Linux 2.6.29
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         unsigned long enforcing;
108         if (!strict_strtoul(str, 0, &enforcing))
109                 selinux_enforcing = enforcing ? 1 : 0;
110         return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120         unsigned long enabled;
121         if (!strict_strtoul(str, 0, &enabled))
122                 selinux_enabled = enabled ? 1 : 0;
123         return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132  * Minimal support for a secondary security module,
133  * just to allow the use of the capability module.
134  */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138    before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146  *
147  * Description:
148  * This function checks the SECMARK reference counter to see if any SECMARK
149  * targets are currently configured, if the reference counter is greater than
150  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
151  * enabled, false (0) if SECMARK is disabled.
152  *
153  */
154 static int selinux_secmark_enabled(void)
155 {
156         return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160  * initialise the security for the init task
161  */
162 static void cred_init_security(void)
163 {
164         struct cred *cred = (struct cred *) current->real_cred;
165         struct task_security_struct *tsec;
166
167         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168         if (!tsec)
169                 panic("SELinux:  Failed to initialize initial task.\n");
170
171         tsec->osid = tsec->sid = SECINITSID_KERNEL;
172         cred->security = tsec;
173 }
174
175 /*
176  * get the security ID of a set of credentials
177  */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180         const struct task_security_struct *tsec;
181
182         tsec = cred->security;
183         return tsec->sid;
184 }
185
186 /*
187  * get the objective security ID of a task
188  */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191         u32 sid;
192
193         rcu_read_lock();
194         sid = cred_sid(__task_cred(task));
195         rcu_read_unlock();
196         return sid;
197 }
198
199 /*
200  * get the subjective security ID of the current task
201  */
202 static inline u32 current_sid(void)
203 {
204         const struct task_security_struct *tsec = current_cred()->security;
205
206         return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213         struct inode_security_struct *isec;
214         u32 sid = current_sid();
215
216         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217         if (!isec)
218                 return -ENOMEM;
219
220         mutex_init(&isec->lock);
221         INIT_LIST_HEAD(&isec->list);
222         isec->inode = inode;
223         isec->sid = SECINITSID_UNLABELED;
224         isec->sclass = SECCLASS_FILE;
225         isec->task_sid = sid;
226         inode->i_security = isec;
227
228         return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233         struct inode_security_struct *isec = inode->i_security;
234         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236         spin_lock(&sbsec->isec_lock);
237         if (!list_empty(&isec->list))
238                 list_del_init(&isec->list);
239         spin_unlock(&sbsec->isec_lock);
240
241         inode->i_security = NULL;
242         kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247         struct file_security_struct *fsec;
248         u32 sid = current_sid();
249
250         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251         if (!fsec)
252                 return -ENOMEM;
253
254         fsec->sid = sid;
255         fsec->fown_sid = sid;
256         file->f_security = fsec;
257
258         return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263         struct file_security_struct *fsec = file->f_security;
264         file->f_security = NULL;
265         kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270         struct superblock_security_struct *sbsec;
271
272         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273         if (!sbsec)
274                 return -ENOMEM;
275
276         mutex_init(&sbsec->lock);
277         INIT_LIST_HEAD(&sbsec->list);
278         INIT_LIST_HEAD(&sbsec->isec_head);
279         spin_lock_init(&sbsec->isec_lock);
280         sbsec->sb = sb;
281         sbsec->sid = SECINITSID_UNLABELED;
282         sbsec->def_sid = SECINITSID_FILE;
283         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284         sb->s_security = sbsec;
285
286         return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291         struct superblock_security_struct *sbsec = sb->s_security;
292
293         spin_lock(&sb_security_lock);
294         if (!list_empty(&sbsec->list))
295                 list_del_init(&sbsec->list);
296         spin_unlock(&sb_security_lock);
297
298         sb->s_security = NULL;
299         kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304         struct sk_security_struct *ssec;
305
306         ssec = kzalloc(sizeof(*ssec), priority);
307         if (!ssec)
308                 return -ENOMEM;
309
310         ssec->peer_sid = SECINITSID_UNLABELED;
311         ssec->sid = SECINITSID_UNLABELED;
312         sk->sk_security = ssec;
313
314         selinux_netlbl_sk_security_reset(ssec, family);
315
316         return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321         struct sk_security_struct *ssec = sk->sk_security;
322
323         sk->sk_security = NULL;
324         selinux_netlbl_sk_security_free(ssec);
325         kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329    any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335         "uses xattr",
336         "uses transition SIDs",
337         "uses task SIDs",
338         "uses genfs_contexts",
339         "not configured for labeling",
340         "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347         return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351         Opt_error = -1,
352         Opt_context = 1,
353         Opt_fscontext = 2,
354         Opt_defcontext = 3,
355         Opt_rootcontext = 4,
356 };
357
358 static const match_table_t tokens = {
359         {Opt_context, CONTEXT_STR "%s"},
360         {Opt_fscontext, FSCONTEXT_STR "%s"},
361         {Opt_defcontext, DEFCONTEXT_STR "%s"},
362         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363         {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369                         struct superblock_security_struct *sbsec,
370                         const struct cred *cred)
371 {
372         const struct task_security_struct *tsec = cred->security;
373         int rc;
374
375         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376                           FILESYSTEM__RELABELFROM, NULL);
377         if (rc)
378                 return rc;
379
380         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381                           FILESYSTEM__RELABELTO, NULL);
382         return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386                         struct superblock_security_struct *sbsec,
387                         const struct cred *cred)
388 {
389         const struct task_security_struct *tsec = cred->security;
390         int rc;
391         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392                           FILESYSTEM__RELABELFROM, NULL);
393         if (rc)
394                 return rc;
395
396         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397                           FILESYSTEM__ASSOCIATE, NULL);
398         return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403         struct superblock_security_struct *sbsec = sb->s_security;
404         struct dentry *root = sb->s_root;
405         struct inode *root_inode = root->d_inode;
406         int rc = 0;
407
408         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409                 /* Make sure that the xattr handler exists and that no
410                    error other than -ENODATA is returned by getxattr on
411                    the root directory.  -ENODATA is ok, as this may be
412                    the first boot of the SELinux kernel before we have
413                    assigned xattr values to the filesystem. */
414                 if (!root_inode->i_op->getxattr) {
415                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416                                "xattr support\n", sb->s_id, sb->s_type->name);
417                         rc = -EOPNOTSUPP;
418                         goto out;
419                 }
420                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421                 if (rc < 0 && rc != -ENODATA) {
422                         if (rc == -EOPNOTSUPP)
423                                 printk(KERN_WARNING "SELinux: (dev %s, type "
424                                        "%s) has no security xattr handler\n",
425                                        sb->s_id, sb->s_type->name);
426                         else
427                                 printk(KERN_WARNING "SELinux: (dev %s, type "
428                                        "%s) getxattr errno %d\n", sb->s_id,
429                                        sb->s_type->name, -rc);
430                         goto out;
431                 }
432         }
433
434         sbsec->initialized = 1;
435
436         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438                        sb->s_id, sb->s_type->name);
439         else
440                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441                        sb->s_id, sb->s_type->name,
442                        labeling_behaviors[sbsec->behavior-1]);
443
444         /* Initialize the root inode. */
445         rc = inode_doinit_with_dentry(root_inode, root);
446
447         /* Initialize any other inodes associated with the superblock, e.g.
448            inodes created prior to initial policy load or inodes created
449            during get_sb by a pseudo filesystem that directly
450            populates itself. */
451         spin_lock(&sbsec->isec_lock);
452 next_inode:
453         if (!list_empty(&sbsec->isec_head)) {
454                 struct inode_security_struct *isec =
455                                 list_entry(sbsec->isec_head.next,
456                                            struct inode_security_struct, list);
457                 struct inode *inode = isec->inode;
458                 spin_unlock(&sbsec->isec_lock);
459                 inode = igrab(inode);
460                 if (inode) {
461                         if (!IS_PRIVATE(inode))
462                                 inode_doinit(inode);
463                         iput(inode);
464                 }
465                 spin_lock(&sbsec->isec_lock);
466                 list_del_init(&isec->list);
467                 goto next_inode;
468         }
469         spin_unlock(&sbsec->isec_lock);
470 out:
471         return rc;
472 }
473
474 /*
475  * This function should allow an FS to ask what it's mount security
476  * options were so it can use those later for submounts, displaying
477  * mount options, or whatever.
478  */
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480                                 struct security_mnt_opts *opts)
481 {
482         int rc = 0, i;
483         struct superblock_security_struct *sbsec = sb->s_security;
484         char *context = NULL;
485         u32 len;
486         char tmp;
487
488         security_init_mnt_opts(opts);
489
490         if (!sbsec->initialized)
491                 return -EINVAL;
492
493         if (!ss_initialized)
494                 return -EINVAL;
495
496         /*
497          * if we ever use sbsec flags for anything other than tracking mount
498          * settings this is going to need a mask
499          */
500         tmp = sbsec->flags;
501         /* count the number of mount options for this sb */
502         for (i = 0; i < 8; i++) {
503                 if (tmp & 0x01)
504                         opts->num_mnt_opts++;
505                 tmp >>= 1;
506         }
507
508         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509         if (!opts->mnt_opts) {
510                 rc = -ENOMEM;
511                 goto out_free;
512         }
513
514         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515         if (!opts->mnt_opts_flags) {
516                 rc = -ENOMEM;
517                 goto out_free;
518         }
519
520         i = 0;
521         if (sbsec->flags & FSCONTEXT_MNT) {
522                 rc = security_sid_to_context(sbsec->sid, &context, &len);
523                 if (rc)
524                         goto out_free;
525                 opts->mnt_opts[i] = context;
526                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
527         }
528         if (sbsec->flags & CONTEXT_MNT) {
529                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530                 if (rc)
531                         goto out_free;
532                 opts->mnt_opts[i] = context;
533                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534         }
535         if (sbsec->flags & DEFCONTEXT_MNT) {
536                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537                 if (rc)
538                         goto out_free;
539                 opts->mnt_opts[i] = context;
540                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
541         }
542         if (sbsec->flags & ROOTCONTEXT_MNT) {
543                 struct inode *root = sbsec->sb->s_root->d_inode;
544                 struct inode_security_struct *isec = root->i_security;
545
546                 rc = security_sid_to_context(isec->sid, &context, &len);
547                 if (rc)
548                         goto out_free;
549                 opts->mnt_opts[i] = context;
550                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551         }
552
553         BUG_ON(i != opts->num_mnt_opts);
554
555         return 0;
556
557 out_free:
558         security_free_mnt_opts(opts);
559         return rc;
560 }
561
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563                       u32 old_sid, u32 new_sid)
564 {
565         /* check if the old mount command had the same options */
566         if (sbsec->initialized)
567                 if (!(sbsec->flags & flag) ||
568                     (old_sid != new_sid))
569                         return 1;
570
571         /* check if we were passed the same options twice,
572          * aka someone passed context=a,context=b
573          */
574         if (!sbsec->initialized)
575                 if (sbsec->flags & flag)
576                         return 1;
577         return 0;
578 }
579
580 /*
581  * Allow filesystems with binary mount data to explicitly set mount point
582  * labeling information.
583  */
584 static int selinux_set_mnt_opts(struct super_block *sb,
585                                 struct security_mnt_opts *opts)
586 {
587         const struct cred *cred = current_cred();
588         int rc = 0, i;
589         struct superblock_security_struct *sbsec = sb->s_security;
590         const char *name = sb->s_type->name;
591         struct inode *inode = sbsec->sb->s_root->d_inode;
592         struct inode_security_struct *root_isec = inode->i_security;
593         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594         u32 defcontext_sid = 0;
595         char **mount_options = opts->mnt_opts;
596         int *flags = opts->mnt_opts_flags;
597         int num_opts = opts->num_mnt_opts;
598
599         mutex_lock(&sbsec->lock);
600
601         if (!ss_initialized) {
602                 if (!num_opts) {
603                         /* Defer initialization until selinux_complete_init,
604                            after the initial policy is loaded and the security
605                            server is ready to handle calls. */
606                         spin_lock(&sb_security_lock);
607                         if (list_empty(&sbsec->list))
608                                 list_add(&sbsec->list, &superblock_security_head);
609                         spin_unlock(&sb_security_lock);
610                         goto out;
611                 }
612                 rc = -EINVAL;
613                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614                         "before the security server is initialized\n");
615                 goto out;
616         }
617
618         /*
619          * Binary mount data FS will come through this function twice.  Once
620          * from an explicit call and once from the generic calls from the vfs.
621          * Since the generic VFS calls will not contain any security mount data
622          * we need to skip the double mount verification.
623          *
624          * This does open a hole in which we will not notice if the first
625          * mount using this sb set explict options and a second mount using
626          * this sb does not set any security options.  (The first options
627          * will be used for both mounts)
628          */
629         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630             && (num_opts == 0))
631                 goto out;
632
633         /*
634          * parse the mount options, check if they are valid sids.
635          * also check if someone is trying to mount the same sb more
636          * than once with different security options.
637          */
638         for (i = 0; i < num_opts; i++) {
639                 u32 sid;
640                 rc = security_context_to_sid(mount_options[i],
641                                              strlen(mount_options[i]), &sid);
642                 if (rc) {
643                         printk(KERN_WARNING "SELinux: security_context_to_sid"
644                                "(%s) failed for (dev %s, type %s) errno=%d\n",
645                                mount_options[i], sb->s_id, name, rc);
646                         goto out;
647                 }
648                 switch (flags[i]) {
649                 case FSCONTEXT_MNT:
650                         fscontext_sid = sid;
651
652                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653                                         fscontext_sid))
654                                 goto out_double_mount;
655
656                         sbsec->flags |= FSCONTEXT_MNT;
657                         break;
658                 case CONTEXT_MNT:
659                         context_sid = sid;
660
661                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662                                         context_sid))
663                                 goto out_double_mount;
664
665                         sbsec->flags |= CONTEXT_MNT;
666                         break;
667                 case ROOTCONTEXT_MNT:
668                         rootcontext_sid = sid;
669
670                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671                                         rootcontext_sid))
672                                 goto out_double_mount;
673
674                         sbsec->flags |= ROOTCONTEXT_MNT;
675
676                         break;
677                 case DEFCONTEXT_MNT:
678                         defcontext_sid = sid;
679
680                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681                                         defcontext_sid))
682                                 goto out_double_mount;
683
684                         sbsec->flags |= DEFCONTEXT_MNT;
685
686                         break;
687                 default:
688                         rc = -EINVAL;
689                         goto out;
690                 }
691         }
692
693         if (sbsec->initialized) {
694                 /* previously mounted with options, but not on this attempt? */
695                 if (sbsec->flags && !num_opts)
696                         goto out_double_mount;
697                 rc = 0;
698                 goto out;
699         }
700
701         if (strcmp(sb->s_type->name, "proc") == 0)
702                 sbsec->proc = 1;
703
704         /* Determine the labeling behavior to use for this filesystem type. */
705         rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706         if (rc) {
707                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708                        __func__, sb->s_type->name, rc);
709                 goto out;
710         }
711
712         /* sets the context of the superblock for the fs being mounted. */
713         if (fscontext_sid) {
714                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
715                 if (rc)
716                         goto out;
717
718                 sbsec->sid = fscontext_sid;
719         }
720
721         /*
722          * Switch to using mount point labeling behavior.
723          * sets the label used on all file below the mountpoint, and will set
724          * the superblock context if not already set.
