[PATCH] tmpfs: Enable atomic inode security labeling
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         memset(tsec, 0, sizeof(struct task_security_struct));
130         tsec->magic = SELINUX_MAGIC;
131         tsec->task = task;
132         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133         task->security = tsec;
134
135         return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140         struct task_security_struct *tsec = task->security;
141
142         if (!tsec || tsec->magic != SELINUX_MAGIC)
143                 return;
144
145         task->security = NULL;
146         kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151         struct task_security_struct *tsec = current->security;
152         struct inode_security_struct *isec;
153
154         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155         if (!isec)
156                 return -ENOMEM;
157
158         memset(isec, 0, sizeof(struct inode_security_struct));
159         init_MUTEX(&isec->sem);
160         INIT_LIST_HEAD(&isec->list);
161         isec->magic = SELINUX_MAGIC;
162         isec->inode = inode;
163         isec->sid = SECINITSID_UNLABELED;
164         isec->sclass = SECCLASS_FILE;
165         if (tsec && tsec->magic == SELINUX_MAGIC)
166                 isec->task_sid = tsec->sid;
167         else
168                 isec->task_sid = SECINITSID_UNLABELED;
169         inode->i_security = isec;
170
171         return 0;
172 }
173
174 static void inode_free_security(struct inode *inode)
175 {
176         struct inode_security_struct *isec = inode->i_security;
177         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
178
179         if (!isec || isec->magic != SELINUX_MAGIC)
180                 return;
181
182         spin_lock(&sbsec->isec_lock);
183         if (!list_empty(&isec->list))
184                 list_del_init(&isec->list);
185         spin_unlock(&sbsec->isec_lock);
186
187         inode->i_security = NULL;
188         kfree(isec);
189 }
190
191 static int file_alloc_security(struct file *file)
192 {
193         struct task_security_struct *tsec = current->security;
194         struct file_security_struct *fsec;
195
196         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
197         if (!fsec)
198                 return -ENOMEM;
199
200         memset(fsec, 0, sizeof(struct file_security_struct));
201         fsec->magic = SELINUX_MAGIC;
202         fsec->file = file;
203         if (tsec && tsec->magic == SELINUX_MAGIC) {
204                 fsec->sid = tsec->sid;
205                 fsec->fown_sid = tsec->sid;
206         } else {
207                 fsec->sid = SECINITSID_UNLABELED;
208                 fsec->fown_sid = SECINITSID_UNLABELED;
209         }
210         file->f_security = fsec;
211
212         return 0;
213 }
214
215 static void file_free_security(struct file *file)
216 {
217         struct file_security_struct *fsec = file->f_security;
218
219         if (!fsec || fsec->magic != SELINUX_MAGIC)
220                 return;
221
222         file->f_security = NULL;
223         kfree(fsec);
224 }
225
226 static int superblock_alloc_security(struct super_block *sb)
227 {
228         struct superblock_security_struct *sbsec;
229
230         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
231         if (!sbsec)
232                 return -ENOMEM;
233
234         memset(sbsec, 0, sizeof(struct superblock_security_struct));
235         init_MUTEX(&sbsec->sem);
236         INIT_LIST_HEAD(&sbsec->list);
237         INIT_LIST_HEAD(&sbsec->isec_head);
238         spin_lock_init(&sbsec->isec_lock);
239         sbsec->magic = SELINUX_MAGIC;
240         sbsec->sb = sb;
241         sbsec->sid = SECINITSID_UNLABELED;
242         sbsec->def_sid = SECINITSID_FILE;
243         sb->s_security = sbsec;
244
245         return 0;
246 }
247
248 static void superblock_free_security(struct super_block *sb)
249 {
250         struct superblock_security_struct *sbsec = sb->s_security;
251
252         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
253                 return;
254
255         spin_lock(&sb_security_lock);
256         if (!list_empty(&sbsec->list))
257                 list_del_init(&sbsec->list);
258         spin_unlock(&sb_security_lock);
259
260         sb->s_security = NULL;
261         kfree(sbsec);
262 }
263
264 #ifdef CONFIG_SECURITY_NETWORK
265 static int sk_alloc_security(struct sock *sk, int family, int priority)
266 {
267         struct sk_security_struct *ssec;
268
269         if (family != PF_UNIX)
270                 return 0;
271
272         ssec = kmalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         memset(ssec, 0, sizeof(*ssec));
277         ssec->magic = SELINUX_MAGIC;
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
290                 return;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295 #endif  /* CONFIG_SECURITY_NETWORK */
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335         char *context = NULL, *defcontext = NULL;
336         const char *name;
337         u32 sid;
338         int alloc = 0, rc = 0, seen = 0;
339         struct task_security_struct *tsec = current->security;
340         struct superblock_security_struct *sbsec = sb->s_security;
341
342         if (!data)
343                 goto out;
344
345         name = sb->s_type->name;
346
347         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349                 /* NFS we understand. */
350                 if (!strcmp(name, "nfs")) {
351                         struct nfs_mount_data *d = data;
352
353                         if (d->version <  NFS_MOUNT_VERSION)
354                                 goto out;
355
356                         if (d->context[0]) {
357                                 context = d->context;
358                                 seen |= Opt_context;
359                         }
360                 } else
361                         goto out;
362
363         } else {
364                 /* Standard string-based options. */
365                 char *p, *options = data;
366
367                 while ((p = strsep(&options, ",")) != NULL) {
368                         int token;
369                         substring_t args[MAX_OPT_ARGS];
370
371                         if (!*p)
372                                 continue;
373
374                         token = match_token(p, tokens, args);
375
376                         switch (token) {
377                         case Opt_context:
378                                 if (seen) {
379                                         rc = -EINVAL;
380                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381                                         goto out_free;
382                                 }
383                                 context = match_strdup(&args[0]);
384                                 if (!context) {
385                                         rc = -ENOMEM;
386                                         goto out_free;
387                                 }
388                                 if (!alloc)
389                                         alloc = 1;
390                                 seen |= Opt_context;
391                                 break;
392
393                         case Opt_fscontext:
394                                 if (seen & (Opt_context|Opt_fscontext)) {
395                                         rc = -EINVAL;
396                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397                                         goto out_free;
