[PATCH] selinux: fix sb_lock/sb_security_lock nesting
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
86
87 static int __init enforcing_setup(char *str)
88 {
89         selinux_enforcing = simple_strtol(str,NULL,0);
90         return 1;
91 }
92 __setup("enforcing=", enforcing_setup);
93 #endif
94
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98 static int __init selinux_enabled_setup(char *str)
99 {
100         selinux_enabled = simple_strtol(str, NULL, 0);
101         return 1;
102 }
103 __setup("selinux=", selinux_enabled_setup);
104 #else
105 int selinux_enabled = 1;
106 #endif
107
108 /* Original (dummy) security module. */
109 static struct security_operations *original_ops = NULL;
110
111 /* Minimal support for a secondary security module,
112    just to allow the use of the dummy or capability modules.
113    The owlsm module can alternatively be used as a secondary
114    module as long as CONFIG_OWLSM_FD is not enabled. */
115 static struct security_operations *secondary_ops = NULL;
116
117 /* Lists of inode and superblock security structures initialized
118    before the policy was loaded. */
119 static LIST_HEAD(superblock_security_head);
120 static DEFINE_SPINLOCK(sb_security_lock);
121
122 static kmem_cache_t *sel_inode_cache;
123
124 /* Return security context for a given sid or just the context 
125    length if the buffer is null or length is 0 */
126 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
127 {
128         char *context;
129         unsigned len;
130         int rc;
131
132         rc = security_sid_to_context(sid, &context, &len);
133         if (rc)
134                 return rc;
135
136         if (!buffer || !size)
137                 goto getsecurity_exit;
138
139         if (size < len) {
140                 len = -ERANGE;
141                 goto getsecurity_exit;
142         }
143         memcpy(buffer, context, len);
144
145 getsecurity_exit:
146         kfree(context);
147         return len;
148 }
149
150 /* Allocate and free functions for each kind of security blob. */
151
152 static int task_alloc_security(struct task_struct *task)
153 {
154         struct task_security_struct *tsec;
155
156         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
157         if (!tsec)
158                 return -ENOMEM;
159
160         tsec->task = task;
161         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
162         task->security = tsec;
163
164         return 0;
165 }
166
167 static void task_free_security(struct task_struct *task)
168 {
169         struct task_security_struct *tsec = task->security;
170         task->security = NULL;
171         kfree(tsec);
172 }
173
174 static int inode_alloc_security(struct inode *inode)
175 {
176         struct task_security_struct *tsec = current->security;
177         struct inode_security_struct *isec;
178
179         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
180         if (!isec)
181                 return -ENOMEM;
182
183         memset(isec, 0, sizeof(*isec));
184         init_MUTEX(&isec->sem);
185         INIT_LIST_HEAD(&isec->list);
186         isec->inode = inode;
187         isec->sid = SECINITSID_UNLABELED;
188         isec->sclass = SECCLASS_FILE;
189         isec->task_sid = tsec->sid;
190         inode->i_security = isec;
191
192         return 0;
193 }
194
195 static void inode_free_security(struct inode *inode)
196 {
197         struct inode_security_struct *isec = inode->i_security;
198         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
199
200         spin_lock(&sbsec->isec_lock);
201         if (!list_empty(&isec->list))
202                 list_del_init(&isec->list);
203         spin_unlock(&sbsec->isec_lock);
204
205         inode->i_security = NULL;
206         kmem_cache_free(sel_inode_cache, isec);
207 }
208
209 static int file_alloc_security(struct file *file)
210 {
211         struct task_security_struct *tsec = current->security;
212         struct file_security_struct *fsec;
213
214         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
215         if (!fsec)
216                 return -ENOMEM;
217
218         fsec->file = file;
219         fsec->sid = tsec->sid;
220         fsec->fown_sid = tsec->sid;
221         file->f_security = fsec;
222
223         return 0;
224 }
225
226 static void file_free_security(struct file *file)
227 {
228         struct file_security_struct *fsec = file->f_security;
229         file->f_security = NULL;
230         kfree(fsec);
231 }
232
233 static int superblock_alloc_security(struct super_block *sb)
234 {
235         struct superblock_security_struct *sbsec;
236
237         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
238         if (!sbsec)
239                 return -ENOMEM;
240
241         init_MUTEX(&sbsec->sem);
242         INIT_LIST_HEAD(&sbsec->list);
243         INIT_LIST_HEAD(&sbsec->isec_head);
244         spin_lock_init(&sbsec->isec_lock);
245         sbsec->sb = sb;
246         sbsec->sid = SECINITSID_UNLABELED;
247         sbsec->def_sid = SECINITSID_FILE;
248         sb->s_security = sbsec;
249
250         return 0;
251 }
252
253 static void superblock_free_security(struct super_block *sb)
254 {
255         struct superblock_security_struct *sbsec = sb->s_security;
256
257         spin_lock(&sb_security_lock);
258         if (!list_empty(&sbsec->list))
259                 list_del_init(&sbsec->list);
260         spin_unlock(&sb_security_lock);
261
262         sb->s_security = NULL;
263         kfree(sbsec);
264 }
265
266 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
267 {
268         struct sk_security_struct *ssec;
269
270         if (family != PF_UNIX)
271                 return 0;
272
273         ssec = kzalloc(sizeof(*ssec), priority);
274         if (!ssec)
275                 return -ENOMEM;
276
277         ssec->sk = sk;
278         ssec->peer_sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         return 0;
282 }
283
284 static void sk_free_security(struct sock *sk)
285 {
286         struct sk_security_struct *ssec = sk->sk_security;
287
288         if (sk->sk_family != PF_UNIX)
289                 return;
290
291         sk->sk_security = NULL;
292         kfree(ssec);
293 }
294
295 /* The security server must be initialized before
296    any labeling or access decisions can be provided. */
297 extern int ss_initialized;
298
299 /* The file system's label must be initialized prior to use. */
300
301 static char *labeling_behaviors[6] = {
302         "uses xattr",
303         "uses transition SIDs",
304         "uses task SIDs",
305         "uses genfs_contexts",
306         "not configured for labeling",
307         "uses mountpoint labeling",
308 };
309
310 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311
312 static inline int inode_doinit(struct inode *inode)
313 {
314         return inode_doinit_with_dentry(inode, NULL);
315 }
316
317 enum {
318         Opt_context = 1,
319         Opt_fscontext = 2,
320         Opt_defcontext = 4,
321 };
322
323 static match_table_t tokens = {
324         {Opt_context, "context=%s"},
325         {Opt_fscontext, "fscontext=%s"},
326         {Opt_defcontext, "defcontext=%s"},
327 };
328
329 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
330
331 static int try_context_mount(struct super_block *sb, void *data)
332 {
333         char *context = NULL, *defcontext = NULL;
334         const char *name;
335         u32 sid;
336         int alloc = 0, rc = 0, seen = 0;
337         struct task_security_struct *tsec = current->security;
338         struct superblock_security_struct *sbsec = sb->s_security;
339
340         if (!data)
341                 goto out;
342
343         name = sb->s_type->name;
344
345         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
346
347                 /* NFS we understand. */
348                 if (!strcmp(name, "nfs")) {
349                         struct nfs_mount_data *d = data;
350
351                         if (d->version <  NFS_MOUNT_VERSION)
352                                 goto out;
353
354                         if (d->context[0]) {
355                                 context = d->context;
356                                 seen |= Opt_context;
357                         }
358                 } else
359                         goto out;
360
361         } else {
362                 /* Standard string-based options. */
363                 char *p, *options = data;
364
365                 while ((p = strsep(&options, ",")) != NULL) {
366                         int token;
367                         substring_t args[MAX_OPT_ARGS];
368
369                         if (!*p)
370                                 continue;
371
372                         token = match_token(p, tokens, args);
373
374                         switch (token) {
375                         case Opt_context:
376                                 if (seen) {
377                                         rc = -EINVAL;
378                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
379                                         goto out_free;
380                                 }
381                                 context = match_strdup(&args[0]);
382                                 if (!context) {
383                                         rc = -ENOMEM;
384                                         goto out_free;
385                                 }
386                                 if (!alloc)
387                                         alloc = 1;
388                                 seen |= Opt_context;
389                                 break;
390
391                         case Opt_fscontext:
392                                 if (seen & (Opt_context|Opt_fscontext)) {
393                                         rc = -EINVAL;
394                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
395                                         goto out_free;
396                                 }
397                                 context = match_strdup(&args[0]);
398                                 if (!context) {
399                                         rc = -ENOMEM;
400                                         goto out_free;
401                                 }
402                                 if (!alloc)
403                                         alloc = 1;
404                                 seen |= Opt_fscontext;
405                                 break;
406
407                         case Opt_defcontext:
408                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
409                                         rc = -EINVAL;
410                                         printk(KERN_WARNING "SELinux:  "
411                                                "defcontext option is invalid "
412                                                "for this filesystem type\n");
413                                         goto out_free;
414                                 }
415                                 if (seen & (Opt_context|Opt_defcontext)) {
416                                         rc = -EINVAL;
417                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
418                                         goto out_free;
419                                 }
420                                 defcontext = match_strdup(&args[0]);
421                                 if (!defcontext) {
422                                         rc = -ENOMEM;
423                                         goto out_free;
424                                 }
425                                 if (!alloc)
426                                         alloc = 1;
427                                 seen |= Opt_defcontext;
428                                 break;
429
430                         default:
431                                 rc = -EINVAL;
432                                 printk(KERN_WARNING "SELinux:  unknown mount "
433                                        "option\n");
434                                 goto out_free;
435
436                         }
437                 }
438         }
439
440         if (!seen)
441                 goto out;
442
443         if (context) {
444                 rc = security_context_to_sid(context, strlen(context), &sid);
445                 if (rc) {
446                         printk(KERN_WARNING "SELinux: security_context_to_sid"
447                                "(%s) failed for (dev %s, type %s) errno=%d\n",
448                                context, sb->s_id, name, rc);
449                         goto out_free;
450                 }
451
452                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453                                   FILESYSTEM__RELABELFROM, NULL);
454                 if (rc)
455                         goto out_free;
456
457                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
458                                   FILESYSTEM__RELABELTO, NULL);
459                 if (rc)
460                         goto out_free;
461
462                 sbsec->sid = sid;
463
464                 if (seen & Opt_context)
465                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
466         }
467
468         if (defcontext) {
469                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
470                 if (rc) {
471                         printk(KERN_WARNING "SELinux: security_context_to_sid"
472                                "(%s) failed for (dev %s, type %s) errno=%d\n",
473                                defcontext, sb->s_id, name, rc);
474                         goto out_free;
475                 }
476
477                 if (sid == sbsec->def_sid)
478                         goto out_free;
479
480                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
481                                   FILESYSTEM__RELABELFROM, NULL);
482                 if (rc)
483                         goto out_free;
484
485                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
486                                   FILESYSTEM__ASSOCIATE, NULL);
487                 if (rc)
488                         goto out_free;
489
490                 sbsec->def_sid = sid;
491         }
492
493 out_free:
494         if (alloc) {
495                 kfree(context);
496                 kfree(defcontext);
497         }
498 out:
499         return rc;
500 }
501
502 static int superblock_doinit(struct super_block *sb, void *data)
503 {
504         struct superblock_security_struct *sbsec = sb->s_security;
505         struct dentry *root = sb->s_root;
506         struct inode *inode = root->d_inode;
507         int rc = 0;
508
509         down(&sbsec->sem);
510         if (sbsec->initialized)
511                 goto out;
512
513         if (!ss_initialized) {
514                 /* Defer initialization until selinux_complete_init,
515                    after the initial policy is loaded and the security
516                    server is ready to handle calls. */
517                 spin_lock(&sb_security_lock);
518                 if (list_empty(&sbsec->list))
519                         list_add(&sbsec->list, &superblock_security_head);
520                 spin_unlock(&sb_security_lock);
521                 goto out;
522         }
523
524         /* Determine the labeling behavior to use for this filesystem type. */
525         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
526         if (rc) {
527                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
528                        __FUNCTION__, sb->s_type->name, rc);
529                 goto out;
530         }
531
532         rc = try_context_mount(sb, data);
533         if (rc)
534                 goto out;
535
536         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
537                 /* Make sure that the xattr handler exists and that no
538                    error other than -ENODATA is returned by getxattr on
539                    the root directory.  -ENODATA is ok, as this may be
540                    the first boot of the SELinux kernel before we have
541                    assigned xattr values to the filesystem. */
542                 if (!inode->i_op->getxattr) {
543                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
544                                "xattr support\n", sb->s_id, sb->s_type->name);
545                         rc = -EOPNOTSUPP;
546                         goto out;
547                 }
548                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
549                 if (rc < 0 && rc != -ENODATA) {
550                         if (rc == -EOPNOTSUPP)
551                                 printk(KERN_WARNING "SELinux: (dev %s, type "
552                                        "%s) has no security xattr handler\n",
553                                        sb->s_id, sb->s_type->name);
554                         else
555                                 printk(KERN_WARNING "SELinux: (dev %s, type "
556                                        "%s) getxattr errno %d\n", sb->s_id,
557                                        sb->s_type->name, -rc);
558                         goto out;
559                 }
560         }
561
562         if (strcmp(sb->s_type->name, "proc") == 0)
563                 sbsec->proc = 1;
564
565         sbsec->initialized = 1;
566
567         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
568                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
569                        sb->s_id, sb->s_type->name);
570         }
571         else {
572                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
573                        sb->s_id, sb->s_type->name,
574                        labeling_behaviors[sbsec->behavior-1]);
575         }
576
577         /* Initialize the root inode. */
578         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
579
580         /* Initialize any other inodes associated with the superblock, e.g.
