[PATCH] selinux: Disable automatic labeling of new inodes when no policy is loaded
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
86
87 static int __init enforcing_setup(char *str)
88 {
89         selinux_enforcing = simple_strtol(str,NULL,0);
90         return 1;
91 }
92 __setup("enforcing=", enforcing_setup);
93 #endif
94
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98 static int __init selinux_enabled_setup(char *str)
99 {
100         selinux_enabled = simple_strtol(str, NULL, 0);
101         return 1;
102 }
103 __setup("selinux=", selinux_enabled_setup);
104 #endif
105
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
108
109 /* Minimal support for a secondary security module,
110    just to allow the use of the dummy or capability modules.
111    The owlsm module can alternatively be used as a secondary
112    module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
114
115 /* Lists of inode and superblock security structures initialized
116    before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
119
120 /* Allocate and free functions for each kind of security blob. */
121
122 static int task_alloc_security(struct task_struct *task)
123 {
124         struct task_security_struct *tsec;
125
126         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
127         if (!tsec)
128                 return -ENOMEM;
129
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140         task->security = NULL;
141         kfree(tsec);
142 }
143
144 static int inode_alloc_security(struct inode *inode)
145 {
146         struct task_security_struct *tsec = current->security;
147         struct inode_security_struct *isec;
148
149         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
150         if (!isec)
151                 return -ENOMEM;
152
153         init_MUTEX(&isec->sem);
154         INIT_LIST_HEAD(&isec->list);
155         isec->inode = inode;
156         isec->sid = SECINITSID_UNLABELED;
157         isec->sclass = SECCLASS_FILE;
158         isec->task_sid = tsec->sid;
159         inode->i_security = isec;
160
161         return 0;
162 }
163
164 static void inode_free_security(struct inode *inode)
165 {
166         struct inode_security_struct *isec = inode->i_security;
167         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
168
169         spin_lock(&sbsec->isec_lock);
170         if (!list_empty(&isec->list))
171                 list_del_init(&isec->list);
172         spin_unlock(&sbsec->isec_lock);
173
174         inode->i_security = NULL;
175         kfree(isec);
176 }
177
178 static int file_alloc_security(struct file *file)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct file_security_struct *fsec;
182
183         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
184         if (!fsec)
185                 return -ENOMEM;
186
187         fsec->file = file;
188         fsec->sid = tsec->sid;
189         fsec->fown_sid = tsec->sid;
190         file->f_security = fsec;
191
192         return 0;
193 }
194
195 static void file_free_security(struct file *file)
196 {
197         struct file_security_struct *fsec = file->f_security;
198         file->f_security = NULL;
199         kfree(fsec);
200 }
201
202 static int superblock_alloc_security(struct super_block *sb)
203 {
204         struct superblock_security_struct *sbsec;
205
206         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
207         if (!sbsec)
208                 return -ENOMEM;
209
210         init_MUTEX(&sbsec->sem);
211         INIT_LIST_HEAD(&sbsec->list);
212         INIT_LIST_HEAD(&sbsec->isec_head);
213         spin_lock_init(&sbsec->isec_lock);
214         sbsec->sb = sb;
215         sbsec->sid = SECINITSID_UNLABELED;
216         sbsec->def_sid = SECINITSID_FILE;
217         sb->s_security = sbsec;
218
219         return 0;
220 }
221
222 static void superblock_free_security(struct super_block *sb)
223 {
224         struct superblock_security_struct *sbsec = sb->s_security;
225
226         spin_lock(&sb_security_lock);
227         if (!list_empty(&sbsec->list))
228                 list_del_init(&sbsec->list);
229         spin_unlock(&sb_security_lock);
230
231         sb->s_security = NULL;
232         kfree(sbsec);
233 }
234
235 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
236 {
237         struct sk_security_struct *ssec;
238
239         if (family != PF_UNIX)
240                 return 0;
241
242         ssec = kzalloc(sizeof(*ssec), priority);
243         if (!ssec)
244                 return -ENOMEM;
245
246         ssec->sk = sk;
247         ssec->peer_sid = SECINITSID_UNLABELED;
248         sk->sk_security = ssec;
249
250         return 0;
251 }
252
253 static void sk_free_security(struct sock *sk)
254 {
255         struct sk_security_struct *ssec = sk->sk_security;
256
257         if (sk->sk_family != PF_UNIX)
258                 return;
259
260         sk->sk_security = NULL;
261         kfree(ssec);
262 }
263
264 /* The security server must be initialized before
265    any labeling or access decisions can be provided. */
266 extern int ss_initialized;
267
268 /* The file system's label must be initialized prior to use. */
269
270 static char *labeling_behaviors[6] = {
271         "uses xattr",
272         "uses transition SIDs",
273         "uses task SIDs",
274         "uses genfs_contexts",
275         "not configured for labeling",
276         "uses mountpoint labeling",
277 };
278
279 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
280
281 static inline int inode_doinit(struct inode *inode)
282 {
283         return inode_doinit_with_dentry(inode, NULL);
284 }
285
286 enum {
287         Opt_context = 1,
288         Opt_fscontext = 2,
289         Opt_defcontext = 4,
290 };
291
292 static match_table_t tokens = {
293         {Opt_context, "context=%s"},
294         {Opt_fscontext, "fscontext=%s"},
295         {Opt_defcontext, "defcontext=%s"},
296 };
297
298 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
299
300 static int try_context_mount(struct super_block *sb, void *data)
301 {
302         char *context = NULL, *defcontext = NULL;
303         const char *name;
304         u32 sid;
305         int alloc = 0, rc = 0, seen = 0;
306         struct task_security_struct *tsec = current->security;
307         struct superblock_security_struct *sbsec = sb->s_security;
308
309         if (!data)
310                 goto out;
311
312         name = sb->s_type->name;
313
314         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
315
316                 /* NFS we understand. */
317                 if (!strcmp(name, "nfs")) {
318                         struct nfs_mount_data *d = data;
319
320                         if (d->version <  NFS_MOUNT_VERSION)
321                                 goto out;
322
323                         if (d->context[0]) {
324                                 context = d->context;
325                                 seen |= Opt_context;
326                         }
327                 } else
328                         goto out;
329
330         } else {
331                 /* Standard string-based options. */
332                 char *p, *options = data;
333
334                 while ((p = strsep(&options, ",")) != NULL) {
335                         int token;
336                         substring_t args[MAX_OPT_ARGS];
337
338                         if (!*p)
339                                 continue;
340
341                         token = match_token(p, tokens, args);
342
343                         switch (token) {
344                         case Opt_context:
345                                 if (seen) {
346                                         rc = -EINVAL;
347                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
348                                         goto out_free;
349                                 }
350                                 context = match_strdup(&args[0]);
351                                 if (!context) {
352                                         rc = -ENOMEM;
353                                         goto out_free;
354                                 }
355                                 if (!alloc)
356                                         alloc = 1;
357                                 seen |= Opt_context;
358                                 break;
359
360                         case Opt_fscontext:
361                                 if (seen & (Opt_context|Opt_fscontext)) {
362                                         rc = -EINVAL;
363                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
364                                         goto out_free;
365                                 }
366                                 context = match_strdup(&args[0]);
367                                 if (!context) {
368                                         rc = -ENOMEM;
369                                         goto out_free;
370                                 }
371                                 if (!alloc)
372                                         alloc = 1;
373                                 seen |= Opt_fscontext;
374                                 break;
375
376                         case Opt_defcontext:
377                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
378                                         rc = -EINVAL;
379                                         printk(KERN_WARNING "SELinux:  "
380                                                "defcontext option is invalid "
381                                                "for this filesystem type\n");
382                                         goto out_free;
383                                 }
384                                 if (seen & (Opt_context|Opt_defcontext)) {
385                                         rc = -EINVAL;
386                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
387                                         goto out_free;
388                                 }
389                                 defcontext = match_strdup(&args[0]);
390                                 if (!defcontext) {
391                                         rc = -ENOMEM;
392                                         goto out_free;
393                                 }
394                                 if (!alloc)
395                                         alloc = 1;
396                                 seen |= Opt_defcontext;
397                                 break;
398
399                         default:
400                                 rc = -EINVAL;
401                                 printk(KERN_WARNING "SELinux:  unknown mount "
402                                        "option\n");
403                                 goto out_free;
404
405                         }
406                 }
407         }
408
409         if (!seen)
410                 goto out;
411
412         if (context) {
413                 rc = security_context_to_sid(context, strlen(context), &sid);
414                 if (rc) {
415                         printk(KERN_WARNING "SELinux: security_context_to_sid"
416                                "(%s) failed for (dev %s, type %s) errno=%d\n",
417                                context, sb->s_id, name, rc);
418                         goto out_free;
419                 }
420
421                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
422                                   FILESYSTEM__RELABELFROM, NULL);
423                 if (rc)
424                         goto out_free;
425
426                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
427                                   FILESYSTEM__RELABELTO, NULL);
428                 if (rc)
429                         goto out_free;
430
431                 sbsec->sid = sid;
432
433                 if (seen & Opt_context)
434                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
435         }
436
437         if (defcontext) {
438                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
439                 if (rc) {
440                         printk(KERN_WARNING "SELinux: security_context_to_sid"
441                                "(%s) failed for (dev %s, type %s) errno=%d\n",
442                                defcontext, sb->s_id, name, rc);
443                         goto out_free;
444                 }
445
446                 if (sid == sbsec->def_sid)
447                         goto out_free;
448
449                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450                                   FILESYSTEM__RELABELFROM, NULL);
451                 if (rc)
452                         goto out_free;
453
454                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__ASSOCIATE, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 sbsec->def_sid = sid;
460         }
461
462 out_free:
463         if (alloc) {
464                 kfree(context);
465                 kfree(defcontext);
466         }
467 out:
468         return rc;
469 }
470
471 static int superblock_doinit(struct super_block *sb, void *data)
472 {
473         struct superblock_security_struct *sbsec = sb->s_security;
474         struct dentry *root = sb->s_root;
475         struct inode *inode = root->d_inode;
476         int rc = 0;
477
478         down(&sbsec->sem);
479         if (sbsec->initialized)
480                 goto out;
481
482         if (!ss_initialized) {
483                 /* Defer initialization until selinux_complete_init,
484                    after the initial policy is loaded and the security
485                    server is ready to handle calls. */
486                 spin_lock(&sb_security_lock);
487                 if (list_empty(&sbsec->list))
488                         list_add(&sbsec->list, &superblock_security_head);
489                 spin_unlock(&sb_security_lock);
490                 goto out;
491         }
492
493         /* Determine the labeling behavior to use for this filesystem type. */
494         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
495         if (rc) {
496                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
497                        __FUNCTION__, sb->s_type->name, rc);
498                 goto out;
499         }
500
501         rc = try_context_mount(sb, data);
502         if (rc)
503                 goto out;
504
505         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
506                 /* Make sure that the xattr handler exists and that no
507                    error other than -ENODATA is returned by getxattr on
508                    the root directory.  -ENODATA is ok, as this may be
509                    the first boot of the SELinux kernel before we have
510                    assigned xattr values to the filesystem. */
511                 if (!inode->i_op->getxattr) {
512                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
513                                "xattr support\n", sb->s_id, sb->s_type->name);
514                         rc = -EOPNOTSUPP;
515                         goto out;
516                 }
517                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
518                 if (rc < 0 && rc != -ENODATA) {
519                         if (rc == -EOPNOTSUPP)
520                                 printk(KERN_WARNING "SELinux: (dev %s, type "
521                                        "%s) has no security xattr handler\n",
522                                        sb->s_id, sb->s_type->name);
523                         else
524                                 printk(KERN_WARNING "SELinux: (dev %s, type "
525                                        "%s) getxattr errno %d\n", sb->s_id,
526                                        sb->s_type->name, -rc);
527                         goto out;
528                 }
529         }
530
531         if (strcmp(sb->s_type->name, "proc") == 0)
532                 sbsec->proc = 1;
533
534         sbsec->initialized = 1;
535
536         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
537                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
538                        sb->s_id, sb->s_type->name);
539         }
540         else {
541                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
542                        sb->s_id, sb->s_type->name,
543                        labeling_behaviors[sbsec->behavior-1]);
544         }
545
546         /* Initialize the root inode. */
547         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
548
549         /* Initialize any other inodes associated with the superblock, e.g.
550            inodes created prior to initial policy load or inodes created
551            during get_sb by a pseudo filesystem that directly
552            populates itself. */
553         spin_lock(&sbsec->isec_lock);
554 next_inode:
555         if (!list_empty(&sbsec->isec_head)) {
556                 struct inode_security_struct *isec =
557                                 list_entry(sbsec->isec_head.next,
558                                            struct inode_security_struct, list);
559                 struct inode *inode = isec->inode;
560                 spin_unlock(&sbsec->isec_lock);
561                 inode = igrab(inode);
562                 if (inode) {
563                         if (!IS_PRIVATE (inode))
564                                 inode_doinit(inode);
565                         iput(inode);
566                 }
567                 spin_lock(&sbsec->isec_lock);
568                 list_del_init(&isec->list);
569                 goto next_inode;
570         }
571         spin_unlock(&sbsec->isec_lock);
572 out:
573         up(&sbsec->sem);
574         return rc;
575 }
576
577 static inline u16 inode_mode_to_security_class(umode_t mode)
578 {
579         switch (mode & S_IFMT) {
580         case S_IFSOCK:
581                 return SECCLASS_SOCK_FILE;
582         case S_IFLNK:
583                 return SECCLASS_LNK_FILE;
584         case S_IFREG:
585                 return SECCLASS_FILE;
586         case S_IFBLK:
587                 return SECCLASS_BLK_FILE;
588         case S_IFDIR:
589                 return SECCLASS_DIR;
590         case S_IFCHR:
591                 return SECCLASS_CHR_FILE;
592         case S_IFIFO:
593                 return SECCLASS_FIFO_FILE;
594
595         }
596
597         return SECCLASS_FILE;
598 }
599
600 static inline int default_protocol_stream(int protocol)
601 {
602         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
603 }
604
605 static inline int default_protocol_dgram(int protocol)
606 {
607         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
608 }
609
610 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
611 {
612         switch (family) {
613         case PF_UNIX:
614                 switch (type) {
615                 case SOCK_STREAM:
616                 case SOCK_SEQPACKET:
617                         return SECCLASS_UNIX_STREAM_SOCKET;
618                 case SOCK_DGRAM:
619                         return SECCLASS_UNIX_DGRAM_SOCKET;
620                 }
621                 break;
622         case PF_INET:
623         case PF_INET6:
624                 switch (type) {
625                 case SOCK_STREAM:
626                         if (default_protocol_stream(protocol))
627                                 return SECCLASS_TCP_SOCKET;
628                         else
629                                 return SECCLASS_RAWIP_SOCKET;
630                 case SOCK_DGRAM:
631                         if (default_protocol_dgram(protocol))
632                                 return SECCLASS_UDP_SOCKET;
633                         else
634                                 return SECCLASS_RAWIP_SOCKET;
635                 default:
636                         return SECCLASS_RAWIP_SOCKET;
637                 }
638                 break;
639         case PF_NETLINK:
640                 switch (protocol) {
641                 case NETLINK_ROUTE:
642                         return SECCLASS_NETLINK_ROUTE_SOCKET;
643                 case NETLINK_FIREWALL:
644                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
645                 case NETLINK_INET_DIAG:
646                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
647                 case NETLINK_NFLOG:
648                         return SECCLASS_NETLINK_NFLOG_SOCKET;
649                 case NETLINK_XFRM:
650                         return SECCLASS_NETLINK_XFRM_SOCKET;
651                 case NETLINK_SELINUX:
652                         return SECCLASS_NETLINK_SELINUX_SOCKET;
653                 case NETLINK_AUDIT:
654                         return SECCLASS_NETLINK_AUDIT_SOCKET;
655                 case NETLINK_IP6_FW:
656                         return SECCLASS_NETLINK_IP6FW_SOCKET;
657                 case NETLINK_DNRTMSG:
658                         return SECCLASS_NETLINK_DNRT_SOCKET;
659                 case NETLINK_KOBJECT_UEVENT:
660                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
661                 default:
662                         return SECCLASS_NETLINK_SOCKET;
663                 }
664         case PF_PACKET:
665                 return SECCLASS_PACKET_SOCKET;
666         case PF_KEY:
667                 return SECCLASS_KEY_SOCKET;
668         }
669
670         return SECCLASS_SOCKET;
671 }
672
673 #ifdef CONFIG_PROC_FS
674 static int selinux_proc_get_sid(struct proc_dir_entry *de,
675                                 u16 tclass,
676                                 u32 *sid)
677 {
678         int buflen, rc;
679         char *buffer, *path, *end;
680
681         buffer = (char*)__get_free_page(GFP_KERNEL);
682         if (!buffer)
683                 return -ENOMEM;
684
685         buflen = PAGE_SIZE;
686         end = buffer+buflen;
687         *--end = '\0';
688         buflen--;
689         path = end-1;
690         *path = '/';
691         while (de && de != de->parent) {
692                 buflen -= de->namelen + 1;
693                 if (buflen < 0)
694                         break;
695                 end -= de->namelen;
696                 memcpy(end, de->name, de->namelen);
697                 *--end = '/';
698                 path = end;
699                 de = de->parent;
700         }
701         rc = security_genfs_sid("proc", path, tclass, sid);
702         free_page((unsigned long)buffer);
703         return rc;
704 }
705 #else
706 static int selinux_proc_get_sid(struct proc_dir_entry *de,
707                                 u16 tclass,
708                                 u32 *sid)
709 {
710         return -EINVAL;
711 }
712 #endif
713
714 /* The inode's security attributes must be initialized before first use. */
715 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
716 {
717         struct superblock_security_struct *sbsec = NULL;
718         struct inode_security_struct *isec = inode->i_security;
719         u32 sid;
720         struct dentry *dentry;
721 #define INITCONTEXTLEN 255
722         char *context = NULL;
723         unsigned len = 0;
724         int rc = 0;
725         int hold_sem = 0;
726
727         if (isec->initialized)
728                 goto out;
729
730         down(&isec->sem);
731         hold_sem = 1;
732         if (isec->initialized)
733                 goto out;
734
735         sbsec = inode->i_sb->s_security;
736         if (!sbsec->initialized) {
737                 /* Defer initialization until selinux_complete_init,
738                    after the initial policy is loaded and the security
739                    server is ready to handle calls. */
740                 spin_lock(&sbsec->isec_lock);
741                 if (list_empty(&isec->list))
742                         list_add(&isec->list, &sbsec->isec_head);
743                 spin_unlock(&sbsec->isec_lock);
744                 goto out;
745         }
746
747         switch (sbsec->behavior) {
748         case SECURITY_FS_USE_XATTR:
749                 if (!inode->i_op->getxattr) {
750                         isec->sid = sbsec->def_sid;
751                         break;
752                 }
753
754                 /* Need a dentry, since the xattr API requires one.