725          */
726         if (context_sid) {
727                 if (!fscontext_sid) {
728                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
729                                                           cred);
730                         if (rc)
731                                 goto out;
732                         sbsec->sid = context_sid;
733                 } else {
734                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
735                                                              cred);
736                         if (rc)
737                                 goto out;
738                 }
739                 if (!rootcontext_sid)
740                         rootcontext_sid = context_sid;
741
742                 sbsec->mntpoint_sid = context_sid;
743                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744         }
745
746         if (rootcontext_sid) {
747                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748                                                      cred);
749                 if (rc)
750                         goto out;
751
752                 root_isec->sid = rootcontext_sid;
753                 root_isec->initialized = 1;
754         }
755
756         if (defcontext_sid) {
757                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758                         rc = -EINVAL;
759                         printk(KERN_WARNING "SELinux: defcontext option is "
760                                "invalid for this filesystem type\n");
761                         goto out;
762                 }
763
764                 if (defcontext_sid != sbsec->def_sid) {
765                         rc = may_context_mount_inode_relabel(defcontext_sid,
766                                                              sbsec, cred);
767                         if (rc)
768                                 goto out;
769                 }
770
771                 sbsec->def_sid = defcontext_sid;
772         }
773
774         rc = sb_finish_set_opts(sb);
775 out:
776         mutex_unlock(&sbsec->lock);
777         return rc;
778 out_double_mount:
779         rc = -EINVAL;
780         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
781                "security settings for (dev %s, type %s)\n", sb->s_id, name);
782         goto out;
783 }
784
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786                                         struct super_block *newsb)
787 {
788         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789         struct superblock_security_struct *newsbsec = newsb->s_security;
790
791         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
792         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
793         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795         /*
796          * if the parent was able to be mounted it clearly had no special lsm
797          * mount options.  thus we can safely put this sb on the list and deal
798          * with it later
799          */
800         if (!ss_initialized) {
801                 spin_lock(&sb_security_lock);
802                 if (list_empty(&newsbsec->list))
803                         list_add(&newsbsec->list, &superblock_security_head);
804                 spin_unlock(&sb_security_lock);
805                 return;
806         }
807
808         /* how can we clone if the old one wasn't set up?? */
809         BUG_ON(!oldsbsec->initialized);
810
811         /* if fs is reusing a sb, just let its options stand... */
812         if (newsbsec->initialized)
813                 return;
814
815         mutex_lock(&newsbsec->lock);
816
817         newsbsec->flags = oldsbsec->flags;
818
819         newsbsec->sid = oldsbsec->sid;
820         newsbsec->def_sid = oldsbsec->def_sid;
821         newsbsec->behavior = oldsbsec->behavior;
822
823         if (set_context) {
824                 u32 sid = oldsbsec->mntpoint_sid;
825
826                 if (!set_fscontext)
827                         newsbsec->sid = sid;
828                 if (!set_rootcontext) {
829                         struct inode *newinode = newsb->s_root->d_inode;
830                         struct inode_security_struct *newisec = newinode->i_security;
831                         newisec->sid = sid;
832                 }
833                 newsbsec->mntpoint_sid = sid;
834         }
835         if (set_rootcontext) {
836                 const struct inode *oldinode = oldsb->s_root->d_inode;
837                 const struct inode_security_struct *oldisec = oldinode->i_security;
838                 struct inode *newinode = newsb->s_root->d_inode;
839                 struct inode_security_struct *newisec = newinode->i_security;
840
841                 newisec->sid = oldisec->sid;
842         }
843
844         sb_finish_set_opts(newsb);
845         mutex_unlock(&newsbsec->lock);
846 }
847
848 static int selinux_parse_opts_str(char *options,
849                                   struct security_mnt_opts *opts)
850 {
851         char *p;
852         char *context = NULL, *defcontext = NULL;
853         char *fscontext = NULL, *rootcontext = NULL;
854         int rc, num_mnt_opts = 0;
855
856         opts->num_mnt_opts = 0;
857
858         /* Standard string-based options. */
859         while ((p = strsep(&options, "|")) != NULL) {
860                 int token;
861                 substring_t args[MAX_OPT_ARGS];
862
863                 if (!*p)
864                         continue;
865
866                 token = match_token(p, tokens, args);
867
868                 switch (token) {
869                 case Opt_context:
870                         if (context || defcontext) {
871                                 rc = -EINVAL;
872                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873                                 goto out_err;
874                         }
875                         context = match_strdup(&args[0]);
876                         if (!context) {
877                                 rc = -ENOMEM;
878                                 goto out_err;
879                         }
880                         break;
881
882                 case Opt_fscontext:
883                         if (fscontext) {
884                                 rc = -EINVAL;
885                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886                                 goto out_err;
887                         }
888                         fscontext = match_strdup(&args[0]);
889                         if (!fscontext) {
890                                 rc = -ENOMEM;
891                                 goto out_err;
892                         }
893                         break;
894
895                 case Opt_rootcontext:
896                         if (rootcontext) {
897                                 rc = -EINVAL;
898                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899                                 goto out_err;
900                         }
901                         rootcontext = match_strdup(&args[0]);
902                         if (!rootcontext) {
903                                 rc = -ENOMEM;
904                                 goto out_err;
905                         }
906                         break;
907
908                 case Opt_defcontext:
909                         if (context || defcontext) {
910                                 rc = -EINVAL;
911                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912                                 goto out_err;
913                         }
914                         defcontext = match_strdup(&args[0]);
915                         if (!defcontext) {
916                                 rc = -ENOMEM;
917                                 goto out_err;
918                         }
919                         break;
920
921                 default:
922                         rc = -EINVAL;
923                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
924                         goto out_err;
925
926                 }
927         }
928
929         rc = -ENOMEM;
930         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931         if (!opts->mnt_opts)
932                 goto out_err;
933
934         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935         if (!opts->mnt_opts_flags) {
936                 kfree(opts->mnt_opts);
937                 goto out_err;
938         }
939
940         if (fscontext) {
941                 opts->mnt_opts[num_mnt_opts] = fscontext;
942                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943         }
944         if (context) {
945                 opts->mnt_opts[num_mnt_opts] = context;
946                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947         }
948         if (rootcontext) {
949                 opts->mnt_opts[num_mnt_opts] = rootcontext;
950                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951         }
952         if (defcontext) {
953                 opts->mnt_opts[num_mnt_opts] = defcontext;
954                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955         }
956
957         opts->num_mnt_opts = num_mnt_opts;
958         return 0;
959
960 out_err:
961         kfree(context);
962         kfree(defcontext);
963         kfree(fscontext);
964         kfree(rootcontext);
965         return rc;
966 }
967 /*
968  * string mount options parsing and call set the sbsec
969  */
970 static int superblock_doinit(struct super_block *sb, void *data)
971 {
972         int rc = 0;
973         char *options = data;
974         struct security_mnt_opts opts;
975
976         security_init_mnt_opts(&opts);
977
978         if (!data)
979                 goto out;
980
981         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983         rc = selinux_parse_opts_str(options, &opts);
984         if (rc)
985                 goto out_err;
986
987 out:
988         rc = selinux_set_mnt_opts(sb, &opts);
989
990 out_err:
991         security_free_mnt_opts(&opts);
992         return rc;
993 }
994
995 static void selinux_write_opts(struct seq_file *m,
996                                struct security_mnt_opts *opts)
997 {
998         int i;
999         char *prefix;
1000
1001         for (i = 0; i < opts->num_mnt_opts; i++) {
1002                 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004                 switch (opts->mnt_opts_flags[i]) {
1005                 case CONTEXT_MNT:
1006                         prefix = CONTEXT_STR;
1007                         break;
1008                 case FSCONTEXT_MNT:
1009                         prefix = FSCONTEXT_STR;
1010                         break;
1011                 case ROOTCONTEXT_MNT:
1012                         prefix = ROOTCONTEXT_STR;
1013                         break;
1014                 case DEFCONTEXT_MNT:
1015                         prefix = DEFCONTEXT_STR;
1016                         break;
1017                 default:
1018                         BUG();
1019                 };
1020                 /* we need a comma before each option */
1021                 seq_putc(m, ',');
1022                 seq_puts(m, prefix);
1023                 if (has_comma)
1024                         seq_putc(m, '\"');
1025                 seq_puts(m, opts->mnt_opts[i]);
1026                 if (has_comma)
1027                         seq_putc(m, '\"');
1028         }
1029 }
1030
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032 {
1033         struct security_mnt_opts opts;
1034         int rc;
1035
1036         rc = selinux_get_mnt_opts(sb, &opts);
1037         if (rc) {
1038                 /* before policy load we may get EINVAL, don't show anything */
1039                 if (rc == -EINVAL)
1040                         rc = 0;
1041                 return rc;
1042         }
1043
1044         selinux_write_opts(m, &opts);
1045
1046         security_free_mnt_opts(&opts);
1047
1048         return rc;
1049 }
1050
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1052 {
1053         switch (mode & S_IFMT) {
1054         case S_IFSOCK:
1055                 return SECCLASS_SOCK_FILE;
1056         case S_IFLNK:
1057                 return SECCLASS_LNK_FILE;
1058         case S_IFREG:
1059                 return SECCLASS_FILE;
1060         case S_IFBLK:
1061                 return SECCLASS_BLK_FILE;
1062         case S_IFDIR:
1063                 return SECCLASS_DIR;
1064         case S_IFCHR:
1065                 return SECCLASS_CHR_FILE;
1066         case S_IFIFO:
1067                 return SECCLASS_FIFO_FILE;
1068
1069         }
1070
1071         return SECCLASS_FILE;
1072 }
1073
1074 static inline int default_protocol_stream(int protocol)
1075 {
1076         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 }
1078
1079 static inline int default_protocol_dgram(int protocol)
1080 {
1081         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 }
1083
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085 {
1086         switch (family) {
1087         case PF_UNIX:
1088                 switch (type) {
1089                 case SOCK_STREAM:
1090                 case SOCK_SEQPACKET:
1091                         return SECCLASS_UNIX_STREAM_SOCKET;
1092                 case SOCK_DGRAM:
1093                         return SECCLASS_UNIX_DGRAM_SOCKET;
1094                 }
1095                 break;
1096         case PF_INET:
1097         case PF_INET6:
1098                 switch (type) {
1099                 case SOCK_STREAM:
1100                         if (default_protocol_stream(protocol))
1101                                 return SECCLASS_TCP_SOCKET;
1102                         else
1103                                 return SECCLASS_RAWIP_SOCKET;
1104                 case SOCK_DGRAM:
1105                         if (default_protocol_dgram(protocol))
1106                                 return SECCLASS_UDP_SOCKET;
1107                         else
1108                                 return SECCLASS_RAWIP_SOCKET;
1109                 case SOCK_DCCP:
1110                         return SECCLASS_DCCP_SOCKET;
1111                 default:
1112                         return SECCLASS_RAWIP_SOCKET;
1113                 }
1114                 break;
1115         case PF_NETLINK:
1116                 switch (protocol) {
1117                 case NETLINK_ROUTE:
1118                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1119                 case NETLINK_FIREWALL:
1120                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121                 case NETLINK_INET_DIAG:
1122                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123                 case NETLINK_NFLOG:
1124                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1125                 case NETLINK_XFRM:
1126                         return SECCLASS_NETLINK_XFRM_SOCKET;
1127                 case NETLINK_SELINUX:
1128                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1129                 case NETLINK_AUDIT:
1130                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1131                 case NETLINK_IP6_FW:
1132                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1133                 case NETLINK_DNRTMSG:
1134                         return SECCLASS_NETLINK_DNRT_SOCKET;
1135                 case NETLINK_KOBJECT_UEVENT:
1136                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1137                 default:
1138                         return SECCLASS_NETLINK_SOCKET;
1139                 }
1140         case PF_PACKET:
1141                 return SECCLASS_PACKET_SOCKET;
1142         case PF_KEY:
1143                 return SECCLASS_KEY_SOCKET;
1144         case PF_APPLETALK:
1145                 return SECCLASS_APPLETALK_SOCKET;
1146         }
1147
1148         return SECCLASS_SOCKET;
1149 }
1150
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153                                 u16 tclass,
1154                                 u32 *sid)
1155 {
1156         int buflen, rc;
1157         char *buffer, *path, *end;
1158
1159         buffer = (char *)__get_free_page(GFP_KERNEL);
1160         if (!buffer)
1161                 return -ENOMEM;
1162
1163         buflen = PAGE_SIZE;
1164         end = buffer+buflen;
1165         *--end = '\0';
1166         buflen--;
1167         path = end-1;
1168         *path = '/';
1169         while (de && de != de->parent) {
1170                 buflen -= de->namelen + 1;
1171                 if (buflen < 0)
1172                         break;
1173                 end -= de->namelen;
1174                 memcpy(end, de->name, de->namelen);
1175                 *--end = '/';
1176                 path = end;
1177                 de = de->parent;
1178         }
1179         rc = security_genfs_sid("proc", path, tclass, sid);
1180         free_page((unsigned long)buffer);
1181         return rc;
1182 }
1183 #else
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185                                 u16 tclass,
1186                                 u32 *sid)
1187 {
1188         return -EINVAL;
1189 }
1190 #endif
1191
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194 {
1195         struct superblock_security_struct *sbsec = NULL;
1196         struct inode_security_struct *isec = inode->i_security;
1197         u32 sid;
1198         struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200         char *context = NULL;
1201         unsigned len = 0;
1202         int rc = 0;
1203
1204         if (isec->initialized)
1205                 goto out;
1206
1207         mutex_lock(&isec->lock);
1208         if (isec->initialized)
1209                 goto out_unlock;
1210
1211         sbsec = inode->i_sb->s_security;
1212         if (!sbsec->initialized) {
1213                 /* Defer initialization until selinux_complete_init,
1214                    after the initial policy is loaded and the security
1215                    server is ready to handle calls. */
1216                 spin_lock(&sbsec->isec_lock);
1217                 if (list_empty(&isec->list))
1218                         list_add(&isec->list, &sbsec->isec_head);
1219                 spin_unlock(&sbsec->isec_lock);
1220                 goto out_unlock;
1221         }
1222
1223         switch (sbsec->behavior) {
1224         case SECURITY_FS_USE_XATTR:
1225                 if (!inode->i_op->getxattr) {
1226                         isec->sid = sbsec->def_sid;
1227                         break;
1228                 }
1229
1230                 /* Need a dentry, since the xattr API requires one.
1231                    Life would be simpler if we could just pass the inode. */
1232                 if (opt_dentry) {
1233                         /* Called from d_instantiate or d_splice_alias. */
1234                         dentry = dget(opt_dentry);
1235                 } else {
1236                         /* Called from selinux_complete_init, try to find a dentry. */
1237                         dentry = d_find_alias(inode);
1238                 }
1239                 if (!dentry) {
1240                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1241                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1242                                inode->i_ino);
1243                         goto out_unlock;
1244                 }
1245
1246                 len = INITCONTEXTLEN;
1247                 context = kmalloc(len, GFP_NOFS);
1248                 if (!context) {
1249                         rc = -ENOMEM;
1250                         dput(dentry);
1251                         goto out_unlock;
1252                 }
1253                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254                                            context, len);
1255                 if (rc == -ERANGE) {
1256                         /* Need a larger buffer.  Query for the right size. */
1257                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258                                                    NULL, 0);
1259                         if (rc < 0) {
1260                                 dput(dentry);
1261                                 goto out_unlock;
1262                         }
1263                         kfree(context);
1264                         len = rc;
1265                         context = kmalloc(len, GFP_NOFS);
1266                         if (!context) {
1267                                 rc = -ENOMEM;
1268                                 dput(dentry);
1269                                 goto out_unlock;
1270                         }
1271                         rc = inode->i_op->getxattr(dentry,
1272                                                    XATTR_NAME_SELINUX,
1273                                                    context, len);
1274                 }
1275                 dput(dentry);
1276                 if (rc < 0) {
1277                         if (rc != -ENODATA) {
1278                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1279                                        "%d for dev=%s ino=%ld\n", __func__,
1280                                        -rc, inode->i_sb->s_id, inode->i_ino);
1281                                 kfree(context);
1282                                 goto out_unlock;
1283                         }
1284                         /* Map ENODATA to the default file SID */
1285                         sid = sbsec->def_sid;
1286                         rc = 0;
1287                 } else {
1288                         rc = security_context_to_sid_default(context, rc, &sid,
1289                                                              sbsec->def_sid,
1290                                                              GFP_NOFS);
1291                         if (rc) {
1292                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1293                                        "returned %d for dev=%s ino=%ld\n",
1294                                        __func__, context, -rc,
1295                                        inode->i_sb->s_id, inode->i_ino);
1296                                 kfree(context);
1297                                 /* Leave with the unlabeled SID */
1298                                 rc = 0;
1299                                 break;
1300                         }
1301                 }
1302                 kfree(context);
1303                 isec->sid = sid;
1304                 break;
1305         case SECURITY_FS_USE_TASK:
1306                 isec->sid = isec->task_sid;
1307                 break;
1308         case SECURITY_FS_USE_TRANS:
1309                 /* Default to the fs SID. */
1310                 isec->sid = sbsec->sid;
1311
1312                 /* Try to obtain a transition SID. */
1313                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314                 rc = security_transition_sid(isec->task_sid,
1315                                              sbsec->sid,
1316                                              isec->sclass,
1317                                              &sid);
1318                 if (rc)
1319                         goto out_unlock;
1320                 isec->sid = sid;
1321                 break;
1322         case SECURITY_FS_USE_MNTPOINT:
1323                 isec->sid = sbsec->mntpoint_sid;
1324                 break;
1325         default:
1326                 /* Default to the fs superblock SID. */
1327                 isec->sid = sbsec->sid;
1328
1329                 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330                         struct proc_inode *proci = PROC_I(inode);
1331                         if (proci->pde) {
1332                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333                                 rc = selinux_proc_get_sid(proci->pde,
1334                                                           isec->sclass,
1335                                                           &sid);
1336                                 if (rc)
1337                                         goto out_unlock;
1338                                 isec->sid = sid;
1339                         }
1340                 }
1341                 break;
1342         }
1343
1344         isec->initialized = 1;
1345
1346 out_unlock:
1347         mutex_unlock(&isec->lock);
1348 out:
1349         if (isec->sclass == SECCLASS_FILE)
1350                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351         return rc;
1352 }
1353
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1356 {
1357         u32 perm = 0;
1358
1359         switch (sig) {
1360         case SIGCHLD:
1361                 /* Commonly granted from child to parent. */
1362                 perm = PROCESS__SIGCHLD;
1363                 break;
1364         case SIGKILL:
1365                 /* Cannot be caught or ignored */
1366                 perm = PROCESS__SIGKILL;
1367                 break;
1368         case SIGSTOP:
1369                 /* Cannot be caught or ignored */
1370                 perm = PROCESS__SIGSTOP;
1371                 break;
1372         default:
1373                 /* All other signals. */
1374                 perm = PROCESS__SIGNAL;
1375                 break;
1376         }
1377
1378         return perm;
1379 }
1380
1381 /*
1382  * Check permission between a pair of credentials
1383  * fork check, ptrace check, etc.
1384  */
1385 static int cred_has_perm(const struct cred *actor,
1386                          const struct cred *target,
1387                          u32 perms)
1388 {
1389         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392 }
1393
1394 /*
1395  * Check permission between a pair of tasks, e.g. signal checks,
1396  * fork check, ptrace check, etc.
1397  * tsk1 is the actor and tsk2 is the target
1398  * - this uses the default subjective creds of tsk1
1399  */
1400 static int task_has_perm(const struct task_struct *tsk1,
1401                          const struct task_struct *tsk2,
1402                          u32 perms)
1403 {
1404         const struct task_security_struct *__tsec1, *__tsec2;
1405         u32 sid1, sid2;
1406
1407         rcu_read_lock();
1408         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1409         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1410         rcu_read_unlock();
1411         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 /*
1415  * Check permission between current and another task, e.g. signal checks,
1416  * fork check, ptrace check, etc.
1417  * current is the actor and tsk2 is the target
1418  * - this uses current's subjective creds
1419  */
1420 static int current_has_perm(const struct task_struct *tsk,
1421                             u32 perms)
1422 {
1423         u32 sid, tsid;
1424
1425         sid = current_sid();
1426         tsid = task_sid(tsk);
1427         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1428 }
1429
1430 #if CAP_LAST_CAP > 63
1431 #error Fix SELinux to handle capabilities > 63.
1432 #endif
1433
1434 /* Check whether a task is allowed to use a capability. */
1435 static int task_has_capability(struct task_struct *tsk,
1436                                const struct cred *cred,
1437                                int cap, int audit)
1438 {
1439         struct avc_audit_data ad;
1440         struct av_decision avd;
1441         u16 sclass;
1442         u32 sid = cred_sid(cred);
1443         u32 av = CAP_TO_MASK(cap);
1444         int rc;
1445
1446         AVC_AUDIT_DATA_INIT(&ad, CAP);
1447         ad.tsk = tsk;
1448         ad.u.cap = cap;
1449
1450         switch (CAP_TO_INDEX(cap)) {
1451         case 0:
1452                 sclass = SECCLASS_CAPABILITY;
1453                 break;
1454         case 1:
1455                 sclass = SECCLASS_CAPABILITY2;
1456                 break;
1457         default:
1458                 printk(KERN_ERR
1459                        "SELinux:  out of range capability %d\n", cap);
1460                 BUG();
1461         }
1462
1463         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1464         if (audit == SECURITY_CAP_AUDIT)
1465                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1466         return rc;
1467 }
1468
1469 /* Check whether a task is allowed to use a system operation. */
1470 static int task_has_system(struct task_struct *tsk,
1471                            u32 perms)
1472 {
1473         u32 sid = task_sid(tsk);
1474
1475         return avc_has_perm(sid, SECINITSID_KERNEL,
1476                             SECCLASS_SYSTEM, perms, NULL);
1477 }
1478
1479 /* Check whether a task has a particular permission to an inode.
1480    The 'adp' parameter is optional and allows other audit
1481    data to be passed (e.g. the dentry). */
1482 static int inode_has_perm(const struct cred *cred,
1483                           struct inode *inode,
1484                           u32 perms,
1485                           struct avc_audit_data *adp)
1486 {
1487         struct inode_security_struct *isec;
1488         struct avc_audit_data ad;
1489         u32 sid;
1490
1491         if (unlikely(IS_PRIVATE(inode)))
1492                 return 0;
1493
1494         sid = cred_sid(cred);
1495         isec = inode->i_security;
1496
1497         if (!adp) {
1498                 adp = &ad;
1499                 AVC_AUDIT_DATA_INIT(&ad, FS);
1500                 ad.u.fs.inode = inode;
1501         }
1502
1503         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1504 }
1505
1506 /* Same as inode_has_perm, but pass explicit audit data containing
1507    the dentry to help the auditing code to more easily generate the
1508    pathname if needed. */
1509 static inline int dentry_has_perm(const struct cred *cred,
1510                                   struct vfsmount *mnt,
1511                                   struct dentry *dentry,
1512                                   u32 av)
1513 {
1514         struct inode *inode = dentry->d_inode;
1515         struct avc_audit_data ad;
1516
1517         AVC_AUDIT_DATA_INIT(&ad, FS);
1518         ad.u.fs.path.mnt = mnt;
1519         ad.u.fs.path.dentry = dentry;
1520         return inode_has_perm(cred, inode, av, &ad);
1521 }
1522
1523 /* Check whether a task can use an open file descriptor to
1524    access an inode in a given way.  Check access to the
1525    descriptor itself, and then use dentry_has_perm to
1526    check a particular permission to the file.