581            inodes created prior to initial policy load or inodes created
582            during get_sb by a pseudo filesystem that directly
583            populates itself. */
584         spin_lock(&sbsec->isec_lock);
585 next_inode:
586         if (!list_empty(&sbsec->isec_head)) {
587                 struct inode_security_struct *isec =
588                                 list_entry(sbsec->isec_head.next,
589                                            struct inode_security_struct, list);
590                 struct inode *inode = isec->inode;
591                 spin_unlock(&sbsec->isec_lock);
592                 inode = igrab(inode);
593                 if (inode) {
594                         if (!IS_PRIVATE (inode))
595                                 inode_doinit(inode);
596                         iput(inode);
597                 }
598                 spin_lock(&sbsec->isec_lock);
599                 list_del_init(&isec->list);
600                 goto next_inode;
601         }
602         spin_unlock(&sbsec->isec_lock);
603 out:
604         up(&sbsec->sem);
605         return rc;
606 }
607
608 static inline u16 inode_mode_to_security_class(umode_t mode)
609 {
610         switch (mode & S_IFMT) {
611         case S_IFSOCK:
612                 return SECCLASS_SOCK_FILE;
613         case S_IFLNK:
614                 return SECCLASS_LNK_FILE;
615         case S_IFREG:
616                 return SECCLASS_FILE;
617         case S_IFBLK:
618                 return SECCLASS_BLK_FILE;
619         case S_IFDIR:
620                 return SECCLASS_DIR;
621         case S_IFCHR:
622                 return SECCLASS_CHR_FILE;
623         case S_IFIFO:
624                 return SECCLASS_FIFO_FILE;
625
626         }
627
628         return SECCLASS_FILE;
629 }
630
631 static inline int default_protocol_stream(int protocol)
632 {
633         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
634 }
635
636 static inline int default_protocol_dgram(int protocol)
637 {
638         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
639 }
640
641 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
642 {
643         switch (family) {
644         case PF_UNIX:
645                 switch (type) {
646                 case SOCK_STREAM:
647                 case SOCK_SEQPACKET:
648                         return SECCLASS_UNIX_STREAM_SOCKET;
649                 case SOCK_DGRAM:
650                         return SECCLASS_UNIX_DGRAM_SOCKET;
651                 }
652                 break;
653         case PF_INET:
654         case PF_INET6:
655                 switch (type) {
656                 case SOCK_STREAM:
657                         if (default_protocol_stream(protocol))
658                                 return SECCLASS_TCP_SOCKET;
659                         else
660                                 return SECCLASS_RAWIP_SOCKET;
661                 case SOCK_DGRAM:
662                         if (default_protocol_dgram(protocol))
663                                 return SECCLASS_UDP_SOCKET;
664                         else
665                                 return SECCLASS_RAWIP_SOCKET;
666                 default:
667                         return SECCLASS_RAWIP_SOCKET;
668                 }
669                 break;
670         case PF_NETLINK:
671                 switch (protocol) {
672                 case NETLINK_ROUTE:
673                         return SECCLASS_NETLINK_ROUTE_SOCKET;
674                 case NETLINK_FIREWALL:
675                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
676                 case NETLINK_INET_DIAG:
677                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
678                 case NETLINK_NFLOG:
679                         return SECCLASS_NETLINK_NFLOG_SOCKET;
680                 case NETLINK_XFRM:
681                         return SECCLASS_NETLINK_XFRM_SOCKET;
682                 case NETLINK_SELINUX:
683                         return SECCLASS_NETLINK_SELINUX_SOCKET;
684                 case NETLINK_AUDIT:
685                         return SECCLASS_NETLINK_AUDIT_SOCKET;
686                 case NETLINK_IP6_FW:
687                         return SECCLASS_NETLINK_IP6FW_SOCKET;
688                 case NETLINK_DNRTMSG:
689                         return SECCLASS_NETLINK_DNRT_SOCKET;
690                 case NETLINK_KOBJECT_UEVENT:
691                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
692                 default:
693                         return SECCLASS_NETLINK_SOCKET;
694                 }
695         case PF_PACKET:
696                 return SECCLASS_PACKET_SOCKET;
697         case PF_KEY:
698                 return SECCLASS_KEY_SOCKET;
699         }
700
701         return SECCLASS_SOCKET;
702 }
703
704 #ifdef CONFIG_PROC_FS
705 static int selinux_proc_get_sid(struct proc_dir_entry *de,
706                                 u16 tclass,
707                                 u32 *sid)
708 {
709         int buflen, rc;
710         char *buffer, *path, *end;
711
712         buffer = (char*)__get_free_page(GFP_KERNEL);
713         if (!buffer)
714                 return -ENOMEM;
715
716         buflen = PAGE_SIZE;
717         end = buffer+buflen;
718         *--end = '\0';
719         buflen--;
720         path = end-1;
721         *path = '/';
722         while (de && de != de->parent) {
723                 buflen -= de->namelen + 1;
724                 if (buflen < 0)
725                         break;
726                 end -= de->namelen;
727                 memcpy(end, de->name, de->namelen);
728                 *--end = '/';
729                 path = end;
730                 de = de->parent;
731         }
732         rc = security_genfs_sid("proc", path, tclass, sid);
733         free_page((unsigned long)buffer);
734         return rc;
735 }
736 #else
737 static int selinux_proc_get_sid(struct proc_dir_entry *de,
738                                 u16 tclass,
739                                 u32 *sid)
740 {
741         return -EINVAL;
742 }
743 #endif
744
745 /* The inode's security attributes must be initialized before first use. */
746 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
747 {
748         struct superblock_security_struct *sbsec = NULL;
749         struct inode_security_struct *isec = inode->i_security;
750         u32 sid;
751         struct dentry *dentry;
752 #define INITCONTEXTLEN 255
753         char *context = NULL;
754         unsigned len = 0;
755         int rc = 0;
756         int hold_sem = 0;
757
758         if (isec->initialized)
759                 goto out;
760
761         down(&isec->sem);
762         hold_sem = 1;
763         if (isec->initialized)
764                 goto out;
765
766         sbsec = inode->i_sb->s_security;
767         if (!sbsec->initialized) {
768                 /* Defer initialization until selinux_complete_init,
769                    after the initial policy is loaded and the security
770                    server is ready to handle calls. */
771                 spin_lock(&sbsec->isec_lock);
772                 if (list_empty(&isec->list))
773                         list_add(&isec->list, &sbsec->isec_head);
774                 spin_unlock(&sbsec->isec_lock);
775                 goto out;
776         }
777
778         switch (sbsec->behavior) {
779         case SECURITY_FS_USE_XATTR:
780                 if (!inode->i_op->getxattr) {
781                         isec->sid = sbsec->def_sid;
782                         break;
783                 }
784
785                 /* Need a dentry, since the xattr API requires one.
786                    Life would be simpler if we could just pass the inode. */
787                 if (opt_dentry) {
788                         /* Called from d_instantiate or d_splice_alias. */
789                         dentry = dget(opt_dentry);
790                 } else {
791                         /* Called from selinux_complete_init, try to find a dentry. */
792                         dentry = d_find_alias(inode);
793                 }
794                 if (!dentry) {
795                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
796                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
797                                inode->i_ino);
798                         goto out;
799                 }
800
801                 len = INITCONTEXTLEN;
802                 context = kmalloc(len, GFP_KERNEL);
803                 if (!context) {
804                         rc = -ENOMEM;
805                         dput(dentry);
806                         goto out;
807                 }
808                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
809                                            context, len);
810                 if (rc == -ERANGE) {
811                         /* Need a larger buffer.  Query for the right size. */
812                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
813                                                    NULL, 0);
814                         if (rc < 0) {
815                                 dput(dentry);
816                                 goto out;
817                         }
818                         kfree(context);
819                         len = rc;
820                         context = kmalloc(len, GFP_KERNEL);
821                         if (!context) {
822                                 rc = -ENOMEM;
823                                 dput(dentry);
824                                 goto out;
825                         }
826                         rc = inode->i_op->getxattr(dentry,
827                                                    XATTR_NAME_SELINUX,
828                                                    context, len);
829                 }
830                 dput(dentry);
831                 if (rc < 0) {
832                         if (rc != -ENODATA) {
833                                 printk(KERN_WARNING "%s:  getxattr returned "
834                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
835                                        -rc, inode->i_sb->s_id, inode->i_ino);
836                                 kfree(context);
837                                 goto out;
838                         }
839                         /* Map ENODATA to the default file SID */
840                         sid = sbsec->def_sid;
841                         rc = 0;
842                 } else {
843                         rc = security_context_to_sid_default(context, rc, &sid,
844                                                              sbsec->def_sid);
845                         if (rc) {
846                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
847                                        "returned %d for dev=%s ino=%ld\n",
848                                        __FUNCTION__, context, -rc,
849                                        inode->i_sb->s_id, inode->i_ino);
850                                 kfree(context);
851                                 /* Leave with the unlabeled SID */
852                                 rc = 0;
853                                 break;
854                         }
855                 }
856                 kfree(context);
857                 isec->sid = sid;
858                 break;
859         case SECURITY_FS_USE_TASK:
860                 isec->sid = isec->task_sid;
861                 break;
862         case SECURITY_FS_USE_TRANS:
863                 /* Default to the fs SID. */
864                 isec->sid = sbsec->sid;
865
866                 /* Try to obtain a transition SID. */
867                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
868                 rc = security_transition_sid(isec->task_sid,
869                                              sbsec->sid,
870                                              isec->sclass,
871                                              &sid);
872                 if (rc)
873                         goto out;
874                 isec->sid = sid;
875                 break;
876         default:
877                 /* Default to the fs SID. */
878                 isec->sid = sbsec->sid;
879
880                 if (sbsec->proc) {
881                         struct proc_inode *proci = PROC_I(inode);
882                         if (proci->pde) {
883                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
884                                 rc = selinux_proc_get_sid(proci->pde,
885                                                           isec->sclass,
886                                                           &sid);
887                                 if (rc)
888                                         goto out;
889                                 isec->sid = sid;
890                         }
891                 }
892                 break;
893         }
894
895         isec->initialized = 1;
896
897 out:
898         if (isec->sclass == SECCLASS_FILE)
899                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
900
901         if (hold_sem)
902                 up(&isec->sem);
903         return rc;
904 }
905
906 /* Convert a Linux signal to an access vector. */
907 static inline u32 signal_to_av(int sig)
908 {
909         u32 perm = 0;
910
911         switch (sig) {
912         case SIGCHLD:
913                 /* Commonly granted from child to parent. */
914                 perm = PROCESS__SIGCHLD;
915                 break;
916         case SIGKILL:
917                 /* Cannot be caught or ignored */
918                 perm = PROCESS__SIGKILL;
919                 break;
920         case SIGSTOP:
921                 /* Cannot be caught or ignored */
922                 perm = PROCESS__SIGSTOP;
923                 break;
924         default:
925                 /* All other signals. */
926                 perm = PROCESS__SIGNAL;
927                 break;
928         }
929
930         return perm;
931 }
932
933 /* Check permission betweeen a pair of tasks, e.g. signal checks,
934    fork check, ptrace check, etc. */
935 static int task_has_perm(struct task_struct *tsk1,
936                          struct task_struct *tsk2,
937                          u32 perms)
938 {
939         struct task_security_struct *tsec1, *tsec2;
940
941         tsec1 = tsk1->security;
942         tsec2 = tsk2->security;
943         return avc_has_perm(tsec1->sid, tsec2->sid,
944                             SECCLASS_PROCESS, perms, NULL);
945 }
946
947 /* Check whether a task is allowed to use a capability. */
948 static int task_has_capability(struct task_struct *tsk,
949                                int cap)
950 {
951         struct task_security_struct *tsec;
952         struct avc_audit_data ad;
953
954         tsec = tsk->security;
955
956         AVC_AUDIT_DATA_INIT(&ad,CAP);
957         ad.tsk = tsk;
958         ad.u.cap = cap;
959
960         return avc_has_perm(tsec->sid, tsec->sid,
961                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
962 }
963
964 /* Check whether a task is allowed to use a system operation. */
965 static int task_has_system(struct task_struct *tsk,
966                            u32 perms)
967 {
968         struct task_security_struct *tsec;
969
970         tsec = tsk->security;
971
972         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
973                             SECCLASS_SYSTEM, perms, NULL);
974 }
975
976 /* Check whether a task has a particular permission to an inode.
977    The 'adp' parameter is optional and allows other audit
978    data to be passed (e.g. the dentry). */
979 static int inode_has_perm(struct task_struct *tsk,
980                           struct inode *inode,
981                           u32 perms,
982                           struct avc_audit_data *adp)
983 {
984         struct task_security_struct *tsec;
985         struct inode_security_struct *isec;
986         struct avc_audit_data ad;
987
988         tsec = tsk->security;
989         isec = inode->i_security;
990
991         if (!adp) {
992                 adp = &ad;
993                 AVC_AUDIT_DATA_INIT(&ad, FS);
994                 ad.u.fs.inode = inode;
995         }
996
997         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
998 }
999
1000 /* Same as inode_has_perm, but pass explicit audit data containing
1001    the dentry to help the auditing code to more easily generate the
1002    pathname if needed. */
1003 static inline int dentry_has_perm(struct task_struct *tsk,
1004                                   struct vfsmount *mnt,
1005                                   struct dentry *dentry,
1006                                   u32 av)
1007 {
1008         struct inode *inode = dentry->d_inode;
1009         struct avc_audit_data ad;
1010         AVC_AUDIT_DATA_INIT(&ad,FS);
1011         ad.u.fs.mnt = mnt;
1012         ad.u.fs.dentry = dentry;
1013         return inode_has_perm(tsk, inode, av, &ad);
1014 }
1015
1016 /* Check whether a task can use an open file descriptor to
1017    access an inode in a given way.  Check access to the
1018    descriptor itself, and then use dentry_has_perm to
1019    check a particular permission to the file.
1020    Access to the descriptor is implicitly granted if it
1021    has the same SID as the process.  If av is zero, then
1022    access to the file is not checked, e.g. for cases
1023    where only the descriptor is affected like seek. */
1024 static int file_has_perm(struct task_struct *tsk,
1025                                 struct file *file,
1026                                 u32 av)
1027 {
1028         struct task_security_struct *tsec = tsk->security;
1029         struct file_security_struct *fsec = file->f_security;
1030         struct vfsmount *mnt = file->f_vfsmnt;
1031         struct dentry *dentry = file->f_dentry;
1032         struct inode *inode = dentry->d_inode;
1033         struct avc_audit_data ad;
1034         int rc;
1035
1036         AVC_AUDIT_DATA_INIT(&ad, FS);
1037         ad.u.fs.mnt = mnt;
1038         ad.u.fs.dentry = dentry;
1039
1040         if (tsec->sid != fsec->sid) {
1041                 rc = avc_has_perm(tsec->sid, fsec->sid,
1042                                   SECCLASS_FD,
1043                                   FD__USE,
1044                                   &ad);
1045                 if (rc)
1046                         return rc;
1047         }
1048
1049         /* av is zero if only checking access to the descriptor. */
1050         if (av)
1051                 return inode_has_perm(tsk, inode, av, &ad);
1052
1053         return 0;
1054 }
1055
1056 /* Check whether a task can create a file. */
1057 static int may_create(struct inode *dir,
1058                       struct dentry *dentry,
1059                       u16 tclass)
1060 {
1061         struct task_security_struct *tsec;
1062         struct inode_security_struct *dsec;
1063         struct superblock_security_struct *sbsec;
1064         u32 newsid;
1065         struct avc_audit_data ad;
1066         int rc;
1067
1068         tsec = current->security;
1069         dsec = dir->i_security;
1070         sbsec = dir->i_sb->s_security;
1071
1072         AVC_AUDIT_DATA_INIT(&ad, FS);
1073         ad.u.fs.dentry = dentry;
1074
1075         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1076                           DIR__ADD_NAME | DIR__SEARCH,
1077                           &ad);
1078         if (rc)
1079                 return rc;
1080
1081         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1082                 newsid = tsec->create_sid;
1083         } else {
1084                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1085                                              &newsid);
1086                 if (rc)
1087                         return rc;
1088         }
1089
1090         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1091         if (rc)
1092                 return rc;
1093
1094         return avc_has_perm(newsid, sbsec->sid,
1095                             SECCLASS_FILESYSTEM,
1096                             FILESYSTEM__ASSOCIATE, &ad);
1097 }
1098
1099 #define MAY_LINK   0
1100 #define MAY_UNLINK 1
1101 #define MAY_RMDIR  2
1102
1103 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1104 static int may_link(struct inode *dir,
1105                     struct dentry *dentry,
1106                     int kind)
1107
1108 {
1109         struct task_security_struct *tsec;
1110         struct inode_security_struct *dsec, *isec;
1111         struct avc_audit_data ad;
1112         u32 av;
1113         int rc;
1114
1115         tsec = current->security;
1116         dsec = dir->i_security;
1117         isec = dentry->d_inode->i_security;
1118
1119         AVC_AUDIT_DATA_INIT(&ad, FS);
1120         ad.u.fs.dentry = dentry;
1121
1122         av = DIR__SEARCH;
1123         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1124         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1125         if (rc)
1126                 return rc;
1127
1128         switch (kind) {
1129         case MAY_LINK:
1130                 av = FILE__LINK;
1131                 break;
1132         case MAY_UNLINK:
1133                 av = FILE__UNLINK;
1134                 break;
1135         case MAY_RMDIR:
1136                 av = DIR__RMDIR;
1137                 break;
1138         default:
1139                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1140                 return 0;
1141         }
1142
1143         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1144         return rc;