755                    Life would be simpler if we could just pass the inode. */
756                 if (opt_dentry) {
757                         /* Called from d_instantiate or d_splice_alias. */
758                         dentry = dget(opt_dentry);
759                 } else {
760                         /* Called from selinux_complete_init, try to find a dentry. */
761                         dentry = d_find_alias(inode);
762                 }
763                 if (!dentry) {
764                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
765                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
766                                inode->i_ino);
767                         goto out;
768                 }
769
770                 len = INITCONTEXTLEN;
771                 context = kmalloc(len, GFP_KERNEL);
772                 if (!context) {
773                         rc = -ENOMEM;
774                         dput(dentry);
775                         goto out;
776                 }
777                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
778                                            context, len);
779                 if (rc == -ERANGE) {
780                         /* Need a larger buffer.  Query for the right size. */
781                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
782                                                    NULL, 0);
783                         if (rc < 0) {
784                                 dput(dentry);
785                                 goto out;
786                         }
787                         kfree(context);
788                         len = rc;
789                         context = kmalloc(len, GFP_KERNEL);
790                         if (!context) {
791                                 rc = -ENOMEM;
792                                 dput(dentry);
793                                 goto out;
794                         }
795                         rc = inode->i_op->getxattr(dentry,
796                                                    XATTR_NAME_SELINUX,
797                                                    context, len);
798                 }
799                 dput(dentry);
800                 if (rc < 0) {
801                         if (rc != -ENODATA) {
802                                 printk(KERN_WARNING "%s:  getxattr returned "
803                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
804                                        -rc, inode->i_sb->s_id, inode->i_ino);
805                                 kfree(context);
806                                 goto out;
807                         }
808                         /* Map ENODATA to the default file SID */
809                         sid = sbsec->def_sid;
810                         rc = 0;
811                 } else {
812                         rc = security_context_to_sid_default(context, rc, &sid,
813                                                              sbsec->def_sid);
814                         if (rc) {
815                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
816                                        "returned %d for dev=%s ino=%ld\n",
817                                        __FUNCTION__, context, -rc,
818                                        inode->i_sb->s_id, inode->i_ino);
819                                 kfree(context);
820                                 /* Leave with the unlabeled SID */
821                                 rc = 0;
822                                 break;
823                         }
824                 }
825                 kfree(context);
826                 isec->sid = sid;
827                 break;
828         case SECURITY_FS_USE_TASK:
829                 isec->sid = isec->task_sid;
830                 break;
831         case SECURITY_FS_USE_TRANS:
832                 /* Default to the fs SID. */
833                 isec->sid = sbsec->sid;
834
835                 /* Try to obtain a transition SID. */
836                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
837                 rc = security_transition_sid(isec->task_sid,
838                                              sbsec->sid,
839                                              isec->sclass,
840                                              &sid);
841                 if (rc)
842                         goto out;
843                 isec->sid = sid;
844                 break;
845         default:
846                 /* Default to the fs SID. */
847                 isec->sid = sbsec->sid;
848
849                 if (sbsec->proc) {
850                         struct proc_inode *proci = PROC_I(inode);
851                         if (proci->pde) {
852                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
853                                 rc = selinux_proc_get_sid(proci->pde,
854                                                           isec->sclass,
855                                                           &sid);
856                                 if (rc)
857                                         goto out;
858                                 isec->sid = sid;
859                         }
860                 }
861                 break;
862         }
863
864         isec->initialized = 1;
865
866 out:
867         if (isec->sclass == SECCLASS_FILE)
868                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
869
870         if (hold_sem)
871                 up(&isec->sem);
872         return rc;
873 }
874
875 /* Convert a Linux signal to an access vector. */
876 static inline u32 signal_to_av(int sig)
877 {
878         u32 perm = 0;
879
880         switch (sig) {
881         case SIGCHLD:
882                 /* Commonly granted from child to parent. */
883                 perm = PROCESS__SIGCHLD;
884                 break;
885         case SIGKILL:
886                 /* Cannot be caught or ignored */
887                 perm = PROCESS__SIGKILL;
888                 break;
889         case SIGSTOP:
890                 /* Cannot be caught or ignored */
891                 perm = PROCESS__SIGSTOP;
892                 break;
893         default:
894                 /* All other signals. */
895                 perm = PROCESS__SIGNAL;
896                 break;
897         }
898
899         return perm;
900 }
901
902 /* Check permission betweeen a pair of tasks, e.g. signal checks,
903    fork check, ptrace check, etc. */
904 static int task_has_perm(struct task_struct *tsk1,
905                          struct task_struct *tsk2,
906                          u32 perms)
907 {
908         struct task_security_struct *tsec1, *tsec2;
909
910         tsec1 = tsk1->security;
911         tsec2 = tsk2->security;
912         return avc_has_perm(tsec1->sid, tsec2->sid,
913                             SECCLASS_PROCESS, perms, NULL);
914 }
915
916 /* Check whether a task is allowed to use a capability. */
917 static int task_has_capability(struct task_struct *tsk,
918                                int cap)
919 {
920         struct task_security_struct *tsec;
921         struct avc_audit_data ad;
922
923         tsec = tsk->security;
924
925         AVC_AUDIT_DATA_INIT(&ad,CAP);
926         ad.tsk = tsk;
927         ad.u.cap = cap;
928
929         return avc_has_perm(tsec->sid, tsec->sid,
930                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
931 }
932
933 /* Check whether a task is allowed to use a system operation. */
934 static int task_has_system(struct task_struct *tsk,
935                            u32 perms)
936 {
937         struct task_security_struct *tsec;
938
939         tsec = tsk->security;
940
941         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
942                             SECCLASS_SYSTEM, perms, NULL);
943 }
944
945 /* Check whether a task has a particular permission to an inode.
946    The 'adp' parameter is optional and allows other audit
947    data to be passed (e.g. the dentry). */
948 static int inode_has_perm(struct task_struct *tsk,
949                           struct inode *inode,
950                           u32 perms,
951                           struct avc_audit_data *adp)
952 {
953         struct task_security_struct *tsec;
954         struct inode_security_struct *isec;
955         struct avc_audit_data ad;
956
957         tsec = tsk->security;
958         isec = inode->i_security;
959
960         if (!adp) {
961                 adp = &ad;
962                 AVC_AUDIT_DATA_INIT(&ad, FS);
963                 ad.u.fs.inode = inode;
964         }
965
966         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
967 }
968
969 /* Same as inode_has_perm, but pass explicit audit data containing
970    the dentry to help the auditing code to more easily generate the
971    pathname if needed. */
972 static inline int dentry_has_perm(struct task_struct *tsk,
973                                   struct vfsmount *mnt,
974                                   struct dentry *dentry,
975                                   u32 av)
976 {
977         struct inode *inode = dentry->d_inode;
978         struct avc_audit_data ad;
979         AVC_AUDIT_DATA_INIT(&ad,FS);
980         ad.u.fs.mnt = mnt;
981         ad.u.fs.dentry = dentry;
982         return inode_has_perm(tsk, inode, av, &ad);
983 }
984
985 /* Check whether a task can use an open file descriptor to
986    access an inode in a given way.  Check access to the
987    descriptor itself, and then use dentry_has_perm to
988    check a particular permission to the file.
989    Access to the descriptor is implicitly granted if it
990    has the same SID as the process.  If av is zero, then
991    access to the file is not checked, e.g. for cases
992    where only the descriptor is affected like seek. */
993 static int file_has_perm(struct task_struct *tsk,
994                                 struct file *file,
995                                 u32 av)
996 {
997         struct task_security_struct *tsec = tsk->security;
998         struct file_security_struct *fsec = file->f_security;
999         struct vfsmount *mnt = file->f_vfsmnt;
1000         struct dentry *dentry = file->f_dentry;
1001         struct inode *inode = dentry->d_inode;
1002         struct avc_audit_data ad;
1003         int rc;
1004
1005         AVC_AUDIT_DATA_INIT(&ad, FS);
1006         ad.u.fs.mnt = mnt;
1007         ad.u.fs.dentry = dentry;
1008
1009         if (tsec->sid != fsec->sid) {
1010                 rc = avc_has_perm(tsec->sid, fsec->sid,
1011                                   SECCLASS_FD,
1012                                   FD__USE,
1013                                   &ad);
1014                 if (rc)
1015                         return rc;
1016         }
1017
1018         /* av is zero if only checking access to the descriptor. */
1019         if (av)
1020                 return inode_has_perm(tsk, inode, av, &ad);
1021
1022         return 0;
1023 }
1024
1025 /* Check whether a task can create a file. */
1026 static int may_create(struct inode *dir,
1027                       struct dentry *dentry,
1028                       u16 tclass)
1029 {
1030         struct task_security_struct *tsec;
1031         struct inode_security_struct *dsec;
1032         struct superblock_security_struct *sbsec;
1033         u32 newsid;
1034         struct avc_audit_data ad;
1035         int rc;
1036
1037         tsec = current->security;
1038         dsec = dir->i_security;
1039         sbsec = dir->i_sb->s_security;
1040
1041         AVC_AUDIT_DATA_INIT(&ad, FS);
1042         ad.u.fs.dentry = dentry;
1043
1044         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1045                           DIR__ADD_NAME | DIR__SEARCH,
1046                           &ad);
1047         if (rc)
1048                 return rc;
1049
1050         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1051                 newsid = tsec->create_sid;
1052         } else {
1053                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1054                                              &newsid);
1055                 if (rc)
1056                         return rc;
1057         }
1058
1059         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1060         if (rc)
1061                 return rc;
1062
1063         return avc_has_perm(newsid, sbsec->sid,
1064                             SECCLASS_FILESYSTEM,
1065                             FILESYSTEM__ASSOCIATE, &ad);
1066 }
1067
1068 #define MAY_LINK   0
1069 #define MAY_UNLINK 1
1070 #define MAY_RMDIR  2
1071
1072 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1073 static int may_link(struct inode *dir,
1074                     struct dentry *dentry,
1075                     int kind)
1076
1077 {
1078         struct task_security_struct *tsec;
1079         struct inode_security_struct *dsec, *isec;
1080         struct avc_audit_data ad;
1081         u32 av;
1082         int rc;
1083
1084         tsec = current->security;
1085         dsec = dir->i_security;
1086         isec = dentry->d_inode->i_security;
1087
1088         AVC_AUDIT_DATA_INIT(&ad, FS);
1089         ad.u.fs.dentry = dentry;
1090
1091         av = DIR__SEARCH;
1092         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1093         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1094         if (rc)
1095                 return rc;
1096
1097         switch (kind) {
1098         case MAY_LINK:
1099                 av = FILE__LINK;
1100                 break;
1101         case MAY_UNLINK:
1102                 av = FILE__UNLINK;
1103                 break;
1104         case MAY_RMDIR:
1105                 av = DIR__RMDIR;
1106                 break;
1107         default:
1108                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1109                 return 0;
1110         }
1111
1112         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1113         return rc;
1114 }
1115
1116 static inline int may_rename(struct inode *old_dir,
1117                              struct dentry *old_dentry,
1118                              struct inode *new_dir,
1119                              struct dentry *new_dentry)
1120 {
1121         struct task_security_struct *tsec;
1122         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1123         struct avc_audit_data ad;
1124         u32 av;
1125         int old_is_dir, new_is_dir;
1126         int rc;
1127
1128         tsec = current->security;
1129         old_dsec = old_dir->i_security;
1130         old_isec = old_dentry->d_inode->i_security;
1131         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1132         new_dsec = new_dir->i_security;
1133
1134         AVC_AUDIT_DATA_INIT(&ad, FS);
1135
1136         ad.u.fs.dentry = old_dentry;
1137         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1138                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1139         if (rc)
1140                 return rc;
1141         rc = avc_has_perm(tsec->sid, old_isec->sid,
1142                           old_isec->sclass, FILE__RENAME, &ad);
1143         if (rc)
1144                 return rc;
1145         if (old_is_dir && new_dir != old_dir) {
1146                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1147                                   old_isec->sclass, DIR__REPARENT, &ad);
1148                 if (rc)
1149                         return rc;
1150         }
1151
1152         ad.u.fs.dentry = new_dentry;
1153         av = DIR__ADD_NAME | DIR__SEARCH;
1154         if (new_dentry->d_inode)
1155                 av |= DIR__REMOVE_NAME;
1156         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1157         if (rc)
1158                 return rc;
1159         if (new_dentry->d_inode) {
1160                 new_isec = new_dentry->d_inode->i_security;
1161                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1162                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1163                                   new_isec->sclass,
1164                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1165                 if (rc)
1166                         return rc;
1167         }
1168
1169         return 0;
1170 }
1171
1172 /* Check whether a task can perform a filesystem operation. */
1173 static int superblock_has_perm(struct task_struct *tsk,
1174                                struct super_block *sb,
1175                                u32 perms,
1176                                struct avc_audit_data *ad)
1177 {
1178         struct task_security_struct *tsec;
1179         struct superblock_security_struct *sbsec;
1180
1181         tsec = tsk->security;
1182         sbsec = sb->s_security;
1183         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1184                             perms, ad);
1185 }
1186
1187 /* Convert a Linux mode and permission mask to an access vector. */
1188 static inline u32 file_mask_to_av(int mode, int mask)
1189 {
1190         u32 av = 0;
1191
1192         if ((mode & S_IFMT) != S_IFDIR) {
1193                 if (mask & MAY_EXEC)
1194                         av |= FILE__EXECUTE;
1195                 if (mask & MAY_READ)
1196                         av |= FILE__READ;
1197
1198                 if (mask & MAY_APPEND)
1199                         av |= FILE__APPEND;
1200                 else if (mask & MAY_WRITE)
1201                         av |= FILE__WRITE;
1202
1203         } else {
1204                 if (mask & MAY_EXEC)
1205                         av |= DIR__SEARCH;
1206                 if (mask & MAY_WRITE)
1207                         av |= DIR__WRITE;
1208                 if (mask & MAY_READ)
1209                         av |= DIR__READ;
1210         }
1211
1212         return av;
1213 }
1214
1215 /* Convert a Linux file to an access vector. */
1216 static inline u32 file_to_av(struct file *file)
1217 {
1218         u32 av = 0;
1219
1220         if (file->f_mode & FMODE_READ)
1221                 av |= FILE__READ;
1222         if (file->f_mode & FMODE_WRITE) {
1223                 if (file->f_flags & O_APPEND)
1224                         av |= FILE__APPEND;
1225                 else
1226                         av |= FILE__WRITE;
1227         }
1228
1229         return av;
1230 }
1231
1232 /* Set an inode's SID to a specified value. */
1233 static int inode_security_set_sid(struct inode *inode, u32 sid)
1234 {
1235         struct inode_security_struct *isec = inode->i_security;
1236         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1237
1238         if (!sbsec->initialized) {
1239                 /* Defer initialization to selinux_complete_init. */
1240                 return 0;
1241         }
1242
1243         down(&isec->sem);
1244         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245         isec->sid = sid;
1246         isec->initialized = 1;
1247         up(&isec->sem);
1248         return 0;
1249 }
1250
1251 /* Hook functions begin here. */
1252
1253 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1254 {
1255         struct task_security_struct *psec = parent->security;
1256         struct task_security_struct *csec = child->security;
1257         int rc;
1258
1259         rc = secondary_ops->ptrace(parent,child);
1260         if (rc)
1261                 return rc;
1262
1263         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1264         /* Save the SID of the tracing process for later use in apply_creds. */
1265         if (!(child->ptrace & PT_PTRACED) && !rc)
1266                 csec->ptrace_sid = psec->sid;
1267         return rc;
