SELinux: Enable dynamic enable/disable of the network access checks
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16  *                     Paul Moore, <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
85
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
88
89 #define NUM_SEL_MNT_OPTS 4
90
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
95
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
98
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
101
102 static int __init enforcing_setup(char *str)
103 {
104         selinux_enforcing = simple_strtol(str,NULL,0);
105         return 1;
106 }
107 __setup("enforcing=", enforcing_setup);
108 #endif
109
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
112
113 static int __init selinux_enabled_setup(char *str)
114 {
115         selinux_enabled = simple_strtol(str, NULL, 0);
116         return 1;
117 }
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
122
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
125
126 /* Minimal support for a secondary security module,
127    just to allow the use of the dummy or capability modules.
128    The owlsm module can alternatively be used as a secondary
129    module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
131
132 /* Lists of inode and superblock security structures initialized
133    before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
136
137 static struct kmem_cache *sel_inode_cache;
138
139 /* Return security context for a given sid or just the context 
140    length if the buffer is null or length is 0 */
141 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
142 {
143         char *context;
144         unsigned len;
145         int rc;
146
147         rc = security_sid_to_context(sid, &context, &len);
148         if (rc)
149                 return rc;
150
151         if (!buffer || !size)
152                 goto getsecurity_exit;
153
154         if (size < len) {
155                 len = -ERANGE;
156                 goto getsecurity_exit;
157         }
158         memcpy(buffer, context, len);
159
160 getsecurity_exit:
161         kfree(context);
162         return len;
163 }
164
165 /**
166  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
167  *
168  * Description:
169  * This function checks the SECMARK reference counter to see if any SECMARK
170  * targets are currently configured, if the reference counter is greater than
171  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
172  * enabled, false (0) if SECMARK is disabled.
173  *
174  */
175 static int selinux_secmark_enabled(void)
176 {
177         return (atomic_read(&selinux_secmark_refcount) > 0);
178 }
179
180 /* Allocate and free functions for each kind of security blob. */
181
182 static int task_alloc_security(struct task_struct *task)
183 {
184         struct task_security_struct *tsec;
185
186         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
187         if (!tsec)
188                 return -ENOMEM;
189
190         tsec->task = task;
191         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
192         task->security = tsec;
193
194         return 0;
195 }
196
197 static void task_free_security(struct task_struct *task)
198 {
199         struct task_security_struct *tsec = task->security;
200         task->security = NULL;
201         kfree(tsec);
202 }
203
204 static int inode_alloc_security(struct inode *inode)
205 {
206         struct task_security_struct *tsec = current->security;
207         struct inode_security_struct *isec;
208
209         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
210         if (!isec)
211                 return -ENOMEM;
212
213         mutex_init(&isec->lock);
214         INIT_LIST_HEAD(&isec->list);
215         isec->inode = inode;
216         isec->sid = SECINITSID_UNLABELED;
217         isec->sclass = SECCLASS_FILE;
218         isec->task_sid = tsec->sid;
219         inode->i_security = isec;
220
221         return 0;
222 }
223
224 static void inode_free_security(struct inode *inode)
225 {
226         struct inode_security_struct *isec = inode->i_security;
227         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
228
229         spin_lock(&sbsec->isec_lock);
230         if (!list_empty(&isec->list))
231                 list_del_init(&isec->list);
232         spin_unlock(&sbsec->isec_lock);
233
234         inode->i_security = NULL;
235         kmem_cache_free(sel_inode_cache, isec);
236 }
237
238 static int file_alloc_security(struct file *file)
239 {
240         struct task_security_struct *tsec = current->security;
241         struct file_security_struct *fsec;
242
243         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
244         if (!fsec)
245                 return -ENOMEM;
246
247         fsec->file = file;
248         fsec->sid = tsec->sid;
249         fsec->fown_sid = tsec->sid;
250         file->f_security = fsec;
251
252         return 0;
253 }
254
255 static void file_free_security(struct file *file)
256 {
257         struct file_security_struct *fsec = file->f_security;
258         file->f_security = NULL;
259         kfree(fsec);
260 }
261
262 static int superblock_alloc_security(struct super_block *sb)
263 {
264         struct superblock_security_struct *sbsec;
265
266         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
267         if (!sbsec)
268                 return -ENOMEM;
269
270         mutex_init(&sbsec->lock);
271         INIT_LIST_HEAD(&sbsec->list);
272         INIT_LIST_HEAD(&sbsec->isec_head);
273         spin_lock_init(&sbsec->isec_lock);
274         sbsec->sb = sb;
275         sbsec->sid = SECINITSID_UNLABELED;
276         sbsec->def_sid = SECINITSID_FILE;
277         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
278         sb->s_security = sbsec;
279
280         return 0;
281 }
282
283 static void superblock_free_security(struct super_block *sb)
284 {
285         struct superblock_security_struct *sbsec = sb->s_security;
286
287         spin_lock(&sb_security_lock);
288         if (!list_empty(&sbsec->list))
289                 list_del_init(&sbsec->list);
290         spin_unlock(&sb_security_lock);
291
292         sb->s_security = NULL;
293         kfree(sbsec);
294 }
295
296 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
297 {
298         struct sk_security_struct *ssec;
299
300         ssec = kzalloc(sizeof(*ssec), priority);
301         if (!ssec)
302                 return -ENOMEM;
303
304         ssec->sk = sk;
305         ssec->peer_sid = SECINITSID_UNLABELED;
306         ssec->sid = SECINITSID_UNLABELED;
307         sk->sk_security = ssec;
308
309         selinux_netlbl_sk_security_init(ssec, family);
310
311         return 0;
312 }
313
314 static void sk_free_security(struct sock *sk)
315 {
316         struct sk_security_struct *ssec = sk->sk_security;
317
318         sk->sk_security = NULL;
319         kfree(ssec);
320 }
321
322 /* The security server must be initialized before
323    any labeling or access decisions can be provided. */
324 extern int ss_initialized;
325
326 /* The file system's label must be initialized prior to use. */
327
328 static char *labeling_behaviors[6] = {
329         "uses xattr",
330         "uses transition SIDs",
331         "uses task SIDs",
332         "uses genfs_contexts",
333         "not configured for labeling",
334         "uses mountpoint labeling",
335 };
336
337 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
338
339 static inline int inode_doinit(struct inode *inode)
340 {
341         return inode_doinit_with_dentry(inode, NULL);
342 }
343
344 enum {
345         Opt_error = -1,
346         Opt_context = 1,
347         Opt_fscontext = 2,
348         Opt_defcontext = 3,
349         Opt_rootcontext = 4,
350 };
351
352 static match_table_t tokens = {
353         {Opt_context, "context=%s"},
354         {Opt_fscontext, "fscontext=%s"},
355         {Opt_defcontext, "defcontext=%s"},
356         {Opt_rootcontext, "rootcontext=%s"},
357         {Opt_error, NULL},
358 };
359
360 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
361
362 static int may_context_mount_sb_relabel(u32 sid,
363                         struct superblock_security_struct *sbsec,
364                         struct task_security_struct *tsec)
365 {
366         int rc;
367
368         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
369                           FILESYSTEM__RELABELFROM, NULL);
370         if (rc)
371                 return rc;
372
373         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
374                           FILESYSTEM__RELABELTO, NULL);
375         return rc;
376 }
377
378 static int may_context_mount_inode_relabel(u32 sid,
379                         struct superblock_security_struct *sbsec,
380                         struct task_security_struct *tsec)
381 {
382         int rc;
383         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
384                           FILESYSTEM__RELABELFROM, NULL);
385         if (rc)
386                 return rc;
387
388         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
389                           FILESYSTEM__ASSOCIATE, NULL);
390         return rc;
391 }
392
393 static int sb_finish_set_opts(struct super_block *sb)
394 {
395         struct superblock_security_struct *sbsec = sb->s_security;
396         struct dentry *root = sb->s_root;
397         struct inode *root_inode = root->d_inode;
398         int rc = 0;
399
400         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
401                 /* Make sure that the xattr handler exists and that no
402                    error other than -ENODATA is returned by getxattr on
403                    the root directory.  -ENODATA is ok, as this may be
404                    the first boot of the SELinux kernel before we have
405                    assigned xattr values to the filesystem. */
406                 if (!root_inode->i_op->getxattr) {
407                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
408                                "xattr support\n", sb->s_id, sb->s_type->name);
409                         rc = -EOPNOTSUPP;
410                         goto out;
411                 }
412                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
413                 if (rc < 0 && rc != -ENODATA) {
414                         if (rc == -EOPNOTSUPP)
415                                 printk(KERN_WARNING "SELinux: (dev %s, type "
416                                        "%s) has no security xattr handler\n",
417                                        sb->s_id, sb->s_type->name);
418                         else
419                                 printk(KERN_WARNING "SELinux: (dev %s, type "
420                                        "%s) getxattr errno %d\n", sb->s_id,
421                                        sb->s_type->name, -rc);
422                         goto out;
423                 }
424         }
425
426         sbsec->initialized = 1;
427
428         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
429                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
430                        sb->s_id, sb->s_type->name);
431         else
432                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
433                        sb->s_id, sb->s_type->name,
434                        labeling_behaviors[sbsec->behavior-1]);
435
436         /* Initialize the root inode. */
437         rc = inode_doinit_with_dentry(root_inode, root);
438
439         /* Initialize any other inodes associated with the superblock, e.g.
440            inodes created prior to initial policy load or inodes created
441            during get_sb by a pseudo filesystem that directly
442            populates itself. */
443         spin_lock(&sbsec->isec_lock);
444 next_inode:
445         if (!list_empty(&sbsec->isec_head)) {
446                 struct inode_security_struct *isec =
447                                 list_entry(sbsec->isec_head.next,
448                                            struct inode_security_struct, list);
449                 struct inode *inode = isec->inode;
450                 spin_unlock(&sbsec->isec_lock);
451                 inode = igrab(inode);
452                 if (inode) {
453                         if (!IS_PRIVATE(inode))
454                                 inode_doinit(inode);
455                         iput(inode);
456                 }
457                 spin_lock(&sbsec->isec_lock);
458                 list_del_init(&isec->list);
459                 goto next_inode;
460         }
461         spin_unlock(&sbsec->isec_lock);
462 out:
463         return rc;
464 }
465
466 /*
467  * This function should allow an FS to ask what it's mount security
468  * options were so it can use those later for submounts, displaying
469  * mount options, or whatever.
470  */
471 static int selinux_get_mnt_opts(const struct super_block *sb,
472                                 char ***mount_options, int **mnt_opts_flags,
473                                 int *num_opts)
474 {
475         int rc = 0, i;
476         struct superblock_security_struct *sbsec = sb->s_security;
477         char *context = NULL;
478         u32 len;
479         char tmp;
480
481         *num_opts = 0;
482         *mount_options = NULL;
483         *mnt_opts_flags = NULL;
484
485         if (!sbsec->initialized)
486                 return -EINVAL;
487
488         if (!ss_initialized)
489                 return -EINVAL;
490
491         /*
492          * if we ever use sbsec flags for anything other than tracking mount
493          * settings this is going to need a mask
494          */
495         tmp = sbsec->flags;
496         /* count the number of mount options for this sb */
497         for (i = 0; i < 8; i++) {
498                 if (tmp & 0x01)
499                         (*num_opts)++;
500                 tmp >>= 1;
501         }
502
503         *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
504         if (!*mount_options) {
505                 rc = -ENOMEM;
506                 goto out_free;
507         }
508
509         *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
510         if (!*mnt_opts_flags) {
511                 rc = -ENOMEM;
512                 goto out_free;
513         }
514
515         i = 0;
516         if (sbsec->flags & FSCONTEXT_MNT) {
517                 rc = security_sid_to_context(sbsec->sid, &context, &len);
518                 if (rc)
519                         goto out_free;
520                 (*mount_options)[i] = context;
521                 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
522         }
523         if (sbsec->flags & CONTEXT_MNT) {
524                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
525                 if (rc)
526                         goto out_free;
527                 (*mount_options)[i] = context;
528                 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
529         }
530         if (sbsec->flags & DEFCONTEXT_MNT) {
531                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
532                 if (rc)
533                         goto out_free;
534                 (*mount_options)[i] = context;
535                 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
536         }
537         if (sbsec->flags & ROOTCONTEXT_MNT) {
538                 struct inode *root = sbsec->sb->s_root->d_inode;
539                 struct inode_security_struct *isec = root->i_security;
540
541                 rc = security_sid_to_context(isec->sid, &context, &len);
542                 if (rc)
543                         goto out_free;
544                 (*mount_options)[i] = context;
545                 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
546         }
547
548         BUG_ON(i != *num_opts);
549
550         return 0;
551
552 out_free:
553         /* don't leak context string if security_sid_to_context had an error */
554         if (*mount_options && i)
555                 for (; i > 0; i--)
556                         kfree((*mount_options)[i-1]);
557         kfree(*mount_options);
558         *mount_options = NULL;
559         kfree(*mnt_opts_flags);
560         *mnt_opts_flags = NULL;
561         *num_opts = 0;
562         return rc;
563 }
564
565 static int bad_option(struct superblock_security_struct *sbsec, char flag,
566                       u32 old_sid, u32 new_sid)
567 {
568         /* check if the old mount command had the same options */
569         if (sbsec->initialized)
570                 if (!(sbsec->flags & flag) ||
571                     (old_sid != new_sid))
572                         return 1;
573
574         /* check if we were passed the same options twice,
575          * aka someone passed context=a,context=b
576          */
577         if (!sbsec->initialized)
578                 if (sbsec->flags & flag)
579                         return 1;
580         return 0;
581 }
582 /*
583  * Allow filesystems with binary mount data to explicitly set mount point
584  * labeling information.
585  */
586 int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
587                                  int *flags, int num_opts)
588 {
589         int rc = 0, i;
590         struct task_security_struct *tsec = current->security;
591         struct superblock_security_struct *sbsec = sb->s_security;
592         const char *name = sb->s_type->name;
593         struct inode *inode = sbsec->sb->s_root->d_inode;
594         struct inode_security_struct *root_isec = inode->i_security;
595         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
596         u32 defcontext_sid = 0;
597
598         mutex_lock(&sbsec->lock);
599
600         if (!ss_initialized) {
601                 if (!num_opts) {
602                         /* Defer initialization until selinux_complete_init,
603                            after the initial policy is loaded and the security
604                            server is ready to handle calls. */
605                         spin_lock(&sb_security_lock);
606                         if (list_empty(&sbsec->list))
607                                 list_add(&sbsec->list, &superblock_security_head);
608                         spin_unlock(&sb_security_lock);
609                         goto out;
610                 }
611                 rc = -EINVAL;
612                 printk(KERN_WARNING "Unable to set superblock options before "
613                        "the security server is initialized\n");
614                 goto out;
615         }
616
617         /*
618          * parse the mount options, check if they are valid sids.
619          * also check if someone is trying to mount the same sb more
620          * than once with different security options.
621          */
622         for (i = 0; i < num_opts; i++) {
623                 u32 sid;
624                 rc = security_context_to_sid(mount_options[i],
625                                              strlen(mount_options[i]), &sid);
626                 if (rc) {
627                         printk(KERN_WARNING "SELinux: security_context_to_sid"
628                                "(%s) failed for (dev %s, type %s) errno=%d\n",
629                                mount_options[i], sb->s_id, name, rc);
630                         goto out;
631                 }
632                 switch (flags[i]) {
633                 case FSCONTEXT_MNT:
634                         fscontext_sid = sid;
635
636                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
637                                         fscontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= FSCONTEXT_MNT;
641                         break;
642                 case CONTEXT_MNT:
643                         context_sid = sid;
644
645                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
646                                         context_sid))
647                                 goto out_double_mount;
648
649                         sbsec->flags |= CONTEXT_MNT;
650                         break;
651                 case ROOTCONTEXT_MNT:
652                         rootcontext_sid = sid;
653
654                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
655                                         rootcontext_sid))
656                                 goto out_double_mount;
657
658                         sbsec->flags |= ROOTCONTEXT_MNT;
659
660                         break;
661                 case DEFCONTEXT_MNT:
662                         defcontext_sid = sid;
663
664                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
665                                         defcontext_sid))
666                                 goto out_double_mount;
667
668                         sbsec->flags |= DEFCONTEXT_MNT;
669
670                         break;
671                 default:
672                         rc = -EINVAL;
673                         goto out;
674                 }
675         }
676
677         if (sbsec->initialized) {
678                 /* previously mounted with options, but not on this attempt? */
679                 if (sbsec->flags && !num_opts)
680                         goto out_double_mount;
681                 rc = 0;
682                 goto out;
683         }
684
685         if (strcmp(sb->s_type->name, "proc") == 0)
686                 sbsec->proc = 1;
687
688         /* Determine the labeling behavior to use for this filesystem type. */
689         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
690         if (rc) {
691                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
692                        __FUNCTION__, sb->s_type->name, rc);
693                 goto out;
694         }
695
696         /* sets the context of the superblock for the fs being mounted. */
697         if (fscontext_sid) {
698
699                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
700                 if (rc)
701                         goto out;
702
703                 sbsec->sid = fscontext_sid;
704         }
705
706         /*
707          * Switch to using mount point labeling behavior.
708          * sets the label used on all file below the mountpoint, and will set
709          * the superblock context if not already set.