1145 }
1146
1147 static inline int may_rename(struct inode *old_dir,
1148                              struct dentry *old_dentry,
1149                              struct inode *new_dir,
1150                              struct dentry *new_dentry)
1151 {
1152         struct task_security_struct *tsec;
1153         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1154         struct avc_audit_data ad;
1155         u32 av;
1156         int old_is_dir, new_is_dir;
1157         int rc;
1158
1159         tsec = current->security;
1160         old_dsec = old_dir->i_security;
1161         old_isec = old_dentry->d_inode->i_security;
1162         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1163         new_dsec = new_dir->i_security;
1164
1165         AVC_AUDIT_DATA_INIT(&ad, FS);
1166
1167         ad.u.fs.dentry = old_dentry;
1168         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1169                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1170         if (rc)
1171                 return rc;
1172         rc = avc_has_perm(tsec->sid, old_isec->sid,
1173                           old_isec->sclass, FILE__RENAME, &ad);
1174         if (rc)
1175                 return rc;
1176         if (old_is_dir && new_dir != old_dir) {
1177                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1178                                   old_isec->sclass, DIR__REPARENT, &ad);
1179                 if (rc)
1180                         return rc;
1181         }
1182
1183         ad.u.fs.dentry = new_dentry;
1184         av = DIR__ADD_NAME | DIR__SEARCH;
1185         if (new_dentry->d_inode)
1186                 av |= DIR__REMOVE_NAME;
1187         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1188         if (rc)
1189                 return rc;
1190         if (new_dentry->d_inode) {
1191                 new_isec = new_dentry->d_inode->i_security;
1192                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1193                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1194                                   new_isec->sclass,
1195                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1196                 if (rc)
1197                         return rc;
1198         }
1199
1200         return 0;
1201 }
1202
1203 /* Check whether a task can perform a filesystem operation. */
1204 static int superblock_has_perm(struct task_struct *tsk,
1205                                struct super_block *sb,
1206                                u32 perms,
1207                                struct avc_audit_data *ad)
1208 {
1209         struct task_security_struct *tsec;
1210         struct superblock_security_struct *sbsec;
1211
1212         tsec = tsk->security;
1213         sbsec = sb->s_security;
1214         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1215                             perms, ad);
1216 }
1217
1218 /* Convert a Linux mode and permission mask to an access vector. */
1219 static inline u32 file_mask_to_av(int mode, int mask)
1220 {
1221         u32 av = 0;
1222
1223         if ((mode & S_IFMT) != S_IFDIR) {
1224                 if (mask & MAY_EXEC)
1225                         av |= FILE__EXECUTE;
1226                 if (mask & MAY_READ)
1227                         av |= FILE__READ;
1228
1229                 if (mask & MAY_APPEND)
1230                         av |= FILE__APPEND;
1231                 else if (mask & MAY_WRITE)
1232                         av |= FILE__WRITE;
1233
1234         } else {
1235                 if (mask & MAY_EXEC)
1236                         av |= DIR__SEARCH;
1237                 if (mask & MAY_WRITE)
1238                         av |= DIR__WRITE;
1239                 if (mask & MAY_READ)
1240                         av |= DIR__READ;
1241         }
1242
1243         return av;
1244 }
1245
1246 /* Convert a Linux file to an access vector. */
1247 static inline u32 file_to_av(struct file *file)
1248 {
1249         u32 av = 0;
1250
1251         if (file->f_mode & FMODE_READ)
1252                 av |= FILE__READ;
1253         if (file->f_mode & FMODE_WRITE) {
1254                 if (file->f_flags & O_APPEND)
1255                         av |= FILE__APPEND;
1256                 else
1257                         av |= FILE__WRITE;
1258         }
1259
1260         return av;
1261 }
1262
1263 /* Set an inode's SID to a specified value. */
1264 static int inode_security_set_sid(struct inode *inode, u32 sid)
1265 {
1266         struct inode_security_struct *isec = inode->i_security;
1267         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1268
1269         if (!sbsec->initialized) {
1270                 /* Defer initialization to selinux_complete_init. */
1271                 return 0;
1272         }
1273
1274         down(&isec->sem);
1275         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1276         isec->sid = sid;
1277         isec->initialized = 1;
1278         up(&isec->sem);
1279         return 0;
1280 }
1281
1282 /* Hook functions begin here. */
1283
1284 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1285 {
1286         struct task_security_struct *psec = parent->security;
1287         struct task_security_struct *csec = child->security;
1288         int rc;
1289
1290         rc = secondary_ops->ptrace(parent,child);
1291         if (rc)
1292                 return rc;
1293
1294         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1295         /* Save the SID of the tracing process for later use in apply_creds. */
1296         if (!(child->ptrace & PT_PTRACED) && !rc)
1297                 csec->ptrace_sid = psec->sid;
1298         return rc;
1299 }
1300
1301 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1302                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1303 {
1304         int error;
1305
1306         error = task_has_perm(current, target, PROCESS__GETCAP);
1307         if (error)
1308                 return error;
1309
1310         return secondary_ops->capget(target, effective, inheritable, permitted);
1311 }
1312
1313 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1314                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1315 {
1316         int error;
1317
1318         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1319         if (error)
1320                 return error;
1321
1322         return task_has_perm(current, target, PROCESS__SETCAP);
1323 }
1324
1325 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1326                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1327 {
1328         secondary_ops->capset_set(target, effective, inheritable, permitted);
1329 }
1330
1331 static int selinux_capable(struct task_struct *tsk, int cap)
1332 {
1333         int rc;
1334
1335         rc = secondary_ops->capable(tsk, cap);
1336         if (rc)
1337                 return rc;
1338
1339         return task_has_capability(tsk,cap);
1340 }
1341
1342 static int selinux_sysctl(ctl_table *table, int op)
1343 {
1344         int error = 0;
1345         u32 av;
1346         struct task_security_struct *tsec;
1347         u32 tsid;
1348         int rc;
1349
1350         rc = secondary_ops->sysctl(table, op);
1351         if (rc)
1352                 return rc;
1353
1354         tsec = current->security;
1355
1356         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1357                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1358         if (rc) {
1359                 /* Default to the well-defined sysctl SID. */
1360                 tsid = SECINITSID_SYSCTL;
1361         }
1362
1363         /* The op values are "defined" in sysctl.c, thereby creating
1364          * a bad coupling between this module and sysctl.c */
1365         if(op == 001) {
1366                 error = avc_has_perm(tsec->sid, tsid,
1367                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1368         } else {
1369                 av = 0;
1370                 if (op & 004)
1371                         av |= FILE__READ;
1372                 if (op & 002)
1373                         av |= FILE__WRITE;
1374                 if (av)
1375                         error = avc_has_perm(tsec->sid, tsid,
1376                                              SECCLASS_FILE, av, NULL);
1377         }
1378
1379         return error;
1380 }
1381
1382 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1383 {
1384         int rc = 0;
1385
1386         if (!sb)
1387                 return 0;
1388
1389         switch (cmds) {
1390                 case Q_SYNC:
1391                 case Q_QUOTAON:
1392                 case Q_QUOTAOFF:
1393                 case Q_SETINFO:
1394                 case Q_SETQUOTA:
1395                         rc = superblock_has_perm(current,
1396                                                  sb,
1397                                                  FILESYSTEM__QUOTAMOD, NULL);
1398                         break;
1399                 case Q_GETFMT:
1400                 case Q_GETINFO:
1401                 case Q_GETQUOTA:
1402                         rc = superblock_has_perm(current,
1403                                                  sb,
1404                                                  FILESYSTEM__QUOTAGET, NULL);
1405                         break;
1406                 default:
1407                         rc = 0;  /* let the kernel handle invalid cmds */
1408                         break;
1409         }
1410         return rc;
1411 }
1412
1413 static int selinux_quota_on(struct dentry *dentry)
1414 {
1415         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1416 }
1417
1418 static int selinux_syslog(int type)
1419 {
1420         int rc;
1421
1422         rc = secondary_ops->syslog(type);
1423         if (rc)
1424                 return rc;
1425
1426         switch (type) {
1427                 case 3:         /* Read last kernel messages */
1428                 case 10:        /* Return size of the log buffer */
1429                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1430                         break;
1431                 case 6:         /* Disable logging to console */
1432                 case 7:         /* Enable logging to console */
1433                 case 8:         /* Set level of messages printed to console */
1434                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1435                         break;
1436                 case 0:         /* Close log */
1437                 case 1:         /* Open log */
1438                 case 2:         /* Read from log */
1439                 case 4:         /* Read/clear last kernel messages */
1440                 case 5:         /* Clear ring buffer */
1441                 default:
1442                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1443                         break;
1444         }
1445         return rc;
1446 }
1447
1448 /*
1449  * Check that a process has enough memory to allocate a new virtual
1450  * mapping. 0 means there is enough memory for the allocation to
1451  * succeed and -ENOMEM implies there is not.
1452  *
1453  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1454  * if the capability is granted, but __vm_enough_memory requires 1 if
1455  * the capability is granted.
1456  *
1457  * Do not audit the selinux permission check, as this is applied to all
1458  * processes that allocate mappings.
1459  */
1460 static int selinux_vm_enough_memory(long pages)
1461 {
1462         int rc, cap_sys_admin = 0;
1463         struct task_security_struct *tsec = current->security;
1464
1465         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1466         if (rc == 0)
1467                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1468                                         SECCLASS_CAPABILITY,
1469                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1470                                         NULL);
1471
1472         if (rc == 0)
1473                 cap_sys_admin = 1;
1474
1475         return __vm_enough_memory(pages, cap_sys_admin);
1476 }
1477
1478 /* binprm security operations */
1479
1480 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1481 {
1482         struct bprm_security_struct *bsec;
1483
1484         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1485         if (!bsec)
1486                 return -ENOMEM;
1487
1488         bsec->bprm = bprm;
1489         bsec->sid = SECINITSID_UNLABELED;
1490         bsec->set = 0;
1491
1492         bprm->security = bsec;
1493         return 0;
1494 }
1495
1496 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1497 {
1498         struct task_security_struct *tsec;
1499         struct inode *inode = bprm->file->f_dentry->d_inode;
1500         struct inode_security_struct *isec;
1501         struct bprm_security_struct *bsec;
1502         u32 newsid;
1503         struct avc_audit_data ad;
1504         int rc;
1505
1506         rc = secondary_ops->bprm_set_security(bprm);
1507         if (rc)
1508                 return rc;
1509
1510         bsec = bprm->security;
1511
1512         if (bsec->set)
1513                 return 0;
1514
1515         tsec = current->security;
1516         isec = inode->i_security;
1517
1518         /* Default to the current task SID. */
1519         bsec->sid = tsec->sid;
1520
1521         /* Reset create SID on execve. */
1522         tsec->create_sid = 0;
1523
1524         if (tsec->exec_sid) {
1525                 newsid = tsec->exec_sid;
1526                 /* Reset exec SID on execve. */
1527                 tsec->exec_sid = 0;
1528         } else {
1529                 /* Check for a default transition on this program. */
1530                 rc = security_transition_sid(tsec->sid, isec->sid,
1531                                              SECCLASS_PROCESS, &newsid);
1532                 if (rc)
1533                         return rc;
1534         }
1535
1536         AVC_AUDIT_DATA_INIT(&ad, FS);
1537         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1538         ad.u.fs.dentry = bprm->file->f_dentry;
1539
1540         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1541                 newsid = tsec->sid;
1542
1543         if (tsec->sid == newsid) {
1544                 rc = avc_has_perm(tsec->sid, isec->sid,
1545                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1546                 if (rc)
1547                         return rc;
1548         } else {
1549                 /* Check permissions for the transition. */
1550                 rc = avc_has_perm(tsec->sid, newsid,
1551                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1552                 if (rc)
1553                         return rc;
1554
1555                 rc = avc_has_perm(newsid, isec->sid,
1556                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1557                 if (rc)
1558                         return rc;
1559
1560                 /* Clear any possibly unsafe personality bits on exec: */
1561                 current->personality &= ~PER_CLEAR_ON_SETID;
1562
1563                 /* Set the security field to the new SID. */
1564                 bsec->sid = newsid;
1565         }
1566
1567         bsec->set = 1;
1568         return 0;
1569 }
1570
1571 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1572 {
1573         return secondary_ops->bprm_check_security(bprm);
1574 }
1575
1576
1577 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1578 {
1579         struct task_security_struct *tsec = current->security;
1580         int atsecure = 0;
1581
1582         if (tsec->osid != tsec->sid) {
1583                 /* Enable secure mode for SIDs transitions unless
1584                    the noatsecure permission is granted between
1585                    the two SIDs, i.e. ahp returns 0. */
1586                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1587                                          SECCLASS_PROCESS,
1588                                          PROCESS__NOATSECURE, NULL);
1589         }
1590
1591         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1592 }
1593
1594 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1595 {
1596         kfree(bprm->security);
1597         bprm->security = NULL;
1598 }
1599
1600 extern struct vfsmount *selinuxfs_mount;
1601 extern struct dentry *selinux_null;
1602
1603 /* Derived from fs/exec.c:flush_old_files. */
1604 static inline void flush_unauthorized_files(struct files_struct * files)
1605 {
1606         struct avc_audit_data ad;
1607         struct file *file, *devnull = NULL;
1608         struct tty_struct *tty = current->signal->tty;
1609         struct fdtable *fdt;
1610         long j = -1;
1611
1612         if (tty) {
1613                 file_list_lock();
1614                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1615                 if (file) {
1616                         /* Revalidate access to controlling tty.
1617                            Use inode_has_perm on the tty inode directly rather
1618                            than using file_has_perm, as this particular open
1619                            file may belong to another process and we are only
1620                            interested in the inode-based check here. */
1621                         struct inode *inode = file->f_dentry->d_inode;
1622                         if (inode_has_perm(current, inode,
1623                                            FILE__READ | FILE__WRITE, NULL)) {
1624                                 /* Reset controlling tty. */
1625                                 current->signal->tty = NULL;
1626                                 current->signal->tty_old_pgrp = 0;
1627                         }
1628                 }
1629                 file_list_unlock();
1630         }
1631
1632         /* Revalidate access to inherited open files. */
1633
1634         AVC_AUDIT_DATA_INIT(&ad,FS);
1635
1636         spin_lock(&files->file_lock);
1637         for (;;) {
1638                 unsigned long set, i;
1639                 int fd;
1640
1641                 j++;
1642                 i = j * __NFDBITS;
1643                 fdt = files_fdtable(files);
1644                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1645                         break;
1646                 set = fdt->open_fds->fds_bits[j];
1647                 if (!set)
1648                         continue;
1649                 spin_unlock(&files->file_lock);
1650                 for ( ; set ; i++,set >>= 1) {
1651                         if (set & 1) {
1652                                 file = fget(i);
1653                                 if (!file)
1654                                         continue;
1655                                 if (file_has_perm(current,
1656                                                   file,
1657                                                   file_to_av(file))) {
1658                                         sys_close(i);
1659                                         fd = get_unused_fd();
1660                                         if (fd != i) {
1661                                                 if (fd >= 0)
1662                                                         put_unused_fd(fd);
1663                                                 fput(file);
1664                                                 continue;
1665                                         }
1666                                         if (devnull) {
1667                                                 get_file(devnull);
1668                                         } else {
1669                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1670                                                 if (!devnull) {
1671                                                         put_unused_fd(fd);
1672                                                         fput(file);
1673                                                         continue;
1674                                                 }
1675                                         }
1676                                         fd_install(fd, devnull);
1677                                 }
1678                                 fput(file);
1679                         }
1680                 }
1681                 spin_lock(&files->file_lock);
1682
1683         }
1684         spin_unlock(&files->file_lock);
1685 }
1686
1687 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1688 {
1689         struct task_security_struct *tsec;
1690         struct bprm_security_struct *bsec;
1691         u32 sid;
1692         int rc;
1693
1694         secondary_ops->bprm_apply_creds(bprm, unsafe);
1695
1696         tsec = current->security;
1697
1698         bsec = bprm->security;
1699         sid = bsec->sid;
1700
1701         tsec->osid = tsec->sid;
1702         bsec->unsafe = 0;
1703         if (tsec->sid != sid) {
1704                 /* Check for shared state.  If not ok, leave SID
1705                    unchanged and kill. */
1706                 if (unsafe & LSM_UNSAFE_SHARE) {
1707                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1708                                         PROCESS__SHARE, NULL);
1709                         if (rc) {
1710                                 bsec->unsafe = 1;
1711                                 return;
1712                         }
1713                 }
1714
1715                 /* Check for ptracing, and update the task SID if ok.
