock *newsk)
3301 {
3302         struct sk_security_struct *ssec;
3303         struct inode_security_struct *isec;
3304         struct inode_security_struct *other_isec;
3305         struct avc_audit_data ad;
3306         int err;
3307
3308         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3309         if (err)
3310                 return err;
3311
3312         isec = SOCK_INODE(sock)->i_security;
3313         other_isec = SOCK_INODE(other)->i_security;
3314
3315         AVC_AUDIT_DATA_INIT(&ad,NET);
3316         ad.u.net.sk = other->sk;
3317
3318         err = avc_has_perm(isec->sid, other_isec->sid,
3319                            isec->sclass,
3320                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3321         if (err)
3322                 return err;
3323
3324         /* connecting socket */
3325         ssec = sock->sk->sk_security;
3326         ssec->peer_sid = other_isec->sid;
3327         
3328         /* server child socket */
3329         ssec = newsk->sk_security;
3330         ssec->peer_sid = isec->sid;
3331         
3332         return 0;
3333 }
3334
3335 static int selinux_socket_unix_may_send(struct socket *sock,
3336                                         struct socket *other)
3337 {
3338         struct inode_security_struct *isec;
3339         struct inode_security_struct *other_isec;
3340         struct avc_audit_data ad;
3341         int err;
3342
3343         isec = SOCK_INODE(sock)->i_security;
3344         other_isec = SOCK_INODE(other)->i_security;
3345
3346         AVC_AUDIT_DATA_INIT(&ad,NET);
3347         ad.u.net.sk = other->sk;
3348
3349         err = avc_has_perm(isec->sid, other_isec->sid,
3350                            isec->sclass, SOCKET__SENDTO, &ad);
3351         if (err)
3352                 return err;
3353
3354         return 0;
3355 }
3356
3357 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3358                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3359                 u16 family, char *addrp, int len)
3360 {
3361         int err = 0;
3362         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3363
3364         if (!skb->dev)
3365                 goto out;
3366
3367         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3368         if (err)
3369                 goto out;
3370
3371         switch (sock_class) {
3372         case SECCLASS_UDP_SOCKET:
3373                 netif_perm = NETIF__UDP_RECV;
3374                 node_perm = NODE__UDP_RECV;
3375                 recv_perm = UDP_SOCKET__RECV_MSG;
3376                 break;
3377         
3378         case SECCLASS_TCP_SOCKET:
3379                 netif_perm = NETIF__TCP_RECV;
3380                 node_perm = NODE__TCP_RECV;
3381                 recv_perm = TCP_SOCKET__RECV_MSG;
3382                 break;
3383         
3384         default:
3385                 netif_perm = NETIF__RAWIP_RECV;
3386                 node_perm = NODE__RAWIP_RECV;
3387                 break;
3388         }
3389
3390         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3391         if (err)
3392                 goto out;
3393         
3394         err = security_node_sid(family, addrp, len, &node_sid);
3395         if (err)
3396                 goto out;
3397         
3398         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3399         if (err)
3400                 goto out;
3401
3402         if (recv_perm) {
3403                 u32 port_sid;
3404
3405                 err = security_port_sid(sk->sk_family, sk->sk_type,
3406                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3407                                         &port_sid);
3408                 if (err)
3409                         goto out;
3410
3411                 err = avc_has_perm(sock_sid, port_sid,
3412                                    sock_class, recv_perm, ad);
3413         }
3414
3415 out:
3416         return err;
3417 }
3418
3419 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3420 {
3421         u16 family;
3422         u16 sock_class = 0;
3423         char *addrp;
3424         int len, err = 0;
3425         u32 sock_sid = 0;
3426         struct socket *sock;
3427         struct avc_audit_data ad;
3428
3429         family = sk->sk_family;
3430         if (family != PF_INET && family != PF_INET6)
3431                 goto out;
3432
3433         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3434         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3435                 family = PF_INET;
3436
3437         read_lock_bh(&sk->sk_callback_lock);
3438         sock = sk->sk_socket;
3439         if (sock) {
3440                 struct inode *inode;
3441                 inode = SOCK_INODE(sock);
3442                 if (inode) {
3443                         struct inode_security_struct *isec;
3444                         isec = inode->i_security;
3445                         sock_sid = isec->sid;
3446                         sock_class = isec->sclass;
3447                 }
3448         }
3449         read_unlock_bh(&sk->sk_callback_lock);
3450         if (!sock_sid)
3451                 goto out;
3452
3453         AVC_AUDIT_DATA_INIT(&ad, NET);
3454         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3455         ad.u.net.family = family;
3456
3457         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3458         if (err)
3459                 goto out;
3460
3461         if (selinux_compat_net)
3462                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3463                                                   sock_class, family,
3464                                                   addrp, len);
3465         else
3466                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3467                                    PACKET__RECV, &ad);
3468         if (err)
3469                 goto out;
3470
3471         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3472 out:    
3473         return err;
3474 }
3475
3476 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3477                                             int __user *optlen, unsigned len)
3478 {
3479         int err = 0;
3480         char *scontext;
3481         u32 scontext_len;
3482         struct sk_security_struct *ssec;
3483         struct inode_security_struct *isec;
3484         u32 peer_sid = 0;
3485
3486         isec = SOCK_INODE(sock)->i_security;
3487
3488         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3489         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3490                 ssec = sock->sk->sk_security;
3491                 peer_sid = ssec->peer_sid;
3492         }
