SELinux: create new open permission
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *                Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /**
140  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
141  *
142  * Description:
143  * This function checks the SECMARK reference counter to see if any SECMARK
144  * targets are currently configured, if the reference counter is greater than
145  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
146  * enabled, false (0) if SECMARK is disabled.
147  *
148  */
149 static int selinux_secmark_enabled(void)
150 {
151         return (atomic_read(&selinux_secmark_refcount) > 0);
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
165         task->security = tsec;
166
167         return 0;
168 }
169
170 static void task_free_security(struct task_struct *task)
171 {
172         struct task_security_struct *tsec = task->security;
173         task->security = NULL;
174         kfree(tsec);
175 }
176
177 static int inode_alloc_security(struct inode *inode)
178 {
179         struct task_security_struct *tsec = current->security;
180         struct inode_security_struct *isec;
181
182         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
183         if (!isec)
184                 return -ENOMEM;
185
186         mutex_init(&isec->lock);
187         INIT_LIST_HEAD(&isec->list);
188         isec->inode = inode;
189         isec->sid = SECINITSID_UNLABELED;
190         isec->sclass = SECCLASS_FILE;
191         isec->task_sid = tsec->sid;
192         inode->i_security = isec;
193
194         return 0;
195 }
196
197 static void inode_free_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec = inode->i_security;
200         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201
202         spin_lock(&sbsec->isec_lock);
203         if (!list_empty(&isec->list))
204                 list_del_init(&isec->list);
205         spin_unlock(&sbsec->isec_lock);
206
207         inode->i_security = NULL;
208         kmem_cache_free(sel_inode_cache, isec);
209 }
210
211 static int file_alloc_security(struct file *file)
212 {
213         struct task_security_struct *tsec = current->security;
214         struct file_security_struct *fsec;
215
216         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
217         if (!fsec)
218                 return -ENOMEM;
219
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         mutex_init(&sbsec->lock);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         ssec = kzalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         ssec->peer_sid = SECINITSID_UNLABELED;
277         ssec->sid = SECINITSID_UNLABELED;
278         sk->sk_security = ssec;
279
280         selinux_netlbl_sk_security_reset(ssec, family);
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         sk->sk_security = NULL;
290         kfree(ssec);
291 }
292
293 /* The security server must be initialized before
294    any labeling or access decisions can be provided. */
295 extern int ss_initialized;
296
297 /* The file system's label must be initialized prior to use. */
298
299 static char *labeling_behaviors[6] = {
300         "uses xattr",
301         "uses transition SIDs",
302         "uses task SIDs",
303         "uses genfs_contexts",
304         "not configured for labeling",
305         "uses mountpoint labeling",
306 };
307
308 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309
310 static inline int inode_doinit(struct inode *inode)
311 {
312         return inode_doinit_with_dentry(inode, NULL);
313 }
314
315 enum {
316         Opt_error = -1,
317         Opt_context = 1,
318         Opt_fscontext = 2,
319         Opt_defcontext = 3,
320         Opt_rootcontext = 4,
321 };
322
323 static match_table_t tokens = {
324         {Opt_context, "context=%s"},
325         {Opt_fscontext, "fscontext=%s"},
326         {Opt_defcontext, "defcontext=%s"},
327         {Opt_rootcontext, "rootcontext=%s"},
328         {Opt_error, NULL},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int may_context_mount_sb_relabel(u32 sid,
334                         struct superblock_security_struct *sbsec,
335                         struct task_security_struct *tsec)
336 {
337         int rc;
338
339         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340                           FILESYSTEM__RELABELFROM, NULL);
341         if (rc)
342                 return rc;
343
344         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345                           FILESYSTEM__RELABELTO, NULL);
346         return rc;
347 }
348
349 static int may_context_mount_inode_relabel(u32 sid,
350                         struct superblock_security_struct *sbsec,
351                         struct task_security_struct *tsec)
352 {
353         int rc;
354         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
355                           FILESYSTEM__RELABELFROM, NULL);
356         if (rc)
357                 return rc;
358
359         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
360                           FILESYSTEM__ASSOCIATE, NULL);
361         return rc;
362 }
363
364 static int sb_finish_set_opts(struct super_block *sb)
365 {
366         struct superblock_security_struct *sbsec = sb->s_security;
367         struct dentry *root = sb->s_root;
368         struct inode *root_inode = root->d_inode;
369         int rc = 0;
370
371         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
372                 /* Make sure that the xattr handler exists and that no
373                    error other than -ENODATA is returned by getxattr on
374                    the root directory.  -ENODATA is ok, as this may be
375                    the first boot of the SELinux kernel before we have
376                    assigned xattr values to the filesystem. */
377                 if (!root_inode->i_op->getxattr) {
378                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
379                                "xattr support\n", sb->s_id, sb->s_type->name);
380                         rc = -EOPNOTSUPP;
381                         goto out;
382                 }
383                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
384                 if (rc < 0 && rc != -ENODATA) {
385                         if (rc == -EOPNOTSUPP)
386                                 printk(KERN_WARNING "SELinux: (dev %s, type "
387                                        "%s) has no security xattr handler\n",
388                                        sb->s_id, sb->s_type->name);
389                         else
390                                 printk(KERN_WARNING "SELinux: (dev %s, type "
391                                        "%s) getxattr errno %d\n", sb->s_id,
392                                        sb->s_type->name, -rc);
393                         goto out;
394                 }
395         }
396
397         sbsec->initialized = 1;
398
399         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
400                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
401                        sb->s_id, sb->s_type->name);
402         else
403                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
404                        sb->s_id, sb->s_type->name,
405                        labeling_behaviors[sbsec->behavior-1]);
406
407         /* Initialize the root inode. */
408         rc = inode_doinit_with_dentry(root_inode, root);
409
410         /* Initialize any other inodes associated with the superblock, e.g.
411            inodes created prior to initial policy load or inodes created
412            during get_sb by a pseudo filesystem that directly
413            populates itself. */
414         spin_lock(&sbsec->isec_lock);
415 next_inode:
416         if (!list_empty(&sbsec->isec_head)) {
417                 struct inode_security_struct *isec =
418                                 list_entry(sbsec->isec_head.next,
419                                            struct inode_security_struct, list);
420                 struct inode *inode = isec->inode;
421                 spin_unlock(&sbsec->isec_lock);
422                 inode = igrab(inode);
423                 if (inode) {
424                         if (!IS_PRIVATE(inode))
425                                 inode_doinit(inode);
426                         iput(inode);
427                 }
428                 spin_lock(&sbsec->isec_lock);
429                 list_del_init(&isec->list);
430                 goto next_inode;
431         }
432         spin_unlock(&sbsec->isec_lock);
433 out:
434         return rc;
435 }
436
437 /*
438  * This function should allow an FS to ask what it's mount security
439  * options were so it can use those later for submounts, displaying
440  * mount options, or whatever.
441  */
442 static int selinux_get_mnt_opts(const struct super_block *sb,
443                                 struct security_mnt_opts *opts)
444 {
445         int rc = 0, i;
446         struct superblock_security_struct *sbsec = sb->s_security;
447         char *context = NULL;
448         u32 len;
449         char tmp;
450
451         security_init_mnt_opts(opts);
452
453         if (!sbsec->initialized)
454                 return -EINVAL;
455
456         if (!ss_initialized)
457                 return -EINVAL;
458
459         /*
460          * if we ever use sbsec flags for anything other than tracking mount
461          * settings this is going to need a mask
462          */
463         tmp = sbsec->flags;
464         /* count the number of mount options for this sb */
465         for (i = 0; i < 8; i++) {
466                 if (tmp & 0x01)
467                         opts->num_mnt_opts++;
468                 tmp >>= 1;
469         }
470
471         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
472         if (!opts->mnt_opts) {
473                 rc = -ENOMEM;
474                 goto out_free;
475         }
476
477         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
478         if (!opts->mnt_opts_flags) {
479                 rc = -ENOMEM;
480                 goto out_free;
481         }
482
483         i = 0;
484         if (sbsec->flags & FSCONTEXT_MNT) {
485                 rc = security_sid_to_context(sbsec->sid, &context, &len);
486                 if (rc)
487                         goto out_free;
488                 opts->mnt_opts[i] = context;
489                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
490         }
491         if (sbsec->flags & CONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
497         }
498         if (sbsec->flags & DEFCONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
504         }
505         if (sbsec->flags & ROOTCONTEXT_MNT) {
506                 struct inode *root = sbsec->sb->s_root->d_inode;
507                 struct inode_security_struct *isec = root->i_security;
508
509                 rc = security_sid_to_context(isec->sid, &context, &len);
510                 if (rc)
511                         goto out_free;
512                 opts->mnt_opts[i] = context;
513                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
514         }
515
516         BUG_ON(i != opts->num_mnt_opts);
517
518         return 0;
519
520 out_free:
521         security_free_mnt_opts(opts);
522         return rc;
523 }
524
525 static int bad_option(struct superblock_security_struct *sbsec, char flag,
526                       u32 old_sid, u32 new_sid)
527 {
528         /* check if the old mount command had the same options */
529         if (sbsec->initialized)
530                 if (!(sbsec->flags & flag) ||
531                     (old_sid != new_sid))
532                         return 1;
533
534         /* check if we were passed the same options twice,
535          * aka someone passed context=a,context=b
536          */
537         if (!sbsec->initialized)
538                 if (sbsec->flags & flag)
539                         return 1;
540         return 0;
541 }
542
543 /*
544  * Allow filesystems with binary mount data to explicitly set mount point
545  * labeling information.
546  */
547 static int selinux_set_mnt_opts(struct super_block *sb,
548                                 struct security_mnt_opts *opts)
549 {
550         int rc = 0, i;
551         struct task_security_struct *tsec = current->security;
552         struct superblock_security_struct *sbsec = sb->s_security;
553         const char *name = sb->s_type->name;
554         struct inode *inode = sbsec->sb->s_root->d_inode;
555         struct inode_security_struct *root_isec = inode->i_security;
556         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
557         u32 defcontext_sid = 0;
558         char **mount_options = opts->mnt_opts;
559         int *flags = opts->mnt_opts_flags;
560         int num_opts = opts->num_mnt_opts;
561
562         mutex_lock(&sbsec->lock);
563
564         if (!ss_initialized) {
565                 if (!num_opts) {
566                         /* Defer initialization until selinux_complete_init,
567                            after the initial policy is loaded and the security
568                            server is ready to handle calls. */
569                         spin_lock(&sb_security_lock);
570                         if (list_empty(&sbsec->list))
571                                 list_add(&sbsec->list, &superblock_security_head);
572                         spin_unlock(&sb_security_lock);
573                         goto out;
574                 }
575                 rc = -EINVAL;
576                 printk(KERN_WARNING "Unable to set superblock options before "
577                        "the security server is initialized\n");
578                 goto out;
579         }
580
581         /*
582          * Binary mount data FS will come through this function twice.  Once
583          * from an explicit call and once from the generic calls from the vfs.
584          * Since the generic VFS calls will not contain any security mount data
585          * we need to skip the double mount verification.
586          *
587          * This does open a hole in which we will not notice if the first
588          * mount using this sb set explict options and a second mount using
589          * this sb does not set any security options.  (The first options
590          * will be used for both mounts)
591          */
592         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
593             && (num_opts == 0))
594                 goto out;
595
596         /*
597          * parse the mount options, check if they are valid sids.
598          * also check if someone is trying to mount the same sb more
599          * than once with different security options.
600          */
601         for (i = 0; i < num_opts; i++) {
602                 u32 sid;
603                 rc = security_context_to_sid(mount_options[i],
604                                              strlen(mount_options[i]), &sid);
605                 if (rc) {
606                         printk(KERN_WARNING "SELinux: security_context_to_sid"
607                                "(%s) failed for (dev %s, type %s) errno=%d\n",
608                                mount_options[i], sb->s_id, name, rc);
609                         goto out;
610                 }
611                 switch (flags[i]) {
612                 case FSCONTEXT_MNT:
613                         fscontext_sid = sid;
614
615                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
616                                         fscontext_sid))
617                                 goto out_double_mount;
618
619                         sbsec->flags |= FSCONTEXT_MNT;
620                         break;
621                 case CONTEXT_MNT:
622                         context_sid = sid;
623
624                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
625                                         context_sid))
626                                 goto out_double_mount;
627
628                         sbsec->flags |= CONTEXT_MNT;
629                         break;
630                 case ROOTCONTEXT_MNT:
631                         rootcontext_sid = sid;
632
633                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
634                                         rootcontext_sid))
635                                 goto out_double_mount;
636
637                         sbsec->flags |= ROOTCONTEXT_MNT;
638
639                         break;
640                 case DEFCONTEXT_MNT:
641                         defcontext_sid = sid;
642
643                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
644                                         defcontext_sid))
645                                 goto out_double_mount;
646
647                         sbsec->flags |= DEFCONTEXT_MNT;
648
649                         break;
650                 default:
651                         rc = -EINVAL;
652                         goto out;
653                 }
654         }
655
656         if (sbsec->initialized) {
657                 /* previously mounted with options, but not on this attempt? */
658                 if (sbsec->flags && !num_opts)
659                         goto out_double_mount;
660                 rc = 0;
661                 goto out;
662         }
663
664         if (strcmp(sb->s_type->name, "proc") == 0)
665                 sbsec->proc = 1;
666
667         /* Determine the labeling behavior to use for this filesystem type. */
668         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
669         if (rc) {
670                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
671                        __FUNCTION__, sb->s_type->name, rc);
672                 goto out;
673         }
674
675         /* sets the context of the superblock for the fs being mounted. */
676         if (fscontext_sid) {
677
678                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
679                 if (rc)
680                         goto out;
681
682                 sbsec->sid = fscontext_sid;
683         }
684
685         /*
686          * Switch to using mount point labeling behavior.
687          * sets the label used on all file below the mountpoint, and will set
688          * the superblock context if not already set.
689          */
690         if (context_sid) {
691                 if (!fscontext_sid) {
692                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
693                         if (rc)
694                                 goto out;
695                         sbsec->sid = context_sid;
696                 } else {
697                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
698                         if (rc)
699                                 goto out;
700                 }
701                 if (!rootcontext_sid)
702                         rootcontext_sid = context_sid;
703
704                 sbsec->mntpoint_sid = context_sid;
705                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
706         }
707
708         if (rootcontext_sid) {
709                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
710                 if (rc)
711                         goto out;
712
713                 root_isec->sid = rootcontext_sid;
714                 root_isec->initialized = 1;
715         }
716
717         if (defcontext_sid) {
718                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
719                         rc = -EINVAL;
720                         printk(KERN_WARNING "SELinux: defcontext option is "
721                                "invalid for this filesystem type\n");
722                         goto out;
723                 }
724
725                 if (defcontext_sid != sbsec->def_sid) {
726                         rc = may_context_mount_inode_relabel(defcontext_sid,
727                                                              sbsec, tsec);
728                         if (rc)
729                                 goto out;
730                 }
731
732                 sbsec->def_sid = defcontext_sid;
733         }
734
735         rc = sb_finish_set_opts(sb);
736 out:
737         mutex_unlock(&sbsec->lock);
738         return rc;
739 out_double_mount:
740         rc = -EINVAL;
741         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
742                "security settings for (dev %s, type %s)\n", sb->s_id, name);
743         goto out;
744 }
745
746 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
747                                         struct super_block *newsb)
748 {
749         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
750         struct superblock_security_struct *newsbsec = newsb->s_security;
751
752         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
753         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
754         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
755
756         /* we can't error, we can't save the info, this shouldn't get called
757          * this early in the boot process. */
758         BUG_ON(!ss_initialized);
759
760         /* how can we clone if the old one wasn't set up?? */
761         BUG_ON(!oldsbsec->initialized);
762
763         /* if fs is reusing a sb, just let its options stand... */
764         if (newsbsec->initialized)
765                 return;
766
767         mutex_lock(&newsbsec->lock);
768
769         newsbsec->flags = oldsbsec->flags;
770
771         newsbsec->sid = oldsbsec->sid;
772         newsbsec->def_sid = oldsbsec->def_sid;
773         newsbsec->behavior = oldsbsec->behavior;
774
775         if (set_context) {
776                 u32 sid = oldsbsec->mntpoint_sid;
777
778                 if (!set_fscontext)
779                         newsbsec->sid = sid;
780                 if (!set_rootcontext) {
781                         struct inode *newinode = newsb->s_root->d_inode;
782                         struct inode_security_struct *newisec = newinode->i_security;
783                         newisec->sid = sid;
784                 }
785                 newsbsec->mntpoint_sid = sid;
786         }
787         if (set_rootcontext) {
788                 const struct inode *oldinode = oldsb->s_root->d_inode;
789                 const struct inode_security_struct *oldisec = oldinode->i_security;
790                 struct inode *newinode = newsb->s_root->d_inode;
791                 struct inode_security_struct *newisec = newinode->i_security;
792
793                 newisec->sid = oldisec->sid;
794         }
795
796         sb_finish_set_opts(newsb);
797         mutex_unlock(&newsbsec->lock);
798 }
799
800 static int selinux_parse_opts_str(char *options,
801                                   struct security_mnt_opts *opts)
802 {
803         char *p;
804         char *context = NULL, *defcontext = NULL;
805         char *fscontext = NULL, *rootcontext = NULL;
806         int rc, num_mnt_opts = 0;
807
808         opts->num_mnt_opts = 0;
809
810         /* Standard string-based options. */
811         while ((p = strsep(&options, "|")) != NULL) {
812                 int token;
813                 substring_t args[MAX_OPT_ARGS];
814
815                 if (!*p)
816                         continue;
817
818                 token = match_token(p, tokens, args);
819
820                 switch (token) {
821                 case Opt_context:
822                         if (context || defcontext) {
823                                 rc = -EINVAL;
824                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
825                                 goto out_err;
826                         }
827                         context = match_strdup(&args[0]);
828                         if (!context) {
829                                 rc = -ENOMEM;
830                                 goto out_err;
831                         }
832                         break;
833
834                 case Opt_fscontext:
835                         if (fscontext) {
836                                 rc = -EINVAL;
837                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838                                 goto out_err;
839                         }
840                         fscontext = match_strdup(&args[0]);
841                         if (!fscontext) {
842                                 rc = -ENOMEM;
843                                 goto out_err;
844                         }
845                         break;
846
847                 case Opt_rootcontext:
848                         if (rootcontext) {
849                                 rc = -EINVAL;
850                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851                                 goto out_err;
852                         }
853                         rootcontext = match_strdup(&args[0]);
854                         if (!rootcontext) {
855                                 rc = -ENOMEM;
856                                 goto out_err;
857                         }
858                         break;
859
860                 case Opt_defcontext:
861                         if (context || defcontext) {
862                                 rc = -EINVAL;
863                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864                                 goto out_err;
865                         }
866                         defcontext = match_strdup(&args[0]);
867                         if (!defcontext) {
868                                 rc = -ENOMEM;
869                                 goto out_err;
870                         }
871                         break;
872
873                 default:
874                         rc = -EINVAL;
875                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
876                         goto out_err;
877
878                 }
879         }
880
881         rc = -ENOMEM;
882         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
883         if (!opts->mnt_opts)
884                 goto out_err;
885
886         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
887         if (!opts->mnt_opts_flags) {
888                 kfree(opts->mnt_opts);
889                 goto out_err;
890         }
891
892         if (fscontext) {
893                 opts->mnt_opts[num_mnt_opts] = fscontext;
894                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
895         }
896         if (context) {
897                 opts->mnt_opts[num_mnt_opts] = context;
898                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
899         }
900         if (rootcontext) {
901                 opts->mnt_opts[num_mnt_opts] = rootcontext;
902                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
903         }
904         if (defcontext) {
905                 opts->mnt_opts[num_mnt_opts] = defcontext;
906                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