710          */
711         if (context_sid) {
712                 if (!fscontext_sid) {
713                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
714                         if (rc)
715                                 goto out;
716                         sbsec->sid = context_sid;
717                 } else {
718                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
719                         if (rc)
720                                 goto out;
721                 }
722                 if (!rootcontext_sid)
723                         rootcontext_sid = context_sid;
724
725                 sbsec->mntpoint_sid = context_sid;
726                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
727         }
728
729         if (rootcontext_sid) {
730                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
731                 if (rc)
732                         goto out;
733
734                 root_isec->sid = rootcontext_sid;
735                 root_isec->initialized = 1;
736         }
737
738         if (defcontext_sid) {
739                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
740                         rc = -EINVAL;
741                         printk(KERN_WARNING "SELinux: defcontext option is "
742                                "invalid for this filesystem type\n");
743                         goto out;
744                 }
745
746                 if (defcontext_sid != sbsec->def_sid) {
747                         rc = may_context_mount_inode_relabel(defcontext_sid,
748                                                              sbsec, tsec);
749                         if (rc)
750                                 goto out;
751                 }
752
753                 sbsec->def_sid = defcontext_sid;
754         }
755
756         rc = sb_finish_set_opts(sb);
757 out:
758         mutex_unlock(&sbsec->lock);
759         return rc;
760 out_double_mount:
761         rc = -EINVAL;
762         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
763                "security settings for (dev %s, type %s)\n", sb->s_id, name);
764         goto out;
765 }
766
767 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
768                                         struct super_block *newsb)
769 {
770         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
771         struct superblock_security_struct *newsbsec = newsb->s_security;
772
773         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
774         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
775         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
776
777         /* we can't error, we can't save the info, this shouldn't get called
778          * this early in the boot process. */
779         BUG_ON(!ss_initialized);
780
781         /* this might go away sometime down the line if there is a new user
782          * of clone, but for now, nfs better not get here... */
783         BUG_ON(newsbsec->initialized);
784
785         /* how can we clone if the old one wasn't set up?? */
786         BUG_ON(!oldsbsec->initialized);
787
788         mutex_lock(&newsbsec->lock);
789
790         newsbsec->flags = oldsbsec->flags;
791
792         newsbsec->sid = oldsbsec->sid;
793         newsbsec->def_sid = oldsbsec->def_sid;
794         newsbsec->behavior = oldsbsec->behavior;
795
796         if (set_context) {
797                 u32 sid = oldsbsec->mntpoint_sid;
798
799                 if (!set_fscontext)
800                         newsbsec->sid = sid;
801                 if (!set_rootcontext) {
802                         struct inode *newinode = newsb->s_root->d_inode;
803                         struct inode_security_struct *newisec = newinode->i_security;
804                         newisec->sid = sid;
805                 }
806                 newsbsec->mntpoint_sid = sid;
807         }
808         if (set_rootcontext) {
809                 const struct inode *oldinode = oldsb->s_root->d_inode;
810                 const struct inode_security_struct *oldisec = oldinode->i_security;
811                 struct inode *newinode = newsb->s_root->d_inode;
812                 struct inode_security_struct *newisec = newinode->i_security;
813
814                 newisec->sid = oldisec->sid;
815         }
816
817         sb_finish_set_opts(newsb);
818         mutex_unlock(&newsbsec->lock);
819 }
820
821 /*
822  * string mount options parsing and call set the sbsec
823  */
824 static int superblock_doinit(struct super_block *sb, void *data)
825 {
826         char *context = NULL, *defcontext = NULL;
827         char *fscontext = NULL, *rootcontext = NULL;
828         int rc = 0;
829         char *p, *options = data;
830         /* selinux only know about a fixed number of mount options */
831         char *mnt_opts[NUM_SEL_MNT_OPTS];
832         int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
833
834         if (!data)
835                 goto out;
836
837         /* with the nfs patch this will become a goto out; */
838         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
839                 const char *name = sb->s_type->name;
840                 /* NFS we understand. */
841                 if (!strcmp(name, "nfs")) {
842                         struct nfs_mount_data *d = data;
843
844                         if (d->version !=  NFS_MOUNT_VERSION)
845                                 goto out;
846
847                         if (d->context[0]) {
848                                 context = kstrdup(d->context, GFP_KERNEL);
849                                 if (!context) {
850                                         rc = -ENOMEM;
851                                         goto out;
852                                 }
853                         }
854                         goto build_flags;
855                 } else
856                         goto out;
857         }
858
859         /* Standard string-based options. */
860         while ((p = strsep(&options, "|")) != NULL) {
861                 int token;
862                 substring_t args[MAX_OPT_ARGS];
863
864                 if (!*p)
865                         continue;
866
867                 token = match_token(p, tokens, args);
868
869                 switch (token) {
870                 case Opt_context:
871                         if (context || defcontext) {
872                                 rc = -EINVAL;
873                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
874                                 goto out_err;
875                         }
876                         context = match_strdup(&args[0]);
877                         if (!context) {
878                                 rc = -ENOMEM;
879                                 goto out_err;
880                         }
881                         break;
882
883                 case Opt_fscontext:
884                         if (fscontext) {
885                                 rc = -EINVAL;
886                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
887                                 goto out_err;
888                         }
889                         fscontext = match_strdup(&args[0]);
890                         if (!fscontext) {
891                                 rc = -ENOMEM;
892                                 goto out_err;
893                         }
894                         break;
895
896                 case Opt_rootcontext:
897                         if (rootcontext) {
898                                 rc = -EINVAL;
899                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
900                                 goto out_err;
901                         }
902                         rootcontext = match_strdup(&args[0]);
903                         if (!rootcontext) {
904                                 rc = -ENOMEM;
905                                 goto out_err;
906                         }
907                         break;
908
909                 case Opt_defcontext:
910                         if (context || defcontext) {
911                                 rc = -EINVAL;
912                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
913                                 goto out_err;
914                         }
915                         defcontext = match_strdup(&args[0]);
916                         if (!defcontext) {
917                                 rc = -ENOMEM;
918                                 goto out_err;
919                         }
920                         break;
921
922                 default:
923                         rc = -EINVAL;
924                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
925                         goto out_err;
926
927                 }
928         }
929
930 build_flags:
931         if (fscontext) {
932                 mnt_opts[num_mnt_opts] = fscontext;
933                 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
934         }
935         if (context) {
936                 mnt_opts[num_mnt_opts] = context;
937                 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
938         }
939         if (rootcontext) {
940                 mnt_opts[num_mnt_opts] = rootcontext;
941                 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
942         }
943         if (defcontext) {
944                 mnt_opts[num_mnt_opts] = defcontext;
945                 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
946         }
947
948 out:
949         rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
950 out_err:
951         kfree(context);
952         kfree(defcontext);
953         kfree(fscontext);
954         kfree(rootcontext);
955         return rc;
956 }
957
958 static inline u16 inode_mode_to_security_class(umode_t mode)
959 {
960         switch (mode & S_IFMT) {
961         case S_IFSOCK:
962                 return SECCLASS_SOCK_FILE;
963         case S_IFLNK:
964                 return SECCLASS_LNK_FILE;
965         case S_IFREG:
966                 return SECCLASS_FILE;
967         case S_IFBLK:
968                 return SECCLASS_BLK_FILE;
969         case S_IFDIR:
970                 return SECCLASS_DIR;
971         case S_IFCHR:
972                 return SECCLASS_CHR_FILE;
973         case S_IFIFO:
974                 return SECCLASS_FIFO_FILE;
975
976         }
977
978         return SECCLASS_FILE;
979 }
980
981 static inline int default_protocol_stream(int protocol)
982 {
983         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
984 }
985
986 static inline int default_protocol_dgram(int protocol)
987 {
988         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
989 }
990
991 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
992 {
993         switch (family) {
994         case PF_UNIX:
995                 switch (type) {
996                 case SOCK_STREAM:
997                 case SOCK_SEQPACKET:
998                         return SECCLASS_UNIX_STREAM_SOCKET;
999                 case SOCK_DGRAM:
1000                         return SECCLASS_UNIX_DGRAM_SOCKET;
1001                 }
1002                 break;
1003         case PF_INET:
1004         case PF_INET6:
1005                 switch (type) {
1006                 case SOCK_STREAM:
1007                         if (default_protocol_stream(protocol))
1008                                 return SECCLASS_TCP_SOCKET;
1009                         else
1010                                 return SECCLASS_RAWIP_SOCKET;
1011                 case SOCK_DGRAM:
1012                         if (default_protocol_dgram(protocol))
1013                                 return SECCLASS_UDP_SOCKET;
1014                         else
1015                                 return SECCLASS_RAWIP_SOCKET;
1016                 case SOCK_DCCP:
1017                         return SECCLASS_DCCP_SOCKET;
1018                 default:
1019                         return SECCLASS_RAWIP_SOCKET;
1020                 }
1021                 break;
1022         case PF_NETLINK:
1023                 switch (protocol) {
1024                 case NETLINK_ROUTE:
1025                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1026                 case NETLINK_FIREWALL:
1027                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1028                 case NETLINK_INET_DIAG:
1029                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1030                 case NETLINK_NFLOG:
1031                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1032                 case NETLINK_XFRM:
1033                         return SECCLASS_NETLINK_XFRM_SOCKET;
1034                 case NETLINK_SELINUX:
1035                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1036                 case NETLINK_AUDIT:
1037                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1038                 case NETLINK_IP6_FW:
1039                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1040                 case NETLINK_DNRTMSG:
1041                         return SECCLASS_NETLINK_DNRT_SOCKET;
1042                 case NETLINK_KOBJECT_UEVENT:
1043                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1044                 default:
1045                         return SECCLASS_NETLINK_SOCKET;
1046                 }
1047         case PF_PACKET:
1048                 return SECCLASS_PACKET_SOCKET;
1049         case PF_KEY:
1050                 return SECCLASS_KEY_SOCKET;
1051         case PF_APPLETALK:
1052                 return SECCLASS_APPLETALK_SOCKET;
1053         }
1054
1055         return SECCLASS_SOCKET;
1056 }
1057
1058 #ifdef CONFIG_PROC_FS
1059 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1060                                 u16 tclass,
1061                                 u32 *sid)
1062 {
1063         int buflen, rc;
1064         char *buffer, *path, *end;
1065
1066         buffer = (char*)__get_free_page(GFP_KERNEL);
1067         if (!buffer)
1068                 return -ENOMEM;
1069
1070         buflen = PAGE_SIZE;
1071         end = buffer+buflen;
1072         *--end = '\0';
1073         buflen--;
1074         path = end-1;
1075         *path = '/';
1076         while (de && de != de->parent) {
1077                 buflen -= de->namelen + 1;
1078                 if (buflen < 0)
1079                         break;
1080                 end -= de->namelen;
1081                 memcpy(end, de->name, de->namelen);
1082                 *--end = '/';
1083                 path = end;
1084                 de = de->parent;
1085         }
1086         rc = security_genfs_sid("proc", path, tclass, sid);
1087         free_page((unsigned long)buffer);
1088         return rc;
1089 }
1090 #else
1091 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1092                                 u16 tclass,
1093                                 u32 *sid)
1094 {
1095         return -EINVAL;
1096 }
1097 #endif
1098
1099 /* The inode's security attributes must be initialized before first use. */
1100 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1101 {
1102         struct superblock_security_struct *sbsec = NULL;
1103         struct inode_security_struct *isec = inode->i_security;
1104         u32 sid;
1105         struct dentry *dentry;
1106 #define INITCONTEXTLEN 255
1107         char *context = NULL;
1108         unsigned len = 0;
1109         int rc = 0;
1110
1111         if (isec->initialized)
1112                 goto out;
1113
1114         mutex_lock(&isec->lock);
1115         if (isec->initialized)
1116                 goto out_unlock;
1117
1118         sbsec = inode->i_sb->s_security;
1119         if (!sbsec->initialized) {
1120                 /* Defer initialization until selinux_complete_init,
1121                    after the initial policy is loaded and the security
1122                    server is ready to handle calls. */
1123                 spin_lock(&sbsec->isec_lock);
1124                 if (list_empty(&isec->list))
1125                         list_add(&isec->list, &sbsec->isec_head);
1126                 spin_unlock(&sbsec->isec_lock);
1127                 goto out_unlock;
1128         }
1129
1130         switch (sbsec->behavior) {
1131         case SECURITY_FS_USE_XATTR:
1132                 if (!inode->i_op->getxattr) {
1133                         isec->sid = sbsec->def_sid;
1134                         break;
1135                 }
1136
1137                 /* Need a dentry, since the xattr API requires one.
1138                    Life would be simpler if we could just pass the inode. */
1139                 if (opt_dentry) {
1140                         /* Called from d_instantiate or d_splice_alias. */
1141                         dentry = dget(opt_dentry);
1142                 } else {
1143                         /* Called from selinux_complete_init, try to find a dentry. */
1144                         dentry = d_find_alias(inode);
1145                 }
1146                 if (!dentry) {
1147                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
1148                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1149                                inode->i_ino);
1150                         goto out_unlock;
1151                 }
1152
1153                 len = INITCONTEXTLEN;
1154                 context = kmalloc(len, GFP_KERNEL);
1155                 if (!context) {
1156                         rc = -ENOMEM;
1157                         dput(dentry);
1158                         goto out_unlock;
1159                 }
1160                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1161                                            context, len);
1162                 if (rc == -ERANGE) {
1163                         /* Need a larger buffer.  Query for the right size. */
1164                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1165                                                    NULL, 0);
1166                         if (rc < 0) {
1167                                 dput(dentry);
1168                                 goto out_unlock;
1169                         }
1170                         kfree(context);
1171                         len = rc;
1172                         context = kmalloc(len, GFP_KERNEL);
1173                         if (!context) {
1174                                 rc = -ENOMEM;
1175                                 dput(dentry);
1176                                 goto out_unlock;
1177                         }
1178                         rc = inode->i_op->getxattr(dentry,
1179                                                    XATTR_NAME_SELINUX,
1180                                                    context, len);
1181                 }
1182                 dput(dentry);
1183                 if (rc < 0) {
1184                         if (rc != -ENODATA) {
1185                                 printk(KERN_WARNING "%s:  getxattr returned "
1186                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
1187                                        -rc, inode->i_sb->s_id, inode->i_ino);
1188                                 kfree(context);
1189                                 goto out_unlock;
1190                         }
1191                         /* Map ENODATA to the default file SID */
1192                         sid = sbsec->def_sid;
1193                         rc = 0;
1194                 } else {
1195                         rc = security_context_to_sid_default(context, rc, &sid,
1196                                                              sbsec->def_sid);
1197                         if (rc) {
1198                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
1199                                        "returned %d for dev=%s ino=%ld\n",
1200                                        __FUNCTION__, context, -rc,
1201                                        inode->i_sb->s_id, inode->i_ino);
1202                                 kfree(context);
1203                                 /* Leave with the unlabeled SID */
1204                                 rc = 0;
1205                                 break;
1206                         }
1207                 }
1208                 kfree(context);
1209                 isec->sid = sid;
1210                 break;
1211         case SECURITY_FS_USE_TASK:
1212                 isec->sid = isec->task_sid;
1213                 break;
1214         case SECURITY_FS_USE_TRANS:
1215                 /* Default to the fs SID. */
1216                 isec->sid = sbsec->sid;
1217
1218                 /* Try to obtain a transition SID. */
1219                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1220                 rc = security_transition_sid(isec->task_sid,
1221                                              sbsec->sid,
1222                                              isec->sclass,
1223                                              &sid);
1224                 if (rc)
1225                         goto out_unlock;
1226                 isec->sid = sid;
1227                 break;
1228         case SECURITY_FS_USE_MNTPOINT:
1229                 isec->sid = sbsec->mntpoint_sid;
1230                 break;
1231         default:
1232                 /* Default to the fs superblock SID. */
1233                 isec->sid = sbsec->sid;
1234
1235                 if (sbsec->proc) {
1236                         struct proc_inode *proci = PROC_I(inode);
1237                         if (proci->pde) {
1238                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1239                                 rc = selinux_proc_get_sid(proci->pde,
1240                                                           isec->sclass,
1241                                                           &sid);
1242                                 if (rc)
1243                                         goto out_unlock;
1244                                 isec->sid = sid;
1245                         }
1246                 }
1247                 break;
1248         }
1249
1250         isec->initialized = 1;
1251
1252 out_unlock:
1253         mutex_unlock(&isec->lock);
1254 out:
1255         if (isec->sclass == SECCLASS_FILE)
1256                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1257         return rc;
1258 }
1259
1260 /* Convert a Linux signal to an access vector. */
1261 static inline u32 signal_to_av(int sig)
1262 {
1263         u32 perm = 0;
1264
1265         switch (sig) {
1266         case SIGCHLD:
1267                 /* Commonly granted from child to parent. */
1268                 perm = PROCESS__SIGCHLD;
1269                 break;
1270         case SIGKILL:
1271                 /* Cannot be caught or ignored */
1272                 perm = PROCESS__SIGKILL;
1273                 break;
1274         case SIGSTOP:
1275                 /* Cannot be caught or ignored */
1276                 perm = PROCESS__SIGSTOP;
1277                 break;
1278         default:
1279                 /* All other signals. */
1280                 perm = PROCESS__SIGNAL;
1281                 break;
1282         }
1283
1284         return perm;
1285 }
1286
1287 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1288    fork check, ptrace check, etc. */
1289 static int task_has_perm(struct task_struct *tsk1,
1290                          struct task_struct *tsk2,
1291                          u32 perms)
1292 {
1293         struct task_security_struct *tsec1, *tsec2;
1294
1295         tsec1 = tsk1->security;
1296         tsec2 = tsk2->security;
1297         return avc_has_perm(tsec1->sid, tsec2->sid,
1298                             SECCLASS_PROCESS, perms, NULL);
1299 }
1300
1301 /* Check whether a task is allowed to use a capability. */
1302 static int task_has_capability(struct task_struct *tsk,
1303                                int cap)
1304 {
1305         struct task_security_struct *tsec;
1306         struct avc_audit_data ad;
1307
1308         tsec = tsk->security;
1309
1310         AVC_AUDIT_DATA_INIT(&ad,CAP);
1311         ad.tsk = tsk;
1312         ad.u.cap = cap;
1313
1314         return avc_has_perm(tsec->sid, tsec->sid,
1315                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1316 }
1317
1318 /* Check whether a task is allowed to use a system operation. */
1319 static int task_has_system(struct task_struct *tsk,
1320                            u32 perms)
1321 {
1322         struct task_security_struct *tsec;
1323
1324         tsec = tsk->security;
1325
1326         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1327                             SECCLASS_SYSTEM, perms, NULL);
1328 }
1329
1330 /* Check whether a task has a particular permission to an inode.
1331    The 'adp' parameter is optional and allows other audit
1332    data to be passed (e.g. the dentry). */
1333 static int inode_has_perm(struct task_struct *tsk,
1334                           struct inode *inode,
1335                           u32 perms,
1336                           struct avc_audit_data *adp)
1337 {
1338         struct task_security_struct *tsec;
1339         struct inode_security_struct *isec;
1340         struct avc_audit_data ad;
1341
1342         if (unlikely (IS_PRIVATE (inode)))
1343                 return 0;
1344
1345         tsec = tsk->security;
1346         isec = inode->i_security;
1347
1348         if (!adp) {
1349                 adp = &ad;
1350                 AVC_AUDIT_DATA_INIT(&ad, FS);
1351                 ad.u.fs.inode = inode;
1352         }
1353
1354         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1355 }
1356
1357 /* Same as inode_has_perm, but pass explicit audit data containing
1358    the dentry to help the auditing code to more easily generate the
1359    pathname if needed. */
1360 static inline int dentry_has_perm(struct task_struct *tsk,
1361                                   struct vfsmount *mnt,
1362                                   struct dentry *dentry,
1363                                   u32 av)
1364 {
1365         struct inode *inode = dentry->d_inode;
1366         struct avc_audit_data ad;
1367         AVC_AUDIT_DATA_INIT(&ad,FS);
1368         ad.u.fs.mnt = mnt;
1369         ad.u.fs.dentry = dentry;
1370         return inode_has_perm(tsk, inode, av, &ad);
1371 }
1372
1373 /* Check whether a task can use an open file descriptor to
1374    access an inode in a given way.  Check access to the
1375    descriptor itself, and then use dentry_has_perm to
1376    check a particular permission to the file.