3493         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3494                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3495
3496                 if (peer_sid == SECSID_NULL) {
3497                         err = -ENOPROTOOPT;
3498                         goto out;
3499                 }
3500         }
3501         else {
3502                 err = -ENOPROTOOPT;
3503                 goto out;
3504         }
3505
3506         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3507
3508         if (err)
3509                 goto out;
3510
3511         if (scontext_len > len) {
3512                 err = -ERANGE;
3513                 goto out_len;
3514         }
3515
3516         if (copy_to_user(optval, scontext, scontext_len))
3517                 err = -EFAULT;
3518
3519 out_len:
3520         if (put_user(scontext_len, optlen))
3521                 err = -EFAULT;
3522
3523         kfree(scontext);
3524 out:    
3525         return err;
3526 }
3527
3528 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3529 {
3530         u32 peer_secid = SECSID_NULL;
3531         int err = 0;
3532
3533         if (sock && (sock->sk->sk_family == PF_UNIX))
3534                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3535         else if (skb)
3536                 peer_secid = selinux_socket_getpeer_dgram(skb);
3537
3538         if (peer_secid == SECSID_NULL)
3539                 err = -EINVAL;
3540         *secid = peer_secid;
3541
3542         return err;
3543 }
3544
3545 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3546 {
3547         return sk_alloc_security(sk, family, priority);
3548 }
3549
3550 static void selinux_sk_free_security(struct sock *sk)
3551 {
3552         sk_free_security(sk);
3553 }
3554
3555 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3556 {
3557         struct sk_security_struct *ssec = sk->sk_security;
3558         struct sk_security_struct *newssec = newsk->sk_security;
3559
3560         newssec->sid = ssec->sid;
3561         newssec->peer_sid = ssec->peer_sid;
3562 }
3563
3564 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3565 {
3566         if (!sk)
3567                 return selinux_no_sk_sid(fl);
3568         else {
3569                 struct sk_security_struct *sksec = sk->sk_security;
3570
3571                 return sksec->sid;
3572         }
3573 }
3574
3575 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3576 {
3577         int err = 0;
3578         u32 perm;
3579         struct nlmsghdr *nlh;
3580         struct socket *sock = sk->sk_socket;
3581         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3582         
3583         if (skb->len < NLMSG_SPACE(0)) {
3584                 err = -EINVAL;
3585                 goto out;
3586         }
3587         nlh = (struct nlmsghdr *)skb->data;
3588         
3589         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3590         if (err) {
3591                 if (err == -EINVAL) {
3592                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3593                                   "SELinux:  unrecognized netlink message"
3594                                   " type=%hu for sclass=%hu\n",
3595                                   nlh->nlmsg_type, isec->sclass);
3596                         if (!selinux_enforcing)
3597                                 err = 0;
3598                 }
3599
3600                 /* Ignore */
3601                 if (err == -ENOENT)
3602                         err = 0;
3603                 goto out;
3604         }
3605
3606         err = socket_has_perm(current, sock, perm);
3607 out:
3608         return err;
3609 }
3610
3611 #ifdef CONFIG_NETFILTER
3612
3613 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3614                                             struct inode_security_struct *isec,
3615                                             struct avc_audit_data *ad,
3616                                             u16 family, char *addrp, int len)
3617 {
3618         int err;
3619         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3620         
3621         err = sel_netif_sids(dev, &if_sid, NULL);
3622         if (err)
3623                 goto out;
3624
3625         switch (isec->sclass) {
3626         case SECCLASS_UDP_SOCKET:
3627                 netif_perm = NETIF__UDP_SEND;
3628                 node_perm = NODE__UDP_SEND;
3629                 send_perm = UDP_SOCKET__SEND_MSG;
3630                 break;
3631         
3632         case SECCLASS_TCP_SOCKET:
3633                 netif_perm = NETIF__TCP_SEND;
3634                 node_perm = NODE__TCP_SEND;
3635                 send_perm = TCP_SOCKET__SEND_MSG;
3636                 break;
3637         
3638         default:
3639                 netif_perm = NETIF__RAWIP_SEND;
3640                 node_perm = NODE__RAWIP_SEND;
3641                 break;
3642         }
3643
3644         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3645         if (err)
3646                 goto out;
3647                 
3648         err = security_node_sid(family, addrp, len, &node_sid);
3649         if (err)
3650                 goto out;
3651         
3652         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3653         if (err)
3654                 goto out;
3655
3656         if (send_perm) {
3657                 u32 port_sid;
3658                 
3659                 err = security_port_sid(sk->sk_family,
3660                                         sk->sk_type,
3661                                         sk->sk_protocol,
3662                                         ntohs(ad->u.net.dport),
3663                                         &port_sid);
3664                 if (err)
3665                         goto out;
3666
3667                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3668                                    send_perm, ad);
3669         }
3670 out:
3671         return err;
3672 }
3673
3674 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3675                                               struct sk_buff **pskb,
3676                                               const struct net_device *in,
3677                                               const struct net_device *out,
3678                                               int (*okfn)(struct sk_buff *),
3679                                               u16 family)
3680 {
3681         char *addrp;
3682         int len, err = 0;
3683         struct sock *sk;
3684         struct socket *sock;
3685         struct inode *inode;
3686         struct sk_buff *skb = *pskb;
3687         struct inode_security_struct *isec;
3688         struct avc_audit_data ad;
3689         struct net_device *dev = (struct net_device *)out;