907         }
908
909         opts->num_mnt_opts = num_mnt_opts;
910         return 0;
911
912 out_err:
913         kfree(context);
914         kfree(defcontext);
915         kfree(fscontext);
916         kfree(rootcontext);
917         return rc;
918 }
919 /*
920  * string mount options parsing and call set the sbsec
921  */
922 static int superblock_doinit(struct super_block *sb, void *data)
923 {
924         int rc = 0;
925         char *options = data;
926         struct security_mnt_opts opts;
927
928         security_init_mnt_opts(&opts);
929
930         if (!data)
931                 goto out;
932
933         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
934
935         rc = selinux_parse_opts_str(options, &opts);
936         if (rc)
937                 goto out_err;
938
939 out:
940         rc = selinux_set_mnt_opts(sb, &opts);
941
942 out_err:
943         security_free_mnt_opts(&opts);
944         return rc;
945 }
946
947 static inline u16 inode_mode_to_security_class(umode_t mode)
948 {
949         switch (mode & S_IFMT) {
950         case S_IFSOCK:
951                 return SECCLASS_SOCK_FILE;
952         case S_IFLNK:
953                 return SECCLASS_LNK_FILE;
954         case S_IFREG:
955                 return SECCLASS_FILE;
956         case S_IFBLK:
957                 return SECCLASS_BLK_FILE;
958         case S_IFDIR:
959                 return SECCLASS_DIR;
960         case S_IFCHR:
961                 return SECCLASS_CHR_FILE;
962         case S_IFIFO:
963                 return SECCLASS_FIFO_FILE;
964
965         }
966
967         return SECCLASS_FILE;
968 }
969
970 static inline int default_protocol_stream(int protocol)
971 {
972         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
973 }
974
975 static inline int default_protocol_dgram(int protocol)
976 {
977         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
978 }
979
980 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
981 {
982         switch (family) {
983         case PF_UNIX:
984                 switch (type) {
985                 case SOCK_STREAM:
986                 case SOCK_SEQPACKET:
987                         return SECCLASS_UNIX_STREAM_SOCKET;
988                 case SOCK_DGRAM:
989                         return SECCLASS_UNIX_DGRAM_SOCKET;
990                 }
991                 break;
992         case PF_INET:
993         case PF_INET6:
994                 switch (type) {
995                 case SOCK_STREAM:
996                         if (default_protocol_stream(protocol))
997                                 return SECCLASS_TCP_SOCKET;
998                         else
999                                 return SECCLASS_RAWIP_SOCKET;
1000                 case SOCK_DGRAM:
1001                         if (default_protocol_dgram(protocol))
1002                                 return SECCLASS_UDP_SOCKET;
1003                         else
1004                                 return SECCLASS_RAWIP_SOCKET;
1005                 case SOCK_DCCP:
1006                         return SECCLASS_DCCP_SOCKET;
1007                 default:
1008                         return SECCLASS_RAWIP_SOCKET;
1009                 }
1010                 break;
1011         case PF_NETLINK:
1012                 switch (protocol) {
1013                 case NETLINK_ROUTE:
1014                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1015                 case NETLINK_FIREWALL:
1016                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1017                 case NETLINK_INET_DIAG:
1018                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1019                 case NETLINK_NFLOG:
1020                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1021                 case NETLINK_XFRM:
1022                         return SECCLASS_NETLINK_XFRM_SOCKET;
1023                 case NETLINK_SELINUX:
1024                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1025                 case NETLINK_AUDIT:
1026                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1027                 case NETLINK_IP6_FW:
1028                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1029                 case NETLINK_DNRTMSG:
1030                         return SECCLASS_NETLINK_DNRT_SOCKET;
1031                 case NETLINK_KOBJECT_UEVENT:
1032                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1033                 default:
1034                         return SECCLASS_NETLINK_SOCKET;
1035                 }
1036         case PF_PACKET:
1037                 return SECCLASS_PACKET_SOCKET;
1038         case PF_KEY:
1039                 return SECCLASS_KEY_SOCKET;
1040         case PF_APPLETALK:
1041                 return SECCLASS_APPLETALK_SOCKET;
1042         }
1043
1044         return SECCLASS_SOCKET;
1045 }
1046
1047 #ifdef CONFIG_PROC_FS
1048 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1049                                 u16 tclass,
1050                                 u32 *sid)
1051 {
1052         int buflen, rc;
1053         char *buffer, *path, *end;
1054
1055         buffer = (char*)__get_free_page(GFP_KERNEL);
1056         if (!buffer)
1057                 return -ENOMEM;
1058
1059         buflen = PAGE_SIZE;
1060         end = buffer+buflen;
1061         *--end = '\0';
1062         buflen--;
1063         path = end-1;
1064         *path = '/';
1065         while (de && de != de->parent) {
1066                 buflen -= de->namelen + 1;
1067                 if (buflen < 0)
1068                         break;
1069                 end -= de->namelen;
1070                 memcpy(end, de->name, de->namelen);
1071                 *--end = '/';
1072                 path = end;
1073                 de = de->parent;
1074         }
1075         rc = security_genfs_sid("proc", path, tclass, sid);
1076         free_page((unsigned long)buffer);
1077         return rc;
1078 }
1079 #else
1080 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1081                                 u16 tclass,
1082                                 u32 *sid)
1083 {
1084         return -EINVAL;
1085 }
1086 #endif
1087
1088 /* The inode's security attributes must be initialized before first use. */
1089 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1090 {
1091         struct superblock_security_struct *sbsec = NULL;
1092         struct inode_security_struct *isec = inode->i_security;
1093         u32 sid;
1094         struct dentry *dentry;
1095 #define INITCONTEXTLEN 255
1096         char *context = NULL;
1097         unsigned len = 0;
1098         int rc = 0;
1099
1100         if (isec->initialized)
1101                 goto out;
1102
1103         mutex_lock(&isec->lock);
1104         if (isec->initialized)
1105                 goto out_unlock;
1106
1107         sbsec = inode->i_sb->s_security;
1108         if (!sbsec->initialized) {
1109                 /* Defer initialization until selinux_complete_init,
1110                    after the initial policy is loaded and the security
1111                    server is ready to handle calls. */
1112                 spin_lock(&sbsec->isec_lock);
1113                 if (list_empty(&isec->list))
1114                         list_add(&isec->list, &sbsec->isec_head);
1115                 spin_unlock(&sbsec->isec_lock);
1116                 goto out_unlock;
1117         }
1118
1119         switch (sbsec->behavior) {
1120         case SECURITY_FS_USE_XATTR:
1121                 if (!inode->i_op->getxattr) {
1122                         isec->sid = sbsec->def_sid;
1123                         break;
1124                 }
1125
1126                 /* Need a dentry, since the xattr API requires one.
1127                    Life would be simpler if we could just pass the inode. */
1128                 if (opt_dentry) {
1129                         /* Called from d_instantiate or d_splice_alias. */
1130                         dentry = dget(opt_dentry);
1131                 } else {
1132                         /* Called from selinux_complete_init, try to find a dentry. */
1133                         dentry = d_find_alias(inode);
1134                 }
1135                 if (!dentry) {
1136                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1137                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1138                                inode->i_ino);
1139                         goto out_unlock;
1140                 }
1141
1142                 len = INITCONTEXTLEN;
1143                 context = kmalloc(len, GFP_NOFS);
1144                 if (!context) {
1145                         rc = -ENOMEM;
1146                         dput(dentry);
1147                         goto out_unlock;
1148                 }
1149                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1150                                            context, len);
1151                 if (rc == -ERANGE) {
1152                         /* Need a larger buffer.  Query for the right size. */
1153                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1154                                                    NULL, 0);
1155                         if (rc < 0) {
1156                                 dput(dentry);
1157                                 goto out_unlock;
1158                         }
1159                         kfree(context);
1160                         len = rc;
1161                         context = kmalloc(len, GFP_NOFS);
1162                         if (!context) {
1163                                 rc = -ENOMEM;
1164                                 dput(dentry);
1165                                 goto out_unlock;
1166                         }
1167                         rc = inode->i_op->getxattr(dentry,
1168                                                    XATTR_NAME_SELINUX,
1169                                                    context, len);
1170                 }
1171                 dput(dentry);
1172                 if (rc < 0) {
1173                         if (rc != -ENODATA) {
1174                                 printk(KERN_WARNING "%s:  getxattr returned "
1175                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
1176                                        -rc, inode->i_sb->s_id, inode->i_ino);
1177                                 kfree(context);
1178                                 goto out_unlock;
1179                         }
1180                         /* Map ENODATA to the default file SID */
1181                         sid = sbsec->def_sid;
1182                         rc = 0;
1183                 } else {
1184                         rc = security_context_to_sid_default(context, rc, &sid,
1185                                                              sbsec->def_sid,
1186                                                              GFP_NOFS);
1187                         if (rc) {
1188                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1189                                        "returned %d for dev=%s ino=%ld\n",
1190                                        __FUNCTION__, context, -rc,
1191                                        inode->i_sb->s_id, inode->i_ino);
1192                                 kfree(context);
1193                                 /* Leave with the unlabeled SID */
1194                                 rc = 0;
1195                                 break;
1196                         }
1197                 }
1198                 kfree(context);
1199                 isec->sid = sid;
1200                 break;
1201         case SECURITY_FS_USE_TASK:
1202                 isec->sid = isec->task_sid;
1203                 break;
1204         case SECURITY_FS_USE_TRANS:
1205                 /* Default to the fs SID. */
1206                 isec->sid = sbsec->sid;
1207
1208                 /* Try to obtain a transition SID. */
1209                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1210                 rc = security_transition_sid(isec->task_sid,
1211                                              sbsec->sid,
1212                                              isec->sclass,
1213                                              &sid);
1214                 if (rc)
1215                         goto out_unlock;
1216                 isec->sid = sid;
1217                 break;
1218         case SECURITY_FS_USE_MNTPOINT:
1219                 isec->sid = sbsec->mntpoint_sid;
1220                 break;
1221         default:
1222                 /* Default to the fs superblock SID. */
1223                 isec->sid = sbsec->sid;
1224
1225                 if (sbsec->proc) {
1226                         struct proc_inode *proci = PROC_I(inode);
1227                         if (proci->pde) {
1228                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1229                                 rc = selinux_proc_get_sid(proci->pde,
1230                                                           isec->sclass,
1231                                                           &sid);
1232                                 if (rc)
1233                                         goto out_unlock;
1234                                 isec->sid = sid;
1235                         }
1236                 }
1237                 break;
1238         }
1239
1240         isec->initialized = 1;
1241
1242 out_unlock:
1243         mutex_unlock(&isec->lock);
1244 out:
1245         if (isec->sclass == SECCLASS_FILE)
1246                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1247         return rc;
1248 }
1249
1250 /* Convert a Linux signal to an access vector. */
1251 static inline u32 signal_to_av(int sig)
1252 {
1253         u32 perm = 0;
1254
1255         switch (sig) {
1256         case SIGCHLD:
1257                 /* Commonly granted from child to parent. */
1258                 perm = PROCESS__SIGCHLD;
1259                 break;
1260         case SIGKILL:
1261                 /* Cannot be caught or ignored */
1262                 perm = PROCESS__SIGKILL;
1263                 break;
1264         case SIGSTOP:
1265                 /* Cannot be caught or ignored */
1266                 perm = PROCESS__SIGSTOP;
1267                 break;
1268         default:
1269                 /* All other signals. */
1270                 perm = PROCESS__SIGNAL;
1271                 break;
1272         }
1273
1274         return perm;
1275 }
1276
1277 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1278    fork check, ptrace check, etc. */
1279 static int task_has_perm(struct task_struct *tsk1,
1280                          struct task_struct *tsk2,
1281                          u32 perms)
1282 {
1283         struct task_security_struct *tsec1, *tsec2;
1284
1285         tsec1 = tsk1->security;
1286         tsec2 = tsk2->security;
1287         return avc_has_perm(tsec1->sid, tsec2->sid,
1288                             SECCLASS_PROCESS, perms, NULL);
1289 }
1290
1291 #if CAP_LAST_CAP > 63
1292 #error Fix SELinux to handle capabilities > 63.
1293 #endif
1294
1295 /* Check whether a task is allowed to use a capability. */
1296 static int task_has_capability(struct task_struct *tsk,
1297                                int cap)
1298 {
1299         struct task_security_struct *tsec;
1300         struct avc_audit_data ad;
1301         u16 sclass;
1302         u32 av = CAP_TO_MASK(cap);
1303
1304         tsec = tsk->security;
1305
1306         AVC_AUDIT_DATA_INIT(&ad,CAP);
1307         ad.tsk = tsk;
1308         ad.u.cap = cap;
1309
1310         switch (CAP_TO_INDEX(cap)) {
1311         case 0:
1312                 sclass = SECCLASS_CAPABILITY;
1313                 break;
1314         case 1:
1315                 sclass = SECCLASS_CAPABILITY2;
1316                 break;
1317         default:
1318                 printk(KERN_ERR
1319                        "SELinux:  out of range capability %d\n", cap);
1320                 BUG();
1321         }
1322         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1323 }
1324
1325 /* Check whether a task is allowed to use a system operation. */
1326 static int task_has_system(struct task_struct *tsk,
1327                            u32 perms)
1328 {
1329         struct task_security_struct *tsec;
1330
1331         tsec = tsk->security;
1332
1333         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1334                             SECCLASS_SYSTEM, perms, NULL);
1335 }
1336
1337 /* Check whether a task has a particular permission to an inode.
1338    The 'adp' parameter is optional and allows other audit
1339    data to be passed (e.g. the dentry). */
1340 static int inode_has_perm(struct task_struct *tsk,
1341                           struct inode *inode,
1342                           u32 perms,
1343                           struct avc_audit_data *adp)
1344 {
1345         struct task_security_struct *tsec;
1346         struct inode_security_struct *isec;
1347         struct avc_audit_data ad;
1348
1349         if (unlikely (IS_PRIVATE (inode)))
1350                 return 0;
1351
1352         tsec = tsk->security;
1353         isec = inode->i_security;
1354
1355         if (!adp) {
1356                 adp = &ad;
1357                 AVC_AUDIT_DATA_INIT(&ad, FS);
1358                 ad.u.fs.inode = inode;
1359         }
1360
1361         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1362 }
1363
1364 /* Same as inode_has_perm, but pass explicit audit data containing
1365    the dentry to help the auditing code to more easily generate the
1366    pathname if needed. */
1367 static inline int dentry_has_perm(struct task_struct *tsk,
1368                                   struct vfsmount *mnt,
1369                                   struct dentry *dentry,
1370                                   u32 av)
1371 {
1372         struct inode *inode = dentry->d_inode;
1373         struct avc_audit_data ad;
1374         AVC_AUDIT_DATA_INIT(&ad,FS);
1375         ad.u.fs.path.mnt = mnt;
1376         ad.u.fs.path.dentry = dentry;
1377         return inode_has_perm(tsk, inode, av, &ad);
1378 }
1379
1380 /* Check whether a task can use an open file descriptor to
1381    access an inode in a given way.  Check access to the
1382    descriptor itself, and then use dentry_has_perm to
1383    check a particular permission to the file.
1384    Access to the descriptor is implicitly granted if it
1385    has the same SID as the process.  If av is zero, then
1386    access to the file is not checked, e.g. for cases
1387    where only the descriptor is affected like seek. */
1388 static int file_has_perm(struct task_struct *tsk,
1389                                 struct file *file,
1390                                 u32 av)
1391 {
1392         struct task_security_struct *tsec = tsk->security;
1393         struct file_security_struct *fsec = file->f_security;
1394         struct inode *inode = file->f_path.dentry->d_inode;
1395         struct avc_audit_data ad;
1396         int rc;
1397
1398         AVC_AUDIT_DATA_INIT(&ad, FS);
1399         ad.u.fs.path = file->f_path;
1400
1401         if (tsec->sid != fsec->sid) {
1402                 rc = avc_has_perm(tsec->sid, fsec->sid,
1403                                   SECCLASS_FD,
1404                                   FD__USE,
1405                                   &ad);
1406                 if (rc)
1407                         return rc;
1408         }
1409
1410         /* av is zero if only checking access to the descriptor. */
1411         if (av)
1412                 return inode_has_perm(tsk, inode, av, &ad);
1413
1414         return 0;
1415 }
1416
1417 /* Check whether a task can create a file. */
1418 static int may_create(struct inode *dir,
1419                       struct dentry *dentry,
1420                       u16 tclass)
1421 {
1422         struct task_security_struct *tsec;
1423         struct inode_security_struct *dsec;
1424         struct superblock_security_struct *sbsec;
1425         u32 newsid;
1426         struct avc_audit_data ad;
1427         int rc;
1428
1429         tsec = current->security;
1430         dsec = dir->i_security;
1431         sbsec = dir->i_sb->s_security;
1432
1433         AVC_AUDIT_DATA_INIT(&ad, FS);
1434         ad.u.fs.path.dentry = dentry;
1435
1436         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1437                           DIR__ADD_NAME | DIR__SEARCH,
1438                           &ad);
1439         if (rc)
1440                 return rc;
1441
1442         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1443                 newsid = tsec->create_sid;
1444         } else {
1445                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1446                                              &newsid);
1447                 if (rc)
1448                         return rc;
1449         }
1450
1451         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1452         if (rc)
1453                 return rc;
1454
1455         return avc_has_perm(newsid, sbsec->sid,
1456                             SECCLASS_FILESYSTEM,
1457                             FILESYSTEM__ASSOCIATE, &ad);
1458 }
1459
1460 /* Check whether a task can create a key. */
1461 static int may_create_key(u32 ksid,
1462                           struct task_struct *ctx)
1463 {
1464         struct task_security_struct *tsec;
1465
1466         tsec = ctx->security;
1467
1468         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1469 }
1470
1471 #define MAY_LINK   0
1472 #define MAY_UNLINK 1
1473 #define MAY_RMDIR  2
1474
1475 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1476 static int may_link(struct inode *dir,
1477                     struct dentry *dentry,
1478                     int kind)
1479
1480 {
1481         struct task_security_struct *tsec;
1482         struct inode_security_struct *dsec, *isec;
1483         struct avc_audit_data ad;
1484         u32 av;
1485         int rc;
1486
1487         tsec = current->security;
1488         dsec = dir->i_security;
1489         isec = dentry->d_inode->i_security;
1490
1491         AVC_AUDIT_DATA_INIT(&ad, FS);
1492         ad.u.fs.path.dentry = dentry;
1493
1494         av = DIR__SEARCH;
1495         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1496         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1497         if (rc)
1498                 return rc;
1499
1500         switch (kind) {
1501         case MAY_LINK:
1502                 av = FILE__LINK;
1503                 break;
1504         case MAY_UNLINK:
1505                 av = FILE__UNLINK;
1506                 break;
1507         case MAY_RMDIR:
1508                 av = DIR__RMDIR;
1509                 break;
1510         default:
1511                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1512                 return 0;
1513         }
1514
1515         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1516         return rc;
1517 }
1518
1519 static inline int may_rename(struct inode *old_dir,
1520                              struct dentry *old_dentry,
1521                              struct inode *new_dir,
1522                              struct dentry *new_dentry)
1523 {
1524         struct task_security_struct *tsec;
1525         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1526         struct avc_audit_data ad;
1527         u32 av;
1528         int old_is_dir, new_is_dir;
1529         int rc;
1530
1531         tsec = current->security;
1532         old_dsec = old_dir->i_security;
1533         old_isec = old_dentry->d_inode->i_security;
1534         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1535         new_dsec = new_dir->i_security;
1536
1537         AVC_AUDIT_DATA_INIT(&ad, FS);
1538
1539         ad.u.fs.path.dentry = old_dentry;
1540         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1541                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1542         if (rc)
1543                 return rc;
1544         rc = avc_has_perm(tsec->sid, old_isec->sid,
1545                           old_isec->sclass, FILE__RENAME, &ad);
1546         if (rc)
1547                 return rc;
1548         if (old_is_dir && new_dir != old_dir) {
1549                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1550                                   old_isec->sclass, DIR__REPARENT, &ad);
1551                 if (rc)
1552                         return rc;
1553         }
1554
1555         ad.u.fs.path.dentry = new_dentry;
1556         av = DIR__ADD_NAME | DIR__SEARCH;
1557         if (new_dentry->d_inode)
1558                 av |= DIR__REMOVE_NAME;
1559         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1560         if (rc)
1561                 return rc;
1562         if (new_dentry->d_inode) {
1563                 new_isec = new_dentry->d_inode->i_security;
1564                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1565                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1566                                   new_isec->sclass,
1567                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1568                 if (rc)
1569                         return rc;
1570         }
1571
1572         return 0;
1573 }
1574
1575 /* Check whether a task can perform a filesystem operation. */
1576 static int superblock_has_perm(struct task_struct *tsk,
1577                                struct super_block *sb,
1578                                u32 perms,
1579                                struct avc_audit_data *ad)
1580 {
1581         struct task_security_struct *tsec;
1582         struct superblock_security_struct *sbsec;
1583
1584         tsec = tsk->security;
1585         sbsec = sb->s_security;
1586         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1587                             perms, ad);
1588 }
1589
1590 /* Convert a Linux mode and permission mask to an access vector. */
1591 static inline u32 file_mask_to_av(int mode, int mask)
1592 {
1593         u32 av = 0;
1594
1595         if ((mode & S_IFMT) != S_IFDIR) {
1596                 if (mask & MAY_EXEC)
1597                         av |= FILE__EXECUTE;
1598                 if (mask & MAY_READ)
1599                         av |= FILE__READ;
1600
1601                 if (mask & MAY_APPEND)
1602                         av |= FILE__APPEND;
1603                 else if (mask & MAY_WRITE)
1604                         av |= FILE__WRITE;
1605
1606         } else {
1607                 if (mask & MAY_EXEC)
1608                         av |= DIR__SEARCH;
1609                 if (mask & MAY_WRITE)
1610                         av |= DIR__WRITE;
1611                 if (mask & MAY_READ)
1612                         av |= DIR__READ;
1613         }
1614
1615         return av;
1616 }
1617
1618 /*
1619  * Convert a file mask to an access vector and include the correct open
1620  * open permission.