1377    Access to the descriptor is implicitly granted if it
1378    has the same SID as the process.  If av is zero, then
1379    access to the file is not checked, e.g. for cases
1380    where only the descriptor is affected like seek. */
1381 static int file_has_perm(struct task_struct *tsk,
1382                                 struct file *file,
1383                                 u32 av)
1384 {
1385         struct task_security_struct *tsec = tsk->security;
1386         struct file_security_struct *fsec = file->f_security;
1387         struct vfsmount *mnt = file->f_path.mnt;
1388         struct dentry *dentry = file->f_path.dentry;
1389         struct inode *inode = dentry->d_inode;
1390         struct avc_audit_data ad;
1391         int rc;
1392
1393         AVC_AUDIT_DATA_INIT(&ad, FS);
1394         ad.u.fs.mnt = mnt;
1395         ad.u.fs.dentry = dentry;
1396
1397         if (tsec->sid != fsec->sid) {
1398                 rc = avc_has_perm(tsec->sid, fsec->sid,
1399                                   SECCLASS_FD,
1400                                   FD__USE,
1401                                   &ad);
1402                 if (rc)
1403                         return rc;
1404         }
1405
1406         /* av is zero if only checking access to the descriptor. */
1407         if (av)
1408                 return inode_has_perm(tsk, inode, av, &ad);
1409
1410         return 0;
1411 }
1412
1413 /* Check whether a task can create a file. */
1414 static int may_create(struct inode *dir,
1415                       struct dentry *dentry,
1416                       u16 tclass)
1417 {
1418         struct task_security_struct *tsec;
1419         struct inode_security_struct *dsec;
1420         struct superblock_security_struct *sbsec;
1421         u32 newsid;
1422         struct avc_audit_data ad;
1423         int rc;
1424
1425         tsec = current->security;
1426         dsec = dir->i_security;
1427         sbsec = dir->i_sb->s_security;
1428
1429         AVC_AUDIT_DATA_INIT(&ad, FS);
1430         ad.u.fs.dentry = dentry;
1431
1432         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1433                           DIR__ADD_NAME | DIR__SEARCH,
1434                           &ad);
1435         if (rc)
1436                 return rc;
1437
1438         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1439                 newsid = tsec->create_sid;
1440         } else {
1441                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1442                                              &newsid);
1443                 if (rc)
1444                         return rc;
1445         }
1446
1447         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1448         if (rc)
1449                 return rc;
1450
1451         return avc_has_perm(newsid, sbsec->sid,
1452                             SECCLASS_FILESYSTEM,
1453                             FILESYSTEM__ASSOCIATE, &ad);
1454 }
1455
1456 /* Check whether a task can create a key. */
1457 static int may_create_key(u32 ksid,
1458                           struct task_struct *ctx)
1459 {
1460         struct task_security_struct *tsec;
1461
1462         tsec = ctx->security;
1463
1464         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1465 }
1466
1467 #define MAY_LINK   0
1468 #define MAY_UNLINK 1
1469 #define MAY_RMDIR  2
1470
1471 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1472 static int may_link(struct inode *dir,
1473                     struct dentry *dentry,
1474                     int kind)
1475
1476 {
1477         struct task_security_struct *tsec;
1478         struct inode_security_struct *dsec, *isec;
1479         struct avc_audit_data ad;
1480         u32 av;
1481         int rc;
1482
1483         tsec = current->security;
1484         dsec = dir->i_security;
1485         isec = dentry->d_inode->i_security;
1486
1487         AVC_AUDIT_DATA_INIT(&ad, FS);
1488         ad.u.fs.dentry = dentry;
1489
1490         av = DIR__SEARCH;
1491         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1492         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1493         if (rc)
1494                 return rc;
1495
1496         switch (kind) {
1497         case MAY_LINK:
1498                 av = FILE__LINK;
1499                 break;
1500         case MAY_UNLINK:
1501                 av = FILE__UNLINK;
1502                 break;
1503         case MAY_RMDIR:
1504                 av = DIR__RMDIR;
1505                 break;
1506         default:
1507                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1508                 return 0;
1509         }
1510
1511         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1512         return rc;
1513 }
1514
1515 static inline int may_rename(struct inode *old_dir,
1516                              struct dentry *old_dentry,
1517                              struct inode *new_dir,
1518                              struct dentry *new_dentry)
1519 {
1520         struct task_security_struct *tsec;
1521         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1522         struct avc_audit_data ad;
1523         u32 av;
1524         int old_is_dir, new_is_dir;
1525         int rc;
1526
1527         tsec = current->security;
1528         old_dsec = old_dir->i_security;
1529         old_isec = old_dentry->d_inode->i_security;
1530         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1531         new_dsec = new_dir->i_security;
1532
1533         AVC_AUDIT_DATA_INIT(&ad, FS);
1534
1535         ad.u.fs.dentry = old_dentry;
1536         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1537                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1538         if (rc)
1539                 return rc;
1540         rc = avc_has_perm(tsec->sid, old_isec->sid,
1541                           old_isec->sclass, FILE__RENAME, &ad);
1542         if (rc)
1543                 return rc;
1544         if (old_is_dir && new_dir != old_dir) {
1545                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1546                                   old_isec->sclass, DIR__REPARENT, &ad);
1547                 if (rc)
1548                         return rc;
1549         }
1550
1551         ad.u.fs.dentry = new_dentry;
1552         av = DIR__ADD_NAME | DIR__SEARCH;
1553         if (new_dentry->d_inode)
1554                 av |= DIR__REMOVE_NAME;
1555         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1556         if (rc)
1557                 return rc;
1558         if (new_dentry->d_inode) {
1559                 new_isec = new_dentry->d_inode->i_security;
1560                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1561                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1562                                   new_isec->sclass,
1563                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1564                 if (rc)
1565                         return rc;
1566         }
1567
1568         return 0;
1569 }
1570
1571 /* Check whether a task can perform a filesystem operation. */
1572 static int superblock_has_perm(struct task_struct *tsk,
1573                                struct super_block *sb,
1574                                u32 perms,
1575                                struct avc_audit_data *ad)
1576 {
1577         struct task_security_struct *tsec;
1578         struct superblock_security_struct *sbsec;
1579
1580         tsec = tsk->security;
1581         sbsec = sb->s_security;
1582         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1583                             perms, ad);
1584 }
1585
1586 /* Convert a Linux mode and permission mask to an access vector. */
1587 static inline u32 file_mask_to_av(int mode, int mask)
1588 {
1589         u32 av = 0;
1590
1591         if ((mode & S_IFMT) != S_IFDIR) {
1592                 if (mask & MAY_EXEC)
1593                         av |= FILE__EXECUTE;
1594                 if (mask & MAY_READ)
1595                         av |= FILE__READ;
1596
1597                 if (mask & MAY_APPEND)
1598                         av |= FILE__APPEND;
1599                 else if (mask & MAY_WRITE)
1600                         av |= FILE__WRITE;
1601
1602         } else {
1603                 if (mask & MAY_EXEC)
1604                         av |= DIR__SEARCH;
1605                 if (mask & MAY_WRITE)
1606                         av |= DIR__WRITE;
1607                 if (mask & MAY_READ)
1608                         av |= DIR__READ;
1609         }
1610
1611         return av;
1612 }
1613
1614 /* Convert a Linux file to an access vector. */
1615 static inline u32 file_to_av(struct file *file)
1616 {
1617         u32 av = 0;
1618
1619         if (file->f_mode & FMODE_READ)
1620                 av |= FILE__READ;
1621         if (file->f_mode & FMODE_WRITE) {
1622                 if (file->f_flags & O_APPEND)
1623                         av |= FILE__APPEND;
1624                 else
1625                         av |= FILE__WRITE;
1626         }
1627
1628         return av;
1629 }
1630
1631 /* Hook functions begin here. */
1632
1633 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1634 {
1635         struct task_security_struct *psec = parent->security;
1636         struct task_security_struct *csec = child->security;
1637         int rc;
1638
1639         rc = secondary_ops->ptrace(parent,child);
1640         if (rc)
1641                 return rc;
1642
1643         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1644         /* Save the SID of the tracing process for later use in apply_creds. */
1645         if (!(child->ptrace & PT_PTRACED) && !rc)
1646                 csec->ptrace_sid = psec->sid;
1647         return rc;
1648 }
1649
1650 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1651                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1652 {
1653         int error;
1654
1655         error = task_has_perm(current, target, PROCESS__GETCAP);
1656         if (error)
1657                 return error;
1658
1659         return secondary_ops->capget(target, effective, inheritable, permitted);
1660 }
1661
1662 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1663                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1664 {
1665         int error;
1666
1667         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1668         if (error)
1669                 return error;
1670
1671         return task_has_perm(current, target, PROCESS__SETCAP);
1672 }
1673
1674 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1675                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1676 {
1677         secondary_ops->capset_set(target, effective, inheritable, permitted);
1678 }
1679
1680 static int selinux_capable(struct task_struct *tsk, int cap)
1681 {
1682         int rc;
1683
1684         rc = secondary_ops->capable(tsk, cap);
1685         if (rc)
1686                 return rc;
1687
1688         return task_has_capability(tsk,cap);
1689 }
1690
1691 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1692 {
1693         int buflen, rc;
1694         char *buffer, *path, *end;
1695
1696         rc = -ENOMEM;
1697         buffer = (char*)__get_free_page(GFP_KERNEL);
1698         if (!buffer)
1699                 goto out;
1700
1701         buflen = PAGE_SIZE;
1702         end = buffer+buflen;
1703         *--end = '\0';
1704         buflen--;
1705         path = end-1;
1706         *path = '/';
1707         while (table) {
1708                 const char *name = table->procname;
1709                 size_t namelen = strlen(name);
1710                 buflen -= namelen + 1;
1711                 if (buflen < 0)
1712                         goto out_free;
1713                 end -= namelen;
1714                 memcpy(end, name, namelen);
1715                 *--end = '/';
1716                 path = end;
1717                 table = table->parent;
1718         }
1719         buflen -= 4;
1720         if (buflen < 0)
1721                 goto out_free;
1722         end -= 4;
1723         memcpy(end, "/sys", 4);
1724         path = end;
1725         rc = security_genfs_sid("proc", path, tclass, sid);
1726 out_free:
1727         free_page((unsigned long)buffer);
1728 out:
1729         return rc;
1730 }
1731
1732 static int selinux_sysctl(ctl_table *table, int op)
1733 {
1734         int error = 0;
1735         u32 av;
1736         struct task_security_struct *tsec;
1737         u32 tsid;
1738         int rc;
1739
1740         rc = secondary_ops->sysctl(table, op);
1741         if (rc)
1742                 return rc;
1743
1744         tsec = current->security;
1745
1746         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1747                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1748         if (rc) {
1749                 /* Default to the well-defined sysctl SID. */
1750                 tsid = SECINITSID_SYSCTL;
1751         }
1752
1753         /* The op values are "defined" in sysctl.c, thereby creating
1754          * a bad coupling between this module and sysctl.c */
1755         if(op == 001) {
1756                 error = avc_has_perm(tsec->sid, tsid,
1757                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1758         } else {
1759                 av = 0;
1760                 if (op & 004)
1761                         av |= FILE__READ;
1762                 if (op & 002)
1763                         av |= FILE__WRITE;
1764                 if (av)
1765                         error = avc_has_perm(tsec->sid, tsid,
1766                                              SECCLASS_FILE, av, NULL);
1767         }
1768
1769         return error;
1770 }
1771
1772 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1773 {
1774         int rc = 0;
1775
1776         if (!sb)
1777                 return 0;
1778
1779         switch (cmds) {
1780                 case Q_SYNC:
1781                 case Q_QUOTAON:
1782                 case Q_QUOTAOFF:
1783                 case Q_SETINFO:
1784                 case Q_SETQUOTA:
1785                         rc = superblock_has_perm(current,
1786                                                  sb,
1787                                                  FILESYSTEM__QUOTAMOD, NULL);
1788                         break;
1789                 case Q_GETFMT:
1790                 case Q_GETINFO:
1791                 case Q_GETQUOTA:
1792                         rc = superblock_has_perm(current,
1793                                                  sb,
1794                                                  FILESYSTEM__QUOTAGET, NULL);
1795                         break;
1796                 default:
1797                         rc = 0;  /* let the kernel handle invalid cmds */
1798                         break;
1799         }
1800         return rc;
1801 }
1802
1803 static int selinux_quota_on(struct dentry *dentry)
1804 {
1805         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1806 }
1807
1808 static int selinux_syslog(int type)
1809 {
1810         int rc;
1811
1812         rc = secondary_ops->syslog(type);
1813         if (rc)
1814                 return rc;
1815
1816         switch (type) {
1817                 case 3:         /* Read last kernel messages */
1818                 case 10:        /* Return size of the log buffer */
1819                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1820                         break;
1821                 case 6:         /* Disable logging to console */
1822                 case 7:         /* Enable logging to console */
1823                 case 8:         /* Set level of messages printed to console */
1824                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1825                         break;
1826                 case 0:         /* Close log */
1827                 case 1:         /* Open log */
1828                 case 2:         /* Read from log */
1829                 case 4:         /* Read/clear last kernel messages */
1830                 case 5:         /* Clear ring buffer */
1831                 default:
1832                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1833                         break;
1834         }
1835         return rc;
1836 }
1837
1838 /*
1839  * Check that a process has enough memory to allocate a new virtual
1840  * mapping. 0 means there is enough memory for the allocation to
1841  * succeed and -ENOMEM implies there is not.
1842  *
1843  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1844  * if the capability is granted, but __vm_enough_memory requires 1 if
1845  * the capability is granted.
1846  *
1847  * Do not audit the selinux permission check, as this is applied to all
1848  * processes that allocate mappings.
1849  */
1850 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1851 {
1852         int rc, cap_sys_admin = 0;
1853         struct task_security_struct *tsec = current->security;
1854
1855         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1856         if (rc == 0)
1857                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1858                                           SECCLASS_CAPABILITY,
1859                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1860                                           0,
1861                                           NULL);
1862
1863         if (rc == 0)
1864                 cap_sys_admin = 1;
1865
1866         return __vm_enough_memory(mm, pages, cap_sys_admin);
1867 }
1868
1869 /* binprm security operations */
1870
1871 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1872 {
1873         struct bprm_security_struct *bsec;
1874
1875         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1876         if (!bsec)
1877                 return -ENOMEM;
1878
1879         bsec->bprm = bprm;
1880         bsec->sid = SECINITSID_UNLABELED;
1881         bsec->set = 0;
1882
1883         bprm->security = bsec;
1884         return 0;
1885 }
1886
1887 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1888 {
1889         struct task_security_struct *tsec;
1890         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1891         struct inode_security_struct *isec;
1892         struct bprm_security_struct *bsec;
1893         u32 newsid;
1894         struct avc_audit_data ad;
1895         int rc;
1896
1897         rc = secondary_ops->bprm_set_security(bprm);
1898         if (rc)
1899                 return rc;
1900
1901         bsec = bprm->security;
1902
1903         if (bsec->set)
1904                 return 0;
1905
1906         tsec = current->security;
1907         isec = inode->i_security;
1908
1909         /* Default to the current task SID. */
1910         bsec->sid = tsec->sid;
1911
1912         /* Reset fs, key, and sock SIDs on execve. */
1913         tsec->create_sid = 0;
1914         tsec->keycreate_sid = 0;
1915         tsec->sockcreate_sid = 0;
1916
1917         if (tsec->exec_sid) {
1918                 newsid = tsec->exec_sid;
1919                 /* Reset exec SID on execve. */
1920                 tsec->exec_sid = 0;
1921         } else {
1922                 /* Check for a default transition on this program. */
1923                 rc = security_transition_sid(tsec->sid, isec->sid,
1924                                              SECCLASS_PROCESS, &newsid);
1925                 if (rc)
1926                         return rc;
1927         }
1928
1929         AVC_AUDIT_DATA_INIT(&ad, FS);
1930         ad.u.fs.mnt = bprm->file->f_path.mnt;
1931         ad.u.fs.dentry = bprm->file->f_path.dentry;
1932
1933         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1934                 newsid = tsec->sid;
1935
1936         if (tsec->sid == newsid) {
1937                 rc = avc_has_perm(tsec->sid, isec->sid,
1938                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1939                 if (rc)
1940                         return rc;
1941         } else {
1942                 /* Check permissions for the transition. */
1943                 rc = avc_has_perm(tsec->sid, newsid,
1944                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1945                 if (rc)
1946                         return rc;
1947
1948                 rc = avc_has_perm(newsid, isec->sid,
1949                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1950                 if (rc)
1951                         return rc;
1952
1953                 /* Clear any possibly unsafe personality bits on exec: */
1954                 current->personality &= ~PER_CLEAR_ON_SETID;
1955
1956                 /* Set the security field to the new SID. */
1957                 bsec->sid = newsid;
1958         }
1959
1960         bsec->set = 1;
1961         return 0;
1962 }
1963
1964 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1965 {
1966         return secondary_ops->bprm_check_security(bprm);
1967 }
1968
1969
1970 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1971 {
1972         struct task_security_struct *tsec = current->security;
1973         int atsecure = 0;
1974
1975         if (tsec->osid != tsec->sid) {
1976                 /* Enable secure mode for SIDs transitions unless
1977                    the noatsecure permission is granted between
1978                    the two SIDs, i.e. ahp returns 0. */
1979                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1980                                          SECCLASS_PROCESS,
1981                                          PROCESS__NOATSECURE, NULL);
1982         }
1983
1984         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1985 }
1986
1987 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1988 {
1989         kfree(bprm->security);
1990         bprm->security = NULL;
1991 }
1992
1993 extern struct vfsmount *selinuxfs_mount;
1994 extern struct dentry *selinux_null;
1995
1996 /* Derived from fs/exec.c:flush_old_files. */
1997 static inline void flush_unauthorized_files(struct files_struct * files)
1998 {
1999         struct avc_audit_data ad;
2000         struct file *file, *devnull = NULL;
2001         struct tty_struct *tty;
2002         struct fdtable *fdt;
2003         long j = -1;
2004         int drop_tty = 0;
2005
2006         mutex_lock(&tty_mutex);
2007         tty = get_current_tty();
2008         if (tty) {
2009                 file_list_lock();
2010                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2011                 if (file) {
2012                         /* Revalidate access to controlling tty.
2013                            Use inode_has_perm on the tty inode directly rather
2014                            than using file_has_perm, as this particular open
2015                            file may belong to another process and we are only
2016                            interested in the inode-based check here. */
2017                         struct inode *inode = file->f_path.dentry->d_inode;
2018                         if (inode_has_perm(current, inode,
2019                                            FILE__READ | FILE__WRITE, NULL)) {
2020                                 drop_tty = 1;
2021                         }
2022                 }
2023                 file_list_unlock();
2024         }
2025         mutex_unlock(&tty_mutex);
2026         /* Reset controlling tty. */
2027         if (drop_tty)
2028                 no_tty();
2029
2030         /* Revalidate access to inherited open files. */
2031
2032         AVC_AUDIT_DATA_INIT(&ad,FS);
2033
2034         spin_lock(&files->file_lock);
2035         for (;;) {
2036                 unsigned long set, i;
2037                 int fd;
2038
2039                 j++;
2040                 i = j * __NFDBITS;
2041                 fdt = files_fdtable(files);
2042                 if (i >= fdt->max_fds)
2043                         break;
2044                 set = fdt->open_fds->fds_bits[j];
2045                 if (!set)
2046                         continue;
2047                 spin_unlock(&files->file_lock);
2048                 for ( ; set ; i++,set >>= 1) {
2049                         if (set & 1) {
2050                                 file = fget(i);
2051                                 if (!file)
2052                                         continue;
2053                                 if (file_has_perm(current,
2054                                                   file,
2055                                                   file_to_av(file))) {
2056                                         sys_close(i);
2057                                         fd = get_unused_fd();
2058                                         if (fd != i) {
2059                                                 if (fd >= 0)
2060                                                         put_unused_fd(fd);
2061                                                 fput(file);
2062                                                 continue;
2063                                         }
2064                                         if (devnull) {
2065                                                 get_file(devnull);
2066                                         } else {
2067                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2068                                                 if (IS_ERR(devnull)) {
2069                                                         devnull = NULL;
2070                                                         put_unused_fd(fd);
2071                                                         fput(file);
2072                                                         continue;
2073                                                 }
2074                                         }
2075                                         fd_install(fd, devnull);
2076                                 }
2077                                 fput(file);
2078                         }
2079                 }
2080                 spin_lock(&files->file_lock);
2081
2082         }
2083         spin_unlock(&files->file_lock);
2084 }
2085
2086 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2087 {
2088         struct task_security_struct *tsec;
2089         struct bprm_security_struct *bsec;
2090         u32 sid;
2091         int rc;
2092
2093         secondary_ops->bprm_apply_creds(bprm, unsafe);
2094
2095         tsec = current->security;
2096
2097         bsec = bprm->security;
2098         sid = bsec->sid;
2099
2100         tsec->osid = tsec->sid;
2101         bsec->unsafe = 0;
2102         if (tsec->sid != sid) {
2103                 /* Check for shared state.  If not ok, leave SID
2104                    unchanged and kill. */
2105                 if (unsafe & LSM_UNSAFE_SHARE) {
2106                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2107                                         PROCESS__SHARE, NULL);
2108                         if (rc) {
2109                                 bsec->unsafe = 1;
2110                                 return;
2111                         }
2112                 }
2113
2114                 /* Check for ptracing, and update the task SID if ok.
