[MLSXFRM]: Auto-labeling of child sockets
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/ptrace.h>
25 #include <linux/errno.h>
26 #include <linux/sched.h>
27 #include <linux/security.h>
28 #include <linux/xattr.h>
29 #include <linux/capability.h>
30 #include <linux/unistd.h>
31 #include <linux/mm.h>
32 #include <linux/mman.h>
33 #include <linux/slab.h>
34 #include <linux/pagemap.h>
35 #include <linux/swap.h>
36 #include <linux/smp_lock.h>
37 #include <linux/spinlock.h>
38 #include <linux/syscalls.h>
39 #include <linux/file.h>
40 #include <linux/namei.h>
41 #include <linux/mount.h>
42 #include <linux/ext2_fs.h>
43 #include <linux/proc_fs.h>
44 #include <linux/kd.h>
45 #include <linux/netfilter_ipv4.h>
46 #include <linux/netfilter_ipv6.h>
47 #include <linux/tty.h>
48 #include <net/icmp.h>
49 #include <net/ip.h>             /* for sysctl_local_port_range[] */
50 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
51 #include <asm/uaccess.h>
52 #include <asm/semaphore.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h>    /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/quota.h>
61 #include <linux/un.h>           /* for Unix socket types */
62 #include <net/af_unix.h>        /* for Unix socket types */
63 #include <linux/parser.h>
64 #include <linux/nfs_mount.h>
65 #include <net/ipv6.h>
66 #include <linux/hugetlb.h>
67 #include <linux/personality.h>
68 #include <linux/sysctl.h>
69 #include <linux/audit.h>
70 #include <linux/string.h>
71 #include <linux/selinux.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
84
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
87
88 static int __init enforcing_setup(char *str)
89 {
90         selinux_enforcing = simple_strtol(str,NULL,0);
91         return 1;
92 }
93 __setup("enforcing=", enforcing_setup);
94 #endif
95
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99 static int __init selinux_enabled_setup(char *str)
100 {
101         selinux_enabled = simple_strtol(str, NULL, 0);
102         return 1;
103 }
104 __setup("selinux=", selinux_enabled_setup);
105 #else
106 int selinux_enabled = 1;
107 #endif
108
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
111
112 /* Minimal support for a secondary security module,
113    just to allow the use of the dummy or capability modules.
114    The owlsm module can alternatively be used as a secondary
115    module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
117
118 /* Lists of inode and superblock security structures initialized
119    before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
122
123 static kmem_cache_t *sel_inode_cache;
124
125 /* Return security context for a given sid or just the context 
126    length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128 {
129         char *context;
130         unsigned len;
131         int rc;
132
133         rc = security_sid_to_context(sid, &context, &len);
134         if (rc)
135                 return rc;
136
137         if (!buffer || !size)
138                 goto getsecurity_exit;
139
140         if (size < len) {
141                 len = -ERANGE;
142                 goto getsecurity_exit;
143         }
144         memcpy(buffer, context, len);
145
146 getsecurity_exit:
147         kfree(context);
148         return len;
149 }
150
151 /* Allocate and free functions for each kind of security blob. */
152
153 static int task_alloc_security(struct task_struct *task)
154 {
155         struct task_security_struct *tsec;
156
157         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158         if (!tsec)
159                 return -ENOMEM;
160
161         tsec->task = task;
162         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163         task->security = tsec;
164
165         return 0;
166 }
167
168 static void task_free_security(struct task_struct *task)
169 {
170         struct task_security_struct *tsec = task->security;
171         task->security = NULL;
172         kfree(tsec);
173 }
174
175 static int inode_alloc_security(struct inode *inode)
176 {
177         struct task_security_struct *tsec = current->security;
178         struct inode_security_struct *isec;
179
180         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
181         if (!isec)
182                 return -ENOMEM;
183
184         memset(isec, 0, sizeof(*isec));
185         init_MUTEX(&isec->sem);
186         INIT_LIST_HEAD(&isec->list);
187         isec->inode = inode;
188         isec->sid = SECINITSID_UNLABELED;
189         isec->sclass = SECCLASS_FILE;
190         isec->task_sid = tsec->sid;
191         inode->i_security = isec;
192
193         return 0;
194 }
195
196 static void inode_free_security(struct inode *inode)
197 {
198         struct inode_security_struct *isec = inode->i_security;
199         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
201         spin_lock(&sbsec->isec_lock);
202         if (!list_empty(&isec->list))
203                 list_del_init(&isec->list);
204         spin_unlock(&sbsec->isec_lock);
205
206         inode->i_security = NULL;
207         kmem_cache_free(sel_inode_cache, isec);
208 }
209
210 static int file_alloc_security(struct file *file)
211 {
212         struct task_security_struct *tsec = current->security;
213         struct file_security_struct *fsec;
214
215         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
216         if (!fsec)
217                 return -ENOMEM;
218
219         fsec->file = file;
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         init_MUTEX(&sbsec->sem);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         ssec = kzalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         ssec->sk = sk;
277         ssec->peer_sid = SECINITSID_UNLABELED;
278         ssec->sid = SECINITSID_UNLABELED;
279         sk->sk_security = ssec;
280
281         return 0;
282 }
283
284 static void sk_free_security(struct sock *sk)
285 {
286         struct sk_security_struct *ssec = sk->sk_security;
287
288         sk->sk_security = NULL;
289         kfree(ssec);
290 }
291
292 /* The security server must be initialized before
293    any labeling or access decisions can be provided. */
294 extern int ss_initialized;
295
296 /* The file system's label must be initialized prior to use. */
297
298 static char *labeling_behaviors[6] = {
299         "uses xattr",
300         "uses transition SIDs",
301         "uses task SIDs",
302         "uses genfs_contexts",
303         "not configured for labeling",
304         "uses mountpoint labeling",
305 };
306
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308
309 static inline int inode_doinit(struct inode *inode)
310 {
311         return inode_doinit_with_dentry(inode, NULL);
312 }
313
314 enum {
315         Opt_context = 1,
316         Opt_fscontext = 2,
317         Opt_defcontext = 4,
318         Opt_rootcontext = 8,
319 };
320
321 static match_table_t tokens = {
322         {Opt_context, "context=%s"},
323         {Opt_fscontext, "fscontext=%s"},
324         {Opt_defcontext, "defcontext=%s"},
325         {Opt_rootcontext, "rootcontext=%s"},
326 };
327
328 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
329
330 static int may_context_mount_sb_relabel(u32 sid,
331                         struct superblock_security_struct *sbsec,
332                         struct task_security_struct *tsec)
333 {
334         int rc;
335
336         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
337                           FILESYSTEM__RELABELFROM, NULL);
338         if (rc)
339                 return rc;
340
341         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
342                           FILESYSTEM__RELABELTO, NULL);
343         return rc;
344 }
345
346 static int may_context_mount_inode_relabel(u32 sid,
347                         struct superblock_security_struct *sbsec,
348                         struct task_security_struct *tsec)
349 {
350         int rc;
351         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
352                           FILESYSTEM__RELABELFROM, NULL);
353         if (rc)
354                 return rc;
355
356         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
357                           FILESYSTEM__ASSOCIATE, NULL);
358         return rc;
359 }
360
361 static int try_context_mount(struct super_block *sb, void *data)
362 {
363         char *context = NULL, *defcontext = NULL;
364         char *fscontext = NULL, *rootcontext = NULL;
365         const char *name;
366         u32 sid;
367         int alloc = 0, rc = 0, seen = 0;
368         struct task_security_struct *tsec = current->security;
369         struct superblock_security_struct *sbsec = sb->s_security;
370
371         if (!data)
372                 goto out;
373
374         name = sb->s_type->name;
375
376         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
377
378                 /* NFS we understand. */
379                 if (!strcmp(name, "nfs")) {
380                         struct nfs_mount_data *d = data;
381
382                         if (d->version <  NFS_MOUNT_VERSION)
383                                 goto out;
384
385                         if (d->context[0]) {
386                                 context = d->context;
387                                 seen |= Opt_context;
388                         }
389                 } else
390                         goto out;
391
392         } else {
393                 /* Standard string-based options. */
394                 char *p, *options = data;
395
396                 while ((p = strsep(&options, ",")) != NULL) {
397                         int token;
398                         substring_t args[MAX_OPT_ARGS];
399
400                         if (!*p)
401                                 continue;
402
403                         token = match_token(p, tokens, args);
404
405                         switch (token) {
406                         case Opt_context:
407                                 if (seen & (Opt_context|Opt_defcontext)) {
408                                         rc = -EINVAL;
409                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
410                                         goto out_free;
411                                 }
412                                 context = match_strdup(&args[0]);
413                                 if (!context) {
414                                         rc = -ENOMEM;
415                                         goto out_free;
416                                 }
417                                 if (!alloc)
418                                         alloc = 1;
419                                 seen |= Opt_context;
420                                 break;
421
422                         case Opt_fscontext:
423                                 if (seen & Opt_fscontext) {
424                                         rc = -EINVAL;
425                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
426                                         goto out_free;
427                                 }
428                                 fscontext = match_strdup(&args[0]);
429                                 if (!fscontext) {
430                                         rc = -ENOMEM;
431                                         goto out_free;
432                                 }
433                                 if (!alloc)
434                                         alloc = 1;
435                                 seen |= Opt_fscontext;
436                                 break;
437
438                         case Opt_rootcontext:
439                                 if (seen & Opt_rootcontext) {
440                                         rc = -EINVAL;
441                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
442                                         goto out_free;
443                                 }
444                                 rootcontext = match_strdup(&args[0]);
445                                 if (!rootcontext) {
446                                         rc = -ENOMEM;
447                                         goto out_free;
448                                 }
449                                 if (!alloc)
450                                         alloc = 1;
451                                 seen |= Opt_rootcontext;
452                                 break;
453
454                         case Opt_defcontext:
455                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
456                                         rc = -EINVAL;
457                                         printk(KERN_WARNING "SELinux:  "
458                                                "defcontext option is invalid "
459                                                "for this filesystem type\n");
460                                         goto out_free;
461                                 }
462                                 if (seen & (Opt_context|Opt_defcontext)) {
463                                         rc = -EINVAL;
464                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
465                                         goto out_free;
466                                 }
467                                 defcontext = match_strdup(&args[0]);
468                                 if (!defcontext) {
469                                         rc = -ENOMEM;
470                                         goto out_free;
471                                 }
472                                 if (!alloc)
473                                         alloc = 1;
474                                 seen |= Opt_defcontext;
475                                 break;
476
477                         default:
478                                 rc = -EINVAL;
479                                 printk(KERN_WARNING "SELinux:  unknown mount "
480                                        "option\n");
481                                 goto out_free;
482
483                         }
484                 }
485         }
486
487         if (!seen)
488                 goto out;
489
490         /* sets the context of the superblock for the fs being mounted. */
491         if (fscontext) {
492                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
493                 if (rc) {
494                         printk(KERN_WARNING "SELinux: security_context_to_sid"
495                                "(%s) failed for (dev %s, type %s) errno=%d\n",
496                                fscontext, sb->s_id, name, rc);
497                         goto out_free;
498                 }
499
500                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
501                 if (rc)
502                         goto out_free;
503
504                 sbsec->sid = sid;
505         }
506
507         /*
508          * Switch to using mount point labeling behavior.
509          * sets the label used on all file below the mountpoint, and will set
510          * the superblock context if not already set.
511          */
512         if (context) {
513                 rc = security_context_to_sid(context, strlen(context), &sid);
514                 if (rc) {
515                         printk(KERN_WARNING "SELinux: security_context_to_sid"
516                                "(%s) failed for (dev %s, type %s) errno=%d\n",
517                                context, sb->s_id, name, rc);
518                         goto out_free;
519                 }
520
521                 if (!fscontext) {
522                         rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
523                         if (rc)
524                                 goto out_free;
525                         sbsec->sid = sid;
526                 } else {
527                         rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
528                         if (rc)
529                                 goto out_free;
530                 }
531                 sbsec->mntpoint_sid = sid;
532
533                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
534         }
535
536         if (rootcontext) {
537                 struct inode *inode = sb->s_root->d_inode;
538                 struct inode_security_struct *isec = inode->i_security;
539                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
540                 if (rc) {
541                         printk(KERN_WARNING "SELinux: security_context_to_sid"
542                                "(%s) failed for (dev %s, type %s) errno=%d\n",
543                                rootcontext, sb->s_id, name, rc);
544                         goto out_free;
545                 }
546
547                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
548                 if (rc)
549                         goto out_free;
550
551                 isec->sid = sid;
552                 isec->initialized = 1;
553         }
554
555         if (defcontext) {
556                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
557                 if (rc) {
558                         printk(KERN_WARNING "SELinux: security_context_to_sid"
559                                "(%s) failed for (dev %s, type %s) errno=%d\n",
560                                defcontext, sb->s_id, name, rc);
561                         goto out_free;
562                 }
563
564                 if (sid == sbsec->def_sid)
565                         goto out_free;
566
567                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
568                 if (rc)
569                         goto out_free;
570
571                 sbsec->def_sid = sid;
572         }
573
574 out_free:
575         if (alloc) {
576                 kfree(context);
577                 kfree(defcontext);
578                 kfree(fscontext);
579                 kfree(rootcontext);
580         }
581 out:
582         return rc;
583 }
584
585 static int superblock_doinit(struct super_block *sb, void *data)
586 {
587         struct superblock_security_struct *sbsec = sb->s_security;
588         struct dentry *root = sb->s_root;
589         struct inode *inode = root->d_inode;
590         int rc = 0;
591
592         down(&sbsec->sem);
593         if (sbsec->initialized)
594                 goto out;
595
596         if (!ss_initialized) {
597                 /* Defer initialization until selinux_complete_init,
598                    after the initial policy is loaded and the security
599                    server is ready to handle calls. */
600                 spin_lock(&sb_security_lock);
601                 if (list_empty(&sbsec->list))
602                         list_add(&sbsec->list, &superblock_security_head);
603                 spin_unlock(&sb_security_lock);
604                 goto out;
605         }
606
607         /* Determine the labeling behavior to use for this filesystem type. */
608         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
609         if (rc) {
610                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
611                        __FUNCTION__, sb->s_type->name, rc);
612                 goto out;
613         }
614
615         rc = try_context_mount(sb, data);
616         if (rc)
617                 goto out;
618
619         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
620                 /* Make sure that the xattr handler exists and that no
621                    error other than -ENODATA is returned by getxattr on
622                    the root directory.  -ENODATA is ok, as this may be
623                    the first boot of the SELinux kernel before we have
624                    assigned xattr values to the filesystem. */
625                 if (!inode->i_op->getxattr) {
626                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
627                                "xattr support\n", sb->s_id, sb->s_type->name);
628                         rc = -EOPNOTSUPP;
629                         goto out;
630                 }
631                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
632                 if (rc < 0 && rc != -ENODATA) {
633                         if (rc == -EOPNOTSUPP)
634                                 printk(KERN_WARNING "SELinux: (dev %s, type "
635                                        "%s) has no security xattr handler\n",
636                                        sb->s_id, sb->s_type->name);
637                         else
638                                 printk(KERN_WARNING "SELinux: (dev %s, type "
639                                        "%s) getxattr errno %d\n", sb->s_id,
640                                        sb->s_type->name, -rc);
641                         goto out;
642                 }
643         }
644
645         if (strcmp(sb->s_type->name, "proc") == 0)
646                 sbsec->proc = 1;
647
648         sbsec->initialized = 1;
649
650         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
651                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
652                        sb->s_id, sb->s_type->name);
653         }
654         else {
655                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
656                        sb->s_id, sb->s_type->name,
657                        labeling_behaviors[sbsec->behavior-1]);
658         }
659
660         /* Initialize the root inode. */
661         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
662
663         /* Initialize any other inodes associated with the superblock, e.g.