1268 }
1269
1270 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1271                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1272 {
1273         int error;
1274
1275         error = task_has_perm(current, target, PROCESS__GETCAP);
1276         if (error)
1277                 return error;
1278
1279         return secondary_ops->capget(target, effective, inheritable, permitted);
1280 }
1281
1282 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1283                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1284 {
1285         int error;
1286
1287         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1288         if (error)
1289                 return error;
1290
1291         return task_has_perm(current, target, PROCESS__SETCAP);
1292 }
1293
1294 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1295                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1296 {
1297         secondary_ops->capset_set(target, effective, inheritable, permitted);
1298 }
1299
1300 static int selinux_capable(struct task_struct *tsk, int cap)
1301 {
1302         int rc;
1303
1304         rc = secondary_ops->capable(tsk, cap);
1305         if (rc)
1306                 return rc;
1307
1308         return task_has_capability(tsk,cap);
1309 }
1310
1311 static int selinux_sysctl(ctl_table *table, int op)
1312 {
1313         int error = 0;
1314         u32 av;
1315         struct task_security_struct *tsec;
1316         u32 tsid;
1317         int rc;
1318
1319         rc = secondary_ops->sysctl(table, op);
1320         if (rc)
1321                 return rc;
1322
1323         tsec = current->security;
1324
1325         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1326                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1327         if (rc) {
1328                 /* Default to the well-defined sysctl SID. */
1329                 tsid = SECINITSID_SYSCTL;
1330         }
1331
1332         /* The op values are "defined" in sysctl.c, thereby creating
1333          * a bad coupling between this module and sysctl.c */
1334         if(op == 001) {
1335                 error = avc_has_perm(tsec->sid, tsid,
1336                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1337         } else {
1338                 av = 0;
1339                 if (op & 004)
1340                         av |= FILE__READ;
1341                 if (op & 002)
1342                         av |= FILE__WRITE;
1343                 if (av)
1344                         error = avc_has_perm(tsec->sid, tsid,
1345                                              SECCLASS_FILE, av, NULL);
1346         }
1347
1348         return error;
1349 }
1350
1351 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1352 {
1353         int rc = 0;
1354
1355         if (!sb)
1356                 return 0;
1357
1358         switch (cmds) {
1359                 case Q_SYNC:
1360                 case Q_QUOTAON:
1361                 case Q_QUOTAOFF:
1362                 case Q_SETINFO:
1363                 case Q_SETQUOTA:
1364                         rc = superblock_has_perm(current,
1365                                                  sb,
1366                                                  FILESYSTEM__QUOTAMOD, NULL);
1367                         break;
1368                 case Q_GETFMT:
1369                 case Q_GETINFO:
1370                 case Q_GETQUOTA:
1371                         rc = superblock_has_perm(current,
1372                                                  sb,
1373                                                  FILESYSTEM__QUOTAGET, NULL);
1374                         break;
1375                 default:
1376                         rc = 0;  /* let the kernel handle invalid cmds */
1377                         break;
1378         }
1379         return rc;
1380 }
1381
1382 static int selinux_quota_on(struct dentry *dentry)
1383 {
1384         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1385 }
1386
1387 static int selinux_syslog(int type)
1388 {
1389         int rc;
1390
1391         rc = secondary_ops->syslog(type);
1392         if (rc)
1393                 return rc;
1394
1395         switch (type) {
1396                 case 3:         /* Read last kernel messages */
1397                 case 10:        /* Return size of the log buffer */
1398                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1399                         break;
1400                 case 6:         /* Disable logging to console */
1401                 case 7:         /* Enable logging to console */
1402                 case 8:         /* Set level of messages printed to console */
1403                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1404                         break;
1405                 case 0:         /* Close log */
1406                 case 1:         /* Open log */
1407                 case 2:         /* Read from log */
1408                 case 4:         /* Read/clear last kernel messages */
1409                 case 5:         /* Clear ring buffer */
1410                 default:
1411                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1412                         break;
1413         }
1414         return rc;
1415 }
1416
1417 /*
1418  * Check that a process has enough memory to allocate a new virtual
1419  * mapping. 0 means there is enough memory for the allocation to
1420  * succeed and -ENOMEM implies there is not.
1421  *
1422  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1423  * if the capability is granted, but __vm_enough_memory requires 1 if
1424  * the capability is granted.
1425  *
1426  * Do not audit the selinux permission check, as this is applied to all
1427  * processes that allocate mappings.
1428  */
1429 static int selinux_vm_enough_memory(long pages)
1430 {
1431         int rc, cap_sys_admin = 0;
1432         struct task_security_struct *tsec = current->security;
1433
1434         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1435         if (rc == 0)
1436                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1437                                         SECCLASS_CAPABILITY,
1438                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1439                                         NULL);
1440
1441         if (rc == 0)
1442                 cap_sys_admin = 1;
1443
1444         return __vm_enough_memory(pages, cap_sys_admin);
1445 }
1446
1447 /* binprm security operations */
1448
1449 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1450 {
1451         struct bprm_security_struct *bsec;
1452
1453         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1454         if (!bsec)
1455                 return -ENOMEM;
1456
1457         bsec->bprm = bprm;
1458         bsec->sid = SECINITSID_UNLABELED;
1459         bsec->set = 0;
1460
1461         bprm->security = bsec;
1462         return 0;
1463 }
1464
1465 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1466 {
1467         struct task_security_struct *tsec;
1468         struct inode *inode = bprm->file->f_dentry->d_inode;
1469         struct inode_security_struct *isec;
1470         struct bprm_security_struct *bsec;
1471         u32 newsid;
1472         struct avc_audit_data ad;
1473         int rc;
1474
1475         rc = secondary_ops->bprm_set_security(bprm);
1476         if (rc)
1477                 return rc;
1478
1479         bsec = bprm->security;
1480
1481         if (bsec->set)
1482                 return 0;
1483
1484         tsec = current->security;
1485         isec = inode->i_security;
1486
1487         /* Default to the current task SID. */
1488         bsec->sid = tsec->sid;
1489
1490         /* Reset create SID on execve. */
1491         tsec->create_sid = 0;
1492
1493         if (tsec->exec_sid) {
1494                 newsid = tsec->exec_sid;
1495                 /* Reset exec SID on execve. */
1496                 tsec->exec_sid = 0;
1497         } else {
1498                 /* Check for a default transition on this program. */
1499                 rc = security_transition_sid(tsec->sid, isec->sid,
1500                                              SECCLASS_PROCESS, &newsid);
1501                 if (rc)
1502                         return rc;
1503         }
1504
1505         AVC_AUDIT_DATA_INIT(&ad, FS);
1506         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1507         ad.u.fs.dentry = bprm->file->f_dentry;
1508
1509         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1510                 newsid = tsec->sid;
1511
1512         if (tsec->sid == newsid) {
1513                 rc = avc_has_perm(tsec->sid, isec->sid,
1514                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1515                 if (rc)
1516                         return rc;
1517         } else {
1518                 /* Check permissions for the transition. */
1519                 rc = avc_has_perm(tsec->sid, newsid,
1520                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1521                 if (rc)
1522                         return rc;
1523
1524                 rc = avc_has_perm(newsid, isec->sid,
1525                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1526                 if (rc)
1527                         return rc;
1528
1529                 /* Clear any possibly unsafe personality bits on exec: */
1530                 current->personality &= ~PER_CLEAR_ON_SETID;
1531
1532                 /* Set the security field to the new SID. */
1533                 bsec->sid = newsid;
1534         }
1535
1536         bsec->set = 1;
1537         return 0;
1538 }
1539
1540 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1541 {
1542         return secondary_ops->bprm_check_security(bprm);
1543 }
1544
1545
1546 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1547 {
1548         struct task_security_struct *tsec = current->security;
1549         int atsecure = 0;
1550
1551         if (tsec->osid != tsec->sid) {
1552                 /* Enable secure mode for SIDs transitions unless
1553                    the noatsecure permission is granted between
1554                    the two SIDs, i.e. ahp returns 0. */
1555                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1556                                          SECCLASS_PROCESS,
1557                                          PROCESS__NOATSECURE, NULL);
1558         }
1559
1560         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1561 }
1562
1563 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1564 {
1565         kfree(bprm->security);
1566         bprm->security = NULL;
1567 }
1568
1569 extern struct vfsmount *selinuxfs_mount;
1570 extern struct dentry *selinux_null;
1571
1572 /* Derived from fs/exec.c:flush_old_files. */
1573 static inline void flush_unauthorized_files(struct files_struct * files)
1574 {
1575         struct avc_audit_data ad;
1576         struct file *file, *devnull = NULL;
1577         struct tty_struct *tty = current->signal->tty;
1578         struct fdtable *fdt;
1579         long j = -1;
1580
1581         if (tty) {
1582                 file_list_lock();
1583                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1584                 if (file) {
1585                         /* Revalidate access to controlling tty.
1586                            Use inode_has_perm on the tty inode directly rather
1587                            than using file_has_perm, as this particular open
1588                            file may belong to another process and we are only
1589                            interested in the inode-based check here. */
1590                         struct inode *inode = file->f_dentry->d_inode;
1591                         if (inode_has_perm(current, inode,
1592                                            FILE__READ | FILE__WRITE, NULL)) {
1593                                 /* Reset controlling tty. */
1594                                 current->signal->tty = NULL;
1595                                 current->signal->tty_old_pgrp = 0;
1596                         }
1597                 }
1598                 file_list_unlock();
1599         }
1600
1601         /* Revalidate access to inherited open files. */
1602
1603         AVC_AUDIT_DATA_INIT(&ad,FS);
1604
1605         spin_lock(&files->file_lock);
1606         for (;;) {
1607                 unsigned long set, i;
1608                 int fd;
1609
1610                 j++;
1611                 i = j * __NFDBITS;
1612                 fdt = files_fdtable(files);
1613                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1614                         break;
1615                 set = fdt->open_fds->fds_bits[j];
1616                 if (!set)
1617                         continue;
1618                 spin_unlock(&files->file_lock);
1619                 for ( ; set ; i++,set >>= 1) {
1620                         if (set & 1) {
1621                                 file = fget(i);
1622                                 if (!file)
1623                                         continue;
1624                                 if (file_has_perm(current,
1625                                                   file,
1626                                                   file_to_av(file))) {
1627                                         sys_close(i);
1628                                         fd = get_unused_fd();
1629                                         if (fd != i) {
1630                                                 if (fd >= 0)
1631                                                         put_unused_fd(fd);
1632                                                 fput(file);
1633                                                 continue;
1634                                         }
1635                                         if (devnull) {
1636                                                 get_file(devnull);
1637                                         } else {
1638                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1639                                                 if (!devnull) {
1640                                                         put_unused_fd(fd);
1641                                                         fput(file);
1642                                                         continue;
1643                                                 }
1644                                         }
1645                                         fd_install(fd, devnull);
1646                                 }
1647                                 fput(file);
1648                         }
1649                 }
1650                 spin_lock(&files->file_lock);
1651
1652         }
1653         spin_unlock(&files->file_lock);
1654 }
1655
1656 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1657 {
1658         struct task_security_struct *tsec;
1659         struct bprm_security_struct *bsec;
1660         u32 sid;
1661         int rc;
1662
1663         secondary_ops->bprm_apply_creds(bprm, unsafe);
1664
1665         tsec = current->security;
1666
1667         bsec = bprm->security;
1668         sid = bsec->sid;
1669
1670         tsec->osid = tsec->sid;
1671         bsec->unsafe = 0;
1672         if (tsec->sid != sid) {
1673                 /* Check for shared state.  If not ok, leave SID
1674                    unchanged and kill. */
1675                 if (unsafe & LSM_UNSAFE_SHARE) {
1676                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1677                                         PROCESS__SHARE, NULL);
1678                         if (rc) {
1679                                 bsec->unsafe = 1;
1680                                 return;
1681                         }
1682                 }
1683
1684                 /* Check for ptracing, and update the task SID if ok.
1685                    Otherwise, leave SID unchanged and kill. */
1686                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1687                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1688                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1689                                           NULL);
1690                         if (rc) {
1691                                 bsec->unsafe = 1;
1692                                 return;
1693                         }
1694                 }
1695                 tsec->sid = sid;
1696         }
1697 }
1698
1699 /*
1700  * called after apply_creds without the task lock held
1701  */
1702 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1703 {
1704         struct task_security_struct *tsec;
1705         struct rlimit *rlim, *initrlim;
1706         struct itimerval itimer;
1707         struct bprm_security_struct *bsec;
1708         int rc, i;
1709
1710         tsec = current->security;
1711         bsec = bprm->security;
1712
1713         if (bsec->unsafe) {
1714                 force_sig_specific(SIGKILL, current);
1715                 return;
1716         }
1717         if (tsec->osid == tsec->sid)
1718                 return;
1719
1720         /* Close files for which the new task SID is not authorized. */
1721         flush_unauthorized_files(current->files);
1722
1723         /* Check whether the new SID can inherit signal state
1724            from the old SID.  If not, clear itimers to avoid
1725            subsequent signal generation and flush and unblock
1726            signals. This must occur _after_ the task SID has
1727           been updated so that any kill done after the flush
1728           will be checked against the new SID. */
1729         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1730                           PROCESS__SIGINH, NULL);
1731         if (rc) {
1732                 memset(&itimer, 0, sizeof itimer);
1733                 for (i = 0; i < 3; i++)
1734                         do_setitimer(i, &itimer, NULL);
1735                 flush_signals(current);
1736                 spin_lock_irq(&current->sighand->siglock);
1737                 flush_signal_handlers(current, 1);
1738                 sigemptyset(&current->blocked);
1739                 recalc_sigpending();
1740                 spin_unlock_irq(&current->sighand->siglock);
1741         }
1742
1743         /* Check whether the new SID can inherit resource limits
1744            from the old SID.  If not, reset all soft limits to
1745            the lower of the current task's hard limit and the init
1746            task's soft limit.  Note that the setting of hard limits
1747            (even to lower them) can be controlled by the setrlimit
1748            check. The inclusion of the init task's soft limit into
1749            the computation is to avoid resetting soft limits higher
1750            than the default soft limit for cases where the default
1751            is lower than the hard limit, e.g. RLIMIT_CORE or
1752            RLIMIT_STACK.*/
1753         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1754                           PROCESS__RLIMITINH, NULL);
1755         if (rc) {
1756                 for (i = 0; i < RLIM_NLIMITS; i++) {
1757                         rlim = current->signal->rlim + i;
1758                         initrlim = init_task.signal->rlim+i;
1759                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1760                 }
1761                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1762                         /*
1763                          * This will cause RLIMIT_CPU calculations
1764                          * to be refigured.