3690
3691         sk = skb->sk;
3692         if (!sk)
3693                 goto out;
3694
3695         sock = sk->sk_socket;
3696         if (!sock)
3697                 goto out;
3698
3699         inode = SOCK_INODE(sock);
3700         if (!inode)
3701                 goto out;
3702
3703         isec = inode->i_security;
3704
3705         AVC_AUDIT_DATA_INIT(&ad, NET);
3706         ad.u.net.netif = dev->name;
3707         ad.u.net.family = family;
3708
3709         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3710         if (err)
3711                 goto out;
3712
3713         if (selinux_compat_net)
3714                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3715                                                        family, addrp, len);
3716         else
3717                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3718                                    PACKET__SEND, &ad);
3719
3720         if (err)
3721                 goto out;
3722
3723         err = selinux_xfrm_postroute_last(isec->sid, skb);
3724 out:
3725         return err ? NF_DROP : NF_ACCEPT;
3726 }
3727
3728 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3729                                                 struct sk_buff **pskb,
3730                                                 const struct net_device *in,
3731                                                 const struct net_device *out,
3732                                                 int (*okfn)(struct sk_buff *))
3733 {
3734         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3735 }
3736
3737 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3738
3739 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3740                                                 struct sk_buff **pskb,
3741                                                 const struct net_device *in,
3742                                                 const struct net_device *out,
3743                                                 int (*okfn)(struct sk_buff *))
3744 {
3745         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3746 }
3747
3748 #endif  /* IPV6 */
3749
3750 #endif  /* CONFIG_NETFILTER */
3751
3752 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3753 {
3754         int err;
3755
3756         err = secondary_ops->netlink_send(sk, skb);
3757         if (err)
3758                 return err;
3759
3760         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3761                 err = selinux_nlmsg_perm(sk, skb);
3762
3763         return err;
3764 }
3765
3766 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3767 {
3768         int err;
3769         struct avc_audit_data ad;
3770
3771         err = secondary_ops->netlink_recv(skb, capability);
3772         if (err)
3773                 return err;
3774
3775         AVC_AUDIT_DATA_INIT(&ad, CAP);
3776         ad.u.cap = capability;
3777
3778         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3779                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3780 }
3781
3782 static int ipc_alloc_security(struct task_struct *task,
3783                               struct kern_ipc_perm *perm,
3784                               u16 sclass)
3785 {
3786         struct task_security_struct *tsec = task->security;
3787         struct ipc_security_struct *isec;
3788
3789         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3790         if (!isec)
3791                 return -ENOMEM;
3792
3793         isec->sclass = sclass;
3794         isec->ipc_perm = perm;
3795         isec->sid = tsec->sid;
3796         perm->security = isec;
3797
3798         return 0;
3799 }
3800
3801 static void ipc_free_security(struct kern_ipc_perm *perm)
3802 {
3803         struct ipc_security_struct *isec = perm->security;
3804         perm->security = NULL;
3805         kfree(isec);
3806 }
3807
3808 static int msg_msg_alloc_security(struct msg_msg *msg)
3809 {
3810         struct msg_security_struct *msec;
3811
3812         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3813         if (!msec)
3814                 return -ENOMEM;
3815
3816         msec->msg = msg;
3817         msec->sid = SECINITSID_UNLABELED;
3818         msg->security = msec;
3819
3820         return 0;
3821 }
3822
3823 static void msg_msg_free_security(struct msg_msg *msg)
3824 {
3825         struct msg_security_struct *msec = msg->security;
3826
3827         msg->security = NULL;
3828         kfree(msec);
3829 }
3830
3831 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3832                         u32 perms)
3833 {
3834         struct task_security_struct *tsec;
3835         struct ipc_security_struct *isec;
3836         struct avc_audit_data ad;
3837
3838         tsec = current->security;
3839         isec = ipc_perms->security;
3840
3841         AVC_AUDIT_DATA_INIT(&ad, IPC);
3842         ad.u.ipc_id = ipc_perms->key;
3843
3844         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3845 }
3846
3847 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3848 {
3849         return msg_msg_alloc_security(msg);
3850 }
3851
3852 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3853 {
3854         msg_msg_free_security(msg);
3855 }
3856
3857 /* message queue security operations */
3858 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3859 {
3860         struct task_security_struct *tsec;
3861         struct ipc_security_struct *isec;
3862         struct avc_audit_data ad;
3863         int rc;
3864
3865         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3866         if (rc)
3867                 return rc;
3868
3869         tsec = current->security;
3870         isec = msq->q_perm.security;
3871
3872         AVC_AUDIT_DATA_INIT(&ad, IPC);
3873         ad.u.ipc_id = msq->q_perm.key;
3874
3875         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3876                           MSGQ__CREATE, &ad);
3877         if (rc) {
3878                 ipc_free_security(&msq->q_perm);
3879                 return rc;
3880         }
3881         return 0;
3882 }
3883
3884 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3885 {
3886         ipc_free_security(&msq->q_perm);
3887 }
3888
3889 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3890 {
3891         struct task_security_struct *tsec;
3892         struct ipc_security_struct *isec;
3893         struct avc_audit_data ad;
3894
3895         tsec = current->security;
3896         isec = msq->q_perm.security;
3897
3898         AVC_AUDIT_DATA_INIT(&ad, IPC);
3899         ad.u.ipc_id = msq->q_perm.key;
3900
3901         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3902                             MSGQ__ASSOCIATE, &ad);
3903 }