1527    Access to the descriptor is implicitly granted if it
1528    has the same SID as the process.  If av is zero, then
1529    access to the file is not checked, e.g. for cases
1530    where only the descriptor is affected like seek. */
1531 static int file_has_perm(const struct cred *cred,
1532                          struct file *file,
1533                          u32 av)
1534 {
1535         struct file_security_struct *fsec = file->f_security;
1536         struct inode *inode = file->f_path.dentry->d_inode;
1537         struct avc_audit_data ad;
1538         u32 sid = cred_sid(cred);
1539         int rc;
1540
1541         AVC_AUDIT_DATA_INIT(&ad, FS);
1542         ad.u.fs.path = file->f_path;
1543
1544         if (sid != fsec->sid) {
1545                 rc = avc_has_perm(sid, fsec->sid,
1546                                   SECCLASS_FD,
1547                                   FD__USE,
1548                                   &ad);
1549                 if (rc)
1550                         goto out;
1551         }
1552
1553         /* av is zero if only checking access to the descriptor. */
1554         rc = 0;
1555         if (av)
1556                 rc = inode_has_perm(cred, inode, av, &ad);
1557
1558 out:
1559         return rc;
1560 }
1561
1562 /* Check whether a task can create a file. */
1563 static int may_create(struct inode *dir,
1564                       struct dentry *dentry,
1565                       u16 tclass)
1566 {
1567         const struct cred *cred = current_cred();
1568         const struct task_security_struct *tsec = cred->security;
1569         struct inode_security_struct *dsec;
1570         struct superblock_security_struct *sbsec;
1571         u32 sid, newsid;
1572         struct avc_audit_data ad;
1573         int rc;
1574
1575         dsec = dir->i_security;
1576         sbsec = dir->i_sb->s_security;
1577
1578         sid = tsec->sid;
1579         newsid = tsec->create_sid;
1580
1581         AVC_AUDIT_DATA_INIT(&ad, FS);
1582         ad.u.fs.path.dentry = dentry;
1583
1584         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1585                           DIR__ADD_NAME | DIR__SEARCH,
1586                           &ad);
1587         if (rc)
1588                 return rc;
1589
1590         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1591                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1592                 if (rc)
1593                         return rc;
1594         }
1595
1596         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1597         if (rc)
1598                 return rc;
1599
1600         return avc_has_perm(newsid, sbsec->sid,
1601                             SECCLASS_FILESYSTEM,
1602                             FILESYSTEM__ASSOCIATE, &ad);
1603 }
1604
1605 /* Check whether a task can create a key. */
1606 static int may_create_key(u32 ksid,
1607                           struct task_struct *ctx)
1608 {
1609         u32 sid = task_sid(ctx);
1610
1611         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1612 }
1613
1614 #define MAY_LINK        0
1615 #define MAY_UNLINK      1
1616 #define MAY_RMDIR       2
1617
1618 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1619 static int may_link(struct inode *dir,
1620                     struct dentry *dentry,
1621                     int kind)
1622
1623 {
1624         struct inode_security_struct *dsec, *isec;
1625         struct avc_audit_data ad;
1626         u32 sid = current_sid();
1627         u32 av;
1628         int rc;
1629
1630         dsec = dir->i_security;
1631         isec = dentry->d_inode->i_security;
1632
1633         AVC_AUDIT_DATA_INIT(&ad, FS);
1634         ad.u.fs.path.dentry = dentry;
1635
1636         av = DIR__SEARCH;
1637         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1638         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1639         if (rc)
1640                 return rc;
1641
1642         switch (kind) {
1643         case MAY_LINK:
1644                 av = FILE__LINK;
1645                 break;
1646         case MAY_UNLINK:
1647                 av = FILE__UNLINK;
1648                 break;
1649         case MAY_RMDIR:
1650                 av = DIR__RMDIR;
1651                 break;
1652         default:
1653                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1654                         __func__, kind);
1655                 return 0;
1656         }
1657
1658         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1659         return rc;
1660 }
1661
1662 static inline int may_rename(struct inode *old_dir,
1663                              struct dentry *old_dentry,
1664                              struct inode *new_dir,
1665                              struct dentry *new_dentry)
1666 {
1667         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1668         struct avc_audit_data ad;
1669         u32 sid = current_sid();
1670         u32 av;
1671         int old_is_dir, new_is_dir;
1672         int rc;
1673
1674         old_dsec = old_dir->i_security;
1675         old_isec = old_dentry->d_inode->i_security;
1676         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1677         new_dsec = new_dir->i_security;
1678
1679         AVC_AUDIT_DATA_INIT(&ad, FS);
1680
1681         ad.u.fs.path.dentry = old_dentry;
1682         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1683                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1684         if (rc)
1685                 return rc;
1686         rc = avc_has_perm(sid, old_isec->sid,
1687                           old_isec->sclass, FILE__RENAME, &ad);
1688         if (rc)
1689                 return rc;
1690         if (old_is_dir && new_dir != old_dir) {
1691                 rc = avc_has_perm(sid, old_isec->sid,
1692                                   old_isec->sclass, DIR__REPARENT, &ad);
1693                 if (rc)
1694                         return rc;
1695         }
1696
1697         ad.u.fs.path.dentry = new_dentry;
1698         av = DIR__ADD_NAME | DIR__SEARCH;
1699         if (new_dentry->d_inode)
1700                 av |= DIR__REMOVE_NAME;
1701         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1702         if (rc)
1703                 return rc;
1704         if (new_dentry->d_inode) {
1705                 new_isec = new_dentry->d_inode->i_security;
1706                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1707                 rc = avc_has_perm(sid, new_isec->sid,
1708                                   new_isec->sclass,
1709                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1710                 if (rc)
1711                         return rc;
1712         }
1713
1714         return 0;
1715 }
1716
1717 /* Check whether a task can perform a filesystem operation. */
1718 static int superblock_has_perm(const struct cred *cred,
1719                                struct super_block *sb,
1720                                u32 perms,
1721                                struct avc_audit_data *ad)
1722 {
1723         struct superblock_security_struct *sbsec;
1724         u32 sid = cred_sid(cred);
1725
1726         sbsec = sb->s_security;
1727         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1728 }
1729
1730 /* Convert a Linux mode and permission mask to an access vector. */
1731 static inline u32 file_mask_to_av(int mode, int mask)
1732 {
1733         u32 av = 0;
1734
1735         if ((mode & S_IFMT) != S_IFDIR) {
1736                 if (mask & MAY_EXEC)
1737                         av |= FILE__EXECUTE;
1738                 if (mask & MAY_READ)
1739                         av |= FILE__READ;
1740
1741                 if (mask & MAY_APPEND)
1742                         av |= FILE__APPEND;
1743                 else if (mask & MAY_WRITE)
1744                         av |= FILE__WRITE;
1745
1746         } else {
1747                 if (mask & MAY_EXEC)
1748                         av |= DIR__SEARCH;
1749                 if (mask & MAY_WRITE)
1750                         av |= DIR__WRITE;
1751                 if (mask & MAY_READ)
1752                         av |= DIR__READ;
1753         }
1754
1755         return av;
1756 }
1757
1758 /* Convert a Linux file to an access vector. */
1759 static inline u32 file_to_av(struct file *file)
1760 {
1761         u32 av = 0;
1762
1763         if (file->f_mode & FMODE_READ)
1764                 av |= FILE__READ;
1765         if (file->f_mode & FMODE_WRITE) {
1766                 if (file->f_flags & O_APPEND)
1767                         av |= FILE__APPEND;
1768                 else
1769                         av |= FILE__WRITE;
1770         }
1771         if (!av) {
1772                 /*
1773                  * Special file opened with flags 3 for ioctl-only use.
1774                  */
1775                 av = FILE__IOCTL;
1776         }
1777
1778         return av;
1779 }
1780
1781 /*
1782  * Convert a file to an access vector and include the correct open
1783  * open permission.
1784  */
1785 static inline u32 open_file_to_av(struct file *file)
1786 {
1787         u32 av = file_to_av(file);
1788
1789         if (selinux_policycap_openperm) {
1790                 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1791                 /*
1792                  * lnk files and socks do not really have an 'open'
1793                  */
1794                 if (S_ISREG(mode))
1795                         av |= FILE__OPEN;
1796                 else if (S_ISCHR(mode))
1797                         av |= CHR_FILE__OPEN;
1798                 else if (S_ISBLK(mode))
1799                         av |= BLK_FILE__OPEN;
1800                 else if (S_ISFIFO(mode))
1801                         av |= FIFO_FILE__OPEN;
1802                 else if (S_ISDIR(mode))
1803                         av |= DIR__OPEN;
1804                 else
1805                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1806                                 "unknown mode:%o\n", __func__, mode);
1807         }
1808         return av;
1809 }
1810
1811 /* Hook functions begin here. */
1812
1813 static int selinux_ptrace_may_access(struct task_struct *child,
1814                                      unsigned int mode)
1815 {
1816         int rc;
1817
1818         rc = secondary_ops->ptrace_may_access(child, mode);
1819         if (rc)
1820                 return rc;
1821
1822         if (mode == PTRACE_MODE_READ) {
1823                 u32 sid = current_sid();
1824                 u32 csid = task_sid(child);
1825                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1826         }
1827
1828         return current_has_perm(child, PROCESS__PTRACE);
1829 }
1830
1831 static int selinux_ptrace_traceme(struct task_struct *parent)
1832 {
1833         int rc;
1834
1835         rc = secondary_ops->ptrace_traceme(parent);
1836         if (rc)
1837                 return rc;
1838
1839         return task_has_perm(parent, current, PROCESS__PTRACE);
1840 }
1841
1842 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1843                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1844 {
1845         int error;
1846
1847         error = current_has_perm(target, PROCESS__GETCAP);
1848         if (error)
1849                 return error;
1850
1851         return secondary_ops->capget(target, effective, inheritable, permitted);
1852 }
1853
1854 static int selinux_capset(struct cred *new, const struct cred *old,
1855                           const kernel_cap_t *effective,
1856                           const kernel_cap_t *inheritable,
1857                           const kernel_cap_t *permitted)
1858 {
1859         int error;
1860
1861         error = secondary_ops->capset(new, old,
1862                                       effective, inheritable, permitted);
1863         if (error)
1864                 return error;
1865
1866         return cred_has_perm(old, new, PROCESS__SETCAP);
1867 }
1868
1869 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1870                            int cap, int audit)
1871 {
1872         int rc;
1873
1874         rc = secondary_ops->capable(tsk, cred, cap, audit);
1875         if (rc)
1876                 return rc;
1877
1878         return task_has_capability(tsk, cred, cap, audit);
1879 }
1880
1881 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1882 {
1883         int buflen, rc;
1884         char *buffer, *path, *end;
1885
1886         rc = -ENOMEM;
1887         buffer = (char *)__get_free_page(GFP_KERNEL);
1888         if (!buffer)
1889                 goto out;
1890
1891         buflen = PAGE_SIZE;
1892         end = buffer+buflen;
1893         *--end = '\0';
1894         buflen--;
1895         path = end-1;
1896         *path = '/';
1897         while (table) {
1898                 const char *name = table->procname;
1899                 size_t namelen = strlen(name);
1900                 buflen -= namelen + 1;
1901                 if (buflen < 0)
1902                         goto out_free;
1903                 end -= namelen;
1904                 memcpy(end, name, namelen);
1905                 *--end = '/';
1906                 path = end;
1907                 table = table->parent;
1908         }
1909         buflen -= 4;
1910         if (buflen < 0)
1911                 goto out_free;
1912         end -= 4;
1913         memcpy(end, "/sys", 4);
1914         path = end;
1915         rc = security_genfs_sid("proc", path, tclass, sid);
1916 out_free:
1917         free_page((unsigned long)buffer);
1918 out:
1919         return rc;
1920 }
1921
1922 static int selinux_sysctl(ctl_table *table, int op)
1923 {
1924         int error = 0;
1925         u32 av;
1926         u32 tsid, sid;
1927         int rc;
1928
1929         rc = secondary_ops->sysctl(table, op);
1930         if (rc)
1931                 return rc;
1932
1933         sid = current_sid();
1934
1935         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1936                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1937         if (rc) {
1938                 /* Default to the well-defined sysctl SID. */
1939                 tsid = SECINITSID_SYSCTL;
1940         }
1941
1942         /* The op values are "defined" in sysctl.c, thereby creating
1943          * a bad coupling between this module and sysctl.c */
1944         if (op == 001) {
1945                 error = avc_has_perm(sid, tsid,
1946                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1947         } else {
1948                 av = 0;
1949                 if (op & 004)
1950                         av |= FILE__READ;
1951                 if (op & 002)
1952                         av |= FILE__WRITE;
1953                 if (av)
1954                         error = avc_has_perm(sid, tsid,
1955                                              SECCLASS_FILE, av, NULL);
1956         }
1957
1958         return error;
1959 }
1960
1961 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1962 {
1963         const struct cred *cred = current_cred();
1964         int rc = 0;
1965
1966         if (!sb)
1967                 return 0;
1968
1969         switch (cmds) {
1970         case Q_SYNC:
1971         case Q_QUOTAON:
1972         case Q_QUOTAOFF:
1973         case Q_SETINFO:
1974         case Q_SETQUOTA:
1975                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1976                 break;
1977         case Q_GETFMT:
1978         case Q_GETINFO:
1979         case Q_GETQUOTA:
1980                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1981                 break;
1982         default:
1983                 rc = 0;  /* let the kernel handle invalid cmds */
1984                 break;
1985         }
1986         return rc;
1987 }
1988
1989 static int selinux_quota_on(struct dentry *dentry)
1990 {
1991         const struct cred *cred = current_cred();
1992
1993         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1994 }
1995
1996 static int selinux_syslog(int type)
1997 {
1998         int rc;
1999
2000         rc = secondary_ops->syslog(type);
2001         if (rc)
2002                 return rc;
2003
2004         switch (type) {
2005         case 3:         /* Read last kernel messages */
2006         case 10:        /* Return size of the log buffer */
2007                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2008                 break;
2009         case 6:         /* Disable logging to console */
2010         case 7:         /* Enable logging to console */
2011         case 8:         /* Set level of messages printed to console */
2012                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2013                 break;
2014         case 0:         /* Close log */
2015         case 1:         /* Open log */
2016         case 2:         /* Read from log */
2017         case 4:         /* Read/clear last kernel messages */
2018         case 5:         /* Clear ring buffer */
2019         default:
2020                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2021                 break;
2022         }
2023         return rc;
2024 }
2025
2026 /*
2027  * Check that a process has enough memory to allocate a new virtual
2028  * mapping. 0 means there is enough memory for the allocation to
2029  * succeed and -ENOMEM implies there is not.
2030  *
2031  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2032  * if the capability is granted, but __vm_enough_memory requires 1 if
2033  * the capability is granted.
2034  *
2035  * Do not audit the selinux permission check, as this is applied to all
2036  * processes that allocate mappings.
2037  */
2038 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2039 {
2040         int rc, cap_sys_admin = 0;
2041
2042         rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
2043                              SECURITY_CAP_NOAUDIT);
2044         if (rc == 0)
2045                 cap_sys_admin = 1;
2046
2047         return __vm_enough_memory(mm, pages, cap_sys_admin);
2048 }
2049
2050 /* binprm security operations */
2051
2052 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2053 {
2054         const struct task_security_struct *old_tsec;
2055         struct task_security_struct *new_tsec;
2056         struct inode_security_struct *isec;
2057         struct avc_audit_data ad;
2058         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2059         int rc;
2060
2061         rc = secondary_ops->bprm_set_creds(bprm);
2062         if (rc)
2063                 return rc;
2064
2065         /* SELinux context only depends on initial program or script and not
2066          * the script interpreter */
2067         if (bprm->cred_prepared)
2068                 return 0;
2069
2070         old_tsec = current_security();
2071         new_tsec = bprm->cred->security;
2072         isec = inode->i_security;
2073
2074         /* Default to the current task SID. */
2075         new_tsec->sid = old_tsec->sid;
2076         new_tsec->osid = old_tsec->sid;
2077
2078         /* Reset fs, key, and sock SIDs on execve. */
2079         new_tsec->create_sid = 0;
2080         new_tsec->keycreate_sid = 0;
2081         new_tsec->sockcreate_sid = 0;
2082
2083         if (old_tsec->exec_sid) {
2084                 new_tsec->sid = old_tsec->exec_sid;
2085                 /* Reset exec SID on execve. */
2086                 new_tsec->exec_sid = 0;
2087         } else {
2088                 /* Check for a default transition on this program. */
2089                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2090                                              SECCLASS_PROCESS, &new_tsec->sid);
2091                 if (rc)
2092                         return rc;
2093         }
2094
2095         AVC_AUDIT_DATA_INIT(&ad, FS);
2096         ad.u.fs.path = bprm->file->f_path;
2097
2098         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2099                 new_tsec->sid = old_tsec->sid;
2100
2101         if (new_tsec->sid == old_tsec->sid) {
2102                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2103                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2104                 if (rc)
2105                         return rc;
2106         } else {
2107                 /* Check permissions for the transition. */
2108                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2109                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2110                 if (rc)
2111                         return rc;
2112
2113                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2114                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2115                 if (rc)
2116                         return rc;
2117
2118                 /* Check for shared state */
2119                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2120                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2121                                           SECCLASS_PROCESS, PROCESS__SHARE,
2122                                           NULL);
2123                         if (rc)
2124                                 return -EPERM;
2125                 }
2126
2127                 /* Make sure that anyone attempting to ptrace over a task that
2128                  * changes its SID has the appropriate permit */
2129                 if (bprm->unsafe &
2130                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2131                         struct task_struct *tracer;
2132                         struct task_security_struct *sec;
2133                         u32 ptsid = 0;
2134
2135                         rcu_read_lock();
2136                         tracer = tracehook_tracer_task(current);
2137                         if (likely(tracer != NULL)) {
2138                                 sec = __task_cred(tracer)->security;
2139                                 ptsid = sec->sid;
2140                         }
2141                         rcu_read_unlock();
2142
2143                         if (ptsid != 0) {
2144                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2145                                                   SECCLASS_PROCESS,
2146                                                   PROCESS__PTRACE, NULL);
2147                                 if (rc)
2148                                         return -EPERM;
2149                         }
2150                 }
2151
2152                 /* Clear any possibly unsafe personality bits on exec: */
2153                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2154         }
2155
2156         return 0;
2157 }
2158
2159 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2160 {
2161         return secondary_ops->bprm_check_security(bprm);
2162 }
2163
2164 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2165 {
2166         const struct cred *cred = current_cred();
2167         const struct task_security_struct *tsec = cred->security;
2168         u32 sid, osid;
2169         int atsecure = 0;
2170
2171         sid = tsec->sid;
2172         osid = tsec->osid;
2173
2174         if (osid != sid) {
2175                 /* Enable secure mode for SIDs transitions unless
2176                    the noatsecure permission is granted between
2177                    the two SIDs, i.e. ahp returns 0. */
2178                 atsecure = avc_has_perm(osid, sid,
2179                                         SECCLASS_PROCESS,
2180                                         PROCESS__NOATSECURE, NULL);
2181         }
2182
2183         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2184 }
2185
2186 extern struct vfsmount *selinuxfs_mount;
2187 extern struct dentry *selinux_null;
2188
2189 /* Derived from fs/exec.c:flush_old_files. */
2190 static inline void flush_unauthorized_files(const struct cred *cred,
2191                                             struct files_struct *files)
2192 {
2193         struct avc_audit_data ad;
2194         struct file *file, *devnull = NULL;
2195         struct tty_struct *tty;
2196         struct fdtable *fdt;
2197         long j = -1;
2198         int drop_tty = 0;
2199
2200         tty = get_current_tty();
2201         if (tty) {
2202                 file_list_lock();
2203                 if (!list_empty(&tty->tty_files)) {
2204                         struct inode *inode;
2205
2206                         /* Revalidate access to controlling tty.
2207                            Use inode_has_perm on the tty inode directly rather
2208                            than using file_has_perm, as this particular open
2209                            file may belong to another process and we are only
2210                            interested in the inode-based check here. */
2211                         file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2212                         inode = file->f_path.dentry->d_inode;
2213                         if (inode_has_perm(cred, inode,
2214                                            FILE__READ | FILE__WRITE, NULL)) {
2215                                 drop_tty = 1;
2216                         }
2217                 }
2218                 file_list_unlock();
2219                 tty_kref_put(tty);
2220         }
2221         /* Reset controlling tty. */
2222         if (drop_tty)
2223                 no_tty();
2224
2225         /* Revalidate access to inherited open files. */
2226
2227         AVC_AUDIT_DATA_INIT(&ad, FS);
2228
2229         spin_lock(&files->file_lock);
2230         for (;;) {
2231                 unsigned long set, i;
2232                 int fd;
2233
2234                 j++;
2235                 i = j * __NFDBITS;
2236                 fdt = files_fdtable(files);
2237                 if (i >= fdt->max_fds)
2238                         break;
2239                 set = fdt->open_fds->fds_bits[j];
2240                 if (!set)
2241                         continue;
2242                 spin_unlock(&files->file_lock);
2243                 for ( ; set ; i++, set >>= 1) {
2244                         if (set & 1) {
2245                                 file = fget(i);
2246                                 if (!file)
2247                                         continue;
2248                                 if (file_has_perm(cred,
2249                                                   file,
2250                                                   file_to_av(file))) {
2251                                         sys_close(i);
2252                                         fd = get_unused_fd();
2253                                         if (fd != i) {
2254                                                 if (fd >= 0)
2255                                                         put_unused_fd(fd);
2256                                                 fput(file);
2257                                                 continue;
2258                                         }
2259                                         if (devnull) {
2260                                                 get_file(devnull);
2261                                         } else {
2262                                                 devnull = dentry_open(
2263                                                         dget(selinux_null),
2264                                                         mntget(selinuxfs_mount),
2265                                                         O_RDWR, cred);
2266                                                 if (IS_ERR(devnull)) {
2267                                                         devnull = NULL;
2268                                                         put_unused_fd(fd);
2269                                                         fput(file);
2270                                                         continue;
2271                                                 }
2272                                         }
2273                                         fd_install(fd, devnull);
2274                                 }
2275                                 fput(file);
2276                         }
2277                 }
2278                 spin_lock(&files->file_lock);
2279
2280         }
2281         spin_unlock(&files->file_lock);
2282 }
2283
2284 /*
2285  * Prepare a process for imminent new credential changes due to exec
2286  */
2287 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2288 {
2289         struct task_security_struct *new_tsec;
2290         struct rlimit *rlim, *initrlim;
2291         int rc, i;
2292
2293         secondary_ops->bprm_committing_creds(bprm);
2294
2295         new_tsec = bprm->cred->security;
2296         if (new_tsec->sid == new_tsec->osid)
2297                 return;
2298
2299         /* Close files for which the new task SID is not authorized. */
2300         flush_unauthorized_files(bprm->cred, current->files);
2301
2302         /* Always clear parent death signal on SID transitions. */
2303         current->pdeath_signal = 0;
2304
2305         /* Check whether the new SID can inherit resource limits from the old
2306          * SID.  If not, reset all soft limits to the lower of the current
2307          * task's hard limit and the init task's soft limit.
2308          *
2309          * Note that the setting of hard limits (even to lower them) can be
2310          * controlled by the setrlimit check.  The inclusion of the init task's
2311          * soft limit into the computation is to avoid resetting soft limits
2312          * higher than the default soft limit for cases where the default is
2313          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2314          */
2315         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2316                           PROCESS__RLIMITINH, NULL);
2317         if (rc) {
2318                 for (i = 0; i < RLIM_NLIMITS; i++) {
2319                         rlim = current->signal->rlim + i;
2320                         initrlim = init_task.signal->rlim + i;
2321                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2322                 }
2323                 update_rlimit_cpu(rlim->rlim_cur);
2324         }
2325 }
2326
2327 /*
2328  * Clean up the process immediately after the installation of new credentials
2329  * due to exec
2330  */
2331 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2332 {
2333         const struct task_security_struct *tsec = current_security();
2334         struct itimerval itimer;
2335         struct sighand_struct *psig;
2336         u32 osid, sid;
2337         int rc, i;
2338         unsigned long flags;
2339
2340         secondary_ops->bprm_committed_creds(bprm);
2341
2342         osid = tsec->osid;
2343         sid = tsec->sid;
2344
2345         if (sid == osid)
2346                 return;
2347
2348         /* Check whether the new SID can inherit signal state from the old SID.