1765                          */
1766                         current->it_prof_expires = jiffies_to_cputime(1);
1767                 }
1768         }
1769
1770         /* Wake up the parent if it is waiting so that it can
1771            recheck wait permission to the new task SID. */
1772         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1773 }
1774
1775 /* superblock security operations */
1776
1777 static int selinux_sb_alloc_security(struct super_block *sb)
1778 {
1779         return superblock_alloc_security(sb);
1780 }
1781
1782 static void selinux_sb_free_security(struct super_block *sb)
1783 {
1784         superblock_free_security(sb);
1785 }
1786
1787 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1788 {
1789         if (plen > olen)
1790                 return 0;
1791
1792         return !memcmp(prefix, option, plen);
1793 }
1794
1795 static inline int selinux_option(char *option, int len)
1796 {
1797         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1798                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1799                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1800 }
1801
1802 static inline void take_option(char **to, char *from, int *first, int len)
1803 {
1804         if (!*first) {
1805                 **to = ',';
1806                 *to += 1;
1807         }
1808         else
1809                 *first = 0;
1810         memcpy(*to, from, len);
1811         *to += len;
1812 }
1813
1814 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1815 {
1816         int fnosec, fsec, rc = 0;
1817         char *in_save, *in_curr, *in_end;
1818         char *sec_curr, *nosec_save, *nosec;
1819
1820         in_curr = orig;
1821         sec_curr = copy;
1822
1823         /* Binary mount data: just copy */
1824         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1825                 copy_page(sec_curr, in_curr);
1826                 goto out;
1827         }
1828
1829         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1830         if (!nosec) {
1831                 rc = -ENOMEM;
1832                 goto out;
1833         }
1834
1835         nosec_save = nosec;
1836         fnosec = fsec = 1;
1837         in_save = in_end = orig;
1838
1839         do {
1840                 if (*in_end == ',' || *in_end == '\0') {
1841                         int len = in_end - in_curr;
1842
1843                         if (selinux_option(in_curr, len))
1844                                 take_option(&sec_curr, in_curr, &fsec, len);
1845                         else
1846                                 take_option(&nosec, in_curr, &fnosec, len);
1847
1848                         in_curr = in_end + 1;
1849                 }
1850         } while (*in_end++);
1851
1852         strcpy(in_save, nosec_save);
1853         free_page((unsigned long)nosec_save);
1854 out:
1855         return rc;
1856 }
1857
1858 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1859 {
1860         struct avc_audit_data ad;
1861         int rc;
1862
1863         rc = superblock_doinit(sb, data);
1864         if (rc)
1865                 return rc;
1866
1867         AVC_AUDIT_DATA_INIT(&ad,FS);
1868         ad.u.fs.dentry = sb->s_root;
1869         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1870 }
1871
1872 static int selinux_sb_statfs(struct super_block *sb)
1873 {
1874         struct avc_audit_data ad;
1875
1876         AVC_AUDIT_DATA_INIT(&ad,FS);
1877         ad.u.fs.dentry = sb->s_root;
1878         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1879 }
1880
1881 static int selinux_mount(char * dev_name,
1882                          struct nameidata *nd,
1883                          char * type,
1884                          unsigned long flags,
1885                          void * data)
1886 {
1887         int rc;
1888
1889         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1890         if (rc)
1891                 return rc;
1892
1893         if (flags & MS_REMOUNT)
1894                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1895                                            FILESYSTEM__REMOUNT, NULL);
1896         else
1897                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1898                                        FILE__MOUNTON);
1899 }
1900
1901 static int selinux_umount(struct vfsmount *mnt, int flags)
1902 {
1903         int rc;
1904
1905         rc = secondary_ops->sb_umount(mnt, flags);
1906         if (rc)
1907                 return rc;
1908
1909         return superblock_has_perm(current,mnt->mnt_sb,
1910                                    FILESYSTEM__UNMOUNT,NULL);
1911 }
1912
1913 /* inode security operations */
1914
1915 static int selinux_inode_alloc_security(struct inode *inode)
1916 {
1917         return inode_alloc_security(inode);
1918 }
1919
1920 static void selinux_inode_free_security(struct inode *inode)
1921 {
1922         inode_free_security(inode);
1923 }
1924
1925 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1926                                        char **name, void **value,
1927                                        size_t *len)
1928 {
1929         struct task_security_struct *tsec;
1930         struct inode_security_struct *dsec;
1931         struct superblock_security_struct *sbsec;
1932         struct inode_security_struct *isec;
1933         u32 newsid, clen;
1934         int rc;
1935         char *namep = NULL, *context;
1936
1937         tsec = current->security;
1938         dsec = dir->i_security;
1939         sbsec = dir->i_sb->s_security;
1940         isec = inode->i_security;
1941
1942         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1943                 newsid = tsec->create_sid;
1944         } else {
1945                 rc = security_transition_sid(tsec->sid, dsec->sid,
1946                                              inode_mode_to_security_class(inode->i_mode),
1947                                              &newsid);
1948                 if (rc) {
1949                         printk(KERN_WARNING "%s:  "
1950                                "security_transition_sid failed, rc=%d (dev=%s "
1951                                "ino=%ld)\n",
1952                                __FUNCTION__,
1953                                -rc, inode->i_sb->s_id, inode->i_ino);
1954                         return rc;
1955                 }
1956         }
1957
1958         inode_security_set_sid(inode, newsid);
1959
1960         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1961                 return -EOPNOTSUPP;
1962
1963         if (name) {
1964                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1965                 if (!namep)
1966                         return -ENOMEM;
1967                 *name = namep;
1968         }
1969
1970         if (value && len) {
1971                 rc = security_sid_to_context(newsid, &context, &clen);
1972                 if (rc) {
1973                         kfree(namep);
1974                         return rc;
1975                 }
1976                 *value = context;
1977                 *len = clen;
1978         }
1979
1980         return 0;
1981 }
1982
1983 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1984 {
1985         return may_create(dir, dentry, SECCLASS_FILE);
1986 }
1987
1988 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1989 {
1990         int rc;
1991
1992         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1993         if (rc)
1994                 return rc;
1995         return may_link(dir, old_dentry, MAY_LINK);
1996 }
1997
1998 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
1999 {
2000         int rc;
2001
2002         rc = secondary_ops->inode_unlink(dir, dentry);
2003         if (rc)
2004                 return rc;
2005         return may_link(dir, dentry, MAY_UNLINK);
2006 }
2007
2008 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2009 {
2010         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2011 }
2012
2013 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2014 {
2015         return may_create(dir, dentry, SECCLASS_DIR);
2016 }
2017
2018 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2019 {
2020         return may_link(dir, dentry, MAY_RMDIR);
2021 }
2022
2023 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2024 {
2025         int rc;
2026
2027         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2028         if (rc)
2029                 return rc;
2030
2031         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2032 }
2033
2034 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2035                                 struct inode *new_inode, struct dentry *new_dentry)
2036 {
2037         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2038 }
2039
2040 static int selinux_inode_readlink(struct dentry *dentry)
2041 {
2042         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2043 }
2044
2045 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2046 {
2047         int rc;
2048
2049         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2050         if (rc)
2051                 return rc;
2052         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2053 }
2054
2055 static int selinux_inode_permission(struct inode *inode, int mask,
2056                                     struct nameidata *nd)
2057 {
2058         int rc;
2059
2060         rc = secondary_ops->inode_permission(inode, mask, nd);
2061         if (rc)
2062                 return rc;
2063
2064         if (!mask) {
2065                 /* No permission to check.  Existence test. */
2066                 return 0;
2067         }
2068
2069         return inode_has_perm(current, inode,
2070                                file_mask_to_av(inode->i_mode, mask), NULL);
2071 }
2072
2073 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2074 {
2075         int rc;
2076
2077         rc = secondary_ops->inode_setattr(dentry, iattr);
2078         if (rc)
2079                 return rc;
2080
2081         if (iattr->ia_valid & ATTR_FORCE)
2082                 return 0;
2083
2084         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2085                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2086                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2087
2088         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2089 }
2090
2091 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2092 {
2093         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2094 }
2095
2096 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2097 {
2098         struct task_security_struct *tsec = current->security;
2099         struct inode *inode = dentry->d_inode;
2100         struct inode_security_struct *isec = inode->i_security;
2101         struct superblock_security_struct *sbsec;
2102         struct avc_audit_data ad;
2103         u32 newsid;
2104         int rc = 0;
2105
2106         if (strcmp(name, XATTR_NAME_SELINUX)) {
2107                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2108                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2109                     !capable(CAP_SYS_ADMIN)) {
2110                         /* A different attribute in the security namespace.
2111                            Restrict to administrator. */
2112                         return -EPERM;
2113                 }
2114
2115                 /* Not an attribute we recognize, so just check the
2116                    ordinary setattr permission. */
2117                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2118         }
2119
2120         sbsec = inode->i_sb->s_security;
2121         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2122                 return -EOPNOTSUPP;
2123
2124         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2125                 return -EPERM;
2126
2127         AVC_AUDIT_DATA_INIT(&ad,FS);
2128         ad.u.fs.dentry = dentry;
2129
2130         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2131                           FILE__RELABELFROM, &ad);
2132         if (rc)
2133                 return rc;
2134
2135         rc = security_context_to_sid(value, size, &newsid);
2136         if (rc)
2137                 return rc;
2138
2139         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2140                           FILE__RELABELTO, &ad);
2141         if (rc)
2142                 return rc;
2143
2144         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2145                                           isec->sclass);
2146         if (rc)
2147                 return rc;
2148
2149         return avc_has_perm(newsid,
2150                             sbsec->sid,
2151                             SECCLASS_FILESYSTEM,
2152                             FILESYSTEM__ASSOCIATE,
2153                             &ad);
2154 }
2155
2156 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2157                                         void *value, size_t size, int flags)
2158 {
2159         struct inode *inode = dentry->d_inode;
2160         struct inode_security_struct *isec = inode->i_security;
2161         u32 newsid;
2162         int rc;
2163
2164         if (strcmp(name, XATTR_NAME_SELINUX)) {
2165                 /* Not an attribute we recognize, so nothing to do. */
2166                 return;
2167         }
2168
2169         rc = security_context_to_sid(value, size, &newsid);
2170         if (rc) {
2171                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2172                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2173                 return;
2174         }
2175
2176         isec->sid = newsid;
2177         return;
2178 }
2179
2180 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2181 {
2182         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2183 }
2184
2185 static int selinux_inode_listxattr (struct dentry *dentry)
2186 {
2187         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2188 }
2189
2190 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2191 {
2192         if (strcmp(name, XATTR_NAME_SELINUX)) {
2193                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2194                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2195                     !capable(CAP_SYS_ADMIN)) {
2196                         /* A different attribute in the security namespace.
2197                            Restrict to administrator. */
2198                         return -EPERM;
2199                 }
2200
2201                 /* Not an attribute we recognize, so just check the
2202                    ordinary setattr permission. Might want a separate
2203                    permission for removexattr. */
2204                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2205         }
2206
2207         /* No one is allowed to remove a SELinux security label.
2208            You can change the label, but all data must be labeled. */
2209         return -EACCES;
2210 }
2211
2212 /*
2213  * Copy the in-core inode security context value to the user.  If the
2214  * getxattr() prior to this succeeded, check to see if we need to
2215  * canonicalize the value to be finally returned to the user.
2216  *
2217  * Permission check is handled by selinux_inode_getxattr hook.
2218  */
2219 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2220 {
2221         struct inode_security_struct *isec = inode->i_security;
2222         char *context;
2223         unsigned len;
2224         int rc;
2225
2226         if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2227                 rc = -EOPNOTSUPP;
2228                 goto out;
2229         }
2230
2231         rc = security_sid_to_context(isec->sid, &context, &len);
2232         if (rc)
2233                 goto out;
2234
2235         /* Probe for required buffer size */
2236         if (!buffer || !size) {
2237                 rc = len;
2238                 goto out_free;
2239         }
2240
2241         if (size < len) {
2242                 rc = -ERANGE;
2243                 goto out_free;
2244         }
2245
2246         if (err > 0) {
2247                 if ((len == err) && !(memcmp(context, buffer, len))) {
2248                         /* Don't need to canonicalize value */
2249                         rc = err;
2250                         goto out_free;
2251                 }
2252                 memset(buffer, 0, size);
2253         }
2254         memcpy(buffer, context, len);
2255         rc = len;
2256 out_free:
2257         kfree(context);
2258 out:
2259         return rc;
2260 }
2261
2262 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2263                                      const void *value, size_t size, int flags)
2264 {
2265         struct inode_security_struct *isec = inode->i_security;
2266         u32 newsid;
2267         int rc;
2268
2269         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2270                 return -EOPNOTSUPP;
2271
2272         if (!value || !size)
2273                 return -EACCES;
2274
2275         rc = security_context_to_sid((void*)value, size, &newsid);
2276         if (rc)
2277                 return rc;
2278
2279         isec->sid = newsid;
2280         return 0;
2281 }
2282
2283 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2284 {
2285         const int len = sizeof(XATTR_NAME_SELINUX);
2286         if (buffer && len <= buffer_size)
2287                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2288         return len;
2289 }
2290
2291 /* file security operations */
2292
2293 static int selinux_file_permission(struct file *file, int mask)
2294 {
2295         struct inode *inode = file->f_dentry->d_inode;
2296
2297         if (!mask) {
2298                 /* No permission to check.  Existence test. */
2299                 return 0;
2300         }
2301
2302         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2303         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2304                 mask |= MAY_APPEND;
2305
2306         return file_has_perm(current, file,
2307                              file_mask_to_av(inode->i_mode, mask));
2308 }
2309
2310 static int selinux_file_alloc_security(struct file *file)
2311 {
2312         return file_alloc_security(file);
2313 }
2314
2315 static void selinux_file_free_security(struct file *file)
2316 {
2317         file_free_security(file);
2318 }
2319
2320 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2321                               unsigned long arg)
2322 {
2323         int error = 0;
2324
2325         switch (cmd) {
2326                 case FIONREAD:
2327                 /* fall through */
2328                 case FIBMAP:
2329                 /* fall through */
2330                 case FIGETBSZ:
2331                 /* fall through */
2332                 case EXT2_IOC_GETFLAGS:
2333                 /* fall through */
2334                 case EXT2_IOC_GETVERSION:
2335                         error = file_has_perm(current, file, FILE__GETATTR);
2336                         break;
2337
2338                 case EXT2_IOC_SETFLAGS:
2339                 /* fall through */
2340                 case EXT2_IOC_SETVERSION:
2341                         error = file_has_perm(current, file, FILE__SETATTR);
2342                         break;
2343
2344                 /* sys_ioctl() checks */
2345                 case FIONBIO:
2346                 /* fall through */
2347                 case FIOASYNC:
2348                         error = file_has_perm(current, file, 0);
2349                         break;
2350
2351                 case KDSKBENT:
2352                 case KDSKBSENT:
2353                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2354                         break;
2355
2356                 /* default case assumes that the command will go
2357                  * to the file's ioctl() function.
2358                  */
2359                 default:
2360                         error = file_has_perm(current, file, FILE__IOCTL);
2361
2362         }
2363         return error;
2364 }
2365
2366 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2367 {
2368 #ifndef CONFIG_PPC32
2369         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2370                 /*
2371                  * We are making executable an anonymous mapping or a
2372                  * private file mapping that will also be writable.
2373                  * This has an additional check.