2115                    Otherwise, leave SID unchanged and kill. */
2116                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2117                         rc = avc_has_perm(tsec->ptrace_sid, sid,
2118                                           SECCLASS_PROCESS, PROCESS__PTRACE,
2119                                           NULL);
2120                         if (rc) {
2121                                 bsec->unsafe = 1;
2122                                 return;
2123                         }
2124                 }
2125                 tsec->sid = sid;
2126         }
2127 }
2128
2129 /*
2130  * called after apply_creds without the task lock held
2131  */
2132 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2133 {
2134         struct task_security_struct *tsec;
2135         struct rlimit *rlim, *initrlim;
2136         struct itimerval itimer;
2137         struct bprm_security_struct *bsec;
2138         int rc, i;
2139
2140         tsec = current->security;
2141         bsec = bprm->security;
2142
2143         if (bsec->unsafe) {
2144                 force_sig_specific(SIGKILL, current);
2145                 return;
2146         }
2147         if (tsec->osid == tsec->sid)
2148                 return;
2149
2150         /* Close files for which the new task SID is not authorized. */
2151         flush_unauthorized_files(current->files);
2152
2153         /* Check whether the new SID can inherit signal state
2154            from the old SID.  If not, clear itimers to avoid
2155            subsequent signal generation and flush and unblock
2156            signals. This must occur _after_ the task SID has
2157           been updated so that any kill done after the flush
2158           will be checked against the new SID. */
2159         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2160                           PROCESS__SIGINH, NULL);
2161         if (rc) {
2162                 memset(&itimer, 0, sizeof itimer);
2163                 for (i = 0; i < 3; i++)
2164                         do_setitimer(i, &itimer, NULL);
2165                 flush_signals(current);
2166                 spin_lock_irq(&current->sighand->siglock);
2167                 flush_signal_handlers(current, 1);
2168                 sigemptyset(&current->blocked);
2169                 recalc_sigpending();
2170                 spin_unlock_irq(&current->sighand->siglock);
2171         }
2172
2173         /* Always clear parent death signal on SID transitions. */
2174         current->pdeath_signal = 0;
2175
2176         /* Check whether the new SID can inherit resource limits
2177            from the old SID.  If not, reset all soft limits to
2178            the lower of the current task's hard limit and the init
2179            task's soft limit.  Note that the setting of hard limits
2180            (even to lower them) can be controlled by the setrlimit
2181            check. The inclusion of the init task's soft limit into
2182            the computation is to avoid resetting soft limits higher
2183            than the default soft limit for cases where the default
2184            is lower than the hard limit, e.g. RLIMIT_CORE or
2185            RLIMIT_STACK.*/
2186         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2187                           PROCESS__RLIMITINH, NULL);
2188         if (rc) {
2189                 for (i = 0; i < RLIM_NLIMITS; i++) {
2190                         rlim = current->signal->rlim + i;
2191                         initrlim = init_task.signal->rlim+i;
2192                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2193                 }
2194                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2195                         /*
2196                          * This will cause RLIMIT_CPU calculations
2197                          * to be refigured.
2198                          */
2199                         current->it_prof_expires = jiffies_to_cputime(1);
2200                 }
2201         }
2202
2203         /* Wake up the parent if it is waiting so that it can
2204            recheck wait permission to the new task SID. */
2205         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2206 }
2207
2208 /* superblock security operations */
2209
2210 static int selinux_sb_alloc_security(struct super_block *sb)
2211 {
2212         return superblock_alloc_security(sb);
2213 }
2214
2215 static void selinux_sb_free_security(struct super_block *sb)
2216 {
2217         superblock_free_security(sb);
2218 }
2219
2220 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2221 {
2222         if (plen > olen)
2223                 return 0;
2224
2225         return !memcmp(prefix, option, plen);
2226 }
2227
2228 static inline int selinux_option(char *option, int len)
2229 {
2230         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2231                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2232                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2233                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2234 }
2235
2236 static inline void take_option(char **to, char *from, int *first, int len)
2237 {
2238         if (!*first) {
2239                 **to = ',';
2240                 *to += 1;
2241         } else
2242                 *first = 0;
2243         memcpy(*to, from, len);
2244         *to += len;
2245 }
2246
2247 static inline void take_selinux_option(char **to, char *from, int *first, 
2248                                        int len)
2249 {
2250         int current_size = 0;
2251
2252         if (!*first) {
2253                 **to = '|';
2254                 *to += 1;
2255         }
2256         else
2257                 *first = 0;
2258
2259         while (current_size < len) {
2260                 if (*from != '"') {
2261                         **to = *from;
2262                         *to += 1;
2263                 }
2264                 from += 1;
2265                 current_size += 1;
2266         }
2267 }
2268
2269 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2270 {
2271         int fnosec, fsec, rc = 0;
2272         char *in_save, *in_curr, *in_end;
2273         char *sec_curr, *nosec_save, *nosec;
2274         int open_quote = 0;
2275
2276         in_curr = orig;
2277         sec_curr = copy;
2278
2279         /* Binary mount data: just copy */
2280         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2281                 copy_page(sec_curr, in_curr);
2282                 goto out;
2283         }
2284
2285         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2286         if (!nosec) {
2287                 rc = -ENOMEM;
2288                 goto out;
2289         }
2290
2291         nosec_save = nosec;
2292         fnosec = fsec = 1;
2293         in_save = in_end = orig;
2294
2295         do {
2296                 if (*in_end == '"')
2297                         open_quote = !open_quote;
2298                 if ((*in_end == ',' && open_quote == 0) ||
2299                                 *in_end == '\0') {
2300                         int len = in_end - in_curr;
2301
2302                         if (selinux_option(in_curr, len))
2303                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2304                         else
2305                                 take_option(&nosec, in_curr, &fnosec, len);
2306
2307                         in_curr = in_end + 1;
2308                 }
2309         } while (*in_end++);
2310
2311         strcpy(in_save, nosec_save);
2312         free_page((unsigned long)nosec_save);
2313 out:
2314         return rc;
2315 }
2316
2317 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2318 {
2319         struct avc_audit_data ad;
2320         int rc;
2321
2322         rc = superblock_doinit(sb, data);
2323         if (rc)
2324                 return rc;
2325
2326         AVC_AUDIT_DATA_INIT(&ad,FS);
2327         ad.u.fs.dentry = sb->s_root;
2328         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2329 }
2330
2331 static int selinux_sb_statfs(struct dentry *dentry)
2332 {
2333         struct avc_audit_data ad;
2334
2335         AVC_AUDIT_DATA_INIT(&ad,FS);
2336         ad.u.fs.dentry = dentry->d_sb->s_root;
2337         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2338 }
2339
2340 static int selinux_mount(char * dev_name,
2341                          struct nameidata *nd,
2342                          char * type,
2343                          unsigned long flags,
2344                          void * data)
2345 {
2346         int rc;
2347
2348         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2349         if (rc)
2350                 return rc;
2351
2352         if (flags & MS_REMOUNT)
2353                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2354                                            FILESYSTEM__REMOUNT, NULL);
2355         else
2356                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2357                                        FILE__MOUNTON);
2358 }
2359
2360 static int selinux_umount(struct vfsmount *mnt, int flags)
2361 {
2362         int rc;
2363
2364         rc = secondary_ops->sb_umount(mnt, flags);
2365         if (rc)
2366                 return rc;
2367
2368         return superblock_has_perm(current,mnt->mnt_sb,
2369                                    FILESYSTEM__UNMOUNT,NULL);
2370 }
2371
2372 /* inode security operations */
2373
2374 static int selinux_inode_alloc_security(struct inode *inode)
2375 {
2376         return inode_alloc_security(inode);
2377 }
2378
2379 static void selinux_inode_free_security(struct inode *inode)
2380 {
2381         inode_free_security(inode);
2382 }
2383
2384 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2385                                        char **name, void **value,
2386                                        size_t *len)
2387 {
2388         struct task_security_struct *tsec;
2389         struct inode_security_struct *dsec;
2390         struct superblock_security_struct *sbsec;
2391         u32 newsid, clen;
2392         int rc;
2393         char *namep = NULL, *context;
2394
2395         tsec = current->security;
2396         dsec = dir->i_security;
2397         sbsec = dir->i_sb->s_security;
2398
2399         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2400                 newsid = tsec->create_sid;
2401         } else {
2402                 rc = security_transition_sid(tsec->sid, dsec->sid,
2403                                              inode_mode_to_security_class(inode->i_mode),
2404                                              &newsid);
2405                 if (rc) {
2406                         printk(KERN_WARNING "%s:  "
2407                                "security_transition_sid failed, rc=%d (dev=%s "
2408                                "ino=%ld)\n",
2409                                __FUNCTION__,
2410                                -rc, inode->i_sb->s_id, inode->i_ino);
2411                         return rc;
2412                 }
2413         }
2414
2415         /* Possibly defer initialization to selinux_complete_init. */
2416         if (sbsec->initialized) {
2417                 struct inode_security_struct *isec = inode->i_security;
2418                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2419                 isec->sid = newsid;
2420                 isec->initialized = 1;
2421         }
2422
2423         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2424                 return -EOPNOTSUPP;
2425
2426         if (name) {
2427                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2428                 if (!namep)
2429                         return -ENOMEM;
2430                 *name = namep;
2431         }
2432
2433         if (value && len) {
2434                 rc = security_sid_to_context(newsid, &context, &clen);
2435                 if (rc) {
2436                         kfree(namep);
2437                         return rc;
2438                 }
2439                 *value = context;
2440                 *len = clen;
2441         }
2442
2443         return 0;
2444 }
2445
2446 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2447 {
2448         return may_create(dir, dentry, SECCLASS_FILE);
2449 }
2450
2451 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2452 {
2453         int rc;
2454
2455         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2456         if (rc)
2457                 return rc;
2458         return may_link(dir, old_dentry, MAY_LINK);
2459 }
2460
2461 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2462 {
2463         int rc;
2464
2465         rc = secondary_ops->inode_unlink(dir, dentry);
2466         if (rc)
2467                 return rc;
2468         return may_link(dir, dentry, MAY_UNLINK);
2469 }
2470
2471 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2472 {
2473         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2474 }
2475
2476 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2477 {
2478         return may_create(dir, dentry, SECCLASS_DIR);
2479 }
2480
2481 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2482 {
2483         return may_link(dir, dentry, MAY_RMDIR);
2484 }
2485
2486 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2487 {
2488         int rc;
2489
2490         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2491         if (rc)
2492                 return rc;
2493
2494         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2495 }
2496
2497 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2498                                 struct inode *new_inode, struct dentry *new_dentry)
2499 {
2500         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2501 }
2502
2503 static int selinux_inode_readlink(struct dentry *dentry)
2504 {
2505         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2506 }
2507
2508 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2509 {
2510         int rc;
2511
2512         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2513         if (rc)
2514                 return rc;
2515         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2516 }
2517
2518 static int selinux_inode_permission(struct inode *inode, int mask,
2519                                     struct nameidata *nd)
2520 {
2521         int rc;
2522
2523         rc = secondary_ops->inode_permission(inode, mask, nd);
2524         if (rc)
2525                 return rc;
2526
2527         if (!mask) {
2528                 /* No permission to check.  Existence test. */
2529                 return 0;
2530         }
2531
2532         return inode_has_perm(current, inode,
2533                                file_mask_to_av(inode->i_mode, mask), NULL);
2534 }
2535
2536 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2537 {
2538         int rc;
2539
2540         rc = secondary_ops->inode_setattr(dentry, iattr);
2541         if (rc)
2542                 return rc;
2543
2544         if (iattr->ia_valid & ATTR_FORCE)
2545                 return 0;
2546
2547         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2548                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2549                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2550
2551         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2552 }
2553
2554 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2555 {
2556         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2557 }
2558
2559 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2560 {
2561         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2562                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2563                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2564                         if (!capable(CAP_SETFCAP))
2565                                 return -EPERM;
2566                 } else if (!capable(CAP_SYS_ADMIN)) {
2567                         /* A different attribute in the security namespace.
2568                            Restrict to administrator. */
2569                         return -EPERM;
2570                 }
2571         }
2572
2573         /* Not an attribute we recognize, so just check the
2574            ordinary setattr permission. */
2575         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2576 }
2577
2578 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2579 {
2580         struct task_security_struct *tsec = current->security;
2581         struct inode *inode = dentry->d_inode;
2582         struct inode_security_struct *isec = inode->i_security;
2583         struct superblock_security_struct *sbsec;
2584         struct avc_audit_data ad;
2585         u32 newsid;
2586         int rc = 0;
2587
2588         if (strcmp(name, XATTR_NAME_SELINUX))
2589                 return selinux_inode_setotherxattr(dentry, name);
2590
2591         sbsec = inode->i_sb->s_security;
2592         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2593                 return -EOPNOTSUPP;
2594
2595         if (!is_owner_or_cap(inode))
2596                 return -EPERM;
2597
2598         AVC_AUDIT_DATA_INIT(&ad,FS);
2599         ad.u.fs.dentry = dentry;
2600
2601         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2602                           FILE__RELABELFROM, &ad);
2603         if (rc)
2604                 return rc;
2605
2606         rc = security_context_to_sid(value, size, &newsid);
2607         if (rc)
2608                 return rc;
2609
2610         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2611                           FILE__RELABELTO, &ad);
2612         if (rc)
2613                 return rc;
2614
2615         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2616                                           isec->sclass);
2617         if (rc)
2618                 return rc;
2619
2620         return avc_has_perm(newsid,
2621                             sbsec->sid,
2622                             SECCLASS_FILESYSTEM,
2623                             FILESYSTEM__ASSOCIATE,
2624                             &ad);
2625 }
2626
2627 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2628                                         void *value, size_t size, int flags)
2629 {
2630         struct inode *inode = dentry->d_inode;
2631         struct inode_security_struct *isec = inode->i_security;
2632         u32 newsid;
2633         int rc;
2634
2635         if (strcmp(name, XATTR_NAME_SELINUX)) {
2636                 /* Not an attribute we recognize, so nothing to do. */
2637                 return;
2638         }
2639
2640         rc = security_context_to_sid(value, size, &newsid);
2641         if (rc) {
2642                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2643                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2644                 return;
2645         }
2646
2647         isec->sid = newsid;
2648         return;
2649 }
2650
2651 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2652 {
2653         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2654 }
2655
2656 static int selinux_inode_listxattr (struct dentry *dentry)
2657 {
2658         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2659 }
2660
2661 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2662 {
2663         if (strcmp(name, XATTR_NAME_SELINUX))
2664                 return selinux_inode_setotherxattr(dentry, name);
2665
2666         /* No one is allowed to remove a SELinux security label.
2667            You can change the label, but all data must be labeled. */
2668         return -EACCES;
2669 }
2670
2671 /*
2672  * Copy the in-core inode security context value to the user.  If the
2673  * getxattr() prior to this succeeded, check to see if we need to
2674  * canonicalize the value to be finally returned to the user.
2675  *
2676  * Permission check is handled by selinux_inode_getxattr hook.
2677  */
2678 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2679 {
2680         struct inode_security_struct *isec = inode->i_security;
2681
2682         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2683                 return -EOPNOTSUPP;
2684
2685         return selinux_getsecurity(isec->sid, buffer, size);
2686 }
2687
2688 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2689                                      const void *value, size_t size, int flags)
2690 {
2691         struct inode_security_struct *isec = inode->i_security;
2692         u32 newsid;
2693         int rc;
2694
2695         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2696                 return -EOPNOTSUPP;
2697
2698         if (!value || !size)
2699                 return -EACCES;
2700
2701         rc = security_context_to_sid((void*)value, size, &newsid);
2702         if (rc)
2703                 return rc;
2704
2705         isec->sid = newsid;
2706         return 0;
2707 }
2708
2709 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2710 {
2711         const int len = sizeof(XATTR_NAME_SELINUX);
2712         if (buffer && len <= buffer_size)
2713                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2714         return len;
2715 }
2716
2717 static int selinux_inode_need_killpriv(struct dentry *dentry)
2718 {
2719         return secondary_ops->inode_need_killpriv(dentry);
2720 }
2721
2722 static int selinux_inode_killpriv(struct dentry *dentry)
2723 {
2724         return secondary_ops->inode_killpriv(dentry);
2725 }
2726
2727 /* file security operations */
2728
2729 static int selinux_revalidate_file_permission(struct file *file, int mask)
2730 {
2731         int rc;
2732         struct inode *inode = file->f_path.dentry->d_inode;
2733
2734         if (!mask) {
2735                 /* No permission to check.  Existence test. */
2736                 return 0;
2737         }
2738
2739         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2740         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2741                 mask |= MAY_APPEND;
2742
2743         rc = file_has_perm(current, file,
2744                            file_mask_to_av(inode->i_mode, mask));
2745         if (rc)
2746                 return rc;
2747
2748         return selinux_netlbl_inode_permission(inode, mask);
2749 }
2750
2751 static int selinux_file_permission(struct file *file, int mask)
2752 {
2753         struct inode *inode = file->f_path.dentry->d_inode;
2754         struct task_security_struct *tsec = current->security;
2755         struct file_security_struct *fsec = file->f_security;
2756         struct inode_security_struct *isec = inode->i_security;
2757
2758         if (!mask) {
2759                 /* No permission to check.  Existence test. */
2760                 return 0;
2761         }
2762
2763         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2764             && fsec->pseqno == avc_policy_seqno())
2765                 return selinux_netlbl_inode_permission(inode, mask);
2766
2767         return selinux_revalidate_file_permission(file, mask);
2768 }
2769
2770 static int selinux_file_alloc_security(struct file *file)
2771 {
2772         return file_alloc_security(file);
2773 }
2774
2775 static void selinux_file_free_security(struct file *file)
2776 {
2777         file_free_security(file);
2778 }
2779
2780 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2781                               unsigned long arg)
2782 {
2783         int error = 0;
2784
2785         switch (cmd) {
2786                 case FIONREAD:
2787                 /* fall through */
2788                 case FIBMAP:
2789                 /* fall through */
2790                 case FIGETBSZ:
2791                 /* fall through */
2792                 case EXT2_IOC_GETFLAGS:
2793                 /* fall through */
2794                 case EXT2_IOC_GETVERSION:
2795                         error = file_has_perm(current, file, FILE__GETATTR);
2796                         break;
2797
2798                 case EXT2_IOC_SETFLAGS:
2799                 /* fall through */
2800                 case EXT2_IOC_SETVERSION:
2801                         error = file_has_perm(current, file, FILE__SETATTR);
2802                         break;
2803
2804                 /* sys_ioctl() checks */
2805                 case FIONBIO:
2806                 /* fall through */
2807                 case FIOASYNC:
2808                         error = file_has_perm(current, file, 0);
2809                         break;
2810
2811                 case KDSKBENT:
2812                 case KDSKBSENT:
2813                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2814                         break;
2815
2816                 /* default case assumes that the command will go
2817                  * to the file's ioctl() function.