3904
3905 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3906 {
3907         int err;
3908         int perms;
3909
3910         switch(cmd) {
3911         case IPC_INFO:
3912         case MSG_INFO:
3913                 /* No specific object, just general system-wide information. */
3914                 return task_has_system(current, SYSTEM__IPC_INFO);
3915         case IPC_STAT:
3916         case MSG_STAT:
3917                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3918                 break;
3919         case IPC_SET:
3920                 perms = MSGQ__SETATTR;
3921                 break;
3922         case IPC_RMID:
3923                 perms = MSGQ__DESTROY;
3924                 break;
3925         default:
3926                 return 0;
3927         }
3928
3929         err = ipc_has_perm(&msq->q_perm, perms);
3930         return err;
3931 }
3932
3933 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3934 {
3935         struct task_security_struct *tsec;
3936         struct ipc_security_struct *isec;
3937         struct msg_security_struct *msec;
3938         struct avc_audit_data ad;
3939         int rc;
3940
3941         tsec = current->security;
3942         isec = msq->q_perm.security;
3943         msec = msg->security;
3944
3945         /*
3946          * First time through, need to assign label to the message
3947          */
3948         if (msec->sid == SECINITSID_UNLABELED) {
3949                 /*
3950                  * Compute new sid based on current process and
3951                  * message queue this message will be stored in
3952                  */
3953                 rc = security_transition_sid(tsec->sid,
3954                                              isec->sid,
3955                                              SECCLASS_MSG,
3956                                              &msec->sid);
3957                 if (rc)
3958                         return rc;
3959         }
3960
3961         AVC_AUDIT_DATA_INIT(&ad, IPC);
3962         ad.u.ipc_id = msq->q_perm.key;
3963
3964         /* Can this process write to the queue? */
3965         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3966                           MSGQ__WRITE, &ad);
3967         if (!rc)
3968                 /* Can this process send the message */
3969                 rc = avc_has_perm(tsec->sid, msec->sid,
3970                                   SECCLASS_MSG, MSG__SEND, &ad);
3971         if (!rc)
3972                 /* Can the message be put in the queue? */
3973                 rc = avc_has_perm(msec->sid, isec->sid,
3974                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3975
3976         return rc;
3977 }
3978
3979 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3980                                     struct task_struct *target,
3981                                     long type, int mode)
3982 {
3983         struct task_security_struct *tsec;
3984         struct ipc_security_struct *isec;
3985         struct msg_security_struct *msec;
3986         struct avc_audit_data ad;
3987         int rc;
3988
3989         tsec = target->security;
3990         isec = msq->q_perm.security;
3991         msec = msg->security;
3992
3993         AVC_AUDIT_DATA_INIT(&ad, IPC);
3994         ad.u.ipc_id = msq->q_perm.key;
3995
3996         rc = avc_has_perm(tsec->sid, isec->sid,
3997                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3998         if (!rc)
3999                 rc = avc_has_perm(tsec->sid, msec->sid,
4000                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4001         return rc;
4002 }
4003
4004 /* Shared Memory security operations */
4005 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4006 {
4007         struct task_security_struct *tsec;
4008         struct ipc_security_struct *isec;
4009         struct avc_audit_data ad;
4010         int rc;
4011
4012         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4013         if (rc)
4014                 return rc;
4015
4016         tsec = current->security;
4017         isec = shp->shm_perm.security;
4018
4019         AVC_AUDIT_DATA_INIT(&ad, IPC);
4020         ad.u.ipc_id = shp->shm_perm.key;
4021
4022         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4023                           SHM__CREATE, &ad);
4024         if (rc) {
4025                 ipc_free_security(&shp->shm_perm);
4026                 return rc;
4027         }
4028         return 0;
4029 }
4030
4031 static void selinux_shm_free_security(struct shmid_kernel *shp)
4032 {
4033         ipc_free_security(&shp->shm_perm);
4034 }
4035
4036 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4037 {
4038         struct task_security_struct *tsec;
4039         struct ipc_security_struct *isec;
4040         struct avc_audit_data ad;
4041
4042         tsec = current->security;
4043         isec = shp->shm_perm.security;
4044
4045         AVC_AUDIT_DATA_INIT(&ad, IPC);
4046         ad.u.ipc_id = shp->shm_perm.key;
4047
4048         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4049                             SHM__ASSOCIATE, &ad);
4050 }
4051
4052 /* Note, at this point, shp is locked down */
4053 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4054 {
4055         int perms;
4056         int err;
4057
4058         switch(cmd) {
4059         case IPC_INFO:
4060         case SHM_INFO:
4061                 /* No specific object, just general system-wide information. */
4062                 return task_has_system(current, SYSTEM__IPC_INFO);
4063         case IPC_STAT:
4064         case SHM_STAT:
4065                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4066                 break;
4067         case IPC_SET:
4068                 perms = SHM__SETATTR;
4069                 break;
4070         case SHM_LOCK:
4071         case SHM_UNLOCK:
4072                 perms = SHM__LOCK;
4073                 break;
4074         case IPC_RMID:
4075                 perms = SHM__DESTROY;
4076                 break;
4077         default:
4078                 return 0;
4079         }
4080
4081         err = ipc_has_perm(&shp->shm_perm, perms);
4082         return err;
4083 }
4084
4085 static int selinux_shm_shmat(struct shmid_kernel *shp,
4086                              char __user *shmaddr, int shmflg)
4087 {
4088         u32 perms;
4089         int rc;
4090
4091         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4092         if (rc)
4093                 return rc;
4094
4095         if (shmflg & SHM_RDONLY)
4096                 perms = SHM__READ;
4097         else
4098                 perms = SHM__READ | SHM__WRITE;
4099
4100         return ipc_has_perm(&shp->shm_perm, perms);