2374                  */
2375                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2376                 if (rc)
2377                         return rc;
2378         }
2379 #endif
2380
2381         if (file) {
2382                 /* read access is always possible with a mapping */
2383                 u32 av = FILE__READ;
2384
2385                 /* write access only matters if the mapping is shared */
2386                 if (shared && (prot & PROT_WRITE))
2387                         av |= FILE__WRITE;
2388
2389                 if (prot & PROT_EXEC)
2390                         av |= FILE__EXECUTE;
2391
2392                 return file_has_perm(current, file, av);
2393         }
2394         return 0;
2395 }
2396
2397 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2398                              unsigned long prot, unsigned long flags)
2399 {
2400         int rc;
2401
2402         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2403         if (rc)
2404                 return rc;
2405
2406         if (selinux_checkreqprot)
2407                 prot = reqprot;
2408
2409         return file_map_prot_check(file, prot,
2410                                    (flags & MAP_TYPE) == MAP_SHARED);
2411 }
2412
2413 static int selinux_file_mprotect(struct vm_area_struct *vma,
2414                                  unsigned long reqprot,
2415                                  unsigned long prot)
2416 {
2417         int rc;
2418
2419         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2420         if (rc)
2421                 return rc;
2422
2423         if (selinux_checkreqprot)
2424                 prot = reqprot;
2425
2426 #ifndef CONFIG_PPC32
2427         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2428                 rc = 0;
2429                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2430                     vma->vm_end <= vma->vm_mm->brk) {
2431                         rc = task_has_perm(current, current,
2432                                            PROCESS__EXECHEAP);
2433                 } else if (!vma->vm_file &&
2434                            vma->vm_start <= vma->vm_mm->start_stack &&
2435                            vma->vm_end >= vma->vm_mm->start_stack) {
2436                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2437                 } else if (vma->vm_file && vma->anon_vma) {
2438                         /*
2439                          * We are making executable a file mapping that has
2440                          * had some COW done. Since pages might have been
2441                          * written, check ability to execute the possibly
2442                          * modified content.  This typically should only
2443                          * occur for text relocations.
2444                          */
2445                         rc = file_has_perm(current, vma->vm_file,
2446                                            FILE__EXECMOD);
2447                 }
2448                 if (rc)
2449                         return rc;
2450         }
2451 #endif
2452
2453         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2454 }
2455
2456 static int selinux_file_lock(struct file *file, unsigned int cmd)
2457 {
2458         return file_has_perm(current, file, FILE__LOCK);
2459 }
2460
2461 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2462                               unsigned long arg)
2463 {
2464         int err = 0;
2465
2466         switch (cmd) {
2467                 case F_SETFL:
2468                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2469                                 err = -EINVAL;
2470                                 break;
2471                         }
2472
2473                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2474                                 err = file_has_perm(current, file,FILE__WRITE);
2475                                 break;
2476                         }
2477                         /* fall through */
2478                 case F_SETOWN:
2479                 case F_SETSIG:
2480                 case F_GETFL:
2481                 case F_GETOWN:
2482                 case F_GETSIG:
2483                         /* Just check FD__USE permission */
2484                         err = file_has_perm(current, file, 0);
2485                         break;
2486                 case F_GETLK:
2487                 case F_SETLK:
2488                 case F_SETLKW:
2489 #if BITS_PER_LONG == 32
2490                 case F_GETLK64:
2491                 case F_SETLK64:
2492                 case F_SETLKW64:
2493 #endif
2494                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2495                                 err = -EINVAL;
2496                                 break;
2497                         }
2498                         err = file_has_perm(current, file, FILE__LOCK);
2499                         break;
2500         }
2501
2502         return err;
2503 }
2504
2505 static int selinux_file_set_fowner(struct file *file)
2506 {
2507         struct task_security_struct *tsec;
2508         struct file_security_struct *fsec;
2509
2510         tsec = current->security;
2511         fsec = file->f_security;
2512         fsec->fown_sid = tsec->sid;
2513
2514         return 0;
2515 }
2516
2517 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2518                                        struct fown_struct *fown, int signum)
2519 {
2520         struct file *file;
2521         u32 perm;
2522         struct task_security_struct *tsec;
2523         struct file_security_struct *fsec;
2524
2525         /* struct fown_struct is never outside the context of a struct file */
2526         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2527
2528         tsec = tsk->security;
2529         fsec = file->f_security;
2530
2531         if (!signum)
2532                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2533         else
2534                 perm = signal_to_av(signum);
2535
2536         return avc_has_perm(fsec->fown_sid, tsec->sid,
2537                             SECCLASS_PROCESS, perm, NULL);
2538 }
2539
2540 static int selinux_file_receive(struct file *file)
2541 {
2542         return file_has_perm(current, file, file_to_av(file));
2543 }
2544
2545 /* task security operations */
2546
2547 static int selinux_task_create(unsigned long clone_flags)
2548 {
2549         int rc;
2550
2551         rc = secondary_ops->task_create(clone_flags);
2552         if (rc)
2553                 return rc;
2554
2555         return task_has_perm(current, current, PROCESS__FORK);
2556 }
2557
2558 static int selinux_task_alloc_security(struct task_struct *tsk)
2559 {
2560         struct task_security_struct *tsec1, *tsec2;
2561         int rc;
2562
2563         tsec1 = current->security;
2564
2565         rc = task_alloc_security(tsk);
2566         if (rc)
2567                 return rc;
2568         tsec2 = tsk->security;
2569
2570         tsec2->osid = tsec1->osid;
2571         tsec2->sid = tsec1->sid;
2572
2573         /* Retain the exec and create SIDs across fork */
2574         tsec2->exec_sid = tsec1->exec_sid;
2575         tsec2->create_sid = tsec1->create_sid;
2576
2577         /* Retain ptracer SID across fork, if any.
2578            This will be reset by the ptrace hook upon any
2579            subsequent ptrace_attach operations. */
2580         tsec2->ptrace_sid = tsec1->ptrace_sid;
2581
2582         return 0;
2583 }
2584
2585 static void selinux_task_free_security(struct task_struct *tsk)
2586 {
2587         task_free_security(tsk);
2588 }
2589
2590 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2591 {
2592         /* Since setuid only affects the current process, and
2593            since the SELinux controls are not based on the Linux
2594            identity attributes, SELinux does not need to control
2595            this operation.  However, SELinux does control the use
2596            of the CAP_SETUID and CAP_SETGID capabilities using the
2597            capable hook. */
2598         return 0;
2599 }
2600
2601 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2602 {
2603         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2604 }
2605
2606 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2607 {
2608         /* See the comment for setuid above. */
2609         return 0;
2610 }
2611
2612 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2613 {
2614         return task_has_perm(current, p, PROCESS__SETPGID);
2615 }
2616
2617 static int selinux_task_getpgid(struct task_struct *p)
2618 {
2619         return task_has_perm(current, p, PROCESS__GETPGID);
2620 }
2621
2622 static int selinux_task_getsid(struct task_struct *p)
2623 {
2624         return task_has_perm(current, p, PROCESS__GETSESSION);
2625 }
2626
2627 static int selinux_task_setgroups(struct group_info *group_info)
2628 {
2629         /* See the comment for setuid above. */
2630         return 0;
2631 }
2632
2633 static int selinux_task_setnice(struct task_struct *p, int nice)
2634 {
2635         int rc;
2636
2637         rc = secondary_ops->task_setnice(p, nice);
2638         if (rc)
2639                 return rc;
2640
2641         return task_has_perm(current,p, PROCESS__SETSCHED);
2642 }
2643
2644 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2645 {
2646         struct rlimit *old_rlim = current->signal->rlim + resource;
2647         int rc;
2648
2649         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2650         if (rc)
2651                 return rc;
2652
2653         /* Control the ability to change the hard limit (whether
2654            lowering or raising it), so that the hard limit can
2655            later be used as a safe reset point for the soft limit
2656            upon context transitions. See selinux_bprm_apply_creds. */
2657         if (old_rlim->rlim_max != new_rlim->rlim_max)
2658                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2659
2660         return 0;
2661 }
2662
2663 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2664 {
2665         return task_has_perm(current, p, PROCESS__SETSCHED);
2666 }
2667
2668 static int selinux_task_getscheduler(struct task_struct *p)
2669 {
2670         return task_has_perm(current, p, PROCESS__GETSCHED);
2671 }
2672
2673 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2674 {
2675         u32 perm;
2676         int rc;
2677
2678         rc = secondary_ops->task_kill(p, info, sig);
2679         if (rc)
2680                 return rc;
2681
2682         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2683                 return 0;
2684
2685         if (!sig)
2686                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2687         else
2688                 perm = signal_to_av(sig);
2689
2690         return task_has_perm(current, p, perm);
2691 }
2692
2693 static int selinux_task_prctl(int option,
2694                               unsigned long arg2,
2695                               unsigned long arg3,
2696                               unsigned long arg4,
2697                               unsigned long arg5)
2698 {
2699         /* The current prctl operations do not appear to require
2700            any SELinux controls since they merely observe or modify
2701            the state of the current process. */
2702         return 0;
2703 }
2704
2705 static int selinux_task_wait(struct task_struct *p)
2706 {
2707         u32 perm;
2708
2709         perm = signal_to_av(p->exit_signal);
2710
2711         return task_has_perm(p, current, perm);
2712 }
2713
2714 static void selinux_task_reparent_to_init(struct task_struct *p)
2715 {
2716         struct task_security_struct *tsec;
2717
2718         secondary_ops->task_reparent_to_init(p);
2719
2720         tsec = p->security;
2721         tsec->osid = tsec->sid;
2722         tsec->sid = SECINITSID_KERNEL;
2723         return;
2724 }
2725
2726 static void selinux_task_to_inode(struct task_struct *p,
2727                                   struct inode *inode)
2728 {
2729         struct task_security_struct *tsec = p->security;
2730         struct inode_security_struct *isec = inode->i_security;
2731
2732         isec->sid = tsec->sid;
2733         isec->initialized = 1;
2734         return;
2735 }
2736
2737 /* Returns error only if unable to parse addresses */
2738 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2739 {
2740         int offset, ihlen, ret = -EINVAL;
2741         struct iphdr _iph, *ih;
2742
2743         offset = skb->nh.raw - skb->data;
2744         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2745         if (ih == NULL)
2746                 goto out;
2747
2748         ihlen = ih->ihl * 4;
2749         if (ihlen < sizeof(_iph))
2750                 goto out;
2751
2752         ad->u.net.v4info.saddr = ih->saddr;
2753         ad->u.net.v4info.daddr = ih->daddr;
2754         ret = 0;
2755
2756         switch (ih->protocol) {
2757         case IPPROTO_TCP: {
2758                 struct tcphdr _tcph, *th;
2759
2760                 if (ntohs(ih->frag_off) & IP_OFFSET)
2761                         break;
2762
2763                 offset += ihlen;
2764                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2765                 if (th == NULL)
2766                         break;
2767
2768                 ad->u.net.sport = th->source;
2769                 ad->u.net.dport = th->dest;
2770                 break;
2771         }
2772         
2773         case IPPROTO_UDP: {
2774                 struct udphdr _udph, *uh;
2775                 
2776                 if (ntohs(ih->frag_off) & IP_OFFSET)
2777                         break;
2778                         
2779                 offset += ihlen;
2780                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2781                 if (uh == NULL)
2782                         break;  
2783
2784                 ad->u.net.sport = uh->source;
2785                 ad->u.net.dport = uh->dest;
2786                 break;
2787         }
2788
2789         default:
2790                 break;
2791         }
2792 out:
2793         return ret;
2794 }
2795
2796 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2797
2798 /* Returns error only if unable to parse addresses */
2799 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2800 {
2801         u8 nexthdr;
2802         int ret = -EINVAL, offset;
2803         struct ipv6hdr _ipv6h, *ip6;
2804
2805         offset = skb->nh.raw - skb->data;
2806         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2807         if (ip6 == NULL)
2808                 goto out;
2809
2810         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2811         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2812         ret = 0;
2813
2814         nexthdr = ip6->nexthdr;
2815         offset += sizeof(_ipv6h);
2816         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2817         if (offset < 0)
2818                 goto out;
2819
2820         switch (nexthdr) {
2821         case IPPROTO_TCP: {
2822                 struct tcphdr _tcph, *th;
2823
2824                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2825                 if (th == NULL)
2826                         break;
2827
2828                 ad->u.net.sport = th->source;
2829                 ad->u.net.dport = th->dest;
2830                 break;
2831         }
2832
2833         case IPPROTO_UDP: {
2834                 struct udphdr _udph, *uh;
2835
2836                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2837                 if (uh == NULL)
2838                         break;
2839
2840                 ad->u.net.sport = uh->source;
2841                 ad->u.net.dport = uh->dest;
2842                 break;
2843         }
2844
2845         /* includes fragments */
2846         default:
2847                 break;
2848         }
2849 out:
2850         return ret;
2851 }
2852
2853 #endif /* IPV6 */
2854
2855 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2856                              char **addrp, int *len, int src)
2857 {
2858         int ret = 0;
2859
2860         switch (ad->u.net.family) {
2861         case PF_INET:
2862                 ret = selinux_parse_skb_ipv4(skb, ad);
2863                 if (ret || !addrp)
2864                         break;
2865                 *len = 4;
2866                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2867                                         &ad->u.net.v4info.daddr);
2868                 break;
2869
2870 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2871         case PF_INET6:
2872                 ret = selinux_parse_skb_ipv6(skb, ad);
2873                 if (ret || !addrp)
2874                         break;
2875                 *len = 16;
2876                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2877                                         &ad->u.net.v6info.daddr);
2878                 break;
2879 #endif  /* IPV6 */
2880         default:
2881                 break;
2882         }
2883
2884         return ret;
2885 }
2886
2887 /* socket security operations */
2888 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2889                            u32 perms)
2890 {
2891         struct inode_security_struct *isec;
2892         struct task_security_struct *tsec;
2893         struct avc_audit_data ad;
2894         int err = 0;
2895
2896         tsec = task->security;
2897         isec = SOCK_INODE(sock)->i_security;
2898
2899         if (isec->sid == SECINITSID_KERNEL)
2900                 goto out;
2901
2902         AVC_AUDIT_DATA_INIT(&ad,NET);
2903         ad.u.net.sk = sock->sk;
2904         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2905
2906 out:
2907         return err;
2908 }
2909
2910 static int selinux_socket_create(int family, int type,
2911                                  int protocol, int kern)
2912 {
2913         int err = 0;
2914         struct task_security_struct *tsec;
2915
2916         if (kern)
2917                 goto out;
2918
2919         tsec = current->security;
2920         err = avc_has_perm(tsec->sid, tsec->sid,
2921                            socket_type_to_security_class(family, type,
2922                            protocol), SOCKET__CREATE, NULL);
2923
2924 out:
2925         return err;
2926 }
2927
2928 static void selinux_socket_post_create(struct socket *sock, int family,
2929                                        int type, int protocol, int kern)
2930 {
2931         struct inode_security_struct *isec;
2932         struct task_security_struct *tsec;
2933
2934         isec = SOCK_INODE(sock)->i_security;
2935
2936         tsec = current->security;
2937         isec->sclass = socket_type_to_security_class(family, type, protocol);
2938         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2939         isec->initialized = 1;
2940
2941         return;
2942 }
2943
2944 /* Range of port numbers used to automatically bind.
2945    Need to determine whether we should perform a name_bind
2946    permission check between the socket and the port number. */
2947 #define ip_local_port_range_0 sysctl_local_port_range[0]
2948 #define ip_local_port_range_1 sysctl_local_port_range[1]
2949
2950 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2951 {
2952         u16 family;
2953         int err;
2954
2955         err = socket_has_perm(current, sock, SOCKET__BIND);
2956         if (err)
2957                 goto out;
2958
2959         /*
2960          * If PF_INET or PF_INET6, check name_bind permission for the port.
2961          * Multiple address binding for SCTP is not supported yet: we just
2962          * check the first address now.