664            inodes created prior to initial policy load or inodes created
665            during get_sb by a pseudo filesystem that directly
666            populates itself. */
667         spin_lock(&sbsec->isec_lock);
668 next_inode:
669         if (!list_empty(&sbsec->isec_head)) {
670                 struct inode_security_struct *isec =
671                                 list_entry(sbsec->isec_head.next,
672                                            struct inode_security_struct, list);
673                 struct inode *inode = isec->inode;
674                 spin_unlock(&sbsec->isec_lock);
675                 inode = igrab(inode);
676                 if (inode) {
677                         if (!IS_PRIVATE (inode))
678                                 inode_doinit(inode);
679                         iput(inode);
680                 }
681                 spin_lock(&sbsec->isec_lock);
682                 list_del_init(&isec->list);
683                 goto next_inode;
684         }
685         spin_unlock(&sbsec->isec_lock);
686 out:
687         up(&sbsec->sem);
688         return rc;
689 }
690
691 static inline u16 inode_mode_to_security_class(umode_t mode)
692 {
693         switch (mode & S_IFMT) {
694         case S_IFSOCK:
695                 return SECCLASS_SOCK_FILE;
696         case S_IFLNK:
697                 return SECCLASS_LNK_FILE;
698         case S_IFREG:
699                 return SECCLASS_FILE;
700         case S_IFBLK:
701                 return SECCLASS_BLK_FILE;
702         case S_IFDIR:
703                 return SECCLASS_DIR;
704         case S_IFCHR:
705                 return SECCLASS_CHR_FILE;
706         case S_IFIFO:
707                 return SECCLASS_FIFO_FILE;
708
709         }
710
711         return SECCLASS_FILE;
712 }
713
714 static inline int default_protocol_stream(int protocol)
715 {
716         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
717 }
718
719 static inline int default_protocol_dgram(int protocol)
720 {
721         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
722 }
723
724 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
725 {
726         switch (family) {
727         case PF_UNIX:
728                 switch (type) {
729                 case SOCK_STREAM:
730                 case SOCK_SEQPACKET:
731                         return SECCLASS_UNIX_STREAM_SOCKET;
732                 case SOCK_DGRAM:
733                         return SECCLASS_UNIX_DGRAM_SOCKET;
734                 }
735                 break;
736         case PF_INET:
737         case PF_INET6:
738                 switch (type) {
739                 case SOCK_STREAM:
740                         if (default_protocol_stream(protocol))
741                                 return SECCLASS_TCP_SOCKET;
742                         else
743                                 return SECCLASS_RAWIP_SOCKET;
744                 case SOCK_DGRAM:
745                         if (default_protocol_dgram(protocol))
746                                 return SECCLASS_UDP_SOCKET;
747                         else
748                                 return SECCLASS_RAWIP_SOCKET;
749                 default:
750                         return SECCLASS_RAWIP_SOCKET;
751                 }
752                 break;
753         case PF_NETLINK:
754                 switch (protocol) {
755                 case NETLINK_ROUTE:
756                         return SECCLASS_NETLINK_ROUTE_SOCKET;
757                 case NETLINK_FIREWALL:
758                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
759                 case NETLINK_INET_DIAG:
760                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
761                 case NETLINK_NFLOG:
762                         return SECCLASS_NETLINK_NFLOG_SOCKET;
763                 case NETLINK_XFRM:
764                         return SECCLASS_NETLINK_XFRM_SOCKET;
765                 case NETLINK_SELINUX:
766                         return SECCLASS_NETLINK_SELINUX_SOCKET;
767                 case NETLINK_AUDIT:
768                         return SECCLASS_NETLINK_AUDIT_SOCKET;
769                 case NETLINK_IP6_FW:
770                         return SECCLASS_NETLINK_IP6FW_SOCKET;
771                 case NETLINK_DNRTMSG:
772                         return SECCLASS_NETLINK_DNRT_SOCKET;
773                 case NETLINK_KOBJECT_UEVENT:
774                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
775                 default:
776                         return SECCLASS_NETLINK_SOCKET;
777                 }
778         case PF_PACKET:
779                 return SECCLASS_PACKET_SOCKET;
780         case PF_KEY:
781                 return SECCLASS_KEY_SOCKET;
782         case PF_APPLETALK:
783                 return SECCLASS_APPLETALK_SOCKET;
784         }
785
786         return SECCLASS_SOCKET;
787 }
788
789 #ifdef CONFIG_PROC_FS
790 static int selinux_proc_get_sid(struct proc_dir_entry *de,
791                                 u16 tclass,
792                                 u32 *sid)
793 {
794         int buflen, rc;
795         char *buffer, *path, *end;
796
797         buffer = (char*)__get_free_page(GFP_KERNEL);
798         if (!buffer)
799                 return -ENOMEM;
800
801         buflen = PAGE_SIZE;
802         end = buffer+buflen;
803         *--end = '\0';
804         buflen--;
805         path = end-1;
806         *path = '/';
807         while (de && de != de->parent) {
808                 buflen -= de->namelen + 1;
809                 if (buflen < 0)
810                         break;
811                 end -= de->namelen;
812                 memcpy(end, de->name, de->namelen);
813                 *--end = '/';
814                 path = end;
815                 de = de->parent;
816         }
817         rc = security_genfs_sid("proc", path, tclass, sid);
818         free_page((unsigned long)buffer);
819         return rc;
820 }
821 #else
822 static int selinux_proc_get_sid(struct proc_dir_entry *de,
823                                 u16 tclass,
824                                 u32 *sid)
825 {
826         return -EINVAL;
827 }
828 #endif
829
830 /* The inode's security attributes must be initialized before first use. */
831 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
832 {
833         struct superblock_security_struct *sbsec = NULL;
834         struct inode_security_struct *isec = inode->i_security;
835         u32 sid;
836         struct dentry *dentry;
837 #define INITCONTEXTLEN 255
838         char *context = NULL;
839         unsigned len = 0;
840         int rc = 0;
841         int hold_sem = 0;
842
843         if (isec->initialized)
844                 goto out;
845
846         down(&isec->sem);
847         hold_sem = 1;
848         if (isec->initialized)
849                 goto out;
850
851         sbsec = inode->i_sb->s_security;
852         if (!sbsec->initialized) {
853                 /* Defer initialization until selinux_complete_init,
854                    after the initial policy is loaded and the security
855                    server is ready to handle calls. */
856                 spin_lock(&sbsec->isec_lock);
857                 if (list_empty(&isec->list))
858                         list_add(&isec->list, &sbsec->isec_head);
859                 spin_unlock(&sbsec->isec_lock);
860                 goto out;
861         }
862
863         switch (sbsec->behavior) {
864         case SECURITY_FS_USE_XATTR:
865                 if (!inode->i_op->getxattr) {
866                         isec->sid = sbsec->def_sid;
867                         break;
868                 }
869
870                 /* Need a dentry, since the xattr API requires one.
871                    Life would be simpler if we could just pass the inode. */
872                 if (opt_dentry) {
873                         /* Called from d_instantiate or d_splice_alias. */
874                         dentry = dget(opt_dentry);
875                 } else {
876                         /* Called from selinux_complete_init, try to find a dentry. */
877                         dentry = d_find_alias(inode);
878                 }
879                 if (!dentry) {
880                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
881                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
882                                inode->i_ino);
883                         goto out;
884                 }
885
886                 len = INITCONTEXTLEN;
887                 context = kmalloc(len, GFP_KERNEL);
888                 if (!context) {
889                         rc = -ENOMEM;
890                         dput(dentry);
891                         goto out;
892                 }
893                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
894                                            context, len);
895                 if (rc == -ERANGE) {
896                         /* Need a larger buffer.  Query for the right size. */
897                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
898                                                    NULL, 0);
899                         if (rc < 0) {
900                                 dput(dentry);
901                                 goto out;
902                         }
903                         kfree(context);
904                         len = rc;
905                         context = kmalloc(len, GFP_KERNEL);
906                         if (!context) {
907                                 rc = -ENOMEM;
908                                 dput(dentry);
909                                 goto out;
910                         }
911                         rc = inode->i_op->getxattr(dentry,
912                                                    XATTR_NAME_SELINUX,
913                                                    context, len);
914                 }
915                 dput(dentry);
916                 if (rc < 0) {
917                         if (rc != -ENODATA) {
918                                 printk(KERN_WARNING "%s:  getxattr returned "
919                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
920                                        -rc, inode->i_sb->s_id, inode->i_ino);
921                                 kfree(context);
922                                 goto out;
923                         }
924                         /* Map ENODATA to the default file SID */
925                         sid = sbsec->def_sid;
926                         rc = 0;
927                 } else {
928                         rc = security_context_to_sid_default(context, rc, &sid,
929                                                              sbsec->def_sid);
930                         if (rc) {
931                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
932                                        "returned %d for dev=%s ino=%ld\n",
933                                        __FUNCTION__, context, -rc,
934                                        inode->i_sb->s_id, inode->i_ino);
935                                 kfree(context);
936                                 /* Leave with the unlabeled SID */
937                                 rc = 0;
938                                 break;
939                         }
940                 }
941                 kfree(context);
942                 isec->sid = sid;
943                 break;
944         case SECURITY_FS_USE_TASK:
945                 isec->sid = isec->task_sid;
946                 break;
947         case SECURITY_FS_USE_TRANS:
948                 /* Default to the fs SID. */
949                 isec->sid = sbsec->sid;
950
951                 /* Try to obtain a transition SID. */
952                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
953                 rc = security_transition_sid(isec->task_sid,
954                                              sbsec->sid,
955                                              isec->sclass,
956                                              &sid);
957                 if (rc)
958                         goto out;
959                 isec->sid = sid;
960                 break;
961         case SECURITY_FS_USE_MNTPOINT:
962                 isec->sid = sbsec->mntpoint_sid;
963                 break;
964         default:
965                 /* Default to the fs superblock SID. */
966                 isec->sid = sbsec->sid;
967
968                 if (sbsec->proc) {
969                         struct proc_inode *proci = PROC_I(inode);
970                         if (proci->pde) {
971                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
972                                 rc = selinux_proc_get_sid(proci->pde,
973                                                           isec->sclass,
974                                                           &sid);
975                                 if (rc)
976                                         goto out;
977                                 isec->sid = sid;
978                         }
979                 }
980                 break;
981         }
982
983         isec->initialized = 1;
984
985 out:
986         if (isec->sclass == SECCLASS_FILE)
987                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
988
989         if (hold_sem)
990                 up(&isec->sem);
991         return rc;
992 }
993
994 /* Convert a Linux signal to an access vector. */
995 static inline u32 signal_to_av(int sig)
996 {
997         u32 perm = 0;
998
999         switch (sig) {
1000         case SIGCHLD:
1001                 /* Commonly granted from child to parent. */
1002                 perm = PROCESS__SIGCHLD;
1003                 break;
1004         case SIGKILL:
1005                 /* Cannot be caught or ignored */
1006                 perm = PROCESS__SIGKILL;
1007                 break;
1008         case SIGSTOP:
1009                 /* Cannot be caught or ignored */
1010                 perm = PROCESS__SIGSTOP;
1011                 break;
1012         default:
1013                 /* All other signals. */
1014                 perm = PROCESS__SIGNAL;
1015                 break;
1016         }
1017
1018         return perm;
1019 }
1020
1021 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1022    fork check, ptrace check, etc. */
1023 static int task_has_perm(struct task_struct *tsk1,
1024                          struct task_struct *tsk2,
1025                          u32 perms)
1026 {
1027         struct task_security_struct *tsec1, *tsec2;
1028
1029         tsec1 = tsk1->security;
1030         tsec2 = tsk2->security;
1031         return avc_has_perm(tsec1->sid, tsec2->sid,
1032                             SECCLASS_PROCESS, perms, NULL);
1033 }
1034
1035 /* Check whether a task is allowed to use a capability. */
1036 static int task_has_capability(struct task_struct *tsk,
1037                                int cap)
1038 {
1039         struct task_security_struct *tsec;
1040         struct avc_audit_data ad;
1041
1042         tsec = tsk->security;
1043
1044         AVC_AUDIT_DATA_INIT(&ad,CAP);
1045         ad.tsk = tsk;
1046         ad.u.cap = cap;
1047
1048         return avc_has_perm(tsec->sid, tsec->sid,
1049                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1050 }
1051
1052 /* Check whether a task is allowed to use a system operation. */
1053 static int task_has_system(struct task_struct *tsk,
1054                            u32 perms)
1055 {
1056         struct task_security_struct *tsec;
1057
1058         tsec = tsk->security;
1059
1060         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1061                             SECCLASS_SYSTEM, perms, NULL);
1062 }
1063
1064 /* Check whether a task has a particular permission to an inode.
1065    The 'adp' parameter is optional and allows other audit
1066    data to be passed (e.g. the dentry). */
1067 static int inode_has_perm(struct task_struct *tsk,
1068                           struct inode *inode,
1069                           u32 perms,
1070                           struct avc_audit_data *adp)
1071 {
1072         struct task_security_struct *tsec;
1073         struct inode_security_struct *isec;
1074         struct avc_audit_data ad;
1075
1076         tsec = tsk->security;
1077         isec = inode->i_security;
1078
1079         if (!adp) {
1080                 adp = &ad;
1081                 AVC_AUDIT_DATA_INIT(&ad, FS);
1082                 ad.u.fs.inode = inode;
1083         }
1084
1085         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1086 }
1087
1088 /* Same as inode_has_perm, but pass explicit audit data containing
1089    the dentry to help the auditing code to more easily generate the
1090    pathname if needed. */
1091 static inline int dentry_has_perm(struct task_struct *tsk,
1092                                   struct vfsmount *mnt,
1093                                   struct dentry *dentry,
1094                                   u32 av)
1095 {
1096         struct inode *inode = dentry->d_inode;
1097         struct avc_audit_data ad;
1098         AVC_AUDIT_DATA_INIT(&ad,FS);
1099         ad.u.fs.mnt = mnt;
1100         ad.u.fs.dentry = dentry;
1101         return inode_has_perm(tsk, inode, av, &ad);
1102 }
1103
1104 /* Check whether a task can use an open file descriptor to
1105    access an inode in a given way.  Check access to the
1106    descriptor itself, and then use dentry_has_perm to
1107    check a particular permission to the file.