398                                 }
399                                 context = match_strdup(&args[0]);
400                                 if (!context) {
401                                         rc = -ENOMEM;
402                                         goto out_free;
403                                 }
404                                 if (!alloc)
405                                         alloc = 1;
406                                 seen |= Opt_fscontext;
407                                 break;
408
409                         case Opt_defcontext:
410                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING "SELinux:  "
413                                                "defcontext option is invalid "
414                                                "for this filesystem type\n");
415                                         goto out_free;
416                                 }
417                                 if (seen & (Opt_context|Opt_defcontext)) {
418                                         rc = -EINVAL;
419                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420                                         goto out_free;
421                                 }
422                                 defcontext = match_strdup(&args[0]);
423                                 if (!defcontext) {
424                                         rc = -ENOMEM;
425                                         goto out_free;
426                                 }
427                                 if (!alloc)
428                                         alloc = 1;
429                                 seen |= Opt_defcontext;
430                                 break;
431
432                         default:
433                                 rc = -EINVAL;
434                                 printk(KERN_WARNING "SELinux:  unknown mount "
435                                        "option\n");
436                                 goto out_free;
437
438                         }
439                 }
440         }
441
442         if (!seen)
443                 goto out;
444
445         if (context) {
446                 rc = security_context_to_sid(context, strlen(context), &sid);
447                 if (rc) {
448                         printk(KERN_WARNING "SELinux: security_context_to_sid"
449                                "(%s) failed for (dev %s, type %s) errno=%d\n",
450                                context, sb->s_id, name, rc);
451                         goto out_free;
452                 }
453
454                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELFROM, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460                                   FILESYSTEM__RELABELTO, NULL);
461                 if (rc)
462                         goto out_free;
463
464                 sbsec->sid = sid;
465
466                 if (seen & Opt_context)
467                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468         }
469
470         if (defcontext) {
471                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472                 if (rc) {
473                         printk(KERN_WARNING "SELinux: security_context_to_sid"
474                                "(%s) failed for (dev %s, type %s) errno=%d\n",
475                                defcontext, sb->s_id, name, rc);
476                         goto out_free;
477                 }
478
479                 if (sid == sbsec->def_sid)
480                         goto out_free;
481
482                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__RELABELFROM, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488                                   FILESYSTEM__ASSOCIATE, NULL);
489                 if (rc)
490                         goto out_free;
491
492                 sbsec->def_sid = sid;
493         }
494
495 out_free:
496         if (alloc) {
497                 kfree(context);
498                 kfree(defcontext);
499         }
500 out:
501         return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506         struct superblock_security_struct *sbsec = sb->s_security;
507         struct dentry *root = sb->s_root;
508         struct inode *inode = root->d_inode;
509         int rc = 0;
510
511         down(&sbsec->sem);
512         if (sbsec->initialized)
513                 goto out;
514
515         if (!ss_initialized) {
516                 /* Defer initialization until selinux_complete_init,
517                    after the initial policy is loaded and the security
518                    server is ready to handle calls. */
519                 spin_lock(&sb_security_lock);
520                 if (list_empty(&sbsec->list))
521                         list_add(&sbsec->list, &superblock_security_head);
522                 spin_unlock(&sb_security_lock);
523                 goto out;
524         }
525
526         /* Determine the labeling behavior to use for this filesystem type. */
527         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528         if (rc) {
529                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
530                        __FUNCTION__, sb->s_type->name, rc);
531                 goto out;
532         }
533
534         rc = try_context_mount(sb, data);
535         if (rc)
536                 goto out;
537
538         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539                 /* Make sure that the xattr handler exists and that no
540                    error other than -ENODATA is returned by getxattr on
541                    the root directory.  -ENODATA is ok, as this may be
542                    the first boot of the SELinux kernel before we have
543                    assigned xattr values to the filesystem. */
544                 if (!inode->i_op->getxattr) {
545                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546                                "xattr support\n", sb->s_id, sb->s_type->name);
547                         rc = -EOPNOTSUPP;
548                         goto out;
549                 }
550                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551                 if (rc < 0 && rc != -ENODATA) {
552                         if (rc == -EOPNOTSUPP)
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) has no security xattr handler\n",
555                                        sb->s_id, sb->s_type->name);
556                         else
557                                 printk(KERN_WARNING "SELinux: (dev %s, type "
558                                        "%s) getxattr errno %d\n", sb->s_id,
559                                        sb->s_type->name, -rc);
560                         goto out;
561                 }
562         }
563
564         if (strcmp(sb->s_type->name, "proc") == 0)
565                 sbsec->proc = 1;
566
567         sbsec->initialized = 1;
568
569         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571                        sb->s_id, sb->s_type->name);
572         }
573         else {
574                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575                        sb->s_id, sb->s_type->name,
576                        labeling_behaviors[sbsec->behavior-1]);
577         }
578
579         /* Initialize the root inode. */
580         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582         /* Initialize any other inodes associated with the superblock, e.g.