2349          * If not, clear itimers to avoid subsequent signal generation and
2350          * flush and unblock signals.
2351          *
2352          * This must occur _after_ the task SID has been updated so that any
2353          * kill done after the flush will be checked against the new SID.
2354          */
2355         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2356         if (rc) {
2357                 memset(&itimer, 0, sizeof itimer);
2358                 for (i = 0; i < 3; i++)
2359                         do_setitimer(i, &itimer, NULL);
2360                 flush_signals(current);
2361                 spin_lock_irq(&current->sighand->siglock);
2362                 flush_signal_handlers(current, 1);
2363                 sigemptyset(&current->blocked);
2364                 recalc_sigpending();
2365                 spin_unlock_irq(&current->sighand->siglock);
2366         }
2367
2368         /* Wake up the parent if it is waiting so that it can recheck
2369          * wait permission to the new task SID. */
2370         read_lock_irq(&tasklist_lock);
2371         psig = current->parent->sighand;
2372         spin_lock_irqsave(&psig->siglock, flags);
2373         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2374         spin_unlock_irqrestore(&psig->siglock, flags);
2375         read_unlock_irq(&tasklist_lock);
2376 }
2377
2378 /* superblock security operations */
2379
2380 static int selinux_sb_alloc_security(struct super_block *sb)
2381 {
2382         return superblock_alloc_security(sb);
2383 }
2384
2385 static void selinux_sb_free_security(struct super_block *sb)
2386 {
2387         superblock_free_security(sb);
2388 }
2389
2390 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2391 {
2392         if (plen > olen)
2393                 return 0;
2394
2395         return !memcmp(prefix, option, plen);
2396 }
2397
2398 static inline int selinux_option(char *option, int len)
2399 {
2400         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2401                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2402                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2403                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2404 }
2405
2406 static inline void take_option(char **to, char *from, int *first, int len)
2407 {
2408         if (!*first) {
2409                 **to = ',';
2410                 *to += 1;
2411         } else
2412                 *first = 0;
2413         memcpy(*to, from, len);
2414         *to += len;
2415 }
2416
2417 static inline void take_selinux_option(char **to, char *from, int *first,
2418                                        int len)
2419 {
2420         int current_size = 0;
2421
2422         if (!*first) {
2423                 **to = '|';
2424                 *to += 1;
2425         } else
2426                 *first = 0;
2427
2428         while (current_size < len) {
2429                 if (*from != '"') {
2430                         **to = *from;
2431                         *to += 1;
2432                 }
2433                 from += 1;
2434                 current_size += 1;
2435         }
2436 }
2437
2438 static int selinux_sb_copy_data(char *orig, char *copy)
2439 {
2440         int fnosec, fsec, rc = 0;
2441         char *in_save, *in_curr, *in_end;
2442         char *sec_curr, *nosec_save, *nosec;
2443         int open_quote = 0;
2444
2445         in_curr = orig;
2446         sec_curr = copy;
2447
2448         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2449         if (!nosec) {
2450                 rc = -ENOMEM;
2451                 goto out;
2452         }
2453
2454         nosec_save = nosec;
2455         fnosec = fsec = 1;
2456         in_save = in_end = orig;
2457
2458         do {
2459                 if (*in_end == '"')
2460                         open_quote = !open_quote;
2461                 if ((*in_end == ',' && open_quote == 0) ||
2462                                 *in_end == '\0') {
2463                         int len = in_end - in_curr;
2464
2465                         if (selinux_option(in_curr, len))
2466                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2467                         else
2468                                 take_option(&nosec, in_curr, &fnosec, len);
2469
2470                         in_curr = in_end + 1;
2471                 }
2472         } while (*in_end++);
2473
2474         strcpy(in_save, nosec_save);
2475         free_page((unsigned long)nosec_save);
2476 out:
2477         return rc;
2478 }
2479
2480 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2481 {
2482         const struct cred *cred = current_cred();
2483         struct avc_audit_data ad;
2484         int rc;
2485
2486         rc = superblock_doinit(sb, data);
2487         if (rc)
2488                 return rc;
2489
2490         /* Allow all mounts performed by the kernel */
2491         if (flags & MS_KERNMOUNT)
2492                 return 0;
2493
2494         AVC_AUDIT_DATA_INIT(&ad, FS);
2495         ad.u.fs.path.dentry = sb->s_root;
2496         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2497 }
2498
2499 static int selinux_sb_statfs(struct dentry *dentry)
2500 {
2501         const struct cred *cred = current_cred();
2502         struct avc_audit_data ad;
2503
2504         AVC_AUDIT_DATA_INIT(&ad, FS);
2505         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2506         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2507 }
2508
2509 static int selinux_mount(char *dev_name,
2510                          struct path *path,
2511                          char *type,
2512                          unsigned long flags,
2513                          void *data)
2514 {
2515         const struct cred *cred = current_cred();
2516         int rc;
2517
2518         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2519         if (rc)
2520                 return rc;
2521
2522         if (flags & MS_REMOUNT)
2523                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2524                                            FILESYSTEM__REMOUNT, NULL);
2525         else
2526                 return dentry_has_perm(cred, path->mnt, path->dentry,
2527                                        FILE__MOUNTON);
2528 }
2529
2530 static int selinux_umount(struct vfsmount *mnt, int flags)
2531 {
2532         const struct cred *cred = current_cred();
2533         int rc;
2534
2535         rc = secondary_ops->sb_umount(mnt, flags);
2536         if (rc)
2537                 return rc;
2538
2539         return superblock_has_perm(cred, mnt->mnt_sb,
2540                                    FILESYSTEM__UNMOUNT, NULL);
2541 }
2542
2543 /* inode security operations */
2544
2545 static int selinux_inode_alloc_security(struct inode *inode)
2546 {
2547         return inode_alloc_security(inode);
2548 }
2549
2550 static void selinux_inode_free_security(struct inode *inode)
2551 {
2552         inode_free_security(inode);
2553 }
2554
2555 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2556                                        char **name, void **value,
2557                                        size_t *len)
2558 {
2559         const struct cred *cred = current_cred();
2560         const struct task_security_struct *tsec = cred->security;
2561         struct inode_security_struct *dsec;
2562         struct superblock_security_struct *sbsec;
2563         u32 sid, newsid, clen;
2564         int rc;
2565         char *namep = NULL, *context;
2566
2567         dsec = dir->i_security;
2568         sbsec = dir->i_sb->s_security;
2569
2570         sid = tsec->sid;
2571         newsid = tsec->create_sid;
2572
2573         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2574                 rc = security_transition_sid(sid, dsec->sid,
2575                                              inode_mode_to_security_class(inode->i_mode),
2576                                              &newsid);
2577                 if (rc) {
2578                         printk(KERN_WARNING "%s:  "
2579                                "security_transition_sid failed, rc=%d (dev=%s "
2580                                "ino=%ld)\n",
2581                                __func__,
2582                                -rc, inode->i_sb->s_id, inode->i_ino);
2583                         return rc;
2584                 }
2585         }
2586
2587         /* Possibly defer initialization to selinux_complete_init. */
2588         if (sbsec->initialized) {
2589                 struct inode_security_struct *isec = inode->i_security;
2590                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2591                 isec->sid = newsid;
2592                 isec->initialized = 1;
2593         }
2594
2595         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2596                 return -EOPNOTSUPP;
2597
2598         if (name) {
2599                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2600                 if (!namep)
2601                         return -ENOMEM;
2602                 *name = namep;
2603         }
2604
2605         if (value && len) {
2606                 rc = security_sid_to_context_force(newsid, &context, &clen);
2607                 if (rc) {
2608                         kfree(namep);
2609                         return rc;
2610                 }
2611                 *value = context;
2612                 *len = clen;
2613         }
2614
2615         return 0;
2616 }
2617
2618 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2619 {
2620         return may_create(dir, dentry, SECCLASS_FILE);
2621 }
2622
2623 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2624 {
2625         int rc;
2626
2627         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2628         if (rc)
2629                 return rc;
2630         return may_link(dir, old_dentry, MAY_LINK);
2631 }
2632
2633 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2634 {
2635         int rc;
2636
2637         rc = secondary_ops->inode_unlink(dir, dentry);
2638         if (rc)
2639                 return rc;
2640         return may_link(dir, dentry, MAY_UNLINK);
2641 }
2642
2643 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2644 {
2645         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2646 }
2647
2648 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2649 {
2650         return may_create(dir, dentry, SECCLASS_DIR);
2651 }
2652
2653 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2654 {
2655         return may_link(dir, dentry, MAY_RMDIR);
2656 }
2657
2658 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2659 {
2660         int rc;
2661
2662         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2663         if (rc)
2664                 return rc;
2665
2666         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2667 }
2668
2669 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2670                                 struct inode *new_inode, struct dentry *new_dentry)
2671 {
2672         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2673 }
2674
2675 static int selinux_inode_readlink(struct dentry *dentry)
2676 {
2677         const struct cred *cred = current_cred();
2678
2679         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2680 }
2681
2682 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2683 {
2684         const struct cred *cred = current_cred();
2685         int rc;
2686
2687         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2688         if (rc)
2689                 return rc;
2690         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2691 }
2692
2693 static int selinux_inode_permission(struct inode *inode, int mask)
2694 {
2695         const struct cred *cred = current_cred();
2696         int rc;
2697
2698         rc = secondary_ops->inode_permission(inode, mask);
2699         if (rc)
2700                 return rc;
2701
2702         if (!mask) {
2703                 /* No permission to check.  Existence test. */
2704                 return 0;
2705         }
2706
2707         return inode_has_perm(cred, inode,
2708                               file_mask_to_av(inode->i_mode, mask), NULL);
2709 }
2710
2711 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2712 {
2713         const struct cred *cred = current_cred();
2714         int rc;
2715
2716         rc = secondary_ops->inode_setattr(dentry, iattr);
2717         if (rc)
2718                 return rc;
2719
2720         if (iattr->ia_valid & ATTR_FORCE)
2721                 return 0;
2722
2723         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2724                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2725                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2726
2727         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2728 }
2729
2730 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2731 {
2732         const struct cred *cred = current_cred();
2733
2734         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2735 }
2736
2737 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2738 {
2739         const struct cred *cred = current_cred();
2740
2741         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2742                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2743                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2744                         if (!capable(CAP_SETFCAP))
2745                                 return -EPERM;
2746                 } else if (!capable(CAP_SYS_ADMIN)) {
2747                         /* A different attribute in the security namespace.
2748                            Restrict to administrator. */
2749                         return -EPERM;
2750                 }
2751         }
2752
2753         /* Not an attribute we recognize, so just check the
2754            ordinary setattr permission. */
2755         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2756 }
2757
2758 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2759                                   const void *value, size_t size, int flags)
2760 {
2761         struct inode *inode = dentry->d_inode;
2762         struct inode_security_struct *isec = inode->i_security;
2763         struct superblock_security_struct *sbsec;
2764         struct avc_audit_data ad;
2765         u32 newsid, sid = current_sid();
2766         int rc = 0;
2767
2768         if (strcmp(name, XATTR_NAME_SELINUX))
2769                 return selinux_inode_setotherxattr(dentry, name);
2770
2771         sbsec = inode->i_sb->s_security;
2772         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2773                 return -EOPNOTSUPP;
2774
2775         if (!is_owner_or_cap(inode))
2776                 return -EPERM;
2777
2778         AVC_AUDIT_DATA_INIT(&ad, FS);
2779         ad.u.fs.path.dentry = dentry;
2780
2781         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2782                           FILE__RELABELFROM, &ad);
2783         if (rc)
2784                 return rc;
2785
2786         rc = security_context_to_sid(value, size, &newsid);
2787         if (rc == -EINVAL) {
2788                 if (!capable(CAP_MAC_ADMIN))
2789                         return rc;
2790                 rc = security_context_to_sid_force(value, size, &newsid);
2791         }
2792         if (rc)
2793                 return rc;
2794
2795         rc = avc_has_perm(sid, newsid, isec->sclass,
2796                           FILE__RELABELTO, &ad);
2797         if (rc)
2798                 return rc;
2799
2800         rc = security_validate_transition(isec->sid, newsid, sid,
2801                                           isec->sclass);
2802         if (rc)
2803                 return rc;
2804
2805         return avc_has_perm(newsid,
2806                             sbsec->sid,
2807                             SECCLASS_FILESYSTEM,
2808                             FILESYSTEM__ASSOCIATE,
2809                             &ad);
2810 }
2811
2812 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2813                                         const void *value, size_t size,
2814                                         int flags)
2815 {
2816         struct inode *inode = dentry->d_inode;
2817         struct inode_security_struct *isec = inode->i_security;
2818         u32 newsid;
2819         int rc;
2820
2821         if (strcmp(name, XATTR_NAME_SELINUX)) {
2822                 /* Not an attribute we recognize, so nothing to do. */
2823                 return;
2824         }
2825
2826         rc = security_context_to_sid_force(value, size, &newsid);
2827         if (rc) {
2828                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2829                        "for (%s, %lu), rc=%d\n",
2830                        inode->i_sb->s_id, inode->i_ino, -rc);
2831                 return;
2832         }
2833
2834         isec->sid = newsid;
2835         return;
2836 }
2837
2838 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2839 {
2840         const struct cred *cred = current_cred();
2841
2842         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2843 }
2844
2845 static int selinux_inode_listxattr(struct dentry *dentry)
2846 {
2847         const struct cred *cred = current_cred();
2848
2849         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2850 }
2851
2852 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2853 {
2854         if (strcmp(name, XATTR_NAME_SELINUX))
2855                 return selinux_inode_setotherxattr(dentry, name);
2856
2857         /* No one is allowed to remove a SELinux security label.
2858            You can change the label, but all data must be labeled. */
2859         return -EACCES;
2860 }
2861
2862 /*
2863  * Copy the inode security context value to the user.
2864  *
2865  * Permission check is handled by selinux_inode_getxattr hook.
2866  */
2867 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2868 {
2869         u32 size;
2870         int error;
2871         char *context = NULL;
2872         struct inode_security_struct *isec = inode->i_security;
2873
2874         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2875                 return -EOPNOTSUPP;
2876
2877         /*
2878          * If the caller has CAP_MAC_ADMIN, then get the raw context
2879          * value even if it is not defined by current policy; otherwise,
2880          * use the in-core value under current policy.
2881          * Use the non-auditing forms of the permission checks since
2882          * getxattr may be called by unprivileged processes commonly
2883          * and lack of permission just means that we fall back to the
2884          * in-core context value, not a denial.
2885          */
2886         error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
2887                                 SECURITY_CAP_NOAUDIT);
2888         if (!error)
2889                 error = security_sid_to_context_force(isec->sid, &context,
2890                                                       &size);
2891         else
2892                 error = security_sid_to_context(isec->sid, &context, &size);
2893         if (error)
2894                 return error;
2895         error = size;
2896         if (alloc) {
2897                 *buffer = context;
2898                 goto out_nofree;
2899         }
2900         kfree(context);
2901 out_nofree:
2902         return error;
2903 }
2904
2905 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2906                                      const void *value, size_t size, int flags)
2907 {
2908         struct inode_security_struct *isec = inode->i_security;
2909         u32 newsid;
2910         int rc;
2911
2912         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2913                 return -EOPNOTSUPP;
2914
2915         if (!value || !size)
2916                 return -EACCES;
2917
2918         rc = security_context_to_sid((void *)value, size, &newsid);
2919         if (rc)
2920                 return rc;
2921
2922         isec->sid = newsid;
2923         return 0;
2924 }
2925
2926 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2927 {
2928         const int len = sizeof(XATTR_NAME_SELINUX);
2929         if (buffer && len <= buffer_size)
2930                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2931         return len;
2932 }
2933
2934 static int selinux_inode_need_killpriv(struct dentry *dentry)
2935 {
2936         return secondary_ops->inode_need_killpriv(dentry);
2937 }
2938
2939 static int selinux_inode_killpriv(struct dentry *dentry)
2940 {
2941         return secondary_ops->inode_killpriv(dentry);
2942 }
2943
2944 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2945 {
2946         struct inode_security_struct *isec = inode->i_security;
2947         *secid = isec->sid;
2948 }
2949
2950 /* file security operations */
2951
2952 static int selinux_revalidate_file_permission(struct file *file, int mask)
2953 {
2954         const struct cred *cred = current_cred();
2955         int rc;
2956         struct inode *inode = file->f_path.dentry->d_inode;
2957
2958         if (!mask) {
2959                 /* No permission to check.  Existence test. */
2960                 return 0;
2961         }
2962
2963         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2964         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2965                 mask |= MAY_APPEND;
2966
2967         rc = file_has_perm(cred, file,
2968                            file_mask_to_av(inode->i_mode, mask));
2969         if (rc)
2970                 return rc;
2971
2972         return selinux_netlbl_inode_permission(inode, mask);
2973 }
2974
2975 static int selinux_file_permission(struct file *file, int mask)
2976 {
2977         struct inode *inode = file->f_path.dentry->d_inode;
2978         struct file_security_struct *fsec = file->f_security;
2979         struct inode_security_struct *isec = inode->i_security;
2980         u32 sid = current_sid();
2981
2982         if (!mask) {
2983                 /* No permission to check.  Existence test. */
2984                 return 0;
2985         }
2986
2987         if (sid == fsec->sid && fsec->isid == isec->sid
2988             && fsec->pseqno == avc_policy_seqno())
2989                 return selinux_netlbl_inode_permission(inode, mask);
2990
2991         return selinux_revalidate_file_permission(file, mask);
2992 }
2993
2994 static int selinux_file_alloc_security(struct file *file)
2995 {
2996         return file_alloc_security(file);
2997 }
2998
2999 static void selinux_file_free_security(struct file *file)
3000 {
3001         file_free_security(file);
3002 }
3003
3004 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3005                               unsigned long arg)
3006 {
3007         const struct cred *cred = current_cred();
3008         u32 av = 0;
3009
3010         if (_IOC_DIR(cmd) & _IOC_WRITE)
3011                 av |= FILE__WRITE;
3012         if (_IOC_DIR(cmd) & _IOC_READ)
3013                 av |= FILE__READ;
3014         if (!av)
3015                 av = FILE__IOCTL;
3016
3017         return file_has_perm(cred, file, av);
3018 }
3019
3020 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3021 {
3022         const struct cred *cred = current_cred();
3023         int rc = 0;
3024
3025 #ifndef CONFIG_PPC32
3026         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3027                 /*
3028                  * We are making executable an anonymous mapping or a
3029                  * private file mapping that will also be writable.
3030                  * This has an additional check.
3031                  */
3032                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3033                 if (rc)
3034                         goto error;
3035         }
3036 #endif
3037
3038         if (file) {
3039                 /* read access is always possible with a mapping */
3040                 u32 av = FILE__READ;
3041
3042                 /* write access only matters if the mapping is shared */
3043                 if (shared && (prot & PROT_WRITE))
3044                         av |= FILE__WRITE;
3045
3046                 if (prot & PROT_EXEC)
3047                         av |= FILE__EXECUTE;
3048
3049                 return file_has_perm(cred, file, av);
3050         }
3051
3052 error:
3053         return rc;
3054 }
3055
3056 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3057                              unsigned long prot, unsigned long flags,
3058                              unsigned long addr, unsigned long addr_only)
3059 {
3060         int rc = 0;
3061         u32 sid = current_sid();
3062
3063         if (addr < mmap_min_addr)
3064                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3065                                   MEMPROTECT__MMAP_ZERO, NULL);
3066         if (rc || addr_only)
3067                 return rc;
3068
3069         if (selinux_checkreqprot)
3070                 prot = reqprot;
3071
3072         return file_map_prot_check(file, prot,
3073                                    (flags & MAP_TYPE) == MAP_SHARED);
3074 }
3075
3076 static int selinux_file_mprotect(struct vm_area_struct *vma,
3077                                  unsigned long reqprot,
3078                                  unsigned long prot)
3079 {
3080         const struct cred *cred = current_cred();
3081         int rc;
3082
3083         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3084         if (rc)
3085                 return rc;
3086
3087         if (selinux_checkreqprot)
3088                 prot = reqprot;
3089
3090 #ifndef CONFIG_PPC32
3091         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3092                 rc = 0;
3093                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3094                     vma->vm_end <= vma->vm_mm->brk) {
3095                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3096                 } else if (!vma->vm_file &&
3097                            vma->vm_start <= vma->vm_mm->start_stack &&
3098                            vma->vm_end >= vma->vm_mm->start_stack) {
3099                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3100                 } else if (vma->vm_file && vma->anon_vma) {
3101                         /*
3102                          * We are making executable a file mapping that has
3103                          * had some COW done. Since pages might have been
3104                          * written, check ability to execute the possibly
3105                          * modified content.  This typically should only
3106                          * occur for text relocations.