1108    Access to the descriptor is implicitly granted if it
1109    has the same SID as the process.  If av is zero, then
1110    access to the file is not checked, e.g. for cases
1111    where only the descriptor is affected like seek. */
1112 static int file_has_perm(struct task_struct *tsk,
1113                                 struct file *file,
1114                                 u32 av)
1115 {
1116         struct task_security_struct *tsec = tsk->security;
1117         struct file_security_struct *fsec = file->f_security;
1118         struct vfsmount *mnt = file->f_vfsmnt;
1119         struct dentry *dentry = file->f_dentry;
1120         struct inode *inode = dentry->d_inode;
1121         struct avc_audit_data ad;
1122         int rc;
1123
1124         AVC_AUDIT_DATA_INIT(&ad, FS);
1125         ad.u.fs.mnt = mnt;
1126         ad.u.fs.dentry = dentry;
1127
1128         if (tsec->sid != fsec->sid) {
1129                 rc = avc_has_perm(tsec->sid, fsec->sid,
1130                                   SECCLASS_FD,
1131                                   FD__USE,
1132                                   &ad);
1133                 if (rc)
1134                         return rc;
1135         }
1136
1137         /* av is zero if only checking access to the descriptor. */
1138         if (av)
1139                 return inode_has_perm(tsk, inode, av, &ad);
1140
1141         return 0;
1142 }
1143
1144 /* Check whether a task can create a file. */
1145 static int may_create(struct inode *dir,
1146                       struct dentry *dentry,
1147                       u16 tclass)
1148 {
1149         struct task_security_struct *tsec;
1150         struct inode_security_struct *dsec;
1151         struct superblock_security_struct *sbsec;
1152         u32 newsid;
1153         struct avc_audit_data ad;
1154         int rc;
1155
1156         tsec = current->security;
1157         dsec = dir->i_security;
1158         sbsec = dir->i_sb->s_security;
1159
1160         AVC_AUDIT_DATA_INIT(&ad, FS);
1161         ad.u.fs.dentry = dentry;
1162
1163         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1164                           DIR__ADD_NAME | DIR__SEARCH,
1165                           &ad);
1166         if (rc)
1167                 return rc;
1168
1169         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1170                 newsid = tsec->create_sid;
1171         } else {
1172                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1173                                              &newsid);
1174                 if (rc)
1175                         return rc;
1176         }
1177
1178         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1179         if (rc)
1180                 return rc;
1181
1182         return avc_has_perm(newsid, sbsec->sid,
1183                             SECCLASS_FILESYSTEM,
1184                             FILESYSTEM__ASSOCIATE, &ad);
1185 }
1186
1187 /* Check whether a task can create a key. */
1188 static int may_create_key(u32 ksid,
1189                           struct task_struct *ctx)
1190 {
1191         struct task_security_struct *tsec;
1192
1193         tsec = ctx->security;
1194
1195         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1196 }
1197
1198 #define MAY_LINK   0
1199 #define MAY_UNLINK 1
1200 #define MAY_RMDIR  2
1201
1202 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1203 static int may_link(struct inode *dir,
1204                     struct dentry *dentry,
1205                     int kind)
1206
1207 {
1208         struct task_security_struct *tsec;
1209         struct inode_security_struct *dsec, *isec;
1210         struct avc_audit_data ad;
1211         u32 av;
1212         int rc;
1213
1214         tsec = current->security;
1215         dsec = dir->i_security;
1216         isec = dentry->d_inode->i_security;
1217
1218         AVC_AUDIT_DATA_INIT(&ad, FS);
1219         ad.u.fs.dentry = dentry;
1220
1221         av = DIR__SEARCH;
1222         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1223         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1224         if (rc)
1225                 return rc;
1226
1227         switch (kind) {
1228         case MAY_LINK:
1229                 av = FILE__LINK;
1230                 break;
1231         case MAY_UNLINK:
1232                 av = FILE__UNLINK;
1233                 break;
1234         case MAY_RMDIR:
1235                 av = DIR__RMDIR;
1236                 break;
1237         default:
1238                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1239                 return 0;
1240         }
1241
1242         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1243         return rc;
1244 }
1245
1246 static inline int may_rename(struct inode *old_dir,
1247                              struct dentry *old_dentry,
1248                              struct inode *new_dir,
1249                              struct dentry *new_dentry)
1250 {
1251         struct task_security_struct *tsec;
1252         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1253         struct avc_audit_data ad;
1254         u32 av;
1255         int old_is_dir, new_is_dir;
1256         int rc;
1257
1258         tsec = current->security;
1259         old_dsec = old_dir->i_security;
1260         old_isec = old_dentry->d_inode->i_security;
1261         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1262         new_dsec = new_dir->i_security;
1263
1264         AVC_AUDIT_DATA_INIT(&ad, FS);
1265
1266         ad.u.fs.dentry = old_dentry;
1267         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1268                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1269         if (rc)
1270                 return rc;
1271         rc = avc_has_perm(tsec->sid, old_isec->sid,
1272                           old_isec->sclass, FILE__RENAME, &ad);
1273         if (rc)
1274                 return rc;
1275         if (old_is_dir && new_dir != old_dir) {
1276                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1277                                   old_isec->sclass, DIR__REPARENT, &ad);
1278                 if (rc)
1279                         return rc;
1280         }
1281
1282         ad.u.fs.dentry = new_dentry;
1283         av = DIR__ADD_NAME | DIR__SEARCH;
1284         if (new_dentry->d_inode)
1285                 av |= DIR__REMOVE_NAME;
1286         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1287         if (rc)
1288                 return rc;
1289         if (new_dentry->d_inode) {
1290                 new_isec = new_dentry->d_inode->i_security;
1291                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1292                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1293                                   new_isec->sclass,
1294                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1295                 if (rc)
1296                         return rc;
1297         }
1298
1299         return 0;
1300 }
1301
1302 /* Check whether a task can perform a filesystem operation. */
1303 static int superblock_has_perm(struct task_struct *tsk,
1304                                struct super_block *sb,
1305                                u32 perms,
1306                                struct avc_audit_data *ad)
1307 {
1308         struct task_security_struct *tsec;
1309         struct superblock_security_struct *sbsec;
1310
1311         tsec = tsk->security;
1312         sbsec = sb->s_security;
1313         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1314                             perms, ad);
1315 }
1316
1317 /* Convert a Linux mode and permission mask to an access vector. */
1318 static inline u32 file_mask_to_av(int mode, int mask)
1319 {
1320         u32 av = 0;
1321
1322         if ((mode & S_IFMT) != S_IFDIR) {
1323                 if (mask & MAY_EXEC)
1324                         av |= FILE__EXECUTE;
1325                 if (mask & MAY_READ)
1326                         av |= FILE__READ;
1327
1328                 if (mask & MAY_APPEND)
1329                         av |= FILE__APPEND;
1330                 else if (mask & MAY_WRITE)
1331                         av |= FILE__WRITE;
1332
1333         } else {
1334                 if (mask & MAY_EXEC)
1335                         av |= DIR__SEARCH;
1336                 if (mask & MAY_WRITE)
1337                         av |= DIR__WRITE;
1338                 if (mask & MAY_READ)
1339                         av |= DIR__READ;
1340         }
1341
1342         return av;
1343 }
1344
1345 /* Convert a Linux file to an access vector. */
1346 static inline u32 file_to_av(struct file *file)
1347 {
1348         u32 av = 0;
1349
1350         if (file->f_mode & FMODE_READ)
1351                 av |= FILE__READ;
1352         if (file->f_mode & FMODE_WRITE) {
1353                 if (file->f_flags & O_APPEND)
1354                         av |= FILE__APPEND;
1355                 else
1356                         av |= FILE__WRITE;
1357         }
1358
1359         return av;
1360 }
1361
1362 /* Set an inode's SID to a specified value. */
1363 static int inode_security_set_sid(struct inode *inode, u32 sid)
1364 {
1365         struct inode_security_struct *isec = inode->i_security;
1366         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1367
1368         if (!sbsec->initialized) {
1369                 /* Defer initialization to selinux_complete_init. */
1370                 return 0;
1371         }
1372
1373         down(&isec->sem);
1374         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1375         isec->sid = sid;
1376         isec->initialized = 1;
1377         up(&isec->sem);
1378         return 0;
1379 }
1380
1381 /* Hook functions begin here. */
1382
1383 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1384 {
1385         struct task_security_struct *psec = parent->security;
1386         struct task_security_struct *csec = child->security;
1387         int rc;
1388
1389         rc = secondary_ops->ptrace(parent,child);
1390         if (rc)
1391                 return rc;
1392
1393         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1394         /* Save the SID of the tracing process for later use in apply_creds. */
1395         if (!(child->ptrace & PT_PTRACED) && !rc)
1396                 csec->ptrace_sid = psec->sid;
1397         return rc;
1398 }
1399
1400 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1401                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1402 {
1403         int error;
1404
1405         error = task_has_perm(current, target, PROCESS__GETCAP);
1406         if (error)
1407                 return error;
1408
1409         return secondary_ops->capget(target, effective, inheritable, permitted);
1410 }
1411
1412 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1413                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1414 {
1415         int error;
1416
1417         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1418         if (error)
1419                 return error;
1420
1421         return task_has_perm(current, target, PROCESS__SETCAP);
1422 }
1423
1424 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1425                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1426 {
1427         secondary_ops->capset_set(target, effective, inheritable, permitted);
1428 }
1429
1430 static int selinux_capable(struct task_struct *tsk, int cap)
1431 {
1432         int rc;
1433
1434         rc = secondary_ops->capable(tsk, cap);
1435         if (rc)
1436                 return rc;
1437
1438         return task_has_capability(tsk,cap);
1439 }
1440
1441 static int selinux_sysctl(ctl_table *table, int op)
1442 {
1443         int error = 0;
1444         u32 av;
1445         struct task_security_struct *tsec;
1446         u32 tsid;
1447         int rc;
1448
1449         rc = secondary_ops->sysctl(table, op);
1450         if (rc)
1451                 return rc;
1452
1453         tsec = current->security;
1454
1455         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1456                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1457         if (rc) {
1458                 /* Default to the well-defined sysctl SID. */
1459                 tsid = SECINITSID_SYSCTL;
1460         }
1461
1462         /* The op values are "defined" in sysctl.c, thereby creating
1463          * a bad coupling between this module and sysctl.c */
1464         if(op == 001) {
1465                 error = avc_has_perm(tsec->sid, tsid,
1466                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1467         } else {
1468                 av = 0;
1469                 if (op & 004)
1470                         av |= FILE__READ;
1471                 if (op & 002)
1472                         av |= FILE__WRITE;
1473                 if (av)
1474                         error = avc_has_perm(tsec->sid, tsid,
1475                                              SECCLASS_FILE, av, NULL);
1476         }
1477
1478         return error;
1479 }
1480
1481 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1482 {
1483         int rc = 0;
1484
1485         if (!sb)
1486                 return 0;
1487
1488         switch (cmds) {
1489                 case Q_SYNC:
1490                 case Q_QUOTAON:
1491                 case Q_QUOTAOFF:
1492                 case Q_SETINFO:
1493                 case Q_SETQUOTA:
1494                         rc = superblock_has_perm(current,
1495                                                  sb,
1496                                                  FILESYSTEM__QUOTAMOD, NULL);
1497                         break;
1498                 case Q_GETFMT:
1499                 case Q_GETINFO:
1500                 case Q_GETQUOTA:
1501                         rc = superblock_has_perm(current,
1502                                                  sb,
1503                                                  FILESYSTEM__QUOTAGET, NULL);
1504                         break;
1505                 default:
1506                         rc = 0;  /* let the kernel handle invalid cmds */
1507                         break;
1508         }
1509         return rc;
1510 }
1511
1512 static int selinux_quota_on(struct dentry *dentry)
1513 {
1514         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1515 }
1516
1517 static int selinux_syslog(int type)
1518 {
1519         int rc;
1520
1521         rc = secondary_ops->syslog(type);
1522         if (rc)
1523                 return rc;
1524
1525         switch (type) {
1526                 case 3:         /* Read last kernel messages */
1527                 case 10:        /* Return size of the log buffer */
1528                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1529                         break;
1530                 case 6:         /* Disable logging to console */
1531                 case 7:         /* Enable logging to console */
1532                 case 8:         /* Set level of messages printed to console */
1533                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1534                         break;
1535                 case 0:         /* Close log */
1536                 case 1:         /* Open log */
1537                 case 2:         /* Read from log */
1538                 case 4:         /* Read/clear last kernel messages */
1539                 case 5:         /* Clear ring buffer */
1540                 default:
1541                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1542                         break;
1543         }
1544         return rc;
1545 }
1546
1547 /*
1548  * Check that a process has enough memory to allocate a new virtual
1549  * mapping. 0 means there is enough memory for the allocation to
1550  * succeed and -ENOMEM implies there is not.
1551  *
1552  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1553  * if the capability is granted, but __vm_enough_memory requires 1 if
1554  * the capability is granted.
1555  *
1556  * Do not audit the selinux permission check, as this is applied to all
1557  * processes that allocate mappings.
1558  */
1559 static int selinux_vm_enough_memory(long pages)
1560 {
1561         int rc, cap_sys_admin = 0;
1562         struct task_security_struct *tsec = current->security;
1563
1564         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1565         if (rc == 0)
1566                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1567                                         SECCLASS_CAPABILITY,
1568                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1569                                         NULL);
1570
1571         if (rc == 0)
1572                 cap_sys_admin = 1;
1573
1574         return __vm_enough_memory(pages, cap_sys_admin);
1575 }
1576
1577 /* binprm security operations */
1578
1579 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1580 {
1581         struct bprm_security_struct *bsec;
1582
1583         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1584         if (!bsec)
1585                 return -ENOMEM;
1586
1587         bsec->bprm = bprm;
1588         bsec->sid = SECINITSID_UNLABELED;
1589         bsec->set = 0;
1590
1591         bprm->security = bsec;
1592         return 0;
1593 }
1594
1595 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1596 {
1597         struct task_security_struct *tsec;
1598         struct inode *inode = bprm->file->f_dentry->d_inode;
1599         struct inode_security_struct *isec;
1600         struct bprm_security_struct *bsec;
1601         u32 newsid;
1602         struct avc_audit_data ad;
1603         int rc;
1604
1605         rc = secondary_ops->bprm_set_security(bprm);
1606         if (rc)
1607                 return rc;
1608
1609         bsec = bprm->security;
1610
1611         if (bsec->set)
1612                 return 0;
1613
1614         tsec = current->security;
1615         isec = inode->i_security;
1616
1617         /* Default to the current task SID. */
1618         bsec->sid = tsec->sid;
1619
1620         /* Reset fs, key, and sock SIDs on execve. */
1621         tsec->create_sid = 0;
1622         tsec->keycreate_sid = 0;
1623         tsec->sockcreate_sid = 0;
1624
1625         if (tsec->exec_sid) {
1626                 newsid = tsec->exec_sid;
1627                 /* Reset exec SID on execve. */
1628                 tsec->exec_sid = 0;
1629         } else {
1630                 /* Check for a default transition on this program. */
1631                 rc = security_transition_sid(tsec->sid, isec->sid,
1632                                              SECCLASS_PROCESS, &newsid);
1633                 if (rc)
1634                         return rc;
1635         }
1636
1637         AVC_AUDIT_DATA_INIT(&ad, FS);
1638         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1639         ad.u.fs.dentry = bprm->file->f_dentry;
1640
1641         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1642                 newsid = tsec->sid;
1643
1644         if (tsec->sid == newsid) {
1645                 rc = avc_has_perm(tsec->sid, isec->sid,
1646                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1647                 if (rc)
1648                         return rc;
1649         } else {
1650                 /* Check permissions for the transition. */
1651                 rc = avc_has_perm(tsec->sid, newsid,
1652                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1653                 if (rc)
1654                         return rc;
1655
1656                 rc = avc_has_perm(newsid, isec->sid,
1657                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1658                 if (rc)
1659                         return rc;
1660
1661                 /* Clear any possibly unsafe personality bits on exec: */
1662                 current->personality &= ~PER_CLEAR_ON_SETID;
1663
1664                 /* Set the security field to the new SID. */
1665                 bsec->sid = newsid;
1666         }
1667
1668         bsec->set = 1;
1669         return 0;
1670 }
1671
1672 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1673 {
1674         return secondary_ops->bprm_check_security(bprm);
1675 }
1676
1677
1678 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1679 {
1680         struct task_security_struct *tsec = current->security;
1681         int atsecure = 0;
1682
1683         if (tsec->osid != tsec->sid) {
1684                 /* Enable secure mode for SIDs transitions unless
1685                    the noatsecure permission is granted between
1686                    the two SIDs, i.e. ahp returns 0. */
1687                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1688                                          SECCLASS_PROCESS,
1689                                          PROCESS__NOATSECURE, NULL);
1690         }
1691
1692         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1693 }
1694
1695 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1696 {
1697         kfree(bprm->security);
1698         bprm->security = NULL;
1699 }
1700
1701 extern struct vfsmount *selinuxfs_mount;
1702 extern struct dentry *selinux_null;
1703
1704 /* Derived from fs/exec.c:flush_old_files. */
1705 static inline void flush_unauthorized_files(struct files_struct * files)
1706 {
1707         struct avc_audit_data ad;
1708         struct file *file, *devnull = NULL;
1709         struct tty_struct *tty = current->signal->tty;
1710         struct fdtable *fdt;
1711         long j = -1;
1712
1713         if (tty) {
1714                 file_list_lock();
1715                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1716                 if (file) {
1717                         /* Revalidate access to controlling tty.
1718                            Use inode_has_perm on the tty inode directly rather
1719                            than using file_has_perm, as this particular open
1720                            file may belong to another process and we are only
1721                            interested in the inode-based check here. */
1722                         struct inode *inode = file->f_dentry->d_inode;
1723                         if (inode_has_perm(current, inode,
1724                                            FILE__READ | FILE__WRITE, NULL)) {
1725                                 /* Reset controlling tty. */
1726                                 current->signal->tty = NULL;
1727                                 current->signal->tty_old_pgrp = 0;
1728                         }
1729                 }
1730                 file_list_unlock();
1731         }
1732
1733         /* Revalidate access to inherited open files. */
1734
1735         AVC_AUDIT_DATA_INIT(&ad,FS);
1736
1737         spin_lock(&files->file_lock);
1738         for (;;) {
1739                 unsigned long set, i;
1740                 int fd;
1741
1742                 j++;
1743                 i = j * __NFDBITS;
1744                 fdt = files_fdtable(files);
1745                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1746                         break;
1747                 set = fdt->open_fds->fds_bits[j];
1748                 if (!set)
1749                         continue;
1750                 spin_unlock(&files->file_lock);
1751                 for ( ; set ; i++,set >>= 1) {
1752                         if (set & 1) {
1753                                 file = fget(i);
1754                                 if (!file)
1755                                         continue;
1756                                 if (file_has_perm(current,
1757                                                   file,
1758                                                   file_to_av(file))) {
1759                                         sys_close(i);
1760                                         fd = get_unused_fd();
1761                                         if (fd != i) {
1762                                                 if (fd >= 0)
1763                                                         put_unused_fd(fd);
1764                                                 fput(file);
1765                                                 continue;
1766                                         }
1767                                         if (devnull) {
1768                                                 get_file(devnull);
1769                                         } else {
1770                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1771                                                 if (!devnull) {
1772                                                         put_unused_fd(fd);
1773                                                         fput(file);
1774                                                         continue;
1775                                                 }
1776                                         }
1777                                         fd_install(fd, devnull);
1778                                 }
1779                                 fput(file);
1780                         }
1781                 }
1782                 spin_lock(&files->file_lock);
1783
1784         }
1785         spin_unlock(&files->file_lock);
1786 }
1787
1788 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1789 {
1790         struct task_security_struct *tsec;
1791         struct bprm_security_struct *bsec;
1792         u32 sid;
1793         int rc;
1794
1795         secondary_ops->bprm_apply_creds(bprm, unsafe);
1796
1797         tsec = current->security;
1798
1799         bsec = bprm->security;
1800         sid = bsec->sid;
1801
1802         tsec->osid = tsec->sid;
1803         bsec->unsafe = 0;
1804         if (tsec->sid != sid) {
1805                 /* Check for shared state.  If not ok, leave SID
1806                    unchanged and kill. */
1807                 if (unsafe & LSM_UNSAFE_SHARE) {
1808                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1809                                         PROCESS__SHARE, NULL);
1810                         if (rc) {
1811                                 bsec->unsafe = 1;
1812                                 return;
1813                         }
1814                 }
1815
1816                 /* Check for ptracing, and update the task SID if ok.
1817                    Otherwise, leave SID unchanged and kill. */
1818                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1819                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1820                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1821                                           NULL);
1822                         if (rc) {
1823                                 bsec->unsafe = 1;
1824                                 return;
1825                         }
1826                 }
1827                 tsec->sid = sid;
1828         }
1829 }
1830
1831 /*
1832  * called after apply_creds without the task lock held
1833  */
1834 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1835 {
1836         struct task_security_struct *tsec;
1837         struct rlimit *rlim, *initrlim;
1838         struct itimerval itimer;
1839         struct bprm_security_struct *bsec;
1840         int rc, i;
1841
1842         tsec = current->security;
1843         bsec = bprm->security;
1844
1845         if (bsec->unsafe) {
1846                 force_sig_specific(SIGKILL, current);
1847                 return;
1848         }
1849         if (tsec->osid == tsec->sid)
1850                 return;
1851
1852         /* Close files for which the new task SID is not authorized. */
1853         flush_unauthorized_files(current->files);
1854
1855         /* Check whether the new SID can inherit signal state
1856            from the old SID.  If not, clear itimers to avoid
1857            subsequent signal generation and flush and unblock
1858            signals. This must occur _after_ the task SID has
1859           been updated so that any kill done after the flush
1860           will be checked against the new SID. */
1861         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1862                           PROCESS__SIGINH, NULL);
1863         if (rc) {
1864                 memset(&itimer, 0, sizeof itimer);
1865                 for (i = 0; i < 3; i++)
1866                         do_setitimer(i, &itimer, NULL);
1867                 flush_signals(current);
1868                 spin_lock_irq(&current->sighand->siglock);
1869                 flush_signal_handlers(current, 1);
1870                 sigemptyset(&current->blocked);
1871                 recalc_sigpending();
1872                 spin_unlock_irq(&current->sighand->siglock);
1873         }
1874
1875         /* Check whether the new SID can inherit resource limits
1876            from the old SID.  If not, reset all soft limits to
1877            the lower of the current task's hard limit and the init
1878            task's soft limit.  Note that the setting of hard limits
1879            (even to lower them) can be controlled by the setrlimit
1880            check. The inclusion of the init task's soft limit into
1881            the computation is to avoid resetting soft limits higher
1882            than the default soft limit for cases where the default
1883            is lower than the hard limit, e.g. RLIMIT_CORE or
1884            RLIMIT_STACK.*/
1885         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1886                           PROCESS__RLIMITINH, NULL);
1887         if (rc) {
1888                 for (i = 0; i < RLIM_NLIMITS; i++) {
1889                         rlim = current->signal->rlim + i;
1890                         initrlim = init_task.signal->rlim+i;
1891                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1892                 }
1893                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1894                         /*
1895                          * This will cause RLIMIT_CPU calculations
1896                          * to be refigured.