2818                  */
2819                 default:
2820                         error = file_has_perm(current, file, FILE__IOCTL);
2821
2822         }
2823         return error;
2824 }
2825
2826 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2827 {
2828 #ifndef CONFIG_PPC32
2829         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2830                 /*
2831                  * We are making executable an anonymous mapping or a
2832                  * private file mapping that will also be writable.
2833                  * This has an additional check.
2834                  */
2835                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2836                 if (rc)
2837                         return rc;
2838         }
2839 #endif
2840
2841         if (file) {
2842                 /* read access is always possible with a mapping */
2843                 u32 av = FILE__READ;
2844
2845                 /* write access only matters if the mapping is shared */
2846                 if (shared && (prot & PROT_WRITE))
2847                         av |= FILE__WRITE;
2848
2849                 if (prot & PROT_EXEC)
2850                         av |= FILE__EXECUTE;
2851
2852                 return file_has_perm(current, file, av);
2853         }
2854         return 0;
2855 }
2856
2857 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2858                              unsigned long prot, unsigned long flags,
2859                              unsigned long addr, unsigned long addr_only)
2860 {
2861         int rc = 0;
2862         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2863
2864         if (addr < mmap_min_addr)
2865                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2866                                   MEMPROTECT__MMAP_ZERO, NULL);
2867         if (rc || addr_only)
2868                 return rc;
2869
2870         if (selinux_checkreqprot)
2871                 prot = reqprot;
2872
2873         return file_map_prot_check(file, prot,
2874                                    (flags & MAP_TYPE) == MAP_SHARED);
2875 }
2876
2877 static int selinux_file_mprotect(struct vm_area_struct *vma,
2878                                  unsigned long reqprot,
2879                                  unsigned long prot)
2880 {
2881         int rc;
2882
2883         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2884         if (rc)
2885                 return rc;
2886
2887         if (selinux_checkreqprot)
2888                 prot = reqprot;
2889
2890 #ifndef CONFIG_PPC32
2891         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2892                 rc = 0;
2893                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2894                     vma->vm_end <= vma->vm_mm->brk) {
2895                         rc = task_has_perm(current, current,
2896                                            PROCESS__EXECHEAP);
2897                 } else if (!vma->vm_file &&
2898                            vma->vm_start <= vma->vm_mm->start_stack &&
2899                            vma->vm_end >= vma->vm_mm->start_stack) {
2900                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2901                 } else if (vma->vm_file && vma->anon_vma) {
2902                         /*
2903                          * We are making executable a file mapping that has
2904                          * had some COW done. Since pages might have been
2905                          * written, check ability to execute the possibly
2906                          * modified content.  This typically should only
2907                          * occur for text relocations.
2908                          */
2909                         rc = file_has_perm(current, vma->vm_file,
2910                                            FILE__EXECMOD);
2911                 }
2912                 if (rc)
2913                         return rc;
2914         }
2915 #endif
2916
2917         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2918 }
2919
2920 static int selinux_file_lock(struct file *file, unsigned int cmd)
2921 {
2922         return file_has_perm(current, file, FILE__LOCK);
2923 }
2924
2925 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2926                               unsigned long arg)
2927 {
2928         int err = 0;
2929
2930         switch (cmd) {
2931                 case F_SETFL:
2932                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2933                                 err = -EINVAL;
2934                                 break;
2935                         }
2936
2937                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2938                                 err = file_has_perm(current, file,FILE__WRITE);
2939                                 break;
2940                         }
2941                         /* fall through */
2942                 case F_SETOWN:
2943                 case F_SETSIG:
2944                 case F_GETFL:
2945                 case F_GETOWN:
2946                 case F_GETSIG:
2947                         /* Just check FD__USE permission */
2948                         err = file_has_perm(current, file, 0);
2949                         break;
2950                 case F_GETLK:
2951                 case F_SETLK:
2952                 case F_SETLKW:
2953 #if BITS_PER_LONG == 32
2954                 case F_GETLK64:
2955                 case F_SETLK64:
2956                 case F_SETLKW64:
2957 #endif
2958                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2959                                 err = -EINVAL;
2960                                 break;
2961                         }
2962                         err = file_has_perm(current, file, FILE__LOCK);
2963                         break;
2964         }
2965
2966         return err;
2967 }
2968
2969 static int selinux_file_set_fowner(struct file *file)
2970 {
2971         struct task_security_struct *tsec;
2972         struct file_security_struct *fsec;
2973
2974         tsec = current->security;
2975         fsec = file->f_security;
2976         fsec->fown_sid = tsec->sid;
2977
2978         return 0;
2979 }
2980
2981 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2982                                        struct fown_struct *fown, int signum)
2983 {
2984         struct file *file;
2985         u32 perm;
2986         struct task_security_struct *tsec;
2987         struct file_security_struct *fsec;
2988
2989         /* struct fown_struct is never outside the context of a struct file */
2990         file = container_of(fown, struct file, f_owner);
2991
2992         tsec = tsk->security;
2993         fsec = file->f_security;
2994
2995         if (!signum)
2996                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2997         else
2998                 perm = signal_to_av(signum);
2999
3000         return avc_has_perm(fsec->fown_sid, tsec->sid,
3001                             SECCLASS_PROCESS, perm, NULL);
3002 }
3003
3004 static int selinux_file_receive(struct file *file)
3005 {
3006         return file_has_perm(current, file, file_to_av(file));
3007 }
3008
3009 static int selinux_dentry_open(struct file *file)
3010 {
3011         struct file_security_struct *fsec;
3012         struct inode *inode;
3013         struct inode_security_struct *isec;
3014         inode = file->f_path.dentry->d_inode;
3015         fsec = file->f_security;
3016         isec = inode->i_security;
3017         /*
3018          * Save inode label and policy sequence number
3019          * at open-time so that selinux_file_permission
3020          * can determine whether revalidation is necessary.
3021          * Task label is already saved in the file security
3022          * struct as its SID.
3023          */
3024         fsec->isid = isec->sid;
3025         fsec->pseqno = avc_policy_seqno();
3026         /*
3027          * Since the inode label or policy seqno may have changed
3028          * between the selinux_inode_permission check and the saving
3029          * of state above, recheck that access is still permitted.
3030          * Otherwise, access might never be revalidated against the
3031          * new inode label or new policy.
3032          * This check is not redundant - do not remove.
3033          */
3034         return inode_has_perm(current, inode, file_to_av(file), NULL);
3035 }
3036
3037 /* task security operations */
3038
3039 static int selinux_task_create(unsigned long clone_flags)
3040 {
3041         int rc;
3042
3043         rc = secondary_ops->task_create(clone_flags);
3044         if (rc)
3045                 return rc;
3046
3047         return task_has_perm(current, current, PROCESS__FORK);
3048 }
3049
3050 static int selinux_task_alloc_security(struct task_struct *tsk)
3051 {
3052         struct task_security_struct *tsec1, *tsec2;
3053         int rc;
3054
3055         tsec1 = current->security;
3056
3057         rc = task_alloc_security(tsk);
3058         if (rc)
3059                 return rc;
3060         tsec2 = tsk->security;
3061
3062         tsec2->osid = tsec1->osid;
3063         tsec2->sid = tsec1->sid;
3064
3065         /* Retain the exec, fs, key, and sock SIDs across fork */
3066         tsec2->exec_sid = tsec1->exec_sid;
3067         tsec2->create_sid = tsec1->create_sid;
3068         tsec2->keycreate_sid = tsec1->keycreate_sid;
3069         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3070
3071         /* Retain ptracer SID across fork, if any.
3072            This will be reset by the ptrace hook upon any
3073            subsequent ptrace_attach operations. */
3074         tsec2->ptrace_sid = tsec1->ptrace_sid;
3075
3076         return 0;
3077 }
3078
3079 static void selinux_task_free_security(struct task_struct *tsk)
3080 {
3081         task_free_security(tsk);
3082 }
3083
3084 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3085 {
3086         /* Since setuid only affects the current process, and
3087            since the SELinux controls are not based on the Linux
3088            identity attributes, SELinux does not need to control
3089            this operation.  However, SELinux does control the use
3090            of the CAP_SETUID and CAP_SETGID capabilities using the
3091            capable hook. */
3092         return 0;
3093 }
3094
3095 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3096 {
3097         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3098 }
3099
3100 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3101 {
3102         /* See the comment for setuid above. */
3103         return 0;
3104 }
3105
3106 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3107 {
3108         return task_has_perm(current, p, PROCESS__SETPGID);
3109 }
3110
3111 static int selinux_task_getpgid(struct task_struct *p)
3112 {
3113         return task_has_perm(current, p, PROCESS__GETPGID);
3114 }
3115
3116 static int selinux_task_getsid(struct task_struct *p)
3117 {
3118         return task_has_perm(current, p, PROCESS__GETSESSION);
3119 }
3120
3121 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3122 {
3123         selinux_get_task_sid(p, secid);
3124 }
3125
3126 static int selinux_task_setgroups(struct group_info *group_info)
3127 {
3128         /* See the comment for setuid above. */
3129         return 0;
3130 }
3131
3132 static int selinux_task_setnice(struct task_struct *p, int nice)
3133 {
3134         int rc;
3135
3136         rc = secondary_ops->task_setnice(p, nice);
3137         if (rc)
3138                 return rc;
3139
3140         return task_has_perm(current,p, PROCESS__SETSCHED);
3141 }
3142
3143 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3144 {
3145         int rc;
3146
3147         rc = secondary_ops->task_setioprio(p, ioprio);
3148         if (rc)
3149                 return rc;
3150
3151         return task_has_perm(current, p, PROCESS__SETSCHED);
3152 }
3153
3154 static int selinux_task_getioprio(struct task_struct *p)
3155 {
3156         return task_has_perm(current, p, PROCESS__GETSCHED);
3157 }
3158
3159 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3160 {
3161         struct rlimit *old_rlim = current->signal->rlim + resource;
3162         int rc;
3163
3164         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3165         if (rc)
3166                 return rc;
3167
3168         /* Control the ability to change the hard limit (whether
3169            lowering or raising it), so that the hard limit can
3170            later be used as a safe reset point for the soft limit
3171            upon context transitions. See selinux_bprm_apply_creds. */
3172         if (old_rlim->rlim_max != new_rlim->rlim_max)
3173                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3174
3175         return 0;
3176 }
3177
3178 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3179 {
3180         int rc;
3181
3182         rc = secondary_ops->task_setscheduler(p, policy, lp);
3183         if (rc)
3184                 return rc;
3185
3186         return task_has_perm(current, p, PROCESS__SETSCHED);
3187 }
3188
3189 static int selinux_task_getscheduler(struct task_struct *p)
3190 {
3191         return task_has_perm(current, p, PROCESS__GETSCHED);
3192 }
3193
3194 static int selinux_task_movememory(struct task_struct *p)
3195 {
3196         return task_has_perm(current, p, PROCESS__SETSCHED);
3197 }
3198
3199 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3200                                 int sig, u32 secid)
3201 {
3202         u32 perm;
3203         int rc;
3204         struct task_security_struct *tsec;
3205
3206         rc = secondary_ops->task_kill(p, info, sig, secid);
3207         if (rc)
3208                 return rc;
3209
3210         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3211                 return 0;
3212
3213         if (!sig)
3214                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3215         else
3216                 perm = signal_to_av(sig);
3217         tsec = p->security;
3218         if (secid)
3219                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3220         else
3221                 rc = task_has_perm(current, p, perm);
3222         return rc;
3223 }
3224
3225 static int selinux_task_prctl(int option,
3226                               unsigned long arg2,
3227                               unsigned long arg3,
3228                               unsigned long arg4,
3229                               unsigned long arg5)
3230 {
3231         /* The current prctl operations do not appear to require
3232            any SELinux controls since they merely observe or modify
3233            the state of the current process. */
3234         return 0;
3235 }
3236
3237 static int selinux_task_wait(struct task_struct *p)
3238 {
3239         return task_has_perm(p, current, PROCESS__SIGCHLD);
3240 }
3241
3242 static void selinux_task_reparent_to_init(struct task_struct *p)
3243 {
3244         struct task_security_struct *tsec;
3245
3246         secondary_ops->task_reparent_to_init(p);
3247
3248         tsec = p->security;
3249         tsec->osid = tsec->sid;
3250         tsec->sid = SECINITSID_KERNEL;
3251         return;
3252 }
3253
3254 static void selinux_task_to_inode(struct task_struct *p,
3255                                   struct inode *inode)
3256 {
3257         struct task_security_struct *tsec = p->security;
3258         struct inode_security_struct *isec = inode->i_security;
3259
3260         isec->sid = tsec->sid;
3261         isec->initialized = 1;
3262         return;
3263 }
3264
3265 /* Returns error only if unable to parse addresses */
3266 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3267                         struct avc_audit_data *ad, u8 *proto)
3268 {
3269         int offset, ihlen, ret = -EINVAL;
3270         struct iphdr _iph, *ih;
3271
3272         offset = skb_network_offset(skb);
3273         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3274         if (ih == NULL)
3275                 goto out;
3276
3277         ihlen = ih->ihl * 4;
3278         if (ihlen < sizeof(_iph))
3279                 goto out;
3280
3281         ad->u.net.v4info.saddr = ih->saddr;
3282         ad->u.net.v4info.daddr = ih->daddr;
3283         ret = 0;
3284
3285         if (proto)
3286                 *proto = ih->protocol;
3287
3288         switch (ih->protocol) {
3289         case IPPROTO_TCP: {
3290                 struct tcphdr _tcph, *th;
3291
3292                 if (ntohs(ih->frag_off) & IP_OFFSET)
3293                         break;
3294
3295                 offset += ihlen;
3296                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3297                 if (th == NULL)
3298                         break;
3299
3300                 ad->u.net.sport = th->source;
3301                 ad->u.net.dport = th->dest;
3302                 break;
3303         }
3304         
3305         case IPPROTO_UDP: {
3306                 struct udphdr _udph, *uh;
3307                 
3308                 if (ntohs(ih->frag_off) & IP_OFFSET)
3309                         break;
3310                         
3311                 offset += ihlen;
3312                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3313                 if (uh == NULL)
3314                         break;  
3315
3316                 ad->u.net.sport = uh->source;
3317                 ad->u.net.dport = uh->dest;
3318                 break;
3319         }
3320
3321         case IPPROTO_DCCP: {
3322                 struct dccp_hdr _dccph, *dh;
3323
3324                 if (ntohs(ih->frag_off) & IP_OFFSET)
3325                         break;
3326
3327                 offset += ihlen;
3328                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3329                 if (dh == NULL)
3330                         break;
3331
3332                 ad->u.net.sport = dh->dccph_sport;
3333                 ad->u.net.dport = dh->dccph_dport;
3334                 break;
3335         }
3336
3337         default:
3338                 break;
3339         }
3340 out:
3341         return ret;
3342 }
3343
3344 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3345
3346 /* Returns error only if unable to parse addresses */
3347 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3348                         struct avc_audit_data *ad, u8 *proto)
3349 {
3350         u8 nexthdr;
3351         int ret = -EINVAL, offset;
3352         struct ipv6hdr _ipv6h, *ip6;
3353
3354         offset = skb_network_offset(skb);
3355         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3356         if (ip6 == NULL)
3357                 goto out;
3358
3359         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3360         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3361         ret = 0;
3362
3363         nexthdr = ip6->nexthdr;
3364         offset += sizeof(_ipv6h);
3365         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3366         if (offset < 0)
3367                 goto out;
3368
3369         if (proto)
3370                 *proto = nexthdr;
3371
3372         switch (nexthdr) {
3373         case IPPROTO_TCP: {
3374                 struct tcphdr _tcph, *th;
3375
3376                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3377                 if (th == NULL)
3378                         break;
3379
3380                 ad->u.net.sport = th->source;
3381                 ad->u.net.dport = th->dest;
3382                 break;
3383         }
3384
3385         case IPPROTO_UDP: {
3386                 struct udphdr _udph, *uh;
3387
3388                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3389                 if (uh == NULL)
3390                         break;
3391
3392                 ad->u.net.sport = uh->source;
3393                 ad->u.net.dport = uh->dest;
3394                 break;
3395         }
3396
3397         case IPPROTO_DCCP: {
3398                 struct dccp_hdr _dccph, *dh;
3399
3400                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3401                 if (dh == NULL)
3402                         break;
3403
3404                 ad->u.net.sport = dh->dccph_sport;
3405                 ad->u.net.dport = dh->dccph_dport;
3406                 break;
3407         }
3408
3409         /* includes fragments */
3410         default:
3411                 break;
3412         }
3413 out:
3414         return ret;
3415 }
3416
3417 #endif /* IPV6 */
3418
3419 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3420                              char **addrp, int src, u8 *proto)
3421 {
3422         int ret = 0;
3423
3424         switch (ad->u.net.family) {
3425         case PF_INET:
3426                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3427                 if (ret || !addrp)
3428                         break;
3429                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3430                                         &ad->u.net.v4info.daddr);
3431                 break;
3432
3433 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3434         case PF_INET6:
3435                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3436                 if (ret || !addrp)
3437                         break;
3438                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3439                                         &ad->u.net.v6info.daddr);
3440                 break;
3441 #endif  /* IPV6 */
3442         default:
3443                 break;
3444         }
3445
3446         return ret;
3447 }
3448
3449 /**
3450  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3451  * @skb: the packet
3452  * @family: protocol family
3453  * @sid: the packet's peer label SID
3454  *
3455  * Description:
3456  * Check the various different forms of network peer labeling and determine
3457  * the peer label/SID for the packet; most of the magic actually occurs in
3458  * the security server function security_net_peersid_cmp().  The function
3459  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3460  * or -EACCES if @sid is invalid due to inconsistencies with the different
3461  * peer labels.
3462  *
3463  */
3464 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3465 {
3466         u32 xfrm_sid;
3467         u32 nlbl_sid;
3468         u32 nlbl_type;
3469
3470         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3471         selinux_netlbl_skbuff_getsid(skb,
3472                                      family,
3473                                      SECINITSID_NETMSG,
3474                                      &nlbl_type,
3475                                      &nlbl_sid);
3476
3477         if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
3478                                          xfrm_sid,
3479                                          sid) != 0)
3480                 return -EACCES;
3481
3482         return 0;
3483 }
3484
3485 /* socket security operations */
3486 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3487                            u32 perms)
3488 {
3489         struct inode_security_struct *isec;
3490         struct task_security_struct *tsec;
3491         struct avc_audit_data ad;
3492         int err = 0;
3493
3494         tsec = task->security;
3495         isec = SOCK_INODE(sock)->i_security;
3496
3497         if (isec->sid == SECINITSID_KERNEL)
3498                 goto out;
3499
3500         AVC_AUDIT_DATA_INIT(&ad,NET);
3501         ad.u.net.sk = sock->sk;
3502         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3503
3504 out:
3505         return err;
3506 }
3507
3508 static int selinux_socket_create(int family, int type,
3509                                  int protocol, int kern)
3510 {
3511         int err = 0;
3512         struct task_security_struct *tsec;
3513         u32 newsid;
3514
3515         if (kern)
3516                 goto out;
3517
3518         tsec = current->security;
3519         newsid = tsec->sockcreate_sid ? : tsec->sid;
3520         err = avc_has_perm(tsec->sid, newsid,
3521                            socket_type_to_security_class(family, type,
3522                            protocol), SOCKET__CREATE, NULL);
3523
3524 out:
3525         return err;
3526 }
3527
3528 static int selinux_socket_post_create(struct socket *sock, int family,
3529                                       int type, int protocol, int kern)
3530 {
3531         int err = 0;
3532         struct inode_security_struct *isec;
3533         struct task_security_struct *tsec;
3534         struct sk_security_struct *sksec;
3535         u32 newsid;
3536
3537         isec = SOCK_INODE(sock)->i_security;
3538
3539         tsec = current->security;
3540         newsid = tsec->sockcreate_sid ? : tsec->sid;
3541         isec->sclass = socket_type_to_security_class(family, type, protocol);
3542         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3543         isec->initialized = 1;
3544
3545         if (sock->sk) {
3546                 sksec = sock->sk->sk_security;
3547                 sksec->sid = isec->sid;
3548                 sksec->sclass = isec->sclass;
3549                 err = selinux_netlbl_socket_post_create(sock);
3550         }
3551
3552         return err;
3553 }
3554
3555 /* Range of port numbers used to automatically bind.