3107                          */
3108                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3109                 }
3110                 if (rc)
3111                         return rc;
3112         }
3113 #endif
3114
3115         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3116 }
3117
3118 static int selinux_file_lock(struct file *file, unsigned int cmd)
3119 {
3120         const struct cred *cred = current_cred();
3121
3122         return file_has_perm(cred, file, FILE__LOCK);
3123 }
3124
3125 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3126                               unsigned long arg)
3127 {
3128         const struct cred *cred = current_cred();
3129         int err = 0;
3130
3131         switch (cmd) {
3132         case F_SETFL:
3133                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3134                         err = -EINVAL;
3135                         break;
3136                 }
3137
3138                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3139                         err = file_has_perm(cred, file, FILE__WRITE);
3140                         break;
3141                 }
3142                 /* fall through */
3143         case F_SETOWN:
3144         case F_SETSIG:
3145         case F_GETFL:
3146         case F_GETOWN:
3147         case F_GETSIG:
3148                 /* Just check FD__USE permission */
3149                 err = file_has_perm(cred, file, 0);
3150                 break;
3151         case F_GETLK:
3152         case F_SETLK:
3153         case F_SETLKW:
3154 #if BITS_PER_LONG == 32
3155         case F_GETLK64:
3156         case F_SETLK64:
3157         case F_SETLKW64:
3158 #endif
3159                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3160                         err = -EINVAL;
3161                         break;
3162                 }
3163                 err = file_has_perm(cred, file, FILE__LOCK);
3164                 break;
3165         }
3166
3167         return err;
3168 }
3169
3170 static int selinux_file_set_fowner(struct file *file)
3171 {
3172         struct file_security_struct *fsec;
3173
3174         fsec = file->f_security;
3175         fsec->fown_sid = current_sid();
3176
3177         return 0;
3178 }
3179
3180 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3181                                        struct fown_struct *fown, int signum)
3182 {
3183         struct file *file;
3184         u32 sid = current_sid();
3185         u32 perm;
3186         struct file_security_struct *fsec;
3187
3188         /* struct fown_struct is never outside the context of a struct file */
3189         file = container_of(fown, struct file, f_owner);
3190
3191         fsec = file->f_security;
3192
3193         if (!signum)
3194                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3195         else
3196                 perm = signal_to_av(signum);
3197
3198         return avc_has_perm(fsec->fown_sid, sid,
3199                             SECCLASS_PROCESS, perm, NULL);
3200 }
3201
3202 static int selinux_file_receive(struct file *file)
3203 {
3204         const struct cred *cred = current_cred();
3205
3206         return file_has_perm(cred, file, file_to_av(file));
3207 }
3208
3209 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3210 {
3211         struct file_security_struct *fsec;
3212         struct inode *inode;
3213         struct inode_security_struct *isec;
3214
3215         inode = file->f_path.dentry->d_inode;
3216         fsec = file->f_security;
3217         isec = inode->i_security;
3218         /*
3219          * Save inode label and policy sequence number
3220          * at open-time so that selinux_file_permission
3221          * can determine whether revalidation is necessary.
3222          * Task label is already saved in the file security
3223          * struct as its SID.
3224          */
3225         fsec->isid = isec->sid;
3226         fsec->pseqno = avc_policy_seqno();
3227         /*
3228          * Since the inode label or policy seqno may have changed
3229          * between the selinux_inode_permission check and the saving
3230          * of state above, recheck that access is still permitted.
3231          * Otherwise, access might never be revalidated against the
3232          * new inode label or new policy.
3233          * This check is not redundant - do not remove.
3234          */
3235         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3236 }
3237
3238 /* task security operations */
3239
3240 static int selinux_task_create(unsigned long clone_flags)
3241 {
3242         int rc;
3243
3244         rc = secondary_ops->task_create(clone_flags);
3245         if (rc)
3246                 return rc;
3247
3248         return current_has_perm(current, PROCESS__FORK);
3249 }
3250
3251 /*
3252  * detach and free the LSM part of a set of credentials
3253  */
3254 static void selinux_cred_free(struct cred *cred)
3255 {
3256         struct task_security_struct *tsec = cred->security;
3257         cred->security = NULL;
3258         kfree(tsec);
3259 }
3260
3261 /*
3262  * prepare a new set of credentials for modification
3263  */
3264 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3265                                 gfp_t gfp)
3266 {
3267         const struct task_security_struct *old_tsec;
3268         struct task_security_struct *tsec;
3269
3270         old_tsec = old->security;
3271
3272         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3273         if (!tsec)
3274                 return -ENOMEM;
3275
3276         new->security = tsec;
3277         return 0;
3278 }
3279
3280 /*
3281  * commit new credentials
3282  */
3283 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3284 {
3285         secondary_ops->cred_commit(new, old);
3286 }
3287
3288 /*
3289  * set the security data for a kernel service
3290  * - all the creation contexts are set to unlabelled
3291  */
3292 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3293 {
3294         struct task_security_struct *tsec = new->security;
3295         u32 sid = current_sid();
3296         int ret;
3297
3298         ret = avc_has_perm(sid, secid,
3299                            SECCLASS_KERNEL_SERVICE,
3300                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3301                            NULL);
3302         if (ret == 0) {
3303                 tsec->sid = secid;
3304                 tsec->create_sid = 0;
3305                 tsec->keycreate_sid = 0;
3306                 tsec->sockcreate_sid = 0;
3307         }
3308         return ret;
3309 }
3310
3311 /*
3312  * set the file creation context in a security record to the same as the
3313  * objective context of the specified inode
3314  */
3315 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3316 {
3317         struct inode_security_struct *isec = inode->i_security;
3318         struct task_security_struct *tsec = new->security;
3319         u32 sid = current_sid();
3320         int ret;
3321
3322         ret = avc_has_perm(sid, isec->sid,
3323                            SECCLASS_KERNEL_SERVICE,
3324                            KERNEL_SERVICE__CREATE_FILES_AS,
3325                            NULL);
3326
3327         if (ret == 0)
3328                 tsec->create_sid = isec->sid;
3329         return 0;
3330 }
3331
3332 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3333 {
3334         /* Since setuid only affects the current process, and
3335            since the SELinux controls are not based on the Linux
3336            identity attributes, SELinux does not need to control
3337            this operation.  However, SELinux does control the use
3338            of the CAP_SETUID and CAP_SETGID capabilities using the
3339            capable hook. */
3340         return 0;
3341 }
3342
3343 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3344                                    int flags)
3345 {
3346         return secondary_ops->task_fix_setuid(new, old, flags);
3347 }
3348
3349 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3350 {
3351         /* See the comment for setuid above. */
3352         return 0;
3353 }
3354
3355 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3356 {
3357         return current_has_perm(p, PROCESS__SETPGID);
3358 }
3359
3360 static int selinux_task_getpgid(struct task_struct *p)
3361 {
3362         return current_has_perm(p, PROCESS__GETPGID);
3363 }
3364
3365 static int selinux_task_getsid(struct task_struct *p)
3366 {
3367         return current_has_perm(p, PROCESS__GETSESSION);
3368 }
3369
3370 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3371 {
3372         *secid = task_sid(p);
3373 }
3374
3375 static int selinux_task_setgroups(struct group_info *group_info)
3376 {
3377         /* See the comment for setuid above. */
3378         return 0;
3379 }
3380
3381 static int selinux_task_setnice(struct task_struct *p, int nice)
3382 {
3383         int rc;
3384
3385         rc = secondary_ops->task_setnice(p, nice);
3386         if (rc)
3387                 return rc;
3388
3389         return current_has_perm(p, PROCESS__SETSCHED);
3390 }
3391
3392 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3393 {
3394         int rc;
3395
3396         rc = secondary_ops->task_setioprio(p, ioprio);
3397         if (rc)
3398                 return rc;
3399
3400         return current_has_perm(p, PROCESS__SETSCHED);
3401 }
3402
3403 static int selinux_task_getioprio(struct task_struct *p)
3404 {
3405         return current_has_perm(p, PROCESS__GETSCHED);
3406 }
3407
3408 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3409 {
3410         struct rlimit *old_rlim = current->signal->rlim + resource;
3411         int rc;
3412
3413         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3414         if (rc)
3415                 return rc;
3416
3417         /* Control the ability to change the hard limit (whether
3418            lowering or raising it), so that the hard limit can
3419            later be used as a safe reset point for the soft limit
3420            upon context transitions.  See selinux_bprm_committing_creds. */
3421         if (old_rlim->rlim_max != new_rlim->rlim_max)
3422                 return current_has_perm(current, PROCESS__SETRLIMIT);
3423
3424         return 0;
3425 }
3426
3427 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3428 {
3429         int rc;
3430
3431         rc = secondary_ops->task_setscheduler(p, policy, lp);
3432         if (rc)
3433                 return rc;
3434
3435         return current_has_perm(p, PROCESS__SETSCHED);
3436 }
3437
3438 static int selinux_task_getscheduler(struct task_struct *p)
3439 {
3440         return current_has_perm(p, PROCESS__GETSCHED);
3441 }
3442
3443 static int selinux_task_movememory(struct task_struct *p)
3444 {
3445         return current_has_perm(p, PROCESS__SETSCHED);
3446 }
3447
3448 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3449                                 int sig, u32 secid)
3450 {
3451         u32 perm;
3452         int rc;
3453
3454         rc = secondary_ops->task_kill(p, info, sig, secid);
3455         if (rc)
3456                 return rc;
3457
3458         if (!sig)
3459                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3460         else
3461                 perm = signal_to_av(sig);
3462         if (secid)
3463                 rc = avc_has_perm(secid, task_sid(p),
3464                                   SECCLASS_PROCESS, perm, NULL);
3465         else
3466                 rc = current_has_perm(p, perm);
3467         return rc;
3468 }
3469
3470 static int selinux_task_prctl(int option,
3471                               unsigned long arg2,
3472                               unsigned long arg3,
3473                               unsigned long arg4,
3474                               unsigned long arg5)
3475 {
3476         /* The current prctl operations do not appear to require
3477            any SELinux controls since they merely observe or modify
3478            the state of the current process. */
3479         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3480 }
3481
3482 static int selinux_task_wait(struct task_struct *p)
3483 {
3484         return task_has_perm(p, current, PROCESS__SIGCHLD);
3485 }
3486
3487 static void selinux_task_to_inode(struct task_struct *p,
3488                                   struct inode *inode)
3489 {
3490         struct inode_security_struct *isec = inode->i_security;
3491         u32 sid = task_sid(p);
3492
3493         isec->sid = sid;
3494         isec->initialized = 1;
3495 }
3496
3497 /* Returns error only if unable to parse addresses */
3498 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3499                         struct avc_audit_data *ad, u8 *proto)
3500 {
3501         int offset, ihlen, ret = -EINVAL;
3502         struct iphdr _iph, *ih;
3503
3504         offset = skb_network_offset(skb);
3505         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3506         if (ih == NULL)
3507                 goto out;
3508
3509         ihlen = ih->ihl * 4;
3510         if (ihlen < sizeof(_iph))
3511                 goto out;
3512
3513         ad->u.net.v4info.saddr = ih->saddr;
3514         ad->u.net.v4info.daddr = ih->daddr;
3515         ret = 0;
3516
3517         if (proto)
3518                 *proto = ih->protocol;
3519
3520         switch (ih->protocol) {
3521         case IPPROTO_TCP: {
3522                 struct tcphdr _tcph, *th;
3523
3524                 if (ntohs(ih->frag_off) & IP_OFFSET)
3525                         break;
3526
3527                 offset += ihlen;
3528                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3529                 if (th == NULL)
3530                         break;
3531
3532                 ad->u.net.sport = th->source;
3533                 ad->u.net.dport = th->dest;
3534                 break;
3535         }
3536
3537         case IPPROTO_UDP: {
3538                 struct udphdr _udph, *uh;
3539
3540                 if (ntohs(ih->frag_off) & IP_OFFSET)
3541                         break;
3542
3543                 offset += ihlen;
3544                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3545                 if (uh == NULL)
3546                         break;
3547
3548                 ad->u.net.sport = uh->source;
3549                 ad->u.net.dport = uh->dest;
3550                 break;
3551         }
3552
3553         case IPPROTO_DCCP: {
3554                 struct dccp_hdr _dccph, *dh;
3555
3556                 if (ntohs(ih->frag_off) & IP_OFFSET)
3557                         break;
3558
3559                 offset += ihlen;
3560                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3561                 if (dh == NULL)
3562                         break;
3563
3564                 ad->u.net.sport = dh->dccph_sport;
3565                 ad->u.net.dport = dh->dccph_dport;
3566                 break;
3567         }
3568
3569         default:
3570                 break;
3571         }
3572 out:
3573         return ret;
3574 }
3575
3576 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3577
3578 /* Returns error only if unable to parse addresses */
3579 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3580                         struct avc_audit_data *ad, u8 *proto)
3581 {
3582         u8 nexthdr;
3583         int ret = -EINVAL, offset;
3584         struct ipv6hdr _ipv6h, *ip6;
3585
3586         offset = skb_network_offset(skb);
3587         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3588         if (ip6 == NULL)
3589                 goto out;
3590
3591         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3592         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3593         ret = 0;
3594
3595         nexthdr = ip6->nexthdr;
3596         offset += sizeof(_ipv6h);
3597         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3598         if (offset < 0)
3599                 goto out;
3600
3601         if (proto)
3602                 *proto = nexthdr;
3603
3604         switch (nexthdr) {
3605         case IPPROTO_TCP: {
3606                 struct tcphdr _tcph, *th;
3607
3608                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3609                 if (th == NULL)
3610                         break;
3611
3612                 ad->u.net.sport = th->source;
3613                 ad->u.net.dport = th->dest;
3614                 break;
3615         }
3616
3617         case IPPROTO_UDP: {
3618                 struct udphdr _udph, *uh;
3619
3620                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3621                 if (uh == NULL)
3622                         break;
3623
3624                 ad->u.net.sport = uh->source;
3625                 ad->u.net.dport = uh->dest;
3626                 break;
3627         }
3628
3629         case IPPROTO_DCCP: {
3630                 struct dccp_hdr _dccph, *dh;
3631
3632                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3633                 if (dh == NULL)
3634                         break;
3635
3636                 ad->u.net.sport = dh->dccph_sport;
3637                 ad->u.net.dport = dh->dccph_dport;
3638                 break;
3639         }
3640
3641         /* includes fragments */
3642         default:
3643                 break;
3644         }
3645 out:
3646         return ret;
3647 }
3648
3649 #endif /* IPV6 */
3650
3651 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3652                              char **_addrp, int src, u8 *proto)
3653 {
3654         char *addrp;
3655         int ret;
3656
3657         switch (ad->u.net.family) {
3658         case PF_INET:
3659                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3660                 if (ret)
3661                         goto parse_error;
3662                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3663                                        &ad->u.net.v4info.daddr);
3664                 goto okay;
3665
3666 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3667         case PF_INET6:
3668                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3669                 if (ret)
3670                         goto parse_error;
3671                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3672                                        &ad->u.net.v6info.daddr);
3673                 goto okay;
3674 #endif  /* IPV6 */
3675         default:
3676                 addrp = NULL;
3677                 goto okay;
3678         }
3679
3680 parse_error:
3681         printk(KERN_WARNING
3682                "SELinux: failure in selinux_parse_skb(),"
3683                " unable to parse packet\n");
3684         return ret;
3685
3686 okay:
3687         if (_addrp)
3688                 *_addrp = addrp;
3689         return 0;
3690 }
3691
3692 /**
3693  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3694  * @skb: the packet
3695  * @family: protocol family
3696  * @sid: the packet's peer label SID
3697  *
3698  * Description:
3699  * Check the various different forms of network peer labeling and determine
3700  * the peer label/SID for the packet; most of the magic actually occurs in
3701  * the security server function security_net_peersid_cmp().  The function
3702  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3703  * or -EACCES if @sid is invalid due to inconsistencies with the different
3704  * peer labels.
3705  *
3706  */
3707 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3708 {
3709         int err;
3710         u32 xfrm_sid;
3711         u32 nlbl_sid;
3712         u32 nlbl_type;
3713
3714         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3715         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3716
3717         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3718         if (unlikely(err)) {
3719                 printk(KERN_WARNING
3720                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3721                        " unable to determine packet's peer label\n");
3722                 return -EACCES;
3723         }
3724
3725         return 0;
3726 }
3727
3728 /* socket security operations */
3729 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3730                            u32 perms)
3731 {
3732         struct inode_security_struct *isec;
3733         struct avc_audit_data ad;
3734         u32 sid;
3735         int err = 0;
3736
3737         isec = SOCK_INODE(sock)->i_security;
3738
3739         if (isec->sid == SECINITSID_KERNEL)
3740                 goto out;
3741         sid = task_sid(task);
3742
3743         AVC_AUDIT_DATA_INIT(&ad, NET);
3744         ad.u.net.sk = sock->sk;
3745         err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3746
3747 out:
3748         return err;
3749 }
3750
3751 static int selinux_socket_create(int family, int type,
3752                                  int protocol, int kern)
3753 {
3754         const struct cred *cred = current_cred();
3755         const struct task_security_struct *tsec = cred->security;
3756         u32 sid, newsid;
3757         u16 secclass;
3758         int err = 0;
3759
3760         if (kern)
3761                 goto out;
3762
3763         sid = tsec->sid;
3764         newsid = tsec->sockcreate_sid ?: sid;
3765
3766         secclass = socket_type_to_security_class(family, type, protocol);
3767         err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3768
3769 out:
3770         return err;
3771 }
3772
3773 static int selinux_socket_post_create(struct socket *sock, int family,
3774                                       int type, int protocol, int kern)
3775 {
3776         const struct cred *cred = current_cred();
3777         const struct task_security_struct *tsec = cred->security;
3778         struct inode_security_struct *isec;
3779         struct sk_security_struct *sksec;
3780         u32 sid, newsid;
3781         int err = 0;
3782
3783         sid = tsec->sid;
3784         newsid = tsec->sockcreate_sid;
3785
3786         isec = SOCK_INODE(sock)->i_security;
3787
3788         if (kern)
3789                 isec->sid = SECINITSID_KERNEL;
3790         else if (newsid)
3791                 isec->sid = newsid;
3792         else
3793                 isec->sid = sid;
3794
3795         isec->sclass = socket_type_to_security_class(family, type, protocol);
3796         isec->initialized = 1;
3797
3798         if (sock->sk) {
3799                 sksec = sock->sk->sk_security;
3800                 sksec->sid = isec->sid;
3801                 sksec->sclass = isec->sclass;
3802                 err = selinux_netlbl_socket_post_create(sock);
3803         }
3804
3805         return err;
3806 }
3807
3808 /* Range of port numbers used to automatically bind.
3809    Need to determine whether we should perform a name_bind
3810    permission check between the socket and the port number. */
3811
3812 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3813 {
3814         u16 family;
3815         int err;
3816
3817         err = socket_has_perm(current, sock, SOCKET__BIND);
3818         if (err)
3819                 goto out;
3820
3821         /*
3822          * If PF_INET or PF_INET6, check name_bind permission for the port.
3823          * Multiple address binding for SCTP is not supported yet: we just
3824          * check the first address now.
3825          */
3826         family = sock->sk->sk_family;
3827         if (family == PF_INET || family == PF_INET6) {
3828                 char *addrp;
3829                 struct inode_security_struct *isec;
3830                 struct avc_audit_data ad;
3831                 struct sockaddr_in *addr4 = NULL;
3832                 struct sockaddr_in6 *addr6 = NULL;
3833                 unsigned short snum;
3834                 struct sock *sk = sock->sk;
3835                 u32 sid, node_perm;
3836
3837                 isec = SOCK_INODE(sock)->i_security;
3838
3839                 if (family == PF_INET) {
3840                         addr4 = (struct sockaddr_in *)address;
3841                         snum = ntohs(addr4->sin_port);
3842                         addrp = (char *)&addr4->sin_addr.s_addr;
3843                 } else {
3844                         addr6 = (struct sockaddr_in6 *)address;
3845                         snum = ntohs(addr6->sin6_port);
3846                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3847                 }
3848
3849                 if (snum) {
3850                         int low, high;
3851
3852                         inet_get_local_port_range(&low, &high);
3853
3854                         if (snum < max(PROT_SOCK, low) || snum > high) {
3855                                 err = sel_netport_sid(sk->sk_protocol,
3856                                                       snum, &sid);
3857                                 if (err)
3858                                         goto out;
3859                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3860                                 ad.u.net.sport = htons(snum);
3861                                 ad.u.net.family = family;
3862                                 err = avc_has_perm(isec->sid, sid,
3863                                                    isec->sclass,
3864                                                    SOCKET__NAME_BIND, &ad);
3865                                 if (err)
3866                                         goto out;
3867                         }
3868                 }
3869
3870                 switch (isec->sclass) {
3871                 case SECCLASS_TCP_SOCKET:
3872                         node_perm = TCP_SOCKET__NODE_BIND;
3873                         break;
3874
3875                 case SECCLASS_UDP_SOCKET:
3876                         node_perm = UDP_SOCKET__NODE_BIND;
3877                         break;
3878
3879                 case SECCLASS_DCCP_SOCKET:
3880                         node_perm = DCCP_SOCKET__NODE_BIND;
3881                         break;
3882
3883                 default:
3884                         node_perm = RAWIP_SOCKET__NODE_BIND;
3885                         break;
3886                 }
3887
3888                 err = sel_netnode_sid(addrp, family, &sid);
3889                 if (err)
3890                         goto out;
3891
3892                 AVC_AUDIT_DATA_INIT(&ad, NET);
3893                 ad.u.net.sport = htons(snum);
3894                 ad.u.net.family = family;
3895
3896                 if (family == PF_INET)
3897                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3898                 else
3899                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3900
3901                 err = avc_has_perm(isec->sid, sid,
3902                                    isec->sclass, node_perm, &ad);
3903                 if (err)
3904                         goto out;
3905         }
3906 out:
3907         return err;
3908 }
3909
3910 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3911 {
3912         struct sock *sk = sock->sk;
3913         struct inode_security_struct *isec;
3914         int err;
3915
3916         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3917         if (err)
3918                 return err;
3919
3920         /*
3921          * If a TCP or DCCP socket, check name_connect permission for the port.