1621  */
1622 static inline u32 open_file_mask_to_av(int mode, int mask)
1623 {
1624         u32 av = file_mask_to_av(mode, mask);
1625
1626         if (selinux_policycap_openperm) {
1627                 /*
1628                  * lnk files and socks do not really have an 'open'
1629                  */
1630                 if (S_ISREG(mode))
1631                         av |= FILE__OPEN;
1632                 else if (S_ISCHR(mode))
1633                         av |= CHR_FILE__OPEN;
1634                 else if (S_ISBLK(mode))
1635                         av |= BLK_FILE__OPEN;
1636                 else if (S_ISFIFO(mode))
1637                         av |= FIFO_FILE__OPEN;
1638                 else if (S_ISDIR(mode))
1639                         av |= DIR__OPEN;
1640                 else
1641                         printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1642                                 "with unknown mode:%x\n", mode);
1643         }
1644         return av;
1645 }
1646
1647 /* Convert a Linux file to an access vector. */
1648 static inline u32 file_to_av(struct file *file)
1649 {
1650         u32 av = 0;
1651
1652         if (file->f_mode & FMODE_READ)
1653                 av |= FILE__READ;
1654         if (file->f_mode & FMODE_WRITE) {
1655                 if (file->f_flags & O_APPEND)
1656                         av |= FILE__APPEND;
1657                 else
1658                         av |= FILE__WRITE;
1659         }
1660         if (!av) {
1661                 /*
1662                  * Special file opened with flags 3 for ioctl-only use.
1663                  */
1664                 av = FILE__IOCTL;
1665         }
1666
1667         return av;
1668 }
1669
1670 /* Hook functions begin here. */
1671
1672 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1673 {
1674         struct task_security_struct *psec = parent->security;
1675         struct task_security_struct *csec = child->security;
1676         int rc;
1677
1678         rc = secondary_ops->ptrace(parent,child);
1679         if (rc)
1680                 return rc;
1681
1682         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1683         /* Save the SID of the tracing process for later use in apply_creds. */
1684         if (!(child->ptrace & PT_PTRACED) && !rc)
1685                 csec->ptrace_sid = psec->sid;
1686         return rc;
1687 }
1688
1689 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1690                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1691 {
1692         int error;
1693
1694         error = task_has_perm(current, target, PROCESS__GETCAP);
1695         if (error)
1696                 return error;
1697
1698         return secondary_ops->capget(target, effective, inheritable, permitted);
1699 }
1700
1701 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1702                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1703 {
1704         int error;
1705
1706         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1707         if (error)
1708                 return error;
1709
1710         return task_has_perm(current, target, PROCESS__SETCAP);
1711 }
1712
1713 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1714                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1715 {
1716         secondary_ops->capset_set(target, effective, inheritable, permitted);
1717 }
1718
1719 static int selinux_capable(struct task_struct *tsk, int cap)
1720 {
1721         int rc;
1722
1723         rc = secondary_ops->capable(tsk, cap);
1724         if (rc)
1725                 return rc;
1726
1727         return task_has_capability(tsk,cap);
1728 }
1729
1730 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1731 {
1732         int buflen, rc;
1733         char *buffer, *path, *end;
1734
1735         rc = -ENOMEM;
1736         buffer = (char*)__get_free_page(GFP_KERNEL);
1737         if (!buffer)
1738                 goto out;
1739
1740         buflen = PAGE_SIZE;
1741         end = buffer+buflen;
1742         *--end = '\0';
1743         buflen--;
1744         path = end-1;
1745         *path = '/';
1746         while (table) {
1747                 const char *name = table->procname;
1748                 size_t namelen = strlen(name);
1749                 buflen -= namelen + 1;
1750                 if (buflen < 0)
1751                         goto out_free;
1752                 end -= namelen;
1753                 memcpy(end, name, namelen);
1754                 *--end = '/';
1755                 path = end;
1756                 table = table->parent;
1757         }
1758         buflen -= 4;
1759         if (buflen < 0)
1760                 goto out_free;
1761         end -= 4;
1762         memcpy(end, "/sys", 4);
1763         path = end;
1764         rc = security_genfs_sid("proc", path, tclass, sid);
1765 out_free:
1766         free_page((unsigned long)buffer);
1767 out:
1768         return rc;
1769 }
1770
1771 static int selinux_sysctl(ctl_table *table, int op)
1772 {
1773         int error = 0;
1774         u32 av;
1775         struct task_security_struct *tsec;
1776         u32 tsid;
1777         int rc;
1778
1779         rc = secondary_ops->sysctl(table, op);
1780         if (rc)
1781                 return rc;
1782
1783         tsec = current->security;
1784
1785         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1786                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1787         if (rc) {
1788                 /* Default to the well-defined sysctl SID. */
1789                 tsid = SECINITSID_SYSCTL;
1790         }
1791
1792         /* The op values are "defined" in sysctl.c, thereby creating
1793          * a bad coupling between this module and sysctl.c */
1794         if(op == 001) {
1795                 error = avc_has_perm(tsec->sid, tsid,
1796                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1797         } else {
1798                 av = 0;
1799                 if (op & 004)
1800                         av |= FILE__READ;
1801                 if (op & 002)
1802                         av |= FILE__WRITE;
1803                 if (av)
1804                         error = avc_has_perm(tsec->sid, tsid,
1805                                              SECCLASS_FILE, av, NULL);
1806         }
1807
1808         return error;
1809 }
1810
1811 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1812 {
1813         int rc = 0;
1814
1815         if (!sb)
1816                 return 0;
1817
1818         switch (cmds) {
1819                 case Q_SYNC:
1820                 case Q_QUOTAON:
1821                 case Q_QUOTAOFF:
1822                 case Q_SETINFO:
1823                 case Q_SETQUOTA:
1824                         rc = superblock_has_perm(current,
1825                                                  sb,
1826                                                  FILESYSTEM__QUOTAMOD, NULL);
1827                         break;
1828                 case Q_GETFMT:
1829                 case Q_GETINFO:
1830                 case Q_GETQUOTA:
1831                         rc = superblock_has_perm(current,
1832                                                  sb,
1833                                                  FILESYSTEM__QUOTAGET, NULL);
1834                         break;
1835                 default:
1836                         rc = 0;  /* let the kernel handle invalid cmds */
1837                         break;
1838         }
1839         return rc;
1840 }
1841
1842 static int selinux_quota_on(struct dentry *dentry)
1843 {
1844         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1845 }
1846
1847 static int selinux_syslog(int type)
1848 {
1849         int rc;
1850
1851         rc = secondary_ops->syslog(type);
1852         if (rc)
1853                 return rc;
1854
1855         switch (type) {
1856                 case 3:         /* Read last kernel messages */
1857                 case 10:        /* Return size of the log buffer */
1858                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1859                         break;
1860                 case 6:         /* Disable logging to console */
1861                 case 7:         /* Enable logging to console */
1862                 case 8:         /* Set level of messages printed to console */
1863                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1864                         break;
1865                 case 0:         /* Close log */
1866                 case 1:         /* Open log */
1867                 case 2:         /* Read from log */
1868                 case 4:         /* Read/clear last kernel messages */
1869                 case 5:         /* Clear ring buffer */
1870                 default:
1871                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1872                         break;
1873         }
1874         return rc;
1875 }
1876
1877 /*
1878  * Check that a process has enough memory to allocate a new virtual
1879  * mapping. 0 means there is enough memory for the allocation to
1880  * succeed and -ENOMEM implies there is not.
1881  *
1882  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1883  * if the capability is granted, but __vm_enough_memory requires 1 if
1884  * the capability is granted.
1885  *
1886  * Do not audit the selinux permission check, as this is applied to all
1887  * processes that allocate mappings.
1888  */
1889 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1890 {
1891         int rc, cap_sys_admin = 0;
1892         struct task_security_struct *tsec = current->security;
1893
1894         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1895         if (rc == 0)
1896                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1897                                           SECCLASS_CAPABILITY,
1898                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1899                                           0,
1900                                           NULL);
1901
1902         if (rc == 0)
1903                 cap_sys_admin = 1;
1904
1905         return __vm_enough_memory(mm, pages, cap_sys_admin);
1906 }
1907
1908 /* binprm security operations */
1909
1910 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1911 {
1912         struct bprm_security_struct *bsec;
1913
1914         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1915         if (!bsec)
1916                 return -ENOMEM;
1917
1918         bsec->sid = SECINITSID_UNLABELED;
1919         bsec->set = 0;
1920
1921         bprm->security = bsec;
1922         return 0;
1923 }
1924
1925 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1926 {
1927         struct task_security_struct *tsec;
1928         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1929         struct inode_security_struct *isec;
1930         struct bprm_security_struct *bsec;
1931         u32 newsid;
1932         struct avc_audit_data ad;
1933         int rc;
1934
1935         rc = secondary_ops->bprm_set_security(bprm);
1936         if (rc)
1937                 return rc;
1938
1939         bsec = bprm->security;
1940
1941         if (bsec->set)
1942                 return 0;
1943
1944         tsec = current->security;
1945         isec = inode->i_security;
1946
1947         /* Default to the current task SID. */
1948         bsec->sid = tsec->sid;
1949
1950         /* Reset fs, key, and sock SIDs on execve. */
1951         tsec->create_sid = 0;
1952         tsec->keycreate_sid = 0;
1953         tsec->sockcreate_sid = 0;
1954
1955         if (tsec->exec_sid) {
1956                 newsid = tsec->exec_sid;
1957                 /* Reset exec SID on execve. */
1958                 tsec->exec_sid = 0;
1959         } else {
1960                 /* Check for a default transition on this program. */
1961                 rc = security_transition_sid(tsec->sid, isec->sid,
1962                                              SECCLASS_PROCESS, &newsid);
1963                 if (rc)
1964                         return rc;
1965         }
1966
1967         AVC_AUDIT_DATA_INIT(&ad, FS);
1968         ad.u.fs.path = bprm->file->f_path;
1969
1970         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1971                 newsid = tsec->sid;
1972
1973         if (tsec->sid == newsid) {
1974                 rc = avc_has_perm(tsec->sid, isec->sid,
1975                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1976                 if (rc)
1977                         return rc;
1978         } else {
1979                 /* Check permissions for the transition. */
1980                 rc = avc_has_perm(tsec->sid, newsid,
1981                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1982                 if (rc)
1983                         return rc;
1984
1985                 rc = avc_has_perm(newsid, isec->sid,
1986                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1987                 if (rc)
1988                         return rc;
1989
1990                 /* Clear any possibly unsafe personality bits on exec: */
1991                 current->personality &= ~PER_CLEAR_ON_SETID;
1992
1993                 /* Set the security field to the new SID. */
1994                 bsec->sid = newsid;
1995         }
1996
1997         bsec->set = 1;
1998         return 0;
1999 }
2000
2001 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2002 {
2003         return secondary_ops->bprm_check_security(bprm);
2004 }
2005
2006
2007 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2008 {
2009         struct task_security_struct *tsec = current->security;
2010         int atsecure = 0;
2011
2012         if (tsec->osid != tsec->sid) {
2013                 /* Enable secure mode for SIDs transitions unless
2014                    the noatsecure permission is granted between
2015                    the two SIDs, i.e. ahp returns 0. */
2016                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2017                                          SECCLASS_PROCESS,
2018                                          PROCESS__NOATSECURE, NULL);
2019         }
2020
2021         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2022 }
2023
2024 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2025 {
2026         kfree(bprm->security);
2027         bprm->security = NULL;
2028 }
2029
2030 extern struct vfsmount *selinuxfs_mount;
2031 extern struct dentry *selinux_null;
2032
2033 /* Derived from fs/exec.c:flush_old_files. */
2034 static inline void flush_unauthorized_files(struct files_struct * files)
2035 {
2036         struct avc_audit_data ad;
2037         struct file *file, *devnull = NULL;
2038         struct tty_struct *tty;
2039         struct fdtable *fdt;
2040         long j = -1;
2041         int drop_tty = 0;
2042
2043         mutex_lock(&tty_mutex);
2044         tty = get_current_tty();
2045         if (tty) {
2046                 file_list_lock();
2047                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2048                 if (file) {
2049                         /* Revalidate access to controlling tty.
2050                            Use inode_has_perm on the tty inode directly rather
2051                            than using file_has_perm, as this particular open
2052                            file may belong to another process and we are only
2053                            interested in the inode-based check here. */
2054                         struct inode *inode = file->f_path.dentry->d_inode;
2055                         if (inode_has_perm(current, inode,
2056                                            FILE__READ | FILE__WRITE, NULL)) {
2057                                 drop_tty = 1;
2058                         }
2059                 }
2060                 file_list_unlock();
2061         }
2062         mutex_unlock(&tty_mutex);
2063         /* Reset controlling tty. */
2064         if (drop_tty)
2065                 no_tty();
2066
2067         /* Revalidate access to inherited open files. */
2068
2069         AVC_AUDIT_DATA_INIT(&ad,FS);
2070
2071         spin_lock(&files->file_lock);
2072         for (;;) {
2073                 unsigned long set, i;
2074                 int fd;
2075
2076                 j++;
2077                 i = j * __NFDBITS;
2078                 fdt = files_fdtable(files);
2079                 if (i >= fdt->max_fds)
2080                         break;
2081                 set = fdt->open_fds->fds_bits[j];
2082                 if (!set)
2083                         continue;
2084                 spin_unlock(&files->file_lock);
2085                 for ( ; set ; i++,set >>= 1) {
2086                         if (set & 1) {
2087                                 file = fget(i);
2088                                 if (!file)
2089                                         continue;
2090                                 if (file_has_perm(current,
2091                                                   file,
2092                                                   file_to_av(file))) {
2093                                         sys_close(i);
2094                                         fd = get_unused_fd();
2095                                         if (fd != i) {
2096                                                 if (fd >= 0)
2097                                                         put_unused_fd(fd);
2098                                                 fput(file);
2099                                                 continue;
2100                                         }
2101                                         if (devnull) {
2102                                                 get_file(devnull);
2103                                         } else {
2104                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2105                                                 if (IS_ERR(devnull)) {
2106                                                         devnull = NULL;
2107                                                         put_unused_fd(fd);
2108                                                         fput(file);
2109                                                         continue;
2110                                                 }
2111                                         }
2112                                         fd_install(fd, devnull);
2113                                 }
2114                                 fput(file);
2115                         }
2116                 }
2117                 spin_lock(&files->file_lock);
2118
2119         }
2120         spin_unlock(&files->file_lock);
2121 }
2122
2123 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2124 {
2125         struct task_security_struct *tsec;
2126         struct bprm_security_struct *bsec;
2127         u32 sid;
2128         int rc;
2129
2130         secondary_ops->bprm_apply_creds(bprm, unsafe);
2131
2132         tsec = current->security;
2133
2134         bsec = bprm->security;
2135         sid = bsec->sid;
2136
2137         tsec->osid = tsec->sid;
2138         bsec->unsafe = 0;
2139         if (tsec->sid != sid) {
2140                 /* Check for shared state.  If not ok, leave SID
2141                    unchanged and kill. */
2142                 if (unsafe & LSM_UNSAFE_SHARE) {
2143                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2144                                         PROCESS__SHARE, NULL);
2145                         if (rc) {
2146                                 bsec->unsafe = 1;
2147                                 return;
2148                         }
2149                 }
2150
2151                 /* Check for ptracing, and update the task SID if ok.
2152                    Otherwise, leave SID unchanged and kill. */
2153                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2154                         rc = avc_has_perm(tsec->ptrace_sid, sid,
2155                                           SECCLASS_PROCESS, PROCESS__PTRACE,
2156                                           NULL);
2157                         if (rc) {
2158                                 bsec->unsafe = 1;
2159                                 return;
2160                         }
2161                 }
2162                 tsec->sid = sid;
2163         }
2164 }
2165
2166 /*
2167  * called after apply_creds without the task lock held
2168  */
2169 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2170 {
2171         struct task_security_struct *tsec;
2172         struct rlimit *rlim, *initrlim;
2173         struct itimerval itimer;
2174         struct bprm_security_struct *bsec;
2175         int rc, i;
2176
2177         tsec = current->security;
2178         bsec = bprm->security;
2179
2180         if (bsec->unsafe) {
2181                 force_sig_specific(SIGKILL, current);
2182                 return;
2183         }
2184         if (tsec->osid == tsec->sid)
2185                 return;
2186
2187         /* Close files for which the new task SID is not authorized. */
2188         flush_unauthorized_files(current->files);
2189
2190         /* Check whether the new SID can inherit signal state
2191            from the old SID.  If not, clear itimers to avoid
2192            subsequent signal generation and flush and unblock
2193            signals. This must occur _after_ the task SID has
2194           been updated so that any kill done after the flush
2195           will be checked against the new SID. */
2196         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2197                           PROCESS__SIGINH, NULL);
2198         if (rc) {
2199                 memset(&itimer, 0, sizeof itimer);
2200                 for (i = 0; i < 3; i++)
2201                         do_setitimer(i, &itimer, NULL);
2202                 flush_signals(current);
2203                 spin_lock_irq(&current->sighand->siglock);
2204                 flush_signal_handlers(current, 1);
2205                 sigemptyset(&current->blocked);
2206                 recalc_sigpending();
2207                 spin_unlock_irq(&current->sighand->siglock);
2208         }
2209
2210         /* Always clear parent death signal on SID transitions. */
2211         current->pdeath_signal = 0;
2212
2213         /* Check whether the new SID can inherit resource limits
2214            from the old SID.  If not, reset all soft limits to
2215            the lower of the current task's hard limit and the init
2216            task's soft limit.  Note that the setting of hard limits
2217            (even to lower them) can be controlled by the setrlimit
2218            check. The inclusion of the init task's soft limit into
2219            the computation is to avoid resetting soft limits higher
2220            than the default soft limit for cases where the default
2221            is lower than the hard limit, e.g. RLIMIT_CORE or
2222            RLIMIT_STACK.*/
2223         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2224                           PROCESS__RLIMITINH, NULL);
2225         if (rc) {
2226                 for (i = 0; i < RLIM_NLIMITS; i++) {
2227                         rlim = current->signal->rlim + i;
2228                         initrlim = init_task.signal->rlim+i;
2229                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2230                 }
2231                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2232                         /*
2233                          * This will cause RLIMIT_CPU calculations
2234                          * to be refigured.