1716                    Otherwise, leave SID unchanged and kill. */
1717                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1718                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1719                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1720                                           NULL);
1721                         if (rc) {
1722                                 bsec->unsafe = 1;
1723                                 return;
1724                         }
1725                 }
1726                 tsec->sid = sid;
1727         }
1728 }
1729
1730 /*
1731  * called after apply_creds without the task lock held
1732  */
1733 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1734 {
1735         struct task_security_struct *tsec;
1736         struct rlimit *rlim, *initrlim;
1737         struct itimerval itimer;
1738         struct bprm_security_struct *bsec;
1739         int rc, i;
1740
1741         tsec = current->security;
1742         bsec = bprm->security;
1743
1744         if (bsec->unsafe) {
1745                 force_sig_specific(SIGKILL, current);
1746                 return;
1747         }
1748         if (tsec->osid == tsec->sid)
1749                 return;
1750
1751         /* Close files for which the new task SID is not authorized. */
1752         flush_unauthorized_files(current->files);
1753
1754         /* Check whether the new SID can inherit signal state
1755            from the old SID.  If not, clear itimers to avoid
1756            subsequent signal generation and flush and unblock
1757            signals. This must occur _after_ the task SID has
1758           been updated so that any kill done after the flush
1759           will be checked against the new SID. */
1760         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1761                           PROCESS__SIGINH, NULL);
1762         if (rc) {
1763                 memset(&itimer, 0, sizeof itimer);
1764                 for (i = 0; i < 3; i++)
1765                         do_setitimer(i, &itimer, NULL);
1766                 flush_signals(current);
1767                 spin_lock_irq(&current->sighand->siglock);
1768                 flush_signal_handlers(current, 1);
1769                 sigemptyset(&current->blocked);
1770                 recalc_sigpending();
1771                 spin_unlock_irq(&current->sighand->siglock);
1772         }
1773
1774         /* Check whether the new SID can inherit resource limits
1775            from the old SID.  If not, reset all soft limits to
1776            the lower of the current task's hard limit and the init
1777            task's soft limit.  Note that the setting of hard limits
1778            (even to lower them) can be controlled by the setrlimit
1779            check. The inclusion of the init task's soft limit into
1780            the computation is to avoid resetting soft limits higher
1781            than the default soft limit for cases where the default
1782            is lower than the hard limit, e.g. RLIMIT_CORE or
1783            RLIMIT_STACK.*/
1784         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1785                           PROCESS__RLIMITINH, NULL);
1786         if (rc) {
1787                 for (i = 0; i < RLIM_NLIMITS; i++) {
1788                         rlim = current->signal->rlim + i;
1789                         initrlim = init_task.signal->rlim+i;
1790                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1791                 }
1792                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1793                         /*
1794                          * This will cause RLIMIT_CPU calculations
1795                          * to be refigured.
1796                          */
1797                         current->it_prof_expires = jiffies_to_cputime(1);
1798                 }
1799         }
1800
1801         /* Wake up the parent if it is waiting so that it can
1802            recheck wait permission to the new task SID. */
1803         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1804 }
1805
1806 /* superblock security operations */
1807
1808 static int selinux_sb_alloc_security(struct super_block *sb)
1809 {
1810         return superblock_alloc_security(sb);
1811 }
1812
1813 static void selinux_sb_free_security(struct super_block *sb)
1814 {
1815         superblock_free_security(sb);
1816 }
1817
1818 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1819 {
1820         if (plen > olen)
1821                 return 0;
1822
1823         return !memcmp(prefix, option, plen);
1824 }
1825
1826 static inline int selinux_option(char *option, int len)
1827 {
1828         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1829                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1830                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1831 }
1832
1833 static inline void take_option(char **to, char *from, int *first, int len)
1834 {
1835         if (!*first) {
1836                 **to = ',';
1837                 *to += 1;
1838         }
1839         else
1840                 *first = 0;
1841         memcpy(*to, from, len);
1842         *to += len;
1843 }
1844
1845 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1846 {
1847         int fnosec, fsec, rc = 0;
1848         char *in_save, *in_curr, *in_end;
1849         char *sec_curr, *nosec_save, *nosec;
1850
1851         in_curr = orig;
1852         sec_curr = copy;
1853
1854         /* Binary mount data: just copy */
1855         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1856                 copy_page(sec_curr, in_curr);
1857                 goto out;
1858         }
1859
1860         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1861         if (!nosec) {
1862                 rc = -ENOMEM;
1863                 goto out;
1864         }
1865
1866         nosec_save = nosec;
1867         fnosec = fsec = 1;
1868         in_save = in_end = orig;
1869
1870         do {
1871                 if (*in_end == ',' || *in_end == '\0') {
1872                         int len = in_end - in_curr;
1873
1874                         if (selinux_option(in_curr, len))
1875                                 take_option(&sec_curr, in_curr, &fsec, len);
1876                         else
1877                                 take_option(&nosec, in_curr, &fnosec, len);
1878
1879                         in_curr = in_end + 1;
1880                 }
1881         } while (*in_end++);
1882
1883         strcpy(in_save, nosec_save);
1884         free_page((unsigned long)nosec_save);
1885 out:
1886         return rc;
1887 }
1888
1889 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1890 {
1891         struct avc_audit_data ad;
1892         int rc;
1893
1894         rc = superblock_doinit(sb, data);
1895         if (rc)
1896                 return rc;
1897
1898         AVC_AUDIT_DATA_INIT(&ad,FS);
1899         ad.u.fs.dentry = sb->s_root;
1900         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1901 }
1902
1903 static int selinux_sb_statfs(struct super_block *sb)
1904 {
1905         struct avc_audit_data ad;
1906
1907         AVC_AUDIT_DATA_INIT(&ad,FS);
1908         ad.u.fs.dentry = sb->s_root;
1909         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1910 }
1911
1912 static int selinux_mount(char * dev_name,
1913                          struct nameidata *nd,
1914                          char * type,
1915                          unsigned long flags,
1916                          void * data)
1917 {
1918         int rc;
1919
1920         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1921         if (rc)
1922                 return rc;
1923
1924         if (flags & MS_REMOUNT)
1925                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1926                                            FILESYSTEM__REMOUNT, NULL);
1927         else
1928                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1929                                        FILE__MOUNTON);
1930 }
1931
1932 static int selinux_umount(struct vfsmount *mnt, int flags)
1933 {
1934         int rc;
1935
1936         rc = secondary_ops->sb_umount(mnt, flags);
1937         if (rc)
1938                 return rc;
1939
1940         return superblock_has_perm(current,mnt->mnt_sb,
1941                                    FILESYSTEM__UNMOUNT,NULL);
1942 }
1943
1944 /* inode security operations */
1945
1946 static int selinux_inode_alloc_security(struct inode *inode)
1947 {
1948         return inode_alloc_security(inode);
1949 }
1950
1951 static void selinux_inode_free_security(struct inode *inode)
1952 {
1953         inode_free_security(inode);
1954 }
1955
1956 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1957                                        char **name, void **value,
1958                                        size_t *len)
1959 {
1960         struct task_security_struct *tsec;
1961         struct inode_security_struct *dsec;
1962         struct superblock_security_struct *sbsec;
1963         u32 newsid, clen;
1964         int rc;
1965         char *namep = NULL, *context;
1966
1967         tsec = current->security;
1968         dsec = dir->i_security;
1969         sbsec = dir->i_sb->s_security;
1970
1971         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1972                 newsid = tsec->create_sid;
1973         } else {
1974                 rc = security_transition_sid(tsec->sid, dsec->sid,
1975                                              inode_mode_to_security_class(inode->i_mode),
1976                                              &newsid);
1977                 if (rc) {
1978                         printk(KERN_WARNING "%s:  "
1979                                "security_transition_sid failed, rc=%d (dev=%s "
1980                                "ino=%ld)\n",
1981                                __FUNCTION__,
1982                                -rc, inode->i_sb->s_id, inode->i_ino);
1983                         return rc;
1984                 }
1985         }
1986
1987         inode_security_set_sid(inode, newsid);
1988
1989         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1990                 return -EOPNOTSUPP;
1991
1992         if (name) {
1993                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1994                 if (!namep)
1995                         return -ENOMEM;
1996                 *name = namep;
1997         }
1998
1999         if (value && len) {
2000                 rc = security_sid_to_context(newsid, &context, &clen);
2001                 if (rc) {
2002                         kfree(namep);
2003                         return rc;
2004                 }
2005                 *value = context;
2006                 *len = clen;
2007         }
2008
2009         return 0;
2010 }
2011
2012 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2013 {
2014         return may_create(dir, dentry, SECCLASS_FILE);
2015 }
2016
2017 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2018 {
2019         int rc;
2020
2021         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2022         if (rc)
2023                 return rc;
2024         return may_link(dir, old_dentry, MAY_LINK);
2025 }
2026
2027 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2028 {
2029         int rc;
2030
2031         rc = secondary_ops->inode_unlink(dir, dentry);
2032         if (rc)
2033                 return rc;
2034         return may_link(dir, dentry, MAY_UNLINK);
2035 }
2036
2037 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2038 {
2039         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2040 }
2041
2042 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2043 {
2044         return may_create(dir, dentry, SECCLASS_DIR);
2045 }
2046
2047 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2048 {
2049         return may_link(dir, dentry, MAY_RMDIR);
2050 }
2051
2052 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2053 {
2054         int rc;
2055
2056         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2057         if (rc)
2058                 return rc;
2059
2060         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2061 }
2062
2063 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2064                                 struct inode *new_inode, struct dentry *new_dentry)
2065 {
2066         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2067 }
2068
2069 static int selinux_inode_readlink(struct dentry *dentry)
2070 {
2071         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2072 }
2073
2074 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2075 {
2076         int rc;
2077
2078         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2079         if (rc)
2080                 return rc;
2081         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2082 }
2083
2084 static int selinux_inode_permission(struct inode *inode, int mask,
2085                                     struct nameidata *nd)
2086 {
2087         int rc;
2088
2089         rc = secondary_ops->inode_permission(inode, mask, nd);
2090         if (rc)
2091                 return rc;
2092
2093         if (!mask) {
2094                 /* No permission to check.  Existence test. */
2095                 return 0;
2096         }
2097
2098         return inode_has_perm(current, inode,
2099                                file_mask_to_av(inode->i_mode, mask), NULL);
2100 }
2101
2102 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2103 {
2104         int rc;
2105
2106         rc = secondary_ops->inode_setattr(dentry, iattr);
2107         if (rc)
2108                 return rc;
2109
2110         if (iattr->ia_valid & ATTR_FORCE)
2111                 return 0;
2112
2113         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2114                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2115                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2116
2117         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2118 }
2119
2120 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2121 {
2122         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2123 }
2124
2125 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2126 {
2127         struct task_security_struct *tsec = current->security;
2128         struct inode *inode = dentry->d_inode;
2129         struct inode_security_struct *isec = inode->i_security;
2130         struct superblock_security_struct *sbsec;
2131         struct avc_audit_data ad;
2132         u32 newsid;
2133         int rc = 0;
2134
2135         if (strcmp(name, XATTR_NAME_SELINUX)) {
2136                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2137                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2138                     !capable(CAP_SYS_ADMIN)) {
2139                         /* A different attribute in the security namespace.
2140                            Restrict to administrator. */
2141                         return -EPERM;
2142                 }
2143
2144                 /* Not an attribute we recognize, so just check the
2145                    ordinary setattr permission. */
2146                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2147         }
2148
2149         sbsec = inode->i_sb->s_security;
2150         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2151                 return -EOPNOTSUPP;
2152
2153         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2154                 return -EPERM;
2155
2156         AVC_AUDIT_DATA_INIT(&ad,FS);
2157         ad.u.fs.dentry = dentry;
2158
2159         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2160                           FILE__RELABELFROM, &ad);
2161         if (rc)
2162                 return rc;
2163
2164         rc = security_context_to_sid(value, size, &newsid);
2165         if (rc)
2166                 return rc;
2167
2168         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2169                           FILE__RELABELTO, &ad);
2170         if (rc)
2171                 return rc;
2172
2173         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2174                                           isec->sclass);
2175         if (rc)
2176                 return rc;
2177
2178         return avc_has_perm(newsid,
2179                             sbsec->sid,
2180                             SECCLASS_FILESYSTEM,
2181                             FILESYSTEM__ASSOCIATE,
2182                             &ad);
2183 }
2184
2185 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2186                                         void *value, size_t size, int flags)
2187 {
2188         struct inode *inode = dentry->d_inode;
2189         struct inode_security_struct *isec = inode->i_security;
2190         u32 newsid;
2191         int rc;
2192
2193         if (strcmp(name, XATTR_NAME_SELINUX)) {
2194                 /* Not an attribute we recognize, so nothing to do. */
2195                 return;
2196         }
2197
2198         rc = security_context_to_sid(value, size, &newsid);
2199         if (rc) {
2200                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2201                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2202                 return;
2203         }
2204
2205         isec->sid = newsid;
2206         return;
2207 }
2208
2209 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2210 {
2211         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2212 }
2213
2214 static int selinux_inode_listxattr (struct dentry *dentry)
2215 {
2216         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2217 }
2218
2219 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2220 {
2221         if (strcmp(name, XATTR_NAME_SELINUX)) {
2222                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2223                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2224                     !capable(CAP_SYS_ADMIN)) {
2225                         /* A different attribute in the security namespace.
2226                            Restrict to administrator. */
2227                         return -EPERM;
2228                 }
2229
2230                 /* Not an attribute we recognize, so just check the
2231                    ordinary setattr permission. Might want a separate
2232                    permission for removexattr. */
2233                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2234         }
2235
2236         /* No one is allowed to remove a SELinux security label.
2237            You can change the label, but all data must be labeled. */
2238         return -EACCES;
2239 }
2240
2241 static const char *selinux_inode_xattr_getsuffix(void)
2242 {
2243       return XATTR_SELINUX_SUFFIX;
2244 }
2245
2246 /*
2247  * Copy the in-core inode security context value to the user.  If the
2248  * getxattr() prior to this succeeded, check to see if we need to
2249  * canonicalize the value to be finally returned to the user.
2250  *
2251  * Permission check is handled by selinux_inode_getxattr hook.
2252  */
2253 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2254 {
2255         struct inode_security_struct *isec = inode->i_security;
2256
2257         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2258                 return -EOPNOTSUPP;
2259
2260         return selinux_getsecurity(isec->sid, buffer, size);
2261 }
2262
2263 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2264                                      const void *value, size_t size, int flags)
2265 {
2266         struct inode_security_struct *isec = inode->i_security;
2267         u32 newsid;
2268         int rc;
2269
2270         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2271                 return -EOPNOTSUPP;
2272
2273         if (!value || !size)
2274                 return -EACCES;
2275
2276         rc = security_context_to_sid((void*)value, size, &newsid);
2277         if (rc)
2278                 return rc;
2279
2280         isec->sid = newsid;
2281         return 0;
2282 }
2283
2284 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2285 {
2286         const int len = sizeof(XATTR_NAME_SELINUX);
2287         if (buffer && len <= buffer_size)
2288                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2289         return len;
2290 }
2291
2292 /* file security operations */
2293
2294 static int selinux_file_permission(struct file *file, int mask)
2295 {
2296         struct inode *inode = file->f_dentry->d_inode;
2297
2298         if (!mask) {
2299                 /* No permission to check.  Existence test. */
2300                 return 0;
2301         }
2302
2303         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2305                 mask |= MAY_APPEND;
2306
2307         return file_has_perm(current, file,
2308                              file_mask_to_av(inode->i_mode, mask));
2309 }
2310
2311 static int selinux_file_alloc_security(struct file *file)
2312 {
2313         return file_alloc_security(file);
2314 }
2315
2316 static void selinux_file_free_security(struct file *file)
2317 {
2318         file_free_security(file);
2319 }
2320
2321 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2322                               unsigned long arg)
2323 {
2324         int error = 0;
2325
2326         switch (cmd) {
2327                 case FIONREAD:
2328                 /* fall through */
2329                 case FIBMAP:
2330                 /* fall through */
2331                 case FIGETBSZ:
2332                 /* fall through */
2333                 case EXT2_IOC_GETFLAGS:
2334                 /* fall through */
2335                 case EXT2_IOC_GETVERSION:
2336                         error = file_has_perm(current, file, FILE__GETATTR);
2337                         break;
2338
2339                 case EXT2_IOC_SETFLAGS:
2340                 /* fall through */
2341                 case EXT2_IOC_SETVERSION:
2342                         error = file_has_perm(current, file, FILE__SETATTR);
2343                         break;
2344
2345                 /* sys_ioctl() checks */
2346                 case FIONBIO:
2347                 /* fall through */
2348                 case FIOASYNC:
2349                         error = file_has_perm(current, file, 0);
2350                         break;
2351
2352                 case KDSKBENT:
2353                 case KDSKBSENT:
2354                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2355                         break;
2356
2357                 /* default case assumes that the command will go
2358                  * to the file's ioctl() function.