3922          */
3923         isec = SOCK_INODE(sock)->i_security;
3924         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3925             isec->sclass == SECCLASS_DCCP_SOCKET) {
3926                 struct avc_audit_data ad;
3927                 struct sockaddr_in *addr4 = NULL;
3928                 struct sockaddr_in6 *addr6 = NULL;
3929                 unsigned short snum;
3930                 u32 sid, perm;
3931
3932                 if (sk->sk_family == PF_INET) {
3933                         addr4 = (struct sockaddr_in *)address;
3934                         if (addrlen < sizeof(struct sockaddr_in))
3935                                 return -EINVAL;
3936                         snum = ntohs(addr4->sin_port);
3937                 } else {
3938                         addr6 = (struct sockaddr_in6 *)address;
3939                         if (addrlen < SIN6_LEN_RFC2133)
3940                                 return -EINVAL;
3941                         snum = ntohs(addr6->sin6_port);
3942                 }
3943
3944                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3945                 if (err)
3946                         goto out;
3947
3948                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3949                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3950
3951                 AVC_AUDIT_DATA_INIT(&ad, NET);
3952                 ad.u.net.dport = htons(snum);
3953                 ad.u.net.family = sk->sk_family;
3954                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3955                 if (err)
3956                         goto out;
3957         }
3958
3959         err = selinux_netlbl_socket_connect(sk, address);
3960
3961 out:
3962         return err;
3963 }
3964
3965 static int selinux_socket_listen(struct socket *sock, int backlog)
3966 {
3967         return socket_has_perm(current, sock, SOCKET__LISTEN);
3968 }
3969
3970 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3971 {
3972         int err;
3973         struct inode_security_struct *isec;
3974         struct inode_security_struct *newisec;
3975
3976         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3977         if (err)
3978                 return err;
3979
3980         newisec = SOCK_INODE(newsock)->i_security;
3981
3982         isec = SOCK_INODE(sock)->i_security;
3983         newisec->sclass = isec->sclass;
3984         newisec->sid = isec->sid;
3985         newisec->initialized = 1;
3986
3987         return 0;
3988 }
3989
3990 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3991                                   int size)
3992 {
3993         int rc;
3994
3995         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3996         if (rc)
3997                 return rc;
3998
3999         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
4000 }
4001
4002 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4003                                   int size, int flags)
4004 {
4005         return socket_has_perm(current, sock, SOCKET__READ);
4006 }
4007
4008 static int selinux_socket_getsockname(struct socket *sock)
4009 {
4010         return socket_has_perm(current, sock, SOCKET__GETATTR);
4011 }
4012
4013 static int selinux_socket_getpeername(struct socket *sock)
4014 {
4015         return socket_has_perm(current, sock, SOCKET__GETATTR);
4016 }
4017
4018 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4019 {
4020         int err;
4021
4022         err = socket_has_perm(current, sock, SOCKET__SETOPT);
4023         if (err)
4024                 return err;
4025
4026         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4027 }
4028
4029 static int selinux_socket_getsockopt(struct socket *sock, int level,
4030                                      int optname)
4031 {
4032         return socket_has_perm(current, sock, SOCKET__GETOPT);
4033 }
4034
4035 static int selinux_socket_shutdown(struct socket *sock, int how)
4036 {
4037         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4038 }
4039
4040 static int selinux_socket_unix_stream_connect(struct socket *sock,
4041                                               struct socket *other,
4042                                               struct sock *newsk)
4043 {
4044         struct sk_security_struct *ssec;
4045         struct inode_security_struct *isec;
4046         struct inode_security_struct *other_isec;
4047         struct avc_audit_data ad;
4048         int err;
4049
4050         err = secondary_ops->unix_stream_connect(sock, other, newsk);
4051         if (err)
4052                 return err;
4053
4054         isec = SOCK_INODE(sock)->i_security;
4055         other_isec = SOCK_INODE(other)->i_security;
4056
4057         AVC_AUDIT_DATA_INIT(&ad, NET);
4058         ad.u.net.sk = other->sk;
4059
4060         err = avc_has_perm(isec->sid, other_isec->sid,
4061                            isec->sclass,
4062                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4063         if (err)
4064                 return err;
4065
4066         /* connecting socket */
4067         ssec = sock->sk->sk_security;
4068         ssec->peer_sid = other_isec->sid;
4069
4070         /* server child socket */
4071         ssec = newsk->sk_security;
4072         ssec->peer_sid = isec->sid;
4073         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4074
4075         return err;
4076 }
4077
4078 static int selinux_socket_unix_may_send(struct socket *sock,
4079                                         struct socket *other)
4080 {
4081         struct inode_security_struct *isec;
4082         struct inode_security_struct *other_isec;
4083         struct avc_audit_data ad;
4084         int err;
4085
4086         isec = SOCK_INODE(sock)->i_security;
4087         other_isec = SOCK_INODE(other)->i_security;
4088
4089         AVC_AUDIT_DATA_INIT(&ad, NET);
4090         ad.u.net.sk = other->sk;
4091
4092         err = avc_has_perm(isec->sid, other_isec->sid,
4093                            isec->sclass, SOCKET__SENDTO, &ad);
4094         if (err)
4095                 return err;
4096
4097         return 0;
4098 }
4099
4100 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4101                                     u32 peer_sid,
4102                                     struct avc_audit_data *ad)
4103 {
4104         int err;
4105         u32 if_sid;
4106         u32 node_sid;
4107
4108         err = sel_netif_sid(ifindex, &if_sid);
4109         if (err)
4110                 return err;
4111         err = avc_has_perm(peer_sid, if_sid,
4112                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4113         if (err)
4114                 return err;
4115
4116         err = sel_netnode_sid(addrp, family, &node_sid);
4117         if (err)
4118                 return err;
4119         return avc_has_perm(peer_sid, node_sid,
4120                             SECCLASS_NODE, NODE__RECVFROM, ad);
4121 }
4122
4123 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4124                                                 struct sk_buff *skb,
4125                                                 struct avc_audit_data *ad,
4126                                                 u16 family,
4127                                                 char *addrp)
4128 {
4129         int err;
4130         struct sk_security_struct *sksec = sk->sk_security;
4131         u16 sk_class;
4132         u32 netif_perm, node_perm, recv_perm;
4133         u32 port_sid, node_sid, if_sid, sk_sid;
4134
4135         sk_sid = sksec->sid;
4136         sk_class = sksec->sclass;
4137
4138         switch (sk_class) {
4139         case SECCLASS_UDP_SOCKET:
4140                 netif_perm = NETIF__UDP_RECV;
4141                 node_perm = NODE__UDP_RECV;
4142                 recv_perm = UDP_SOCKET__RECV_MSG;
4143                 break;
4144         case SECCLASS_TCP_SOCKET:
4145                 netif_perm = NETIF__TCP_RECV;
4146                 node_perm = NODE__TCP_RECV;
4147                 recv_perm = TCP_SOCKET__RECV_MSG;
4148                 break;
4149         case SECCLASS_DCCP_SOCKET:
4150                 netif_perm = NETIF__DCCP_RECV;
4151                 node_perm = NODE__DCCP_RECV;
4152                 recv_perm = DCCP_SOCKET__RECV_MSG;
4153                 break;
4154         default:
4155                 netif_perm = NETIF__RAWIP_RECV;
4156                 node_perm = NODE__RAWIP_RECV;
4157                 recv_perm = 0;
4158                 break;
4159         }
4160
4161         err = sel_netif_sid(skb->iif, &if_sid);
4162         if (err)
4163                 return err;
4164         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4165         if (err)
4166                 return err;
4167
4168         err = sel_netnode_sid(addrp, family, &node_sid);
4169         if (err)
4170                 return err;
4171         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4172         if (err)
4173                 return err;
4174
4175         if (!recv_perm)
4176                 return 0;
4177         err = sel_netport_sid(sk->sk_protocol,
4178                               ntohs(ad->u.net.sport), &port_sid);
4179         if (unlikely(err)) {
4180                 printk(KERN_WARNING
4181                        "SELinux: failure in"
4182                        " selinux_sock_rcv_skb_iptables_compat(),"
4183                        " network port label not found\n");
4184                 return err;
4185         }
4186         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4187 }
4188
4189 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4190                                        u16 family)
4191 {
4192         int err = 0;
4193         struct sk_security_struct *sksec = sk->sk_security;
4194         u32 peer_sid;
4195         u32 sk_sid = sksec->sid;
4196         struct avc_audit_data ad;
4197         char *addrp;
4198
4199         AVC_AUDIT_DATA_INIT(&ad, NET);
4200         ad.u.net.netif = skb->iif;
4201         ad.u.net.family = family;
4202         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4203         if (err)
4204                 return err;
4205
4206         if (selinux_compat_net)
4207                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4208                                                            family, addrp);
4209         else if (selinux_secmark_enabled())
4210                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4211                                    PACKET__RECV, &ad);
4212         if (err)
4213                 return err;
4214
4215         if (selinux_policycap_netpeer) {
4216                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4217                 if (err)
4218                         return err;
4219                 err = avc_has_perm(sk_sid, peer_sid,
4220                                    SECCLASS_PEER, PEER__RECV, &ad);
4221                 if (err)
4222                         selinux_netlbl_err(skb, err, 0);
4223         } else {
4224                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4225                 if (err)
4226                         return err;
4227                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4228         }
4229
4230         return err;
4231 }
4232
4233 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4234 {
4235         int err;
4236         struct sk_security_struct *sksec = sk->sk_security;
4237         u16 family = sk->sk_family;
4238         u32 sk_sid = sksec->sid;
4239         struct avc_audit_data ad;
4240         char *addrp;
4241         u8 secmark_active;
4242         u8 peerlbl_active;
4243
4244         if (family != PF_INET && family != PF_INET6)
4245                 return 0;
4246
4247         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4248         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4249                 family = PF_INET;
4250
4251         /* If any sort of compatibility mode is enabled then handoff processing
4252          * to the selinux_sock_rcv_skb_compat() function to deal with the
4253          * special handling.  We do this in an attempt to keep this function
4254          * as fast and as clean as possible. */
4255         if (selinux_compat_net || !selinux_policycap_netpeer)
4256                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4257
4258         secmark_active = selinux_secmark_enabled();
4259         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4260         if (!secmark_active && !peerlbl_active)
4261                 return 0;
4262
4263         AVC_AUDIT_DATA_INIT(&ad, NET);
4264         ad.u.net.netif = skb->iif;
4265         ad.u.net.family = family;
4266         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4267         if (err)
4268                 return err;
4269
4270         if (peerlbl_active) {
4271                 u32 peer_sid;
4272
4273                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4274                 if (err)
4275                         return err;
4276                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4277                                                peer_sid, &ad);
4278                 if (err) {
4279                         selinux_netlbl_err(skb, err, 0);
4280                         return err;
4281                 }
4282                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4283                                    PEER__RECV, &ad);
4284                 if (err)
4285                         selinux_netlbl_err(skb, err, 0);
4286         }
4287
4288         if (secmark_active) {
4289                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4290                                    PACKET__RECV, &ad);
4291                 if (err)
4292                         return err;
4293         }
4294
4295         return err;
4296 }
4297
4298 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4299                                             int __user *optlen, unsigned len)
4300 {
4301         int err = 0;
4302         char *scontext;
4303         u32 scontext_len;
4304         struct sk_security_struct *ssec;
4305         struct inode_security_struct *isec;
4306         u32 peer_sid = SECSID_NULL;
4307
4308         isec = SOCK_INODE(sock)->i_security;
4309
4310         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4311             isec->sclass == SECCLASS_TCP_SOCKET) {
4312                 ssec = sock->sk->sk_security;
4313                 peer_sid = ssec->peer_sid;
4314         }
4315         if (peer_sid == SECSID_NULL) {
4316                 err = -ENOPROTOOPT;
4317                 goto out;
4318         }
4319
4320         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4321
4322         if (err)
4323                 goto out;
4324
4325         if (scontext_len > len) {
4326                 err = -ERANGE;
4327                 goto out_len;
4328         }
4329
4330         if (copy_to_user(optval, scontext, scontext_len))
4331                 err = -EFAULT;
4332
4333 out_len:
4334         if (put_user(scontext_len, optlen))
4335                 err = -EFAULT;
4336
4337         kfree(scontext);
4338 out:
4339         return err;
4340 }
4341
4342 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4343 {
4344         u32 peer_secid = SECSID_NULL;
4345         u16 family;
4346
4347         if (skb && skb->protocol == htons(ETH_P_IP))
4348                 family = PF_INET;
4349         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4350                 family = PF_INET6;
4351         else if (sock)
4352                 family = sock->sk->sk_family;
4353         else
4354                 goto out;
4355
4356         if (sock && family == PF_UNIX)
4357                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4358         else if (skb)
4359                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4360
4361 out:
4362         *secid = peer_secid;
4363         if (peer_secid == SECSID_NULL)
4364                 return -EINVAL;
4365         return 0;
4366 }
4367
4368 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4369 {
4370         return sk_alloc_security(sk, family, priority);
4371 }
4372
4373 static void selinux_sk_free_security(struct sock *sk)
4374 {
4375         sk_free_security(sk);
4376 }
4377
4378 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4379 {
4380         struct sk_security_struct *ssec = sk->sk_security;
4381         struct sk_security_struct *newssec = newsk->sk_security;
4382
4383         newssec->sid = ssec->sid;
4384         newssec->peer_sid = ssec->peer_sid;
4385         newssec->sclass = ssec->sclass;
4386
4387         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4388 }
4389
4390 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4391 {
4392         if (!sk)
4393                 *secid = SECINITSID_ANY_SOCKET;
4394         else {
4395                 struct sk_security_struct *sksec = sk->sk_security;
4396
4397                 *secid = sksec->sid;
4398         }
4399 }
4400
4401 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4402 {
4403         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4404         struct sk_security_struct *sksec = sk->sk_security;
4405
4406         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4407             sk->sk_family == PF_UNIX)
4408                 isec->sid = sksec->sid;
4409         sksec->sclass = isec->sclass;
4410 }
4411
4412 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4413                                      struct request_sock *req)
4414 {
4415         struct sk_security_struct *sksec = sk->sk_security;
4416         int err;
4417         u16 family = sk->sk_family;
4418         u32 newsid;
4419         u32 peersid;
4420
4421         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4422         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4423                 family = PF_INET;
4424
4425         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4426         if (err)
4427                 return err;
4428         if (peersid == SECSID_NULL) {
4429                 req->secid = sksec->sid;
4430                 req->peer_secid = SECSID_NULL;
4431                 return 0;
4432         }
4433
4434         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4435         if (err)
4436                 return err;
4437
4438         req->secid = newsid;
4439         req->peer_secid = peersid;
4440         return 0;
4441 }
4442
4443 static void selinux_inet_csk_clone(struct sock *newsk,
4444                                    const struct request_sock *req)
4445 {
4446         struct sk_security_struct *newsksec = newsk->sk_security;
4447
4448         newsksec->sid = req->secid;
4449         newsksec->peer_sid = req->peer_secid;
4450         /* NOTE: Ideally, we should also get the isec->sid for the
4451            new socket in sync, but we don't have the isec available yet.
4452            So we will wait until sock_graft to do it, by which
4453            time it will have been created and available. */
4454
4455         /* We don't need to take any sort of lock here as we are the only
4456          * thread with access to newsksec */
4457         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4458 }
4459
4460 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4461 {
4462         u16 family = sk->sk_family;
4463         struct sk_security_struct *sksec = sk->sk_security;
4464
4465         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4466         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4467                 family = PF_INET;
4468
4469         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4470
4471         selinux_netlbl_inet_conn_established(sk, family);
4472 }
4473
4474 static void selinux_req_classify_flow(const struct request_sock *req,
4475                                       struct flowi *fl)
4476 {
4477         fl->secid = req->secid;
4478 }
4479
4480 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4481 {
4482         int err = 0;
4483         u32 perm;
4484         struct nlmsghdr *nlh;
4485         struct socket *sock = sk->sk_socket;
4486         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4487
4488         if (skb->len < NLMSG_SPACE(0)) {
4489                 err = -EINVAL;
4490                 goto out;
4491         }
4492         nlh = nlmsg_hdr(skb);
4493
4494         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4495         if (err) {
4496                 if (err == -EINVAL) {
4497                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4498                                   "SELinux:  unrecognized netlink message"
4499                                   " type=%hu for sclass=%hu\n",
4500                                   nlh->nlmsg_type, isec->sclass);
4501                         if (!selinux_enforcing || security_get_allow_unknown())
4502                                 err = 0;
4503                 }
4504
4505                 /* Ignore */
4506                 if (err == -ENOENT)
4507                         err = 0;
4508                 goto out;
4509         }
4510
4511         err = socket_has_perm(current, sock, perm);
4512 out:
4513         return err;
4514 }
4515
4516 #ifdef CONFIG_NETFILTER
4517
4518 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4519                                        u16 family)
4520 {
4521         int err;
4522         char *addrp;
4523         u32 peer_sid;
4524         struct avc_audit_data ad;
4525         u8 secmark_active;
4526         u8 netlbl_active;
4527         u8 peerlbl_active;
4528
4529         if (!selinux_policycap_netpeer)
4530                 return NF_ACCEPT;
4531
4532         secmark_active = selinux_secmark_enabled();
4533         netlbl_active = netlbl_enabled();
4534         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4535         if (!secmark_active && !peerlbl_active)
4536                 return NF_ACCEPT;
4537
4538         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4539                 return NF_DROP;
4540
4541         AVC_AUDIT_DATA_INIT(&ad, NET);
4542         ad.u.net.netif = ifindex;
4543         ad.u.net.family = family;
4544         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4545                 return NF_DROP;
4546
4547         if (peerlbl_active) {
4548                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4549                                                peer_sid, &ad);
4550                 if (err) {
4551                         selinux_netlbl_err(skb, err, 1);
4552                         return NF_DROP;
4553                 }
4554         }
4555
4556         if (secmark_active)
4557                 if (avc_has_perm(peer_sid, skb->secmark,
4558                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4559                         return NF_DROP;
4560
4561         if (netlbl_active)
4562                 /* we do this in the FORWARD path and not the POST_ROUTING
4563                  * path because we want to make sure we apply the necessary
4564                  * labeling before IPsec is applied so we can leverage AH
4565                  * protection */
4566                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4567                         return NF_DROP;
4568
4569         return NF_ACCEPT;
4570 }
4571
4572 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4573                                          struct sk_buff *skb,
4574                                          const struct net_device *in,
4575                                          const struct net_device *out,
4576                                          int (*okfn)(struct sk_buff *))
4577 {
4578         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4579 }
4580
4581 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4582 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4583                                          struct sk_buff *skb,
4584                                          const struct net_device *in,
4585                                          const struct net_device *out,
4586                                          int (*okfn)(struct sk_buff *))
4587 {
4588         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4589 }
4590 #endif  /* IPV6 */
4591
4592 static unsigned int selinux_ip_output(struct sk_buff *skb,
4593                                       u16 family)
4594 {
4595         u32 sid;
4596
4597         if (!netlbl_enabled())
4598                 return NF_ACCEPT;
4599
4600         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4601          * because we want to make sure we apply the necessary labeling
4602          * before IPsec is applied so we can leverage AH protection */
4603         if (skb->sk) {
4604                 struct sk_security_struct *sksec = skb->sk->sk_security;
4605                 sid = sksec->sid;
4606         } else
4607                 sid = SECINITSID_KERNEL;
4608         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4609                 return NF_DROP;
4610
4611         return NF_ACCEPT;
4612 }
4613
4614 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4615                                         struct sk_buff *skb,
4616                                         const struct net_device *in,
4617                                         const struct net_device *out,
4618                                         int (*okfn)(struct sk_buff *))
4619 {
4620         return selinux_ip_output(skb, PF_INET);
4621 }
4622
4623 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4624                                                 int ifindex,
4625                                                 struct avc_audit_data *ad,
4626                                                 u16 family, char *addrp)
4627 {
4628         int err;
4629         struct sk_security_struct *sksec = sk->sk_security;
4630         u16 sk_class;
4631         u32 netif_perm, node_perm, send_perm;
4632         u32 port_sid, node_sid, if_sid, sk_sid;
4633
4634         sk_sid = sksec->sid;
4635         sk_class = sksec->sclass;
4636
4637         switch (sk_class) {
4638         case SECCLASS_UDP_SOCKET:
4639                 netif_perm = NETIF__UDP_SEND;
4640                 node_perm = NODE__UDP_SEND;
4641                 send_perm = UDP_SOCKET__SEND_MSG;
4642                 break;
4643         case SECCLASS_TCP_SOCKET:
4644                 netif_perm = NETIF__TCP_SEND;
4645                 node_perm = NODE__TCP_SEND;
4646                 send_perm = TCP_SOCKET__SEND_MSG;
4647                 break;
4648         case SECCLASS_DCCP_SOCKET:
4649                 netif_perm = NETIF__DCCP_SEND;
4650                 node_perm = NODE__DCCP_SEND;
4651                 send_perm = DCCP_SOCKET__SEND_MSG;
4652                 break;
4653         default:
4654                 netif_perm = NETIF__RAWIP_SEND;
4655                 node_perm = NODE__RAWIP_SEND;
4656                 send_perm = 0;
4657                 break;
4658         }
4659
4660         err = sel_netif_sid(ifindex, &if_sid);
4661         if (err)
4662                 return err;
4663         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4664                 return err;
4665
4666         err = sel_netnode_sid(addrp, family, &node_sid);
4667         if (err)
4668                 return err;
4669         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4670         if (err)
4671                 return err;
4672
4673         if (send_perm != 0)
4674                 return 0;
4675
4676         err = sel_netport_sid(sk->sk_protocol,
4677                               ntohs(ad->u.net.dport), &port_sid);
4678         if (unlikely(err)) {
4679                 printk(KERN_WARNING
4680                        "SELinux: failure in"
4681                        " selinux_ip_postroute_iptables_compat(),"
4682                        " network port label not found\n");
4683                 return err;
4684         }
4685         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4686 }
4687
4688 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4689                                                 int ifindex,
4690                                                 u16 family)
4691 {
4692         struct sock *sk = skb->sk;
4693         struct sk_security_struct *sksec;
4694         struct avc_audit_data ad;
4695         char *addrp;
4696         u8 proto;
4697
4698         if (sk == NULL)
4699                 return NF_ACCEPT;
4700         sksec = sk->sk_security;
4701
4702         AVC_AUDIT_DATA_INIT(&ad, NET);
4703         ad.u.net.netif = ifindex;
4704         ad.u.net.family = family;
4705         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4706                 return NF_DROP;
4707
4708         if (selinux_compat_net) {
4709                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4710                                                          &ad, family, addrp))
4711                         return NF_DROP;
4712         } else if (selinux_secmark_enabled()) {
4713                 if (avc_has_perm(sksec->sid, skb->secmark,
4714                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4715                         return NF_DROP;
4716         }
4717
4718         if (selinux_policycap_netpeer)
4719                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4720                         return NF_DROP;
4721
4722         return NF_ACCEPT;
4723 }
4724
4725 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4726                                          u16 family)
4727 {
4728         u32 secmark_perm;
4729         u32 peer_sid;
4730         struct sock *sk;
4731         struct avc_audit_data ad;
4732         char *addrp;
4733         u8 secmark_active;
4734         u8 peerlbl_active;
4735
4736         /* If any sort of compatibility mode is enabled then handoff processing
4737          * to the selinux_ip_postroute_compat() function to deal with the
4738          * special handling.  We do this in an attempt to keep this function
4739          * as fast and as clean as possible. */
4740         if (selinux_compat_net || !selinux_policycap_netpeer)
4741                 return selinux_ip_postroute_compat(skb, ifindex, family);
4742 #ifdef CONFIG_XFRM
4743         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4744          * packet transformation so allow the packet to pass without any checks
4745          * since we'll have another chance to perform access control checks
4746          * when the packet is on it's final way out.