3556    Need to determine whether we should perform a name_bind
3557    permission check between the socket and the port number. */
3558
3559 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3560 {
3561         u16 family;
3562         int err;
3563
3564         err = socket_has_perm(current, sock, SOCKET__BIND);
3565         if (err)
3566                 goto out;
3567
3568         /*
3569          * If PF_INET or PF_INET6, check name_bind permission for the port.
3570          * Multiple address binding for SCTP is not supported yet: we just
3571          * check the first address now.
3572          */
3573         family = sock->sk->sk_family;
3574         if (family == PF_INET || family == PF_INET6) {
3575                 char *addrp;
3576                 struct inode_security_struct *isec;
3577                 struct task_security_struct *tsec;
3578                 struct avc_audit_data ad;
3579                 struct sockaddr_in *addr4 = NULL;
3580                 struct sockaddr_in6 *addr6 = NULL;
3581                 unsigned short snum;
3582                 struct sock *sk = sock->sk;
3583                 u32 sid, node_perm, addrlen;
3584
3585                 tsec = current->security;
3586                 isec = SOCK_INODE(sock)->i_security;
3587
3588                 if (family == PF_INET) {
3589                         addr4 = (struct sockaddr_in *)address;
3590                         snum = ntohs(addr4->sin_port);
3591                         addrlen = sizeof(addr4->sin_addr.s_addr);
3592                         addrp = (char *)&addr4->sin_addr.s_addr;
3593                 } else {
3594                         addr6 = (struct sockaddr_in6 *)address;
3595                         snum = ntohs(addr6->sin6_port);
3596                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3597                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3598                 }
3599
3600                 if (snum) {
3601                         int low, high;
3602
3603                         inet_get_local_port_range(&low, &high);
3604
3605                         if (snum < max(PROT_SOCK, low) || snum > high) {
3606                                 err = security_port_sid(sk->sk_family,
3607                                                         sk->sk_type,
3608                                                         sk->sk_protocol, snum,
3609                                                         &sid);
3610                                 if (err)
3611                                         goto out;
3612                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3613                                 ad.u.net.sport = htons(snum);
3614                                 ad.u.net.family = family;
3615                                 err = avc_has_perm(isec->sid, sid,
3616                                                    isec->sclass,
3617                                                    SOCKET__NAME_BIND, &ad);
3618                                 if (err)
3619                                         goto out;
3620                         }
3621                 }
3622                 
3623                 switch(isec->sclass) {
3624                 case SECCLASS_TCP_SOCKET:
3625                         node_perm = TCP_SOCKET__NODE_BIND;
3626                         break;
3627                         
3628                 case SECCLASS_UDP_SOCKET:
3629                         node_perm = UDP_SOCKET__NODE_BIND;
3630                         break;
3631
3632                 case SECCLASS_DCCP_SOCKET:
3633                         node_perm = DCCP_SOCKET__NODE_BIND;
3634                         break;
3635
3636                 default:
3637                         node_perm = RAWIP_SOCKET__NODE_BIND;
3638                         break;
3639                 }
3640                 
3641                 err = sel_netnode_sid(addrp, family, &sid);
3642                 if (err)
3643                         goto out;
3644                 
3645                 AVC_AUDIT_DATA_INIT(&ad,NET);
3646                 ad.u.net.sport = htons(snum);
3647                 ad.u.net.family = family;
3648
3649                 if (family == PF_INET)
3650                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3651                 else
3652                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3653
3654                 err = avc_has_perm(isec->sid, sid,
3655                                    isec->sclass, node_perm, &ad);
3656                 if (err)
3657                         goto out;
3658         }
3659 out:
3660         return err;
3661 }
3662
3663 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3664 {
3665         struct inode_security_struct *isec;
3666         int err;
3667
3668         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3669         if (err)
3670                 return err;
3671
3672         /*
3673          * If a TCP or DCCP socket, check name_connect permission for the port.
3674          */
3675         isec = SOCK_INODE(sock)->i_security;
3676         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3677             isec->sclass == SECCLASS_DCCP_SOCKET) {
3678                 struct sock *sk = sock->sk;
3679                 struct avc_audit_data ad;
3680                 struct sockaddr_in *addr4 = NULL;
3681                 struct sockaddr_in6 *addr6 = NULL;
3682                 unsigned short snum;
3683                 u32 sid, perm;
3684
3685                 if (sk->sk_family == PF_INET) {
3686                         addr4 = (struct sockaddr_in *)address;
3687                         if (addrlen < sizeof(struct sockaddr_in))
3688                                 return -EINVAL;
3689                         snum = ntohs(addr4->sin_port);
3690                 } else {
3691                         addr6 = (struct sockaddr_in6 *)address;
3692                         if (addrlen < SIN6_LEN_RFC2133)
3693                                 return -EINVAL;
3694                         snum = ntohs(addr6->sin6_port);
3695                 }
3696
3697                 err = security_port_sid(sk->sk_family, sk->sk_type,
3698                                         sk->sk_protocol, snum, &sid);
3699                 if (err)
3700                         goto out;
3701
3702                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3703                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3704
3705                 AVC_AUDIT_DATA_INIT(&ad,NET);
3706                 ad.u.net.dport = htons(snum);
3707                 ad.u.net.family = sk->sk_family;
3708                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3709                 if (err)
3710                         goto out;
3711         }
3712
3713 out:
3714         return err;
3715 }
3716
3717 static int selinux_socket_listen(struct socket *sock, int backlog)
3718 {
3719         return socket_has_perm(current, sock, SOCKET__LISTEN);
3720 }
3721
3722 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3723 {
3724         int err;
3725         struct inode_security_struct *isec;
3726         struct inode_security_struct *newisec;
3727
3728         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3729         if (err)
3730                 return err;
3731
3732         newisec = SOCK_INODE(newsock)->i_security;
3733
3734         isec = SOCK_INODE(sock)->i_security;
3735         newisec->sclass = isec->sclass;
3736         newisec->sid = isec->sid;
3737         newisec->initialized = 1;
3738
3739         return 0;
3740 }
3741
3742 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3743                                   int size)
3744 {
3745         int rc;
3746
3747         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3748         if (rc)
3749                 return rc;
3750
3751         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3752 }
3753
3754 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3755                                   int size, int flags)
3756 {
3757         return socket_has_perm(current, sock, SOCKET__READ);
3758 }
3759
3760 static int selinux_socket_getsockname(struct socket *sock)
3761 {
3762         return socket_has_perm(current, sock, SOCKET__GETATTR);
3763 }
3764
3765 static int selinux_socket_getpeername(struct socket *sock)
3766 {
3767         return socket_has_perm(current, sock, SOCKET__GETATTR);
3768 }
3769
3770 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3771 {
3772         int err;
3773
3774         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3775         if (err)
3776                 return err;
3777
3778         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3779 }
3780
3781 static int selinux_socket_getsockopt(struct socket *sock, int level,
3782                                      int optname)
3783 {
3784         return socket_has_perm(current, sock, SOCKET__GETOPT);
3785 }
3786
3787 static int selinux_socket_shutdown(struct socket *sock, int how)
3788 {
3789         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3790 }
3791
3792 static int selinux_socket_unix_stream_connect(struct socket *sock,
3793                                               struct socket *other,
3794                                               struct sock *newsk)
3795 {
3796         struct sk_security_struct *ssec;
3797         struct inode_security_struct *isec;
3798         struct inode_security_struct *other_isec;
3799         struct avc_audit_data ad;
3800         int err;
3801
3802         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3803         if (err)
3804                 return err;
3805
3806         isec = SOCK_INODE(sock)->i_security;
3807         other_isec = SOCK_INODE(other)->i_security;
3808
3809         AVC_AUDIT_DATA_INIT(&ad,NET);
3810         ad.u.net.sk = other->sk;
3811
3812         err = avc_has_perm(isec->sid, other_isec->sid,
3813                            isec->sclass,
3814                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3815         if (err)
3816                 return err;
3817
3818         /* connecting socket */
3819         ssec = sock->sk->sk_security;
3820         ssec->peer_sid = other_isec->sid;
3821         
3822         /* server child socket */
3823         ssec = newsk->sk_security;
3824         ssec->peer_sid = isec->sid;
3825         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3826
3827         return err;
3828 }
3829
3830 static int selinux_socket_unix_may_send(struct socket *sock,
3831                                         struct socket *other)
3832 {
3833         struct inode_security_struct *isec;
3834         struct inode_security_struct *other_isec;
3835         struct avc_audit_data ad;
3836         int err;
3837
3838         isec = SOCK_INODE(sock)->i_security;
3839         other_isec = SOCK_INODE(other)->i_security;
3840
3841         AVC_AUDIT_DATA_INIT(&ad,NET);
3842         ad.u.net.sk = other->sk;
3843
3844         err = avc_has_perm(isec->sid, other_isec->sid,
3845                            isec->sclass, SOCKET__SENDTO, &ad);
3846         if (err)
3847                 return err;
3848
3849         return 0;
3850 }
3851
3852 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3853                                                 struct sk_buff *skb,
3854                                                 struct avc_audit_data *ad,
3855                                                 u16 family,
3856                                                 char *addrp)
3857 {
3858         int err;
3859         struct sk_security_struct *sksec = sk->sk_security;
3860         u16 sk_class;
3861         u32 netif_perm, node_perm, recv_perm;
3862         u32 port_sid, node_sid, if_sid, sk_sid;
3863
3864         sk_sid = sksec->sid;
3865         sk_class = sksec->sclass;
3866
3867         switch (sk_class) {
3868         case SECCLASS_UDP_SOCKET:
3869                 netif_perm = NETIF__UDP_RECV;
3870                 node_perm = NODE__UDP_RECV;
3871                 recv_perm = UDP_SOCKET__RECV_MSG;
3872                 break;
3873         case SECCLASS_TCP_SOCKET:
3874                 netif_perm = NETIF__TCP_RECV;
3875                 node_perm = NODE__TCP_RECV;
3876                 recv_perm = TCP_SOCKET__RECV_MSG;
3877                 break;
3878         case SECCLASS_DCCP_SOCKET:
3879                 netif_perm = NETIF__DCCP_RECV;
3880                 node_perm = NODE__DCCP_RECV;
3881                 recv_perm = DCCP_SOCKET__RECV_MSG;
3882                 break;
3883         default:
3884                 netif_perm = NETIF__RAWIP_RECV;
3885                 node_perm = NODE__RAWIP_RECV;
3886                 recv_perm = 0;
3887                 break;
3888         }
3889
3890         err = sel_netif_sid(skb->iif, &if_sid);
3891         if (err)
3892                 return err;
3893         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3894         if (err)
3895                 return err;
3896         
3897         err = sel_netnode_sid(addrp, family, &node_sid);
3898         if (err)
3899                 return err;
3900         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3901         if (err)
3902                 return err;
3903
3904         if (!recv_perm)
3905                 return 0;
3906         err = security_port_sid(sk->sk_family, sk->sk_type,
3907                                 sk->sk_protocol, ntohs(ad->u.net.sport),
3908                                 &port_sid);
3909         if (err)
3910                 return err;
3911         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3912 }
3913
3914 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3915                                        struct avc_audit_data *ad,
3916                                        u16 family, char *addrp)
3917 {
3918         int err;
3919         struct sk_security_struct *sksec = sk->sk_security;
3920         u32 peer_sid;
3921         u32 sk_sid = sksec->sid;
3922
3923         if (selinux_compat_net)
3924                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3925                                                            family, addrp);
3926         else
3927                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3928                                    PACKET__RECV, ad);
3929         if (err)
3930                 return err;
3931
3932         if (selinux_policycap_netpeer) {
3933                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3934                 if (err)
3935                         return err;
3936                 err = avc_has_perm(sk_sid, peer_sid,
3937                                    SECCLASS_PEER, PEER__RECV, ad);
3938         } else {
3939                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3940                 if (err)
3941                         return err;
3942                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3943         }
3944
3945         return err;
3946 }
3947
3948 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3949 {
3950         int err;
3951         struct sk_security_struct *sksec = sk->sk_security;
3952         u16 family = sk->sk_family;
3953         u32 sk_sid = sksec->sid;
3954         struct avc_audit_data ad;
3955         char *addrp;
3956
3957         if (family != PF_INET && family != PF_INET6)
3958                 return 0;
3959
3960         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3961         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3962                 family = PF_INET;
3963
3964         AVC_AUDIT_DATA_INIT(&ad, NET);
3965         ad.u.net.netif = skb->iif;
3966         ad.u.net.family = family;
3967         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
3968         if (err)
3969                 return err;
3970
3971         /* If any sort of compatibility mode is enabled then handoff processing
3972          * to the selinux_sock_rcv_skb_compat() function to deal with the
3973          * special handling.  We do this in an attempt to keep this function
3974          * as fast and as clean as possible. */
3975         if (selinux_compat_net || !selinux_policycap_netpeer)
3976                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
3977                                                    family, addrp);
3978
3979         if (selinux_secmark_enabled()) {
3980                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3981                                    PACKET__RECV, &ad);
3982                 if (err)
3983                         return err;
3984         }
3985
3986         if (netlbl_enabled() || selinux_xfrm_enabled()) {
3987                 u32 peer_sid;
3988
3989                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3990                 if (err)
3991                         return err;
3992                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
3993                                    PEER__RECV, &ad);
3994         }
3995
3996         return err;
3997 }
3998
3999 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4000                                             int __user *optlen, unsigned len)
4001 {
4002         int err = 0;
4003         char *scontext;
4004         u32 scontext_len;
4005         struct sk_security_struct *ssec;
4006         struct inode_security_struct *isec;
4007         u32 peer_sid = SECSID_NULL;
4008
4009         isec = SOCK_INODE(sock)->i_security;
4010
4011         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4012             isec->sclass == SECCLASS_TCP_SOCKET) {
4013                 ssec = sock->sk->sk_security;
4014                 peer_sid = ssec->peer_sid;
4015         }
4016         if (peer_sid == SECSID_NULL) {
4017                 err = -ENOPROTOOPT;
4018                 goto out;
4019         }
4020
4021         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4022
4023         if (err)
4024                 goto out;
4025
4026         if (scontext_len > len) {
4027                 err = -ERANGE;
4028                 goto out_len;
4029         }
4030
4031         if (copy_to_user(optval, scontext, scontext_len))
4032                 err = -EFAULT;
4033
4034 out_len:
4035         if (put_user(scontext_len, optlen))
4036                 err = -EFAULT;
4037
4038         kfree(scontext);
4039 out:    
4040         return err;
4041 }
4042
4043 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4044 {
4045         u32 peer_secid = SECSID_NULL;
4046         u16 family;
4047
4048         if (sock)
4049                 family = sock->sk->sk_family;
4050         else if (skb && skb->sk)
4051                 family = skb->sk->sk_family;
4052         else
4053                 goto out;
4054
4055         if (sock && family == PF_UNIX)
4056                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4057         else if (skb)
4058                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4059
4060 out:
4061         *secid = peer_secid;
4062         if (peer_secid == SECSID_NULL)
4063                 return -EINVAL;
4064         return 0;
4065 }
4066
4067 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4068 {
4069         return sk_alloc_security(sk, family, priority);
4070 }
4071
4072 static void selinux_sk_free_security(struct sock *sk)
4073 {
4074         sk_free_security(sk);
4075 }
4076
4077 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4078 {
4079         struct sk_security_struct *ssec = sk->sk_security;
4080         struct sk_security_struct *newssec = newsk->sk_security;
4081
4082         newssec->sid = ssec->sid;
4083         newssec->peer_sid = ssec->peer_sid;
4084         newssec->sclass = ssec->sclass;
4085
4086         selinux_netlbl_sk_security_clone(ssec, newssec);
4087 }
4088
4089 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4090 {
4091         if (!sk)
4092                 *secid = SECINITSID_ANY_SOCKET;
4093         else {
4094                 struct sk_security_struct *sksec = sk->sk_security;
4095
4096                 *secid = sksec->sid;
4097         }
4098 }
4099
4100 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4101 {
4102         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4103         struct sk_security_struct *sksec = sk->sk_security;
4104
4105         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4106             sk->sk_family == PF_UNIX)
4107                 isec->sid = sksec->sid;
4108         sksec->sclass = isec->sclass;
4109
4110         selinux_netlbl_sock_graft(sk, parent);
4111 }
4112
4113 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4114                                      struct request_sock *req)
4115 {
4116         struct sk_security_struct *sksec = sk->sk_security;
4117         int err;
4118         u32 newsid;
4119         u32 peersid;
4120
4121         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4122         if (err)
4123                 return err;
4124         if (peersid == SECSID_NULL) {
4125                 req->secid = sksec->sid;
4126                 req->peer_secid = SECSID_NULL;
4127                 return 0;
4128         }
4129
4130         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4131         if (err)
4132                 return err;
4133
4134         req->secid = newsid;
4135         req->peer_secid = peersid;
4136         return 0;
4137 }
4138
4139 static void selinux_inet_csk_clone(struct sock *newsk,
4140                                    const struct request_sock *req)
4141 {
4142         struct sk_security_struct *newsksec = newsk->sk_security;
4143
4144         newsksec->sid = req->secid;
4145         newsksec->peer_sid = req->peer_secid;
4146         /* NOTE: Ideally, we should also get the isec->sid for the
4147            new socket in sync, but we don't have the isec available yet.