2359                  */
2360                 default:
2361                         error = file_has_perm(current, file, FILE__IOCTL);
2362
2363         }
2364         return error;
2365 }
2366
2367 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2368 {
2369 #ifndef CONFIG_PPC32
2370         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2371                 /*
2372                  * We are making executable an anonymous mapping or a
2373                  * private file mapping that will also be writable.
2374                  * This has an additional check.
2375                  */
2376                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2377                 if (rc)
2378                         return rc;
2379         }
2380 #endif
2381
2382         if (file) {
2383                 /* read access is always possible with a mapping */
2384                 u32 av = FILE__READ;
2385
2386                 /* write access only matters if the mapping is shared */
2387                 if (shared && (prot & PROT_WRITE))
2388                         av |= FILE__WRITE;
2389
2390                 if (prot & PROT_EXEC)
2391                         av |= FILE__EXECUTE;
2392
2393                 return file_has_perm(current, file, av);
2394         }
2395         return 0;
2396 }
2397
2398 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2399                              unsigned long prot, unsigned long flags)
2400 {
2401         int rc;
2402
2403         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2404         if (rc)
2405                 return rc;
2406
2407         if (selinux_checkreqprot)
2408                 prot = reqprot;
2409
2410         return file_map_prot_check(file, prot,
2411                                    (flags & MAP_TYPE) == MAP_SHARED);
2412 }
2413
2414 static int selinux_file_mprotect(struct vm_area_struct *vma,
2415                                  unsigned long reqprot,
2416                                  unsigned long prot)
2417 {
2418         int rc;
2419
2420         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2421         if (rc)
2422                 return rc;
2423
2424         if (selinux_checkreqprot)
2425                 prot = reqprot;
2426
2427 #ifndef CONFIG_PPC32
2428         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2429                 rc = 0;
2430                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2431                     vma->vm_end <= vma->vm_mm->brk) {
2432                         rc = task_has_perm(current, current,
2433                                            PROCESS__EXECHEAP);
2434                 } else if (!vma->vm_file &&
2435                            vma->vm_start <= vma->vm_mm->start_stack &&
2436                            vma->vm_end >= vma->vm_mm->start_stack) {
2437                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2438                 } else if (vma->vm_file && vma->anon_vma) {
2439                         /*
2440                          * We are making executable a file mapping that has
2441                          * had some COW done. Since pages might have been
2442                          * written, check ability to execute the possibly
2443                          * modified content.  This typically should only
2444                          * occur for text relocations.
2445                          */
2446                         rc = file_has_perm(current, vma->vm_file,
2447                                            FILE__EXECMOD);
2448                 }
2449                 if (rc)
2450                         return rc;
2451         }
2452 #endif
2453
2454         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2455 }
2456
2457 static int selinux_file_lock(struct file *file, unsigned int cmd)
2458 {
2459         return file_has_perm(current, file, FILE__LOCK);
2460 }
2461
2462 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2463                               unsigned long arg)
2464 {
2465         int err = 0;
2466
2467         switch (cmd) {
2468                 case F_SETFL:
2469                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2470                                 err = -EINVAL;
2471                                 break;
2472                         }
2473
2474                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2475                                 err = file_has_perm(current, file,FILE__WRITE);
2476                                 break;
2477                         }
2478                         /* fall through */
2479                 case F_SETOWN:
2480                 case F_SETSIG:
2481                 case F_GETFL:
2482                 case F_GETOWN:
2483                 case F_GETSIG:
2484                         /* Just check FD__USE permission */
2485                         err = file_has_perm(current, file, 0);
2486                         break;
2487                 case F_GETLK:
2488                 case F_SETLK:
2489                 case F_SETLKW:
2490 #if BITS_PER_LONG == 32
2491                 case F_GETLK64:
2492                 case F_SETLK64:
2493                 case F_SETLKW64:
2494 #endif
2495                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2496                                 err = -EINVAL;
2497                                 break;
2498                         }
2499                         err = file_has_perm(current, file, FILE__LOCK);
2500                         break;
2501         }
2502
2503         return err;
2504 }
2505
2506 static int selinux_file_set_fowner(struct file *file)
2507 {
2508         struct task_security_struct *tsec;
2509         struct file_security_struct *fsec;
2510
2511         tsec = current->security;
2512         fsec = file->f_security;
2513         fsec->fown_sid = tsec->sid;
2514
2515         return 0;
2516 }
2517
2518 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2519                                        struct fown_struct *fown, int signum)
2520 {
2521         struct file *file;
2522         u32 perm;
2523         struct task_security_struct *tsec;
2524         struct file_security_struct *fsec;
2525
2526         /* struct fown_struct is never outside the context of a struct file */
2527         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2528
2529         tsec = tsk->security;
2530         fsec = file->f_security;
2531
2532         if (!signum)
2533                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2534         else
2535                 perm = signal_to_av(signum);
2536
2537         return avc_has_perm(fsec->fown_sid, tsec->sid,
2538                             SECCLASS_PROCESS, perm, NULL);
2539 }
2540
2541 static int selinux_file_receive(struct file *file)
2542 {
2543         return file_has_perm(current, file, file_to_av(file));
2544 }
2545
2546 /* task security operations */
2547
2548 static int selinux_task_create(unsigned long clone_flags)
2549 {
2550         int rc;
2551
2552         rc = secondary_ops->task_create(clone_flags);
2553         if (rc)
2554                 return rc;
2555
2556         return task_has_perm(current, current, PROCESS__FORK);
2557 }
2558
2559 static int selinux_task_alloc_security(struct task_struct *tsk)
2560 {
2561         struct task_security_struct *tsec1, *tsec2;
2562         int rc;
2563
2564         tsec1 = current->security;
2565
2566         rc = task_alloc_security(tsk);
2567         if (rc)
2568                 return rc;
2569         tsec2 = tsk->security;
2570
2571         tsec2->osid = tsec1->osid;
2572         tsec2->sid = tsec1->sid;
2573
2574         /* Retain the exec and create SIDs across fork */
2575         tsec2->exec_sid = tsec1->exec_sid;
2576         tsec2->create_sid = tsec1->create_sid;
2577
2578         /* Retain ptracer SID across fork, if any.
2579            This will be reset by the ptrace hook upon any
2580            subsequent ptrace_attach operations. */
2581         tsec2->ptrace_sid = tsec1->ptrace_sid;
2582
2583         return 0;
2584 }
2585
2586 static void selinux_task_free_security(struct task_struct *tsk)
2587 {
2588         task_free_security(tsk);
2589 }
2590
2591 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2592 {
2593         /* Since setuid only affects the current process, and
2594            since the SELinux controls are not based on the Linux
2595            identity attributes, SELinux does not need to control
2596            this operation.  However, SELinux does control the use
2597            of the CAP_SETUID and CAP_SETGID capabilities using the
2598            capable hook. */
2599         return 0;
2600 }
2601
2602 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2603 {
2604         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2605 }
2606
2607 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2608 {
2609         /* See the comment for setuid above. */
2610         return 0;
2611 }
2612
2613 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2614 {
2615         return task_has_perm(current, p, PROCESS__SETPGID);
2616 }
2617
2618 static int selinux_task_getpgid(struct task_struct *p)
2619 {
2620         return task_has_perm(current, p, PROCESS__GETPGID);
2621 }
2622
2623 static int selinux_task_getsid(struct task_struct *p)
2624 {
2625         return task_has_perm(current, p, PROCESS__GETSESSION);
2626 }
2627
2628 static int selinux_task_setgroups(struct group_info *group_info)
2629 {
2630         /* See the comment for setuid above. */
2631         return 0;
2632 }
2633
2634 static int selinux_task_setnice(struct task_struct *p, int nice)
2635 {
2636         int rc;
2637
2638         rc = secondary_ops->task_setnice(p, nice);
2639         if (rc)
2640                 return rc;
2641
2642         return task_has_perm(current,p, PROCESS__SETSCHED);
2643 }
2644
2645 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2646 {
2647         struct rlimit *old_rlim = current->signal->rlim + resource;
2648         int rc;
2649
2650         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2651         if (rc)
2652                 return rc;
2653
2654         /* Control the ability to change the hard limit (whether
2655            lowering or raising it), so that the hard limit can
2656            later be used as a safe reset point for the soft limit
2657            upon context transitions. See selinux_bprm_apply_creds. */
2658         if (old_rlim->rlim_max != new_rlim->rlim_max)
2659                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2660
2661         return 0;
2662 }
2663
2664 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2665 {
2666         return task_has_perm(current, p, PROCESS__SETSCHED);
2667 }
2668
2669 static int selinux_task_getscheduler(struct task_struct *p)
2670 {
2671         return task_has_perm(current, p, PROCESS__GETSCHED);
2672 }
2673
2674 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2675 {
2676         u32 perm;
2677         int rc;
2678
2679         rc = secondary_ops->task_kill(p, info, sig);
2680         if (rc)
2681                 return rc;
2682
2683         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2684                 return 0;
2685
2686         if (!sig)
2687                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2688         else
2689                 perm = signal_to_av(sig);
2690
2691         return task_has_perm(current, p, perm);
2692 }
2693
2694 static int selinux_task_prctl(int option,
2695                               unsigned long arg2,
2696                               unsigned long arg3,
2697                               unsigned long arg4,
2698                               unsigned long arg5)
2699 {
2700         /* The current prctl operations do not appear to require
2701            any SELinux controls since they merely observe or modify
2702            the state of the current process. */
2703         return 0;
2704 }
2705
2706 static int selinux_task_wait(struct task_struct *p)
2707 {
2708         u32 perm;
2709
2710         perm = signal_to_av(p->exit_signal);
2711
2712         return task_has_perm(p, current, perm);
2713 }
2714
2715 static void selinux_task_reparent_to_init(struct task_struct *p)
2716 {
2717         struct task_security_struct *tsec;
2718
2719         secondary_ops->task_reparent_to_init(p);
2720
2721         tsec = p->security;
2722         tsec->osid = tsec->sid;
2723         tsec->sid = SECINITSID_KERNEL;
2724         return;
2725 }
2726
2727 static void selinux_task_to_inode(struct task_struct *p,
2728                                   struct inode *inode)
2729 {
2730         struct task_security_struct *tsec = p->security;
2731         struct inode_security_struct *isec = inode->i_security;
2732
2733         isec->sid = tsec->sid;
2734         isec->initialized = 1;
2735         return;
2736 }
2737
2738 /* Returns error only if unable to parse addresses */
2739 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2740 {
2741         int offset, ihlen, ret = -EINVAL;
2742         struct iphdr _iph, *ih;
2743
2744         offset = skb->nh.raw - skb->data;
2745         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2746         if (ih == NULL)
2747                 goto out;
2748
2749         ihlen = ih->ihl * 4;
2750         if (ihlen < sizeof(_iph))
2751                 goto out;
2752
2753         ad->u.net.v4info.saddr = ih->saddr;
2754         ad->u.net.v4info.daddr = ih->daddr;
2755         ret = 0;
2756
2757         switch (ih->protocol) {
2758         case IPPROTO_TCP: {
2759                 struct tcphdr _tcph, *th;
2760
2761                 if (ntohs(ih->frag_off) & IP_OFFSET)
2762                         break;
2763
2764                 offset += ihlen;
2765                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2766                 if (th == NULL)
2767                         break;
2768
2769                 ad->u.net.sport = th->source;
2770                 ad->u.net.dport = th->dest;
2771                 break;
2772         }
2773         
2774         case IPPROTO_UDP: {
2775                 struct udphdr _udph, *uh;
2776                 
2777                 if (ntohs(ih->frag_off) & IP_OFFSET)
2778                         break;
2779                         
2780                 offset += ihlen;
2781                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2782                 if (uh == NULL)
2783                         break;  
2784
2785                 ad->u.net.sport = uh->source;
2786                 ad->u.net.dport = uh->dest;
2787                 break;
2788         }
2789
2790         default:
2791                 break;
2792         }
2793 out:
2794         return ret;
2795 }
2796
2797 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2798
2799 /* Returns error only if unable to parse addresses */
2800 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2801 {
2802         u8 nexthdr;
2803         int ret = -EINVAL, offset;
2804         struct ipv6hdr _ipv6h, *ip6;
2805
2806         offset = skb->nh.raw - skb->data;
2807         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2808         if (ip6 == NULL)
2809                 goto out;
2810
2811         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2812         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2813         ret = 0;
2814
2815         nexthdr = ip6->nexthdr;
2816         offset += sizeof(_ipv6h);
2817         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2818         if (offset < 0)
2819                 goto out;
2820
2821         switch (nexthdr) {
2822         case IPPROTO_TCP: {
2823                 struct tcphdr _tcph, *th;
2824
2825                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2826                 if (th == NULL)
2827                         break;
2828
2829                 ad->u.net.sport = th->source;
2830                 ad->u.net.dport = th->dest;
2831                 break;
2832         }
2833
2834         case IPPROTO_UDP: {
2835                 struct udphdr _udph, *uh;
2836
2837                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2838                 if (uh == NULL)
2839                         break;
2840
2841                 ad->u.net.sport = uh->source;
2842                 ad->u.net.dport = uh->dest;
2843                 break;
2844         }
2845
2846         /* includes fragments */
2847         default:
2848                 break;
2849         }
2850 out:
2851         return ret;
2852 }
2853
2854 #endif /* IPV6 */
2855
2856 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2857                              char **addrp, int *len, int src)
2858 {
2859         int ret = 0;
2860
2861         switch (ad->u.net.family) {
2862         case PF_INET:
2863                 ret = selinux_parse_skb_ipv4(skb, ad);
2864                 if (ret || !addrp)
2865                         break;
2866                 *len = 4;
2867                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2868                                         &ad->u.net.v4info.daddr);
2869                 break;
2870
2871 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2872         case PF_INET6:
2873                 ret = selinux_parse_skb_ipv6(skb, ad);
2874                 if (ret || !addrp)
2875                         break;
2876                 *len = 16;
2877                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2878                                         &ad->u.net.v6info.daddr);
2879                 break;
2880 #endif  /* IPV6 */
2881         default:
2882                 break;
2883         }
2884
2885         return ret;
2886 }
2887
2888 /* socket security operations */
2889 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2890                            u32 perms)
2891 {
2892         struct inode_security_struct *isec;
2893         struct task_security_struct *tsec;
2894         struct avc_audit_data ad;
2895         int err = 0;
2896
2897         tsec = task->security;
2898         isec = SOCK_INODE(sock)->i_security;
2899
2900         if (isec->sid == SECINITSID_KERNEL)
2901                 goto out;
2902
2903         AVC_AUDIT_DATA_INIT(&ad,NET);
2904         ad.u.net.sk = sock->sk;
2905         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2906
2907 out:
2908         return err;
2909 }
2910
2911 static int selinux_socket_create(int family, int type,
2912                                  int protocol, int kern)
2913 {
2914         int err = 0;
2915         struct task_security_struct *tsec;
2916
2917         if (kern)
2918                 goto out;
2919
2920         tsec = current->security;
2921         err = avc_has_perm(tsec->sid, tsec->sid,
2922                            socket_type_to_security_class(family, type,
2923                            protocol), SOCKET__CREATE, NULL);
2924
2925 out:
2926         return err;
2927 }
2928
2929 static void selinux_socket_post_create(struct socket *sock, int family,
2930                                        int type, int protocol, int kern)
2931 {
2932         struct inode_security_struct *isec;
2933         struct task_security_struct *tsec;
2934
2935         isec = SOCK_INODE(sock)->i_security;
2936
2937         tsec = current->security;
2938         isec->sclass = socket_type_to_security_class(family, type, protocol);
2939         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2940         isec->initialized = 1;
2941
2942         return;
2943 }
2944
2945 /* Range of port numbers used to automatically bind.
2946    Need to determine whether we should perform a name_bind
2947    permission check between the socket and the port number. */
2948 #define ip_local_port_range_0 sysctl_local_port_range[0]
2949 #define ip_local_port_range_1 sysctl_local_port_range[1]
2950
2951 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2952 {
2953         u16 family;
2954         int err;
2955
2956         err = socket_has_perm(current, sock, SOCKET__BIND);
2957         if (err)
2958                 goto out;
2959
2960         /*
2961          * If PF_INET or PF_INET6, check name_bind permission for the port.