1897                          */
1898                         current->it_prof_expires = jiffies_to_cputime(1);
1899                 }
1900         }
1901
1902         /* Wake up the parent if it is waiting so that it can
1903            recheck wait permission to the new task SID. */
1904         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1905 }
1906
1907 /* superblock security operations */
1908
1909 static int selinux_sb_alloc_security(struct super_block *sb)
1910 {
1911         return superblock_alloc_security(sb);
1912 }
1913
1914 static void selinux_sb_free_security(struct super_block *sb)
1915 {
1916         superblock_free_security(sb);
1917 }
1918
1919 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1920 {
1921         if (plen > olen)
1922                 return 0;
1923
1924         return !memcmp(prefix, option, plen);
1925 }
1926
1927 static inline int selinux_option(char *option, int len)
1928 {
1929         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1930                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1931                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1932                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1933 }
1934
1935 static inline void take_option(char **to, char *from, int *first, int len)
1936 {
1937         if (!*first) {
1938                 **to = ',';
1939                 *to += 1;
1940         }
1941         else
1942                 *first = 0;
1943         memcpy(*to, from, len);
1944         *to += len;
1945 }
1946
1947 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1948 {
1949         int fnosec, fsec, rc = 0;
1950         char *in_save, *in_curr, *in_end;
1951         char *sec_curr, *nosec_save, *nosec;
1952
1953         in_curr = orig;
1954         sec_curr = copy;
1955
1956         /* Binary mount data: just copy */
1957         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1958                 copy_page(sec_curr, in_curr);
1959                 goto out;
1960         }
1961
1962         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1963         if (!nosec) {
1964                 rc = -ENOMEM;
1965                 goto out;
1966         }
1967
1968         nosec_save = nosec;
1969         fnosec = fsec = 1;
1970         in_save = in_end = orig;
1971
1972         do {
1973                 if (*in_end == ',' || *in_end == '\0') {
1974                         int len = in_end - in_curr;
1975
1976                         if (selinux_option(in_curr, len))
1977                                 take_option(&sec_curr, in_curr, &fsec, len);
1978                         else
1979                                 take_option(&nosec, in_curr, &fnosec, len);
1980
1981                         in_curr = in_end + 1;
1982                 }
1983         } while (*in_end++);
1984
1985         strcpy(in_save, nosec_save);
1986         free_page((unsigned long)nosec_save);
1987 out:
1988         return rc;
1989 }
1990
1991 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1992 {
1993         struct avc_audit_data ad;
1994         int rc;
1995
1996         rc = superblock_doinit(sb, data);
1997         if (rc)
1998                 return rc;
1999
2000         AVC_AUDIT_DATA_INIT(&ad,FS);
2001         ad.u.fs.dentry = sb->s_root;
2002         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2003 }
2004
2005 static int selinux_sb_statfs(struct dentry *dentry)
2006 {
2007         struct avc_audit_data ad;
2008
2009         AVC_AUDIT_DATA_INIT(&ad,FS);
2010         ad.u.fs.dentry = dentry->d_sb->s_root;
2011         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2012 }
2013
2014 static int selinux_mount(char * dev_name,
2015                          struct nameidata *nd,
2016                          char * type,
2017                          unsigned long flags,
2018                          void * data)
2019 {
2020         int rc;
2021
2022         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2023         if (rc)
2024                 return rc;
2025
2026         if (flags & MS_REMOUNT)
2027                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2028                                            FILESYSTEM__REMOUNT, NULL);
2029         else
2030                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2031                                        FILE__MOUNTON);
2032 }
2033
2034 static int selinux_umount(struct vfsmount *mnt, int flags)
2035 {
2036         int rc;
2037
2038         rc = secondary_ops->sb_umount(mnt, flags);
2039         if (rc)
2040                 return rc;
2041
2042         return superblock_has_perm(current,mnt->mnt_sb,
2043                                    FILESYSTEM__UNMOUNT,NULL);
2044 }
2045
2046 /* inode security operations */
2047
2048 static int selinux_inode_alloc_security(struct inode *inode)
2049 {
2050         return inode_alloc_security(inode);
2051 }
2052
2053 static void selinux_inode_free_security(struct inode *inode)
2054 {
2055         inode_free_security(inode);
2056 }
2057
2058 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2059                                        char **name, void **value,
2060                                        size_t *len)
2061 {
2062         struct task_security_struct *tsec;
2063         struct inode_security_struct *dsec;
2064         struct superblock_security_struct *sbsec;
2065         u32 newsid, clen;
2066         int rc;
2067         char *namep = NULL, *context;
2068
2069         tsec = current->security;
2070         dsec = dir->i_security;
2071         sbsec = dir->i_sb->s_security;
2072
2073         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2074                 newsid = tsec->create_sid;
2075         } else {
2076                 rc = security_transition_sid(tsec->sid, dsec->sid,
2077                                              inode_mode_to_security_class(inode->i_mode),
2078                                              &newsid);
2079                 if (rc) {
2080                         printk(KERN_WARNING "%s:  "
2081                                "security_transition_sid failed, rc=%d (dev=%s "
2082                                "ino=%ld)\n",
2083                                __FUNCTION__,
2084                                -rc, inode->i_sb->s_id, inode->i_ino);
2085                         return rc;
2086                 }
2087         }
2088
2089         inode_security_set_sid(inode, newsid);
2090
2091         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2092                 return -EOPNOTSUPP;
2093
2094         if (name) {
2095                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2096                 if (!namep)
2097                         return -ENOMEM;
2098                 *name = namep;
2099         }
2100
2101         if (value && len) {
2102                 rc = security_sid_to_context(newsid, &context, &clen);
2103                 if (rc) {
2104                         kfree(namep);
2105                         return rc;
2106                 }
2107                 *value = context;
2108                 *len = clen;
2109         }
2110
2111         return 0;
2112 }
2113
2114 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2115 {
2116         return may_create(dir, dentry, SECCLASS_FILE);
2117 }
2118
2119 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2120 {
2121         int rc;
2122
2123         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2124         if (rc)
2125                 return rc;
2126         return may_link(dir, old_dentry, MAY_LINK);
2127 }
2128
2129 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2130 {
2131         int rc;
2132
2133         rc = secondary_ops->inode_unlink(dir, dentry);
2134         if (rc)
2135                 return rc;
2136         return may_link(dir, dentry, MAY_UNLINK);
2137 }
2138
2139 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2140 {
2141         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2142 }
2143
2144 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2145 {
2146         return may_create(dir, dentry, SECCLASS_DIR);
2147 }
2148
2149 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2150 {
2151         return may_link(dir, dentry, MAY_RMDIR);
2152 }
2153
2154 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2155 {
2156         int rc;
2157
2158         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2159         if (rc)
2160                 return rc;
2161
2162         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2163 }
2164
2165 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2166                                 struct inode *new_inode, struct dentry *new_dentry)
2167 {
2168         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2169 }
2170
2171 static int selinux_inode_readlink(struct dentry *dentry)
2172 {
2173         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2174 }
2175
2176 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2177 {
2178         int rc;
2179
2180         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2181         if (rc)
2182                 return rc;
2183         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2184 }
2185
2186 static int selinux_inode_permission(struct inode *inode, int mask,
2187                                     struct nameidata *nd)
2188 {
2189         int rc;
2190
2191         rc = secondary_ops->inode_permission(inode, mask, nd);
2192         if (rc)
2193                 return rc;
2194
2195         if (!mask) {
2196                 /* No permission to check.  Existence test. */
2197                 return 0;
2198         }
2199
2200         return inode_has_perm(current, inode,
2201                                file_mask_to_av(inode->i_mode, mask), NULL);
2202 }
2203
2204 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2205 {
2206         int rc;
2207
2208         rc = secondary_ops->inode_setattr(dentry, iattr);
2209         if (rc)
2210                 return rc;
2211
2212         if (iattr->ia_valid & ATTR_FORCE)
2213                 return 0;
2214
2215         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2216                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2217                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2218
2219         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2220 }
2221
2222 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2223 {
2224         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2225 }
2226
2227 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2228 {
2229         struct task_security_struct *tsec = current->security;
2230         struct inode *inode = dentry->d_inode;
2231         struct inode_security_struct *isec = inode->i_security;
2232         struct superblock_security_struct *sbsec;
2233         struct avc_audit_data ad;
2234         u32 newsid;
2235         int rc = 0;
2236
2237         if (strcmp(name, XATTR_NAME_SELINUX)) {
2238                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2239                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2240                     !capable(CAP_SYS_ADMIN)) {
2241                         /* A different attribute in the security namespace.
2242                            Restrict to administrator. */
2243                         return -EPERM;
2244                 }
2245
2246                 /* Not an attribute we recognize, so just check the
2247                    ordinary setattr permission. */
2248                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2249         }
2250
2251         sbsec = inode->i_sb->s_security;
2252         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2253                 return -EOPNOTSUPP;
2254
2255         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2256                 return -EPERM;
2257
2258         AVC_AUDIT_DATA_INIT(&ad,FS);
2259         ad.u.fs.dentry = dentry;
2260
2261         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2262                           FILE__RELABELFROM, &ad);
2263         if (rc)
2264                 return rc;
2265
2266         rc = security_context_to_sid(value, size, &newsid);
2267         if (rc)
2268                 return rc;
2269
2270         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2271                           FILE__RELABELTO, &ad);
2272         if (rc)
2273                 return rc;
2274
2275         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2276                                           isec->sclass);
2277         if (rc)
2278                 return rc;
2279
2280         return avc_has_perm(newsid,
2281                             sbsec->sid,
2282                             SECCLASS_FILESYSTEM,
2283                             FILESYSTEM__ASSOCIATE,
2284                             &ad);
2285 }
2286
2287 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2288                                         void *value, size_t size, int flags)
2289 {
2290         struct inode *inode = dentry->d_inode;
2291         struct inode_security_struct *isec = inode->i_security;
2292         u32 newsid;
2293         int rc;
2294
2295         if (strcmp(name, XATTR_NAME_SELINUX)) {
2296                 /* Not an attribute we recognize, so nothing to do. */
2297                 return;
2298         }
2299
2300         rc = security_context_to_sid(value, size, &newsid);
2301         if (rc) {
2302                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2303                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2304                 return;
2305         }
2306
2307         isec->sid = newsid;
2308         return;
2309 }
2310
2311 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2312 {
2313         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2314 }
2315
2316 static int selinux_inode_listxattr (struct dentry *dentry)
2317 {
2318         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2319 }
2320
2321 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2322 {
2323         if (strcmp(name, XATTR_NAME_SELINUX)) {
2324                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2325                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2326                     !capable(CAP_SYS_ADMIN)) {
2327                         /* A different attribute in the security namespace.
2328                            Restrict to administrator. */
2329                         return -EPERM;
2330                 }
2331
2332                 /* Not an attribute we recognize, so just check the
2333                    ordinary setattr permission. Might want a separate
2334                    permission for removexattr. */
2335                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2336         }
2337
2338         /* No one is allowed to remove a SELinux security label.
2339            You can change the label, but all data must be labeled. */
2340         return -EACCES;
2341 }
2342
2343 static const char *selinux_inode_xattr_getsuffix(void)
2344 {
2345       return XATTR_SELINUX_SUFFIX;
2346 }
2347
2348 /*
2349  * Copy the in-core inode security context value to the user.  If the
2350  * getxattr() prior to this succeeded, check to see if we need to
2351  * canonicalize the value to be finally returned to the user.
2352  *
2353  * Permission check is handled by selinux_inode_getxattr hook.
2354  */
2355 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2356 {
2357         struct inode_security_struct *isec = inode->i_security;
2358
2359         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2360                 return -EOPNOTSUPP;
2361
2362         return selinux_getsecurity(isec->sid, buffer, size);
2363 }
2364
2365 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2366                                      const void *value, size_t size, int flags)
2367 {
2368         struct inode_security_struct *isec = inode->i_security;
2369         u32 newsid;
2370         int rc;
2371
2372         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2373                 return -EOPNOTSUPP;
2374
2375         if (!value || !size)
2376                 return -EACCES;
2377
2378         rc = security_context_to_sid((void*)value, size, &newsid);
2379         if (rc)
2380                 return rc;
2381
2382         isec->sid = newsid;
2383         return 0;
2384 }
2385
2386 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2387 {
2388         const int len = sizeof(XATTR_NAME_SELINUX);
2389         if (buffer && len <= buffer_size)
2390                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2391         return len;
2392 }
2393
2394 /* file security operations */
2395
2396 static int selinux_file_permission(struct file *file, int mask)
2397 {
2398         struct inode *inode = file->f_dentry->d_inode;
2399
2400         if (!mask) {
2401                 /* No permission to check.  Existence test. */
2402                 return 0;
2403         }
2404
2405         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2406         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2407                 mask |= MAY_APPEND;
2408
2409         return file_has_perm(current, file,
2410                              file_mask_to_av(inode->i_mode, mask));
2411 }
2412
2413 static int selinux_file_alloc_security(struct file *file)
2414 {
2415         return file_alloc_security(file);
2416 }
2417
2418 static void selinux_file_free_security(struct file *file)
2419 {
2420         file_free_security(file);
2421 }
2422
2423 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2424                               unsigned long arg)
2425 {
2426         int error = 0;
2427
2428         switch (cmd) {
2429                 case FIONREAD:
2430                 /* fall through */
2431                 case FIBMAP:
2432                 /* fall through */
2433                 case FIGETBSZ:
2434                 /* fall through */
2435                 case EXT2_IOC_GETFLAGS:
2436                 /* fall through */
2437                 case EXT2_IOC_GETVERSION:
2438                         error = file_has_perm(current, file, FILE__GETATTR);
2439                         break;
2440
2441                 case EXT2_IOC_SETFLAGS:
2442                 /* fall through */
2443                 case EXT2_IOC_SETVERSION:
2444                         error = file_has_perm(current, file, FILE__SETATTR);
2445                         break;
2446
2447                 /* sys_ioctl() checks */
2448                 case FIONBIO:
2449                 /* fall through */
2450                 case FIOASYNC:
2451                         error = file_has_perm(current, file, 0);
2452                         break;
2453
2454                 case KDSKBENT:
2455                 case KDSKBSENT:
2456                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2457                         break;
2458
2459                 /* default case assumes that the command will go
2460                  * to the file's ioctl() function.
2461                  */
2462                 default:
2463                         error = file_has_perm(current, file, FILE__IOCTL);
2464
2465         }
2466         return error;
2467 }
2468
2469 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2470 {
2471 #ifndef CONFIG_PPC32
2472         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2473                 /*
2474                  * We are making executable an anonymous mapping or a
2475                  * private file mapping that will also be writable.
2476                  * This has an additional check.
2477                  */
2478                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2479                 if (rc)
2480                         return rc;
2481         }
2482 #endif
2483
2484         if (file) {
2485                 /* read access is always possible with a mapping */
2486                 u32 av = FILE__READ;
2487
2488                 /* write access only matters if the mapping is shared */
2489                 if (shared && (prot & PROT_WRITE))
2490                         av |= FILE__WRITE;
2491
2492                 if (prot & PROT_EXEC)
2493                         av |= FILE__EXECUTE;
2494
2495                 return file_has_perm(current, file, av);
2496         }
2497         return 0;
2498 }
2499
2500 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2501                              unsigned long prot, unsigned long flags)
2502 {
2503         int rc;
2504
2505         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2506         if (rc)
2507                 return rc;
2508
2509         if (selinux_checkreqprot)
2510                 prot = reqprot;
2511
2512         return file_map_prot_check(file, prot,
2513                                    (flags & MAP_TYPE) == MAP_SHARED);
2514 }
2515
2516 static int selinux_file_mprotect(struct vm_area_struct *vma,
2517                                  unsigned long reqprot,
2518                                  unsigned long prot)
2519 {
2520         int rc;
2521
2522         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2523         if (rc)
2524                 return rc;
2525
2526         if (selinux_checkreqprot)
2527                 prot = reqprot;
2528
2529 #ifndef CONFIG_PPC32
2530         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2531                 rc = 0;
2532                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2533                     vma->vm_end <= vma->vm_mm->brk) {
2534                         rc = task_has_perm(current, current,
2535                                            PROCESS__EXECHEAP);
2536                 } else if (!vma->vm_file &&
2537                            vma->vm_start <= vma->vm_mm->start_stack &&
2538                            vma->vm_end >= vma->vm_mm->start_stack) {
2539                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2540                 } else if (vma->vm_file && vma->anon_vma) {
2541                         /*
2542                          * We are making executable a file mapping that has
2543                          * had some COW done. Since pages might have been
2544                          * written, check ability to execute the possibly
2545                          * modified content.  This typically should only
2546                          * occur for text relocations.