2235                          */
2236                         current->it_prof_expires = jiffies_to_cputime(1);
2237                 }
2238         }
2239
2240         /* Wake up the parent if it is waiting so that it can
2241            recheck wait permission to the new task SID. */
2242         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2243 }
2244
2245 /* superblock security operations */
2246
2247 static int selinux_sb_alloc_security(struct super_block *sb)
2248 {
2249         return superblock_alloc_security(sb);
2250 }
2251
2252 static void selinux_sb_free_security(struct super_block *sb)
2253 {
2254         superblock_free_security(sb);
2255 }
2256
2257 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2258 {
2259         if (plen > olen)
2260                 return 0;
2261
2262         return !memcmp(prefix, option, plen);
2263 }
2264
2265 static inline int selinux_option(char *option, int len)
2266 {
2267         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2268                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2269                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2270                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2271 }
2272
2273 static inline void take_option(char **to, char *from, int *first, int len)
2274 {
2275         if (!*first) {
2276                 **to = ',';
2277                 *to += 1;
2278         } else
2279                 *first = 0;
2280         memcpy(*to, from, len);
2281         *to += len;
2282 }
2283
2284 static inline void take_selinux_option(char **to, char *from, int *first, 
2285                                        int len)
2286 {
2287         int current_size = 0;
2288
2289         if (!*first) {
2290                 **to = '|';
2291                 *to += 1;
2292         }
2293         else
2294                 *first = 0;
2295
2296         while (current_size < len) {
2297                 if (*from != '"') {
2298                         **to = *from;
2299                         *to += 1;
2300                 }
2301                 from += 1;
2302                 current_size += 1;
2303         }
2304 }
2305
2306 static int selinux_sb_copy_data(char *orig, char *copy)
2307 {
2308         int fnosec, fsec, rc = 0;
2309         char *in_save, *in_curr, *in_end;
2310         char *sec_curr, *nosec_save, *nosec;
2311         int open_quote = 0;
2312
2313         in_curr = orig;
2314         sec_curr = copy;
2315
2316         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2317         if (!nosec) {
2318                 rc = -ENOMEM;
2319                 goto out;
2320         }
2321
2322         nosec_save = nosec;
2323         fnosec = fsec = 1;
2324         in_save = in_end = orig;
2325
2326         do {
2327                 if (*in_end == '"')
2328                         open_quote = !open_quote;
2329                 if ((*in_end == ',' && open_quote == 0) ||
2330                                 *in_end == '\0') {
2331                         int len = in_end - in_curr;
2332
2333                         if (selinux_option(in_curr, len))
2334                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2335                         else
2336                                 take_option(&nosec, in_curr, &fnosec, len);
2337
2338                         in_curr = in_end + 1;
2339                 }
2340         } while (*in_end++);
2341
2342         strcpy(in_save, nosec_save);
2343         free_page((unsigned long)nosec_save);
2344 out:
2345         return rc;
2346 }
2347
2348 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2349 {
2350         struct avc_audit_data ad;
2351         int rc;
2352
2353         rc = superblock_doinit(sb, data);
2354         if (rc)
2355                 return rc;
2356
2357         AVC_AUDIT_DATA_INIT(&ad,FS);
2358         ad.u.fs.path.dentry = sb->s_root;
2359         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2360 }
2361
2362 static int selinux_sb_statfs(struct dentry *dentry)
2363 {
2364         struct avc_audit_data ad;
2365
2366         AVC_AUDIT_DATA_INIT(&ad,FS);
2367         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2368         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2369 }
2370
2371 static int selinux_mount(char * dev_name,
2372                          struct nameidata *nd,
2373                          char * type,
2374                          unsigned long flags,
2375                          void * data)
2376 {
2377         int rc;
2378
2379         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2380         if (rc)
2381                 return rc;
2382
2383         if (flags & MS_REMOUNT)
2384                 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2385                                            FILESYSTEM__REMOUNT, NULL);
2386         else
2387                 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2388                                        FILE__MOUNTON);
2389 }
2390
2391 static int selinux_umount(struct vfsmount *mnt, int flags)
2392 {
2393         int rc;
2394
2395         rc = secondary_ops->sb_umount(mnt, flags);
2396         if (rc)
2397                 return rc;
2398
2399         return superblock_has_perm(current,mnt->mnt_sb,
2400                                    FILESYSTEM__UNMOUNT,NULL);
2401 }
2402
2403 /* inode security operations */
2404
2405 static int selinux_inode_alloc_security(struct inode *inode)
2406 {
2407         return inode_alloc_security(inode);
2408 }
2409
2410 static void selinux_inode_free_security(struct inode *inode)
2411 {
2412         inode_free_security(inode);
2413 }
2414
2415 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2416                                        char **name, void **value,
2417                                        size_t *len)
2418 {
2419         struct task_security_struct *tsec;
2420         struct inode_security_struct *dsec;
2421         struct superblock_security_struct *sbsec;
2422         u32 newsid, clen;
2423         int rc;
2424         char *namep = NULL, *context;
2425
2426         tsec = current->security;
2427         dsec = dir->i_security;
2428         sbsec = dir->i_sb->s_security;
2429
2430         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2431                 newsid = tsec->create_sid;
2432         } else {
2433                 rc = security_transition_sid(tsec->sid, dsec->sid,
2434                                              inode_mode_to_security_class(inode->i_mode),
2435                                              &newsid);
2436                 if (rc) {
2437                         printk(KERN_WARNING "%s:  "
2438                                "security_transition_sid failed, rc=%d (dev=%s "
2439                                "ino=%ld)\n",
2440                                __FUNCTION__,
2441                                -rc, inode->i_sb->s_id, inode->i_ino);
2442                         return rc;
2443                 }
2444         }
2445
2446         /* Possibly defer initialization to selinux_complete_init. */
2447         if (sbsec->initialized) {
2448                 struct inode_security_struct *isec = inode->i_security;
2449                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2450                 isec->sid = newsid;
2451                 isec->initialized = 1;
2452         }
2453
2454         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2455                 return -EOPNOTSUPP;
2456
2457         if (name) {
2458                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2459                 if (!namep)
2460                         return -ENOMEM;
2461                 *name = namep;
2462         }
2463
2464         if (value && len) {
2465                 rc = security_sid_to_context(newsid, &context, &clen);
2466                 if (rc) {
2467                         kfree(namep);
2468                         return rc;
2469                 }
2470                 *value = context;
2471                 *len = clen;
2472         }
2473
2474         return 0;
2475 }
2476
2477 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2478 {
2479         return may_create(dir, dentry, SECCLASS_FILE);
2480 }
2481
2482 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2483 {
2484         int rc;
2485
2486         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2487         if (rc)
2488                 return rc;
2489         return may_link(dir, old_dentry, MAY_LINK);
2490 }
2491
2492 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2493 {
2494         int rc;
2495
2496         rc = secondary_ops->inode_unlink(dir, dentry);
2497         if (rc)
2498                 return rc;
2499         return may_link(dir, dentry, MAY_UNLINK);
2500 }
2501
2502 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2503 {
2504         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2505 }
2506
2507 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2508 {
2509         return may_create(dir, dentry, SECCLASS_DIR);
2510 }
2511
2512 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2513 {
2514         return may_link(dir, dentry, MAY_RMDIR);
2515 }
2516
2517 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2518 {
2519         int rc;
2520
2521         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2522         if (rc)
2523                 return rc;
2524
2525         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2526 }
2527
2528 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2529                                 struct inode *new_inode, struct dentry *new_dentry)
2530 {
2531         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2532 }
2533
2534 static int selinux_inode_readlink(struct dentry *dentry)
2535 {
2536         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2537 }
2538
2539 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2540 {
2541         int rc;
2542
2543         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2544         if (rc)
2545                 return rc;
2546         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2547 }
2548
2549 static int selinux_inode_permission(struct inode *inode, int mask,
2550                                     struct nameidata *nd)
2551 {
2552         int rc;
2553
2554         rc = secondary_ops->inode_permission(inode, mask, nd);
2555         if (rc)
2556                 return rc;
2557
2558         if (!mask) {
2559                 /* No permission to check.  Existence test. */
2560                 return 0;
2561         }
2562
2563         return inode_has_perm(current, inode,
2564                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2565 }
2566
2567 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2568 {
2569         int rc;
2570
2571         rc = secondary_ops->inode_setattr(dentry, iattr);
2572         if (rc)
2573                 return rc;
2574
2575         if (iattr->ia_valid & ATTR_FORCE)
2576                 return 0;
2577
2578         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2579                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2580                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2581
2582         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2583 }
2584
2585 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2586 {
2587         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2588 }
2589
2590 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2591 {
2592         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2593                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2594                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2595                         if (!capable(CAP_SETFCAP))
2596                                 return -EPERM;
2597                 } else if (!capable(CAP_SYS_ADMIN)) {
2598                         /* A different attribute in the security namespace.
2599                            Restrict to administrator. */
2600                         return -EPERM;
2601                 }
2602         }
2603
2604         /* Not an attribute we recognize, so just check the
2605            ordinary setattr permission. */
2606         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2607 }
2608
2609 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2610 {
2611         struct task_security_struct *tsec = current->security;
2612         struct inode *inode = dentry->d_inode;
2613         struct inode_security_struct *isec = inode->i_security;
2614         struct superblock_security_struct *sbsec;
2615         struct avc_audit_data ad;
2616         u32 newsid;
2617         int rc = 0;
2618
2619         if (strcmp(name, XATTR_NAME_SELINUX))
2620                 return selinux_inode_setotherxattr(dentry, name);
2621
2622         sbsec = inode->i_sb->s_security;
2623         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2624                 return -EOPNOTSUPP;
2625
2626         if (!is_owner_or_cap(inode))
2627                 return -EPERM;
2628
2629         AVC_AUDIT_DATA_INIT(&ad,FS);
2630         ad.u.fs.path.dentry = dentry;
2631
2632         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2633                           FILE__RELABELFROM, &ad);
2634         if (rc)
2635                 return rc;
2636
2637         rc = security_context_to_sid(value, size, &newsid);
2638         if (rc)
2639                 return rc;
2640
2641         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2642                           FILE__RELABELTO, &ad);
2643         if (rc)
2644                 return rc;
2645
2646         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2647                                           isec->sclass);
2648         if (rc)
2649                 return rc;
2650
2651         return avc_has_perm(newsid,
2652                             sbsec->sid,
2653                             SECCLASS_FILESYSTEM,
2654                             FILESYSTEM__ASSOCIATE,
2655                             &ad);
2656 }
2657
2658 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2659                                         void *value, size_t size, int flags)
2660 {
2661         struct inode *inode = dentry->d_inode;
2662         struct inode_security_struct *isec = inode->i_security;
2663         u32 newsid;
2664         int rc;
2665
2666         if (strcmp(name, XATTR_NAME_SELINUX)) {
2667                 /* Not an attribute we recognize, so nothing to do. */
2668                 return;
2669         }
2670
2671         rc = security_context_to_sid(value, size, &newsid);
2672         if (rc) {
2673                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2674                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2675                 return;
2676         }
2677
2678         isec->sid = newsid;
2679         return;
2680 }
2681
2682 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2683 {
2684         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2685 }
2686
2687 static int selinux_inode_listxattr (struct dentry *dentry)
2688 {
2689         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2690 }
2691
2692 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2693 {
2694         if (strcmp(name, XATTR_NAME_SELINUX))
2695                 return selinux_inode_setotherxattr(dentry, name);
2696
2697         /* No one is allowed to remove a SELinux security label.
2698            You can change the label, but all data must be labeled. */
2699         return -EACCES;
2700 }
2701
2702 /*
2703  * Copy the in-core inode security context value to the user.  If the
2704  * getxattr() prior to this succeeded, check to see if we need to
2705  * canonicalize the value to be finally returned to the user.
2706  *
2707  * Permission check is handled by selinux_inode_getxattr hook.
2708  */
2709 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2710 {
2711         u32 size;
2712         int error;
2713         char *context = NULL;
2714         struct inode_security_struct *isec = inode->i_security;
2715
2716         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2717                 return -EOPNOTSUPP;
2718
2719         error = security_sid_to_context(isec->sid, &context, &size);
2720         if (error)
2721                 return error;
2722         error = size;
2723         if (alloc) {
2724                 *buffer = context;
2725                 goto out_nofree;
2726         }
2727         kfree(context);
2728 out_nofree:
2729         return error;
2730 }
2731
2732 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2733                                      const void *value, size_t size, int flags)
2734 {
2735         struct inode_security_struct *isec = inode->i_security;
2736         u32 newsid;
2737         int rc;
2738
2739         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2740                 return -EOPNOTSUPP;
2741
2742         if (!value || !size)
2743                 return -EACCES;
2744
2745         rc = security_context_to_sid((void*)value, size, &newsid);
2746         if (rc)
2747                 return rc;
2748
2749         isec->sid = newsid;
2750         return 0;
2751 }
2752
2753 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2754 {
2755         const int len = sizeof(XATTR_NAME_SELINUX);
2756         if (buffer && len <= buffer_size)
2757                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2758         return len;
2759 }
2760
2761 static int selinux_inode_need_killpriv(struct dentry *dentry)
2762 {
2763         return secondary_ops->inode_need_killpriv(dentry);
2764 }
2765
2766 static int selinux_inode_killpriv(struct dentry *dentry)
2767 {
2768         return secondary_ops->inode_killpriv(dentry);
2769 }
2770
2771 /* file security operations */
2772
2773 static int selinux_revalidate_file_permission(struct file *file, int mask)
2774 {
2775         int rc;
2776         struct inode *inode = file->f_path.dentry->d_inode;
2777
2778         if (!mask) {
2779                 /* No permission to check.  Existence test. */
2780                 return 0;
2781         }
2782
2783         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2784         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2785                 mask |= MAY_APPEND;
2786
2787         rc = file_has_perm(current, file,
2788                            file_mask_to_av(inode->i_mode, mask));
2789         if (rc)
2790                 return rc;
2791
2792         return selinux_netlbl_inode_permission(inode, mask);
2793 }
2794
2795 static int selinux_file_permission(struct file *file, int mask)
2796 {
2797         struct inode *inode = file->f_path.dentry->d_inode;
2798         struct task_security_struct *tsec = current->security;
2799         struct file_security_struct *fsec = file->f_security;
2800         struct inode_security_struct *isec = inode->i_security;
2801
2802         if (!mask) {
2803                 /* No permission to check.  Existence test. */
2804                 return 0;
2805         }
2806
2807         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2808             && fsec->pseqno == avc_policy_seqno())
2809                 return selinux_netlbl_inode_permission(inode, mask);
2810
2811         return selinux_revalidate_file_permission(file, mask);
2812 }
2813
2814 static int selinux_file_alloc_security(struct file *file)
2815 {
2816         return file_alloc_security(file);
2817 }
2818
2819 static void selinux_file_free_security(struct file *file)
2820 {
2821         file_free_security(file);
2822 }
2823
2824 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2825                               unsigned long arg)
2826 {
2827         int error = 0;
2828
2829         switch (cmd) {
2830                 case FIONREAD:
2831                 /* fall through */
2832                 case FIBMAP:
2833                 /* fall through */
2834                 case FIGETBSZ:
2835                 /* fall through */
2836                 case EXT2_IOC_GETFLAGS:
2837                 /* fall through */
2838                 case EXT2_IOC_GETVERSION:
2839                         error = file_has_perm(current, file, FILE__GETATTR);
2840                         break;
2841
2842                 case EXT2_IOC_SETFLAGS:
2843                 /* fall through */
2844                 case EXT2_IOC_SETVERSION:
2845                         error = file_has_perm(current, file, FILE__SETATTR);
2846                         break;
2847
2848                 /* sys_ioctl() checks */
2849                 case FIONBIO:
2850                 /* fall through */
2851                 case FIOASYNC:
2852                         error = file_has_perm(current, file, 0);
2853                         break;
2854
2855                 case KDSKBENT:
2856                 case KDSKBSENT:
2857                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2858                         break;
2859
2860                 /* default case assumes that the command will go
2861                  * to the file's ioctl() function.
2862                  */
2863                 default:
2864                         error = file_has_perm(current, file, FILE__IOCTL);
2865
2866         }
2867         return error;
2868 }
2869
2870 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2871 {
2872 #ifndef CONFIG_PPC32
2873         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2874                 /*
2875                  * We are making executable an anonymous mapping or a
2876                  * private file mapping that will also be writable.
2877                  * This has an additional check.
2878                  */
2879                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2880                 if (rc)
2881                         return rc;
2882         }
2883 #endif
2884
2885         if (file) {
2886                 /* read access is always possible with a mapping */
2887                 u32 av = FILE__READ;
2888
2889                 /* write access only matters if the mapping is shared */
2890                 if (shared && (prot & PROT_WRITE))
2891                         av |= FILE__WRITE;
2892
2893                 if (prot & PROT_EXEC)
2894                         av |= FILE__EXECUTE;
2895
2896                 return file_has_perm(current, file, av);
2897         }
2898         return 0;
2899 }
2900
2901 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2902                              unsigned long prot, unsigned long flags,
2903                              unsigned long addr, unsigned long addr_only)
2904 {
2905         int rc = 0;
2906         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2907
2908         if (addr < mmap_min_addr)
2909                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2910                                   MEMPROTECT__MMAP_ZERO, NULL);
2911         if (rc || addr_only)
2912                 return rc;
2913
2914         if (selinux_checkreqprot)
2915                 prot = reqprot;
2916
2917         return file_map_prot_check(file, prot,
2918                                    (flags & MAP_TYPE) == MAP_SHARED);
2919 }
2920
2921 static int selinux_file_mprotect(struct vm_area_struct *vma,
2922                                  unsigned long reqprot,
2923                                  unsigned long prot)
2924 {
2925         int rc;
2926
2927         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2928         if (rc)
2929                 return rc;
2930
2931         if (selinux_checkreqprot)
2932                 prot = reqprot;
2933
2934 #ifndef CONFIG_PPC32
2935         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2936                 rc = 0;
2937                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2938                     vma->vm_end <= vma->vm_mm->brk) {
2939                         rc = task_has_perm(current, current,
2940                                            PROCESS__EXECHEAP);
2941                 } else if (!vma->vm_file &&
2942                            vma->vm_start <= vma->vm_mm->start_stack &&
2943                            vma->vm_end >= vma->vm_mm->start_stack) {
2944                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2945                 } else if (vma->vm_file && vma->anon_vma) {
2946                         /*
2947                          * We are making executable a file mapping that has
2948                          * had some COW done. Since pages might have been
2949                          * written, check ability to execute the possibly
2950                          * modified content.  This typically should only
2951                          * occur for text relocations.