4148            So we will wait until sock_graft to do it, by which
4149            time it will have been created and available. */
4150
4151         /* We don't need to take any sort of lock here as we are the only
4152          * thread with access to newsksec */
4153         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4154 }
4155
4156 static void selinux_inet_conn_established(struct sock *sk,
4157                                 struct sk_buff *skb)
4158 {
4159         struct sk_security_struct *sksec = sk->sk_security;
4160
4161         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4162 }
4163
4164 static void selinux_req_classify_flow(const struct request_sock *req,
4165                                       struct flowi *fl)
4166 {
4167         fl->secid = req->secid;
4168 }
4169
4170 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4171 {
4172         int err = 0;
4173         u32 perm;
4174         struct nlmsghdr *nlh;
4175         struct socket *sock = sk->sk_socket;
4176         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4177         
4178         if (skb->len < NLMSG_SPACE(0)) {
4179                 err = -EINVAL;
4180                 goto out;
4181         }
4182         nlh = nlmsg_hdr(skb);
4183         
4184         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4185         if (err) {
4186                 if (err == -EINVAL) {
4187                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4188                                   "SELinux:  unrecognized netlink message"
4189                                   " type=%hu for sclass=%hu\n",
4190                                   nlh->nlmsg_type, isec->sclass);
4191                         if (!selinux_enforcing)
4192                                 err = 0;
4193                 }
4194
4195                 /* Ignore */
4196                 if (err == -ENOENT)
4197                         err = 0;
4198                 goto out;
4199         }
4200
4201         err = socket_has_perm(current, sock, perm);
4202 out:
4203         return err;
4204 }
4205
4206 #ifdef CONFIG_NETFILTER
4207
4208 static int selinux_ip_postroute_last_compat(struct sock *sk,
4209                                             struct net_device *dev,
4210                                             struct avc_audit_data *ad,
4211                                             u16 family,
4212                                             char *addrp)
4213 {
4214         int err = 0;
4215         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
4216         struct socket *sock;
4217         struct inode *inode;
4218         struct inode_security_struct *isec;
4219
4220         sock = sk->sk_socket;
4221         if (!sock)
4222                 goto out;
4223
4224         inode = SOCK_INODE(sock);
4225         if (!inode)
4226                 goto out;
4227
4228         isec = inode->i_security;
4229         
4230         err = sel_netif_sid(dev->ifindex, &if_sid);
4231         if (err)
4232                 goto out;
4233
4234         switch (isec->sclass) {
4235         case SECCLASS_UDP_SOCKET:
4236                 netif_perm = NETIF__UDP_SEND;
4237                 node_perm = NODE__UDP_SEND;
4238                 send_perm = UDP_SOCKET__SEND_MSG;
4239                 break;
4240         
4241         case SECCLASS_TCP_SOCKET:
4242                 netif_perm = NETIF__TCP_SEND;
4243                 node_perm = NODE__TCP_SEND;
4244                 send_perm = TCP_SOCKET__SEND_MSG;
4245                 break;
4246
4247         case SECCLASS_DCCP_SOCKET:
4248                 netif_perm = NETIF__DCCP_SEND;
4249                 node_perm = NODE__DCCP_SEND;
4250                 send_perm = DCCP_SOCKET__SEND_MSG;
4251                 break;
4252
4253         default:
4254                 netif_perm = NETIF__RAWIP_SEND;
4255                 node_perm = NODE__RAWIP_SEND;
4256                 break;
4257         }
4258
4259         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4260         if (err)
4261                 goto out;
4262                 
4263         err = sel_netnode_sid(addrp, family, &node_sid);
4264         if (err)
4265                 goto out;
4266         
4267         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
4268         if (err)
4269                 goto out;
4270
4271         if (send_perm) {
4272                 u32 port_sid;
4273                 
4274                 err = security_port_sid(sk->sk_family,
4275                                         sk->sk_type,
4276                                         sk->sk_protocol,
4277                                         ntohs(ad->u.net.dport),
4278                                         &port_sid);
4279                 if (err)
4280                         goto out;
4281
4282                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
4283                                    send_perm, ad);
4284         }
4285 out:
4286         return err;
4287 }
4288
4289 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
4290                                               struct sk_buff *skb,
4291                                               const struct net_device *in,
4292                                               const struct net_device *out,
4293                                               int (*okfn)(struct sk_buff *),
4294                                               u16 family)
4295 {
4296         char *addrp;
4297         int err = 0;
4298         struct sock *sk;
4299         struct avc_audit_data ad;
4300         struct net_device *dev = (struct net_device *)out;
4301         struct sk_security_struct *sksec;
4302         u8 proto;
4303
4304         sk = skb->sk;
4305         if (!sk)
4306                 goto out;
4307
4308         sksec = sk->sk_security;
4309
4310         AVC_AUDIT_DATA_INIT(&ad, NET);
4311         ad.u.net.netif = dev->ifindex;
4312         ad.u.net.family = family;
4313
4314         err = selinux_parse_skb(skb, &ad, &addrp, 0, &proto);
4315         if (err)
4316                 goto out;
4317
4318         if (selinux_compat_net)
4319                 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
4320                                                        family, addrp);
4321         else
4322                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
4323                                    PACKET__SEND, &ad);
4324
4325         if (err)
4326                 goto out;
4327
4328         err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
4329 out:
4330         return err ? NF_DROP : NF_ACCEPT;
4331 }
4332
4333 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
4334                                                 struct sk_buff *skb,
4335                                                 const struct net_device *in,
4336                                                 const struct net_device *out,
4337                                                 int (*okfn)(struct sk_buff *))
4338 {
4339         return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET);
4340 }
4341
4342 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4343
4344 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
4345                                                 struct sk_buff *skb,
4346                                                 const struct net_device *in,
4347                                                 const struct net_device *out,
4348                                                 int (*okfn)(struct sk_buff *))
4349 {
4350         return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET6);
4351 }
4352
4353 #endif  /* IPV6 */
4354
4355 #endif  /* CONFIG_NETFILTER */
4356
4357 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4358 {
4359         int err;
4360
4361         err = secondary_ops->netlink_send(sk, skb);
4362         if (err)
4363                 return err;
4364
4365         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4366                 err = selinux_nlmsg_perm(sk, skb);
4367
4368         return err;
4369 }
4370
4371 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4372 {
4373         int err;
4374         struct avc_audit_data ad;
4375
4376         err = secondary_ops->netlink_recv(skb, capability);
4377         if (err)
4378                 return err;
4379
4380         AVC_AUDIT_DATA_INIT(&ad, CAP);
4381         ad.u.cap = capability;
4382
4383         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4384                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4385 }
4386
4387 static int ipc_alloc_security(struct task_struct *task,
4388                               struct kern_ipc_perm *perm,
4389                               u16 sclass)
4390 {
4391         struct task_security_struct *tsec = task->security;
4392         struct ipc_security_struct *isec;
4393
4394         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4395         if (!isec)
4396                 return -ENOMEM;
4397
4398         isec->sclass = sclass;
4399         isec->ipc_perm = perm;
4400         isec->sid = tsec->sid;
4401         perm->security = isec;
4402
4403         return 0;
4404 }
4405
4406 static void ipc_free_security(struct kern_ipc_perm *perm)
4407 {
4408         struct ipc_security_struct *isec = perm->security;
4409         perm->security = NULL;
4410         kfree(isec);
4411 }
4412
4413 static int msg_msg_alloc_security(struct msg_msg *msg)
4414 {
4415         struct msg_security_struct *msec;
4416
4417         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4418         if (!msec)
4419                 return -ENOMEM;
4420
4421         msec->msg = msg;
4422         msec->sid = SECINITSID_UNLABELED;
4423         msg->security = msec;
4424
4425         return 0;
4426 }
4427
4428 static void msg_msg_free_security(struct msg_msg *msg)
4429 {
4430         struct msg_security_struct *msec = msg->security;
4431
4432         msg->security = NULL;
4433         kfree(msec);
4434 }
4435
4436 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4437                         u32 perms)
4438 {
4439         struct task_security_struct *tsec;
4440         struct ipc_security_struct *isec;
4441         struct avc_audit_data ad;
4442
4443         tsec = current->security;
4444         isec = ipc_perms->security;
4445
4446         AVC_AUDIT_DATA_INIT(&ad, IPC);
4447         ad.u.ipc_id = ipc_perms->key;
4448
4449         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4450 }
4451
4452 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4453 {
4454         return msg_msg_alloc_security(msg);
4455 }
4456
4457 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4458 {
4459         msg_msg_free_security(msg);
4460 }
4461
4462 /* message queue security operations */
4463 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4464 {
4465         struct task_security_struct *tsec;
4466         struct ipc_security_struct *isec;
4467         struct avc_audit_data ad;
4468         int rc;
4469
4470         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4471         if (rc)
4472                 return rc;
4473
4474         tsec = current->security;
4475         isec = msq->q_perm.security;
4476
4477         AVC_AUDIT_DATA_INIT(&ad, IPC);
4478         ad.u.ipc_id = msq->q_perm.key;
4479
4480         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4481                           MSGQ__CREATE, &ad);
4482         if (rc) {
4483                 ipc_free_security(&msq->q_perm);
4484                 return rc;
4485         }
4486         return 0;
4487 }
4488
4489 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4490 {
4491         ipc_free_security(&msq->q_perm);
4492 }
4493
4494 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4495 {
4496         struct task_security_struct *tsec;
4497         struct ipc_security_struct *isec;
4498         struct avc_audit_data ad;
4499
4500         tsec = current->security;
4501         isec = msq->q_perm.security;
4502
4503         AVC_AUDIT_DATA_INIT(&ad, IPC);
4504         ad.u.ipc_id = msq->q_perm.key;
4505
4506         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4507                             MSGQ__ASSOCIATE, &ad);
4508 }
4509
4510 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4511 {
4512         int err;
4513         int perms;
4514
4515         switch(cmd) {
4516         case IPC_INFO:
4517         case MSG_INFO:
4518                 /* No specific object, just general system-wide information. */
4519                 return task_has_system(current, SYSTEM__IPC_INFO);
4520         case IPC_STAT:
4521         case MSG_STAT:
4522                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4523                 break;
4524         case IPC_SET:
4525                 perms = MSGQ__SETATTR;
4526                 break;
4527         case IPC_RMID:
4528                 perms = MSGQ__DESTROY;
4529                 break;
4530         default:
4531                 return 0;
4532         }
4533
4534         err = ipc_has_perm(&msq->q_perm, perms);
4535         return err;
4536 }
4537
4538 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4539 {
4540         struct task_security_struct *tsec;
4541         struct ipc_security_struct *isec;
4542         struct msg_security_struct *msec;
4543         struct avc_audit_data ad;
4544         int rc;
4545
4546         tsec = current->security;
4547         isec = msq->q_perm.security;
4548         msec = msg->security;
4549
4550         /*
4551          * First time through, need to assign label to the message
4552          */
4553         if (msec->sid == SECINITSID_UNLABELED) {
4554                 /*
4555                  * Compute new sid based on current process and
4556                  * message queue this message will be stored in
4557                  */
4558                 rc = security_transition_sid(tsec->sid,
4559                                              isec->sid,
4560                                              SECCLASS_MSG,
4561                                              &msec->sid);
4562                 if (rc)
4563                         return rc;
4564         }
4565
4566         AVC_AUDIT_DATA_INIT(&ad, IPC);
4567         ad.u.ipc_id = msq->q_perm.key;
4568
4569         /* Can this process write to the queue? */
4570         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4571                           MSGQ__WRITE, &ad);
4572         if (!rc)
4573                 /* Can this process send the message */
4574                 rc = avc_has_perm(tsec->sid, msec->sid,
4575                                   SECCLASS_MSG, MSG__SEND, &ad);
4576         if (!rc)
4577                 /* Can the message be put in the queue? */
4578                 rc = avc_has_perm(msec->sid, isec->sid,
4579                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4580
4581         return rc;
4582 }
4583
4584 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4585                                     struct task_struct *target,
4586                                     long type, int mode)
4587 {
4588         struct task_security_struct *tsec;
4589         struct ipc_security_struct *isec;
4590         struct msg_security_struct *msec;
4591         struct avc_audit_data ad;
4592         int rc;
4593
4594         tsec = target->security;
4595         isec = msq->q_perm.security;
4596         msec = msg->security;
4597
4598         AVC_AUDIT_DATA_INIT(&ad, IPC);
4599         ad.u.ipc_id = msq->q_perm.key;
4600
4601         rc = avc_has_perm(tsec->sid, isec->sid,
4602                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4603         if (!rc)
4604                 rc = avc_has_perm(tsec->sid, msec->sid,
4605                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4606         return rc;
4607 }
4608
4609 /* Shared Memory security operations */
4610 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4611 {
4612         struct task_security_struct *tsec;
4613         struct ipc_security_struct *isec;
4614         struct avc_audit_data ad;
4615         int rc;
4616
4617         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4618         if (rc)
4619                 return rc;
4620
4621         tsec = current->security;
4622         isec = shp->shm_perm.security;
4623
4624         AVC_AUDIT_DATA_INIT(&ad, IPC);
4625         ad.u.ipc_id = shp->shm_perm.key;
4626
4627         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4628                           SHM__CREATE, &ad);
4629         if (rc) {
4630                 ipc_free_security(&shp->shm_perm);
4631                 return rc;
4632         }
4633         return 0;
4634 }
4635
4636 static void selinux_shm_free_security(struct shmid_kernel *shp)
4637 {
4638         ipc_free_security(&shp->shm_perm);
4639 }
4640
4641 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4642 {
4643         struct task_security_struct *tsec;
4644         struct ipc_security_struct *isec;
4645         struct avc_audit_data ad;
4646
4647         tsec = current->security;
4648         isec = shp->shm_perm.security;
4649
4650         AVC_AUDIT_DATA_INIT(&ad, IPC);
4651         ad.u.ipc_id = shp->shm_perm.key;
4652
4653         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4654                             SHM__ASSOCIATE, &ad);
4655 }
4656
4657 /* Note, at this point, shp is locked down */
4658 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4659 {
4660         int perms;
4661         int err;
4662
4663         switch(cmd) {
4664         case IPC_INFO:
4665         case SHM_INFO:
4666                 /* No specific object, just general system-wide information. */
4667                 return task_has_system(current, SYSTEM__IPC_INFO);
4668         case IPC_STAT:
4669         case SHM_STAT:
4670                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4671                 break;
4672         case IPC_SET:
4673                 perms = SHM__SETATTR;
4674                 break;
4675         case SHM_LOCK:
4676         case SHM_UNLOCK:
4677                 perms = SHM__LOCK;
4678                 break;
4679         case IPC_RMID:
4680                 perms = SHM__DESTROY;
4681                 break;
4682         default:
4683                 return 0;
4684         }
4685
4686         err = ipc_has_perm(&shp->shm_perm, perms);
4687         return err;
4688 }
4689
4690 static int selinux_shm_shmat(struct shmid_kernel *shp,
4691                              char __user *shmaddr, int shmflg)
4692 {
4693         u32 perms;
4694         int rc;
4695
4696         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4697         if (rc)
4698                 return rc;
4699
4700         if (shmflg & SHM_RDONLY)
4701                 perms = SHM__READ;
4702         else
4703                 perms = SHM__READ | SHM__WRITE;
4704
4705         return ipc_has_perm(&shp->shm_perm, perms);
4706 }
4707
4708 /* Semaphore security operations */
4709 static int selinux_sem_alloc_security(struct sem_array *sma)
4710 {
4711         struct task_security_struct *tsec;
4712         struct ipc_security_struct *isec;
4713         struct avc_audit_data ad;
4714         int rc;
4715
4716         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4717         if (rc)
4718                 return rc;
4719
4720         tsec = current->security;
4721         isec = sma->sem_perm.security;
4722
4723         AVC_AUDIT_DATA_INIT(&ad, IPC);
4724         ad.u.ipc_id = sma->sem_perm.key;
4725
4726         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4727                           SEM__CREATE, &ad);
4728         if (rc) {
4729                 ipc_free_security(&sma->sem_perm);
4730                 return rc;
4731         }
4732         return 0;
4733 }
4734
4735 static void selinux_sem_free_security(struct sem_array *sma)
4736 {
4737         ipc_free_security(&sma->sem_perm);
4738 }
4739
4740 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4741 {
4742         struct task_security_struct *tsec;
4743         struct ipc_security_struct *isec;
4744         struct avc_audit_data ad;
4745
4746         tsec = current->security;
4747         isec = sma->sem_perm.security;
4748
4749         AVC_AUDIT_DATA_INIT(&ad, IPC);
4750         ad.u.ipc_id = sma->sem_perm.key;
4751
4752         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4753                             SEM__ASSOCIATE, &ad);
4754 }
4755
4756 /* Note, at this point, sma is locked down */
4757 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4758 {
4759         int err;
4760         u32 perms;
4761
4762         switch(cmd) {
4763         case IPC_INFO:
4764         case SEM_INFO:
4765                 /* No specific object, just general system-wide information. */
4766                 return task_has_system(current, SYSTEM__IPC_INFO);
4767         case GETPID:
4768         case GETNCNT:
4769         case GETZCNT:
4770                 perms = SEM__GETATTR;
4771                 break;
4772         case GETVAL:
4773         case GETALL:
4774                 perms = SEM__READ;
4775                 break;
4776         case SETVAL:
4777         case SETALL:
4778                 perms = SEM__WRITE;
4779                 break;
4780         case IPC_RMID:
4781                 perms = SEM__DESTROY;
4782                 break;
4783         case IPC_SET:
4784                 perms = SEM__SETATTR;
4785                 break;
4786         case IPC_STAT:
4787         case SEM_STAT:
4788                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4789                 break;
4790         default:
4791                 return 0;
4792         }
4793
4794         err = ipc_has_perm(&sma->sem_perm, perms);
4795         return err;
4796 }
4797
4798 static int selinux_sem_semop(struct sem_array *sma,
4799                              struct sembuf *sops, unsigned nsops, int alter)
4800 {
4801         u32 perms;
4802
4803         if (alter)
4804                 perms = SEM__READ | SEM__WRITE;
4805         else
4806                 perms = SEM__READ;
4807
4808         return ipc_has_perm(&sma->sem_perm, perms);
4809 }
4810
4811 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4812 {
4813         u32 av = 0;
4814
4815         av = 0;
4816         if (flag & S_IRUGO)
4817                 av |= IPC__UNIX_READ;
4818         if (flag & S_IWUGO)
4819                 av |= IPC__UNIX_WRITE;
4820
4821         if (av == 0)
4822                 return 0;
4823
4824         return ipc_has_perm(ipcp, av);
4825 }
4826
4827 /* module stacking operations */
4828 static int selinux_register_security (const char *name, struct security_operations *ops)
4829 {
4830         if (secondary_ops != original_ops) {
4831                 printk(KERN_ERR "%s:  There is already a secondary security "
4832                        "module registered.\n", __FUNCTION__);
4833                 return -EINVAL;
4834         }
4835
4836         secondary_ops = ops;
4837
4838         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4839                __FUNCTION__,
4840                name);
4841
4842         return 0;
4843 }
4844
4845 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4846 {
4847         if (inode)
4848                 inode_doinit_with_dentry(inode, dentry);
4849 }
4850
4851 static int selinux_getprocattr(struct task_struct *p,
4852                                char *name, char **value)
4853 {
4854         struct task_security_struct *tsec;
4855         u32 sid;
4856         int error;
4857         unsigned len;
4858
4859         if (current != p) {
4860                 error = task_has_perm(current, p, PROCESS__GETATTR);
4861                 if (error)
4862                         return error;
4863         }
4864
4865         tsec = p->security;
4866
4867         if (!strcmp(name, "current"))
4868                 sid = tsec->sid;
4869         else if (!strcmp(name, "prev"))
4870                 sid = tsec->osid;
4871         else if (!strcmp(name, "exec"))
4872                 sid = tsec->exec_sid;
4873         else if (!strcmp(name, "fscreate"))
4874                 sid = tsec->create_sid;
4875         else if (!strcmp(name, "keycreate"))
4876                 sid = tsec->keycreate_sid;
4877         else if (!strcmp(name, "sockcreate"))
4878                 sid = tsec->sockcreate_sid;
4879         else
4880                 return -EINVAL;
4881
4882         if (!sid)
4883                 return 0;
4884
4885         error = security_sid_to_context(sid, value, &len);
4886         if (error)
4887                 return error;
4888         return len;
4889 }
4890
4891 static int selinux_setprocattr(struct task_struct *p,
4892                                char *name, void *value, size_t size)
4893 {
4894         struct task_security_struct *tsec;
4895         u32 sid = 0;
4896         int error;
4897         char *str = value;
4898
4899         if (current != p) {
4900                 /* SELinux only allows a process to change its own
4901                    security attributes. */
4902                 return -EACCES;
4903         }
4904
4905         /*
4906          * Basic control over ability to set these attributes at all.