2963          */
2964         family = sock->sk->sk_family;
2965         if (family == PF_INET || family == PF_INET6) {
2966                 char *addrp;
2967                 struct inode_security_struct *isec;
2968                 struct task_security_struct *tsec;
2969                 struct avc_audit_data ad;
2970                 struct sockaddr_in *addr4 = NULL;
2971                 struct sockaddr_in6 *addr6 = NULL;
2972                 unsigned short snum;
2973                 struct sock *sk = sock->sk;
2974                 u32 sid, node_perm, addrlen;
2975
2976                 tsec = current->security;
2977                 isec = SOCK_INODE(sock)->i_security;
2978
2979                 if (family == PF_INET) {
2980                         addr4 = (struct sockaddr_in *)address;
2981                         snum = ntohs(addr4->sin_port);
2982                         addrlen = sizeof(addr4->sin_addr.s_addr);
2983                         addrp = (char *)&addr4->sin_addr.s_addr;
2984                 } else {
2985                         addr6 = (struct sockaddr_in6 *)address;
2986                         snum = ntohs(addr6->sin6_port);
2987                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
2988                         addrp = (char *)&addr6->sin6_addr.s6_addr;
2989                 }
2990
2991                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2992                            snum > ip_local_port_range_1)) {
2993                         err = security_port_sid(sk->sk_family, sk->sk_type,
2994                                                 sk->sk_protocol, snum, &sid);
2995                         if (err)
2996                                 goto out;
2997                         AVC_AUDIT_DATA_INIT(&ad,NET);
2998                         ad.u.net.sport = htons(snum);
2999                         ad.u.net.family = family;
3000                         err = avc_has_perm(isec->sid, sid,
3001                                            isec->sclass,
3002                                            SOCKET__NAME_BIND, &ad);
3003                         if (err)
3004                                 goto out;
3005                 }
3006                 
3007                 switch(isec->sclass) {
3008                 case SECCLASS_TCP_SOCKET:
3009                         node_perm = TCP_SOCKET__NODE_BIND;
3010                         break;
3011                         
3012                 case SECCLASS_UDP_SOCKET:
3013                         node_perm = UDP_SOCKET__NODE_BIND;
3014                         break;
3015                         
3016                 default:
3017                         node_perm = RAWIP_SOCKET__NODE_BIND;
3018                         break;
3019                 }
3020                 
3021                 err = security_node_sid(family, addrp, addrlen, &sid);
3022                 if (err)
3023                         goto out;
3024                 
3025                 AVC_AUDIT_DATA_INIT(&ad,NET);
3026                 ad.u.net.sport = htons(snum);
3027                 ad.u.net.family = family;
3028
3029                 if (family == PF_INET)
3030                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3031                 else
3032                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3033
3034                 err = avc_has_perm(isec->sid, sid,
3035                                    isec->sclass, node_perm, &ad);
3036                 if (err)
3037                         goto out;
3038         }
3039 out:
3040         return err;
3041 }
3042
3043 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3044 {
3045         struct inode_security_struct *isec;
3046         int err;
3047
3048         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3049         if (err)
3050                 return err;
3051
3052         /*
3053          * If a TCP socket, check name_connect permission for the port.
3054          */
3055         isec = SOCK_INODE(sock)->i_security;
3056         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3057                 struct sock *sk = sock->sk;
3058                 struct avc_audit_data ad;
3059                 struct sockaddr_in *addr4 = NULL;
3060                 struct sockaddr_in6 *addr6 = NULL;
3061                 unsigned short snum;
3062                 u32 sid;
3063
3064                 if (sk->sk_family == PF_INET) {
3065                         addr4 = (struct sockaddr_in *)address;
3066                         if (addrlen < sizeof(struct sockaddr_in))
3067                                 return -EINVAL;
3068                         snum = ntohs(addr4->sin_port);
3069                 } else {
3070                         addr6 = (struct sockaddr_in6 *)address;
3071                         if (addrlen < SIN6_LEN_RFC2133)
3072                                 return -EINVAL;
3073                         snum = ntohs(addr6->sin6_port);
3074                 }
3075
3076                 err = security_port_sid(sk->sk_family, sk->sk_type,
3077                                         sk->sk_protocol, snum, &sid);
3078                 if (err)
3079                         goto out;
3080
3081                 AVC_AUDIT_DATA_INIT(&ad,NET);
3082                 ad.u.net.dport = htons(snum);
3083                 ad.u.net.family = sk->sk_family;
3084                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3085                                    TCP_SOCKET__NAME_CONNECT, &ad);
3086                 if (err)
3087                         goto out;
3088         }
3089
3090 out:
3091         return err;
3092 }
3093
3094 static int selinux_socket_listen(struct socket *sock, int backlog)
3095 {
3096         return socket_has_perm(current, sock, SOCKET__LISTEN);
3097 }
3098
3099 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3100 {
3101         int err;
3102         struct inode_security_struct *isec;
3103         struct inode_security_struct *newisec;
3104
3105         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3106         if (err)
3107                 return err;
3108
3109         newisec = SOCK_INODE(newsock)->i_security;
3110
3111         isec = SOCK_INODE(sock)->i_security;
3112         newisec->sclass = isec->sclass;
3113         newisec->sid = isec->sid;
3114         newisec->initialized = 1;
3115
3116         return 0;
3117 }
3118
3119 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3120                                   int size)
3121 {
3122         return socket_has_perm(current, sock, SOCKET__WRITE);
3123 }
3124
3125 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3126                                   int size, int flags)
3127 {
3128         return socket_has_perm(current, sock, SOCKET__READ);
3129 }
3130
3131 static int selinux_socket_getsockname(struct socket *sock)
3132 {
3133         return socket_has_perm(current, sock, SOCKET__GETATTR);
3134 }
3135
3136 static int selinux_socket_getpeername(struct socket *sock)
3137 {
3138         return socket_has_perm(current, sock, SOCKET__GETATTR);
3139 }
3140
3141 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3142 {
3143         return socket_has_perm(current, sock, SOCKET__SETOPT);
3144 }
3145
3146 static int selinux_socket_getsockopt(struct socket *sock, int level,
3147                                      int optname)
3148 {
3149         return socket_has_perm(current, sock, SOCKET__GETOPT);
3150 }
3151
3152 static int selinux_socket_shutdown(struct socket *sock, int how)
3153 {
3154         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3155 }
3156
3157 static int selinux_socket_unix_stream_connect(struct socket *sock,
3158                                               struct socket *other,
3159                                               struct sock *newsk)
3160 {
3161         struct sk_security_struct *ssec;
3162         struct inode_security_struct *isec;
3163         struct inode_security_struct *other_isec;
3164         struct avc_audit_data ad;
3165         int err;
3166
3167         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3168         if (err)
3169                 return err;
3170
3171         isec = SOCK_INODE(sock)->i_security;
3172         other_isec = SOCK_INODE(other)->i_security;
3173
3174         AVC_AUDIT_DATA_INIT(&ad,NET);
3175         ad.u.net.sk = other->sk;
3176
3177         err = avc_has_perm(isec->sid, other_isec->sid,
3178                            isec->sclass,
3179                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3180         if (err)
3181                 return err;
3182
3183         /* connecting socket */
3184         ssec = sock->sk->sk_security;
3185         ssec->peer_sid = other_isec->sid;
3186         
3187         /* server child socket */
3188         ssec = newsk->sk_security;
3189         ssec->peer_sid = isec->sid;
3190         
3191         return 0;
3192 }
3193
3194 static int selinux_socket_unix_may_send(struct socket *sock,
3195                                         struct socket *other)
3196 {
3197         struct inode_security_struct *isec;
3198         struct inode_security_struct *other_isec;
3199         struct avc_audit_data ad;
3200         int err;
3201
3202         isec = SOCK_INODE(sock)->i_security;
3203         other_isec = SOCK_INODE(other)->i_security;
3204
3205         AVC_AUDIT_DATA_INIT(&ad,NET);
3206         ad.u.net.sk = other->sk;
3207
3208         err = avc_has_perm(isec->sid, other_isec->sid,
3209                            isec->sclass, SOCKET__SENDTO, &ad);
3210         if (err)
3211                 return err;
3212
3213         return 0;
3214 }
3215
3216 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3217 {
3218         u16 family;
3219         char *addrp;
3220         int len, err = 0;
3221         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3222         u32 sock_sid = 0;
3223         u16 sock_class = 0;
3224         struct socket *sock;
3225         struct net_device *dev;
3226         struct avc_audit_data ad;
3227
3228         family = sk->sk_family;
3229         if (family != PF_INET && family != PF_INET6)
3230                 goto out;
3231
3232         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3233         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3234                 family = PF_INET;
3235
3236         read_lock_bh(&sk->sk_callback_lock);
3237         sock = sk->sk_socket;
3238         if (sock) {
3239                 struct inode *inode;
3240                 inode = SOCK_INODE(sock);
3241                 if (inode) {
3242                         struct inode_security_struct *isec;
3243                         isec = inode->i_security;
3244                         sock_sid = isec->sid;
3245                         sock_class = isec->sclass;
3246                 }
3247         }
3248         read_unlock_bh(&sk->sk_callback_lock);
3249         if (!sock_sid)
3250                 goto out;
3251
3252         dev = skb->dev;
3253         if (!dev)
3254                 goto out;
3255
3256         err = sel_netif_sids(dev, &if_sid, NULL);
3257         if (err)
3258                 goto out;
3259
3260         switch (sock_class) {
3261         case SECCLASS_UDP_SOCKET:
3262                 netif_perm = NETIF__UDP_RECV;
3263                 node_perm = NODE__UDP_RECV;
3264                 recv_perm = UDP_SOCKET__RECV_MSG;
3265                 break;
3266         
3267         case SECCLASS_TCP_SOCKET:
3268                 netif_perm = NETIF__TCP_RECV;
3269                 node_perm = NODE__TCP_RECV;
3270                 recv_perm = TCP_SOCKET__RECV_MSG;
3271                 break;
3272         
3273         default:
3274                 netif_perm = NETIF__RAWIP_RECV;
3275                 node_perm = NODE__RAWIP_RECV;
3276                 break;
3277         }
3278
3279         AVC_AUDIT_DATA_INIT(&ad, NET);
3280         ad.u.net.netif = dev->name;
3281         ad.u.net.family = family;
3282
3283         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3284         if (err)
3285                 goto out;
3286
3287         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3288         if (err)
3289                 goto out;
3290         
3291         /* Fixme: this lookup is inefficient */
3292         err = security_node_sid(family, addrp, len, &node_sid);
3293         if (err)
3294                 goto out;
3295         
3296         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3297         if (err)
3298                 goto out;
3299
3300         if (recv_perm) {
3301                 u32 port_sid;
3302
3303                 /* Fixme: make this more efficient */
3304                 err = security_port_sid(sk->sk_family, sk->sk_type,
3305                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3306                                         &port_sid);
3307                 if (err)
3308                         goto out;
3309
3310                 err = avc_has_perm(sock_sid, port_sid,
3311                                    sock_class, recv_perm, &ad);
3312         }
3313
3314         if (!err)
3315                 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3316
3317 out:    
3318         return err;
3319 }
3320
3321 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3322                                             int __user *optlen, unsigned len)
3323 {
3324         int err = 0;
3325         char *scontext;
3326         u32 scontext_len;
3327         struct sk_security_struct *ssec;
3328         struct inode_security_struct *isec;
3329         u32 peer_sid = 0;
3330
3331         isec = SOCK_INODE(sock)->i_security;
3332
3333         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3334         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3335                 ssec = sock->sk->sk_security;
3336                 peer_sid = ssec->peer_sid;
3337         }
3338         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3339                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3340
3341                 if (peer_sid == SECSID_NULL) {
3342                         err = -ENOPROTOOPT;
3343                         goto out;
3344                 }
3345         }
3346         else {
3347                 err = -ENOPROTOOPT;
3348                 goto out;
3349         }
3350
3351         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3352
3353         if (err)
3354                 goto out;
3355
3356         if (scontext_len > len) {
3357                 err = -ERANGE;
3358                 goto out_len;
3359         }
3360
3361         if (copy_to_user(optval, scontext, scontext_len))
3362                 err = -EFAULT;
3363
3364 out_len:
3365         if (put_user(scontext_len, optlen))
3366                 err = -EFAULT;
3367
3368         kfree(scontext);
3369 out:    
3370         return err;
3371 }
3372
3373 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3374 {
3375         int err = 0;
3376         u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3377
3378         if (peer_sid == SECSID_NULL)
3379                 return -EINVAL;
3380
3381         err = security_sid_to_context(peer_sid, secdata, seclen);
3382         if (err)
3383                 return err;
3384
3385         return 0;
3386 }
3387
3388
3389
3390 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3391 {
3392         return sk_alloc_security(sk, family, priority);
3393 }
3394
3395 static void selinux_sk_free_security(struct sock *sk)
3396 {
3397         sk_free_security(sk);
3398 }
3399
3400 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3401 {
3402         struct inode_security_struct *isec;
3403         u32 sock_sid = SECINITSID_ANY_SOCKET;
3404
3405         if (!sk)
3406                 return selinux_no_sk_sid(fl);
3407
3408         read_lock_bh(&sk->sk_callback_lock);
3409         isec = get_sock_isec(sk);
3410
3411         if (isec)
3412                 sock_sid = isec->sid;
3413
3414         read_unlock_bh(&sk->sk_callback_lock);
3415         return sock_sid;
3416 }
3417
3418 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3419 {
3420         int err = 0;
3421         u32 perm;
3422         struct nlmsghdr *nlh;
3423         struct socket *sock = sk->sk_socket;
3424         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3425         
3426         if (skb->len < NLMSG_SPACE(0)) {
3427                 err = -EINVAL;
3428                 goto out;
3429         }
3430         nlh = (struct nlmsghdr *)skb->data;
3431         
3432         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3433         if (err) {
3434                 if (err == -EINVAL) {
3435                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3436                                   "SELinux:  unrecognized netlink message"
3437                                   " type=%hu for sclass=%hu\n",
3438                                   nlh->nlmsg_type, isec->sclass);
3439                         if (!selinux_enforcing)
3440                                 err = 0;
3441                 }
3442
3443                 /* Ignore */
3444                 if (err == -ENOENT)
3445                         err = 0;
3446                 goto out;
3447         }
3448
3449         err = socket_has_perm(current, sock, perm);
3450 out:
3451         return err;
3452 }
3453
3454 #ifdef CONFIG_NETFILTER
3455
3456 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3457                                               struct sk_buff **pskb,
3458                                               const struct net_device *in,
3459                                               const struct net_device *out,
3460                                               int (*okfn)(struct sk_buff *),
3461                                               u16 family)
3462 {
3463         char *addrp;
3464         int len, err = NF_ACCEPT;
3465         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3466         struct sock *sk;
3467         struct socket *sock;
3468         struct inode *inode;
3469         struct sk_buff *skb = *pskb;
3470         struct inode_security_struct *isec;
3471         struct avc_audit_data ad;
3472         struct net_device *dev = (struct net_device *)out;
3473         
3474         sk = skb->sk;
3475         if (!sk)
3476                 goto out;
3477                 
3478         sock = sk->sk_socket;
3479         if (!sock)
3480                 goto out;
3481                 
3482         inode = SOCK_INODE(sock);
3483         if (!inode)
3484                 goto out;
3485
3486         err = sel_netif_sids(dev, &if_sid, NULL);
3487         if (err)
3488                 goto out;
3489
3490         isec = inode->i_security;
3491         
3492         switch (isec->sclass) {
3493         case SECCLASS_UDP_SOCKET:
3494                 netif_perm = NETIF__UDP_SEND;
3495                 node_perm = NODE__UDP_SEND;
3496                 send_perm = UDP_SOCKET__SEND_MSG;
3497                 break;
3498         
3499         case SECCLASS_TCP_SOCKET:
3500                 netif_perm = NETIF__TCP_SEND;
3501                 node_perm = NODE__TCP_SEND;
3502                 send_perm = TCP_SOCKET__SEND_MSG;
3503                 break;
3504         
3505         default:
3506                 netif_perm = NETIF__RAWIP_SEND;
3507                 node_perm = NODE__RAWIP_SEND;
3508                 break;
3509         }
3510
3511
3512         AVC_AUDIT_DATA_INIT(&ad, NET);
3513         ad.u.net.netif = dev->name;
3514         ad.u.net.family = family;
3515
3516         err = selinux_parse_skb(skb, &ad, &addrp,
3517                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3518         if (err != NF_ACCEPT)
3519                 goto out;
3520
3521         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3522                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3523         if (err != NF_ACCEPT)
3524                 goto out;
3525                 
3526         /* Fixme: this lookup is inefficient */
3527         err = security_node_sid(family, addrp, len,
3528                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3529         if (err != NF_ACCEPT)
3530                 goto out;
3531         