2952                          */
2953                         rc = file_has_perm(current, vma->vm_file,
2954                                            FILE__EXECMOD);
2955                 }
2956                 if (rc)
2957                         return rc;
2958         }
2959 #endif
2960
2961         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2962 }
2963
2964 static int selinux_file_lock(struct file *file, unsigned int cmd)
2965 {
2966         return file_has_perm(current, file, FILE__LOCK);
2967 }
2968
2969 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2970                               unsigned long arg)
2971 {
2972         int err = 0;
2973
2974         switch (cmd) {
2975                 case F_SETFL:
2976                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2977                                 err = -EINVAL;
2978                                 break;
2979                         }
2980
2981                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2982                                 err = file_has_perm(current, file,FILE__WRITE);
2983                                 break;
2984                         }
2985                         /* fall through */
2986                 case F_SETOWN:
2987                 case F_SETSIG:
2988                 case F_GETFL:
2989                 case F_GETOWN:
2990                 case F_GETSIG:
2991                         /* Just check FD__USE permission */
2992                         err = file_has_perm(current, file, 0);
2993                         break;
2994                 case F_GETLK:
2995                 case F_SETLK:
2996                 case F_SETLKW:
2997 #if BITS_PER_LONG == 32
2998                 case F_GETLK64:
2999                 case F_SETLK64:
3000                 case F_SETLKW64:
3001 #endif
3002                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3003                                 err = -EINVAL;
3004                                 break;
3005                         }
3006                         err = file_has_perm(current, file, FILE__LOCK);
3007                         break;
3008         }
3009
3010         return err;
3011 }
3012
3013 static int selinux_file_set_fowner(struct file *file)
3014 {
3015         struct task_security_struct *tsec;
3016         struct file_security_struct *fsec;
3017
3018         tsec = current->security;
3019         fsec = file->f_security;
3020         fsec->fown_sid = tsec->sid;
3021
3022         return 0;
3023 }
3024
3025 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3026                                        struct fown_struct *fown, int signum)
3027 {
3028         struct file *file;
3029         u32 perm;
3030         struct task_security_struct *tsec;
3031         struct file_security_struct *fsec;
3032
3033         /* struct fown_struct is never outside the context of a struct file */
3034         file = container_of(fown, struct file, f_owner);
3035
3036         tsec = tsk->security;
3037         fsec = file->f_security;
3038
3039         if (!signum)
3040                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3041         else
3042                 perm = signal_to_av(signum);
3043
3044         return avc_has_perm(fsec->fown_sid, tsec->sid,
3045                             SECCLASS_PROCESS, perm, NULL);
3046 }
3047
3048 static int selinux_file_receive(struct file *file)
3049 {
3050         return file_has_perm(current, file, file_to_av(file));
3051 }
3052
3053 static int selinux_dentry_open(struct file *file)
3054 {
3055         struct file_security_struct *fsec;
3056         struct inode *inode;
3057         struct inode_security_struct *isec;
3058         inode = file->f_path.dentry->d_inode;
3059         fsec = file->f_security;
3060         isec = inode->i_security;
3061         /*
3062          * Save inode label and policy sequence number
3063          * at open-time so that selinux_file_permission
3064          * can determine whether revalidation is necessary.
3065          * Task label is already saved in the file security
3066          * struct as its SID.
3067          */
3068         fsec->isid = isec->sid;
3069         fsec->pseqno = avc_policy_seqno();
3070         /*
3071          * Since the inode label or policy seqno may have changed
3072          * between the selinux_inode_permission check and the saving
3073          * of state above, recheck that access is still permitted.
3074          * Otherwise, access might never be revalidated against the
3075          * new inode label or new policy.
3076          * This check is not redundant - do not remove.
3077          */
3078         return inode_has_perm(current, inode, file_to_av(file), NULL);
3079 }
3080
3081 /* task security operations */
3082
3083 static int selinux_task_create(unsigned long clone_flags)
3084 {
3085         int rc;
3086
3087         rc = secondary_ops->task_create(clone_flags);
3088         if (rc)
3089                 return rc;
3090
3091         return task_has_perm(current, current, PROCESS__FORK);
3092 }
3093
3094 static int selinux_task_alloc_security(struct task_struct *tsk)
3095 {
3096         struct task_security_struct *tsec1, *tsec2;
3097         int rc;
3098
3099         tsec1 = current->security;
3100
3101         rc = task_alloc_security(tsk);
3102         if (rc)
3103                 return rc;
3104         tsec2 = tsk->security;
3105
3106         tsec2->osid = tsec1->osid;
3107         tsec2->sid = tsec1->sid;
3108
3109         /* Retain the exec, fs, key, and sock SIDs across fork */
3110         tsec2->exec_sid = tsec1->exec_sid;
3111         tsec2->create_sid = tsec1->create_sid;
3112         tsec2->keycreate_sid = tsec1->keycreate_sid;
3113         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3114
3115         /* Retain ptracer SID across fork, if any.
3116            This will be reset by the ptrace hook upon any
3117            subsequent ptrace_attach operations. */
3118         tsec2->ptrace_sid = tsec1->ptrace_sid;
3119
3120         return 0;
3121 }
3122
3123 static void selinux_task_free_security(struct task_struct *tsk)
3124 {
3125         task_free_security(tsk);
3126 }
3127
3128 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3129 {
3130         /* Since setuid only affects the current process, and
3131            since the SELinux controls are not based on the Linux
3132            identity attributes, SELinux does not need to control
3133            this operation.  However, SELinux does control the use
3134            of the CAP_SETUID and CAP_SETGID capabilities using the
3135            capable hook. */
3136         return 0;
3137 }
3138
3139 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3140 {
3141         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3142 }
3143
3144 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3145 {
3146         /* See the comment for setuid above. */
3147         return 0;
3148 }
3149
3150 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3151 {
3152         return task_has_perm(current, p, PROCESS__SETPGID);
3153 }
3154
3155 static int selinux_task_getpgid(struct task_struct *p)
3156 {
3157         return task_has_perm(current, p, PROCESS__GETPGID);
3158 }
3159
3160 static int selinux_task_getsid(struct task_struct *p)
3161 {
3162         return task_has_perm(current, p, PROCESS__GETSESSION);
3163 }
3164
3165 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3166 {
3167         selinux_get_task_sid(p, secid);
3168 }
3169
3170 static int selinux_task_setgroups(struct group_info *group_info)
3171 {
3172         /* See the comment for setuid above. */
3173         return 0;
3174 }
3175
3176 static int selinux_task_setnice(struct task_struct *p, int nice)
3177 {
3178         int rc;
3179
3180         rc = secondary_ops->task_setnice(p, nice);
3181         if (rc)
3182                 return rc;
3183
3184         return task_has_perm(current,p, PROCESS__SETSCHED);
3185 }
3186
3187 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3188 {
3189         int rc;
3190
3191         rc = secondary_ops->task_setioprio(p, ioprio);
3192         if (rc)
3193                 return rc;
3194
3195         return task_has_perm(current, p, PROCESS__SETSCHED);
3196 }
3197
3198 static int selinux_task_getioprio(struct task_struct *p)
3199 {
3200         return task_has_perm(current, p, PROCESS__GETSCHED);
3201 }
3202
3203 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3204 {
3205         struct rlimit *old_rlim = current->signal->rlim + resource;
3206         int rc;
3207
3208         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3209         if (rc)
3210                 return rc;
3211
3212         /* Control the ability to change the hard limit (whether
3213            lowering or raising it), so that the hard limit can
3214            later be used as a safe reset point for the soft limit
3215            upon context transitions. See selinux_bprm_apply_creds. */
3216         if (old_rlim->rlim_max != new_rlim->rlim_max)
3217                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3218
3219         return 0;
3220 }
3221
3222 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3223 {
3224         int rc;
3225
3226         rc = secondary_ops->task_setscheduler(p, policy, lp);
3227         if (rc)
3228                 return rc;
3229
3230         return task_has_perm(current, p, PROCESS__SETSCHED);
3231 }
3232
3233 static int selinux_task_getscheduler(struct task_struct *p)
3234 {
3235         return task_has_perm(current, p, PROCESS__GETSCHED);
3236 }
3237
3238 static int selinux_task_movememory(struct task_struct *p)
3239 {
3240         return task_has_perm(current, p, PROCESS__SETSCHED);
3241 }
3242
3243 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3244                                 int sig, u32 secid)
3245 {
3246         u32 perm;
3247         int rc;
3248         struct task_security_struct *tsec;
3249
3250         rc = secondary_ops->task_kill(p, info, sig, secid);
3251         if (rc)
3252                 return rc;
3253
3254         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3255                 return 0;
3256
3257         if (!sig)
3258                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3259         else
3260                 perm = signal_to_av(sig);
3261         tsec = p->security;
3262         if (secid)
3263                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3264         else
3265                 rc = task_has_perm(current, p, perm);
3266         return rc;
3267 }
3268
3269 static int selinux_task_prctl(int option,
3270                               unsigned long arg2,
3271                               unsigned long arg3,
3272                               unsigned long arg4,
3273                               unsigned long arg5)
3274 {
3275         /* The current prctl operations do not appear to require
3276            any SELinux controls since they merely observe or modify
3277            the state of the current process. */
3278         return 0;
3279 }
3280
3281 static int selinux_task_wait(struct task_struct *p)
3282 {
3283         return task_has_perm(p, current, PROCESS__SIGCHLD);
3284 }
3285
3286 static void selinux_task_reparent_to_init(struct task_struct *p)
3287 {
3288         struct task_security_struct *tsec;
3289
3290         secondary_ops->task_reparent_to_init(p);
3291
3292         tsec = p->security;
3293         tsec->osid = tsec->sid;
3294         tsec->sid = SECINITSID_KERNEL;
3295         return;
3296 }
3297
3298 static void selinux_task_to_inode(struct task_struct *p,
3299                                   struct inode *inode)
3300 {
3301         struct task_security_struct *tsec = p->security;
3302         struct inode_security_struct *isec = inode->i_security;
3303
3304         isec->sid = tsec->sid;
3305         isec->initialized = 1;
3306         return;
3307 }
3308
3309 /* Returns error only if unable to parse addresses */
3310 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3311                         struct avc_audit_data *ad, u8 *proto)
3312 {
3313         int offset, ihlen, ret = -EINVAL;
3314         struct iphdr _iph, *ih;
3315
3316         offset = skb_network_offset(skb);
3317         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3318         if (ih == NULL)
3319                 goto out;
3320
3321         ihlen = ih->ihl * 4;
3322         if (ihlen < sizeof(_iph))
3323                 goto out;
3324
3325         ad->u.net.v4info.saddr = ih->saddr;
3326         ad->u.net.v4info.daddr = ih->daddr;
3327         ret = 0;
3328
3329         if (proto)
3330                 *proto = ih->protocol;
3331
3332         switch (ih->protocol) {
3333         case IPPROTO_TCP: {
3334                 struct tcphdr _tcph, *th;
3335
3336                 if (ntohs(ih->frag_off) & IP_OFFSET)
3337                         break;
3338
3339                 offset += ihlen;
3340                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3341                 if (th == NULL)
3342                         break;
3343
3344                 ad->u.net.sport = th->source;
3345                 ad->u.net.dport = th->dest;
3346                 break;
3347         }
3348         
3349         case IPPROTO_UDP: {
3350                 struct udphdr _udph, *uh;
3351                 
3352                 if (ntohs(ih->frag_off) & IP_OFFSET)
3353                         break;
3354                         
3355                 offset += ihlen;
3356                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3357                 if (uh == NULL)
3358                         break;  
3359
3360                 ad->u.net.sport = uh->source;
3361                 ad->u.net.dport = uh->dest;
3362                 break;
3363         }
3364
3365         case IPPROTO_DCCP: {
3366                 struct dccp_hdr _dccph, *dh;
3367
3368                 if (ntohs(ih->frag_off) & IP_OFFSET)
3369                         break;
3370
3371                 offset += ihlen;
3372                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3373                 if (dh == NULL)
3374                         break;
3375
3376                 ad->u.net.sport = dh->dccph_sport;
3377                 ad->u.net.dport = dh->dccph_dport;
3378                 break;
3379         }
3380
3381         default:
3382                 break;
3383         }
3384 out:
3385         return ret;
3386 }
3387
3388 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3389
3390 /* Returns error only if unable to parse addresses */
3391 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3392                         struct avc_audit_data *ad, u8 *proto)
3393 {
3394         u8 nexthdr;
3395         int ret = -EINVAL, offset;
3396         struct ipv6hdr _ipv6h, *ip6;
3397
3398         offset = skb_network_offset(skb);
3399         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3400         if (ip6 == NULL)
3401                 goto out;
3402
3403         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3404         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3405         ret = 0;
3406
3407         nexthdr = ip6->nexthdr;
3408         offset += sizeof(_ipv6h);
3409         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3410         if (offset < 0)
3411                 goto out;
3412
3413         if (proto)
3414                 *proto = nexthdr;
3415
3416         switch (nexthdr) {
3417         case IPPROTO_TCP: {
3418                 struct tcphdr _tcph, *th;
3419
3420                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3421                 if (th == NULL)
3422                         break;
3423
3424                 ad->u.net.sport = th->source;
3425                 ad->u.net.dport = th->dest;
3426                 break;
3427         }
3428
3429         case IPPROTO_UDP: {
3430                 struct udphdr _udph, *uh;
3431
3432                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3433                 if (uh == NULL)
3434                         break;
3435
3436                 ad->u.net.sport = uh->source;
3437                 ad->u.net.dport = uh->dest;
3438                 break;
3439         }
3440
3441         case IPPROTO_DCCP: {
3442                 struct dccp_hdr _dccph, *dh;
3443
3444                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3445                 if (dh == NULL)
3446                         break;
3447
3448                 ad->u.net.sport = dh->dccph_sport;
3449                 ad->u.net.dport = dh->dccph_dport;
3450                 break;
3451         }
3452
3453         /* includes fragments */
3454         default:
3455                 break;
3456         }
3457 out:
3458         return ret;
3459 }
3460
3461 #endif /* IPV6 */
3462
3463 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3464                              char **addrp, int src, u8 *proto)
3465 {
3466         int ret = 0;
3467
3468         switch (ad->u.net.family) {
3469         case PF_INET:
3470                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3471                 if (ret || !addrp)
3472                         break;
3473                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3474                                         &ad->u.net.v4info.daddr);
3475                 break;
3476
3477 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3478         case PF_INET6:
3479                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3480                 if (ret || !addrp)
3481                         break;
3482                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3483                                         &ad->u.net.v6info.daddr);
3484                 break;
3485 #endif  /* IPV6 */
3486         default:
3487                 break;
3488         }
3489
3490         if (unlikely(ret))
3491                 printk(KERN_WARNING
3492                        "SELinux: failure in selinux_parse_skb(),"
3493                        " unable to parse packet\n");
3494
3495         return ret;
3496 }
3497
3498 /**
3499  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3500  * @skb: the packet
3501  * @family: protocol family
3502  * @sid: the packet's peer label SID
3503  *
3504  * Description:
3505  * Check the various different forms of network peer labeling and determine
3506  * the peer label/SID for the packet; most of the magic actually occurs in
3507  * the security server function security_net_peersid_cmp().  The function
3508  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3509  * or -EACCES if @sid is invalid due to inconsistencies with the different
3510  * peer labels.
3511  *
3512  */
3513 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3514 {
3515         int err;
3516         u32 xfrm_sid;
3517         u32 nlbl_sid;
3518         u32 nlbl_type;
3519
3520         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3521         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3522
3523         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3524         if (unlikely(err)) {
3525                 printk(KERN_WARNING
3526                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3527                        " unable to determine packet's peer label\n");
3528                 return -EACCES;
3529         }
3530
3531         return 0;
3532 }
3533
3534 /* socket security operations */
3535 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3536                            u32 perms)
3537 {
3538         struct inode_security_struct *isec;
3539         struct task_security_struct *tsec;
3540         struct avc_audit_data ad;
3541         int err = 0;
3542
3543         tsec = task->security;
3544         isec = SOCK_INODE(sock)->i_security;
3545
3546         if (isec->sid == SECINITSID_KERNEL)
3547                 goto out;
3548
3549         AVC_AUDIT_DATA_INIT(&ad,NET);
3550         ad.u.net.sk = sock->sk;
3551         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3552
3553 out:
3554         return err;
3555 }
3556
3557 static int selinux_socket_create(int family, int type,
3558                                  int protocol, int kern)
3559 {
3560         int err = 0;
3561         struct task_security_struct *tsec;
3562         u32 newsid;
3563
3564         if (kern)
3565                 goto out;
3566
3567         tsec = current->security;
3568         newsid = tsec->sockcreate_sid ? : tsec->sid;
3569         err = avc_has_perm(tsec->sid, newsid,
3570                            socket_type_to_security_class(family, type,
3571                            protocol), SOCKET__CREATE, NULL);
3572
3573 out:
3574         return err;
3575 }
3576
3577 static int selinux_socket_post_create(struct socket *sock, int family,
3578                                       int type, int protocol, int kern)
3579 {
3580         int err = 0;
3581         struct inode_security_struct *isec;
3582         struct task_security_struct *tsec;
3583         struct sk_security_struct *sksec;
3584         u32 newsid;
3585
3586         isec = SOCK_INODE(sock)->i_security;
3587
3588         tsec = current->security;
3589         newsid = tsec->sockcreate_sid ? : tsec->sid;
3590         isec->sclass = socket_type_to_security_class(family, type, protocol);
3591         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3592         isec->initialized = 1;
3593
3594         if (sock->sk) {
3595                 sksec = sock->sk->sk_security;
3596                 sksec->sid = isec->sid;
3597                 sksec->sclass = isec->sclass;
3598                 err = selinux_netlbl_socket_post_create(sock);
3599         }
3600
3601         return err;
3602 }
3603
3604 /* Range of port numbers used to automatically bind.
3605    Need to determine whether we should perform a name_bind
3606    permission check between the socket and the port number. */
3607
3608 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3609 {
3610         u16 family;
3611         int err;
3612
3613         err = socket_has_perm(current, sock, SOCKET__BIND);
3614         if (err)
3615                 goto out;
3616
3617         /*
3618          * If PF_INET or PF_INET6, check name_bind permission for the port.
3619          * Multiple address binding for SCTP is not supported yet: we just
3620          * check the first address now.
3621          */
3622         family = sock->sk->sk_family;
3623         if (family == PF_INET || family == PF_INET6) {
3624                 char *addrp;
3625                 struct inode_security_struct *isec;
3626                 struct task_security_struct *tsec;
3627                 struct avc_audit_data ad;
3628                 struct sockaddr_in *addr4 = NULL;
3629                 struct sockaddr_in6 *addr6 = NULL;
3630                 unsigned short snum;
3631                 struct sock *sk = sock->sk;
3632                 u32 sid, node_perm, addrlen;
3633
3634                 tsec = current->security;
3635                 isec = SOCK_INODE(sock)->i_security;
3636
3637                 if (family == PF_INET) {
3638                         addr4 = (struct sockaddr_in *)address;
3639                         snum = ntohs(addr4->sin_port);
3640                         addrlen = sizeof(addr4->sin_addr.s_addr);
3641                         addrp = (char *)&addr4->sin_addr.s_addr;
3642                 } else {
3643                         addr6 = (struct sockaddr_in6 *)address;
3644                         snum = ntohs(addr6->sin6_port);
3645                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3646                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3647                 }
3648
3649                 if (snum) {
3650                         int low, high;
3651
3652                         inet_get_local_port_range(&low, &high);
3653
3654                         if (snum < max(PROT_SOCK, low) || snum > high) {
3655                                 err = security_port_sid(sk->sk_family,
3656                                                         sk->sk_type,
3657                                                         sk->sk_protocol, snum,
3658                                                         &sid);
3659                                 if (err)
3660                                         goto out;
3661                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3662                                 ad.u.net.sport = htons(snum);
3663                                 ad.u.net.family = family;
3664                                 err = avc_has_perm(isec->sid, sid,
3665                                                    isec->sclass,
3666                                                    SOCKET__NAME_BIND, &ad);
3667                                 if (err)
3668                                         goto out;
3669                         }
3670                 }
3671                 
3672                 switch(isec->sclass) {
3673                 case SECCLASS_TCP_SOCKET:
3674                         node_perm = TCP_SOCKET__NODE_BIND;
3675                         break;
3676                         
3677                 case SECCLASS_UDP_SOCKET:
3678                         node_perm = UDP_SOCKET__NODE_BIND;
3679                         break;
3680
3681                 case SECCLASS_DCCP_SOCKET:
3682                         node_perm = DCCP_SOCKET__NODE_BIND;
3683                         break;
3684
3685                 default:
3686                         node_perm = RAWIP_SOCKET__NODE_BIND;
3687                         break;
3688                 }
3689                 
3690                 err = sel_netnode_sid(addrp, family, &sid);
3691                 if (err)
3692                         goto out;
3693                 
3694                 AVC_AUDIT_DATA_INIT(&ad,NET);
3695                 ad.u.net.sport = htons(snum);
3696                 ad.u.net.family = family;
3697
3698                 if (family == PF_INET)
3699                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3700                 else
3701                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3702
3703                 err = avc_has_perm(isec->sid, sid,
3704                                    isec->sclass, node_perm, &ad);
3705                 if (err)
3706                         goto out;
3707         }
3708 out:
3709         return err;
3710 }
3711
3712 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3713 {
3714         struct inode_security_struct *isec;
3715         int err;
3716
3717         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3718         if (err)
3719                 return err;
3720
3721         /*
3722          * If a TCP or DCCP socket, check name_connect permission for the port.