4101 }
4102
4103 /* Semaphore security operations */
4104 static int selinux_sem_alloc_security(struct sem_array *sma)
4105 {
4106         struct task_security_struct *tsec;
4107         struct ipc_security_struct *isec;
4108         struct avc_audit_data ad;
4109         int rc;
4110
4111         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4112         if (rc)
4113                 return rc;
4114
4115         tsec = current->security;
4116         isec = sma->sem_perm.security;
4117
4118         AVC_AUDIT_DATA_INIT(&ad, IPC);
4119         ad.u.ipc_id = sma->sem_perm.key;
4120
4121         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4122                           SEM__CREATE, &ad);
4123         if (rc) {
4124                 ipc_free_security(&sma->sem_perm);
4125                 return rc;
4126         }
4127         return 0;
4128 }
4129
4130 static void selinux_sem_free_security(struct sem_array *sma)
4131 {
4132         ipc_free_security(&sma->sem_perm);
4133 }
4134
4135 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4136 {
4137         struct task_security_struct *tsec;
4138         struct ipc_security_struct *isec;
4139         struct avc_audit_data ad;
4140
4141         tsec = current->security;
4142         isec = sma->sem_perm.security;
4143
4144         AVC_AUDIT_DATA_INIT(&ad, IPC);
4145         ad.u.ipc_id = sma->sem_perm.key;
4146
4147         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4148                             SEM__ASSOCIATE, &ad);
4149 }
4150
4151 /* Note, at this point, sma is locked down */
4152 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4153 {
4154         int err;
4155         u32 perms;
4156
4157         switch(cmd) {
4158         case IPC_INFO:
4159         case SEM_INFO:
4160                 /* No specific object, just general system-wide information. */
4161                 return task_has_system(current, SYSTEM__IPC_INFO);
4162         case GETPID:
4163         case GETNCNT:
4164         case GETZCNT:
4165                 perms = SEM__GETATTR;
4166                 break;
4167         case GETVAL:
4168         case GETALL:
4169                 perms = SEM__READ;
4170                 break;
4171         case SETVAL:
4172         case SETALL:
4173                 perms = SEM__WRITE;
4174                 break;
4175         case IPC_RMID:
4176                 perms = SEM__DESTROY;
4177                 break;
4178         case IPC_SET:
4179                 perms = SEM__SETATTR;
4180                 break;
4181         case IPC_STAT:
4182         case SEM_STAT:
4183                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4184                 break;
4185         default:
4186                 return 0;
4187         }
4188
4189         err = ipc_has_perm(&sma->sem_perm, perms);
4190         return err;
4191 }
4192
4193 static int selinux_sem_semop(struct sem_array *sma,
4194                              struct sembuf *sops, unsigned nsops, int alter)
4195 {
4196         u32 perms;
4197
4198         if (alter)
4199                 perms = SEM__READ | SEM__WRITE;
4200         else
4201                 perms = SEM__READ;
4202
4203         return ipc_has_perm(&sma->sem_perm, perms);
4204 }
4205
4206 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4207 {
4208         u32 av = 0;
4209
4210         av = 0;
4211         if (flag & S_IRUGO)
4212                 av |= IPC__UNIX_READ;
4213         if (flag & S_IWUGO)
4214                 av |= IPC__UNIX_WRITE;
4215
4216         if (av == 0)
4217                 return 0;
4218
4219         return ipc_has_perm(ipcp, av);
4220 }
4221
4222 /* module stacking operations */
4223 static int selinux_register_security (const char *name, struct security_operations *ops)
4224 {
4225         if (secondary_ops != original_ops) {
4226                 printk(KERN_INFO "%s:  There is already a secondary security "
4227                        "module registered.\n", __FUNCTION__);
4228                 return -EINVAL;
4229         }
4230
4231         secondary_ops = ops;
4232
4233         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4234                __FUNCTION__,
4235                name);
4236
4237         return 0;
4238 }
4239
4240 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4241 {
4242         if (ops != secondary_ops) {
4243                 printk (KERN_INFO "%s:  trying to unregister a security module "
4244                         "that is not registered.\n", __FUNCTION__);
4245                 return -EINVAL;
4246         }
4247
4248         secondary_ops = original_ops;
4249
4250         return 0;
4251 }
4252
4253 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4254 {
4255         if (inode)
4256                 inode_doinit_with_dentry(inode, dentry);
4257 }
4258
4259 static int selinux_getprocattr(struct task_struct *p,
4260                                char *name, void *value, size_t size)
4261 {
4262         struct task_security_struct *tsec;
4263         u32 sid;
4264         int error;
4265
4266         if (current != p) {
4267                 error = task_has_perm(current, p, PROCESS__GETATTR);
4268                 if (error)
4269                         return error;
4270         }
4271
4272         tsec = p->security;
4273
4274         if (!strcmp(name, "current"))
4275                 sid = tsec->sid;
4276         else if (!strcmp(name, "prev"))
4277                 sid = tsec->osid;
4278         else if (!strcmp(name, "exec"))
4279                 sid = tsec->exec_sid;
4280         else if (!strcmp(name, "fscreate"))
4281                 sid = tsec->create_sid;
4282         else if (!strcmp(name, "keycreate"))
4283                 sid = tsec->keycreate_sid;
4284         else if (!strcmp(name, "sockcreate"))
4285                 sid = tsec->sockcreate_sid;
4286         else
4287                 return -EINVAL;
4288
4289         if (!sid)
4290                 return 0;
4291
4292         return selinux_getsecurity(sid, value, size);
4293 }
4294
4295 static int selinux_setprocattr(struct task_struct *p,
4296                                char *name, void *value, size_t size)
4297 {
4298         struct task_security_struct *tsec;
4299         u32 sid = 0;
4300         int error;
4301         char *str = value;
4302
4303         if (current != p) {
4304                 /* SELinux only allows a process to change its own
4305                    security attributes. */
4306                 return -EACCES;
4307         }
4308
4309         /*
4310          * Basic control over ability to set these attributes at all.
4311          * current == p, but we'll pass them separately in case the
4312          * above restriction is ever removed.