2962          * Multiple address binding for SCTP is not supported yet: we just
2963          * check the first address now.
2964          */
2965         family = sock->sk->sk_family;
2966         if (family == PF_INET || family == PF_INET6) {
2967                 char *addrp;
2968                 struct inode_security_struct *isec;
2969                 struct task_security_struct *tsec;
2970                 struct avc_audit_data ad;
2971                 struct sockaddr_in *addr4 = NULL;
2972                 struct sockaddr_in6 *addr6 = NULL;
2973                 unsigned short snum;
2974                 struct sock *sk = sock->sk;
2975                 u32 sid, node_perm, addrlen;
2976
2977                 tsec = current->security;
2978                 isec = SOCK_INODE(sock)->i_security;
2979
2980                 if (family == PF_INET) {
2981                         addr4 = (struct sockaddr_in *)address;
2982                         snum = ntohs(addr4->sin_port);
2983                         addrlen = sizeof(addr4->sin_addr.s_addr);
2984                         addrp = (char *)&addr4->sin_addr.s_addr;
2985                 } else {
2986                         addr6 = (struct sockaddr_in6 *)address;
2987                         snum = ntohs(addr6->sin6_port);
2988                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
2989                         addrp = (char *)&addr6->sin6_addr.s6_addr;
2990                 }
2991
2992                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2993                            snum > ip_local_port_range_1)) {
2994                         err = security_port_sid(sk->sk_family, sk->sk_type,
2995                                                 sk->sk_protocol, snum, &sid);
2996                         if (err)
2997                                 goto out;
2998                         AVC_AUDIT_DATA_INIT(&ad,NET);
2999                         ad.u.net.sport = htons(snum);
3000                         ad.u.net.family = family;
3001                         err = avc_has_perm(isec->sid, sid,
3002                                            isec->sclass,
3003                                            SOCKET__NAME_BIND, &ad);
3004                         if (err)
3005                                 goto out;
3006                 }
3007                 
3008                 switch(isec->sclass) {
3009                 case SECCLASS_TCP_SOCKET:
3010                         node_perm = TCP_SOCKET__NODE_BIND;
3011                         break;
3012                         
3013                 case SECCLASS_UDP_SOCKET:
3014                         node_perm = UDP_SOCKET__NODE_BIND;
3015                         break;
3016                         
3017                 default:
3018                         node_perm = RAWIP_SOCKET__NODE_BIND;
3019                         break;
3020                 }
3021                 
3022                 err = security_node_sid(family, addrp, addrlen, &sid);
3023                 if (err)
3024                         goto out;
3025                 
3026                 AVC_AUDIT_DATA_INIT(&ad,NET);
3027                 ad.u.net.sport = htons(snum);
3028                 ad.u.net.family = family;
3029
3030                 if (family == PF_INET)
3031                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3032                 else
3033                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3034
3035                 err = avc_has_perm(isec->sid, sid,
3036                                    isec->sclass, node_perm, &ad);
3037                 if (err)
3038                         goto out;
3039         }
3040 out:
3041         return err;
3042 }
3043
3044 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3045 {
3046         struct inode_security_struct *isec;
3047         int err;
3048
3049         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3050         if (err)
3051                 return err;
3052
3053         /*
3054          * If a TCP socket, check name_connect permission for the port.
3055          */
3056         isec = SOCK_INODE(sock)->i_security;
3057         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3058                 struct sock *sk = sock->sk;
3059                 struct avc_audit_data ad;
3060                 struct sockaddr_in *addr4 = NULL;
3061                 struct sockaddr_in6 *addr6 = NULL;
3062                 unsigned short snum;
3063                 u32 sid;
3064
3065                 if (sk->sk_family == PF_INET) {
3066                         addr4 = (struct sockaddr_in *)address;
3067                         if (addrlen < sizeof(struct sockaddr_in))
3068                                 return -EINVAL;
3069                         snum = ntohs(addr4->sin_port);
3070                 } else {
3071                         addr6 = (struct sockaddr_in6 *)address;
3072                         if (addrlen < SIN6_LEN_RFC2133)
3073                                 return -EINVAL;
3074                         snum = ntohs(addr6->sin6_port);
3075                 }
3076
3077                 err = security_port_sid(sk->sk_family, sk->sk_type,
3078                                         sk->sk_protocol, snum, &sid);
3079                 if (err)
3080                         goto out;
3081
3082                 AVC_AUDIT_DATA_INIT(&ad,NET);
3083                 ad.u.net.dport = htons(snum);
3084                 ad.u.net.family = sk->sk_family;
3085                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3086                                    TCP_SOCKET__NAME_CONNECT, &ad);
3087                 if (err)
3088                         goto out;
3089         }
3090
3091 out:
3092         return err;
3093 }
3094
3095 static int selinux_socket_listen(struct socket *sock, int backlog)
3096 {
3097         return socket_has_perm(current, sock, SOCKET__LISTEN);
3098 }
3099
3100 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3101 {
3102         int err;
3103         struct inode_security_struct *isec;
3104         struct inode_security_struct *newisec;
3105
3106         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3107         if (err)
3108                 return err;
3109
3110         newisec = SOCK_INODE(newsock)->i_security;
3111
3112         isec = SOCK_INODE(sock)->i_security;
3113         newisec->sclass = isec->sclass;
3114         newisec->sid = isec->sid;
3115         newisec->initialized = 1;
3116
3117         return 0;
3118 }
3119
3120 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3121                                   int size)
3122 {
3123         return socket_has_perm(current, sock, SOCKET__WRITE);
3124 }
3125
3126 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3127                                   int size, int flags)
3128 {
3129         return socket_has_perm(current, sock, SOCKET__READ);
3130 }
3131
3132 static int selinux_socket_getsockname(struct socket *sock)
3133 {
3134         return socket_has_perm(current, sock, SOCKET__GETATTR);
3135 }
3136
3137 static int selinux_socket_getpeername(struct socket *sock)
3138 {
3139         return socket_has_perm(current, sock, SOCKET__GETATTR);
3140 }
3141
3142 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3143 {
3144         return socket_has_perm(current, sock, SOCKET__SETOPT);
3145 }
3146
3147 static int selinux_socket_getsockopt(struct socket *sock, int level,
3148                                      int optname)
3149 {
3150         return socket_has_perm(current, sock, SOCKET__GETOPT);
3151 }
3152
3153 static int selinux_socket_shutdown(struct socket *sock, int how)
3154 {
3155         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3156 }
3157
3158 static int selinux_socket_unix_stream_connect(struct socket *sock,
3159                                               struct socket *other,
3160                                               struct sock *newsk)
3161 {
3162         struct sk_security_struct *ssec;
3163         struct inode_security_struct *isec;
3164         struct inode_security_struct *other_isec;
3165         struct avc_audit_data ad;
3166         int err;
3167
3168         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3169         if (err)
3170                 return err;
3171
3172         isec = SOCK_INODE(sock)->i_security;
3173         other_isec = SOCK_INODE(other)->i_security;
3174
3175         AVC_AUDIT_DATA_INIT(&ad,NET);
3176         ad.u.net.sk = other->sk;
3177
3178         err = avc_has_perm(isec->sid, other_isec->sid,
3179                            isec->sclass,
3180                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3181         if (err)
3182                 return err;
3183
3184         /* connecting socket */
3185         ssec = sock->sk->sk_security;
3186         ssec->peer_sid = other_isec->sid;
3187         
3188         /* server child socket */
3189         ssec = newsk->sk_security;
3190         ssec->peer_sid = isec->sid;
3191         
3192         return 0;
3193 }
3194
3195 static int selinux_socket_unix_may_send(struct socket *sock,
3196                                         struct socket *other)
3197 {
3198         struct inode_security_struct *isec;
3199         struct inode_security_struct *other_isec;
3200         struct avc_audit_data ad;
3201         int err;
3202
3203         isec = SOCK_INODE(sock)->i_security;
3204         other_isec = SOCK_INODE(other)->i_security;
3205
3206         AVC_AUDIT_DATA_INIT(&ad,NET);
3207         ad.u.net.sk = other->sk;
3208
3209         err = avc_has_perm(isec->sid, other_isec->sid,
3210                            isec->sclass, SOCKET__SENDTO, &ad);
3211         if (err)
3212                 return err;
3213
3214         return 0;
3215 }
3216
3217 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3218 {
3219         u16 family;
3220         char *addrp;
3221         int len, err = 0;
3222         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3223         u32 sock_sid = 0;
3224         u16 sock_class = 0;
3225         struct socket *sock;
3226         struct net_device *dev;
3227         struct avc_audit_data ad;
3228
3229         family = sk->sk_family;
3230         if (family != PF_INET && family != PF_INET6)
3231                 goto out;
3232
3233         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3234         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3235                 family = PF_INET;
3236
3237         read_lock_bh(&sk->sk_callback_lock);
3238         sock = sk->sk_socket;
3239         if (sock) {
3240                 struct inode *inode;
3241                 inode = SOCK_INODE(sock);
3242                 if (inode) {
3243                         struct inode_security_struct *isec;
3244                         isec = inode->i_security;
3245                         sock_sid = isec->sid;
3246                         sock_class = isec->sclass;
3247                 }
3248         }
3249         read_unlock_bh(&sk->sk_callback_lock);
3250         if (!sock_sid)
3251                 goto out;
3252
3253         dev = skb->dev;
3254         if (!dev)
3255                 goto out;
3256
3257         err = sel_netif_sids(dev, &if_sid, NULL);
3258         if (err)
3259                 goto out;
3260
3261         switch (sock_class) {
3262         case SECCLASS_UDP_SOCKET:
3263                 netif_perm = NETIF__UDP_RECV;
3264                 node_perm = NODE__UDP_RECV;
3265                 recv_perm = UDP_SOCKET__RECV_MSG;
3266                 break;
3267         
3268         case SECCLASS_TCP_SOCKET:
3269                 netif_perm = NETIF__TCP_RECV;
3270                 node_perm = NODE__TCP_RECV;
3271                 recv_perm = TCP_SOCKET__RECV_MSG;
3272                 break;
3273         
3274         default:
3275                 netif_perm = NETIF__RAWIP_RECV;
3276                 node_perm = NODE__RAWIP_RECV;
3277                 break;
3278         }
3279
3280         AVC_AUDIT_DATA_INIT(&ad, NET);
3281         ad.u.net.netif = dev->name;
3282         ad.u.net.family = family;
3283
3284         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3285         if (err)
3286                 goto out;
3287
3288         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3289         if (err)
3290                 goto out;
3291         
3292         /* Fixme: this lookup is inefficient */
3293         err = security_node_sid(family, addrp, len, &node_sid);
3294         if (err)
3295                 goto out;
3296         
3297         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3298         if (err)
3299                 goto out;
3300
3301         if (recv_perm) {
3302                 u32 port_sid;
3303
3304                 /* Fixme: make this more efficient */
3305                 err = security_port_sid(sk->sk_family, sk->sk_type,
3306                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3307                                         &port_sid);
3308                 if (err)
3309                         goto out;
3310
3311                 err = avc_has_perm(sock_sid, port_sid,
3312                                    sock_class, recv_perm, &ad);
3313         }
3314
3315         if (!err)
3316                 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3317
3318 out:    
3319         return err;
3320 }
3321
3322 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3323                                             int __user *optlen, unsigned len)
3324 {
3325         int err = 0;
3326         char *scontext;
3327         u32 scontext_len;
3328         struct sk_security_struct *ssec;
3329         struct inode_security_struct *isec;
3330         u32 peer_sid = 0;
3331
3332         isec = SOCK_INODE(sock)->i_security;
3333
3334         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3335         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3336                 ssec = sock->sk->sk_security;
3337                 peer_sid = ssec->peer_sid;
3338         }
3339         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3340                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3341
3342                 if (peer_sid == SECSID_NULL) {
3343                         err = -ENOPROTOOPT;
3344                         goto out;
3345                 }
3346         }
3347         else {
3348                 err = -ENOPROTOOPT;
3349                 goto out;
3350         }
3351
3352         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3353
3354         if (err)
3355                 goto out;
3356
3357         if (scontext_len > len) {
3358                 err = -ERANGE;
3359                 goto out_len;
3360         }
3361
3362         if (copy_to_user(optval, scontext, scontext_len))
3363                 err = -EFAULT;
3364
3365 out_len:
3366         if (put_user(scontext_len, optlen))
3367                 err = -EFAULT;
3368
3369         kfree(scontext);
3370 out:    
3371         return err;
3372 }
3373
3374 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3375 {
3376         int err = 0;
3377         u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3378
3379         if (peer_sid == SECSID_NULL)
3380                 return -EINVAL;
3381
3382         err = security_sid_to_context(peer_sid, secdata, seclen);
3383         if (err)
3384                 return err;
3385
3386         return 0;
3387 }
3388
3389
3390
3391 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3392 {
3393         return sk_alloc_security(sk, family, priority);
3394 }
3395
3396 static void selinux_sk_free_security(struct sock *sk)
3397 {
3398         sk_free_security(sk);
3399 }
3400
3401 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3402 {
3403         struct inode_security_struct *isec;
3404         u32 sock_sid = SECINITSID_ANY_SOCKET;
3405
3406         if (!sk)
3407                 return selinux_no_sk_sid(fl);
3408
3409         read_lock_bh(&sk->sk_callback_lock);
3410         isec = get_sock_isec(sk);
3411
3412         if (isec)
3413                 sock_sid = isec->sid;
3414
3415         read_unlock_bh(&sk->sk_callback_lock);
3416         return sock_sid;
3417 }
3418
3419 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3420 {
3421         int err = 0;
3422         u32 perm;
3423         struct nlmsghdr *nlh;
3424         struct socket *sock = sk->sk_socket;
3425         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3426         
3427         if (skb->len < NLMSG_SPACE(0)) {
3428                 err = -EINVAL;
3429                 goto out;
3430         }
3431         nlh = (struct nlmsghdr *)skb->data;
3432         
3433         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3434         if (err) {
3435                 if (err == -EINVAL) {
3436                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3437                                   "SELinux:  unrecognized netlink message"
3438                                   " type=%hu for sclass=%hu\n",
3439                                   nlh->nlmsg_type, isec->sclass);
3440                         if (!selinux_enforcing)
3441                                 err = 0;
3442                 }
3443
3444                 /* Ignore */
3445                 if (err == -ENOENT)
3446                         err = 0;
3447                 goto out;
3448         }
3449
3450         err = socket_has_perm(current, sock, perm);
3451 out:
3452         return err;
3453 }
3454
3455 #ifdef CONFIG_NETFILTER
3456
3457 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3458                                               struct sk_buff **pskb,
3459                                               const struct net_device *in,
3460                                               const struct net_device *out,
3461                                               int (*okfn)(struct sk_buff *),
3462                                               u16 family)
3463 {
3464         char *addrp;
3465         int len, err = NF_ACCEPT;
3466         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3467         struct sock *sk;
3468         struct socket *sock;
3469         struct inode *inode;
3470         struct sk_buff *skb = *pskb;
3471         struct inode_security_struct *isec;
3472         struct avc_audit_data ad;
3473         struct net_device *dev = (struct net_device *)out;
3474         
3475         sk = skb->sk;
3476         if (!sk)
3477                 goto out;
3478                 
3479         sock = sk->sk_socket;
3480         if (!sock)
3481                 goto out;
3482                 
3483         inode = SOCK_INODE(sock);
3484         if (!inode)
3485                 goto out;
3486
3487         err = sel_netif_sids(dev, &if_sid, NULL);
3488         if (err)
3489                 goto out;
3490
3491         isec = inode->i_security;
3492         
3493         switch (isec->sclass) {
3494         case SECCLASS_UDP_SOCKET:
3495                 netif_perm = NETIF__UDP_SEND;
3496                 node_perm = NODE__UDP_SEND;
3497                 send_perm = UDP_SOCKET__SEND_MSG;
3498                 break;
3499         
3500         case SECCLASS_TCP_SOCKET:
3501                 netif_perm = NETIF__TCP_SEND;
3502                 node_perm = NODE__TCP_SEND;
3503                 send_perm = TCP_SOCKET__SEND_MSG;
3504                 break;
3505         
3506         default:
3507                 netif_perm = NETIF__RAWIP_SEND;
3508                 node_perm = NODE__RAWIP_SEND;
3509                 break;
3510         }
3511
3512
3513         AVC_AUDIT_DATA_INIT(&ad, NET);
3514         ad.u.net.netif = dev->name;
3515         ad.u.net.family = family;
3516
3517         err = selinux_parse_skb(skb, &ad, &addrp,
3518                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3519         if (err != NF_ACCEPT)
3520                 goto out;
3521
3522         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3523                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3524         if (err != NF_ACCEPT)
3525                 goto out;
3526                 