3532         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3533                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3534         if (err != NF_ACCEPT)
3535                 goto out;
3536
3537         if (send_perm) {
3538                 u32 port_sid;
3539                 
3540                 /* Fixme: make this more efficient */
3541                 err = security_port_sid(sk->sk_family,
3542                                         sk->sk_type,
3543                                         sk->sk_protocol,
3544                                         ntohs(ad.u.net.dport),
3545                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3546                 if (err != NF_ACCEPT)
3547                         goto out;
3548
3549                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3550                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3551         }
3552
3553         if (err != NF_ACCEPT)
3554                 goto out;
3555
3556         err = selinux_xfrm_postroute_last(isec->sid, skb);
3557
3558 out:
3559         return err;
3560 }
3561
3562 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3563                                                 struct sk_buff **pskb,
3564                                                 const struct net_device *in,
3565                                                 const struct net_device *out,
3566                                                 int (*okfn)(struct sk_buff *))
3567 {
3568         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3569 }
3570
3571 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3572
3573 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3574                                                 struct sk_buff **pskb,
3575                                                 const struct net_device *in,
3576                                                 const struct net_device *out,
3577                                                 int (*okfn)(struct sk_buff *))
3578 {
3579         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3580 }
3581
3582 #endif  /* IPV6 */
3583
3584 #endif  /* CONFIG_NETFILTER */
3585
3586 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3587 {
3588         struct task_security_struct *tsec;
3589         struct av_decision avd;
3590         int err;
3591
3592         err = secondary_ops->netlink_send(sk, skb);
3593         if (err)
3594                 return err;
3595
3596         tsec = current->security;
3597
3598         avd.allowed = 0;
3599         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3600                                 SECCLASS_CAPABILITY, ~0, &avd);
3601         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3602
3603         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3604                 err = selinux_nlmsg_perm(sk, skb);
3605
3606         return err;
3607 }
3608
3609 static int selinux_netlink_recv(struct sk_buff *skb)
3610 {
3611         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3612                 return -EPERM;
3613         return 0;
3614 }
3615
3616 static int ipc_alloc_security(struct task_struct *task,
3617                               struct kern_ipc_perm *perm,
3618                               u16 sclass)
3619 {
3620         struct task_security_struct *tsec = task->security;
3621         struct ipc_security_struct *isec;
3622
3623         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3624         if (!isec)
3625                 return -ENOMEM;
3626
3627         isec->sclass = sclass;
3628         isec->ipc_perm = perm;
3629         isec->sid = tsec->sid;
3630         perm->security = isec;
3631
3632         return 0;
3633 }
3634
3635 static void ipc_free_security(struct kern_ipc_perm *perm)
3636 {
3637         struct ipc_security_struct *isec = perm->security;
3638         perm->security = NULL;
3639         kfree(isec);
3640 }
3641
3642 static int msg_msg_alloc_security(struct msg_msg *msg)
3643 {
3644         struct msg_security_struct *msec;
3645
3646         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3647         if (!msec)
3648                 return -ENOMEM;
3649
3650         msec->msg = msg;
3651         msec->sid = SECINITSID_UNLABELED;
3652         msg->security = msec;
3653
3654         return 0;
3655 }
3656
3657 static void msg_msg_free_security(struct msg_msg *msg)
3658 {
3659         struct msg_security_struct *msec = msg->security;
3660
3661         msg->security = NULL;
3662         kfree(msec);
3663 }
3664
3665 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3666                         u32 perms)
3667 {
3668         struct task_security_struct *tsec;
3669         struct ipc_security_struct *isec;
3670         struct avc_audit_data ad;
3671
3672         tsec = current->security;
3673         isec = ipc_perms->security;
3674
3675         AVC_AUDIT_DATA_INIT(&ad, IPC);
3676         ad.u.ipc_id = ipc_perms->key;
3677
3678         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3679 }
3680
3681 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3682 {
3683         return msg_msg_alloc_security(msg);
3684 }
3685
3686 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3687 {
3688         msg_msg_free_security(msg);
3689 }
3690
3691 /* message queue security operations */
3692 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3693 {
3694         struct task_security_struct *tsec;
3695         struct ipc_security_struct *isec;
3696         struct avc_audit_data ad;
3697         int rc;
3698
3699         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3700         if (rc)
3701                 return rc;
3702
3703         tsec = current->security;
3704         isec = msq->q_perm.security;
3705
3706         AVC_AUDIT_DATA_INIT(&ad, IPC);
3707         ad.u.ipc_id = msq->q_perm.key;
3708
3709         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3710                           MSGQ__CREATE, &ad);
3711         if (rc) {
3712                 ipc_free_security(&msq->q_perm);
3713                 return rc;
3714         }
3715         return 0;
3716 }
3717
3718 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3719 {
3720         ipc_free_security(&msq->q_perm);
3721 }
3722
3723 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3724 {
3725         struct task_security_struct *tsec;
3726         struct ipc_security_struct *isec;
3727         struct avc_audit_data ad;
3728
3729         tsec = current->security;
3730         isec = msq->q_perm.security;
3731
3732         AVC_AUDIT_DATA_INIT(&ad, IPC);
3733         ad.u.ipc_id = msq->q_perm.key;
3734
3735         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3736                             MSGQ__ASSOCIATE, &ad);
3737 }
3738
3739 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3740 {
3741         int err;
3742         int perms;
3743
3744         switch(cmd) {
3745         case IPC_INFO:
3746         case MSG_INFO:
3747                 /* No specific object, just general system-wide information. */
3748                 return task_has_system(current, SYSTEM__IPC_INFO);
3749         case IPC_STAT:
3750         case MSG_STAT:
3751                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3752                 break;
3753         case IPC_SET:
3754                 perms = MSGQ__SETATTR;
3755                 break;
3756         case IPC_RMID:
3757                 perms = MSGQ__DESTROY;
3758                 break;
3759         default:
3760                 return 0;
3761         }
3762
3763         err = ipc_has_perm(&msq->q_perm, perms);
3764         return err;
3765 }
3766
3767 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3768 {
3769         struct task_security_struct *tsec;
3770         struct ipc_security_struct *isec;
3771         struct msg_security_struct *msec;
3772         struct avc_audit_data ad;
3773         int rc;
3774
3775         tsec = current->security;
3776         isec = msq->q_perm.security;
3777         msec = msg->security;
3778
3779         /*
3780          * First time through, need to assign label to the message
3781          */
3782         if (msec->sid == SECINITSID_UNLABELED) {
3783                 /*
3784                  * Compute new sid based on current process and
3785                  * message queue this message will be stored in
3786                  */
3787                 rc = security_transition_sid(tsec->sid,
3788                                              isec->sid,
3789                                              SECCLASS_MSG,
3790                                              &msec->sid);
3791                 if (rc)
3792                         return rc;
3793         }
3794
3795         AVC_AUDIT_DATA_INIT(&ad, IPC);
3796         ad.u.ipc_id = msq->q_perm.key;
3797
3798         /* Can this process write to the queue? */
3799         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3800                           MSGQ__WRITE, &ad);
3801         if (!rc)
3802                 /* Can this process send the message */
3803                 rc = avc_has_perm(tsec->sid, msec->sid,
3804                                   SECCLASS_MSG, MSG__SEND, &ad);
3805         if (!rc)
3806                 /* Can the message be put in the queue? */
3807                 rc = avc_has_perm(msec->sid, isec->sid,
3808                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3809
3810         return rc;
3811 }
3812
3813 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3814                                     struct task_struct *target,
3815                                     long type, int mode)
3816 {
3817         struct task_security_struct *tsec;
3818         struct ipc_security_struct *isec;
3819         struct msg_security_struct *msec;
3820         struct avc_audit_data ad;
3821         int rc;
3822
3823         tsec = target->security;
3824         isec = msq->q_perm.security;
3825         msec = msg->security;
3826
3827         AVC_AUDIT_DATA_INIT(&ad, IPC);
3828         ad.u.ipc_id = msq->q_perm.key;
3829
3830         rc = avc_has_perm(tsec->sid, isec->sid,
3831                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3832         if (!rc)
3833                 rc = avc_has_perm(tsec->sid, msec->sid,
3834                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3835         return rc;
3836 }
3837
3838 /* Shared Memory security operations */
3839 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3840 {
3841         struct task_security_struct *tsec;
3842         struct ipc_security_struct *isec;
3843         struct avc_audit_data ad;
3844         int rc;
3845
3846         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3847         if (rc)
3848                 return rc;
3849
3850         tsec = current->security;
3851         isec = shp->shm_perm.security;
3852
3853         AVC_AUDIT_DATA_INIT(&ad, IPC);
3854         ad.u.ipc_id = shp->shm_perm.key;
3855
3856         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3857                           SHM__CREATE, &ad);
3858         if (rc) {
3859                 ipc_free_security(&shp->shm_perm);
3860                 return rc;
3861         }
3862         return 0;
3863 }
3864
3865 static void selinux_shm_free_security(struct shmid_kernel *shp)
3866 {
3867         ipc_free_security(&shp->shm_perm);
3868 }
3869
3870 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3871 {
3872         struct task_security_struct *tsec;
3873         struct ipc_security_struct *isec;
3874         struct avc_audit_data ad;
3875
3876         tsec = current->security;
3877         isec = shp->shm_perm.security;
3878
3879         AVC_AUDIT_DATA_INIT(&ad, IPC);
3880         ad.u.ipc_id = shp->shm_perm.key;
3881
3882         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3883                             SHM__ASSOCIATE, &ad);
3884 }
3885
3886 /* Note, at this point, shp is locked down */
3887 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3888 {
3889         int perms;
3890         int err;
3891
3892         switch(cmd) {
3893         case IPC_INFO:
3894         case SHM_INFO:
3895                 /* No specific object, just general system-wide information. */
3896                 return task_has_system(current, SYSTEM__IPC_INFO);
3897         case IPC_STAT:
3898         case SHM_STAT:
3899                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3900                 break;
3901         case IPC_SET:
3902                 perms = SHM__SETATTR;
3903                 break;
3904         case SHM_LOCK:
3905         case SHM_UNLOCK:
3906                 perms = SHM__LOCK;
3907                 break;
3908         case IPC_RMID:
3909                 perms = SHM__DESTROY;
3910                 break;
3911         default:
3912                 return 0;
3913         }
3914
3915         err = ipc_has_perm(&shp->shm_perm, perms);
3916         return err;
3917 }
3918
3919 static int selinux_shm_shmat(struct shmid_kernel *shp,
3920                              char __user *shmaddr, int shmflg)
3921 {
3922         u32 perms;
3923         int rc;
3924
3925         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3926         if (rc)
3927                 return rc;
3928
3929         if (shmflg & SHM_RDONLY)
3930                 perms = SHM__READ;
3931         else
3932                 perms = SHM__READ | SHM__WRITE;
3933
3934         return ipc_has_perm(&shp->shm_perm, perms);
3935 }
3936
3937 /* Semaphore security operations */
3938 static int selinux_sem_alloc_security(struct sem_array *sma)
3939 {
3940         struct task_security_struct *tsec;
3941         struct ipc_security_struct *isec;
3942         struct avc_audit_data ad;
3943         int rc;
3944
3945         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3946         if (rc)
3947                 return rc;
3948
3949         tsec = current->security;
3950         isec = sma->sem_perm.security;
3951
3952         AVC_AUDIT_DATA_INIT(&ad, IPC);
3953         ad.u.ipc_id = sma->sem_perm.key;
3954
3955         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3956                           SEM__CREATE, &ad);
3957         if (rc) {
3958                 ipc_free_security(&sma->sem_perm);
3959                 return rc;
3960         }
3961         return 0;
3962 }
3963
3964 static void selinux_sem_free_security(struct sem_array *sma)
3965 {
3966         ipc_free_security(&sma->sem_perm);
3967 }
3968
3969 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3970 {
3971         struct task_security_struct *tsec;
3972         struct ipc_security_struct *isec;
3973         struct avc_audit_data ad;
3974
3975         tsec = current->security;
3976         isec = sma->sem_perm.security;
3977
3978         AVC_AUDIT_DATA_INIT(&ad, IPC);
3979         ad.u.ipc_id = sma->sem_perm.key;
3980
3981         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3982                             SEM__ASSOCIATE, &ad);
3983 }
3984
3985 /* Note, at this point, sma is locked down */
3986 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3987 {
3988         int err;
3989         u32 perms;
3990
3991         switch(cmd) {
3992         case IPC_INFO:
3993         case SEM_INFO:
3994                 /* No specific object, just general system-wide information. */
3995                 return task_has_system(current, SYSTEM__IPC_INFO);
3996         case GETPID:
3997         case GETNCNT:
3998         case GETZCNT:
3999                 perms = SEM__GETATTR;
4000                 break;
4001         case GETVAL:
4002         case GETALL:
4003                 perms = SEM__READ;
4004                 break;
4005         case SETVAL:
4006         case SETALL:
4007                 perms = SEM__WRITE;
4008                 break;
4009         case IPC_RMID:
4010                 perms = SEM__DESTROY;
4011                 break;
4012         case IPC_SET:
4013                 perms = SEM__SETATTR;
4014                 break;
4015         case IPC_STAT:
4016         case SEM_STAT:
4017                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4018                 break;
4019         default:
4020                 return 0;
4021         }
4022
4023         err = ipc_has_perm(&sma->sem_perm, perms);
4024         return err;
4025 }
4026
4027 static int selinux_sem_semop(struct sem_array *sma,
4028                              struct sembuf *sops, unsigned nsops, int alter)
4029 {
4030         u32 perms;
4031
4032         if (alter)
4033                 perms = SEM__READ | SEM__WRITE;
4034         else
4035                 perms = SEM__READ;
4036
4037         return ipc_has_perm(&sma->sem_perm, perms);
4038 }
4039
4040 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4041 {
4042         u32 av = 0;
4043
4044         av = 0;
4045         if (flag & S_IRUGO)
4046                 av |= IPC__UNIX_READ;
4047         if (flag & S_IWUGO)
4048                 av |= IPC__UNIX_WRITE;
4049
4050         if (av == 0)
4051                 return 0;
4052
4053         return ipc_has_perm(ipcp, av);
4054 }
4055
4056 /* module stacking operations */
4057 static int selinux_register_security (const char *name, struct security_operations *ops)
4058 {
4059         if (secondary_ops != original_ops) {
4060                 printk(KERN_INFO "%s:  There is already a secondary security "
4061                        "module registered.\n", __FUNCTION__);
4062                 return -EINVAL;
4063         }
4064
4065         secondary_ops = ops;
4066
4067         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4068                __FUNCTION__,
4069                name);
4070
4071         return 0;
4072 }
4073
4074 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4075 {
4076         if (ops != secondary_ops) {
4077                 printk (KERN_INFO "%s:  trying to unregister a security module "
4078                         "that is not registered.\n", __FUNCTION__);
4079                 return -EINVAL;
4080         }
4081
4082         secondary_ops = original_ops;
4083
4084         return 0;
4085 }
4086
4087 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4088 {
4089         if (inode)
4090                 inode_doinit_with_dentry(inode, dentry);
4091 }
4092
4093 static int selinux_getprocattr(struct task_struct *p,
4094                                char *name, void *value, size_t size)
4095 {
4096         struct task_security_struct *tsec;
4097         u32 sid, len;
4098         char *context;
4099         int error;
4100
4101         if (current != p) {
4102                 error = task_has_perm(current, p, PROCESS__GETATTR);
4103                 if (error)
4104                         return error;
4105         }
4106
4107         if (!size)
4108                 return -ERANGE;
4109
4110         tsec = p->security;
4111
4112         if (!strcmp(name, "current"))
4113                 sid = tsec->sid;
4114         else if (!strcmp(name, "prev"))
4115                 sid = tsec->osid;
4116         else if (!strcmp(name, "exec"))
4117                 sid = tsec->exec_sid;
4118         else if (!strcmp(name, "fscreate"))
4119                 sid = tsec->create_sid;
4120         else
4121                 return -EINVAL;
4122
4123         if (!sid)
4124                 return 0;
4125
4126         error = security_sid_to_context(sid, &context, &len);
4127         if (error)
4128                 return error;
4129         if (len > size) {
4130                 kfree(context);
4131                 return -ERANGE;
4132         }
4133         memcpy(value, context, len);
4134         kfree(context);
4135         return len;
4136 }
4137
4138 static int selinux_setprocattr(struct task_struct *p,
4139                                char *name, void *value, size_t size)
4140 {
4141         struct task_security_struct *tsec;
4142         u32 sid = 0;
4143         int error;
4144         char *str = value;
4145
4146         if (current != p) {
4147                 /* SELinux only allows a process to change its own
4148                    security attributes. */
4149                 return -EACCES;
4150         }
4151
4152         /*
4153          * Basic control over ability to set these attributes at all.