583            inodes created prior to initial policy load or inodes created
584            during get_sb by a pseudo filesystem that directly
585            populates itself. */
586         spin_lock(&sbsec->isec_lock);
587 next_inode:
588         if (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_entry(sbsec->isec_head.next,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 spin_unlock(&sbsec->isec_lock);
594                 inode = igrab(inode);
595                 if (inode) {
596                         if (!IS_PRIVATE (inode))
597                                 inode_doinit(inode);
598                         iput(inode);
599                 }
600                 spin_lock(&sbsec->isec_lock);
601                 list_del_init(&isec->list);
602                 goto next_inode;
603         }
604         spin_unlock(&sbsec->isec_lock);
605 out:
606         up(&sbsec->sem);
607         return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612         switch (mode & S_IFMT) {
613         case S_IFSOCK:
614                 return SECCLASS_SOCK_FILE;
615         case S_IFLNK:
616                 return SECCLASS_LNK_FILE;
617         case S_IFREG:
618                 return SECCLASS_FILE;
619         case S_IFBLK:
620                 return SECCLASS_BLK_FILE;
621         case S_IFDIR:
622                 return SECCLASS_DIR;
623         case S_IFCHR:
624                 return SECCLASS_CHR_FILE;
625         case S_IFIFO:
626                 return SECCLASS_FIFO_FILE;
627
628         }
629
630         return SECCLASS_FILE;
631 }
632
633 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
634 {
635         switch (family) {
636         case PF_UNIX:
637                 switch (type) {
638                 case SOCK_STREAM:
639                 case SOCK_SEQPACKET:
640                         return SECCLASS_UNIX_STREAM_SOCKET;
641                 case SOCK_DGRAM:
642                         return SECCLASS_UNIX_DGRAM_SOCKET;
643                 }
644                 break;
645         case PF_INET:
646         case PF_INET6:
647                 switch (type) {
648                 case SOCK_STREAM:
649                         return SECCLASS_TCP_SOCKET;
650                 case SOCK_DGRAM:
651                         return SECCLASS_UDP_SOCKET;
652                 case SOCK_RAW:
653                         return SECCLASS_RAWIP_SOCKET;
654                 }
655                 break;
656         case PF_NETLINK:
657                 switch (protocol) {
658                 case NETLINK_ROUTE:
659                         return SECCLASS_NETLINK_ROUTE_SOCKET;
660                 case NETLINK_FIREWALL:
661                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
662                 case NETLINK_INET_DIAG:
663                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
664                 case NETLINK_NFLOG:
665                         return SECCLASS_NETLINK_NFLOG_SOCKET;
666                 case NETLINK_XFRM:
667                         return SECCLASS_NETLINK_XFRM_SOCKET;
668                 case NETLINK_SELINUX:
669                         return SECCLASS_NETLINK_SELINUX_SOCKET;
670                 case NETLINK_AUDIT:
671                         return SECCLASS_NETLINK_AUDIT_SOCKET;
672                 case NETLINK_IP6_FW:
673                         return SECCLASS_NETLINK_IP6FW_SOCKET;
674                 case NETLINK_DNRTMSG:
675                         return SECCLASS_NETLINK_DNRT_SOCKET;
676                 case NETLINK_KOBJECT_UEVENT:
677                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
678                 default:
679                         return SECCLASS_NETLINK_SOCKET;
680                 }
681         case PF_PACKET:
682                 return SECCLASS_PACKET_SOCKET;
683         case PF_KEY:
684                 return SECCLASS_KEY_SOCKET;
685         }
686
687         return SECCLASS_SOCKET;
688 }
689
690 #ifdef CONFIG_PROC_FS
691 static int selinux_proc_get_sid(struct proc_dir_entry *de,
692                                 u16 tclass,
693                                 u32 *sid)
694 {
695         int buflen, rc;
696         char *buffer, *path, *end;
697
698         buffer = (char*)__get_free_page(GFP_KERNEL);
699         if (!buffer)
700                 return -ENOMEM;
701
702         buflen = PAGE_SIZE;
703         end = buffer+buflen;
704         *--end = '\0';
705         buflen--;
706         path = end-1;
707         *path = '/';
708         while (de && de != de->parent) {
709                 buflen -= de->namelen + 1;
710                 if (buflen < 0)
711                         break;
712                 end -= de->namelen;
713                 memcpy(end, de->name, de->namelen);
714                 *--end = '/';
715                 path = end;
716                 de = de->parent;
717         }
718         rc = security_genfs_sid("proc", path, tclass, sid);
719         free_page((unsigned long)buffer);
720         return rc;
721 }
722 #else
723 static int selinux_proc_get_sid(struct proc_dir_entry *de,
724                                 u16 tclass,
725                                 u32 *sid)
726 {
727         return -EINVAL;
728 }
729 #endif
730
731 /* The inode's security attributes must be initialized before first use. */
732 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
733 {
734         struct superblock_security_struct *sbsec = NULL;
735         struct inode_security_struct *isec = inode->i_security;
736         u32 sid;
737         struct dentry *dentry;
738 #define INITCONTEXTLEN 255
739         char *context = NULL;
740         unsigned len = 0;
741         int rc = 0;
742         int hold_sem = 0;
743
744         if (isec->initialized)
745                 goto out;
746
747         down(&isec->sem);
748         hold_sem = 1;
749         if (isec->initialized)
750                 goto out;
751
752         sbsec = inode->i_sb->s_security;
753         if (!sbsec->initialized) {
754                 /* Defer initialization until selinux_complete_init,
755                    after the initial policy is loaded and the security
756                    server is ready to handle calls. */
757                 spin_lock(&sbsec->isec_lock);
758                 if (list_empty(&isec->list))
759                         list_add(&isec->list, &sbsec->isec_head);
760                 spin_unlock(&sbsec->isec_lock);
761                 goto out;
762         }
763
764         switch (sbsec->behavior) {
765         case SECURITY_FS_USE_XATTR:
766                 if (!inode->i_op->getxattr) {
767                         isec->sid = sbsec->def_sid;
768                         break;
769                 }
770
771                 /* Need a dentry, since the xattr API requires one.