2547                          */
2548                         rc = file_has_perm(current, vma->vm_file,
2549                                            FILE__EXECMOD);
2550                 }
2551                 if (rc)
2552                         return rc;
2553         }
2554 #endif
2555
2556         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2557 }
2558
2559 static int selinux_file_lock(struct file *file, unsigned int cmd)
2560 {
2561         return file_has_perm(current, file, FILE__LOCK);
2562 }
2563
2564 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2565                               unsigned long arg)
2566 {
2567         int err = 0;
2568
2569         switch (cmd) {
2570                 case F_SETFL:
2571                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2572                                 err = -EINVAL;
2573                                 break;
2574                         }
2575
2576                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2577                                 err = file_has_perm(current, file,FILE__WRITE);
2578                                 break;
2579                         }
2580                         /* fall through */
2581                 case F_SETOWN:
2582                 case F_SETSIG:
2583                 case F_GETFL:
2584                 case F_GETOWN:
2585                 case F_GETSIG:
2586                         /* Just check FD__USE permission */
2587                         err = file_has_perm(current, file, 0);
2588                         break;
2589                 case F_GETLK:
2590                 case F_SETLK:
2591                 case F_SETLKW:
2592 #if BITS_PER_LONG == 32
2593                 case F_GETLK64:
2594                 case F_SETLK64:
2595                 case F_SETLKW64:
2596 #endif
2597                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2598                                 err = -EINVAL;
2599                                 break;
2600                         }
2601                         err = file_has_perm(current, file, FILE__LOCK);
2602                         break;
2603         }
2604
2605         return err;
2606 }
2607
2608 static int selinux_file_set_fowner(struct file *file)
2609 {
2610         struct task_security_struct *tsec;
2611         struct file_security_struct *fsec;
2612
2613         tsec = current->security;
2614         fsec = file->f_security;
2615         fsec->fown_sid = tsec->sid;
2616
2617         return 0;
2618 }
2619
2620 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2621                                        struct fown_struct *fown, int signum)
2622 {
2623         struct file *file;
2624         u32 perm;
2625         struct task_security_struct *tsec;
2626         struct file_security_struct *fsec;
2627
2628         /* struct fown_struct is never outside the context of a struct file */
2629         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2630
2631         tsec = tsk->security;
2632         fsec = file->f_security;
2633
2634         if (!signum)
2635                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2636         else
2637                 perm = signal_to_av(signum);
2638
2639         return avc_has_perm(fsec->fown_sid, tsec->sid,
2640                             SECCLASS_PROCESS, perm, NULL);
2641 }
2642
2643 static int selinux_file_receive(struct file *file)
2644 {
2645         return file_has_perm(current, file, file_to_av(file));
2646 }
2647
2648 /* task security operations */
2649
2650 static int selinux_task_create(unsigned long clone_flags)
2651 {
2652         int rc;
2653
2654         rc = secondary_ops->task_create(clone_flags);
2655         if (rc)
2656                 return rc;
2657
2658         return task_has_perm(current, current, PROCESS__FORK);
2659 }
2660
2661 static int selinux_task_alloc_security(struct task_struct *tsk)
2662 {
2663         struct task_security_struct *tsec1, *tsec2;
2664         int rc;
2665
2666         tsec1 = current->security;
2667
2668         rc = task_alloc_security(tsk);
2669         if (rc)
2670                 return rc;
2671         tsec2 = tsk->security;
2672
2673         tsec2->osid = tsec1->osid;
2674         tsec2->sid = tsec1->sid;
2675
2676         /* Retain the exec, fs, key, and sock SIDs across fork */
2677         tsec2->exec_sid = tsec1->exec_sid;
2678         tsec2->create_sid = tsec1->create_sid;
2679         tsec2->keycreate_sid = tsec1->keycreate_sid;
2680         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2681
2682         /* Retain ptracer SID across fork, if any.
2683            This will be reset by the ptrace hook upon any
2684            subsequent ptrace_attach operations. */
2685         tsec2->ptrace_sid = tsec1->ptrace_sid;
2686
2687         return 0;
2688 }
2689
2690 static void selinux_task_free_security(struct task_struct *tsk)
2691 {
2692         task_free_security(tsk);
2693 }
2694
2695 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2696 {
2697         /* Since setuid only affects the current process, and
2698            since the SELinux controls are not based on the Linux
2699            identity attributes, SELinux does not need to control
2700            this operation.  However, SELinux does control the use
2701            of the CAP_SETUID and CAP_SETGID capabilities using the
2702            capable hook. */
2703         return 0;
2704 }
2705
2706 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2707 {
2708         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2709 }
2710
2711 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2712 {
2713         /* See the comment for setuid above. */
2714         return 0;
2715 }
2716
2717 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2718 {
2719         return task_has_perm(current, p, PROCESS__SETPGID);
2720 }
2721
2722 static int selinux_task_getpgid(struct task_struct *p)
2723 {
2724         return task_has_perm(current, p, PROCESS__GETPGID);
2725 }
2726
2727 static int selinux_task_getsid(struct task_struct *p)
2728 {
2729         return task_has_perm(current, p, PROCESS__GETSESSION);
2730 }
2731
2732 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2733 {
2734         selinux_get_task_sid(p, secid);
2735 }
2736
2737 static int selinux_task_setgroups(struct group_info *group_info)
2738 {
2739         /* See the comment for setuid above. */
2740         return 0;
2741 }
2742
2743 static int selinux_task_setnice(struct task_struct *p, int nice)
2744 {
2745         int rc;
2746
2747         rc = secondary_ops->task_setnice(p, nice);
2748         if (rc)
2749                 return rc;
2750
2751         return task_has_perm(current,p, PROCESS__SETSCHED);
2752 }
2753
2754 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2755 {
2756         return task_has_perm(current, p, PROCESS__SETSCHED);
2757 }
2758
2759 static int selinux_task_getioprio(struct task_struct *p)
2760 {
2761         return task_has_perm(current, p, PROCESS__GETSCHED);
2762 }
2763
2764 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2765 {
2766         struct rlimit *old_rlim = current->signal->rlim + resource;
2767         int rc;
2768
2769         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2770         if (rc)
2771                 return rc;
2772
2773         /* Control the ability to change the hard limit (whether
2774            lowering or raising it), so that the hard limit can
2775            later be used as a safe reset point for the soft limit
2776            upon context transitions. See selinux_bprm_apply_creds. */
2777         if (old_rlim->rlim_max != new_rlim->rlim_max)
2778                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2779
2780         return 0;
2781 }
2782
2783 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2784 {
2785         return task_has_perm(current, p, PROCESS__SETSCHED);
2786 }
2787
2788 static int selinux_task_getscheduler(struct task_struct *p)
2789 {
2790         return task_has_perm(current, p, PROCESS__GETSCHED);
2791 }
2792
2793 static int selinux_task_movememory(struct task_struct *p)
2794 {
2795         return task_has_perm(current, p, PROCESS__SETSCHED);
2796 }
2797
2798 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2799                                 int sig, u32 secid)
2800 {
2801         u32 perm;
2802         int rc;
2803         struct task_security_struct *tsec;
2804
2805         rc = secondary_ops->task_kill(p, info, sig, secid);
2806         if (rc)
2807                 return rc;
2808
2809         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2810                 return 0;
2811
2812         if (!sig)
2813                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2814         else
2815                 perm = signal_to_av(sig);
2816         tsec = p->security;
2817         if (secid)
2818                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2819         else
2820                 rc = task_has_perm(current, p, perm);
2821         return rc;
2822 }
2823
2824 static int selinux_task_prctl(int option,
2825                               unsigned long arg2,
2826                               unsigned long arg3,
2827                               unsigned long arg4,
2828                               unsigned long arg5)
2829 {
2830         /* The current prctl operations do not appear to require
2831            any SELinux controls since they merely observe or modify
2832            the state of the current process. */
2833         return 0;
2834 }
2835
2836 static int selinux_task_wait(struct task_struct *p)
2837 {
2838         u32 perm;
2839
2840         perm = signal_to_av(p->exit_signal);
2841
2842         return task_has_perm(p, current, perm);
2843 }
2844
2845 static void selinux_task_reparent_to_init(struct task_struct *p)
2846 {
2847         struct task_security_struct *tsec;
2848
2849         secondary_ops->task_reparent_to_init(p);
2850
2851         tsec = p->security;
2852         tsec->osid = tsec->sid;
2853         tsec->sid = SECINITSID_KERNEL;
2854         return;
2855 }
2856
2857 static void selinux_task_to_inode(struct task_struct *p,
2858                                   struct inode *inode)
2859 {
2860         struct task_security_struct *tsec = p->security;
2861         struct inode_security_struct *isec = inode->i_security;
2862
2863         isec->sid = tsec->sid;
2864         isec->initialized = 1;
2865         return;
2866 }
2867
2868 /* Returns error only if unable to parse addresses */
2869 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2870 {
2871         int offset, ihlen, ret = -EINVAL;
2872         struct iphdr _iph, *ih;
2873
2874         offset = skb->nh.raw - skb->data;
2875         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2876         if (ih == NULL)
2877                 goto out;
2878
2879         ihlen = ih->ihl * 4;
2880         if (ihlen < sizeof(_iph))
2881                 goto out;
2882
2883         ad->u.net.v4info.saddr = ih->saddr;
2884         ad->u.net.v4info.daddr = ih->daddr;
2885         ret = 0;
2886
2887         switch (ih->protocol) {
2888         case IPPROTO_TCP: {
2889                 struct tcphdr _tcph, *th;
2890
2891                 if (ntohs(ih->frag_off) & IP_OFFSET)
2892                         break;
2893
2894                 offset += ihlen;
2895                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2896                 if (th == NULL)
2897                         break;
2898
2899                 ad->u.net.sport = th->source;
2900                 ad->u.net.dport = th->dest;
2901                 break;
2902         }
2903         
2904         case IPPROTO_UDP: {
2905                 struct udphdr _udph, *uh;
2906                 
2907                 if (ntohs(ih->frag_off) & IP_OFFSET)
2908                         break;
2909                         
2910                 offset += ihlen;
2911                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2912                 if (uh == NULL)
2913                         break;  
2914
2915                 ad->u.net.sport = uh->source;
2916                 ad->u.net.dport = uh->dest;
2917                 break;
2918         }
2919
2920         default:
2921                 break;
2922         }
2923 out:
2924         return ret;
2925 }
2926
2927 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2928
2929 /* Returns error only if unable to parse addresses */
2930 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2931 {
2932         u8 nexthdr;
2933         int ret = -EINVAL, offset;
2934         struct ipv6hdr _ipv6h, *ip6;
2935
2936         offset = skb->nh.raw - skb->data;
2937         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2938         if (ip6 == NULL)
2939                 goto out;
2940
2941         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2942         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2943         ret = 0;
2944
2945         nexthdr = ip6->nexthdr;
2946         offset += sizeof(_ipv6h);
2947         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2948         if (offset < 0)
2949                 goto out;
2950
2951         switch (nexthdr) {
2952         case IPPROTO_TCP: {
2953                 struct tcphdr _tcph, *th;
2954
2955                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2956                 if (th == NULL)
2957                         break;
2958
2959                 ad->u.net.sport = th->source;
2960                 ad->u.net.dport = th->dest;
2961                 break;
2962         }
2963
2964         case IPPROTO_UDP: {
2965                 struct udphdr _udph, *uh;
2966
2967                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2968                 if (uh == NULL)
2969                         break;
2970
2971                 ad->u.net.sport = uh->source;
2972                 ad->u.net.dport = uh->dest;
2973                 break;
2974         }
2975
2976         /* includes fragments */
2977         default:
2978                 break;
2979         }
2980 out:
2981         return ret;
2982 }
2983
2984 #endif /* IPV6 */
2985
2986 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2987                              char **addrp, int *len, int src)
2988 {
2989         int ret = 0;
2990
2991         switch (ad->u.net.family) {
2992         case PF_INET:
2993                 ret = selinux_parse_skb_ipv4(skb, ad);
2994                 if (ret || !addrp)
2995                         break;
2996                 *len = 4;
2997                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2998                                         &ad->u.net.v4info.daddr);
2999                 break;
3000
3001 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3002         case PF_INET6:
3003                 ret = selinux_parse_skb_ipv6(skb, ad);
3004                 if (ret || !addrp)
3005                         break;
3006                 *len = 16;
3007                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3008                                         &ad->u.net.v6info.daddr);
3009                 break;
3010 #endif  /* IPV6 */
3011         default:
3012                 break;
3013         }
3014
3015         return ret;
3016 }
3017
3018 /* socket security operations */
3019 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3020                            u32 perms)
3021 {
3022         struct inode_security_struct *isec;
3023         struct task_security_struct *tsec;
3024         struct avc_audit_data ad;
3025         int err = 0;
3026
3027         tsec = task->security;
3028         isec = SOCK_INODE(sock)->i_security;
3029
3030         if (isec->sid == SECINITSID_KERNEL)
3031                 goto out;
3032
3033         AVC_AUDIT_DATA_INIT(&ad,NET);
3034         ad.u.net.sk = sock->sk;
3035         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3036
3037 out:
3038         return err;
3039 }
3040
3041 static int selinux_socket_create(int family, int type,
3042                                  int protocol, int kern)
3043 {
3044         int err = 0;
3045         struct task_security_struct *tsec;
3046         u32 newsid;
3047
3048         if (kern)
3049                 goto out;
3050
3051         tsec = current->security;
3052         newsid = tsec->sockcreate_sid ? : tsec->sid;
3053         err = avc_has_perm(tsec->sid, newsid,
3054                            socket_type_to_security_class(family, type,
3055                            protocol), SOCKET__CREATE, NULL);
3056
3057 out:
3058         return err;
3059 }
3060
3061 static void selinux_socket_post_create(struct socket *sock, int family,
3062                                        int type, int protocol, int kern)
3063 {
3064         struct inode_security_struct *isec;
3065         struct task_security_struct *tsec;
3066         struct sk_security_struct *sksec;
3067         u32 newsid;
3068
3069         isec = SOCK_INODE(sock)->i_security;
3070
3071         tsec = current->security;
3072         newsid = tsec->sockcreate_sid ? : tsec->sid;
3073         isec->sclass = socket_type_to_security_class(family, type, protocol);
3074         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3075         isec->initialized = 1;
3076
3077         if (sock->sk) {
3078                 sksec = sock->sk->sk_security;
3079                 sksec->sid = isec->sid;
3080         }
3081
3082         return;
3083 }
3084
3085 /* Range of port numbers used to automatically bind.
3086    Need to determine whether we should perform a name_bind
3087    permission check between the socket and the port number. */
3088 #define ip_local_port_range_0 sysctl_local_port_range[0]
3089 #define ip_local_port_range_1 sysctl_local_port_range[1]
3090
3091 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3092 {
3093         u16 family;
3094         int err;
3095
3096         err = socket_has_perm(current, sock, SOCKET__BIND);
3097         if (err)
3098                 goto out;
3099
3100         /*
3101          * If PF_INET or PF_INET6, check name_bind permission for the port.
3102          * Multiple address binding for SCTP is not supported yet: we just
3103          * check the first address now.
3104          */
3105         family = sock->sk->sk_family;
3106         if (family == PF_INET || family == PF_INET6) {
3107                 char *addrp;
3108                 struct inode_security_struct *isec;
3109                 struct task_security_struct *tsec;
3110                 struct avc_audit_data ad;
3111                 struct sockaddr_in *addr4 = NULL;
3112                 struct sockaddr_in6 *addr6 = NULL;
3113                 unsigned short snum;
3114                 struct sock *sk = sock->sk;
3115                 u32 sid, node_perm, addrlen;
3116
3117                 tsec = current->security;
3118                 isec = SOCK_INODE(sock)->i_security;
3119
3120                 if (family == PF_INET) {
3121                         addr4 = (struct sockaddr_in *)address;
3122                         snum = ntohs(addr4->sin_port);
3123                         addrlen = sizeof(addr4->sin_addr.s_addr);
3124                         addrp = (char *)&addr4->sin_addr.s_addr;
3125                 } else {
3126                         addr6 = (struct sockaddr_in6 *)address;
3127                         snum = ntohs(addr6->sin6_port);
3128                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3129                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3130                 }
3131
3132                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3133                            snum > ip_local_port_range_1)) {
3134                         err = security_port_sid(sk->sk_family, sk->sk_type,
3135                                                 sk->sk_protocol, snum, &sid);
3136                         if (err)
3137                                 goto out;
3138                         AVC_AUDIT_DATA_INIT(&ad,NET);
3139                         ad.u.net.sport = htons(snum);
3140                         ad.u.net.family = family;
3141                         err = avc_has_perm(isec->sid, sid,
3142                                            isec->sclass,
3143                                            SOCKET__NAME_BIND, &ad);
3144                         if (err)
3145                                 goto out;
3146                 }
3147                 
3148                 switch(isec->sclass) {
3149                 case SECCLASS_TCP_SOCKET:
3150                         node_perm = TCP_SOCKET__NODE_BIND;
3151                         break;
3152                         
3153                 case SECCLASS_UDP_SOCKET:
3154                         node_perm = UDP_SOCKET__NODE_BIND;
3155                         break;
3156                         
3157                 default:
3158                         node_perm = RAWIP_SOCKET__NODE_BIND;
3159                         break;
3160                 }
3161                 
3162                 err = security_node_sid(family, addrp, addrlen, &sid);
3163                 if (err)
3164                         goto out;
3165                 
3166                 AVC_AUDIT_DATA_INIT(&ad,NET);
3167                 ad.u.net.sport = htons(snum);
3168                 ad.u.net.family = family;
3169
3170                 if (family == PF_INET)
3171                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3172                 else
3173                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3174
3175                 err = avc_has_perm(isec->sid, sid,
3176                                    isec->sclass, node_perm, &ad);
3177                 if (err)
3178                         goto out;
3179         }
3180 out:
3181         return err;
3182 }
3183
3184 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3185 {
3186         struct inode_security_struct *isec;
3187         int err;
3188
3189         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3190         if (err)
3191                 return err;
3192
3193         /*
3194          * If a TCP socket, check name_connect permission for the port.