3723          */
3724         isec = SOCK_INODE(sock)->i_security;
3725         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3726             isec->sclass == SECCLASS_DCCP_SOCKET) {
3727                 struct sock *sk = sock->sk;
3728                 struct avc_audit_data ad;
3729                 struct sockaddr_in *addr4 = NULL;
3730                 struct sockaddr_in6 *addr6 = NULL;
3731                 unsigned short snum;
3732                 u32 sid, perm;
3733
3734                 if (sk->sk_family == PF_INET) {
3735                         addr4 = (struct sockaddr_in *)address;
3736                         if (addrlen < sizeof(struct sockaddr_in))
3737                                 return -EINVAL;
3738                         snum = ntohs(addr4->sin_port);
3739                 } else {
3740                         addr6 = (struct sockaddr_in6 *)address;
3741                         if (addrlen < SIN6_LEN_RFC2133)
3742                                 return -EINVAL;
3743                         snum = ntohs(addr6->sin6_port);
3744                 }
3745
3746                 err = security_port_sid(sk->sk_family, sk->sk_type,
3747                                         sk->sk_protocol, snum, &sid);
3748                 if (err)
3749                         goto out;
3750
3751                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3752                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3753
3754                 AVC_AUDIT_DATA_INIT(&ad,NET);
3755                 ad.u.net.dport = htons(snum);
3756                 ad.u.net.family = sk->sk_family;
3757                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3758                 if (err)
3759                         goto out;
3760         }
3761
3762 out:
3763         return err;
3764 }
3765
3766 static int selinux_socket_listen(struct socket *sock, int backlog)
3767 {
3768         return socket_has_perm(current, sock, SOCKET__LISTEN);
3769 }
3770
3771 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3772 {
3773         int err;
3774         struct inode_security_struct *isec;
3775         struct inode_security_struct *newisec;
3776
3777         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3778         if (err)
3779                 return err;
3780
3781         newisec = SOCK_INODE(newsock)->i_security;
3782
3783         isec = SOCK_INODE(sock)->i_security;
3784         newisec->sclass = isec->sclass;
3785         newisec->sid = isec->sid;
3786         newisec->initialized = 1;
3787
3788         return 0;
3789 }
3790
3791 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3792                                   int size)
3793 {
3794         int rc;
3795
3796         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3797         if (rc)
3798                 return rc;
3799
3800         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3801 }
3802
3803 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3804                                   int size, int flags)
3805 {
3806         return socket_has_perm(current, sock, SOCKET__READ);
3807 }
3808
3809 static int selinux_socket_getsockname(struct socket *sock)
3810 {
3811         return socket_has_perm(current, sock, SOCKET__GETATTR);
3812 }
3813
3814 static int selinux_socket_getpeername(struct socket *sock)
3815 {
3816         return socket_has_perm(current, sock, SOCKET__GETATTR);
3817 }
3818
3819 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3820 {
3821         int err;
3822
3823         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3824         if (err)
3825                 return err;
3826
3827         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3828 }
3829
3830 static int selinux_socket_getsockopt(struct socket *sock, int level,
3831                                      int optname)
3832 {
3833         return socket_has_perm(current, sock, SOCKET__GETOPT);
3834 }
3835
3836 static int selinux_socket_shutdown(struct socket *sock, int how)
3837 {
3838         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3839 }
3840
3841 static int selinux_socket_unix_stream_connect(struct socket *sock,
3842                                               struct socket *other,
3843                                               struct sock *newsk)
3844 {
3845         struct sk_security_struct *ssec;
3846         struct inode_security_struct *isec;
3847         struct inode_security_struct *other_isec;
3848         struct avc_audit_data ad;
3849         int err;
3850
3851         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3852         if (err)
3853                 return err;
3854
3855         isec = SOCK_INODE(sock)->i_security;
3856         other_isec = SOCK_INODE(other)->i_security;
3857
3858         AVC_AUDIT_DATA_INIT(&ad,NET);
3859         ad.u.net.sk = other->sk;
3860
3861         err = avc_has_perm(isec->sid, other_isec->sid,
3862                            isec->sclass,
3863                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3864         if (err)
3865                 return err;
3866
3867         /* connecting socket */
3868         ssec = sock->sk->sk_security;
3869         ssec->peer_sid = other_isec->sid;
3870         
3871         /* server child socket */
3872         ssec = newsk->sk_security;
3873         ssec->peer_sid = isec->sid;
3874         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3875
3876         return err;
3877 }
3878
3879 static int selinux_socket_unix_may_send(struct socket *sock,
3880                                         struct socket *other)
3881 {
3882         struct inode_security_struct *isec;
3883         struct inode_security_struct *other_isec;
3884         struct avc_audit_data ad;
3885         int err;
3886
3887         isec = SOCK_INODE(sock)->i_security;
3888         other_isec = SOCK_INODE(other)->i_security;
3889
3890         AVC_AUDIT_DATA_INIT(&ad,NET);
3891         ad.u.net.sk = other->sk;
3892
3893         err = avc_has_perm(isec->sid, other_isec->sid,
3894                            isec->sclass, SOCKET__SENDTO, &ad);
3895         if (err)
3896                 return err;
3897
3898         return 0;
3899 }
3900
3901 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3902                                     u32 peer_sid,
3903                                     struct avc_audit_data *ad)
3904 {
3905         int err;
3906         u32 if_sid;
3907         u32 node_sid;
3908
3909         err = sel_netif_sid(ifindex, &if_sid);
3910         if (err)
3911                 return err;
3912         err = avc_has_perm(peer_sid, if_sid,
3913                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3914         if (err)
3915                 return err;
3916
3917         err = sel_netnode_sid(addrp, family, &node_sid);
3918         if (err)
3919                 return err;
3920         return avc_has_perm(peer_sid, node_sid,
3921                             SECCLASS_NODE, NODE__RECVFROM, ad);
3922 }
3923
3924 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3925                                                 struct sk_buff *skb,
3926                                                 struct avc_audit_data *ad,
3927                                                 u16 family,
3928                                                 char *addrp)
3929 {
3930         int err;
3931         struct sk_security_struct *sksec = sk->sk_security;
3932         u16 sk_class;
3933         u32 netif_perm, node_perm, recv_perm;
3934         u32 port_sid, node_sid, if_sid, sk_sid;
3935
3936         sk_sid = sksec->sid;
3937         sk_class = sksec->sclass;
3938
3939         switch (sk_class) {
3940         case SECCLASS_UDP_SOCKET:
3941                 netif_perm = NETIF__UDP_RECV;
3942                 node_perm = NODE__UDP_RECV;
3943                 recv_perm = UDP_SOCKET__RECV_MSG;
3944                 break;
3945         case SECCLASS_TCP_SOCKET:
3946                 netif_perm = NETIF__TCP_RECV;
3947                 node_perm = NODE__TCP_RECV;
3948                 recv_perm = TCP_SOCKET__RECV_MSG;
3949                 break;
3950         case SECCLASS_DCCP_SOCKET:
3951                 netif_perm = NETIF__DCCP_RECV;
3952                 node_perm = NODE__DCCP_RECV;
3953                 recv_perm = DCCP_SOCKET__RECV_MSG;
3954                 break;
3955         default:
3956                 netif_perm = NETIF__RAWIP_RECV;
3957                 node_perm = NODE__RAWIP_RECV;
3958                 recv_perm = 0;
3959                 break;
3960         }
3961
3962         err = sel_netif_sid(skb->iif, &if_sid);
3963         if (err)
3964                 return err;
3965         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3966         if (err)
3967                 return err;
3968         
3969         err = sel_netnode_sid(addrp, family, &node_sid);
3970         if (err)
3971                 return err;
3972         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3973         if (err)
3974                 return err;
3975
3976         if (!recv_perm)
3977                 return 0;
3978         err = security_port_sid(sk->sk_family, sk->sk_type,
3979                                 sk->sk_protocol, ntohs(ad->u.net.sport),
3980                                 &port_sid);
3981         if (unlikely(err)) {
3982                 printk(KERN_WARNING
3983                        "SELinux: failure in"
3984                        " selinux_sock_rcv_skb_iptables_compat(),"
3985                        " network port label not found\n");
3986                 return err;
3987         }
3988         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3989 }
3990
3991 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3992                                        struct avc_audit_data *ad,
3993                                        u16 family, char *addrp)
3994 {
3995         int err;
3996         struct sk_security_struct *sksec = sk->sk_security;
3997         u32 peer_sid;
3998         u32 sk_sid = sksec->sid;
3999
4000         if (selinux_compat_net)
4001                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4002                                                            family, addrp);
4003         else
4004                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4005                                    PACKET__RECV, ad);
4006         if (err)
4007                 return err;
4008
4009         if (selinux_policycap_netpeer) {
4010                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4011                 if (err)
4012                         return err;
4013                 err = avc_has_perm(sk_sid, peer_sid,
4014                                    SECCLASS_PEER, PEER__RECV, ad);
4015         } else {
4016                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4017                 if (err)
4018                         return err;
4019                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4020         }
4021
4022         return err;
4023 }
4024
4025 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4026 {
4027         int err;
4028         struct sk_security_struct *sksec = sk->sk_security;
4029         u16 family = sk->sk_family;
4030         u32 sk_sid = sksec->sid;
4031         struct avc_audit_data ad;
4032         char *addrp;
4033
4034         if (family != PF_INET && family != PF_INET6)
4035                 return 0;
4036
4037         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4038         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4039                 family = PF_INET;
4040
4041         AVC_AUDIT_DATA_INIT(&ad, NET);
4042         ad.u.net.netif = skb->iif;
4043         ad.u.net.family = family;
4044         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4045         if (err)
4046                 return err;
4047
4048         /* If any sort of compatibility mode is enabled then handoff processing
4049          * to the selinux_sock_rcv_skb_compat() function to deal with the
4050          * special handling.  We do this in an attempt to keep this function
4051          * as fast and as clean as possible. */
4052         if (selinux_compat_net || !selinux_policycap_netpeer)
4053                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4054                                                    family, addrp);
4055
4056         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4057                 u32 peer_sid;
4058
4059                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4060                 if (err)
4061                         return err;
4062                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4063                                                peer_sid, &ad);
4064                 if (err)
4065                         return err;
4066                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4067                                    PEER__RECV, &ad);
4068         }
4069
4070         if (selinux_secmark_enabled()) {
4071                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4072                                    PACKET__RECV, &ad);
4073                 if (err)
4074                         return err;
4075         }
4076
4077         return err;
4078 }
4079
4080 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4081                                             int __user *optlen, unsigned len)
4082 {
4083         int err = 0;
4084         char *scontext;
4085         u32 scontext_len;
4086         struct sk_security_struct *ssec;
4087         struct inode_security_struct *isec;
4088         u32 peer_sid = SECSID_NULL;
4089
4090         isec = SOCK_INODE(sock)->i_security;
4091
4092         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4093             isec->sclass == SECCLASS_TCP_SOCKET) {
4094                 ssec = sock->sk->sk_security;
4095                 peer_sid = ssec->peer_sid;
4096         }
4097         if (peer_sid == SECSID_NULL) {
4098                 err = -ENOPROTOOPT;
4099                 goto out;
4100         }
4101
4102         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4103
4104         if (err)
4105                 goto out;
4106
4107         if (scontext_len > len) {
4108                 err = -ERANGE;
4109                 goto out_len;
4110         }
4111
4112         if (copy_to_user(optval, scontext, scontext_len))
4113                 err = -EFAULT;
4114
4115 out_len:
4116         if (put_user(scontext_len, optlen))
4117                 err = -EFAULT;
4118
4119         kfree(scontext);
4120 out:    
4121         return err;
4122 }
4123
4124 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4125 {
4126         u32 peer_secid = SECSID_NULL;
4127         u16 family;
4128
4129         if (sock)
4130                 family = sock->sk->sk_family;
4131         else if (skb && skb->sk)
4132                 family = skb->sk->sk_family;
4133         else
4134                 goto out;
4135
4136         if (sock && family == PF_UNIX)
4137                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4138         else if (skb)
4139                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4140
4141 out:
4142         *secid = peer_secid;
4143         if (peer_secid == SECSID_NULL)
4144                 return -EINVAL;
4145         return 0;
4146 }
4147
4148 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4149 {
4150         return sk_alloc_security(sk, family, priority);
4151 }
4152
4153 static void selinux_sk_free_security(struct sock *sk)
4154 {
4155         sk_free_security(sk);
4156 }
4157
4158 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4159 {
4160         struct sk_security_struct *ssec = sk->sk_security;
4161         struct sk_security_struct *newssec = newsk->sk_security;
4162
4163         newssec->sid = ssec->sid;
4164         newssec->peer_sid = ssec->peer_sid;
4165         newssec->sclass = ssec->sclass;
4166
4167         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4168 }
4169
4170 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4171 {
4172         if (!sk)
4173                 *secid = SECINITSID_ANY_SOCKET;
4174         else {
4175                 struct sk_security_struct *sksec = sk->sk_security;
4176
4177                 *secid = sksec->sid;
4178         }
4179 }
4180
4181 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4182 {
4183         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4184         struct sk_security_struct *sksec = sk->sk_security;
4185
4186         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4187             sk->sk_family == PF_UNIX)
4188                 isec->sid = sksec->sid;
4189         sksec->sclass = isec->sclass;
4190
4191         selinux_netlbl_sock_graft(sk, parent);
4192 }
4193
4194 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4195                                      struct request_sock *req)
4196 {
4197         struct sk_security_struct *sksec = sk->sk_security;
4198         int err;
4199         u32 newsid;
4200         u32 peersid;
4201
4202         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4203         if (err)
4204                 return err;
4205         if (peersid == SECSID_NULL) {
4206                 req->secid = sksec->sid;
4207                 req->peer_secid = SECSID_NULL;
4208                 return 0;
4209         }
4210
4211         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4212         if (err)
4213                 return err;
4214
4215         req->secid = newsid;
4216         req->peer_secid = peersid;
4217         return 0;
4218 }
4219
4220 static void selinux_inet_csk_clone(struct sock *newsk,
4221                                    const struct request_sock *req)
4222 {
4223         struct sk_security_struct *newsksec = newsk->sk_security;
4224
4225         newsksec->sid = req->secid;
4226         newsksec->peer_sid = req->peer_secid;
4227         /* NOTE: Ideally, we should also get the isec->sid for the
4228            new socket in sync, but we don't have the isec available yet.
4229            So we will wait until sock_graft to do it, by which
4230            time it will have been created and available. */
4231
4232         /* We don't need to take any sort of lock here as we are the only
4233          * thread with access to newsksec */
4234         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4235 }
4236
4237 static void selinux_inet_conn_established(struct sock *sk,
4238                                 struct sk_buff *skb)
4239 {
4240         struct sk_security_struct *sksec = sk->sk_security;
4241
4242         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4243 }
4244
4245 static void selinux_req_classify_flow(const struct request_sock *req,
4246                                       struct flowi *fl)
4247 {
4248         fl->secid = req->secid;
4249 }
4250
4251 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4252 {
4253         int err = 0;
4254         u32 perm;
4255         struct nlmsghdr *nlh;
4256         struct socket *sock = sk->sk_socket;
4257         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4258         
4259         if (skb->len < NLMSG_SPACE(0)) {
4260                 err = -EINVAL;
4261                 goto out;
4262         }
4263         nlh = nlmsg_hdr(skb);
4264         
4265         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4266         if (err) {
4267                 if (err == -EINVAL) {
4268                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4269                                   "SELinux:  unrecognized netlink message"
4270                                   " type=%hu for sclass=%hu\n",
4271                                   nlh->nlmsg_type, isec->sclass);
4272                         if (!selinux_enforcing)
4273                                 err = 0;
4274                 }
4275
4276                 /* Ignore */
4277                 if (err == -ENOENT)
4278                         err = 0;
4279                 goto out;
4280         }
4281
4282         err = socket_has_perm(current, sock, perm);
4283 out:
4284         return err;
4285 }
4286
4287 #ifdef CONFIG_NETFILTER
4288
4289 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4290                                        u16 family)
4291 {
4292         char *addrp;
4293         u32 peer_sid;
4294         struct avc_audit_data ad;
4295         u8 secmark_active;
4296         u8 peerlbl_active;
4297
4298         if (!selinux_policycap_netpeer)
4299                 return NF_ACCEPT;
4300
4301         secmark_active = selinux_secmark_enabled();
4302         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4303         if (!secmark_active && !peerlbl_active)
4304                 return NF_ACCEPT;
4305
4306         AVC_AUDIT_DATA_INIT(&ad, NET);
4307         ad.u.net.netif = ifindex;
4308         ad.u.net.family = family;
4309         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4310                 return NF_DROP;
4311
4312         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4313                 return NF_DROP;
4314
4315         if (peerlbl_active)
4316                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4317                                              peer_sid, &ad) != 0)
4318                         return NF_DROP;
4319
4320         if (secmark_active)
4321                 if (avc_has_perm(peer_sid, skb->secmark,
4322                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4323                         return NF_DROP;
4324
4325         return NF_ACCEPT;
4326 }
4327
4328 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4329                                          struct sk_buff *skb,
4330                                          const struct net_device *in,
4331                                          const struct net_device *out,
4332                                          int (*okfn)(struct sk_buff *))
4333 {
4334         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4335 }
4336
4337 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4338 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4339                                          struct sk_buff *skb,
4340                                          const struct net_device *in,
4341                                          const struct net_device *out,
4342                                          int (*okfn)(struct sk_buff *))
4343 {
4344         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4345 }
4346 #endif  /* IPV6 */
4347
4348 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4349                                                 int ifindex,
4350                                                 struct avc_audit_data *ad,
4351                                                 u16 family, char *addrp)
4352 {
4353         int err;
4354         struct sk_security_struct *sksec = sk->sk_security;
4355         u16 sk_class;
4356         u32 netif_perm, node_perm, send_perm;
4357         u32 port_sid, node_sid, if_sid, sk_sid;
4358
4359         sk_sid = sksec->sid;
4360         sk_class = sksec->sclass;
4361
4362         switch (sk_class) {
4363         case SECCLASS_UDP_SOCKET:
4364                 netif_perm = NETIF__UDP_SEND;
4365                 node_perm = NODE__UDP_SEND;
4366                 send_perm = UDP_SOCKET__SEND_MSG;
4367                 break;
4368         case SECCLASS_TCP_SOCKET:
4369                 netif_perm = NETIF__TCP_SEND;
4370                 node_perm = NODE__TCP_SEND;
4371                 send_perm = TCP_SOCKET__SEND_MSG;
4372                 break;
4373         case SECCLASS_DCCP_SOCKET:
4374                 netif_perm = NETIF__DCCP_SEND;
4375                 node_perm = NODE__DCCP_SEND;
4376                 send_perm = DCCP_SOCKET__SEND_MSG;
4377                 break;
4378         default:
4379                 netif_perm = NETIF__RAWIP_SEND;
4380                 node_perm = NODE__RAWIP_SEND;
4381                 send_perm = 0;
4382                 break;
4383         }
4384
4385         err = sel_netif_sid(ifindex, &if_sid);
4386         if (err)
4387                 return err;
4388         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4389                 return err;
4390                 
4391         err = sel_netnode_sid(addrp, family, &node_sid);
4392         if (err)
4393                 return err;
4394         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4395         if (err)
4396                 return err;
4397
4398         if (send_perm != 0)
4399                 return 0;
4400
4401         err = security_port_sid(sk->sk_family, sk->sk_type,
4402                                 sk->sk_protocol, ntohs(ad->u.net.dport),
4403                                 &port_sid);
4404         if (unlikely(err)) {
4405                 printk(KERN_WARNING
4406                        "SELinux: failure in"
4407                        " selinux_ip_postroute_iptables_compat(),"
4408                        " network port label not found\n");
4409                 return err;
4410         }
4411         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4412 }
4413
4414 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4415                                                 int ifindex,
4416                                                 struct avc_audit_data *ad,
4417                                                 u16 family,
4418                                                 char *addrp,
4419                                                 u8 proto)
4420 {
4421         struct sock *sk = skb->sk;
4422         struct sk_security_struct *sksec;
4423
4424         if (sk == NULL)
4425                 return NF_ACCEPT;
4426         sksec = sk->sk_security;
4427
4428         if (selinux_compat_net) {
4429                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4430                                                          ad, family, addrp))
4431                         return NF_DROP;
4432         } else {
4433                 if (avc_has_perm(sksec->sid, skb->secmark,
4434                                  SECCLASS_PACKET, PACKET__SEND, ad))
4435                         return NF_DROP;
4436         }
4437
4438         if (selinux_policycap_netpeer)
4439                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4440                         return NF_DROP;
4441
4442         return NF_ACCEPT;
4443 }
4444
4445 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4446                                          u16 family)
4447 {
4448         u32 secmark_perm;
4449         u32 peer_sid;
4450         struct sock *sk;
4451         struct avc_audit_data ad;
4452         char *addrp;
4453         u8 proto;
4454         u8 secmark_active;
4455         u8 peerlbl_active;
4456
4457         AVC_AUDIT_DATA_INIT(&ad, NET);
4458         ad.u.net.netif = ifindex;
4459         ad.u.net.family = family;
4460         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4461                 return NF_DROP;
4462
4463         /* If any sort of compatibility mode is enabled then handoff processing
4464          * to the selinux_ip_postroute_compat() function to deal with the
4465          * special handling.  We do this in an attempt to keep this function
4466          * as fast and as clean as possible. */
4467         if (selinux_compat_net || !selinux_policycap_netpeer)
4468                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4469                                                    family, addrp, proto);
4470
4471         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4472          * packet transformation so allow the packet to pass without any checks
4473          * since we'll have another chance to perform access control checks
4474          * when the packet is on it's final way out.