772                    Life would be simpler if we could just pass the inode. */
773                 if (opt_dentry) {
774                         /* Called from d_instantiate or d_splice_alias. */
775                         dentry = dget(opt_dentry);
776                 } else {
777                         /* Called from selinux_complete_init, try to find a dentry. */
778                         dentry = d_find_alias(inode);
779                 }
780                 if (!dentry) {
781                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
782                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
783                                inode->i_ino);
784                         goto out;
785                 }
786
787                 len = INITCONTEXTLEN;
788                 context = kmalloc(len, GFP_KERNEL);
789                 if (!context) {
790                         rc = -ENOMEM;
791                         dput(dentry);
792                         goto out;
793                 }
794                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
795                                            context, len);
796                 if (rc == -ERANGE) {
797                         /* Need a larger buffer.  Query for the right size. */
798                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
799                                                    NULL, 0);
800                         if (rc < 0) {
801                                 dput(dentry);
802                                 goto out;
803                         }
804                         kfree(context);
805                         len = rc;
806                         context = kmalloc(len, GFP_KERNEL);
807                         if (!context) {
808                                 rc = -ENOMEM;
809                                 dput(dentry);
810                                 goto out;
811                         }
812                         rc = inode->i_op->getxattr(dentry,
813                                                    XATTR_NAME_SELINUX,
814                                                    context, len);
815                 }
816                 dput(dentry);
817                 if (rc < 0) {
818                         if (rc != -ENODATA) {
819                                 printk(KERN_WARNING "%s:  getxattr returned "
820                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
821                                        -rc, inode->i_sb->s_id, inode->i_ino);
822                                 kfree(context);
823                                 goto out;
824                         }
825                         /* Map ENODATA to the default file SID */
826                         sid = sbsec->def_sid;
827                         rc = 0;
828                 } else {
829                         rc = security_context_to_sid_default(context, rc, &sid,
830                                                              sbsec->def_sid);
831                         if (rc) {
832                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
833                                        "returned %d for dev=%s ino=%ld\n",
834                                        __FUNCTION__, context, -rc,
835                                        inode->i_sb->s_id, inode->i_ino);
836                                 kfree(context);
837                                 /* Leave with the unlabeled SID */
838                                 rc = 0;
839                                 break;
840                         }
841                 }
842                 kfree(context);
843                 isec->sid = sid;
844                 break;
845         case SECURITY_FS_USE_TASK:
846                 isec->sid = isec->task_sid;
847                 break;
848         case SECURITY_FS_USE_TRANS:
849                 /* Default to the fs SID. */
850                 isec->sid = sbsec->sid;
851
852                 /* Try to obtain a transition SID. */
853                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
854                 rc = security_transition_sid(isec->task_sid,
855                                              sbsec->sid,
856                                              isec->sclass,
857                                              &sid);
858                 if (rc)
859                         goto out;
860                 isec->sid = sid;
861                 break;
862         default:
863                 /* Default to the fs SID. */
864                 isec->sid = sbsec->sid;
865
866                 if (sbsec->proc) {
867                         struct proc_inode *proci = PROC_I(inode);
868                         if (proci->pde) {
869                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
870                                 rc = selinux_proc_get_sid(proci->pde,
871                                                           isec->sclass,
872                                                           &sid);
873                                 if (rc)
874                                         goto out;
875                                 isec->sid = sid;
876                         }
877                 }
878                 break;
879         }
880
881         isec->initialized = 1;
882
883 out:
884         if (isec->sclass == SECCLASS_FILE)
885                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
886
887         if (hold_sem)
888                 up(&isec->sem);
889         return rc;
890 }
891
892 /* Convert a Linux signal to an access vector. */
893 static inline u32 signal_to_av(int sig)
894 {
895         u32 perm = 0;
896
897         switch (sig) {
898         case SIGCHLD:
899                 /* Commonly granted from child to parent. */
900                 perm = PROCESS__SIGCHLD;
901                 break;
902         case SIGKILL:
903                 /* Cannot be caught or ignored */
904                 perm = PROCESS__SIGKILL;
905                 break;
906         case SIGSTOP:
907                 /* Cannot be caught or ignored */
908                 perm = PROCESS__SIGSTOP;
909                 break;
910         default:
911                 /* All other signals. */
912                 perm = PROCESS__SIGNAL;
913                 break;
914         }
915
916         return perm;
917 }
918
919 /* Check permission betweeen a pair of tasks, e.g. signal checks,
920    fork check, ptrace check, etc. */
921 static int task_has_perm(struct task_struct *tsk1,
922                          struct task_struct *tsk2,
923                          u32 perms)
924 {
925         struct task_security_struct *tsec1, *tsec2;
926
927         tsec1 = tsk1->security;
928         tsec2 = tsk2->security;
929         return avc_has_perm(tsec1->sid, tsec2->sid,
930                             SECCLASS_PROCESS, perms, NULL);
931 }
932
933 /* Check whether a task is allowed to use a capability. */
934 static int task_has_capability(struct task_struct *tsk,
935                                int cap)
936 {
937         struct task_security_struct *tsec;
938         struct avc_audit_data ad;
939
940         tsec = tsk->security;
941
942         AVC_AUDIT_DATA_INIT(&ad,CAP);
943         ad.tsk = tsk;
944         ad.u.cap = cap;
945
946         return avc_has_perm(tsec->sid, tsec->sid,
947                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
948 }
949
950 /* Check whether a task is allowed to use a system operation. */
951 static int task_has_system(struct task_struct *tsk,
952                            u32 perms)
953 {
954         struct task_security_struct *tsec;
955
956         tsec = tsk->security;
957
958         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
959                             SECCLASS_SYSTEM, perms, NULL);
960 }
961
962 /* Check whether a task has a particular permission to an inode.
963    The 'adp' parameter is optional and allows other audit
964    data to be passed (e.g. the dentry). */
965 static int inode_has_perm(struct task_struct *tsk,
966                           struct inode *inode,
967                           u32 perms,
968                           struct avc_audit_data *adp)
969 {
970         struct task_security_struct *tsec;
971         struct inode_security_struct *isec;
972         struct avc_audit_data ad;
973
974         tsec = tsk->security;
975         isec = inode->i_security;
976
977         if (!adp) {
978                 adp = &ad;
979                 AVC_AUDIT_DATA_INIT(&ad, FS);
980                 ad.u.fs.inode = inode;
981         }
982
983         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
984 }
985
986 /* Same as inode_has_perm, but pass explicit audit data containing
987    the dentry to help the auditing code to more easily generate the
988    pathname if needed. */
989 static inline int dentry_has_perm(struct task_struct *tsk,
990                                   struct vfsmount *mnt,
991                                   struct dentry *dentry,
992                                   u32 av)
993 {
994         struct inode *inode = dentry->d_inode;
995         struct avc_audit_data ad;
996         AVC_AUDIT_DATA_INIT(&ad,FS);
997         ad.u.fs.mnt = mnt;
998         ad.u.fs.dentry = dentry;
999         return inode_has_perm(tsk, inode, av, &ad);
1000 }
1001
1002 /* Check whether a task can use an open file descriptor to
1003    access an inode in a given way.  Check access to the
1004    descriptor itself, and then use dentry_has_perm to
1005    check a particular permission to the file.