4313          */
4314         if (!strcmp(name, "exec"))
4315                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4316         else if (!strcmp(name, "fscreate"))
4317                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4318         else if (!strcmp(name, "keycreate"))
4319                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4320         else if (!strcmp(name, "sockcreate"))
4321                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4322         else if (!strcmp(name, "current"))
4323                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4324         else
4325                 error = -EINVAL;
4326         if (error)
4327                 return error;
4328
4329         /* Obtain a SID for the context, if one was specified. */
4330         if (size && str[1] && str[1] != '\n') {
4331                 if (str[size-1] == '\n') {
4332                         str[size-1] = 0;
4333                         size--;
4334                 }
4335                 error = security_context_to_sid(value, size, &sid);
4336                 if (error)
4337                         return error;
4338         }
4339
4340         /* Permission checking based on the specified context is
4341            performed during the actual operation (execve,
4342            open/mkdir/...), when we know the full context of the
4343            operation.  See selinux_bprm_set_security for the execve
4344            checks and may_create for the file creation checks. The
4345            operation will then fail if the context is not permitted. */
4346         tsec = p->security;
4347         if (!strcmp(name, "exec"))
4348                 tsec->exec_sid = sid;
4349         else if (!strcmp(name, "fscreate"))
4350                 tsec->create_sid = sid;
4351         else if (!strcmp(name, "keycreate")) {
4352                 error = may_create_key(sid, p);
4353                 if (error)
4354                         return error;
4355                 tsec->keycreate_sid = sid;
4356         } else if (!strcmp(name, "sockcreate"))
4357                 tsec->sockcreate_sid = sid;
4358         else if (!strcmp(name, "current")) {
4359                 struct av_decision avd;
4360
4361                 if (sid == 0)
4362                         return -EINVAL;
4363
4364                 /* Only allow single threaded processes to change context */
4365                 if (atomic_read(&p->mm->mm_users) != 1) {
4366                         struct task_struct *g, *t;
4367                         struct mm_struct *mm = p->mm;
4368                         read_lock(&tasklist_lock);
4369                         do_each_thread(g, t)
4370                                 if (t->mm == mm && t != p) {
4371                                         read_unlock(&tasklist_lock);
4372                                         return -EPERM;
4373                                 }
4374                         while_each_thread(g, t);
4375                         read_unlock(&tasklist_lock);
4376                 }
4377
4378                 /* Check permissions for the transition. */
4379                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4380                                      PROCESS__DYNTRANSITION, NULL);
4381                 if (error)
4382                         return error;
4383
4384                 /* Check for ptracing, and update the task SID if ok.
4385                    Otherwise, leave SID unchanged and fail. */
4386                 task_lock(p);
4387                 if (p->ptrace & PT_PTRACED) {
4388                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4389                                                      SECCLASS_PROCESS,
4390                                                      PROCESS__PTRACE, &avd);
4391                         if (!error)
4392                                 tsec->sid = sid;
4393                         task_unlock(p);
4394                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4395                                   PROCESS__PTRACE, &avd, error, NULL);
4396                         if (error)
4397                                 return error;
4398                 } else {
4399                         tsec->sid = sid;
4400                         task_unlock(p);
4401                 }
4402         }
4403         else
4404                 return -EINVAL;
4405
4406         return size;
4407 }
4408
4409 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4410 {
4411         return security_sid_to_context(secid, secdata, seclen);
4412 }
4413
4414 static void selinux_release_secctx(char *secdata, u32 seclen)
4415 {
4416         if (secdata)
4417                 kfree(secdata);
4418 }
4419
4420 #ifdef CONFIG_KEYS
4421
4422 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4423                              unsigned long flags)
4424 {
4425         struct task_security_struct *tsec = tsk->security;
4426         struct key_security_struct *ksec;
4427
4428         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4429         if (!ksec)
4430                 return -ENOMEM;
4431
4432         ksec->obj = k;
4433         if (tsec->keycreate_sid)
4434                 ksec->sid = tsec->keycreate_sid;
4435         else
4436                 ksec->sid = tsec->sid;
4437         k->security = ksec;
4438
4439         return 0;
4440 }
4441
4442 static void selinux_key_free(struct key *k)
4443 {
4444         struct key_security_struct *ksec = k->security;
4445
4446         k->security = NULL;
4447         kfree(ksec);
4448 }
4449
4450 static int selinux_key_permission(key_ref_t key_ref,
4451                             struct task_struct *ctx,
4452                             key_perm_t perm)
4453 {
4454         struct key *key;
4455         struct task_security_struct *tsec;
4456         struct key_security_struct *ksec;
4457
4458         key = key_ref_to_ptr(key_ref);
4459
4460         tsec = ctx->security;
4461         ksec = key->security;
4462
4463         /* if no specific permissions are requested, we skip the
4464            permission check. No serious, additional covert channels
4465            appear to be created. */
4466         if (perm == 0)
4467                 return 0;
4468
4469         return avc_has_perm(tsec->sid, ksec->sid,
4470                             SECCLASS_KEY, perm, NULL);
4471 }
4472
4473 #endif
4474
4475 static struct security_operations selinux_ops = {
4476         .ptrace =                       selinux_ptrace,
4477         .capget =                       selinux_capget,
4478         .capset_check =                 selinux_capset_check,
4479         .capset_set =                   selinux_capset_set,
4480         .sysctl =                       selinux_sysctl,
4481         .capable =                      selinux_capable,
4482         .quotactl =                     selinux_quotactl,
4483         .quota_on =                     selinux_quota_on,
4484         .syslog =                       selinux_syslog,
4485         .vm_enough_memory =             selinux_vm_enough_memory,
4486
4487         .netlink_send =                 selinux_netlink_send,
4488         .netlink_recv =                 selinux_netlink_recv,
4489
4490         .bprm_alloc_security =          selinux_bprm_alloc_security,
4491         .bprm_free_security =           selinux_bprm_free_security,
4492         .bprm_apply_creds =             selinux_bprm_apply_creds,
4493         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4494         .bprm_set_security =            selinux_bprm_set_security,