4747          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4748          *       is NULL, in this case go ahead and apply access control. */
4749         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4750                 return NF_ACCEPT;
4751 #endif
4752         secmark_active = selinux_secmark_enabled();
4753         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4754         if (!secmark_active && !peerlbl_active)
4755                 return NF_ACCEPT;
4756
4757         /* if the packet is being forwarded then get the peer label from the
4758          * packet itself; otherwise check to see if it is from a local
4759          * application or the kernel, if from an application get the peer label
4760          * from the sending socket, otherwise use the kernel's sid */
4761         sk = skb->sk;
4762         if (sk == NULL) {
4763                 switch (family) {
4764                 case PF_INET:
4765                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4766                                 secmark_perm = PACKET__FORWARD_OUT;
4767                         else
4768                                 secmark_perm = PACKET__SEND;
4769                         break;
4770                 case PF_INET6:
4771                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4772                                 secmark_perm = PACKET__FORWARD_OUT;
4773                         else
4774                                 secmark_perm = PACKET__SEND;
4775                         break;
4776                 default:
4777                         return NF_DROP;
4778                 }
4779                 if (secmark_perm == PACKET__FORWARD_OUT) {
4780                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4781                                 return NF_DROP;
4782                 } else
4783                         peer_sid = SECINITSID_KERNEL;
4784         } else {
4785                 struct sk_security_struct *sksec = sk->sk_security;
4786                 peer_sid = sksec->sid;
4787                 secmark_perm = PACKET__SEND;
4788         }
4789
4790         AVC_AUDIT_DATA_INIT(&ad, NET);
4791         ad.u.net.netif = ifindex;
4792         ad.u.net.family = family;
4793         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4794                 return NF_DROP;
4795
4796         if (secmark_active)
4797                 if (avc_has_perm(peer_sid, skb->secmark,
4798                                  SECCLASS_PACKET, secmark_perm, &ad))
4799                         return NF_DROP;
4800
4801         if (peerlbl_active) {
4802                 u32 if_sid;
4803                 u32 node_sid;
4804
4805                 if (sel_netif_sid(ifindex, &if_sid))
4806                         return NF_DROP;
4807                 if (avc_has_perm(peer_sid, if_sid,
4808                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4809                         return NF_DROP;
4810
4811                 if (sel_netnode_sid(addrp, family, &node_sid))
4812                         return NF_DROP;
4813                 if (avc_has_perm(peer_sid, node_sid,
4814                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4815                         return NF_DROP;
4816         }
4817
4818         return NF_ACCEPT;
4819 }
4820
4821 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4822                                            struct sk_buff *skb,
4823                                            const struct net_device *in,
4824                                            const struct net_device *out,
4825                                            int (*okfn)(struct sk_buff *))
4826 {
4827         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4828 }
4829
4830 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4831 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4832                                            struct sk_buff *skb,
4833                                            const struct net_device *in,
4834                                            const struct net_device *out,
4835                                            int (*okfn)(struct sk_buff *))
4836 {
4837         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4838 }
4839 #endif  /* IPV6 */
4840
4841 #endif  /* CONFIG_NETFILTER */
4842
4843 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4844 {
4845         int err;
4846
4847         err = secondary_ops->netlink_send(sk, skb);
4848         if (err)
4849                 return err;
4850
4851         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4852                 err = selinux_nlmsg_perm(sk, skb);
4853
4854         return err;
4855 }
4856
4857 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4858 {
4859         int err;
4860         struct avc_audit_data ad;
4861
4862         err = secondary_ops->netlink_recv(skb, capability);
4863         if (err)
4864                 return err;
4865
4866         AVC_AUDIT_DATA_INIT(&ad, CAP);
4867         ad.u.cap = capability;
4868
4869         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4870                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4871 }
4872
4873 static int ipc_alloc_security(struct task_struct *task,
4874                               struct kern_ipc_perm *perm,
4875                               u16 sclass)
4876 {
4877         struct ipc_security_struct *isec;
4878         u32 sid;
4879
4880         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4881         if (!isec)
4882                 return -ENOMEM;
4883
4884         sid = task_sid(task);
4885         isec->sclass = sclass;
4886         isec->sid = sid;
4887         perm->security = isec;
4888
4889         return 0;
4890 }
4891
4892 static void ipc_free_security(struct kern_ipc_perm *perm)
4893 {
4894         struct ipc_security_struct *isec = perm->security;
4895         perm->security = NULL;
4896         kfree(isec);
4897 }
4898
4899 static int msg_msg_alloc_security(struct msg_msg *msg)
4900 {
4901         struct msg_security_struct *msec;
4902
4903         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4904         if (!msec)
4905                 return -ENOMEM;
4906
4907         msec->sid = SECINITSID_UNLABELED;
4908         msg->security = msec;
4909
4910         return 0;
4911 }
4912
4913 static void msg_msg_free_security(struct msg_msg *msg)
4914 {
4915         struct msg_security_struct *msec = msg->security;
4916
4917         msg->security = NULL;
4918         kfree(msec);
4919 }
4920
4921 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4922                         u32 perms)
4923 {
4924         struct ipc_security_struct *isec;
4925         struct avc_audit_data ad;
4926         u32 sid = current_sid();
4927
4928         isec = ipc_perms->security;
4929
4930         AVC_AUDIT_DATA_INIT(&ad, IPC);
4931         ad.u.ipc_id = ipc_perms->key;
4932
4933         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4934 }
4935
4936 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4937 {
4938         return msg_msg_alloc_security(msg);
4939 }
4940
4941 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4942 {
4943         msg_msg_free_security(msg);
4944 }
4945
4946 /* message queue security operations */
4947 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4948 {
4949         struct ipc_security_struct *isec;
4950         struct avc_audit_data ad;
4951         u32 sid = current_sid();
4952         int rc;
4953
4954         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4955         if (rc)
4956                 return rc;
4957
4958         isec = msq->q_perm.security;
4959
4960         AVC_AUDIT_DATA_INIT(&ad, IPC);
4961         ad.u.ipc_id = msq->q_perm.key;
4962
4963         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4964                           MSGQ__CREATE, &ad);
4965         if (rc) {
4966                 ipc_free_security(&msq->q_perm);
4967                 return rc;
4968         }
4969         return 0;
4970 }
4971
4972 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4973 {
4974         ipc_free_security(&msq->q_perm);
4975 }
4976
4977 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4978 {
4979         struct ipc_security_struct *isec;
4980         struct avc_audit_data ad;
4981         u32 sid = current_sid();
4982
4983         isec = msq->q_perm.security;
4984
4985         AVC_AUDIT_DATA_INIT(&ad, IPC);
4986         ad.u.ipc_id = msq->q_perm.key;
4987
4988         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4989                             MSGQ__ASSOCIATE, &ad);
4990 }
4991
4992 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4993 {
4994         int err;
4995         int perms;
4996
4997         switch (cmd) {
4998         case IPC_INFO:
4999         case MSG_INFO:
5000                 /* No specific object, just general system-wide information. */
5001                 return task_has_system(current, SYSTEM__IPC_INFO);
5002         case IPC_STAT:
5003         case MSG_STAT:
5004                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5005                 break;
5006         case IPC_SET:
5007                 perms = MSGQ__SETATTR;
5008                 break;
5009         case IPC_RMID:
5010                 perms = MSGQ__DESTROY;
5011                 break;
5012         default:
5013                 return 0;
5014         }
5015
5016         err = ipc_has_perm(&msq->q_perm, perms);
5017         return err;
5018 }
5019
5020 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5021 {
5022         struct ipc_security_struct *isec;
5023         struct msg_security_struct *msec;
5024         struct avc_audit_data ad;
5025         u32 sid = current_sid();
5026         int rc;
5027
5028         isec = msq->q_perm.security;
5029         msec = msg->security;
5030
5031         /*
5032          * First time through, need to assign label to the message
5033          */
5034         if (msec->sid == SECINITSID_UNLABELED) {
5035                 /*
5036                  * Compute new sid based on current process and
5037                  * message queue this message will be stored in
5038                  */
5039                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5040                                              &msec->sid);
5041                 if (rc)
5042                         return rc;
5043         }
5044
5045         AVC_AUDIT_DATA_INIT(&ad, IPC);
5046         ad.u.ipc_id = msq->q_perm.key;
5047
5048         /* Can this process write to the queue? */
5049         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5050                           MSGQ__WRITE, &ad);
5051         if (!rc)
5052                 /* Can this process send the message */
5053                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5054                                   MSG__SEND, &ad);
5055         if (!rc)
5056                 /* Can the message be put in the queue? */
5057                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5058                                   MSGQ__ENQUEUE, &ad);
5059
5060         return rc;
5061 }
5062
5063 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5064                                     struct task_struct *target,
5065                                     long type, int mode)
5066 {
5067         struct ipc_security_struct *isec;
5068         struct msg_security_struct *msec;
5069         struct avc_audit_data ad;
5070         u32 sid = task_sid(target);
5071         int rc;
5072
5073         isec = msq->q_perm.security;
5074         msec = msg->security;
5075
5076         AVC_AUDIT_DATA_INIT(&ad, IPC);
5077         ad.u.ipc_id = msq->q_perm.key;
5078
5079         rc = avc_has_perm(sid, isec->sid,
5080                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5081         if (!rc)
5082                 rc = avc_has_perm(sid, msec->sid,
5083                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5084         return rc;
5085 }
5086
5087 /* Shared Memory security operations */
5088 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5089 {
5090         struct ipc_security_struct *isec;
5091         struct avc_audit_data ad;
5092         u32 sid = current_sid();
5093         int rc;
5094
5095         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5096         if (rc)
5097                 return rc;
5098
5099         isec = shp->shm_perm.security;
5100
5101         AVC_AUDIT_DATA_INIT(&ad, IPC);
5102         ad.u.ipc_id = shp->shm_perm.key;
5103
5104         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5105                           SHM__CREATE, &ad);
5106         if (rc) {
5107                 ipc_free_security(&shp->shm_perm);
5108                 return rc;
5109         }
5110         return 0;
5111 }
5112
5113 static void selinux_shm_free_security(struct shmid_kernel *shp)
5114 {
5115         ipc_free_security(&shp->shm_perm);
5116 }
5117
5118 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5119 {
5120         struct ipc_security_struct *isec;
5121         struct avc_audit_data ad;
5122         u32 sid = current_sid();
5123
5124         isec = shp->shm_perm.security;
5125
5126         AVC_AUDIT_DATA_INIT(&ad, IPC);
5127         ad.u.ipc_id = shp->shm_perm.key;
5128
5129         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5130                             SHM__ASSOCIATE, &ad);
5131 }
5132
5133 /* Note, at this point, shp is locked down */
5134 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5135 {
5136         int perms;
5137         int err;
5138
5139         switch (cmd) {
5140         case IPC_INFO:
5141         case SHM_INFO:
5142                 /* No specific object, just general system-wide information. */
5143                 return task_has_system(current, SYSTEM__IPC_INFO);
5144         case IPC_STAT:
5145         case SHM_STAT:
5146                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5147                 break;
5148         case IPC_SET:
5149                 perms = SHM__SETATTR;
5150                 break;
5151         case SHM_LOCK:
5152         case SHM_UNLOCK:
5153                 perms = SHM__LOCK;
5154                 break;
5155         case IPC_RMID:
5156                 perms = SHM__DESTROY;
5157                 break;
5158         default:
5159                 return 0;
5160         }
5161
5162         err = ipc_has_perm(&shp->shm_perm, perms);
5163         return err;
5164 }
5165
5166 static int selinux_shm_shmat(struct shmid_kernel *shp,
5167                              char __user *shmaddr, int shmflg)
5168 {
5169         u32 perms;
5170         int rc;
5171
5172         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5173         if (rc)
5174                 return rc;
5175
5176         if (shmflg & SHM_RDONLY)
5177                 perms = SHM__READ;
5178         else
5179                 perms = SHM__READ | SHM__WRITE;
5180
5181         return ipc_has_perm(&shp->shm_perm, perms);
5182 }
5183
5184 /* Semaphore security operations */
5185 static int selinux_sem_alloc_security(struct sem_array *sma)
5186 {
5187         struct ipc_security_struct *isec;
5188         struct avc_audit_data ad;
5189         u32 sid = current_sid();
5190         int rc;
5191
5192         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5193         if (rc)
5194                 return rc;
5195
5196         isec = sma->sem_perm.security;
5197
5198         AVC_AUDIT_DATA_INIT(&ad, IPC);
5199         ad.u.ipc_id = sma->sem_perm.key;
5200
5201         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5202                           SEM__CREATE, &ad);
5203         if (rc) {
5204                 ipc_free_security(&sma->sem_perm);
5205                 return rc;
5206         }
5207         return 0;
5208 }
5209
5210 static void selinux_sem_free_security(struct sem_array *sma)
5211 {
5212         ipc_free_security(&sma->sem_perm);
5213 }
5214
5215 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5216 {
5217         struct ipc_security_struct *isec;
5218         struct avc_audit_data ad;
5219         u32 sid = current_sid();
5220
5221         isec = sma->sem_perm.security;
5222
5223         AVC_AUDIT_DATA_INIT(&ad, IPC);
5224         ad.u.ipc_id = sma->sem_perm.key;
5225
5226         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5227                             SEM__ASSOCIATE, &ad);
5228 }
5229
5230 /* Note, at this point, sma is locked down */
5231 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5232 {
5233         int err;
5234         u32 perms;
5235
5236         switch (cmd) {
5237         case IPC_INFO:
5238         case SEM_INFO:
5239                 /* No specific object, just general system-wide information. */
5240                 return task_has_system(current, SYSTEM__IPC_INFO);
5241         case GETPID:
5242         case GETNCNT:
5243         case GETZCNT:
5244                 perms = SEM__GETATTR;
5245                 break;
5246         case GETVAL:
5247         case GETALL:
5248                 perms = SEM__READ;
5249                 break;
5250         case SETVAL:
5251         case SETALL:
5252                 perms = SEM__WRITE;
5253                 break;
5254         case IPC_RMID:
5255                 perms = SEM__DESTROY;
5256                 break;
5257         case IPC_SET:
5258                 perms = SEM__SETATTR;
5259                 break;
5260         case IPC_STAT:
5261         case SEM_STAT:
5262                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5263                 break;
5264         default:
5265                 return 0;
5266         }
5267
5268         err = ipc_has_perm(&sma->sem_perm, perms);
5269         return err;
5270 }
5271
5272 static int selinux_sem_semop(struct sem_array *sma,
5273                              struct sembuf *sops, unsigned nsops, int alter)
5274 {
5275         u32 perms;
5276
5277         if (alter)
5278                 perms = SEM__READ | SEM__WRITE;
5279         else
5280                 perms = SEM__READ;
5281
5282         return ipc_has_perm(&sma->sem_perm, perms);
5283 }
5284
5285 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5286 {
5287         u32 av = 0;
5288
5289         av = 0;
5290         if (flag & S_IRUGO)
5291                 av |= IPC__UNIX_READ;
5292         if (flag & S_IWUGO)
5293                 av |= IPC__UNIX_WRITE;
5294
5295         if (av == 0)
5296                 return 0;
5297
5298         return ipc_has_perm(ipcp, av);
5299 }
5300
5301 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5302 {
5303         struct ipc_security_struct *isec = ipcp->security;
5304         *secid = isec->sid;
5305 }
5306
5307 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5308 {
5309         if (inode)
5310                 inode_doinit_with_dentry(inode, dentry);
5311 }
5312
5313 static int selinux_getprocattr(struct task_struct *p,
5314                                char *name, char **value)
5315 {
5316         const struct task_security_struct *__tsec;
5317         u32 sid;
5318         int error;
5319         unsigned len;
5320
5321         if (current != p) {
5322                 error = current_has_perm(p, PROCESS__GETATTR);
5323                 if (error)
5324                         return error;
5325         }
5326
5327         rcu_read_lock();
5328         __tsec = __task_cred(p)->security;
5329
5330         if (!strcmp(name, "current"))
5331                 sid = __tsec->sid;
5332         else if (!strcmp(name, "prev"))
5333                 sid = __tsec->osid;
5334         else if (!strcmp(name, "exec"))
5335                 sid = __tsec->exec_sid;
5336         else if (!strcmp(name, "fscreate"))
5337                 sid = __tsec->create_sid;
5338         else if (!strcmp(name, "keycreate"))
5339                 sid = __tsec->keycreate_sid;
5340         else if (!strcmp(name, "sockcreate"))
5341                 sid = __tsec->sockcreate_sid;
5342         else
5343                 goto invalid;
5344         rcu_read_unlock();
5345
5346         if (!sid)
5347                 return 0;
5348
5349         error = security_sid_to_context(sid, value, &len);
5350         if (error)
5351                 return error;
5352         return len;
5353
5354 invalid:
5355         rcu_read_unlock();
5356         return -EINVAL;
5357 }
5358
5359 static int selinux_setprocattr(struct task_struct *p,
5360                                char *name, void *value, size_t size)
5361 {
5362         struct task_security_struct *tsec;
5363         struct task_struct *tracer;
5364         struct cred *new;
5365         u32 sid = 0, ptsid;
5366         int error;
5367         char *str = value;
5368
5369         if (current != p) {
5370                 /* SELinux only allows a process to change its own
5371                    security attributes. */
5372                 return -EACCES;
5373         }
5374
5375         /*
5376          * Basic control over ability to set these attributes at all.