1006    Access to the descriptor is implicitly granted if it
1007    has the same SID as the process.  If av is zero, then
1008    access to the file is not checked, e.g. for cases
1009    where only the descriptor is affected like seek. */
1010 static inline int file_has_perm(struct task_struct *tsk,
1011                                 struct file *file,
1012                                 u32 av)
1013 {
1014         struct task_security_struct *tsec = tsk->security;
1015         struct file_security_struct *fsec = file->f_security;
1016         struct vfsmount *mnt = file->f_vfsmnt;
1017         struct dentry *dentry = file->f_dentry;
1018         struct inode *inode = dentry->d_inode;
1019         struct avc_audit_data ad;
1020         int rc;
1021
1022         AVC_AUDIT_DATA_INIT(&ad, FS);
1023         ad.u.fs.mnt = mnt;
1024         ad.u.fs.dentry = dentry;
1025
1026         if (tsec->sid != fsec->sid) {
1027                 rc = avc_has_perm(tsec->sid, fsec->sid,
1028                                   SECCLASS_FD,
1029                                   FD__USE,
1030                                   &ad);
1031                 if (rc)
1032                         return rc;
1033         }
1034
1035         /* av is zero if only checking access to the descriptor. */
1036         if (av)
1037                 return inode_has_perm(tsk, inode, av, &ad);
1038
1039         return 0;
1040 }
1041
1042 /* Check whether a task can create a file. */
1043 static int may_create(struct inode *dir,
1044                       struct dentry *dentry,
1045                       u16 tclass)
1046 {
1047         struct task_security_struct *tsec;
1048         struct inode_security_struct *dsec;
1049         struct superblock_security_struct *sbsec;
1050         u32 newsid;
1051         struct avc_audit_data ad;
1052         int rc;
1053
1054         tsec = current->security;
1055         dsec = dir->i_security;
1056         sbsec = dir->i_sb->s_security;
1057
1058         AVC_AUDIT_DATA_INIT(&ad, FS);
1059         ad.u.fs.dentry = dentry;
1060
1061         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1062                           DIR__ADD_NAME | DIR__SEARCH,
1063                           &ad);
1064         if (rc)
1065                 return rc;
1066
1067         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1068                 newsid = tsec->create_sid;
1069         } else {
1070                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1071                                              &newsid);
1072                 if (rc)
1073                         return rc;
1074         }
1075
1076         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1077         if (rc)
1078                 return rc;
1079
1080         return avc_has_perm(newsid, sbsec->sid,
1081                             SECCLASS_FILESYSTEM,
1082                             FILESYSTEM__ASSOCIATE, &ad);
1083 }
1084
1085 #define MAY_LINK   0
1086 #define MAY_UNLINK 1
1087 #define MAY_RMDIR  2
1088
1089 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1090 static int may_link(struct inode *dir,
1091                     struct dentry *dentry,
1092                     int kind)
1093
1094 {
1095         struct task_security_struct *tsec;
1096         struct inode_security_struct *dsec, *isec;
1097         struct avc_audit_data ad;
1098         u32 av;
1099         int rc;
1100
1101         tsec = current->security;
1102         dsec = dir->i_security;
1103         isec = dentry->d_inode->i_security;
1104
1105         AVC_AUDIT_DATA_INIT(&ad, FS);
1106         ad.u.fs.dentry = dentry;
1107
1108         av = DIR__SEARCH;
1109         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1110         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1111         if (rc)
1112                 return rc;
1113
1114         switch (kind) {
1115         case MAY_LINK:
1116                 av = FILE__LINK;
1117                 break;
1118         case MAY_UNLINK:
1119                 av = FILE__UNLINK;
1120                 break;
1121         case MAY_RMDIR:
1122                 av = DIR__RMDIR;
1123                 break;
1124         default:
1125                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1126                 return 0;
1127         }
1128
1129         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1130         return rc;
1131 }
1132
1133 static inline int may_rename(struct inode *old_dir,
1134                              struct dentry *old_dentry,
1135                              struct inode *new_dir,
1136                              struct dentry *new_dentry)
1137 {
1138         struct task_security_struct *tsec;
1139         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1140         struct avc_audit_data ad;
1141         u32 av;
1142         int old_is_dir, new_is_dir;
1143         int rc;
1144
1145         tsec = current->security;
1146         old_dsec = old_dir->i_security;
1147         old_isec = old_dentry->d_inode->i_security;
1148         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1149         new_dsec = new_dir->i_security;
1150
1151         AVC_AUDIT_DATA_INIT(&ad, FS);
1152
1153         ad.u.fs.dentry = old_dentry;
1154         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1155                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1156         if (rc)
1157                 return rc;
1158         rc = avc_has_perm(tsec->sid, old_isec->sid,
1159                           old_isec->sclass, FILE__RENAME, &ad);
1160         if (rc)
1161                 return rc;
1162         if (old_is_dir && new_dir != old_dir) {
1163                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1164                                   old_isec->sclass, DIR__REPARENT, &ad);
1165                 if (rc)
1166                         return rc;
1167         }
1168
1169         ad.u.fs.dentry = new_dentry;
1170         av = DIR__ADD_NAME | DIR__SEARCH;
1171         if (new_dentry->d_inode)
1172                 av |= DIR__REMOVE_NAME;
1173         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1174         if (rc)
1175                 return rc;
1176         if (new_dentry->d_inode) {
1177                 new_isec = new_dentry->d_inode->i_security;
1178                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1179                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1180                                   new_isec->sclass,
1181                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1182                 if (rc)
1183                         return rc;
1184         }
1185
1186         return 0;
1187 }
1188
1189 /* Check whether a task can perform a filesystem operation. */
1190 static int superblock_has_perm(struct task_struct *tsk,
1191                                struct super_block *sb,
1192                                u32 perms,
1193                                struct avc_audit_data *ad)
1194 {
1195         struct task_security_struct *tsec;
1196         struct superblock_security_struct *sbsec;
1197
1198         tsec = tsk->security;
1199         sbsec = sb->s_security;
1200         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1201                             perms, ad);
1202 }
1203
1204 /* Convert a Linux mode and permission mask to an access vector. */
1205 static inline u32 file_mask_to_av(int mode, int mask)
1206 {
1207         u32 av = 0;
1208
1209         if ((mode & S_IFMT) != S_IFDIR) {
1210                 if (mask & MAY_EXEC)
1211                         av |= FILE__EXECUTE;
1212                 if (mask & MAY_READ)
1213                         av |= FILE__READ;
1214
1215                 if (mask & MAY_APPEND)
1216                         av |= FILE__APPEND;
1217                 else if (mask & MAY_WRITE)
1218                         av |= FILE__WRITE;
1219
1220         } else {
1221                 if (mask & MAY_EXEC)
1222                         av |= DIR__SEARCH;
1223                 if (mask & MAY_WRITE)
1224                         av |= DIR__WRITE;
1225                 if (mask & MAY_READ)
1226                         av |= DIR__READ;
1227         }
1228
1229         return av;
1230 }
1231
1232 /* Convert a Linux file to an access vector. */
1233 static inline u32 file_to_av(struct file *file)