4154          * current == p, but we'll pass them separately in case the
4155          * above restriction is ever removed.
4156          */
4157         if (!strcmp(name, "exec"))
4158                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4159         else if (!strcmp(name, "fscreate"))
4160                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4161         else if (!strcmp(name, "current"))
4162                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4163         else
4164                 error = -EINVAL;
4165         if (error)
4166                 return error;
4167
4168         /* Obtain a SID for the context, if one was specified. */
4169         if (size && str[1] && str[1] != '\n') {
4170                 if (str[size-1] == '\n') {
4171                         str[size-1] = 0;
4172                         size--;
4173                 }
4174                 error = security_context_to_sid(value, size, &sid);
4175                 if (error)
4176                         return error;
4177         }
4178
4179         /* Permission checking based on the specified context is
4180            performed during the actual operation (execve,
4181            open/mkdir/...), when we know the full context of the
4182            operation.  See selinux_bprm_set_security for the execve
4183            checks and may_create for the file creation checks. The
4184            operation will then fail if the context is not permitted. */
4185         tsec = p->security;
4186         if (!strcmp(name, "exec"))
4187                 tsec->exec_sid = sid;
4188         else if (!strcmp(name, "fscreate"))
4189                 tsec->create_sid = sid;
4190         else if (!strcmp(name, "current")) {
4191                 struct av_decision avd;
4192
4193                 if (sid == 0)
4194                         return -EINVAL;
4195
4196                 /* Only allow single threaded processes to change context */
4197                 if (atomic_read(&p->mm->mm_users) != 1) {
4198                         struct task_struct *g, *t;
4199                         struct mm_struct *mm = p->mm;
4200                         read_lock(&tasklist_lock);
4201                         do_each_thread(g, t)
4202                                 if (t->mm == mm && t != p) {
4203                                         read_unlock(&tasklist_lock);
4204                                         return -EPERM;
4205                                 }
4206                         while_each_thread(g, t);
4207                         read_unlock(&tasklist_lock);
4208                 }
4209
4210                 /* Check permissions for the transition. */
4211                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4212                                      PROCESS__DYNTRANSITION, NULL);
4213                 if (error)
4214                         return error;
4215
4216                 /* Check for ptracing, and update the task SID if ok.
4217                    Otherwise, leave SID unchanged and fail. */
4218                 task_lock(p);
4219                 if (p->ptrace & PT_PTRACED) {
4220                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4221                                                      SECCLASS_PROCESS,
4222                                                      PROCESS__PTRACE, &avd);
4223                         if (!error)
4224                                 tsec->sid = sid;
4225                         task_unlock(p);
4226                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4227                                   PROCESS__PTRACE, &avd, error, NULL);
4228                         if (error)
4229                                 return error;
4230                 } else {
4231                         tsec->sid = sid;
4232                         task_unlock(p);
4233                 }
4234         }
4235         else
4236                 return -EINVAL;
4237
4238         return size;
4239 }
4240
4241 static struct security_operations selinux_ops = {
4242         .ptrace =                       selinux_ptrace,
4243         .capget =                       selinux_capget,
4244         .capset_check =                 selinux_capset_check,
4245         .capset_set =                   selinux_capset_set,
4246         .sysctl =                       selinux_sysctl,
4247         .capable =                      selinux_capable,
4248         .quotactl =                     selinux_quotactl,
4249         .quota_on =                     selinux_quota_on,
4250         .syslog =                       selinux_syslog,
4251         .vm_enough_memory =             selinux_vm_enough_memory,
4252
4253         .netlink_send =                 selinux_netlink_send,
4254         .netlink_recv =                 selinux_netlink_recv,
4255
4256         .bprm_alloc_security =          selinux_bprm_alloc_security,
4257         .bprm_free_security =           selinux_bprm_free_security,
4258         .bprm_apply_creds =             selinux_bprm_apply_creds,
4259         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4260         .bprm_set_security =            selinux_bprm_set_security,
4261         .bprm_check_security =          selinux_bprm_check_security,
4262         .bprm_secureexec =              selinux_bprm_secureexec,
4263
4264         .sb_alloc_security =            selinux_sb_alloc_security,
4265         .sb_free_security =             selinux_sb_free_security,
4266         .sb_copy_data =                 selinux_sb_copy_data,
4267         .sb_kern_mount =                selinux_sb_kern_mount,
4268         .sb_statfs =                    selinux_sb_statfs,
4269         .sb_mount =                     selinux_mount,
4270         .sb_umount =                    selinux_umount,
4271
4272         .inode_alloc_security =         selinux_inode_alloc_security,
4273         .inode_free_security =          selinux_inode_free_security,
4274         .inode_init_security =          selinux_inode_init_security,
4275         .inode_create =                 selinux_inode_create,
4276         .inode_link =                   selinux_inode_link,
4277         .inode_unlink =                 selinux_inode_unlink,
4278         .inode_symlink =                selinux_inode_symlink,
4279         .inode_mkdir =                  selinux_inode_mkdir,
4280         .inode_rmdir =                  selinux_inode_rmdir,
4281         .inode_mknod =                  selinux_inode_mknod,
4282         .inode_rename =                 selinux_inode_rename,
4283         .inode_readlink =               selinux_inode_readlink,
4284         .inode_follow_link =            selinux_inode_follow_link,
4285         .inode_permission =             selinux_inode_permission,
4286         .inode_setattr =                selinux_inode_setattr,
4287         .inode_getattr =                selinux_inode_getattr,
4288         .inode_setxattr =               selinux_inode_setxattr,
4289         .inode_post_setxattr =          selinux_inode_post_setxattr,
4290         .inode_getxattr =               selinux_inode_getxattr,
4291         .inode_listxattr =              selinux_inode_listxattr,
4292         .inode_removexattr =            selinux_inode_removexattr,
4293         .inode_getsecurity =            selinux_inode_getsecurity,
4294         .inode_setsecurity =            selinux_inode_setsecurity,
4295         .inode_listsecurity =           selinux_inode_listsecurity,
4296
4297         .file_permission =              selinux_file_permission,
4298         .file_alloc_security =          selinux_file_alloc_security,
4299         .file_free_security =           selinux_file_free_security,
4300         .file_ioctl =                   selinux_file_ioctl,
4301         .file_mmap =                    selinux_file_mmap,
4302         .file_mprotect =                selinux_file_mprotect,
4303         .file_lock =                    selinux_file_lock,
4304         .file_fcntl =                   selinux_file_fcntl,
4305         .file_set_fowner =              selinux_file_set_fowner,
4306         .file_send_sigiotask =          selinux_file_send_sigiotask,
4307         .file_receive =                 selinux_file_receive,
4308
4309         .task_create =                  selinux_task_create,
4310         .task_alloc_security =          selinux_task_alloc_security,
4311         .task_free_security =           selinux_task_free_security,
4312         .task_setuid =                  selinux_task_setuid,
4313         .task_post_setuid =             selinux_task_post_setuid,
4314         .task_setgid =                  selinux_task_setgid,
4315         .task_setpgid =                 selinux_task_setpgid,
4316         .task_getpgid =                 selinux_task_getpgid,
4317         .task_getsid =                  selinux_task_getsid,
4318         .task_setgroups =               selinux_task_setgroups,
4319         .task_setnice =                 selinux_task_setnice,
4320         .task_setrlimit =               selinux_task_setrlimit,
4321         .task_setscheduler =            selinux_task_setscheduler,
4322         .task_getscheduler =            selinux_task_getscheduler,
4323         .task_kill =                    selinux_task_kill,
4324         .task_wait =                    selinux_task_wait,
4325         .task_prctl =                   selinux_task_prctl,
4326         .task_reparent_to_init =        selinux_task_reparent_to_init,
4327         .task_to_inode =                selinux_task_to_inode,
4328
4329         .ipc_permission =               selinux_ipc_permission,
4330
4331         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4332         .msg_msg_free_security =        selinux_msg_msg_free_security,
4333
4334         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4335         .msg_queue_free_security =      selinux_msg_queue_free_security,
4336         .msg_queue_associate =          selinux_msg_queue_associate,
4337         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4338         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4339         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4340
4341         .shm_alloc_security =           selinux_shm_alloc_security,
4342         .shm_free_security =            selinux_shm_free_security,
4343         .shm_associate =                selinux_shm_associate,
4344         .shm_shmctl =                   selinux_shm_shmctl,
4345         .shm_shmat =                    selinux_shm_shmat,
4346
4347         .sem_alloc_security =           selinux_sem_alloc_security,
4348         .sem_free_security =            selinux_sem_free_security,
4349         .sem_associate =                selinux_sem_associate,
4350         .sem_semctl =                   selinux_sem_semctl,
4351         .sem_semop =                    selinux_sem_semop,
4352
4353         .register_security =            selinux_register_security,
4354         .unregister_security =          selinux_unregister_security,
4355
4356         .d_instantiate =                selinux_d_instantiate,
4357
4358         .getprocattr =                  selinux_getprocattr,
4359         .setprocattr =                  selinux_setprocattr,
4360
4361         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4362         .unix_may_send =                selinux_socket_unix_may_send,
4363
4364         .socket_create =                selinux_socket_create,
4365         .socket_post_create =           selinux_socket_post_create,
4366         .socket_bind =                  selinux_socket_bind,
4367         .socket_connect =               selinux_socket_connect,
4368         .socket_listen =                selinux_socket_listen,
4369         .socket_accept =                selinux_socket_accept,
4370         .socket_sendmsg =               selinux_socket_sendmsg,
4371         .socket_recvmsg =               selinux_socket_recvmsg,
4372         .socket_getsockname =           selinux_socket_getsockname,
4373         .socket_getpeername =           selinux_socket_getpeername,
4374         .socket_getsockopt =            selinux_socket_getsockopt,
4375         .socket_setsockopt =            selinux_socket_setsockopt,
4376         .socket_shutdown =              selinux_socket_shutdown,
4377         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4378         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4379         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4380         .sk_alloc_security =            selinux_sk_alloc_security,
4381         .sk_free_security =             selinux_sk_free_security,
4382         .sk_getsid =                    selinux_sk_getsid_security,
4383
4384 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4385         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4386         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4387         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4388         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4389         .xfrm_state_free_security =     selinux_xfrm_state_free,
4390         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4391 #endif
4392 };
4393
4394 static __init int selinux_init(void)
4395 {
4396         struct task_security_struct *tsec;
4397
4398         if (!selinux_enabled) {
4399                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4400                 return 0;
4401         }
4402
4403         printk(KERN_INFO "SELinux:  Initializing.\n");
4404
4405         /* Set the security state for the initial task. */
4406         if (task_alloc_security(current))
4407                 panic("SELinux:  Failed to initialize initial task.\n");
4408         tsec = current->security;
4409         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4410
4411         avc_init();
4412
4413         original_ops = secondary_ops = security_ops;
4414         if (!secondary_ops)
4415                 panic ("SELinux: No initial security operations\n");
4416         if (register_security (&selinux_ops))
4417                 panic("SELinux: Unable to register with kernel.\n");
4418
4419         if (selinux_enforcing) {
4420                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4421         } else {
4422                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4423         }
4424         return 0;
4425 }
4426
4427 void selinux_complete_init(void)
4428 {
4429         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4430
4431         /* Set up any superblocks initialized prior to the policy load. */
4432         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4433         spin_lock(&sb_security_lock);
4434 next_sb:
4435         if (!list_empty(&superblock_security_head)) {
4436                 struct superblock_security_struct *sbsec =
4437                                 list_entry(superblock_security_head.next,
4438                                            struct superblock_security_struct,
4439                                            list);
4440                 struct super_block *sb = sbsec->sb;
4441                 spin_lock(&sb_lock);
4442                 sb->s_count++;
4443                 spin_unlock(&sb_lock);
4444                 spin_unlock(&sb_security_lock);
4445                 down_read(&sb->s_umount);
4446                 if (sb->s_root)
4447                         superblock_doinit(sb, NULL);
4448                 drop_super(sb);
4449                 spin_lock(&sb_security_lock);
4450                 list_del_init(&sbsec->list);
4451                 goto next_sb;
4452         }
4453         spin_unlock(&sb_security_lock);
4454 }
4455
4456 /* SELinux requires early initialization in order to label
4457    all processes and objects when they are created. */
4458 security_initcall(selinux_init);
4459
4460 #if defined(CONFIG_NETFILTER)
4461
4462 static struct nf_hook_ops selinux_ipv4_op = {
4463         .hook =         selinux_ipv4_postroute_last,
4464         .owner =        THIS_MODULE,
4465         .pf =           PF_INET,
4466         .hooknum =      NF_IP_POST_ROUTING,
4467         .priority =     NF_IP_PRI_SELINUX_LAST,
4468 };
4469
4470 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4471
4472 static struct nf_hook_ops selinux_ipv6_op = {
4473         .hook =         selinux_ipv6_postroute_last,
4474         .owner =        THIS_MODULE,
4475         .pf =           PF_INET6,
4476         .hooknum =      NF_IP6_POST_ROUTING,
4477         .priority =     NF_IP6_PRI_SELINUX_LAST,
4478 };
4479
4480 #endif  /* IPV6 */
4481
4482 static int __init selinux_nf_ip_init(void)
4483 {
4484         int err = 0;
4485
4486         if (!selinux_enabled)
4487                 goto out;
4488                 
4489         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4490         
4491         err = nf_register_hook(&selinux_ipv4_op);
4492         if (err)
4493                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4494
4495 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4496
4497         err = nf_register_hook(&selinux_ipv6_op);
4498         if (err)
4499                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4500
4501 #endif  /* IPV6 */
4502
4503 out:
4504         return err;
4505 }
4506
4507 __initcall(selinux_nf_ip_init);
4508
4509 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4510 static void selinux_nf_ip_exit(void)
4511 {
4512         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4513
4514         nf_unregister_hook(&selinux_ipv4_op);
4515 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4516         nf_unregister_hook(&selinux_ipv6_op);
4517 #endif  /* IPV6 */
4518 }
4519 #endif
4520
4521 #else /* CONFIG_NETFILTER */
4522
4523 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4524 #define selinux_nf_ip_exit()
4525 #endif
4526
4527 #endif /* CONFIG_NETFILTER */
4528
4529 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4530 int selinux_disable(void)
4531 {
4532         extern void exit_sel_fs(void);
4533         static int selinux_disabled = 0;
4534
4535         if (ss_initialized) {
4536                 /* Not permitted after initial policy load. */
4537                 return -EINVAL;
4538         }
4539
4540         if (selinux_disabled) {
4541                 /* Only do this once. */
4542                 return -EINVAL;
4543         }
4544
4545         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4546
4547         selinux_disabled = 1;
4548
4549         /* Reset security_ops to the secondary module, dummy or capability. */
4550         security_ops = secondary_ops;
4551
4552         /* Unregister netfilter hooks. */
4553         selinux_nf_ip_exit();
4554
4555         /* Unregister selinuxfs. */
4556         exit_sel_fs();
4557
4558         return 0;
4559 }
4560 #endif
4561
4562