3527         /* Fixme: this lookup is inefficient */
3528         err = security_node_sid(family, addrp, len,
3529                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3530         if (err != NF_ACCEPT)
3531                 goto out;
3532         
3533         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3534                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3535         if (err != NF_ACCEPT)
3536                 goto out;
3537
3538         if (send_perm) {
3539                 u32 port_sid;
3540                 
3541                 /* Fixme: make this more efficient */
3542                 err = security_port_sid(sk->sk_family,
3543                                         sk->sk_type,
3544                                         sk->sk_protocol,
3545                                         ntohs(ad.u.net.dport),
3546                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3547                 if (err != NF_ACCEPT)
3548                         goto out;
3549
3550                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3551                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3552         }
3553
3554         if (err != NF_ACCEPT)
3555                 goto out;
3556
3557         err = selinux_xfrm_postroute_last(isec->sid, skb);
3558
3559 out:
3560         return err;
3561 }
3562
3563 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3564                                                 struct sk_buff **pskb,
3565                                                 const struct net_device *in,
3566                                                 const struct net_device *out,
3567                                                 int (*okfn)(struct sk_buff *))
3568 {
3569         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3570 }
3571
3572 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3573
3574 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3575                                                 struct sk_buff **pskb,
3576                                                 const struct net_device *in,
3577                                                 const struct net_device *out,
3578                                                 int (*okfn)(struct sk_buff *))
3579 {
3580         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3581 }
3582
3583 #endif  /* IPV6 */
3584
3585 #endif  /* CONFIG_NETFILTER */
3586
3587 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3588 {
3589         struct task_security_struct *tsec;
3590         struct av_decision avd;
3591         int err;
3592
3593         err = secondary_ops->netlink_send(sk, skb);
3594         if (err)
3595                 return err;
3596
3597         tsec = current->security;
3598
3599         avd.allowed = 0;
3600         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3601                                 SECCLASS_CAPABILITY, ~0, &avd);
3602         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3603
3604         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3605                 err = selinux_nlmsg_perm(sk, skb);
3606
3607         return err;
3608 }
3609
3610 static int selinux_netlink_recv(struct sk_buff *skb)
3611 {
3612         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3613                 return -EPERM;
3614         return 0;
3615 }
3616
3617 static int ipc_alloc_security(struct task_struct *task,
3618                               struct kern_ipc_perm *perm,
3619                               u16 sclass)
3620 {
3621         struct task_security_struct *tsec = task->security;
3622         struct ipc_security_struct *isec;
3623
3624         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3625         if (!isec)
3626                 return -ENOMEM;
3627
3628         isec->sclass = sclass;
3629         isec->ipc_perm = perm;
3630         isec->sid = tsec->sid;
3631         perm->security = isec;
3632
3633         return 0;
3634 }
3635
3636 static void ipc_free_security(struct kern_ipc_perm *perm)
3637 {
3638         struct ipc_security_struct *isec = perm->security;
3639         perm->security = NULL;
3640         kfree(isec);
3641 }
3642
3643 static int msg_msg_alloc_security(struct msg_msg *msg)
3644 {
3645         struct msg_security_struct *msec;
3646
3647         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3648         if (!msec)
3649                 return -ENOMEM;
3650
3651         msec->msg = msg;
3652         msec->sid = SECINITSID_UNLABELED;
3653         msg->security = msec;
3654
3655         return 0;
3656 }
3657
3658 static void msg_msg_free_security(struct msg_msg *msg)
3659 {
3660         struct msg_security_struct *msec = msg->security;
3661
3662         msg->security = NULL;
3663         kfree(msec);
3664 }
3665
3666 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3667                         u32 perms)
3668 {
3669         struct task_security_struct *tsec;
3670         struct ipc_security_struct *isec;
3671         struct avc_audit_data ad;
3672
3673         tsec = current->security;
3674         isec = ipc_perms->security;
3675
3676         AVC_AUDIT_DATA_INIT(&ad, IPC);
3677         ad.u.ipc_id = ipc_perms->key;
3678
3679         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3680 }
3681
3682 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3683 {
3684         return msg_msg_alloc_security(msg);
3685 }
3686
3687 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3688 {
3689         msg_msg_free_security(msg);
3690 }
3691
3692 /* message queue security operations */
3693 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3694 {
3695         struct task_security_struct *tsec;
3696         struct ipc_security_struct *isec;
3697         struct avc_audit_data ad;
3698         int rc;
3699
3700         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3701         if (rc)
3702                 return rc;
3703
3704         tsec = current->security;
3705         isec = msq->q_perm.security;
3706
3707         AVC_AUDIT_DATA_INIT(&ad, IPC);
3708         ad.u.ipc_id = msq->q_perm.key;
3709
3710         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3711                           MSGQ__CREATE, &ad);
3712         if (rc) {
3713                 ipc_free_security(&msq->q_perm);
3714                 return rc;
3715         }
3716         return 0;
3717 }
3718
3719 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3720 {
3721         ipc_free_security(&msq->q_perm);
3722 }
3723
3724 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3725 {
3726         struct task_security_struct *tsec;
3727         struct ipc_security_struct *isec;
3728         struct avc_audit_data ad;
3729
3730         tsec = current->security;
3731         isec = msq->q_perm.security;
3732
3733         AVC_AUDIT_DATA_INIT(&ad, IPC);
3734         ad.u.ipc_id = msq->q_perm.key;
3735
3736         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3737                             MSGQ__ASSOCIATE, &ad);
3738 }
3739
3740 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3741 {
3742         int err;
3743         int perms;
3744
3745         switch(cmd) {
3746         case IPC_INFO:
3747         case MSG_INFO:
3748                 /* No specific object, just general system-wide information. */
3749                 return task_has_system(current, SYSTEM__IPC_INFO);
3750         case IPC_STAT:
3751         case MSG_STAT:
3752                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3753                 break;
3754         case IPC_SET:
3755                 perms = MSGQ__SETATTR;
3756                 break;
3757         case IPC_RMID:
3758                 perms = MSGQ__DESTROY;
3759                 break;
3760         default:
3761                 return 0;
3762         }
3763
3764         err = ipc_has_perm(&msq->q_perm, perms);
3765         return err;
3766 }
3767
3768 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3769 {
3770         struct task_security_struct *tsec;
3771         struct ipc_security_struct *isec;
3772         struct msg_security_struct *msec;
3773         struct avc_audit_data ad;
3774         int rc;
3775
3776         tsec = current->security;
3777         isec = msq->q_perm.security;
3778         msec = msg->security;
3779
3780         /*
3781          * First time through, need to assign label to the message
3782          */
3783         if (msec->sid == SECINITSID_UNLABELED) {
3784                 /*
3785                  * Compute new sid based on current process and
3786                  * message queue this message will be stored in
3787                  */
3788                 rc = security_transition_sid(tsec->sid,
3789                                              isec->sid,
3790                                              SECCLASS_MSG,
3791                                              &msec->sid);
3792                 if (rc)
3793                         return rc;
3794         }
3795
3796         AVC_AUDIT_DATA_INIT(&ad, IPC);
3797         ad.u.ipc_id = msq->q_perm.key;
3798
3799         /* Can this process write to the queue? */
3800         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3801                           MSGQ__WRITE, &ad);
3802         if (!rc)
3803                 /* Can this process send the message */
3804                 rc = avc_has_perm(tsec->sid, msec->sid,
3805                                   SECCLASS_MSG, MSG__SEND, &ad);
3806         if (!rc)
3807                 /* Can the message be put in the queue? */
3808                 rc = avc_has_perm(msec->sid, isec->sid,
3809                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3810
3811         return rc;
3812 }
3813
3814 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3815                                     struct task_struct *target,
3816                                     long type, int mode)
3817 {
3818         struct task_security_struct *tsec;
3819         struct ipc_security_struct *isec;
3820         struct msg_security_struct *msec;
3821         struct avc_audit_data ad;
3822         int rc;
3823
3824         tsec = target->security;
3825         isec = msq->q_perm.security;
3826         msec = msg->security;
3827
3828         AVC_AUDIT_DATA_INIT(&ad, IPC);
3829         ad.u.ipc_id = msq->q_perm.key;
3830
3831         rc = avc_has_perm(tsec->sid, isec->sid,
3832                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3833         if (!rc)
3834                 rc = avc_has_perm(tsec->sid, msec->sid,
3835                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3836         return rc;
3837 }
3838
3839 /* Shared Memory security operations */
3840 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3841 {
3842         struct task_security_struct *tsec;
3843         struct ipc_security_struct *isec;
3844         struct avc_audit_data ad;
3845         int rc;
3846
3847         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3848         if (rc)
3849                 return rc;
3850
3851         tsec = current->security;
3852         isec = shp->shm_perm.security;
3853
3854         AVC_AUDIT_DATA_INIT(&ad, IPC);
3855         ad.u.ipc_id = shp->shm_perm.key;
3856
3857         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3858                           SHM__CREATE, &ad);
3859         if (rc) {
3860                 ipc_free_security(&shp->shm_perm);
3861                 return rc;
3862         }
3863         return 0;
3864 }
3865
3866 static void selinux_shm_free_security(struct shmid_kernel *shp)
3867 {
3868         ipc_free_security(&shp->shm_perm);
3869 }
3870
3871 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3872 {
3873         struct task_security_struct *tsec;
3874         struct ipc_security_struct *isec;
3875         struct avc_audit_data ad;
3876
3877         tsec = current->security;
3878         isec = shp->shm_perm.security;
3879
3880         AVC_AUDIT_DATA_INIT(&ad, IPC);
3881         ad.u.ipc_id = shp->shm_perm.key;
3882
3883         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3884                             SHM__ASSOCIATE, &ad);
3885 }
3886
3887 /* Note, at this point, shp is locked down */
3888 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3889 {
3890         int perms;
3891         int err;
3892
3893         switch(cmd) {
3894         case IPC_INFO:
3895         case SHM_INFO:
3896                 /* No specific object, just general system-wide information. */
3897                 return task_has_system(current, SYSTEM__IPC_INFO);
3898         case IPC_STAT:
3899         case SHM_STAT:
3900                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3901                 break;
3902         case IPC_SET:
3903                 perms = SHM__SETATTR;
3904                 break;
3905         case SHM_LOCK:
3906         case SHM_UNLOCK:
3907                 perms = SHM__LOCK;
3908                 break;
3909         case IPC_RMID:
3910                 perms = SHM__DESTROY;
3911                 break;
3912         default:
3913                 return 0;
3914         }
3915
3916         err = ipc_has_perm(&shp->shm_perm, perms);
3917         return err;
3918 }
3919
3920 static int selinux_shm_shmat(struct shmid_kernel *shp,
3921                              char __user *shmaddr, int shmflg)
3922 {
3923         u32 perms;
3924         int rc;
3925
3926         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3927         if (rc)
3928                 return rc;
3929
3930         if (shmflg & SHM_RDONLY)
3931                 perms = SHM__READ;
3932         else
3933                 perms = SHM__READ | SHM__WRITE;
3934
3935         return ipc_has_perm(&shp->shm_perm, perms);
3936 }
3937
3938 /* Semaphore security operations */
3939 static int selinux_sem_alloc_security(struct sem_array *sma)
3940 {
3941         struct task_security_struct *tsec;
3942         struct ipc_security_struct *isec;
3943         struct avc_audit_data ad;
3944         int rc;
3945
3946         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3947         if (rc)
3948                 return rc;
3949
3950         tsec = current->security;
3951         isec = sma->sem_perm.security;
3952
3953         AVC_AUDIT_DATA_INIT(&ad, IPC);
3954         ad.u.ipc_id = sma->sem_perm.key;
3955
3956         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3957                           SEM__CREATE, &ad);
3958         if (rc) {
3959                 ipc_free_security(&sma->sem_perm);
3960                 return rc;
3961         }
3962         return 0;
3963 }
3964
3965 static void selinux_sem_free_security(struct sem_array *sma)
3966 {
3967         ipc_free_security(&sma->sem_perm);
3968 }
3969
3970 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3971 {
3972         struct task_security_struct *tsec;
3973         struct ipc_security_struct *isec;
3974         struct avc_audit_data ad;
3975
3976         tsec = current->security;
3977         isec = sma->sem_perm.security;
3978
3979         AVC_AUDIT_DATA_INIT(&ad, IPC);
3980         ad.u.ipc_id = sma->sem_perm.key;
3981
3982         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3983                             SEM__ASSOCIATE, &ad);
3984 }
3985
3986 /* Note, at this point, sma is locked down */
3987 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3988 {
3989         int err;
3990         u32 perms;
3991
3992         switch(cmd) {
3993         case IPC_INFO:
3994         case SEM_INFO:
3995                 /* No specific object, just general system-wide information. */
3996                 return task_has_system(current, SYSTEM__IPC_INFO);
3997         case GETPID:
3998         case GETNCNT:
3999         case GETZCNT:
4000                 perms = SEM__GETATTR;
4001                 break;
4002         case GETVAL:
4003         case GETALL:
4004                 perms = SEM__READ;
4005                 break;
4006         case SETVAL:
4007         case SETALL:
4008                 perms = SEM__WRITE;
4009                 break;
4010         case IPC_RMID:
4011                 perms = SEM__DESTROY;
4012                 break;
4013         case IPC_SET:
4014                 perms = SEM__SETATTR;
4015                 break;
4016         case IPC_STAT:
4017         case SEM_STAT:
4018                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4019                 break;
4020         default:
4021                 return 0;
4022         }
4023
4024         err = ipc_has_perm(&sma->sem_perm, perms);
4025         return err;
4026 }
4027
4028 static int selinux_sem_semop(struct sem_array *sma,
4029                              struct sembuf *sops, unsigned nsops, int alter)
4030 {
4031         u32 perms;
4032
4033         if (alter)
4034                 perms = SEM__READ | SEM__WRITE;
4035         else
4036                 perms = SEM__READ;
4037
4038         return ipc_has_perm(&sma->sem_perm, perms);
4039 }
4040
4041 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4042 {
4043         u32 av = 0;
4044
4045         av = 0;
4046         if (flag & S_IRUGO)
4047                 av |= IPC__UNIX_READ;
4048         if (flag & S_IWUGO)
4049                 av |= IPC__UNIX_WRITE;
4050
4051         if (av == 0)
4052                 return 0;
4053
4054         return ipc_has_perm(ipcp, av);
4055 }
4056
4057 /* module stacking operations */
4058 static int selinux_register_security (const char *name, struct security_operations *ops)
4059 {
4060         if (secondary_ops != original_ops) {
4061                 printk(KERN_INFO "%s:  There is already a secondary security "
4062                        "module registered.\n", __FUNCTION__);
4063                 return -EINVAL;
4064         }
4065
4066         secondary_ops = ops;
4067
4068         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4069                __FUNCTION__,
4070                name);
4071
4072         return 0;
4073 }
4074
4075 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4076 {
4077         if (ops != secondary_ops) {
4078                 printk (KERN_INFO "%s:  trying to unregister a security module "
4079                         "that is not registered.\n", __FUNCTION__);
4080                 return -EINVAL;
4081         }
4082
4083         secondary_ops = original_ops;
4084
4085         return 0;
4086 }
4087
4088 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4089 {
4090         if (inode)
4091                 inode_doinit_with_dentry(inode, dentry);
4092 }
4093
4094 static int selinux_getprocattr(struct task_struct *p,
4095                                char *name, void *value, size_t size)
4096 {
4097         struct task_security_struct *tsec;
4098         u32 sid;
4099         int error;
4100
4101         if (current != p) {
4102                 error = task_has_perm(current, p, PROCESS__GETATTR);
4103                 if (error)
4104                         return error;
4105         }
4106
4107         tsec = p->security;
4108
4109         if (!strcmp(name, "current"))
4110                 sid = tsec->sid;
4111         else if (!strcmp(name, "prev"))
4112                 sid = tsec->osid;
4113         else if (!strcmp(name, "exec"))
4114                 sid = tsec->exec_sid;
4115         else if (!strcmp(name, "fscreate"))
4116                 sid = tsec->create_sid;
4117         else
4118                 return -EINVAL;
4119
4120         if (!sid)
4121                 return 0;
4122
4123         return selinux_getsecurity(sid, value, size);
4124 }
4125
4126 static int selinux_setprocattr(struct task_struct *p,
4127                                char *name, void *value, size_t size)
4128 {
4129         struct task_security_struct *tsec;
4130         u32 sid = 0;
4131         int error;
4132         char *str = value;
4133
4134         if (current != p) {
4135                 /* SELinux only allows a process to change its own
4136                    security attributes. */
4137                 return -EACCES;
4138         }
4139
4140         /*
4141          * Basic control over ability to set these attributes at all.