4475          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4476          *       is NULL, in this case go ahead and apply access control. */
4477         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4478                 return NF_ACCEPT;
4479
4480         secmark_active = selinux_secmark_enabled();
4481         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4482         if (!secmark_active && !peerlbl_active)
4483                 return NF_ACCEPT;
4484
4485         /* if the packet is locally generated (skb->sk != NULL) then use the
4486          * socket's label as the peer label, otherwise the packet is being
4487          * forwarded through this system and we need to fetch the peer label
4488          * directly from the packet */
4489         sk = skb->sk;
4490         if (sk) {
4491                 struct sk_security_struct *sksec = sk->sk_security;
4492                 peer_sid = sksec->sid;
4493                 secmark_perm = PACKET__SEND;
4494         } else {
4495                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4496                                 return NF_DROP;
4497                 secmark_perm = PACKET__FORWARD_OUT;
4498         }
4499
4500         if (secmark_active)
4501                 if (avc_has_perm(peer_sid, skb->secmark,
4502                                  SECCLASS_PACKET, secmark_perm, &ad))
4503                         return NF_DROP;
4504
4505         if (peerlbl_active) {
4506                 u32 if_sid;
4507                 u32 node_sid;
4508
4509                 if (sel_netif_sid(ifindex, &if_sid))
4510                         return NF_DROP;
4511                 if (avc_has_perm(peer_sid, if_sid,
4512                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4513                         return NF_DROP;
4514
4515                 if (sel_netnode_sid(addrp, family, &node_sid))
4516                         return NF_DROP;
4517                 if (avc_has_perm(peer_sid, node_sid,
4518                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4519                         return NF_DROP;
4520         }
4521
4522         return NF_ACCEPT;
4523 }
4524
4525 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4526                                            struct sk_buff *skb,
4527                                            const struct net_device *in,
4528                                            const struct net_device *out,
4529                                            int (*okfn)(struct sk_buff *))
4530 {
4531         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4532 }
4533
4534 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4535 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4536                                            struct sk_buff *skb,
4537                                            const struct net_device *in,
4538                                            const struct net_device *out,
4539                                            int (*okfn)(struct sk_buff *))
4540 {
4541         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4542 }
4543 #endif  /* IPV6 */
4544
4545 #endif  /* CONFIG_NETFILTER */
4546
4547 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4548 {
4549         int err;
4550
4551         err = secondary_ops->netlink_send(sk, skb);
4552         if (err)
4553                 return err;
4554
4555         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4556                 err = selinux_nlmsg_perm(sk, skb);
4557
4558         return err;
4559 }
4560
4561 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4562 {
4563         int err;
4564         struct avc_audit_data ad;
4565
4566         err = secondary_ops->netlink_recv(skb, capability);
4567         if (err)
4568                 return err;
4569
4570         AVC_AUDIT_DATA_INIT(&ad, CAP);
4571         ad.u.cap = capability;
4572
4573         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4574                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4575 }
4576
4577 static int ipc_alloc_security(struct task_struct *task,
4578                               struct kern_ipc_perm *perm,
4579                               u16 sclass)
4580 {
4581         struct task_security_struct *tsec = task->security;
4582         struct ipc_security_struct *isec;
4583
4584         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4585         if (!isec)
4586                 return -ENOMEM;
4587
4588         isec->sclass = sclass;
4589         isec->sid = tsec->sid;
4590         perm->security = isec;
4591
4592         return 0;
4593 }
4594
4595 static void ipc_free_security(struct kern_ipc_perm *perm)
4596 {
4597         struct ipc_security_struct *isec = perm->security;
4598         perm->security = NULL;
4599         kfree(isec);
4600 }
4601
4602 static int msg_msg_alloc_security(struct msg_msg *msg)
4603 {
4604         struct msg_security_struct *msec;
4605
4606         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4607         if (!msec)
4608                 return -ENOMEM;
4609
4610         msec->sid = SECINITSID_UNLABELED;
4611         msg->security = msec;
4612
4613         return 0;
4614 }
4615
4616 static void msg_msg_free_security(struct msg_msg *msg)
4617 {
4618         struct msg_security_struct *msec = msg->security;
4619
4620         msg->security = NULL;
4621         kfree(msec);
4622 }
4623
4624 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4625                         u32 perms)
4626 {
4627         struct task_security_struct *tsec;
4628         struct ipc_security_struct *isec;
4629         struct avc_audit_data ad;
4630
4631         tsec = current->security;
4632         isec = ipc_perms->security;
4633
4634         AVC_AUDIT_DATA_INIT(&ad, IPC);
4635         ad.u.ipc_id = ipc_perms->key;
4636
4637         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4638 }
4639
4640 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4641 {
4642         return msg_msg_alloc_security(msg);
4643 }
4644
4645 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4646 {
4647         msg_msg_free_security(msg);
4648 }
4649
4650 /* message queue security operations */
4651 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4652 {
4653         struct task_security_struct *tsec;
4654         struct ipc_security_struct *isec;
4655         struct avc_audit_data ad;
4656         int rc;
4657
4658         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4659         if (rc)
4660                 return rc;
4661
4662         tsec = current->security;
4663         isec = msq->q_perm.security;
4664
4665         AVC_AUDIT_DATA_INIT(&ad, IPC);
4666         ad.u.ipc_id = msq->q_perm.key;
4667
4668         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4669                           MSGQ__CREATE, &ad);
4670         if (rc) {
4671                 ipc_free_security(&msq->q_perm);
4672                 return rc;
4673         }
4674         return 0;
4675 }
4676
4677 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4678 {
4679         ipc_free_security(&msq->q_perm);
4680 }
4681
4682 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4683 {
4684         struct task_security_struct *tsec;
4685         struct ipc_security_struct *isec;
4686         struct avc_audit_data ad;
4687
4688         tsec = current->security;
4689         isec = msq->q_perm.security;
4690
4691         AVC_AUDIT_DATA_INIT(&ad, IPC);
4692         ad.u.ipc_id = msq->q_perm.key;
4693
4694         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4695                             MSGQ__ASSOCIATE, &ad);
4696 }
4697
4698 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4699 {
4700         int err;
4701         int perms;
4702
4703         switch(cmd) {
4704         case IPC_INFO:
4705         case MSG_INFO:
4706                 /* No specific object, just general system-wide information. */
4707                 return task_has_system(current, SYSTEM__IPC_INFO);
4708         case IPC_STAT:
4709         case MSG_STAT:
4710                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4711                 break;
4712         case IPC_SET:
4713                 perms = MSGQ__SETATTR;
4714                 break;
4715         case IPC_RMID:
4716                 perms = MSGQ__DESTROY;
4717                 break;
4718         default:
4719                 return 0;
4720         }
4721
4722         err = ipc_has_perm(&msq->q_perm, perms);
4723         return err;
4724 }
4725
4726 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4727 {
4728         struct task_security_struct *tsec;
4729         struct ipc_security_struct *isec;
4730         struct msg_security_struct *msec;
4731         struct avc_audit_data ad;
4732         int rc;
4733
4734         tsec = current->security;
4735         isec = msq->q_perm.security;
4736         msec = msg->security;
4737
4738         /*
4739          * First time through, need to assign label to the message
4740          */
4741         if (msec->sid == SECINITSID_UNLABELED) {
4742                 /*
4743                  * Compute new sid based on current process and
4744                  * message queue this message will be stored in
4745                  */
4746                 rc = security_transition_sid(tsec->sid,
4747                                              isec->sid,
4748                                              SECCLASS_MSG,
4749                                              &msec->sid);
4750                 if (rc)
4751                         return rc;
4752         }
4753
4754         AVC_AUDIT_DATA_INIT(&ad, IPC);
4755         ad.u.ipc_id = msq->q_perm.key;
4756
4757         /* Can this process write to the queue? */
4758         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4759                           MSGQ__WRITE, &ad);
4760         if (!rc)
4761                 /* Can this process send the message */
4762                 rc = avc_has_perm(tsec->sid, msec->sid,
4763                                   SECCLASS_MSG, MSG__SEND, &ad);
4764         if (!rc)
4765                 /* Can the message be put in the queue? */
4766                 rc = avc_has_perm(msec->sid, isec->sid,
4767                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4768
4769         return rc;
4770 }
4771
4772 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4773                                     struct task_struct *target,
4774                                     long type, int mode)
4775 {
4776         struct task_security_struct *tsec;
4777         struct ipc_security_struct *isec;
4778         struct msg_security_struct *msec;
4779         struct avc_audit_data ad;
4780         int rc;
4781
4782         tsec = target->security;
4783         isec = msq->q_perm.security;
4784         msec = msg->security;
4785
4786         AVC_AUDIT_DATA_INIT(&ad, IPC);
4787         ad.u.ipc_id = msq->q_perm.key;
4788
4789         rc = avc_has_perm(tsec->sid, isec->sid,
4790                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4791         if (!rc)
4792                 rc = avc_has_perm(tsec->sid, msec->sid,
4793                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4794         return rc;
4795 }
4796
4797 /* Shared Memory security operations */
4798 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4799 {
4800         struct task_security_struct *tsec;
4801         struct ipc_security_struct *isec;
4802         struct avc_audit_data ad;
4803         int rc;
4804
4805         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4806         if (rc)
4807                 return rc;
4808
4809         tsec = current->security;
4810         isec = shp->shm_perm.security;
4811
4812         AVC_AUDIT_DATA_INIT(&ad, IPC);
4813         ad.u.ipc_id = shp->shm_perm.key;
4814
4815         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4816                           SHM__CREATE, &ad);
4817         if (rc) {
4818                 ipc_free_security(&shp->shm_perm);
4819                 return rc;
4820         }
4821         return 0;
4822 }
4823
4824 static void selinux_shm_free_security(struct shmid_kernel *shp)
4825 {
4826         ipc_free_security(&shp->shm_perm);
4827 }
4828
4829 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4830 {
4831         struct task_security_struct *tsec;
4832         struct ipc_security_struct *isec;
4833         struct avc_audit_data ad;
4834
4835         tsec = current->security;
4836         isec = shp->shm_perm.security;
4837
4838         AVC_AUDIT_DATA_INIT(&ad, IPC);
4839         ad.u.ipc_id = shp->shm_perm.key;
4840
4841         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4842                             SHM__ASSOCIATE, &ad);
4843 }
4844
4845 /* Note, at this point, shp is locked down */
4846 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4847 {
4848         int perms;
4849         int err;
4850
4851         switch(cmd) {
4852         case IPC_INFO:
4853         case SHM_INFO:
4854                 /* No specific object, just general system-wide information. */
4855                 return task_has_system(current, SYSTEM__IPC_INFO);
4856         case IPC_STAT:
4857         case SHM_STAT:
4858                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4859                 break;
4860         case IPC_SET:
4861                 perms = SHM__SETATTR;
4862                 break;
4863         case SHM_LOCK:
4864         case SHM_UNLOCK:
4865                 perms = SHM__LOCK;
4866                 break;
4867         case IPC_RMID:
4868                 perms = SHM__DESTROY;
4869                 break;
4870         default:
4871                 return 0;
4872         }
4873
4874         err = ipc_has_perm(&shp->shm_perm, perms);
4875         return err;
4876 }
4877
4878 static int selinux_shm_shmat(struct shmid_kernel *shp,
4879                              char __user *shmaddr, int shmflg)
4880 {
4881         u32 perms;
4882         int rc;
4883
4884         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4885         if (rc)
4886                 return rc;
4887
4888         if (shmflg & SHM_RDONLY)
4889                 perms = SHM__READ;
4890         else
4891                 perms = SHM__READ | SHM__WRITE;
4892
4893         return ipc_has_perm(&shp->shm_perm, perms);
4894 }
4895
4896 /* Semaphore security operations */
4897 static int selinux_sem_alloc_security(struct sem_array *sma)
4898 {
4899         struct task_security_struct *tsec;
4900         struct ipc_security_struct *isec;
4901         struct avc_audit_data ad;
4902         int rc;
4903
4904         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4905         if (rc)
4906                 return rc;
4907
4908         tsec = current->security;
4909         isec = sma->sem_perm.security;
4910
4911         AVC_AUDIT_DATA_INIT(&ad, IPC);
4912         ad.u.ipc_id = sma->sem_perm.key;
4913
4914         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4915                           SEM__CREATE, &ad);
4916         if (rc) {
4917                 ipc_free_security(&sma->sem_perm);
4918                 return rc;
4919         }
4920         return 0;
4921 }
4922
4923 static void selinux_sem_free_security(struct sem_array *sma)
4924 {
4925         ipc_free_security(&sma->sem_perm);
4926 }
4927
4928 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4929 {
4930         struct task_security_struct *tsec;
4931         struct ipc_security_struct *isec;
4932         struct avc_audit_data ad;
4933
4934         tsec = current->security;
4935         isec = sma->sem_perm.security;
4936
4937         AVC_AUDIT_DATA_INIT(&ad, IPC);
4938         ad.u.ipc_id = sma->sem_perm.key;
4939
4940         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4941                             SEM__ASSOCIATE, &ad);
4942 }
4943
4944 /* Note, at this point, sma is locked down */
4945 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4946 {
4947         int err;
4948         u32 perms;
4949
4950         switch(cmd) {
4951         case IPC_INFO:
4952         case SEM_INFO:
4953                 /* No specific object, just general system-wide information. */
4954                 return task_has_system(current, SYSTEM__IPC_INFO);
4955         case GETPID:
4956         case GETNCNT:
4957         case GETZCNT:
4958                 perms = SEM__GETATTR;
4959                 break;
4960         case GETVAL:
4961         case GETALL:
4962                 perms = SEM__READ;
4963                 break;
4964         case SETVAL:
4965         case SETALL:
4966                 perms = SEM__WRITE;
4967                 break;
4968         case IPC_RMID:
4969                 perms = SEM__DESTROY;
4970                 break;
4971         case IPC_SET:
4972                 perms = SEM__SETATTR;
4973                 break;
4974         case IPC_STAT:
4975         case SEM_STAT:
4976                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4977                 break;
4978         default:
4979                 return 0;
4980         }
4981
4982         err = ipc_has_perm(&sma->sem_perm, perms);
4983         return err;
4984 }
4985
4986 static int selinux_sem_semop(struct sem_array *sma,
4987                              struct sembuf *sops, unsigned nsops, int alter)
4988 {
4989         u32 perms;
4990
4991         if (alter)
4992                 perms = SEM__READ | SEM__WRITE;
4993         else
4994                 perms = SEM__READ;
4995
4996         return ipc_has_perm(&sma->sem_perm, perms);
4997 }
4998
4999 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5000 {
5001         u32 av = 0;
5002
5003         av = 0;
5004         if (flag & S_IRUGO)
5005                 av |= IPC__UNIX_READ;
5006         if (flag & S_IWUGO)
5007                 av |= IPC__UNIX_WRITE;
5008
5009         if (av == 0)
5010                 return 0;
5011
5012         return ipc_has_perm(ipcp, av);
5013 }
5014
5015 /* module stacking operations */
5016 static int selinux_register_security (const char *name, struct security_operations *ops)
5017 {
5018         if (secondary_ops != original_ops) {
5019                 printk(KERN_ERR "%s:  There is already a secondary security "
5020                        "module registered.\n", __FUNCTION__);
5021                 return -EINVAL;
5022         }
5023
5024         secondary_ops = ops;
5025
5026         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5027                __FUNCTION__,
5028                name);
5029
5030         return 0;
5031 }
5032
5033 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5034 {
5035         if (inode)
5036                 inode_doinit_with_dentry(inode, dentry);
5037 }
5038
5039 static int selinux_getprocattr(struct task_struct *p,
5040                                char *name, char **value)
5041 {
5042         struct task_security_struct *tsec;
5043         u32 sid;
5044         int error;
5045         unsigned len;
5046
5047         if (current != p) {
5048                 error = task_has_perm(current, p, PROCESS__GETATTR);
5049                 if (error)
5050                         return error;
5051         }
5052
5053         tsec = p->security;
5054
5055         if (!strcmp(name, "current"))
5056                 sid = tsec->sid;
5057         else if (!strcmp(name, "prev"))
5058                 sid = tsec->osid;
5059         else if (!strcmp(name, "exec"))
5060                 sid = tsec->exec_sid;
5061         else if (!strcmp(name, "fscreate"))
5062                 sid = tsec->create_sid;
5063         else if (!strcmp(name, "keycreate"))
5064                 sid = tsec->keycreate_sid;
5065         else if (!strcmp(name, "sockcreate"))
5066                 sid = tsec->sockcreate_sid;
5067         else
5068                 return -EINVAL;
5069
5070         if (!sid)
5071                 return 0;
5072
5073         error = security_sid_to_context(sid, value, &len);
5074         if (error)
5075                 return error;
5076         return len;
5077 }
5078
5079 static int selinux_setprocattr(struct task_struct *p,
5080                                char *name, void *value, size_t size)
5081 {
5082         struct task_security_struct *tsec;
5083         u32 sid = 0;
5084         int error;
5085         char *str = value;
5086
5087         if (current != p) {
5088                 /* SELinux only allows a process to change its own
5089                    security attributes. */
5090                 return -EACCES;
5091         }
5092
5093         /*
5094          * Basic control over ability to set these attributes at all.