4907          * current == p, but we'll pass them separately in case the
4908          * above restriction is ever removed.
4909          */
4910         if (!strcmp(name, "exec"))
4911                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4912         else if (!strcmp(name, "fscreate"))
4913                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4914         else if (!strcmp(name, "keycreate"))
4915                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4916         else if (!strcmp(name, "sockcreate"))
4917                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4918         else if (!strcmp(name, "current"))
4919                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4920         else
4921                 error = -EINVAL;
4922         if (error)
4923                 return error;
4924
4925         /* Obtain a SID for the context, if one was specified. */
4926         if (size && str[1] && str[1] != '\n') {
4927                 if (str[size-1] == '\n') {
4928                         str[size-1] = 0;
4929                         size--;
4930                 }
4931                 error = security_context_to_sid(value, size, &sid);
4932                 if (error)
4933                         return error;
4934         }
4935
4936         /* Permission checking based on the specified context is
4937            performed during the actual operation (execve,
4938            open/mkdir/...), when we know the full context of the
4939            operation.  See selinux_bprm_set_security for the execve
4940            checks and may_create for the file creation checks. The
4941            operation will then fail if the context is not permitted. */
4942         tsec = p->security;
4943         if (!strcmp(name, "exec"))
4944                 tsec->exec_sid = sid;
4945         else if (!strcmp(name, "fscreate"))
4946                 tsec->create_sid = sid;
4947         else if (!strcmp(name, "keycreate")) {
4948                 error = may_create_key(sid, p);
4949                 if (error)
4950                         return error;
4951                 tsec->keycreate_sid = sid;
4952         } else if (!strcmp(name, "sockcreate"))
4953                 tsec->sockcreate_sid = sid;
4954         else if (!strcmp(name, "current")) {
4955                 struct av_decision avd;
4956
4957                 if (sid == 0)
4958                         return -EINVAL;
4959
4960                 /* Only allow single threaded processes to change context */
4961                 if (atomic_read(&p->mm->mm_users) != 1) {
4962                         struct task_struct *g, *t;
4963                         struct mm_struct *mm = p->mm;
4964                         read_lock(&tasklist_lock);
4965                         do_each_thread(g, t)
4966                                 if (t->mm == mm && t != p) {
4967                                         read_unlock(&tasklist_lock);
4968                                         return -EPERM;
4969                                 }
4970                         while_each_thread(g, t);
4971                         read_unlock(&tasklist_lock);
4972                 }
4973
4974                 /* Check permissions for the transition. */
4975                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4976                                      PROCESS__DYNTRANSITION, NULL);
4977                 if (error)
4978                         return error;
4979
4980                 /* Check for ptracing, and update the task SID if ok.
4981                    Otherwise, leave SID unchanged and fail. */
4982                 task_lock(p);
4983                 if (p->ptrace & PT_PTRACED) {
4984                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4985                                                      SECCLASS_PROCESS,
4986                                                      PROCESS__PTRACE, 0, &avd);
4987                         if (!error)
4988                                 tsec->sid = sid;
4989                         task_unlock(p);
4990                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4991                                   PROCESS__PTRACE, &avd, error, NULL);
4992                         if (error)
4993                                 return error;
4994                 } else {
4995                         tsec->sid = sid;
4996                         task_unlock(p);
4997                 }
4998         }
4999         else
5000                 return -EINVAL;
5001
5002         return size;
5003 }
5004
5005 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5006 {
5007         return security_sid_to_context(secid, secdata, seclen);
5008 }
5009
5010 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5011 {
5012         return security_context_to_sid(secdata, seclen, secid);
5013 }
5014
5015 static void selinux_release_secctx(char *secdata, u32 seclen)
5016 {
5017         kfree(secdata);
5018 }
5019
5020 #ifdef CONFIG_KEYS
5021
5022 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5023                              unsigned long flags)
5024 {
5025         struct task_security_struct *tsec = tsk->security;
5026         struct key_security_struct *ksec;
5027
5028         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5029         if (!ksec)
5030                 return -ENOMEM;
5031
5032         ksec->obj = k;
5033         if (tsec->keycreate_sid)
5034                 ksec->sid = tsec->keycreate_sid;
5035         else
5036                 ksec->sid = tsec->sid;
5037         k->security = ksec;
5038
5039         return 0;
5040 }
5041
5042 static void selinux_key_free(struct key *k)
5043 {
5044         struct key_security_struct *ksec = k->security;
5045
5046         k->security = NULL;
5047         kfree(ksec);
5048 }
5049
5050 static int selinux_key_permission(key_ref_t key_ref,
5051                             struct task_struct *ctx,
5052                             key_perm_t perm)
5053 {
5054         struct key *key;
5055         struct task_security_struct *tsec;
5056         struct key_security_struct *ksec;
5057
5058         key = key_ref_to_ptr(key_ref);
5059
5060         tsec = ctx->security;
5061         ksec = key->security;
5062
5063         /* if no specific permissions are requested, we skip the
5064            permission check. No serious, additional covert channels
5065            appear to be created. */
5066         if (perm == 0)
5067                 return 0;
5068
5069         return avc_has_perm(tsec->sid, ksec->sid,
5070                             SECCLASS_KEY, perm, NULL);
5071 }
5072
5073 #endif
5074
5075 static struct security_operations selinux_ops = {
5076         .ptrace =                       selinux_ptrace,
5077         .capget =                       selinux_capget,
5078         .capset_check =                 selinux_capset_check,
5079         .capset_set =                   selinux_capset_set,
5080         .sysctl =                       selinux_sysctl,
5081         .capable =                      selinux_capable,
5082         .quotactl =                     selinux_quotactl,
5083         .quota_on =                     selinux_quota_on,
5084         .syslog =                       selinux_syslog,
5085         .vm_enough_memory =             selinux_vm_enough_memory,
5086
5087         .netlink_send =                 selinux_netlink_send,
5088         .netlink_recv =                 selinux_netlink_recv,
5089
5090         .bprm_alloc_security =          selinux_bprm_alloc_security,
5091         .bprm_free_security =           selinux_bprm_free_security,
5092         .bprm_apply_creds =             selinux_bprm_apply_creds,
5093         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5094         .bprm_set_security =            selinux_bprm_set_security,
5095         .bprm_check_security =          selinux_bprm_check_security,
5096         .bprm_secureexec =              selinux_bprm_secureexec,
5097
5098         .sb_alloc_security =            selinux_sb_alloc_security,
5099         .sb_free_security =             selinux_sb_free_security,
5100         .sb_copy_data =                 selinux_sb_copy_data,
5101         .sb_kern_mount =                selinux_sb_kern_mount,
5102         .sb_statfs =                    selinux_sb_statfs,
5103         .sb_mount =                     selinux_mount,
5104         .sb_umount =                    selinux_umount,
5105         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5106         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5107         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5108
5109         .inode_alloc_security =         selinux_inode_alloc_security,
5110         .inode_free_security =          selinux_inode_free_security,
5111         .inode_init_security =          selinux_inode_init_security,
5112         .inode_create =                 selinux_inode_create,
5113         .inode_link =                   selinux_inode_link,
5114         .inode_unlink =                 selinux_inode_unlink,
5115         .inode_symlink =                selinux_inode_symlink,
5116         .inode_mkdir =                  selinux_inode_mkdir,
5117         .inode_rmdir =                  selinux_inode_rmdir,
5118         .inode_mknod =                  selinux_inode_mknod,
5119         .inode_rename =                 selinux_inode_rename,
5120         .inode_readlink =               selinux_inode_readlink,
5121         .inode_follow_link =            selinux_inode_follow_link,
5122         .inode_permission =             selinux_inode_permission,
5123         .inode_setattr =                selinux_inode_setattr,
5124         .inode_getattr =                selinux_inode_getattr,
5125         .inode_setxattr =               selinux_inode_setxattr,
5126         .inode_post_setxattr =          selinux_inode_post_setxattr,
5127         .inode_getxattr =               selinux_inode_getxattr,
5128         .inode_listxattr =              selinux_inode_listxattr,
5129         .inode_removexattr =            selinux_inode_removexattr,
5130         .inode_getsecurity =            selinux_inode_getsecurity,
5131         .inode_setsecurity =            selinux_inode_setsecurity,
5132         .inode_listsecurity =           selinux_inode_listsecurity,
5133         .inode_need_killpriv =          selinux_inode_need_killpriv,
5134         .inode_killpriv =               selinux_inode_killpriv,
5135
5136         .file_permission =              selinux_file_permission,
5137         .file_alloc_security =          selinux_file_alloc_security,
5138         .file_free_security =           selinux_file_free_security,
5139         .file_ioctl =                   selinux_file_ioctl,
5140         .file_mmap =                    selinux_file_mmap,
5141         .file_mprotect =                selinux_file_mprotect,
5142         .file_lock =                    selinux_file_lock,
5143         .file_fcntl =                   selinux_file_fcntl,
5144         .file_set_fowner =              selinux_file_set_fowner,
5145         .file_send_sigiotask =          selinux_file_send_sigiotask,
5146         .file_receive =                 selinux_file_receive,
5147
5148         .dentry_open =                  selinux_dentry_open,
5149
5150         .task_create =                  selinux_task_create,
5151         .task_alloc_security =          selinux_task_alloc_security,
5152         .task_free_security =           selinux_task_free_security,
5153         .task_setuid =                  selinux_task_setuid,
5154         .task_post_setuid =             selinux_task_post_setuid,
5155         .task_setgid =                  selinux_task_setgid,
5156         .task_setpgid =                 selinux_task_setpgid,
5157         .task_getpgid =                 selinux_task_getpgid,
5158         .task_getsid =                  selinux_task_getsid,
5159         .task_getsecid =                selinux_task_getsecid,
5160         .task_setgroups =               selinux_task_setgroups,
5161         .task_setnice =                 selinux_task_setnice,
5162         .task_setioprio =               selinux_task_setioprio,
5163         .task_getioprio =               selinux_task_getioprio,
5164         .task_setrlimit =               selinux_task_setrlimit,
5165         .task_setscheduler =            selinux_task_setscheduler,
5166         .task_getscheduler =            selinux_task_getscheduler,
5167         .task_movememory =              selinux_task_movememory,
5168         .task_kill =                    selinux_task_kill,
5169         .task_wait =                    selinux_task_wait,
5170         .task_prctl =                   selinux_task_prctl,
5171         .task_reparent_to_init =        selinux_task_reparent_to_init,
5172         .task_to_inode =                selinux_task_to_inode,
5173
5174         .ipc_permission =               selinux_ipc_permission,
5175
5176         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5177         .msg_msg_free_security =        selinux_msg_msg_free_security,
5178
5179         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5180         .msg_queue_free_security =      selinux_msg_queue_free_security,
5181         .msg_queue_associate =          selinux_msg_queue_associate,
5182         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5183         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5184         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5185
5186         .shm_alloc_security =           selinux_shm_alloc_security,
5187         .shm_free_security =            selinux_shm_free_security,
5188         .shm_associate =                selinux_shm_associate,
5189         .shm_shmctl =                   selinux_shm_shmctl,
5190         .shm_shmat =                    selinux_shm_shmat,
5191
5192         .sem_alloc_security =           selinux_sem_alloc_security,
5193         .sem_free_security =            selinux_sem_free_security,
5194         .sem_associate =                selinux_sem_associate,
5195         .sem_semctl =                   selinux_sem_semctl,
5196         .sem_semop =                    selinux_sem_semop,
5197
5198         .register_security =            selinux_register_security,
5199
5200         .d_instantiate =                selinux_d_instantiate,
5201
5202         .getprocattr =                  selinux_getprocattr,
5203         .setprocattr =                  selinux_setprocattr,
5204
5205         .secid_to_secctx =              selinux_secid_to_secctx,
5206         .secctx_to_secid =              selinux_secctx_to_secid,
5207         .release_secctx =               selinux_release_secctx,
5208
5209         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5210         .unix_may_send =                selinux_socket_unix_may_send,
5211
5212         .socket_create =                selinux_socket_create,
5213         .socket_post_create =           selinux_socket_post_create,
5214         .socket_bind =                  selinux_socket_bind,
5215         .socket_connect =               selinux_socket_connect,
5216         .socket_listen =                selinux_socket_listen,
5217         .socket_accept =                selinux_socket_accept,
5218         .socket_sendmsg =               selinux_socket_sendmsg,
5219         .socket_recvmsg =               selinux_socket_recvmsg,
5220         .socket_getsockname =           selinux_socket_getsockname,
5221         .socket_getpeername =           selinux_socket_getpeername,
5222         .socket_getsockopt =            selinux_socket_getsockopt,
5223         .socket_setsockopt =            selinux_socket_setsockopt,
5224         .socket_shutdown =              selinux_socket_shutdown,
5225         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5226         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5227         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5228         .sk_alloc_security =            selinux_sk_alloc_security,
5229         .sk_free_security =             selinux_sk_free_security,
5230         .sk_clone_security =            selinux_sk_clone_security,
5231         .sk_getsecid =                  selinux_sk_getsecid,
5232         .sock_graft =                   selinux_sock_graft,
5233         .inet_conn_request =            selinux_inet_conn_request,
5234         .inet_csk_clone =               selinux_inet_csk_clone,
5235         .inet_conn_established =        selinux_inet_conn_established,
5236         .req_classify_flow =            selinux_req_classify_flow,
5237
5238 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5239         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5240         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5241         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5242         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5243         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5244         .xfrm_state_free_security =     selinux_xfrm_state_free,
5245         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5246         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5247         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5248         .xfrm_decode_session =          selinux_xfrm_decode_session,
5249 #endif
5250
5251 #ifdef CONFIG_KEYS
5252         .key_alloc =                    selinux_key_alloc,
5253         .key_free =                     selinux_key_free,
5254         .key_permission =               selinux_key_permission,
5255 #endif
5256 };
5257
5258 static __init int selinux_init(void)
5259 {
5260         struct task_security_struct *tsec;
5261
5262         if (!selinux_enabled) {
5263                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5264                 return 0;
5265         }
5266
5267         printk(KERN_INFO "SELinux:  Initializing.\n");
5268
5269         /* Set the security state for the initial task. */
5270         if (task_alloc_security(current))
5271                 panic("SELinux:  Failed to initialize initial task.\n");
5272         tsec = current->security;
5273         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5274
5275         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5276                                             sizeof(struct inode_security_struct),
5277                                             0, SLAB_PANIC, NULL);
5278         avc_init();
5279
5280         original_ops = secondary_ops = security_ops;
5281         if (!secondary_ops)
5282                 panic ("SELinux: No initial security operations\n");
5283         if (register_security (&selinux_ops))
5284                 panic("SELinux: Unable to register with kernel.\n");
5285
5286         if (selinux_enforcing) {
5287                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5288         } else {
5289                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5290         }
5291
5292 #ifdef CONFIG_KEYS
5293         /* Add security information to initial keyrings */
5294         selinux_key_alloc(&root_user_keyring, current,
5295                           KEY_ALLOC_NOT_IN_QUOTA);
5296         selinux_key_alloc(&root_session_keyring, current,
5297                           KEY_ALLOC_NOT_IN_QUOTA);
5298 #endif
5299
5300         return 0;
5301 }
5302
5303 void selinux_complete_init(void)
5304 {
5305         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5306
5307         /* Set up any superblocks initialized prior to the policy load. */
5308         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5309         spin_lock(&sb_lock);
5310         spin_lock(&sb_security_lock);
5311 next_sb:
5312         if (!list_empty(&superblock_security_head)) {
5313                 struct superblock_security_struct *sbsec =
5314                                 list_entry(superblock_security_head.next,
5315                                            struct superblock_security_struct,
5316                                            list);
5317                 struct super_block *sb = sbsec->sb;
5318                 sb->s_count++;
5319                 spin_unlock(&sb_security_lock);
5320                 spin_unlock(&sb_lock);
5321                 down_read(&sb->s_umount);
5322                 if (sb->s_root)
5323                         superblock_doinit(sb, NULL);
5324                 drop_super(sb);
5325                 spin_lock(&sb_lock);
5326                 spin_lock(&sb_security_lock);
5327                 list_del_init(&sbsec->list);
5328                 goto next_sb;
5329         }
5330         spin_unlock(&sb_security_lock);
5331         spin_unlock(&sb_lock);
5332 }
5333
5334 /* SELinux requires early initialization in order to label
5335    all processes and objects when they are created. */
5336 security_initcall(selinux_init);
5337
5338 #if defined(CONFIG_NETFILTER)
5339
5340 static struct nf_hook_ops selinux_ipv4_op = {
5341         .hook =         selinux_ipv4_postroute_last,
5342         .owner =        THIS_MODULE,
5343         .pf =           PF_INET,
5344         .hooknum =      NF_INET_POST_ROUTING,
5345         .priority =     NF_IP_PRI_SELINUX_LAST,
5346 };
5347
5348 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5349
5350 static struct nf_hook_ops selinux_ipv6_op = {
5351         .hook =         selinux_ipv6_postroute_last,
5352         .owner =        THIS_MODULE,
5353         .pf =           PF_INET6,
5354         .hooknum =      NF_INET_POST_ROUTING,
5355         .priority =     NF_IP6_PRI_SELINUX_LAST,
5356 };
5357
5358 #endif  /* IPV6 */
5359
5360 static int __init selinux_nf_ip_init(void)
5361 {
5362         int err = 0;
5363
5364         if (!selinux_enabled)
5365                 goto out;
5366
5367         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5368
5369         err = nf_register_hook(&selinux_ipv4_op);
5370         if (err)
5371                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
5372
5373 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5374
5375         err = nf_register_hook(&selinux_ipv6_op);
5376         if (err)
5377                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
5378
5379 #endif  /* IPV6 */
5380
5381 out:
5382         return err;
5383 }
5384
5385 __initcall(selinux_nf_ip_init);
5386
5387 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5388 static void selinux_nf_ip_exit(void)
5389 {
5390         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5391
5392         nf_unregister_hook(&selinux_ipv4_op);
5393 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5394         nf_unregister_hook(&selinux_ipv6_op);
5395 #endif  /* IPV6 */
5396 }
5397 #endif
5398
5399 #else /* CONFIG_NETFILTER */
5400
5401 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5402 #define selinux_nf_ip_exit()
5403 #endif
5404
5405 #endif /* CONFIG_NETFILTER */
5406
5407 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5408 int selinux_disable(void)
5409 {
5410         extern void exit_sel_fs(void);
5411         static int selinux_disabled = 0;
5412
5413         if (ss_initialized) {
5414                 /* Not permitted after initial policy load. */
5415                 return -EINVAL;
5416         }
5417
5418         if (selinux_disabled) {
5419                 /* Only do this once. */
5420                 return -EINVAL;
5421         }
5422
5423         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5424
5425         selinux_disabled = 1;
5426         selinux_enabled = 0;
5427
5428         /* Reset security_ops to the secondary module, dummy or capability. */
5429         security_ops = secondary_ops;
5430
5431         /* Unregister netfilter hooks. */
5432         selinux_nf_ip_exit();
5433
5434         /* Unregister selinuxfs. */
5435         exit_sel_fs();
5436
5437         return 0;
5438 }
5439 #endif
5440
5441