1234 {
1235         u32 av = 0;
1236
1237         if (file->f_mode & FMODE_READ)
1238                 av |= FILE__READ;
1239         if (file->f_mode & FMODE_WRITE) {
1240                 if (file->f_flags & O_APPEND)
1241                         av |= FILE__APPEND;
1242                 else
1243                         av |= FILE__WRITE;
1244         }
1245
1246         return av;
1247 }
1248
1249 /* Set an inode's SID to a specified value. */
1250 static int inode_security_set_sid(struct inode *inode, u32 sid)
1251 {
1252         struct inode_security_struct *isec = inode->i_security;
1253         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1254
1255         if (!sbsec->initialized) {
1256                 /* Defer initialization to selinux_complete_init. */
1257                 return 0;
1258         }
1259
1260         down(&isec->sem);
1261         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1262         isec->sid = sid;
1263         isec->initialized = 1;
1264         up(&isec->sem);
1265         return 0;
1266 }
1267
1268 /* Set the security attributes on a newly created file. */
1269 static int post_create(struct inode *dir,
1270                        struct dentry *dentry)
1271 {
1272
1273         struct task_security_struct *tsec;
1274         struct inode *inode;
1275         struct inode_security_struct *dsec;
1276         struct superblock_security_struct *sbsec;
1277         struct inode_security_struct *isec;
1278         u32 newsid;
1279         char *context;
1280         unsigned int len;
1281         int rc;
1282
1283         tsec = current->security;
1284         dsec = dir->i_security;
1285         sbsec = dir->i_sb->s_security;
1286
1287         inode = dentry->d_inode;
1288         if (!inode) {
1289                 /* Some file system types (e.g. NFS) may not instantiate
1290                    a dentry for all create operations (e.g. symlink),
1291                    so we have to check to see if the inode is non-NULL. */
1292                 printk(KERN_WARNING "post_create:  no inode, dir (dev=%s, "
1293                        "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1294                 return 0;
1295         }
1296
1297         isec = inode->i_security;
1298
1299         if (isec->security_attr_init)
1300                 return 0;
1301
1302         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1303                 newsid = tsec->create_sid;
1304         } else {
1305                 rc = security_transition_sid(tsec->sid, dsec->sid,
1306                                              inode_mode_to_security_class(inode->i_mode),
1307                                              &newsid);
1308                 if (rc) {
1309                         printk(KERN_WARNING "post_create:  "
1310                                "security_transition_sid failed, rc=%d (dev=%s "
1311                                "ino=%ld)\n",
1312                                -rc, inode->i_sb->s_id, inode->i_ino);
1313                         return rc;
1314                 }
1315         }
1316
1317         rc = inode_security_set_sid(inode, newsid);
1318         if (rc) {
1319                 printk(KERN_WARNING "post_create:  inode_security_set_sid "
1320                        "failed, rc=%d (dev=%s ino=%ld)\n",
1321                        -rc, inode->i_sb->s_id, inode->i_ino);
1322                 return rc;
1323         }
1324
1325         if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1326             inode->i_op->setxattr) {
1327                 /* Use extended attributes. */
1328                 rc = security_sid_to_context(newsid, &context, &len);
1329                 if (rc) {
1330                         printk(KERN_WARNING "post_create:  sid_to_context "
1331                                "failed, rc=%d (dev=%s ino=%ld)\n",
1332                                -rc, inode->i_sb->s_id, inode->i_ino);
1333                         return rc;
1334                 }
1335                 down(&inode->i_sem);
1336                 rc = inode->i_op->setxattr(dentry,
1337                                            XATTR_NAME_SELINUX,
1338                                            context, len, 0);
1339                 up(&inode->i_sem);
1340                 kfree(context);
1341                 if (rc < 0) {
1342                         printk(KERN_WARNING "post_create:  setxattr failed, "
1343                                "rc=%d (dev=%s ino=%ld)\n",
1344                                -rc, inode->i_sb->s_id, inode->i_ino);
1345                         return rc;
1346                 }
1347         }
1348
1349         return 0;
1350 }
1351
1352
1353 /* Hook functions begin here. */
1354
1355 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1356 {
1357         struct task_security_struct *psec = parent->security;
1358         struct task_security_struct *csec = child->security;
1359         int rc;
1360
1361         rc = secondary_ops->ptrace(parent,child);
1362         if (rc)
1363                 return rc;
1364
1365         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1366         /* Save the SID of the tracing process for later use in apply_creds. */
1367         if (!rc)
1368                 csec->ptrace_sid = psec->sid;
1369         return rc;
1370 }
1371
1372 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1373                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1374 {
1375         int error;
1376
1377         error = task_has_perm(current, target, PROCESS__GETCAP);
1378         if (error)
1379                 return error;
1380
1381         return secondary_ops->capget(target, effective, inheritable, permitted);
1382 }
1383
1384 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1385                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1386 {
1387         int error;
1388
1389         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1390         if (error)
1391                 return error;
1392
1393         return task_has_perm(current, target, PROCESS__SETCAP);
1394 }
1395
1396 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1397                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1398 {
1399         secondary_ops->capset_set(target, effective, inheritable, permitted);
1400 }
1401
1402 static int selinux_capable(struct task_struct *tsk, int cap)
1403 {
1404         int rc;
1405
1406         rc = secondary_ops->capable(tsk, cap);
1407         if (rc)
1408                 return rc;
1409
1410         return task_has_capability(tsk,cap);
1411 }
1412
1413 static int selinux_sysctl(ctl_table *table, int op)
1414 {
1415         int error = 0;
1416         u32 av;
1417         struct task_security_struct *tsec;
1418         u32 tsid;
1419         int rc;
1420
1421         rc = secondary_ops->sysctl(table, op);
1422         if (rc)
1423                 return rc;
1424
1425         tsec = current->security;
1426
1427         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1428                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1429         if (rc) {
1430                 /* Default to the well-defined sysctl SID. */
1431                 tsid = SECINITSID_SYSCTL;
1432         }
1433
1434         /* The op values are "defined" in sysctl.c, thereby creating
1435          * a bad coupling between this module and sysctl.c */
1436         if(op == 001) {
1437                 error = avc_has_perm(tsec->sid, tsid,
1438                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1439         } else {
1440                 av = 0;
1441                 if (op & 004)
1442                         av |= FILE__READ;
1443                 if (op & 002)
1444                         av |= FILE__WRITE;
1445                 if (av)
1446                         error = avc_has_perm(tsec->sid, tsid,
1447                                              SECCLASS_FILE, av, NULL);
1448         }
1449
1450         return error;
1451 }
1452
1453 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1454 {
1455         int rc = 0;
1456
1457         if (!sb)
1458                 return 0;
1459
1460         switch (cmds) {
1461                 case Q_SYNC:
1462                 case Q_QUOTAON:
1463                 case Q_QUOTAOFF:
1464                 case Q_SETINFO:
1465                 case Q_SETQUOTA:
1466                         rc = superblock_has_perm(current,
1467                                                  sb,
1468                                                  FILESYSTEM__QUOTAMOD, NULL);
1469                         break;
1470                 case Q_GETFMT:
1471                 case Q_GETINFO:
1472                 case Q_GETQUOTA:
1473                         rc = superblock_has_perm(current,
1474                                                  sb,
1475                                                  FILESYSTEM__QUOTAGET, NULL);
1476                         break;
1477                 default:
1478                         rc = 0;  /* let the kernel handle invalid cmds */
1479                         break;
1480         }
1481         return rc;
1482 }
1483
1484 static int selinux_quota_on(struct dentry *dentry)
1485 {
1486         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1487 }
1488
1489 static int selinux_syslog(int type)
1490 {
1491         int rc;
1492
1493         rc = secondary_ops->syslog(type);
1494         if (rc)
1495                 return rc;
1496
1497         switch (type) {
1498                 case 3:         /* Read last kernel messages */
1499                 case 10:        /* Return size of the log buffer */
1500                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1501                         break;
1502                 case 6:         /* Disable logging to console */
1503                 case 7:         /* Enable logging to console */
1504                 case 8:         /* Set level of messages printed to console */
1505                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1506                         break;
1507                 case 0:         /* Close log */
1508                 case 1:         /* Open log */
1509                 case 2:         /* Read from log */
1510                 case 4:         /* Read/clear last kernel messages */
1511                 case 5:         /* Clear ring buffer */
1512                 default:
1513                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1514                         break;
1515         }
1516         return rc;
1517 }
1518
1519 /*
1520  * Check that a process has enough memory to allocate a new virtual
1521  * mapping. 0 means there is enough memory for the allocation to
1522  * succeed and -ENOMEM implies there is not.
1523  *
1524  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1525  * if the capability is granted, but __vm_enough_memory requires 1 if
1526  * the capability is granted.
1527  *
1528  * Do not audit the selinux permission check, as this is applied to all
1529  * processes that allocate mappings.
1530  */
1531 static int selinux_vm_enough_memory(long pages)
1532 {
1533         int rc, cap_sys_admin = 0;
1534         struct task_security_struct *tsec = current->security;
1535
1536         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1537         if (rc == 0)
1538                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1539                                         SECCLASS_CAPABILITY,
1540                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1541                                         NULL);
1542
1543         if (rc == 0)
1544                 cap_sys_admin = 1;
1545
1546         return __vm_enough_memory(pages, cap_sys_admin);
1547 }
1548
1549 /* binprm security operations */
1550
1551 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1552 {
1553         struct bprm_security_struct *bsec;
1554
1555         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1556         if (!bsec)
1557                 return -ENOMEM;
1558
1559         memset(bsec, 0, sizeof *bsec);
1560         bsec->magic = SELINUX_MAGIC;
1561         bsec->bprm = bprm;
1562         bsec->sid = SECINITSID_UNLABELED;
1563         bsec->set = 0;
1564
1565         bprm->security = bsec;
1566         return 0;
1567 }
1568
1569 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1570 {
1571         struct task_security_struct *tsec;
1572         struct inode *inode = bprm->file->f_dentry->d_inode;
1573         struct inode_security_struct *isec;
1574         struct bprm_security_struct *bsec;
1575         u32 newsid;
1576         struct avc_audit_data ad;
1577         int rc;
1578
1579         rc = secondary_ops->bprm_set_security(bprm);
1580         if (rc)
1581                 return rc;
1582
1583         bsec = bprm->security;
1584
1585         if (bsec->set)
1586                 return 0;
1587
1588         tsec = current->security;
1589         isec = inode->i_security;
1590
1591         /* Default to the current task SID. */
1592         bsec->sid = tsec->sid;
1593
1594         /* Reset create SID on execve. */
1595         tsec->create_sid = 0;
1596
1597         if (tsec->exec_sid) {
1598                 newsid = tsec->exec_sid;
1599                 /* Reset exec SID on execve. */
1600                 tsec->exec_sid = 0;
1601         } else {
1602                 /* Check for a default transition on this program. */
1603                 rc = security_transition_sid(tsec->sid, isec->sid,
1604                                              SECCLASS_PROCESS, &newsid);
1605                 if (rc)
1606                         return rc;
1607         }
1608
1609         AVC_AUDIT_DATA_INIT(&ad, FS);
1610         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1611         ad.u.fs.dentry = bprm->file->f_dentry;
1612
1613         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1614                 newsid = tsec->sid;
1615
1616         if (tsec->sid == newsid) {
1617                 rc = avc_has_perm(tsec->sid, isec->sid,
1618                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1619                 if (rc)
1620                         return rc;
1621         } else {
1622                 /* Check permissions for the transition. */
1623                 rc = avc_has_perm(tsec->sid, newsid,
1624                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1625                 if (rc)
1626                         return rc;
1627
1628                 rc = avc_has_perm(newsid, isec->sid,
1629                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1630                 if (rc)
1631                         return rc;
1632
1633                 /* Clear any possibly unsafe personality bits on exec: */
1634                 current->personality &= ~PER_CLEAR_ON_SETID;
1635
1636                 /* Set the security field to the new SID. */
1637                 bsec->sid = newsid;
1638         }
1639
1640         bsec->set = 1;
1641         return 0;
1642 }
1643
1644 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1645 {
1646         return secondary_ops->bprm_check_security(bprm);
1647 }
1648
1649
1650 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1651 {
1652         struct task_security_struct *tsec = current->security;
1653         int atsecure = 0;
1654
1655         if (tsec->osid != tsec->sid) {
1656                 /* Enable secure mode for SIDs transitions unless
1657                    the noatsecure permission is granted between
1658                    the two SIDs, i.e. ahp returns 0. */
1659                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1660                                          SECCLASS_PROCESS,
1661                                          PROCESS__NOATSECURE, NULL);
1662         }
1663
1664         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1665 }
1666
1667 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1668 {
1669         kfree(bprm->security);
1670         bprm->security = NULL;
1671 }
1672
1673 extern struct vfsmount *selinuxfs_mount;
1674 extern struct dentry *selinux_null;
1675
1676 /* Derived from fs/exec.c:flush_old_files. */
1677 static inline void flush_unauthorized_files(struct files_struct * files)
1678 {
1679         struct avc_audit_data ad;
1680         struct file *file, *devnull = NULL;
1681         struct tty_struct *tty = current->signal->tty;
1682         long j = -1;
1683
1684         if (tty) {
1685                 file_list_lock();
1686                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1687                 if (file) {
1688                         /* Revalidate access to controlling tty.