3195          */
3196         isec = SOCK_INODE(sock)->i_security;
3197         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3198                 struct sock *sk = sock->sk;
3199                 struct avc_audit_data ad;
3200                 struct sockaddr_in *addr4 = NULL;
3201                 struct sockaddr_in6 *addr6 = NULL;
3202                 unsigned short snum;
3203                 u32 sid;
3204
3205                 if (sk->sk_family == PF_INET) {
3206                         addr4 = (struct sockaddr_in *)address;
3207                         if (addrlen < sizeof(struct sockaddr_in))
3208                                 return -EINVAL;
3209                         snum = ntohs(addr4->sin_port);
3210                 } else {
3211                         addr6 = (struct sockaddr_in6 *)address;
3212                         if (addrlen < SIN6_LEN_RFC2133)
3213                                 return -EINVAL;
3214                         snum = ntohs(addr6->sin6_port);
3215                 }
3216
3217                 err = security_port_sid(sk->sk_family, sk->sk_type,
3218                                         sk->sk_protocol, snum, &sid);
3219                 if (err)
3220                         goto out;
3221
3222                 AVC_AUDIT_DATA_INIT(&ad,NET);
3223                 ad.u.net.dport = htons(snum);
3224                 ad.u.net.family = sk->sk_family;
3225                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3226                                    TCP_SOCKET__NAME_CONNECT, &ad);
3227                 if (err)
3228                         goto out;
3229         }
3230
3231 out:
3232         return err;
3233 }
3234
3235 static int selinux_socket_listen(struct socket *sock, int backlog)
3236 {
3237         return socket_has_perm(current, sock, SOCKET__LISTEN);
3238 }
3239
3240 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3241 {
3242         int err;
3243         struct inode_security_struct *isec;
3244         struct inode_security_struct *newisec;
3245
3246         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3247         if (err)
3248                 return err;
3249
3250         newisec = SOCK_INODE(newsock)->i_security;
3251
3252         isec = SOCK_INODE(sock)->i_security;
3253         newisec->sclass = isec->sclass;
3254         newisec->sid = isec->sid;
3255         newisec->initialized = 1;
3256
3257         return 0;
3258 }
3259
3260 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3261                                   int size)
3262 {
3263         return socket_has_perm(current, sock, SOCKET__WRITE);
3264 }
3265
3266 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3267                                   int size, int flags)
3268 {
3269         return socket_has_perm(current, sock, SOCKET__READ);
3270 }
3271
3272 static int selinux_socket_getsockname(struct socket *sock)
3273 {
3274         return socket_has_perm(current, sock, SOCKET__GETATTR);
3275 }
3276
3277 static int selinux_socket_getpeername(struct socket *sock)
3278 {
3279         return socket_has_perm(current, sock, SOCKET__GETATTR);
3280 }
3281
3282 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3283 {
3284         return socket_has_perm(current, sock, SOCKET__SETOPT);
3285 }
3286
3287 static int selinux_socket_getsockopt(struct socket *sock, int level,
3288                                      int optname)
3289 {
3290         return socket_has_perm(current, sock, SOCKET__GETOPT);
3291 }
3292
3293 static int selinux_socket_shutdown(struct socket *sock, int how)
3294 {
3295         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3296 }
3297
3298 static int selinux_socket_unix_stream_connect(struct socket *sock,
3299                                               struct socket *other,
3300                                               struct sock *newsk)
3301 {
3302         struct sk_security_struct *ssec;
3303         struct inode_security_struct *isec;
3304         struct inode_security_struct *other_isec;
3305         struct avc_audit_data ad;
3306         int err;
3307
3308         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3309         if (err)
3310                 return err;
3311
3312         isec = SOCK_INODE(sock)->i_security;
3313         other_isec = SOCK_INODE(other)->i_security;
3314
3315         AVC_AUDIT_DATA_INIT(&ad,NET);
3316         ad.u.net.sk = other->sk;
3317
3318         err = avc_has_perm(isec->sid, other_isec->sid,
3319                            isec->sclass,
3320                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3321         if (err)
3322                 return err;
3323
3324         /* connecting socket */
3325         ssec = sock->sk->sk_security;
3326         ssec->peer_sid = other_isec->sid;
3327         
3328         /* server child socket */
3329         ssec = newsk->sk_security;
3330         ssec->peer_sid = isec->sid;
3331         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3332
3333         return err;
3334 }
3335
3336 static int selinux_socket_unix_may_send(struct socket *sock,
3337                                         struct socket *other)
3338 {
3339         struct inode_security_struct *isec;
3340         struct inode_security_struct *other_isec;
3341         struct avc_audit_data ad;
3342         int err;
3343
3344         isec = SOCK_INODE(sock)->i_security;
3345         other_isec = SOCK_INODE(other)->i_security;
3346
3347         AVC_AUDIT_DATA_INIT(&ad,NET);
3348         ad.u.net.sk = other->sk;
3349
3350         err = avc_has_perm(isec->sid, other_isec->sid,
3351                            isec->sclass, SOCKET__SENDTO, &ad);
3352         if (err)
3353                 return err;
3354
3355         return 0;
3356 }
3357
3358 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3359                 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3360 {
3361         int err = 0;
3362         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3363         struct socket *sock;
3364         u16 sock_class = 0;
3365         u32 sock_sid = 0;
3366
3367         read_lock_bh(&sk->sk_callback_lock);
3368         sock = sk->sk_socket;
3369         if (sock) {
3370                 struct inode *inode;
3371                 inode = SOCK_INODE(sock);
3372                 if (inode) {
3373                         struct inode_security_struct *isec;
3374                         isec = inode->i_security;
3375                         sock_sid = isec->sid;
3376                         sock_class = isec->sclass;
3377                 }
3378         }
3379         read_unlock_bh(&sk->sk_callback_lock);
3380         if (!sock_sid)
3381                 goto out;
3382
3383         if (!skb->dev)
3384                 goto out;
3385
3386         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3387         if (err)
3388                 goto out;
3389
3390         switch (sock_class) {
3391         case SECCLASS_UDP_SOCKET:
3392                 netif_perm = NETIF__UDP_RECV;
3393                 node_perm = NODE__UDP_RECV;
3394                 recv_perm = UDP_SOCKET__RECV_MSG;
3395                 break;
3396         
3397         case SECCLASS_TCP_SOCKET:
3398                 netif_perm = NETIF__TCP_RECV;
3399                 node_perm = NODE__TCP_RECV;
3400                 recv_perm = TCP_SOCKET__RECV_MSG;
3401                 break;
3402         
3403         default:
3404                 netif_perm = NETIF__RAWIP_RECV;
3405                 node_perm = NODE__RAWIP_RECV;
3406                 break;
3407         }
3408
3409         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3410         if (err)
3411                 goto out;
3412         
3413         err = security_node_sid(family, addrp, len, &node_sid);
3414         if (err)
3415                 goto out;
3416         
3417         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3418         if (err)
3419                 goto out;
3420
3421         if (recv_perm) {
3422                 u32 port_sid;
3423
3424                 err = security_port_sid(sk->sk_family, sk->sk_type,
3425                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3426                                         &port_sid);
3427                 if (err)
3428                         goto out;
3429
3430                 err = avc_has_perm(sock_sid, port_sid,
3431                                    sock_class, recv_perm, ad);
3432         }
3433
3434 out:
3435         return err;
3436 }
3437
3438 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3439 {
3440         u16 family;
3441         char *addrp;
3442         int len, err = 0;
3443         struct avc_audit_data ad;
3444         struct sk_security_struct *sksec = sk->sk_security;
3445
3446         family = sk->sk_family;
3447         if (family != PF_INET && family != PF_INET6)
3448                 goto out;
3449
3450         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3451         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3452                 family = PF_INET;
3453
3454         AVC_AUDIT_DATA_INIT(&ad, NET);
3455         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3456         ad.u.net.family = family;
3457
3458         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3459         if (err)
3460                 goto out;
3461
3462         if (selinux_compat_net)
3463                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3464                                                   addrp, len);
3465         else
3466                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3467                                    PACKET__RECV, &ad);
3468         if (err)
3469                 goto out;
3470
3471         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3472 out:    
3473         return err;
3474 }
3475
3476 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3477                                             int __user *optlen, unsigned len)
3478 {
3479         int err = 0;
3480         char *scontext;
3481         u32 scontext_len;
3482         struct sk_security_struct *ssec;
3483         struct inode_security_struct *isec;
3484         u32 peer_sid = 0;
3485
3486         isec = SOCK_INODE(sock)->i_security;
3487
3488         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3489         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3490                 ssec = sock->sk->sk_security;
3491                 peer_sid = ssec->peer_sid;
3492         }
3493         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3494                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3495
3496                 if (peer_sid == SECSID_NULL) {
3497                         err = -ENOPROTOOPT;
3498                         goto out;
3499                 }
3500         }
3501         else {
3502                 err = -ENOPROTOOPT;
3503                 goto out;
3504         }
3505
3506         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3507
3508         if (err)
3509                 goto out;
3510
3511         if (scontext_len > len) {
3512                 err = -ERANGE;
3513                 goto out_len;
3514         }
3515
3516         if (copy_to_user(optval, scontext, scontext_len))
3517                 err = -EFAULT;
3518
3519 out_len:
3520         if (put_user(scontext_len, optlen))
3521                 err = -EFAULT;
3522
3523         kfree(scontext);
3524 out:    
3525         return err;
3526 }
3527
3528 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3529 {
3530         u32 peer_secid = SECSID_NULL;
3531         int err = 0;
3532
3533         if (sock && (sock->sk->sk_family == PF_UNIX))
3534                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3535         else if (skb)
3536                 peer_secid = selinux_socket_getpeer_dgram(skb);
3537
3538         if (peer_secid == SECSID_NULL)
3539                 err = -EINVAL;
3540         *secid = peer_secid;
3541
3542         return err;
3543 }
3544
3545 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3546 {
3547         return sk_alloc_security(sk, family, priority);
3548 }
3549
3550 static void selinux_sk_free_security(struct sock *sk)
3551 {
3552         sk_free_security(sk);
3553 }
3554
3555 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3556 {
3557         struct sk_security_struct *ssec = sk->sk_security;
3558         struct sk_security_struct *newssec = newsk->sk_security;
3559
3560         newssec->sid = ssec->sid;
3561         newssec->peer_sid = ssec->peer_sid;
3562 }
3563
3564 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3565 {
3566         if (!sk)
3567                 *secid = SECINITSID_ANY_SOCKET;
3568         else {
3569                 struct sk_security_struct *sksec = sk->sk_security;
3570
3571                 *secid = sksec->sid;
3572         }
3573 }
3574
3575 void selinux_sock_graft(struct sock* sk, struct socket *parent)
3576 {
3577         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
3578         struct sk_security_struct *sksec = sk->sk_security;
3579
3580         isec->sid = sksec->sid;
3581 }
3582
3583 int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3584                                            struct request_sock *req)
3585 {
3586         struct sk_security_struct *sksec = sk->sk_security;
3587         int err;
3588         u32 newsid = 0;
3589         u32 peersid;
3590
3591         err = selinux_xfrm_decode_session(skb, &peersid, 0);
3592         BUG_ON(err);
3593
3594         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3595         if (err)
3596                 return err;
3597
3598         req->secid = newsid;
3599         return 0;
3600 }
3601
3602 void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req)
3603 {
3604         struct sk_security_struct *newsksec = newsk->sk_security;
3605
3606         newsksec->sid = req->secid;
3607         /* NOTE: Ideally, we should also get the isec->sid for the
3608            new socket in sync, but we don't have the isec available yet.