4495         .bprm_check_security =          selinux_bprm_check_security,
4496         .bprm_secureexec =              selinux_bprm_secureexec,
4497
4498         .sb_alloc_security =            selinux_sb_alloc_security,
4499         .sb_free_security =             selinux_sb_free_security,
4500         .sb_copy_data =                 selinux_sb_copy_data,
4501         .sb_kern_mount =                selinux_sb_kern_mount,
4502         .sb_statfs =                    selinux_sb_statfs,
4503         .sb_mount =                     selinux_mount,
4504         .sb_umount =                    selinux_umount,
4505
4506         .inode_alloc_security =         selinux_inode_alloc_security,
4507         .inode_free_security =          selinux_inode_free_security,
4508         .inode_init_security =          selinux_inode_init_security,
4509         .inode_create =                 selinux_inode_create,
4510         .inode_link =                   selinux_inode_link,
4511         .inode_unlink =                 selinux_inode_unlink,
4512         .inode_symlink =                selinux_inode_symlink,
4513         .inode_mkdir =                  selinux_inode_mkdir,
4514         .inode_rmdir =                  selinux_inode_rmdir,
4515         .inode_mknod =                  selinux_inode_mknod,
4516         .inode_rename =                 selinux_inode_rename,
4517         .inode_readlink =               selinux_inode_readlink,
4518         .inode_follow_link =            selinux_inode_follow_link,
4519         .inode_permission =             selinux_inode_permission,
4520         .inode_setattr =                selinux_inode_setattr,
4521         .inode_getattr =                selinux_inode_getattr,
4522         .inode_setxattr =               selinux_inode_setxattr,
4523         .inode_post_setxattr =          selinux_inode_post_setxattr,
4524         .inode_getxattr =               selinux_inode_getxattr,
4525         .inode_listxattr =              selinux_inode_listxattr,
4526         .inode_removexattr =            selinux_inode_removexattr,
4527         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4528         .inode_getsecurity =            selinux_inode_getsecurity,
4529         .inode_setsecurity =            selinux_inode_setsecurity,
4530         .inode_listsecurity =           selinux_inode_listsecurity,
4531
4532         .file_permission =              selinux_file_permission,
4533         .file_alloc_security =          selinux_file_alloc_security,
4534         .file_free_security =           selinux_file_free_security,
4535         .file_ioctl =                   selinux_file_ioctl,
4536         .file_mmap =                    selinux_file_mmap,
4537         .file_mprotect =                selinux_file_mprotect,
4538         .file_lock =                    selinux_file_lock,
4539         .file_fcntl =                   selinux_file_fcntl,
4540         .file_set_fowner =              selinux_file_set_fowner,
4541         .file_send_sigiotask =          selinux_file_send_sigiotask,
4542         .file_receive =                 selinux_file_receive,
4543
4544         .task_create =                  selinux_task_create,
4545         .task_alloc_security =          selinux_task_alloc_security,
4546         .task_free_security =           selinux_task_free_security,
4547         .task_setuid =                  selinux_task_setuid,
4548         .task_post_setuid =             selinux_task_post_setuid,
4549         .task_setgid =                  selinux_task_setgid,
4550         .task_setpgid =                 selinux_task_setpgid,
4551         .task_getpgid =                 selinux_task_getpgid,
4552         .task_getsid =                  selinux_task_getsid,
4553         .task_getsecid =                selinux_task_getsecid,
4554         .task_setgroups =               selinux_task_setgroups,
4555         .task_setnice =                 selinux_task_setnice,
4556         .task_setioprio =               selinux_task_setioprio,
4557         .task_getioprio =               selinux_task_getioprio,
4558         .task_setrlimit =               selinux_task_setrlimit,
4559         .task_setscheduler =            selinux_task_setscheduler,
4560         .task_getscheduler =            selinux_task_getscheduler,
4561         .task_movememory =              selinux_task_movememory,
4562         .task_kill =                    selinux_task_kill,
4563         .task_wait =                    selinux_task_wait,
4564         .task_prctl =                   selinux_task_prctl,
4565         .task_reparent_to_init =        selinux_task_reparent_to_init,
4566         .task_to_inode =                selinux_task_to_inode,
4567
4568         .ipc_permission =               selinux_ipc_permission,
4569
4570         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4571         .msg_msg_free_security =        selinux_msg_msg_free_security,
4572
4573         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4574         .msg_queue_free_security =      selinux_msg_queue_free_security,
4575         .msg_queue_associate =          selinux_msg_queue_associate,
4576         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4577         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4578         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4579
4580         .shm_alloc_security =           selinux_shm_alloc_security,
4581         .shm_free_security =            selinux_shm_free_security,
4582         .shm_associate =                selinux_shm_associate,
4583         .shm_shmctl =                   selinux_shm_shmctl,
4584         .shm_shmat =                    selinux_shm_shmat,
4585
4586         .sem_alloc_security =           selinux_sem_alloc_security,
4587         .sem_free_security =            selinux_sem_free_security,
4588         .sem_associate =                selinux_sem_associate,
4589         .sem_semctl =                   selinux_sem_semctl,
4590         .sem_semop =                    selinux_sem_semop,
4591
4592         .register_security =            selinux_register_security,
4593         .unregister_security =          selinux_unregister_security,
4594
4595         .d_instantiate =                selinux_d_instantiate,
4596
4597         .getprocattr =                  selinux_getprocattr,
4598         .setprocattr =                  selinux_setprocattr,
4599
4600         .secid_to_secctx =              selinux_secid_to_secctx,
4601         .release_secctx =               selinux_release_secctx,
4602
4603         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4604         .unix_may_send =                selinux_socket_unix_may_send,
4605
4606         .socket_create =                selinux_socket_create,
4607         .socket_post_create =           selinux_socket_post_create,
4608         .socket_bind =                  selinux_socket_bind,
4609         .socket_connect =               selinux_socket_connect,
4610         .socket_listen =                selinux_socket_listen,
4611         .socket_accept =                selinux_socket_accept,
4612         .socket_sendmsg =               selinux_socket_sendmsg,
4613         .socket_recvmsg =               selinux_socket_recvmsg,
4614         .socket_getsockname =           selinux_socket_getsockname,
4615         .socket_getpeername =           selinux_socket_getpeername,
4616         .socket_getsockopt =            selinux_socket_getsockopt,
4617         .socket_setsockopt =            selinux_socket_setsockopt,
4618         .socket_shutdown =              selinux_socket_shutdown,