5377          * current == p, but we'll pass them separately in case the
5378          * above restriction is ever removed.
5379          */
5380         if (!strcmp(name, "exec"))
5381                 error = current_has_perm(p, PROCESS__SETEXEC);
5382         else if (!strcmp(name, "fscreate"))
5383                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5384         else if (!strcmp(name, "keycreate"))
5385                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5386         else if (!strcmp(name, "sockcreate"))
5387                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5388         else if (!strcmp(name, "current"))
5389                 error = current_has_perm(p, PROCESS__SETCURRENT);
5390         else
5391                 error = -EINVAL;
5392         if (error)
5393                 return error;
5394
5395         /* Obtain a SID for the context, if one was specified. */
5396         if (size && str[1] && str[1] != '\n') {
5397                 if (str[size-1] == '\n') {
5398                         str[size-1] = 0;
5399                         size--;
5400                 }
5401                 error = security_context_to_sid(value, size, &sid);
5402                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5403                         if (!capable(CAP_MAC_ADMIN))
5404                                 return error;
5405                         error = security_context_to_sid_force(value, size,
5406                                                               &sid);
5407                 }
5408                 if (error)
5409                         return error;
5410         }
5411
5412         new = prepare_creds();
5413         if (!new)
5414                 return -ENOMEM;
5415
5416         /* Permission checking based on the specified context is
5417            performed during the actual operation (execve,
5418            open/mkdir/...), when we know the full context of the
5419            operation.  See selinux_bprm_set_creds for the execve
5420            checks and may_create for the file creation checks. The
5421            operation will then fail if the context is not permitted. */
5422         tsec = new->security;
5423         if (!strcmp(name, "exec")) {
5424                 tsec->exec_sid = sid;
5425         } else if (!strcmp(name, "fscreate")) {
5426                 tsec->create_sid = sid;
5427         } else if (!strcmp(name, "keycreate")) {
5428                 error = may_create_key(sid, p);
5429                 if (error)
5430                         goto abort_change;
5431                 tsec->keycreate_sid = sid;
5432         } else if (!strcmp(name, "sockcreate")) {
5433                 tsec->sockcreate_sid = sid;
5434         } else if (!strcmp(name, "current")) {
5435                 error = -EINVAL;
5436                 if (sid == 0)
5437                         goto abort_change;
5438
5439                 /* Only allow single threaded processes to change context */
5440                 error = -EPERM;
5441                 if (!is_single_threaded(p)) {
5442                         error = security_bounded_transition(tsec->sid, sid);
5443                         if (error)
5444                                 goto abort_change;
5445                 }
5446
5447                 /* Check permissions for the transition. */
5448                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5449                                      PROCESS__DYNTRANSITION, NULL);
5450                 if (error)
5451                         goto abort_change;
5452
5453                 /* Check for ptracing, and update the task SID if ok.
5454                    Otherwise, leave SID unchanged and fail. */
5455                 ptsid = 0;
5456                 task_lock(p);
5457                 tracer = tracehook_tracer_task(p);
5458                 if (tracer)
5459                         ptsid = task_sid(tracer);
5460                 task_unlock(p);
5461
5462                 if (tracer) {
5463                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5464                                              PROCESS__PTRACE, NULL);
5465                         if (error)
5466                                 goto abort_change;
5467                 }
5468
5469                 tsec->sid = sid;
5470         } else {
5471                 error = -EINVAL;
5472                 goto abort_change;
5473         }
5474
5475         commit_creds(new);
5476         return size;
5477
5478 abort_change:
5479         abort_creds(new);
5480         return error;
5481 }
5482
5483 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5484 {
5485         return security_sid_to_context(secid, secdata, seclen);
5486 }
5487
5488 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5489 {
5490         return security_context_to_sid(secdata, seclen, secid);
5491 }
5492
5493 static void selinux_release_secctx(char *secdata, u32 seclen)
5494 {
5495         kfree(secdata);
5496 }
5497
5498 #ifdef CONFIG_KEYS
5499
5500 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5501                              unsigned long flags)
5502 {
5503         const struct task_security_struct *tsec;
5504         struct key_security_struct *ksec;
5505
5506         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5507         if (!ksec)
5508                 return -ENOMEM;
5509
5510         tsec = cred->security;
5511         if (tsec->keycreate_sid)
5512                 ksec->sid = tsec->keycreate_sid;
5513         else
5514                 ksec->sid = tsec->sid;
5515
5516         k->security = ksec;
5517         return 0;
5518 }
5519
5520 static void selinux_key_free(struct key *k)
5521 {
5522         struct key_security_struct *ksec = k->security;
5523
5524         k->security = NULL;
5525         kfree(ksec);
5526 }
5527
5528 static int selinux_key_permission(key_ref_t key_ref,
5529                                   const struct cred *cred,
5530                                   key_perm_t perm)
5531 {
5532         struct key *key;
5533         struct key_security_struct *ksec;
5534         u32 sid;
5535
5536         /* if no specific permissions are requested, we skip the
5537            permission check. No serious, additional covert channels
5538            appear to be created. */
5539         if (perm == 0)
5540                 return 0;
5541
5542         sid = cred_sid(cred);
5543
5544         key = key_ref_to_ptr(key_ref);
5545         ksec = key->security;
5546
5547         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5548 }
5549
5550 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5551 {
5552         struct key_security_struct *ksec = key->security;
5553         char *context = NULL;
5554         unsigned len;
5555         int rc;
5556
5557         rc = security_sid_to_context(ksec->sid, &context, &len);
5558         if (!rc)
5559                 rc = len;
5560         *_buffer = context;
5561         return rc;
5562 }
5563
5564 #endif
5565
5566 static struct security_operations selinux_ops = {
5567         .name =                         "selinux",
5568
5569         .ptrace_may_access =            selinux_ptrace_may_access,
5570         .ptrace_traceme =               selinux_ptrace_traceme,
5571         .capget =                       selinux_capget,
5572         .capset =                       selinux_capset,
5573         .sysctl =                       selinux_sysctl,
5574         .capable =                      selinux_capable,
5575         .quotactl =                     selinux_quotactl,
5576         .quota_on =                     selinux_quota_on,
5577         .syslog =                       selinux_syslog,
5578         .vm_enough_memory =             selinux_vm_enough_memory,
5579
5580         .netlink_send =                 selinux_netlink_send,
5581         .netlink_recv =                 selinux_netlink_recv,
5582
5583         .bprm_set_creds =               selinux_bprm_set_creds,
5584         .bprm_check_security =          selinux_bprm_check_security,
5585         .bprm_committing_creds =        selinux_bprm_committing_creds,
5586         .bprm_committed_creds =         selinux_bprm_committed_creds,
5587         .bprm_secureexec =              selinux_bprm_secureexec,
5588
5589         .sb_alloc_security =            selinux_sb_alloc_security,
5590         .sb_free_security =             selinux_sb_free_security,
5591         .sb_copy_data =                 selinux_sb_copy_data,
5592         .sb_kern_mount =                selinux_sb_kern_mount,
5593         .sb_show_options =              selinux_sb_show_options,
5594         .sb_statfs =                    selinux_sb_statfs,
5595         .sb_mount =                     selinux_mount,
5596         .sb_umount =                    selinux_umount,
5597         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5598         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5599         .sb_parse_opts_str =            selinux_parse_opts_str,
5600
5601
5602         .inode_alloc_security =         selinux_inode_alloc_security,
5603         .inode_free_security =          selinux_inode_free_security,
5604         .inode_init_security =          selinux_inode_init_security,
5605         .inode_create =                 selinux_inode_create,
5606         .inode_link =                   selinux_inode_link,
5607         .inode_unlink =                 selinux_inode_unlink,
5608         .inode_symlink =                selinux_inode_symlink,
5609         .inode_mkdir =                  selinux_inode_mkdir,
5610         .inode_rmdir =                  selinux_inode_rmdir,
5611         .inode_mknod =                  selinux_inode_mknod,
5612         .inode_rename =                 selinux_inode_rename,
5613         .inode_readlink =               selinux_inode_readlink,
5614         .inode_follow_link =            selinux_inode_follow_link,
5615         .inode_permission =             selinux_inode_permission,
5616         .inode_setattr =                selinux_inode_setattr,
5617         .inode_getattr =                selinux_inode_getattr,
5618         .inode_setxattr =               selinux_inode_setxattr,
5619         .inode_post_setxattr =          selinux_inode_post_setxattr,
5620         .inode_getxattr =               selinux_inode_getxattr,
5621         .inode_listxattr =              selinux_inode_listxattr,
5622         .inode_removexattr =            selinux_inode_removexattr,
5623         .inode_getsecurity =            selinux_inode_getsecurity,
5624         .inode_setsecurity =            selinux_inode_setsecurity,
5625         .inode_listsecurity =           selinux_inode_listsecurity,
5626         .inode_need_killpriv =          selinux_inode_need_killpriv,
5627         .inode_killpriv =               selinux_inode_killpriv,
5628         .inode_getsecid =               selinux_inode_getsecid,
5629
5630         .file_permission =              selinux_file_permission,
5631         .file_alloc_security =          selinux_file_alloc_security,
5632         .file_free_security =           selinux_file_free_security,
5633         .file_ioctl =                   selinux_file_ioctl,
5634         .file_mmap =                    selinux_file_mmap,
5635         .file_mprotect =                selinux_file_mprotect,
5636         .file_lock =                    selinux_file_lock,
5637         .file_fcntl =                   selinux_file_fcntl,
5638         .file_set_fowner =              selinux_file_set_fowner,
5639         .file_send_sigiotask =          selinux_file_send_sigiotask,
5640         .file_receive =                 selinux_file_receive,
5641
5642         .dentry_open =                  selinux_dentry_open,
5643
5644         .task_create =                  selinux_task_create,
5645         .cred_free =                    selinux_cred_free,
5646         .cred_prepare =                 selinux_cred_prepare,
5647         .cred_commit =                  selinux_cred_commit,
5648         .kernel_act_as =                selinux_kernel_act_as,
5649         .kernel_create_files_as =       selinux_kernel_create_files_as,
5650         .task_setuid =                  selinux_task_setuid,
5651         .task_fix_setuid =              selinux_task_fix_setuid,
5652         .task_setgid =                  selinux_task_setgid,
5653         .task_setpgid =                 selinux_task_setpgid,
5654         .task_getpgid =                 selinux_task_getpgid,
5655         .task_getsid =                  selinux_task_getsid,
5656         .task_getsecid =                selinux_task_getsecid,
5657         .task_setgroups =               selinux_task_setgroups,
5658         .task_setnice =                 selinux_task_setnice,
5659         .task_setioprio =               selinux_task_setioprio,
5660         .task_getioprio =               selinux_task_getioprio,
5661         .task_setrlimit =               selinux_task_setrlimit,
5662         .task_setscheduler =            selinux_task_setscheduler,
5663         .task_getscheduler =            selinux_task_getscheduler,
5664         .task_movememory =              selinux_task_movememory,
5665         .task_kill =                    selinux_task_kill,
5666         .task_wait =                    selinux_task_wait,
5667         .task_prctl =                   selinux_task_prctl,
5668         .task_to_inode =                selinux_task_to_inode,
5669
5670         .ipc_permission =               selinux_ipc_permission,
5671         .ipc_getsecid =                 selinux_ipc_getsecid,
5672
5673         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5674         .msg_msg_free_security =        selinux_msg_msg_free_security,
5675
5676         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5677         .msg_queue_free_security =      selinux_msg_queue_free_security,
5678         .msg_queue_associate =          selinux_msg_queue_associate,
5679         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5680         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5681         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5682
5683         .shm_alloc_security =           selinux_shm_alloc_security,
5684         .shm_free_security =            selinux_shm_free_security,
5685         .shm_associate =                selinux_shm_associate,
5686         .shm_shmctl =                   selinux_shm_shmctl,
5687         .shm_shmat =                    selinux_shm_shmat,
5688
5689         .sem_alloc_security =           selinux_sem_alloc_security,
5690         .sem_free_security =            selinux_sem_free_security,
5691         .sem_associate =                selinux_sem_associate,
5692         .sem_semctl =                   selinux_sem_semctl,
5693         .sem_semop =                    selinux_sem_semop,
5694
5695         .d_instantiate =                selinux_d_instantiate,
5696
5697         .getprocattr =                  selinux_getprocattr,
5698         .setprocattr =                  selinux_setprocattr,
5699
5700         .secid_to_secctx =              selinux_secid_to_secctx,
5701         .secctx_to_secid =              selinux_secctx_to_secid,
5702         .release_secctx =               selinux_release_secctx,
5703
5704         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5705         .unix_may_send =                selinux_socket_unix_may_send,
5706
5707         .socket_create =                selinux_socket_create,
5708         .socket_post_create =           selinux_socket_post_create,
5709         .socket_bind =                  selinux_socket_bind,
5710         .socket_connect =               selinux_socket_connect,
5711         .socket_listen =                selinux_socket_listen,
5712         .socket_accept =                selinux_socket_accept,
5713         .socket_sendmsg =               selinux_socket_sendmsg,
5714         .socket_recvmsg =               selinux_socket_recvmsg,
5715         .socket_getsockname =           selinux_socket_getsockname,
5716         .socket_getpeername =           selinux_socket_getpeername,
5717         .socket_getsockopt =            selinux_socket_getsockopt,
5718         .socket_setsockopt =            selinux_socket_setsockopt,
5719         .socket_shutdown =              selinux_socket_shutdown,
5720         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5721         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5722         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5723         .sk_alloc_security =            selinux_sk_alloc_security,
5724         .sk_free_security =             selinux_sk_free_security,
5725         .sk_clone_security =            selinux_sk_clone_security,
5726         .sk_getsecid =                  selinux_sk_getsecid,
5727         .sock_graft =                   selinux_sock_graft,
5728         .inet_conn_request =            selinux_inet_conn_request,
5729         .inet_csk_clone =               selinux_inet_csk_clone,
5730         .inet_conn_established =        selinux_inet_conn_established,
5731         .req_classify_flow =            selinux_req_classify_flow,
5732
5733 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5734         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5735         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5736         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5737         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5738         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5739         .xfrm_state_free_security =     selinux_xfrm_state_free,
5740         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5741         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5742         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5743         .xfrm_decode_session =          selinux_xfrm_decode_session,
5744 #endif
5745
5746 #ifdef CONFIG_KEYS
5747         .key_alloc =                    selinux_key_alloc,
5748         .key_free =                     selinux_key_free,
5749         .key_permission =               selinux_key_permission,
5750         .key_getsecurity =              selinux_key_getsecurity,
5751 #endif
5752
5753 #ifdef CONFIG_AUDIT
5754         .audit_rule_init =              selinux_audit_rule_init,
5755         .audit_rule_known =             selinux_audit_rule_known,
5756         .audit_rule_match =             selinux_audit_rule_match,
5757         .audit_rule_free =              selinux_audit_rule_free,
5758 #endif
5759 };
5760
5761 static __init int selinux_init(void)
5762 {
5763         if (!security_module_enable(&selinux_ops)) {
5764                 selinux_enabled = 0;
5765                 return 0;
5766         }
5767
5768         if (!selinux_enabled) {
5769                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5770                 return 0;
5771         }
5772
5773         printk(KERN_INFO "SELinux:  Initializing.\n");
5774
5775         /* Set the security state for the initial task. */
5776         cred_init_security();
5777
5778         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5779                                             sizeof(struct inode_security_struct),
5780                                             0, SLAB_PANIC, NULL);
5781         avc_init();
5782
5783         secondary_ops = security_ops;
5784         if (!secondary_ops)
5785                 panic("SELinux: No initial security operations\n");
5786         if (register_security(&selinux_ops))
5787                 panic("SELinux: Unable to register with kernel.\n");
5788
5789         if (selinux_enforcing)
5790                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5791         else
5792                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5793
5794         return 0;
5795 }
5796
5797 void selinux_complete_init(void)
5798 {
5799         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5800
5801         /* Set up any superblocks initialized prior to the policy load. */
5802         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5803         spin_lock(&sb_lock);
5804         spin_lock(&sb_security_lock);
5805 next_sb:
5806         if (!list_empty(&superblock_security_head)) {
5807                 struct superblock_security_struct *sbsec =
5808                                 list_entry(superblock_security_head.next,
5809                                            struct superblock_security_struct,
5810                                            list);
5811                 struct super_block *sb = sbsec->sb;
5812                 sb->s_count++;
5813                 spin_unlock(&sb_security_lock);
5814                 spin_unlock(&sb_lock);
5815                 down_read(&sb->s_umount);
5816                 if (sb->s_root)
5817                         superblock_doinit(sb, NULL);
5818                 drop_super(sb);
5819                 spin_lock(&sb_lock);
5820                 spin_lock(&sb_security_lock);
5821                 list_del_init(&sbsec->list);
5822                 goto next_sb;
5823         }
5824         spin_unlock(&sb_security_lock);
5825         spin_unlock(&sb_lock);
5826 }
5827
5828 /* SELinux requires early initialization in order to label
5829    all processes and objects when they are created. */
5830 security_initcall(selinux_init);
5831
5832 #if defined(CONFIG_NETFILTER)
5833
5834 static struct nf_hook_ops selinux_ipv4_ops[] = {
5835         {
5836                 .hook =         selinux_ipv4_postroute,
5837                 .owner =        THIS_MODULE,
5838                 .pf =           PF_INET,
5839                 .hooknum =      NF_INET_POST_ROUTING,
5840                 .priority =     NF_IP_PRI_SELINUX_LAST,
5841         },
5842         {
5843                 .hook =         selinux_ipv4_forward,
5844                 .owner =        THIS_MODULE,
5845                 .pf =           PF_INET,
5846                 .hooknum =      NF_INET_FORWARD,
5847                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5848         },
5849         {
5850                 .hook =         selinux_ipv4_output,
5851                 .owner =        THIS_MODULE,
5852                 .pf =           PF_INET,
5853                 .hooknum =      NF_INET_LOCAL_OUT,
5854                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5855         }
5856 };
5857
5858 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5859
5860 static struct nf_hook_ops selinux_ipv6_ops[] = {
5861         {
5862                 .hook =         selinux_ipv6_postroute,
5863                 .owner =        THIS_MODULE,
5864                 .pf =           PF_INET6,
5865                 .hooknum =      NF_INET_POST_ROUTING,
5866                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5867         },
5868         {
5869                 .hook =         selinux_ipv6_forward,
5870                 .owner =        THIS_MODULE,
5871                 .pf =           PF_INET6,
5872                 .hooknum =      NF_INET_FORWARD,
5873                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5874         }
5875 };
5876
5877 #endif  /* IPV6 */
5878
5879 static int __init selinux_nf_ip_init(void)
5880 {
5881         int err = 0;
5882
5883         if (!selinux_enabled)
5884                 goto out;
5885
5886         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5887
5888         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5889         if (err)
5890                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5891
5892 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5893         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5894         if (err)
5895                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5896 #endif  /* IPV6 */
5897
5898 out:
5899         return err;
5900 }
5901
5902 __initcall(selinux_nf_ip_init);
5903
5904 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5905 static void selinux_nf_ip_exit(void)
5906 {
5907         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5908
5909         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5910 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5911         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5912 #endif  /* IPV6 */
5913 }
5914 #endif
5915
5916 #else /* CONFIG_NETFILTER */
5917
5918 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5919 #define selinux_nf_ip_exit()
5920 #endif
5921
5922 #endif /* CONFIG_NETFILTER */
5923
5924 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5925 static int selinux_disabled;
5926
5927 int selinux_disable(void)
5928 {
5929         extern void exit_sel_fs(void);
5930
5931         if (ss_initialized) {
5932                 /* Not permitted after initial policy load. */
5933                 return -EINVAL;
5934         }
5935
5936         if (selinux_disabled) {
5937                 /* Only do this once. */
5938                 return -EINVAL;
5939         }
5940
5941         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5942
5943         selinux_disabled = 1;
5944         selinux_enabled = 0;
5945
5946         /* Reset security_ops to the secondary module, dummy or capability. */
5947         security_ops = secondary_ops;
5948
5949         /* Unregister netfilter hooks. */
5950         selinux_nf_ip_exit();
5951
5952         /* Unregister selinuxfs. */
5953         exit_sel_fs();
5954
5955         return 0;
5956 }
5957 #endif