3609            So we will wait until sock_graft to do it, by which
3610            time it will have been created and available. */
3611 }
3612
3613 void selinux_req_classify_flow(const struct request_sock *req, struct flowi *fl)
3614 {
3615         fl->secid = req->secid;
3616 }
3617
3618 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3619 {
3620         int err = 0;
3621         u32 perm;
3622         struct nlmsghdr *nlh;
3623         struct socket *sock = sk->sk_socket;
3624         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3625         
3626         if (skb->len < NLMSG_SPACE(0)) {
3627                 err = -EINVAL;
3628                 goto out;
3629         }
3630         nlh = (struct nlmsghdr *)skb->data;
3631         
3632         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3633         if (err) {
3634                 if (err == -EINVAL) {
3635                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3636                                   "SELinux:  unrecognized netlink message"
3637                                   " type=%hu for sclass=%hu\n",
3638                                   nlh->nlmsg_type, isec->sclass);
3639                         if (!selinux_enforcing)
3640                                 err = 0;
3641                 }
3642
3643                 /* Ignore */
3644                 if (err == -ENOENT)
3645                         err = 0;
3646                 goto out;
3647         }
3648
3649         err = socket_has_perm(current, sock, perm);
3650 out:
3651         return err;
3652 }
3653
3654 #ifdef CONFIG_NETFILTER
3655
3656 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3657                                             struct avc_audit_data *ad,
3658                                             u16 family, char *addrp, int len)
3659 {
3660         int err = 0;
3661         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3662         struct socket *sock;
3663         struct inode *inode;
3664         struct inode_security_struct *isec;
3665
3666         sock = sk->sk_socket;
3667         if (!sock)
3668                 goto out;
3669
3670         inode = SOCK_INODE(sock);
3671         if (!inode)
3672                 goto out;
3673
3674         isec = inode->i_security;
3675         
3676         err = sel_netif_sids(dev, &if_sid, NULL);
3677         if (err)
3678                 goto out;
3679
3680         switch (isec->sclass) {
3681         case SECCLASS_UDP_SOCKET:
3682                 netif_perm = NETIF__UDP_SEND;
3683                 node_perm = NODE__UDP_SEND;
3684                 send_perm = UDP_SOCKET__SEND_MSG;
3685                 break;
3686         
3687         case SECCLASS_TCP_SOCKET:
3688                 netif_perm = NETIF__TCP_SEND;
3689                 node_perm = NODE__TCP_SEND;
3690                 send_perm = TCP_SOCKET__SEND_MSG;
3691                 break;
3692         
3693         default:
3694                 netif_perm = NETIF__RAWIP_SEND;
3695                 node_perm = NODE__RAWIP_SEND;
3696                 break;
3697         }
3698
3699         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3700         if (err)
3701                 goto out;
3702                 
3703         err = security_node_sid(family, addrp, len, &node_sid);
3704         if (err)
3705                 goto out;
3706         
3707         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3708         if (err)
3709                 goto out;
3710
3711         if (send_perm) {
3712                 u32 port_sid;
3713                 
3714                 err = security_port_sid(sk->sk_family,
3715                                         sk->sk_type,
3716                                         sk->sk_protocol,
3717                                         ntohs(ad->u.net.dport),
3718                                         &port_sid);
3719                 if (err)
3720                         goto out;
3721
3722                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3723                                    send_perm, ad);
3724         }
3725 out:
3726         return err;
3727 }
3728
3729 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3730                                               struct sk_buff **pskb,
3731                                               const struct net_device *in,
3732                                               const struct net_device *out,
3733                                               int (*okfn)(struct sk_buff *),
3734                                               u16 family)
3735 {
3736         char *addrp;
3737         int len, err = 0;
3738         struct sock *sk;
3739         struct sk_buff *skb = *pskb;
3740         struct avc_audit_data ad;
3741         struct net_device *dev = (struct net_device *)out;
3742         struct sk_security_struct *sksec;
3743
3744         sk = skb->sk;
3745         if (!sk)
3746                 goto out;
3747
3748         sksec = sk->sk_security;
3749
3750         AVC_AUDIT_DATA_INIT(&ad, NET);
3751         ad.u.net.netif = dev->name;
3752         ad.u.net.family = family;
3753
3754         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3755         if (err)
3756                 goto out;
3757
3758         if (selinux_compat_net)
3759                 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
3760                                                        family, addrp, len);
3761         else
3762                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3763                                    PACKET__SEND, &ad);
3764
3765         if (err)
3766                 goto out;
3767
3768         err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad);
3769 out:
3770         return err ? NF_DROP : NF_ACCEPT;
3771 }
3772
3773 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3774                                                 struct sk_buff **pskb,
3775                                                 const struct net_device *in,
3776                                                 const struct net_device *out,
3777                                                 int (*okfn)(struct sk_buff *))
3778 {
3779         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3780 }
3781
3782 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3783
3784 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3785                                                 struct sk_buff **pskb,
3786                                                 const struct net_device *in,
3787                                                 const struct net_device *out,
3788                                                 int (*okfn)(struct sk_buff *))
3789 {
3790         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3791 }
3792
3793 #endif  /* IPV6 */
3794
3795 #endif  /* CONFIG_NETFILTER */
3796
3797 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3798 {
3799         int err;
3800
3801         err = secondary_ops->netlink_send(sk, skb);
3802         if (err)
3803                 return err;
3804
3805         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3806                 err = selinux_nlmsg_perm(sk, skb);
3807
3808         return err;
3809 }
3810
3811 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3812 {
3813         int err;
3814         struct avc_audit_data ad;
3815
3816         err = secondary_ops->netlink_recv(skb, capability);
3817         if (err)
3818                 return err;
3819
3820         AVC_AUDIT_DATA_INIT(&ad, CAP);
3821         ad.u.cap = capability;
3822
3823         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3824                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3825 }
3826
3827 static int ipc_alloc_security(struct task_struct *task,
3828                               struct kern_ipc_perm *perm,
3829                               u16 sclass)
3830 {
3831         struct task_security_struct *tsec = task->security;
3832         struct ipc_security_struct *isec;
3833
3834         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3835         if (!isec)
3836                 return -ENOMEM;
3837
3838         isec->sclass = sclass;
3839         isec->ipc_perm = perm;
3840         isec->sid = tsec->sid;
3841         perm->security = isec;
3842
3843         return 0;
3844 }
3845
3846 static void ipc_free_security(struct kern_ipc_perm *perm)
3847 {
3848         struct ipc_security_struct *isec = perm->security;
3849         perm->security = NULL;
3850         kfree(isec);
3851 }
3852
3853 static int msg_msg_alloc_security(struct msg_msg *msg)
3854 {
3855         struct msg_security_struct *msec;
3856
3857         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3858         if (!msec)
3859                 return -ENOMEM;
3860
3861         msec->msg = msg;
3862         msec->sid = SECINITSID_UNLABELED;
3863         msg->security = msec;
3864
3865         return 0;
3866 }
3867
3868 static void msg_msg_free_security(struct msg_msg *msg)
3869 {
3870         struct msg_security_struct *msec = msg->security;
3871
3872         msg->security = NULL;
3873         kfree(msec);
3874 }
3875
3876 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3877                         u32 perms)
3878 {
3879         struct task_security_struct *tsec;
3880         struct ipc_security_struct *isec;
3881         struct avc_audit_data ad;
3882
3883         tsec = current->security;
3884         isec = ipc_perms->security;
3885
3886         AVC_AUDIT_DATA_INIT(&ad, IPC);
3887         ad.u.ipc_id = ipc_perms->key;
3888
3889         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3890 }
3891
3892 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3893 {
3894         return msg_msg_alloc_security(msg);
3895 }
3896
3897 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3898 {
3899         msg_msg_free_security(msg);
3900 }
3901
3902 /* message queue security operations */
3903 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3904 {
3905         struct task_security_struct *tsec;
3906         struct ipc_security_struct *isec;
3907         struct avc_audit_data ad;
3908         int rc;
3909
3910         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3911         if (rc)
3912                 return rc;
3913
3914         tsec = current->security;
3915         isec = msq->q_perm.security;
3916
3917         AVC_AUDIT_DATA_INIT(&ad, IPC);
3918         ad.u.ipc_id = msq->q_perm.key;
3919
3920         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3921                           MSGQ__CREATE, &ad);
3922         if (rc) {
3923                 ipc_free_security(&msq->q_perm);
3924                 return rc;
3925         }
3926         return 0;
3927 }
3928
3929 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3930 {
3931         ipc_free_security(&msq->q_perm);
3932 }
3933
3934 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3935 {
3936         struct task_security_struct *tsec;
3937         struct ipc_security_struct *isec;
3938         struct avc_audit_data ad;
3939
3940         tsec = current->security;
3941         isec = msq->q_perm.security;
3942
3943         AVC_AUDIT_DATA_INIT(&ad, IPC);
3944         ad.u.ipc_id = msq->q_perm.key;
3945
3946         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3947                             MSGQ__ASSOCIATE, &ad);
3948 }
3949
3950 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3951 {
3952         int err;
3953         int perms;
3954
3955         switch(cmd) {
3956         case IPC_INFO:
3957         case MSG_INFO:
3958                 /* No specific object, just general system-wide information. */
3959                 return task_has_system(current, SYSTEM__IPC_INFO);
3960         case IPC_STAT:
3961         case MSG_STAT:
3962                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3963                 break;
3964         case IPC_SET:
3965                 perms = MSGQ__SETATTR;
3966                 break;
3967         case IPC_RMID:
3968                 perms = MSGQ__DESTROY;
3969                 break;
3970         default:
3971                 return 0;
3972         }
3973
3974         err = ipc_has_perm(&msq->q_perm, perms);
3975         return err;
3976 }
3977
3978 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3979 {
3980         struct task_security_struct *tsec;
3981         struct ipc_security_struct *isec;
3982         struct msg_security_struct *msec;
3983         struct avc_audit_data ad;
3984         int rc;
3985
3986         tsec = current->security;
3987         isec = msq->q_perm.security;
3988         msec = msg->security;
3989
3990         /*
3991          * First time through, need to assign label to the message
3992          */
3993         if (msec->sid == SECINITSID_UNLABELED) {
3994                 /*
3995                  * Compute new sid based on current process and
3996                  * message queue this message will be stored in
3997                  */
3998                 rc = security_transition_sid(tsec->sid,
3999                                              isec->sid,
4000                                              SECCLASS_MSG,
4001                                              &msec->sid);
4002                 if (rc)
4003                         return rc;
4004         }
4005
4006         AVC_AUDIT_DATA_INIT(&ad, IPC);
4007         ad.u.ipc_id = msq->q_perm.key;
4008
4009         /* Can this process write to the queue? */
4010         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4011                           MSGQ__WRITE, &ad);
4012         if (!rc)
4013                 /* Can this process send the message */
4014                 rc = avc_has_perm(tsec->sid, msec->sid,
4015                                   SECCLASS_MSG, MSG__SEND, &ad);
4016         if (!rc)
4017                 /* Can the message be put in the queue? */
4018                 rc = avc_has_perm(msec->sid, isec->sid,
4019                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4020
4021         return rc;
4022 }
4023
4024 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4025                                     struct task_struct *target,
4026                                     long type, int mode)
4027 {
4028         struct task_security_struct *tsec;
4029         struct ipc_security_struct *isec;
4030         struct msg_security_struct *msec;
4031         struct avc_audit_data ad;
4032         int rc;
4033
4034         tsec = target->security;
4035         isec = msq->q_perm.security;
4036         msec = msg->security;
4037
4038         AVC_AUDIT_DATA_INIT(&ad, IPC);
4039         ad.u.ipc_id = msq->q_perm.key;
4040
4041         rc = avc_has_perm(tsec->sid, isec->sid,
4042                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4043         if (!rc)
4044                 rc = avc_has_perm(tsec->sid, msec->sid,
4045                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4046         return rc;
4047 }
4048
4049 /* Shared Memory security operations */
4050 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4051 {
4052         struct task_security_struct *tsec;
4053         struct ipc_security_struct *isec;
4054         struct avc_audit_data ad;
4055         int rc;
4056
4057         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4058         if (rc)
4059                 return rc;
4060
4061         tsec = current->security;
4062         isec = shp->shm_perm.security;
4063
4064         AVC_AUDIT_DATA_INIT(&ad, IPC);
4065         ad.u.ipc_id = shp->shm_perm.key;
4066
4067         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4068                           SHM__CREATE, &ad);
4069         if (rc) {
4070                 ipc_free_security(&shp->shm_perm);
4071                 return rc;
4072         }
4073         return 0;
4074 }
4075
4076 static void selinux_shm_free_security(struct shmid_kernel *shp)
4077 {
4078         ipc_free_security(&shp->shm_perm);
4079 }
4080
4081 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4082 {
4083         struct task_security_struct *tsec;
4084         struct ipc_security_struct *isec;
4085         struct avc_audit_data ad;
4086
4087         tsec = current->security;
4088         isec = shp->shm_perm.security;
4089
4090         AVC_AUDIT_DATA_INIT(&ad, IPC);
4091         ad.u.ipc_id = shp->shm_perm.key;
4092
4093         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4094                             SHM__ASSOCIATE, &ad);
4095 }
4096
4097 /* Note, at this point, shp is locked down */
4098 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4099 {
4100         int perms;
4101         int err;
4102
4103         switch(cmd) {
4104         case IPC_INFO:
4105         case SHM_INFO:
4106                 /* No specific object, just general system-wide information. */
4107                 return task_has_system(current, SYSTEM__IPC_INFO);
4108         case IPC_STAT:
4109         case SHM_STAT:
4110                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4111                 break;
4112         case IPC_SET:
4113                 perms = SHM__SETATTR;
4114                 break;
4115         case SHM_LOCK:
4116         case SHM_UNLOCK:
4117                 perms = SHM__LOCK;
4118                 break;
4119         case IPC_RMID:
4120                 perms = SHM__DESTROY;
4121                 break;
4122         default:
4123                 return 0;
4124         }
4125
4126         err = ipc_has_perm(&shp->shm_perm, perms);
4127         return err;
4128 }
4129
4130 static int selinux_shm_shmat(struct shmid_kernel *shp,
4131                              char __user *shmaddr, int shmflg)
4132 {
4133         u32 perms;
4134         int rc;
4135
4136         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4137         if (rc)
4138                 return rc;
4139
4140         if (shmflg & SHM_RDONLY)
4141                 perms = SHM__READ;
4142         else
4143                 perms = SHM__READ | SHM__WRITE;
4144
4145         return ipc_has_perm(&shp->shm_perm, perms);
4146 }
4147
4148 /* Semaphore security operations */
4149 static int selinux_sem_alloc_security(struct sem_array *sma)
4150 {
4151         struct task_security_struct *tsec;
4152         struct ipc_security_struct *isec;
4153         struct avc_audit_data ad;
4154         int rc;
4155
4156         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4157         if (rc)
4158                 return rc;
4159
4160         tsec = current->security;
4161         isec = sma->sem_perm.security;
4162
4163         AVC_AUDIT_DATA_INIT(&ad, IPC);
4164         ad.u.ipc_id = sma->sem_perm.key;
4165
4166         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4167                           SEM__CREATE, &ad);
4168         if (rc) {
4169                 ipc_free_security(&sma->sem_perm);
4170                 return rc;
4171         }
4172         return 0;
4173 }
4174
4175 static void selinux_sem_free_security(struct sem_array *sma)
4176 {
4177         ipc_free_security(&sma->sem_perm);
4178 }
4179
4180 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4181 {
4182         struct task_security_struct *tsec;
4183         struct ipc_security_struct *isec;
4184         struct avc_audit_data ad;
4185
4186         tsec = current->security;
4187         isec = sma->sem_perm.security;
4188
4189         AVC_AUDIT_DATA_INIT(&ad, IPC);
4190         ad.u.ipc_id = sma->sem_perm.key;
4191
4192         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4193                             SEM__ASSOCIATE, &ad);
4194 }
4195
4196 /* Note, at this point, sma is locked down */
4197 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4198 {
4199         int err;
4200         u32 perms;
4201
4202         switch(cmd) {
4203         case IPC_INFO:
4204         case SEM_INFO:
4205                 /* No specific object, just general system-wide information. */
4206                 return task_has_system(current, SYSTEM__IPC_INFO);
4207         case GETPID:
4208         case GETNCNT:
4209         case GETZCNT:
4210                 perms = SEM__GETATTR;
4211                 break;
4212         case GETVAL:
4213         case GETALL:
4214                 perms = SEM__READ;
4215                 break;
4216         case SETVAL:
4217         case SETALL:
4218                 perms = SEM__WRITE;
4219                 break;
4220         case IPC_RMID:
4221                 perms = SEM__DESTROY;
4222                 break;
4223         case IPC_SET:
4224                 perms = SEM__SETATTR;
4225                 break;
4226         case IPC_STAT:
4227         case SEM_STAT:
4228                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4229                 break;
4230         default:
4231                 return 0;
4232         }
4233
4234         err = ipc_has_perm(&sma->sem_perm, perms);
4235         return err;
4236 }
4237
4238 static int selinux_sem_semop(struct sem_array *sma,
4239                              struct sembuf *sops, unsigned nsops, int alter)
4240 {
4241         u32 perms;
4242
4243         if (alter)
4244                 perms = SEM__READ | SEM__WRITE;
4245         else
4246                 perms = SEM__READ;
4247
4248         return ipc_has_perm(&sma->sem_perm, perms);
4249 }
4250
4251 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4252 {
4253         u32 av = 0;
4254
4255         av = 0;
4256         if (flag & S_IRUGO)
4257                 av |= IPC__UNIX_READ;
4258         if (flag & S_IWUGO)
4259                 av |= IPC__UNIX_WRITE;
4260
4261         if (av == 0)
4262                 return 0;
4263
4264         return ipc_has_perm(ipcp, av);
4265 }
4266
4267 /* module stacking operations */
4268 static int selinux_register_security (const char *name, struct security_operations *ops)
4269 {
4270         if (secondary_ops != original_ops) {
4271                 printk(KERN_INFO "%s:  There is already a secondary security "
4272                        "module registered.\n", __FUNCTION__);
4273                 return -EINVAL;
4274         }
4275
4276         secondary_ops = ops;
4277
4278         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4279                __FUNCTION__,
4280                name);
4281
4282         return 0;
4283 }
4284
4285 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4286 {
4287         if (ops != secondary_ops) {
4288                 printk (KERN_INFO "%s:  trying to unregister a security module "
4289                         "that is not registered.\n", __FUNCTION__);
4290                 return -EINVAL;
4291         }
4292
4293         secondary_ops = original_ops;
4294
4295         return 0;
4296 }
4297
4298 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4299 {
4300         if (inode)
4301                 inode_doinit_with_dentry(inode, dentry);
4302 }
4303
4304 static int selinux_getprocattr(struct task_struct *p,
4305                                char *name, void *value, size_t size)
4306 {
4307         struct task_security_struct *tsec;
4308         u32 sid;
4309         int error;
4310
4311         if (current != p) {
4312                 error = task_has_perm(current, p, PROCESS__GETATTR);
4313                 if (error)
4314                         return error;
4315         }
4316
4317         tsec = p->security;
4318
4319         if (!strcmp(name, "current"))
4320                 sid = tsec->sid;
4321         else if (!strcmp(name, "prev"))
4322                 sid = tsec->osid;
4323         else if (!strcmp(name, "exec"))
4324                 sid = tsec->exec_sid;
4325         else if (!strcmp(name, "fscreate"))
4326                 sid = tsec->create_sid;
4327         else if (!strcmp(name, "keycreate"))
4328                 sid = tsec->keycreate_sid;
4329         else if (!strcmp(name, "sockcreate"))
4330                 sid = tsec->sockcreate_sid;
4331         else
4332                 return -EINVAL;
4333
4334         if (!sid)
4335                 return 0;
4336
4337         return selinux_getsecurity(sid, value, size);
4338 }
4339
4340 static int selinux_setprocattr(struct task_struct *p,
4341                                char *name, void *value, size_t size)
4342 {
4343         struct task_security_struct *tsec;
4344         u32 sid = 0;
4345         int error;
4346         char *str = value;
4347
4348         if (current != p) {
4349                 /* SELinux only allows a process to change its own
4350                    security attributes. */
4351                 return -EACCES;
4352         }
4353
4354         /*
4355          * Basic control over ability to set these attributes at all.
4356          * current == p, but we'll pass them separately in case the
4357          * above restriction is ever removed.
4358          */
4359         if (!strcmp(name, "exec"))
4360                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4361         else if (!strcmp(name, "fscreate"))
4362                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4363         else if (!strcmp(name, "keycreate"))
4364                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4365         else if (!strcmp(name, "sockcreate"))
4366                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4367         else if (!strcmp(name, "current"))
4368                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4369         else
4370                 error = -EINVAL;
4371         if (error)
4372                 return error;
4373
4374         /* Obtain a SID for the context, if one was specified. */
4375         if (size && str[1] && str[1] != '\n') {
4376                 if (str[size-1] == '\n') {
4377                         str[size-1] = 0;
4378                         size--;
4379                 }
4380                 error = security_context_to_sid(value, size, &sid);
4381                 if (error)
4382                         return error;
4383         }
4384
4385         /* Permission checking based on the specified context is
4386            performed during the actual operation (execve,
4387            open/mkdir/...), when we know the full context of the
4388            operation.  See selinux_bprm_set_security for the execve
4389            checks and may_create for the file creation checks. The
4390            operation will then fail if the context is not permitted. */
4391         tsec = p->security;
4392         if (!strcmp(name, "exec"))
4393                 tsec->exec_sid = sid;
4394         else if (!strcmp(name, "fscreate"))
4395                 tsec->create_sid = sid;
4396         else if (!strcmp(name, "keycreate")) {
4397                 error = may_create_key(sid, p);
4398                 if (error)
4399                         return error;
4400                 tsec->keycreate_sid = sid;
4401         } else if (!strcmp(name, "sockcreate"))
4402                 tsec->sockcreate_sid = sid;
4403         else if (!strcmp(name, "current")) {
4404                 struct av_decision avd;
4405
4406                 if (sid == 0)
4407                         return -EINVAL;
4408
4409                 /* Only allow single threaded processes to change context */
4410                 if (atomic_read(&p->mm->mm_users) != 1) {
4411                         struct task_struct *g, *t;
4412                         struct mm_struct *mm = p->mm;
4413                         read_lock(&tasklist_lock);
4414                         do_each_thread(g, t)
4415                                 if (t->mm == mm && t != p) {
4416                                         read_unlock(&tasklist_lock);
4417                                         return -EPERM;
4418                                 }
4419                         while_each_thread(g, t);
4420                         read_unlock(&tasklist_lock);
4421                 }
4422
4423                 /* Check permissions for the transition. */
4424                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4425                                      PROCESS__DYNTRANSITION, NULL);
4426                 if (error)
4427                         return error;
4428
4429                 /* Check for ptracing, and update the task SID if ok.