5095          * current == p, but we'll pass them separately in case the
5096          * above restriction is ever removed.
5097          */
5098         if (!strcmp(name, "exec"))
5099                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5100         else if (!strcmp(name, "fscreate"))
5101                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5102         else if (!strcmp(name, "keycreate"))
5103                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5104         else if (!strcmp(name, "sockcreate"))
5105                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5106         else if (!strcmp(name, "current"))
5107                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5108         else
5109                 error = -EINVAL;
5110         if (error)
5111                 return error;
5112
5113         /* Obtain a SID for the context, if one was specified. */
5114         if (size && str[1] && str[1] != '\n') {
5115                 if (str[size-1] == '\n') {
5116                         str[size-1] = 0;
5117                         size--;
5118                 }
5119                 error = security_context_to_sid(value, size, &sid);
5120                 if (error)
5121                         return error;
5122         }
5123
5124         /* Permission checking based on the specified context is
5125            performed during the actual operation (execve,
5126            open/mkdir/...), when we know the full context of the
5127            operation.  See selinux_bprm_set_security for the execve
5128            checks and may_create for the file creation checks. The
5129            operation will then fail if the context is not permitted. */
5130         tsec = p->security;
5131         if (!strcmp(name, "exec"))
5132                 tsec->exec_sid = sid;
5133         else if (!strcmp(name, "fscreate"))
5134                 tsec->create_sid = sid;
5135         else if (!strcmp(name, "keycreate")) {
5136                 error = may_create_key(sid, p);
5137                 if (error)
5138                         return error;
5139                 tsec->keycreate_sid = sid;
5140         } else if (!strcmp(name, "sockcreate"))
5141                 tsec->sockcreate_sid = sid;
5142         else if (!strcmp(name, "current")) {
5143                 struct av_decision avd;
5144
5145                 if (sid == 0)
5146                         return -EINVAL;
5147
5148                 /* Only allow single threaded processes to change context */
5149                 if (atomic_read(&p->mm->mm_users) != 1) {
5150                         struct task_struct *g, *t;
5151                         struct mm_struct *mm = p->mm;
5152                         read_lock(&tasklist_lock);
5153                         do_each_thread(g, t)
5154                                 if (t->mm == mm && t != p) {
5155                                         read_unlock(&tasklist_lock);
5156                                         return -EPERM;
5157                                 }
5158                         while_each_thread(g, t);
5159                         read_unlock(&tasklist_lock);
5160                 }
5161
5162                 /* Check permissions for the transition. */
5163                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5164                                      PROCESS__DYNTRANSITION, NULL);
5165                 if (error)
5166                         return error;
5167
5168                 /* Check for ptracing, and update the task SID if ok.
5169                    Otherwise, leave SID unchanged and fail. */
5170                 task_lock(p);
5171                 if (p->ptrace & PT_PTRACED) {
5172                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5173                                                      SECCLASS_PROCESS,
5174                                                      PROCESS__PTRACE, 0, &avd);
5175                         if (!error)
5176                                 tsec->sid = sid;
5177                         task_unlock(p);
5178                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5179                                   PROCESS__PTRACE, &avd, error, NULL);
5180                         if (error)
5181                                 return error;
5182                 } else {
5183                         tsec->sid = sid;
5184                         task_unlock(p);
5185                 }
5186         }
5187         else
5188                 return -EINVAL;
5189
5190         return size;
5191 }
5192
5193 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5194 {
5195         return security_sid_to_context(secid, secdata, seclen);
5196 }
5197
5198 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5199 {
5200         return security_context_to_sid(secdata, seclen, secid);
5201 }
5202
5203 static void selinux_release_secctx(char *secdata, u32 seclen)
5204 {
5205         kfree(secdata);
5206 }
5207
5208 #ifdef CONFIG_KEYS
5209
5210 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5211                              unsigned long flags)
5212 {
5213         struct task_security_struct *tsec = tsk->security;
5214         struct key_security_struct *ksec;
5215
5216         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5217         if (!ksec)
5218                 return -ENOMEM;
5219
5220         if (tsec->keycreate_sid)
5221                 ksec->sid = tsec->keycreate_sid;
5222         else
5223                 ksec->sid = tsec->sid;
5224         k->security = ksec;
5225
5226         return 0;
5227 }
5228
5229 static void selinux_key_free(struct key *k)
5230 {
5231         struct key_security_struct *ksec = k->security;
5232
5233         k->security = NULL;
5234         kfree(ksec);
5235 }
5236
5237 static int selinux_key_permission(key_ref_t key_ref,
5238                             struct task_struct *ctx,
5239                             key_perm_t perm)
5240 {
5241         struct key *key;
5242         struct task_security_struct *tsec;
5243         struct key_security_struct *ksec;
5244
5245         key = key_ref_to_ptr(key_ref);
5246
5247         tsec = ctx->security;
5248         ksec = key->security;
5249
5250         /* if no specific permissions are requested, we skip the
5251            permission check. No serious, additional covert channels
5252            appear to be created. */
5253         if (perm == 0)
5254                 return 0;
5255
5256         return avc_has_perm(tsec->sid, ksec->sid,
5257                             SECCLASS_KEY, perm, NULL);
5258 }
5259
5260 #endif
5261
5262 static struct security_operations selinux_ops = {
5263         .ptrace =                       selinux_ptrace,
5264         .capget =                       selinux_capget,
5265         .capset_check =                 selinux_capset_check,
5266         .capset_set =                   selinux_capset_set,
5267         .sysctl =                       selinux_sysctl,
5268         .capable =                      selinux_capable,
5269         .quotactl =                     selinux_quotactl,
5270         .quota_on =                     selinux_quota_on,
5271         .syslog =                       selinux_syslog,
5272         .vm_enough_memory =             selinux_vm_enough_memory,
5273
5274         .netlink_send =                 selinux_netlink_send,
5275         .netlink_recv =                 selinux_netlink_recv,
5276
5277         .bprm_alloc_security =          selinux_bprm_alloc_security,
5278         .bprm_free_security =           selinux_bprm_free_security,
5279         .bprm_apply_creds =             selinux_bprm_apply_creds,
5280         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5281         .bprm_set_security =            selinux_bprm_set_security,
5282         .bprm_check_security =          selinux_bprm_check_security,
5283         .bprm_secureexec =              selinux_bprm_secureexec,
5284
5285         .sb_alloc_security =            selinux_sb_alloc_security,
5286         .sb_free_security =             selinux_sb_free_security,
5287         .sb_copy_data =                 selinux_sb_copy_data,
5288         .sb_kern_mount =                selinux_sb_kern_mount,
5289         .sb_statfs =                    selinux_sb_statfs,
5290         .sb_mount =                     selinux_mount,
5291         .sb_umount =                    selinux_umount,
5292         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5293         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5294         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5295         .sb_parse_opts_str =            selinux_parse_opts_str,
5296
5297
5298         .inode_alloc_security =         selinux_inode_alloc_security,
5299         .inode_free_security =          selinux_inode_free_security,
5300         .inode_init_security =          selinux_inode_init_security,
5301         .inode_create =                 selinux_inode_create,
5302         .inode_link =                   selinux_inode_link,
5303         .inode_unlink =                 selinux_inode_unlink,
5304         .inode_symlink =                selinux_inode_symlink,
5305         .inode_mkdir =                  selinux_inode_mkdir,
5306         .inode_rmdir =                  selinux_inode_rmdir,
5307         .inode_mknod =                  selinux_inode_mknod,
5308         .inode_rename =                 selinux_inode_rename,
5309         .inode_readlink =               selinux_inode_readlink,
5310         .inode_follow_link =            selinux_inode_follow_link,
5311         .inode_permission =             selinux_inode_permission,
5312         .inode_setattr =                selinux_inode_setattr,
5313         .inode_getattr =                selinux_inode_getattr,
5314         .inode_setxattr =               selinux_inode_setxattr,
5315         .inode_post_setxattr =          selinux_inode_post_setxattr,
5316         .inode_getxattr =               selinux_inode_getxattr,
5317         .inode_listxattr =              selinux_inode_listxattr,
5318         .inode_removexattr =            selinux_inode_removexattr,
5319         .inode_getsecurity =            selinux_inode_getsecurity,
5320         .inode_setsecurity =            selinux_inode_setsecurity,
5321         .inode_listsecurity =           selinux_inode_listsecurity,
5322         .inode_need_killpriv =          selinux_inode_need_killpriv,
5323         .inode_killpriv =               selinux_inode_killpriv,
5324
5325         .file_permission =              selinux_file_permission,
5326         .file_alloc_security =          selinux_file_alloc_security,
5327         .file_free_security =           selinux_file_free_security,
5328         .file_ioctl =                   selinux_file_ioctl,
5329         .file_mmap =                    selinux_file_mmap,
5330         .file_mprotect =                selinux_file_mprotect,
5331         .file_lock =                    selinux_file_lock,
5332         .file_fcntl =                   selinux_file_fcntl,
5333         .file_set_fowner =              selinux_file_set_fowner,
5334         .file_send_sigiotask =          selinux_file_send_sigiotask,
5335         .file_receive =                 selinux_file_receive,
5336
5337         .dentry_open =                  selinux_dentry_open,
5338
5339         .task_create =                  selinux_task_create,
5340         .task_alloc_security =          selinux_task_alloc_security,
5341         .task_free_security =           selinux_task_free_security,
5342         .task_setuid =                  selinux_task_setuid,
5343         .task_post_setuid =             selinux_task_post_setuid,
5344         .task_setgid =                  selinux_task_setgid,
5345         .task_setpgid =                 selinux_task_setpgid,
5346         .task_getpgid =                 selinux_task_getpgid,
5347         .task_getsid =                  selinux_task_getsid,
5348         .task_getsecid =                selinux_task_getsecid,
5349         .task_setgroups =               selinux_task_setgroups,
5350         .task_setnice =                 selinux_task_setnice,
5351         .task_setioprio =               selinux_task_setioprio,
5352         .task_getioprio =               selinux_task_getioprio,
5353         .task_setrlimit =               selinux_task_setrlimit,
5354         .task_setscheduler =            selinux_task_setscheduler,
5355         .task_getscheduler =            selinux_task_getscheduler,
5356         .task_movememory =              selinux_task_movememory,
5357         .task_kill =                    selinux_task_kill,
5358         .task_wait =                    selinux_task_wait,
5359         .task_prctl =                   selinux_task_prctl,
5360         .task_reparent_to_init =        selinux_task_reparent_to_init,
5361         .task_to_inode =                selinux_task_to_inode,
5362
5363         .ipc_permission =               selinux_ipc_permission,
5364
5365         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5366         .msg_msg_free_security =        selinux_msg_msg_free_security,
5367
5368         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5369         .msg_queue_free_security =      selinux_msg_queue_free_security,
5370         .msg_queue_associate =          selinux_msg_queue_associate,
5371         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5372         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5373         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5374
5375         .shm_alloc_security =           selinux_shm_alloc_security,
5376         .shm_free_security =            selinux_shm_free_security,
5377         .shm_associate =                selinux_shm_associate,
5378         .shm_shmctl =                   selinux_shm_shmctl,
5379         .shm_shmat =                    selinux_shm_shmat,
5380
5381         .sem_alloc_security =           selinux_sem_alloc_security,
5382         .sem_free_security =            selinux_sem_free_security,
5383         .sem_associate =                selinux_sem_associate,
5384         .sem_semctl =                   selinux_sem_semctl,
5385         .sem_semop =                    selinux_sem_semop,
5386
5387         .register_security =            selinux_register_security,
5388
5389         .d_instantiate =                selinux_d_instantiate,
5390
5391         .getprocattr =                  selinux_getprocattr,
5392         .setprocattr =                  selinux_setprocattr,
5393
5394         .secid_to_secctx =              selinux_secid_to_secctx,
5395         .secctx_to_secid =              selinux_secctx_to_secid,
5396         .release_secctx =               selinux_release_secctx,
5397
5398         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5399         .unix_may_send =                selinux_socket_unix_may_send,
5400
5401         .socket_create =                selinux_socket_create,
5402         .socket_post_create =           selinux_socket_post_create,
5403         .socket_bind =                  selinux_socket_bind,
5404         .socket_connect =               selinux_socket_connect,
5405         .socket_listen =                selinux_socket_listen,
5406         .socket_accept =                selinux_socket_accept,
5407         .socket_sendmsg =               selinux_socket_sendmsg,
5408         .socket_recvmsg =               selinux_socket_recvmsg,
5409         .socket_getsockname =           selinux_socket_getsockname,
5410         .socket_getpeername =           selinux_socket_getpeername,
5411         .socket_getsockopt =            selinux_socket_getsockopt,
5412         .socket_setsockopt =            selinux_socket_setsockopt,
5413         .socket_shutdown =              selinux_socket_shutdown,
5414         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5415         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5416         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5417         .sk_alloc_security =            selinux_sk_alloc_security,
5418         .sk_free_security =             selinux_sk_free_security,
5419         .sk_clone_security =            selinux_sk_clone_security,
5420         .sk_getsecid =                  selinux_sk_getsecid,
5421         .sock_graft =                   selinux_sock_graft,
5422         .inet_conn_request =            selinux_inet_conn_request,
5423         .inet_csk_clone =               selinux_inet_csk_clone,
5424         .inet_conn_established =        selinux_inet_conn_established,
5425         .req_classify_flow =            selinux_req_classify_flow,
5426
5427 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5428         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5429         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5430         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5431         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5432         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5433         .xfrm_state_free_security =     selinux_xfrm_state_free,
5434         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5435         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5436         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5437         .xfrm_decode_session =          selinux_xfrm_decode_session,
5438 #endif
5439
5440 #ifdef CONFIG_KEYS
5441         .key_alloc =                    selinux_key_alloc,
5442         .key_free =                     selinux_key_free,
5443         .key_permission =               selinux_key_permission,
5444 #endif
5445 };
5446
5447 static __init int selinux_init(void)
5448 {
5449         struct task_security_struct *tsec;
5450
5451         if (!selinux_enabled) {
5452                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5453                 return 0;
5454         }
5455
5456         printk(KERN_INFO "SELinux:  Initializing.\n");
5457
5458         /* Set the security state for the initial task. */
5459         if (task_alloc_security(current))
5460                 panic("SELinux:  Failed to initialize initial task.\n");
5461         tsec = current->security;
5462         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5463
5464         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5465                                             sizeof(struct inode_security_struct),
5466                                             0, SLAB_PANIC, NULL);
5467         avc_init();
5468
5469         original_ops = secondary_ops = security_ops;
5470         if (!secondary_ops)
5471                 panic ("SELinux: No initial security operations\n");
5472         if (register_security (&selinux_ops))
5473                 panic("SELinux: Unable to register with kernel.\n");
5474
5475         if (selinux_enforcing) {
5476                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5477         } else {
5478                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5479         }
5480
5481 #ifdef CONFIG_KEYS
5482         /* Add security information to initial keyrings */
5483         selinux_key_alloc(&root_user_keyring, current,
5484                           KEY_ALLOC_NOT_IN_QUOTA);
5485         selinux_key_alloc(&root_session_keyring, current,
5486                           KEY_ALLOC_NOT_IN_QUOTA);
5487 #endif
5488
5489         return 0;
5490 }
5491
5492 void selinux_complete_init(void)
5493 {
5494         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5495
5496         /* Set up any superblocks initialized prior to the policy load. */
5497         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5498         spin_lock(&sb_lock);
5499         spin_lock(&sb_security_lock);
5500 next_sb:
5501         if (!list_empty(&superblock_security_head)) {
5502                 struct superblock_security_struct *sbsec =
5503                                 list_entry(superblock_security_head.next,
5504                                            struct superblock_security_struct,
5505                                            list);
5506                 struct super_block *sb = sbsec->sb;
5507                 sb->s_count++;
5508                 spin_unlock(&sb_security_lock);
5509                 spin_unlock(&sb_lock);
5510                 down_read(&sb->s_umount);
5511                 if (sb->s_root)
5512                         superblock_doinit(sb, NULL);
5513                 drop_super(sb);
5514                 spin_lock(&sb_lock);
5515                 spin_lock(&sb_security_lock);
5516                 list_del_init(&sbsec->list);
5517                 goto next_sb;
5518         }
5519         spin_unlock(&sb_security_lock);
5520         spin_unlock(&sb_lock);
5521 }
5522
5523 /* SELinux requires early initialization in order to label
5524    all processes and objects when they are created. */
5525 security_initcall(selinux_init);
5526
5527 #if defined(CONFIG_NETFILTER)
5528
5529 static struct nf_hook_ops selinux_ipv4_ops[] = {
5530         {
5531                 .hook =         selinux_ipv4_postroute,
5532                 .owner =        THIS_MODULE,
5533                 .pf =           PF_INET,
5534                 .hooknum =      NF_INET_POST_ROUTING,
5535                 .priority =     NF_IP_PRI_SELINUX_LAST,
5536         },
5537         {
5538                 .hook =         selinux_ipv4_forward,
5539                 .owner =        THIS_MODULE,
5540                 .pf =           PF_INET,
5541                 .hooknum =      NF_INET_FORWARD,
5542                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5543         }
5544 };
5545
5546 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5547
5548 static struct nf_hook_ops selinux_ipv6_ops[] = {
5549         {
5550                 .hook =         selinux_ipv6_postroute,
5551                 .owner =        THIS_MODULE,
5552                 .pf =           PF_INET6,
5553                 .hooknum =      NF_INET_POST_ROUTING,
5554                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5555         },
5556         {
5557                 .hook =         selinux_ipv6_forward,
5558                 .owner =        THIS_MODULE,
5559                 .pf =           PF_INET6,
5560                 .hooknum =      NF_INET_FORWARD,
5561                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5562         }
5563 };
5564
5565 #endif  /* IPV6 */
5566
5567 static int __init selinux_nf_ip_init(void)
5568 {
5569         int err = 0;
5570         u32 iter;
5571
5572         if (!selinux_enabled)
5573                 goto out;
5574
5575         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5576
5577         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5578                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5579                 if (err)
5580                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5581                               err);
5582         }
5583
5584 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5585         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5586                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5587                 if (err)
5588                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5589                               err);
5590         }
5591 #endif  /* IPV6 */
5592
5593 out:
5594         return err;
5595 }
5596
5597 __initcall(selinux_nf_ip_init);
5598
5599 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5600 static void selinux_nf_ip_exit(void)
5601 {
5602         u32 iter;
5603
5604         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5605
5606         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5607                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5608 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5609         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5610                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5611 #endif  /* IPV6 */
5612 }
5613 #endif
5614
5615 #else /* CONFIG_NETFILTER */
5616
5617 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5618 #define selinux_nf_ip_exit()
5619 #endif
5620
5621 #endif /* CONFIG_NETFILTER */
5622
5623 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5624 int selinux_disable(void)
5625 {
5626         extern void exit_sel_fs(void);
5627         static int selinux_disabled = 0;
5628
5629         if (ss_initialized) {
5630                 /* Not permitted after initial policy load. */
5631                 return -EINVAL;
5632         }
5633
5634         if (selinux_disabled) {
5635                 /* Only do this once. */
5636                 return -EINVAL;
5637         }
5638
5639         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5640
5641         selinux_disabled = 1;
5642         selinux_enabled = 0;
5643
5644         /* Reset security_ops to the secondary module, dummy or capability. */
5645         security_ops = secondary_ops;
5646
5647         /* Unregister netfilter hooks. */
5648         selinux_nf_ip_exit();
5649
5650         /* Unregister selinuxfs. */
5651         exit_sel_fs();
5652
5653         return 0;
5654 }
5655 #endif
5656
5657