4619         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4620         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4621         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4622         .sk_alloc_security =            selinux_sk_alloc_security,
4623         .sk_free_security =             selinux_sk_free_security,
4624         .sk_clone_security =            selinux_sk_clone_security,
4625         .sk_getsid =                    selinux_sk_getsid_security,
4626
4627 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4628         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4629         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4630         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4631         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4632         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4633         .xfrm_state_free_security =     selinux_xfrm_state_free,
4634         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4635         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4636 #endif
4637
4638 #ifdef CONFIG_KEYS
4639         .key_alloc =                    selinux_key_alloc,
4640         .key_free =                     selinux_key_free,
4641         .key_permission =               selinux_key_permission,
4642 #endif
4643 };
4644
4645 static __init int selinux_init(void)
4646 {
4647         struct task_security_struct *tsec;
4648
4649         if (!selinux_enabled) {
4650                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4651                 return 0;
4652         }
4653
4654         printk(KERN_INFO "SELinux:  Initializing.\n");
4655
4656         /* Set the security state for the initial task. */
4657         if (task_alloc_security(current))
4658                 panic("SELinux:  Failed to initialize initial task.\n");
4659         tsec = current->security;
4660         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4661
4662         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4663                                             sizeof(struct inode_security_struct),
4664                                             0, SLAB_PANIC, NULL, NULL);
4665         avc_init();
4666
4667         original_ops = secondary_ops = security_ops;
4668         if (!secondary_ops)
4669                 panic ("SELinux: No initial security operations\n");
4670         if (register_security (&selinux_ops))
4671                 panic("SELinux: Unable to register with kernel.\n");
4672
4673         if (selinux_enforcing) {
4674                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4675         } else {
4676                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4677         }
4678
4679 #ifdef CONFIG_KEYS
4680         /* Add security information to initial keyrings */
4681         selinux_key_alloc(&root_user_keyring, current,
4682                           KEY_ALLOC_NOT_IN_QUOTA);
4683         selinux_key_alloc(&root_session_keyring, current,
4684                           KEY_ALLOC_NOT_IN_QUOTA);
4685 #endif
4686
4687         return 0;
4688 }
4689
4690 void selinux_complete_init(void)
4691 {
4692         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4693
4694         /* Set up any superblocks initialized prior to the policy load. */
4695         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4696         spin_lock(&sb_lock);
4697         spin_lock(&sb_security_lock);
4698 next_sb:
4699         if (!list_empty(&superblock_security_head)) {
4700                 struct superblock_security_struct *sbsec =
4701                                 list_entry(superblock_security_head.next,
4702                                            struct superblock_security_struct,
4703                                            list);
4704                 struct super_block *sb = sbsec->sb;
4705                 sb->s_count++;
4706                 spin_unlock(&sb_security_lock);
4707                 spin_unlock(&sb_lock);
4708                 down_read(&sb->s_umount);
4709                 if (sb->s_root)
4710                         superblock_doinit(sb, NULL);
4711                 drop_super(sb);
4712                 spin_lock(&sb_lock);
4713                 spin_lock(&sb_security_lock);
4714                 list_del_init(&sbsec->list);
4715                 goto next_sb;
4716         }
4717         spin_unlock(&sb_security_lock);
4718         spin_unlock(&sb_lock);
4719 }
4720
4721 /* SELinux requires early initialization in order to label
4722    all processes and objects when they are created. */
4723 security_initcall(selinux_init);
4724
4725 #if defined(CONFIG_NETFILTER)
4726
4727 static struct nf_hook_ops selinux_ipv4_op = {
4728         .hook =         selinux_ipv4_postroute_last,
4729         .owner =        THIS_MODULE,
4730         .pf =           PF_INET,
4731         .hooknum =      NF_IP_POST_ROUTING,
4732         .priority =     NF_IP_PRI_SELINUX_LAST,
4733 };
4734
4735 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4736
4737 static struct nf_hook_ops selinux_ipv6_op = {
4738         .hook =         selinux_ipv6_postroute_last,
4739         .owner =        THIS_MODULE,
4740         .pf =           PF_INET6,
4741         .hooknum =      NF_IP6_POST_ROUTING,
4742         .priority =     NF_IP6_PRI_SELINUX_LAST,
4743 };
4744
4745 #endif  /* IPV6 */
4746
4747 static int __init selinux_nf_ip_init(void)
4748 {
4749         int err = 0;
4750
4751         if (!selinux_enabled)
4752                 goto out;
4753                 
4754         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4755         
4756         err = nf_register_hook(&selinux_ipv4_op);
4757         if (err)
4758                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4759
4760 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4761
4762         err = nf_register_hook(&selinux_ipv6_op);
4763         if (err)
4764                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4765
4766 #endif  /* IPV6 */
4767
4768 out:
4769         return err;
4770 }
4771
4772 __initcall(selinux_nf_ip_init);
4773
4774 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4775 static void selinux_nf_ip_exit(void)
4776 {
4777         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4778
4779         nf_unregister_hook(&selinux_ipv4_op);
4780 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4781         nf_unregister_hook(&selinux_ipv6_op);
4782 #endif  /* IPV6 */
4783 }
4784 #endif
4785
4786 #else /* CONFIG_NETFILTER */
4787
4788 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4789 #define selinux_nf_ip_exit()
4790 #endif
4791
4792 #endif /* CONFIG_NETFILTER */
4793
4794 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4795 int selinux_disable(void)
4796 {
4797         extern void exit_sel_fs(void);
4798         static int selinux_disabled = 0;
4799
4800         if (ss_initialized) {
4801                 /* Not permitted after initial policy load. */
4802                 return -EINVAL;
4803         }
4804
4805         if (selinux_disabled) {
4806                 /* Only do this once. */
4807                 return -EINVAL;
4808         }
4809
4810         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4811
4812         selinux_disabled = 1;
4813         selinux_enabled = 0;
4814
4815         /* Reset security_ops to the secondary module, dummy or capability. */
4816         security_ops = secondary_ops;
4817
4818         /* Unregister netfilter hooks. */
4819         selinux_nf_ip_exit();
4820
4821         /* Unregister selinuxfs. */
4822         exit_sel_fs();
4823
4824         return 0;
4825 }
4826 #endif
4827
4828