4430                    Otherwise, leave SID unchanged and fail. */
4431                 task_lock(p);
4432                 if (p->ptrace & PT_PTRACED) {
4433                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4434                                                      SECCLASS_PROCESS,
4435                                                      PROCESS__PTRACE, &avd);
4436                         if (!error)
4437                                 tsec->sid = sid;
4438                         task_unlock(p);
4439                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4440                                   PROCESS__PTRACE, &avd, error, NULL);
4441                         if (error)
4442                                 return error;
4443                 } else {
4444                         tsec->sid = sid;
4445                         task_unlock(p);
4446                 }
4447         }
4448         else
4449                 return -EINVAL;
4450
4451         return size;
4452 }
4453
4454 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4455 {
4456         return security_sid_to_context(secid, secdata, seclen);
4457 }
4458
4459 static void selinux_release_secctx(char *secdata, u32 seclen)
4460 {
4461         if (secdata)
4462                 kfree(secdata);
4463 }
4464
4465 #ifdef CONFIG_KEYS
4466
4467 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4468                              unsigned long flags)
4469 {
4470         struct task_security_struct *tsec = tsk->security;
4471         struct key_security_struct *ksec;
4472
4473         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4474         if (!ksec)
4475                 return -ENOMEM;
4476
4477         ksec->obj = k;
4478         if (tsec->keycreate_sid)
4479                 ksec->sid = tsec->keycreate_sid;
4480         else
4481                 ksec->sid = tsec->sid;
4482         k->security = ksec;
4483
4484         return 0;
4485 }
4486
4487 static void selinux_key_free(struct key *k)
4488 {
4489         struct key_security_struct *ksec = k->security;
4490
4491         k->security = NULL;
4492         kfree(ksec);
4493 }
4494
4495 static int selinux_key_permission(key_ref_t key_ref,
4496                             struct task_struct *ctx,
4497                             key_perm_t perm)
4498 {
4499         struct key *key;
4500         struct task_security_struct *tsec;
4501         struct key_security_struct *ksec;
4502
4503         key = key_ref_to_ptr(key_ref);
4504
4505         tsec = ctx->security;
4506         ksec = key->security;
4507
4508         /* if no specific permissions are requested, we skip the
4509            permission check. No serious, additional covert channels
4510            appear to be created. */
4511         if (perm == 0)
4512                 return 0;
4513
4514         return avc_has_perm(tsec->sid, ksec->sid,
4515                             SECCLASS_KEY, perm, NULL);
4516 }
4517
4518 #endif
4519
4520 static struct security_operations selinux_ops = {
4521         .ptrace =                       selinux_ptrace,
4522         .capget =                       selinux_capget,
4523         .capset_check =                 selinux_capset_check,
4524         .capset_set =                   selinux_capset_set,
4525         .sysctl =                       selinux_sysctl,
4526         .capable =                      selinux_capable,
4527         .quotactl =                     selinux_quotactl,
4528         .quota_on =                     selinux_quota_on,
4529         .syslog =                       selinux_syslog,
4530         .vm_enough_memory =             selinux_vm_enough_memory,
4531
4532         .netlink_send =                 selinux_netlink_send,
4533         .netlink_recv =                 selinux_netlink_recv,
4534
4535         .bprm_alloc_security =          selinux_bprm_alloc_security,
4536         .bprm_free_security =           selinux_bprm_free_security,
4537         .bprm_apply_creds =             selinux_bprm_apply_creds,
4538         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4539         .bprm_set_security =            selinux_bprm_set_security,
4540         .bprm_check_security =          selinux_bprm_check_security,
4541         .bprm_secureexec =              selinux_bprm_secureexec,
4542
4543         .sb_alloc_security =            selinux_sb_alloc_security,
4544         .sb_free_security =             selinux_sb_free_security,
4545         .sb_copy_data =                 selinux_sb_copy_data,
4546         .sb_kern_mount =                selinux_sb_kern_mount,
4547         .sb_statfs =                    selinux_sb_statfs,
4548         .sb_mount =                     selinux_mount,
4549         .sb_umount =                    selinux_umount,
4550
4551         .inode_alloc_security =         selinux_inode_alloc_security,
4552         .inode_free_security =          selinux_inode_free_security,
4553         .inode_init_security =          selinux_inode_init_security,
4554         .inode_create =                 selinux_inode_create,
4555         .inode_link =                   selinux_inode_link,
4556         .inode_unlink =                 selinux_inode_unlink,
4557         .inode_symlink =                selinux_inode_symlink,
4558         .inode_mkdir =                  selinux_inode_mkdir,
4559         .inode_rmdir =                  selinux_inode_rmdir,
4560         .inode_mknod =                  selinux_inode_mknod,
4561         .inode_rename =                 selinux_inode_rename,
4562         .inode_readlink =               selinux_inode_readlink,
4563         .inode_follow_link =            selinux_inode_follow_link,
4564         .inode_permission =             selinux_inode_permission,
4565         .inode_setattr =                selinux_inode_setattr,
4566         .inode_getattr =                selinux_inode_getattr,
4567         .inode_setxattr =               selinux_inode_setxattr,
4568         .inode_post_setxattr =          selinux_inode_post_setxattr,
4569         .inode_getxattr =               selinux_inode_getxattr,
4570         .inode_listxattr =              selinux_inode_listxattr,
4571         .inode_removexattr =            selinux_inode_removexattr,
4572         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4573         .inode_getsecurity =            selinux_inode_getsecurity,
4574         .inode_setsecurity =            selinux_inode_setsecurity,
4575         .inode_listsecurity =           selinux_inode_listsecurity,
4576
4577         .file_permission =              selinux_file_permission,
4578         .file_alloc_security =          selinux_file_alloc_security,
4579         .file_free_security =           selinux_file_free_security,
4580         .file_ioctl =                   selinux_file_ioctl,
4581         .file_mmap =                    selinux_file_mmap,
4582         .file_mprotect =                selinux_file_mprotect,
4583         .file_lock =                    selinux_file_lock,
4584         .file_fcntl =                   selinux_file_fcntl,
4585         .file_set_fowner =              selinux_file_set_fowner,
4586         .file_send_sigiotask =          selinux_file_send_sigiotask,
4587         .file_receive =                 selinux_file_receive,
4588
4589         .task_create =                  selinux_task_create,
4590         .task_alloc_security =          selinux_task_alloc_security,
4591         .task_free_security =           selinux_task_free_security,
4592         .task_setuid =                  selinux_task_setuid,
4593         .task_post_setuid =             selinux_task_post_setuid,
4594         .task_setgid =                  selinux_task_setgid,
4595         .task_setpgid =                 selinux_task_setpgid,
4596         .task_getpgid =                 selinux_task_getpgid,
4597         .task_getsid =                  selinux_task_getsid,
4598         .task_getsecid =                selinux_task_getsecid,
4599         .task_setgroups =               selinux_task_setgroups,
4600         .task_setnice =                 selinux_task_setnice,
4601         .task_setioprio =               selinux_task_setioprio,
4602         .task_getioprio =               selinux_task_getioprio,
4603         .task_setrlimit =               selinux_task_setrlimit,
4604         .task_setscheduler =            selinux_task_setscheduler,
4605         .task_getscheduler =            selinux_task_getscheduler,
4606         .task_movememory =              selinux_task_movememory,
4607         .task_kill =                    selinux_task_kill,
4608         .task_wait =                    selinux_task_wait,
4609         .task_prctl =                   selinux_task_prctl,
4610         .task_reparent_to_init =        selinux_task_reparent_to_init,
4611         .task_to_inode =                selinux_task_to_inode,
4612
4613         .ipc_permission =               selinux_ipc_permission,
4614
4615         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4616         .msg_msg_free_security =        selinux_msg_msg_free_security,
4617
4618         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4619         .msg_queue_free_security =      selinux_msg_queue_free_security,
4620         .msg_queue_associate =          selinux_msg_queue_associate,
4621         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4622         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4623         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4624
4625         .shm_alloc_security =           selinux_shm_alloc_security,
4626         .shm_free_security =            selinux_shm_free_security,
4627         .shm_associate =                selinux_shm_associate,
4628         .shm_shmctl =                   selinux_shm_shmctl,
4629         .shm_shmat =                    selinux_shm_shmat,
4630
4631         .sem_alloc_security =           selinux_sem_alloc_security,
4632         .sem_free_security =            selinux_sem_free_security,
4633         .sem_associate =                selinux_sem_associate,
4634         .sem_semctl =                   selinux_sem_semctl,
4635         .sem_semop =                    selinux_sem_semop,
4636
4637         .register_security =            selinux_register_security,
4638         .unregister_security =          selinux_unregister_security,
4639
4640         .d_instantiate =                selinux_d_instantiate,
4641
4642         .getprocattr =                  selinux_getprocattr,
4643         .setprocattr =                  selinux_setprocattr,
4644
4645         .secid_to_secctx =              selinux_secid_to_secctx,
4646         .release_secctx =               selinux_release_secctx,
4647
4648         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4649         .unix_may_send =                selinux_socket_unix_may_send,
4650
4651         .socket_create =                selinux_socket_create,
4652         .socket_post_create =           selinux_socket_post_create,
4653         .socket_bind =                  selinux_socket_bind,
4654         .socket_connect =               selinux_socket_connect,
4655         .socket_listen =                selinux_socket_listen,
4656         .socket_accept =                selinux_socket_accept,
4657         .socket_sendmsg =               selinux_socket_sendmsg,
4658         .socket_recvmsg =               selinux_socket_recvmsg,
4659         .socket_getsockname =           selinux_socket_getsockname,
4660         .socket_getpeername =           selinux_socket_getpeername,
4661         .socket_getsockopt =            selinux_socket_getsockopt,
4662         .socket_setsockopt =            selinux_socket_setsockopt,
4663         .socket_shutdown =              selinux_socket_shutdown,
4664         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4665         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4666         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4667         .sk_alloc_security =            selinux_sk_alloc_security,
4668         .sk_free_security =             selinux_sk_free_security,
4669         .sk_clone_security =            selinux_sk_clone_security,
4670         .sk_getsecid =                  selinux_sk_getsecid,
4671         .sock_graft =                   selinux_sock_graft,
4672         .inet_conn_request =            selinux_inet_conn_request,
4673         .inet_csk_clone =               selinux_inet_csk_clone,
4674         .req_classify_flow =            selinux_req_classify_flow,
4675
4676 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4677         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4678         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4679         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4680         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4681         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4682         .xfrm_state_free_security =     selinux_xfrm_state_free,
4683         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4684         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4685         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
4686         .xfrm_flow_state_match =        selinux_xfrm_flow_state_match,
4687         .xfrm_decode_session =          selinux_xfrm_decode_session,
4688 #endif
4689
4690 #ifdef CONFIG_KEYS
4691         .key_alloc =                    selinux_key_alloc,
4692         .key_free =                     selinux_key_free,
4693         .key_permission =               selinux_key_permission,
4694 #endif
4695 };
4696
4697 static __init int selinux_init(void)
4698 {
4699         struct task_security_struct *tsec;
4700
4701         if (!selinux_enabled) {
4702                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4703                 return 0;
4704         }
4705
4706         printk(KERN_INFO "SELinux:  Initializing.\n");
4707
4708         /* Set the security state for the initial task. */
4709         if (task_alloc_security(current))
4710                 panic("SELinux:  Failed to initialize initial task.\n");
4711         tsec = current->security;
4712         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4713
4714         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4715                                             sizeof(struct inode_security_struct),
4716                                             0, SLAB_PANIC, NULL, NULL);
4717         avc_init();
4718
4719         original_ops = secondary_ops = security_ops;
4720         if (!secondary_ops)
4721                 panic ("SELinux: No initial security operations\n");
4722         if (register_security (&selinux_ops))
4723                 panic("SELinux: Unable to register with kernel.\n");
4724
4725         if (selinux_enforcing) {
4726                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4727         } else {
4728                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4729         }
4730
4731 #ifdef CONFIG_KEYS
4732         /* Add security information to initial keyrings */
4733         selinux_key_alloc(&root_user_keyring, current,
4734                           KEY_ALLOC_NOT_IN_QUOTA);
4735         selinux_key_alloc(&root_session_keyring, current,
4736                           KEY_ALLOC_NOT_IN_QUOTA);
4737 #endif
4738
4739         return 0;
4740 }
4741
4742 void selinux_complete_init(void)
4743 {
4744         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4745
4746         /* Set up any superblocks initialized prior to the policy load. */
4747         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4748         spin_lock(&sb_lock);
4749         spin_lock(&sb_security_lock);
4750 next_sb:
4751         if (!list_empty(&superblock_security_head)) {
4752                 struct superblock_security_struct *sbsec =
4753                                 list_entry(superblock_security_head.next,
4754                                            struct superblock_security_struct,
4755                                            list);
4756                 struct super_block *sb = sbsec->sb;
4757                 sb->s_count++;
4758                 spin_unlock(&sb_security_lock);
4759                 spin_unlock(&sb_lock);
4760                 down_read(&sb->s_umount);
4761                 if (sb->s_root)
4762                         superblock_doinit(sb, NULL);
4763                 drop_super(sb);
4764                 spin_lock(&sb_lock);
4765                 spin_lock(&sb_security_lock);
4766                 list_del_init(&sbsec->list);
4767                 goto next_sb;
4768         }
4769         spin_unlock(&sb_security_lock);
4770         spin_unlock(&sb_lock);
4771 }
4772
4773 /* SELinux requires early initialization in order to label
4774    all processes and objects when they are created. */
4775 security_initcall(selinux_init);
4776
4777 #if defined(CONFIG_NETFILTER)
4778
4779 static struct nf_hook_ops selinux_ipv4_op = {
4780         .hook =         selinux_ipv4_postroute_last,
4781         .owner =        THIS_MODULE,
4782         .pf =           PF_INET,
4783         .hooknum =      NF_IP_POST_ROUTING,
4784         .priority =     NF_IP_PRI_SELINUX_LAST,
4785 };
4786
4787 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4788
4789 static struct nf_hook_ops selinux_ipv6_op = {
4790         .hook =         selinux_ipv6_postroute_last,
4791         .owner =        THIS_MODULE,
4792         .pf =           PF_INET6,
4793         .hooknum =      NF_IP6_POST_ROUTING,
4794         .priority =     NF_IP6_PRI_SELINUX_LAST,
4795 };
4796
4797 #endif  /* IPV6 */
4798
4799 static int __init selinux_nf_ip_init(void)
4800 {
4801         int err = 0;
4802
4803         if (!selinux_enabled)
4804                 goto out;
4805                 
4806         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4807         
4808         err = nf_register_hook(&selinux_ipv4_op);
4809         if (err)
4810                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4811
4812 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4813
4814         err = nf_register_hook(&selinux_ipv6_op);
4815         if (err)
4816                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4817
4818 #endif  /* IPV6 */
4819
4820 out:
4821         return err;
4822 }
4823
4824 __initcall(selinux_nf_ip_init);
4825
4826 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4827 static void selinux_nf_ip_exit(void)
4828 {
4829         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4830
4831         nf_unregister_hook(&selinux_ipv4_op);
4832 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4833         nf_unregister_hook(&selinux_ipv6_op);
4834 #endif  /* IPV6 */
4835 }
4836 #endif
4837
4838 #else /* CONFIG_NETFILTER */
4839
4840 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4841 #define selinux_nf_ip_exit()
4842 #endif
4843
4844 #endif /* CONFIG_NETFILTER */
4845
4846 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4847 int selinux_disable(void)
4848 {
4849         extern void exit_sel_fs(void);
4850         static int selinux_disabled = 0;
4851
4852         if (ss_initialized) {
4853                 /* Not permitted after initial policy load. */
4854                 return -EINVAL;
4855         }
4856
4857         if (selinux_disabled) {
4858                 /* Only do this once. */
4859                 return -EINVAL;
4860         }
4861
4862         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4863
4864         selinux_disabled = 1;
4865         selinux_enabled = 0;
4866
4867         /* Reset security_ops to the secondary module, dummy or capability. */
4868         security_ops = secondary_ops;
4869
4870         /* Unregister netfilter hooks. */
4871         selinux_nf_ip_exit();
4872
4873         /* Unregister selinuxfs. */
4874         exit_sel_fs();
4875
4876         return 0;
4877 }
4878 #endif
4879
4880