4142          * current == p, but we'll pass them separately in case the
4143          * above restriction is ever removed.
4144          */
4145         if (!strcmp(name, "exec"))
4146                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4147         else if (!strcmp(name, "fscreate"))
4148                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4149         else if (!strcmp(name, "current"))
4150                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4151         else
4152                 error = -EINVAL;
4153         if (error)
4154                 return error;
4155
4156         /* Obtain a SID for the context, if one was specified. */
4157         if (size && str[1] && str[1] != '\n') {
4158                 if (str[size-1] == '\n') {
4159                         str[size-1] = 0;
4160                         size--;
4161                 }
4162                 error = security_context_to_sid(value, size, &sid);
4163                 if (error)
4164                         return error;
4165         }
4166
4167         /* Permission checking based on the specified context is
4168            performed during the actual operation (execve,
4169            open/mkdir/...), when we know the full context of the
4170            operation.  See selinux_bprm_set_security for the execve
4171            checks and may_create for the file creation checks. The
4172            operation will then fail if the context is not permitted. */
4173         tsec = p->security;
4174         if (!strcmp(name, "exec"))
4175                 tsec->exec_sid = sid;
4176         else if (!strcmp(name, "fscreate"))
4177                 tsec->create_sid = sid;
4178         else if (!strcmp(name, "current")) {
4179                 struct av_decision avd;
4180
4181                 if (sid == 0)
4182                         return -EINVAL;
4183
4184                 /* Only allow single threaded processes to change context */
4185                 if (atomic_read(&p->mm->mm_users) != 1) {
4186                         struct task_struct *g, *t;
4187                         struct mm_struct *mm = p->mm;
4188                         read_lock(&tasklist_lock);
4189                         do_each_thread(g, t)
4190                                 if (t->mm == mm && t != p) {
4191                                         read_unlock(&tasklist_lock);
4192                                         return -EPERM;
4193                                 }
4194                         while_each_thread(g, t);
4195                         read_unlock(&tasklist_lock);
4196                 }
4197
4198                 /* Check permissions for the transition. */
4199                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4200                                      PROCESS__DYNTRANSITION, NULL);
4201                 if (error)
4202                         return error;
4203
4204                 /* Check for ptracing, and update the task SID if ok.
4205                    Otherwise, leave SID unchanged and fail. */
4206                 task_lock(p);
4207                 if (p->ptrace & PT_PTRACED) {
4208                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4209                                                      SECCLASS_PROCESS,
4210                                                      PROCESS__PTRACE, &avd);
4211                         if (!error)
4212                                 tsec->sid = sid;
4213                         task_unlock(p);
4214                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4215                                   PROCESS__PTRACE, &avd, error, NULL);
4216                         if (error)
4217                                 return error;
4218                 } else {
4219                         tsec->sid = sid;
4220                         task_unlock(p);
4221                 }
4222         }
4223         else
4224                 return -EINVAL;
4225
4226         return size;
4227 }
4228
4229 static struct security_operations selinux_ops = {
4230         .ptrace =                       selinux_ptrace,
4231         .capget =                       selinux_capget,
4232         .capset_check =                 selinux_capset_check,
4233         .capset_set =                   selinux_capset_set,
4234         .sysctl =                       selinux_sysctl,
4235         .capable =                      selinux_capable,
4236         .quotactl =                     selinux_quotactl,
4237         .quota_on =                     selinux_quota_on,
4238         .syslog =                       selinux_syslog,
4239         .vm_enough_memory =             selinux_vm_enough_memory,
4240
4241         .netlink_send =                 selinux_netlink_send,
4242         .netlink_recv =                 selinux_netlink_recv,
4243
4244         .bprm_alloc_security =          selinux_bprm_alloc_security,
4245         .bprm_free_security =           selinux_bprm_free_security,
4246         .bprm_apply_creds =             selinux_bprm_apply_creds,
4247         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4248         .bprm_set_security =            selinux_bprm_set_security,
4249         .bprm_check_security =          selinux_bprm_check_security,
4250         .bprm_secureexec =              selinux_bprm_secureexec,
4251
4252         .sb_alloc_security =            selinux_sb_alloc_security,
4253         .sb_free_security =             selinux_sb_free_security,
4254         .sb_copy_data =                 selinux_sb_copy_data,
4255         .sb_kern_mount =                selinux_sb_kern_mount,
4256         .sb_statfs =                    selinux_sb_statfs,
4257         .sb_mount =                     selinux_mount,
4258         .sb_umount =                    selinux_umount,
4259
4260         .inode_alloc_security =         selinux_inode_alloc_security,
4261         .inode_free_security =          selinux_inode_free_security,
4262         .inode_init_security =          selinux_inode_init_security,
4263         .inode_create =                 selinux_inode_create,
4264         .inode_link =                   selinux_inode_link,
4265         .inode_unlink =                 selinux_inode_unlink,
4266         .inode_symlink =                selinux_inode_symlink,
4267         .inode_mkdir =                  selinux_inode_mkdir,
4268         .inode_rmdir =                  selinux_inode_rmdir,
4269         .inode_mknod =                  selinux_inode_mknod,
4270         .inode_rename =                 selinux_inode_rename,
4271         .inode_readlink =               selinux_inode_readlink,
4272         .inode_follow_link =            selinux_inode_follow_link,
4273         .inode_permission =             selinux_inode_permission,
4274         .inode_setattr =                selinux_inode_setattr,
4275         .inode_getattr =                selinux_inode_getattr,
4276         .inode_setxattr =               selinux_inode_setxattr,
4277         .inode_post_setxattr =          selinux_inode_post_setxattr,
4278         .inode_getxattr =               selinux_inode_getxattr,
4279         .inode_listxattr =              selinux_inode_listxattr,
4280         .inode_removexattr =            selinux_inode_removexattr,
4281         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4282         .inode_getsecurity =            selinux_inode_getsecurity,
4283         .inode_setsecurity =            selinux_inode_setsecurity,
4284         .inode_listsecurity =           selinux_inode_listsecurity,
4285
4286         .file_permission =              selinux_file_permission,
4287         .file_alloc_security =          selinux_file_alloc_security,
4288         .file_free_security =           selinux_file_free_security,
4289         .file_ioctl =                   selinux_file_ioctl,
4290         .file_mmap =                    selinux_file_mmap,
4291         .file_mprotect =                selinux_file_mprotect,
4292         .file_lock =                    selinux_file_lock,
4293         .file_fcntl =                   selinux_file_fcntl,
4294         .file_set_fowner =              selinux_file_set_fowner,
4295         .file_send_sigiotask =          selinux_file_send_sigiotask,
4296         .file_receive =                 selinux_file_receive,
4297
4298         .task_create =                  selinux_task_create,
4299         .task_alloc_security =          selinux_task_alloc_security,
4300         .task_free_security =           selinux_task_free_security,
4301         .task_setuid =                  selinux_task_setuid,
4302         .task_post_setuid =             selinux_task_post_setuid,
4303         .task_setgid =                  selinux_task_setgid,
4304         .task_setpgid =                 selinux_task_setpgid,
4305         .task_getpgid =                 selinux_task_getpgid,
4306         .task_getsid =                  selinux_task_getsid,
4307         .task_setgroups =               selinux_task_setgroups,
4308         .task_setnice =                 selinux_task_setnice,
4309         .task_setrlimit =               selinux_task_setrlimit,
4310         .task_setscheduler =            selinux_task_setscheduler,
4311         .task_getscheduler =            selinux_task_getscheduler,
4312         .task_kill =                    selinux_task_kill,
4313         .task_wait =                    selinux_task_wait,
4314         .task_prctl =                   selinux_task_prctl,
4315         .task_reparent_to_init =        selinux_task_reparent_to_init,
4316         .task_to_inode =                selinux_task_to_inode,
4317
4318         .ipc_permission =               selinux_ipc_permission,
4319
4320         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4321         .msg_msg_free_security =        selinux_msg_msg_free_security,
4322
4323         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4324         .msg_queue_free_security =      selinux_msg_queue_free_security,
4325         .msg_queue_associate =          selinux_msg_queue_associate,
4326         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4327         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4328         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4329
4330         .shm_alloc_security =           selinux_shm_alloc_security,
4331         .shm_free_security =            selinux_shm_free_security,
4332         .shm_associate =                selinux_shm_associate,
4333         .shm_shmctl =                   selinux_shm_shmctl,
4334         .shm_shmat =                    selinux_shm_shmat,
4335
4336         .sem_alloc_security =           selinux_sem_alloc_security,
4337         .sem_free_security =            selinux_sem_free_security,
4338         .sem_associate =                selinux_sem_associate,
4339         .sem_semctl =                   selinux_sem_semctl,
4340         .sem_semop =                    selinux_sem_semop,
4341
4342         .register_security =            selinux_register_security,
4343         .unregister_security =          selinux_unregister_security,
4344
4345         .d_instantiate =                selinux_d_instantiate,
4346
4347         .getprocattr =                  selinux_getprocattr,
4348         .setprocattr =                  selinux_setprocattr,
4349
4350         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4351         .unix_may_send =                selinux_socket_unix_may_send,
4352
4353         .socket_create =                selinux_socket_create,
4354         .socket_post_create =           selinux_socket_post_create,
4355         .socket_bind =                  selinux_socket_bind,
4356         .socket_connect =               selinux_socket_connect,
4357         .socket_listen =                selinux_socket_listen,
4358         .socket_accept =                selinux_socket_accept,
4359         .socket_sendmsg =               selinux_socket_sendmsg,
4360         .socket_recvmsg =               selinux_socket_recvmsg,
4361         .socket_getsockname =           selinux_socket_getsockname,
4362         .socket_getpeername =           selinux_socket_getpeername,
4363         .socket_getsockopt =            selinux_socket_getsockopt,
4364         .socket_setsockopt =            selinux_socket_setsockopt,
4365         .socket_shutdown =              selinux_socket_shutdown,
4366         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4367         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4368         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4369         .sk_alloc_security =            selinux_sk_alloc_security,
4370         .sk_free_security =             selinux_sk_free_security,
4371         .sk_getsid =                    selinux_sk_getsid_security,
4372
4373 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4374         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4375         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4376         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4377         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4378         .xfrm_state_free_security =     selinux_xfrm_state_free,
4379         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4380 #endif
4381 };
4382
4383 static __init int selinux_init(void)
4384 {
4385         struct task_security_struct *tsec;
4386
4387         if (!selinux_enabled) {
4388                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4389                 return 0;
4390         }
4391
4392         printk(KERN_INFO "SELinux:  Initializing.\n");
4393
4394         /* Set the security state for the initial task. */
4395         if (task_alloc_security(current))
4396                 panic("SELinux:  Failed to initialize initial task.\n");
4397         tsec = current->security;
4398         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4399
4400         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4401                                             sizeof(struct inode_security_struct),
4402                                             0, SLAB_PANIC, NULL, NULL);
4403         avc_init();
4404
4405         original_ops = secondary_ops = security_ops;
4406         if (!secondary_ops)
4407                 panic ("SELinux: No initial security operations\n");
4408         if (register_security (&selinux_ops))
4409                 panic("SELinux: Unable to register with kernel.\n");
4410
4411         if (selinux_enforcing) {
4412                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4413         } else {
4414                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4415         }
4416         return 0;
4417 }
4418
4419 void selinux_complete_init(void)
4420 {
4421         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4422
4423         /* Set up any superblocks initialized prior to the policy load. */
4424         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4425         spin_lock(&sb_lock);
4426         spin_lock(&sb_security_lock);
4427 next_sb:
4428         if (!list_empty(&superblock_security_head)) {
4429                 struct superblock_security_struct *sbsec =
4430                                 list_entry(superblock_security_head.next,
4431                                            struct superblock_security_struct,
4432                                            list);
4433                 struct super_block *sb = sbsec->sb;
4434                 sb->s_count++;
4435                 spin_unlock(&sb_security_lock);
4436                 spin_unlock(&sb_lock);
4437                 down_read(&sb->s_umount);
4438                 if (sb->s_root)
4439                         superblock_doinit(sb, NULL);
4440                 drop_super(sb);
4441                 spin_lock(&sb_lock);
4442                 spin_lock(&sb_security_lock);
4443                 list_del_init(&sbsec->list);
4444                 goto next_sb;
4445         }
4446         spin_unlock(&sb_security_lock);
4447         spin_unlock(&sb_lock);
4448 }
4449
4450 /* SELinux requires early initialization in order to label
4451    all processes and objects when they are created. */
4452 security_initcall(selinux_init);
4453
4454 #if defined(CONFIG_NETFILTER)
4455
4456 static struct nf_hook_ops selinux_ipv4_op = {
4457         .hook =         selinux_ipv4_postroute_last,
4458         .owner =        THIS_MODULE,
4459         .pf =           PF_INET,
4460         .hooknum =      NF_IP_POST_ROUTING,
4461         .priority =     NF_IP_PRI_SELINUX_LAST,
4462 };
4463
4464 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4465
4466 static struct nf_hook_ops selinux_ipv6_op = {
4467         .hook =         selinux_ipv6_postroute_last,
4468         .owner =        THIS_MODULE,
4469         .pf =           PF_INET6,
4470         .hooknum =      NF_IP6_POST_ROUTING,
4471         .priority =     NF_IP6_PRI_SELINUX_LAST,
4472 };
4473
4474 #endif  /* IPV6 */
4475
4476 static int __init selinux_nf_ip_init(void)
4477 {
4478         int err = 0;
4479
4480         if (!selinux_enabled)
4481                 goto out;
4482                 
4483         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4484         
4485         err = nf_register_hook(&selinux_ipv4_op);
4486         if (err)
4487                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4488
4489 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4490
4491         err = nf_register_hook(&selinux_ipv6_op);
4492         if (err)
4493                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4494
4495 #endif  /* IPV6 */
4496
4497 out:
4498         return err;
4499 }
4500
4501 __initcall(selinux_nf_ip_init);
4502
4503 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4504 static void selinux_nf_ip_exit(void)
4505 {
4506         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4507
4508         nf_unregister_hook(&selinux_ipv4_op);
4509 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4510         nf_unregister_hook(&selinux_ipv6_op);
4511 #endif  /* IPV6 */
4512 }
4513 #endif
4514
4515 #else /* CONFIG_NETFILTER */
4516
4517 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4518 #define selinux_nf_ip_exit()
4519 #endif
4520
4521 #endif /* CONFIG_NETFILTER */
4522
4523 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4524 int selinux_disable(void)
4525 {
4526         extern void exit_sel_fs(void);
4527         static int selinux_disabled = 0;
4528
4529         if (ss_initialized) {
4530                 /* Not permitted after initial policy load. */
4531                 return -EINVAL;
4532         }
4533
4534         if (selinux_disabled) {
4535                 /* Only do this once. */
4536                 return -EINVAL;
4537         }
4538
4539         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4540
4541         selinux_disabled = 1;
4542         selinux_enabled = 0;
4543
4544         /* Reset security_ops to the secondary module, dummy or capability. */
4545         security_ops = secondary_ops;
4546
4547         /* Unregister netfilter hooks. */
4548         selinux_nf_ip_exit();
4549
4550         /* Unregister selinuxfs. */
4551         exit_sel_fs();
4552
4553         return 0;
4554 }
4555 #endif
4556
4557