1689                            Use inode_has_perm on the tty inode directly rather
1690                            than using file_has_perm, as this particular open
1691                            file may belong to another process and we are only
1692                            interested in the inode-based check here. */
1693                         struct inode *inode = file->f_dentry->d_inode;
1694                         if (inode_has_perm(current, inode,
1695                                            FILE__READ | FILE__WRITE, NULL)) {
1696                                 /* Reset controlling tty. */
1697                                 current->signal->tty = NULL;
1698                                 current->signal->tty_old_pgrp = 0;
1699                         }
1700                 }
1701                 file_list_unlock();
1702         }
1703
1704         /* Revalidate access to inherited open files. */
1705
1706         AVC_AUDIT_DATA_INIT(&ad,FS);
1707
1708         spin_lock(&files->file_lock);
1709         for (;;) {
1710                 unsigned long set, i;
1711                 int fd;
1712
1713                 j++;
1714                 i = j * __NFDBITS;
1715                 if (i >= files->max_fds || i >= files->max_fdset)
1716                         break;
1717                 set = files->open_fds->fds_bits[j];
1718                 if (!set)
1719                         continue;
1720                 spin_unlock(&files->file_lock);
1721                 for ( ; set ; i++,set >>= 1) {
1722                         if (set & 1) {
1723                                 file = fget(i);
1724                                 if (!file)
1725                                         continue;
1726                                 if (file_has_perm(current,
1727                                                   file,
1728                                                   file_to_av(file))) {
1729                                         sys_close(i);
1730                                         fd = get_unused_fd();
1731                                         if (fd != i) {
1732                                                 if (fd >= 0)
1733                                                         put_unused_fd(fd);
1734                                                 fput(file);
1735                                                 continue;
1736                                         }
1737                                         if (devnull) {
1738                                                 atomic_inc(&devnull->f_count);
1739                                         } else {
1740                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1741                                                 if (!devnull) {
1742                                                         put_unused_fd(fd);
1743                                                         fput(file);
1744                                                         continue;
1745                                                 }
1746                                         }
1747                                         fd_install(fd, devnull);
1748                                 }
1749                                 fput(file);
1750                         }
1751                 }
1752                 spin_lock(&files->file_lock);
1753
1754         }
1755         spin_unlock(&files->file_lock);
1756 }
1757
1758 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1759 {
1760         struct task_security_struct *tsec;
1761         struct bprm_security_struct *bsec;
1762         u32 sid;
1763         int rc;
1764
1765         secondary_ops->bprm_apply_creds(bprm, unsafe);
1766
1767         tsec = current->security;
1768
1769         bsec = bprm->security;
1770         sid = bsec->sid;
1771
1772         tsec->osid = tsec->sid;
1773         bsec->unsafe = 0;
1774         if (tsec->sid != sid) {
1775                 /* Check for shared state.  If not ok, leave SID
1776                    unchanged and kill. */
1777                 if (unsafe & LSM_UNSAFE_SHARE) {
1778                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1779                                         PROCESS__SHARE, NULL);
1780                         if (rc) {
1781                                 bsec->unsafe = 1;
1782                                 return;
1783                         }
1784                 }
1785
1786                 /* Check for ptracing, and update the task SID if ok.
1787                    Otherwise, leave SID unchanged and kill. */
1788                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1789                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1790                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1791                                           NULL);
1792                         if (rc) {
1793                                 bsec->unsafe = 1;
1794                                 return;
1795                         }
1796                 }
1797                 tsec->sid = sid;
1798         }
1799 }
1800
1801 /*
1802  * called after apply_creds without the task lock held
1803  */
1804 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1805 {
1806         struct task_security_struct *tsec;
1807         struct rlimit *rlim, *initrlim;
1808         struct itimerval itimer;
1809         struct bprm_security_struct *bsec;
1810         int rc, i;
1811
1812         tsec = current->security;
1813         bsec = bprm->security;
1814
1815         if (bsec->unsafe) {
1816                 force_sig_specific(SIGKILL, current);
1817                 return;
1818         }
1819         if (tsec->osid == tsec->sid)
1820                 return;
1821
1822         /* Close files for which the new task SID is not authorized. */
1823         flush_unauthorized_files(current->files);
1824
1825         /* Check whether the new SID can inherit signal state
1826            from the old SID.  If not, clear itimers to avoid
1827            subsequent signal generation and flush and unblock
1828            signals. This must occur _after_ the task SID has
1829           been updated so that any kill done after the flush
1830           will be checked against the new SID. */
1831         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1832                           PROCESS__SIGINH, NULL);
1833         if (rc) {
1834                 memset(&itimer, 0, sizeof itimer);
1835                 for (i = 0; i < 3; i++)
1836                         do_setitimer(i, &itimer, NULL);
1837                 flush_signals(current);
1838                 spin_lock_irq(&current->sighand->siglock);
1839                 flush_signal_handlers(current, 1);
1840                 sigemptyset(&current->blocked);
1841                 recalc_sigpending();
1842                 spin_unlock_irq(&current->sighand->siglock);
1843         }
1844
1845         /* Check whether the new SID can inherit resource limits
1846            from the old SID.  If not, reset all soft limits to
1847            the lower of the current task's hard limit and the init
1848            task's soft limit.  Note that the setting of hard limits
1849            (even to lower them) can be controlled by the setrlimit
1850            check. The inclusion of the init task's soft limit into
1851            the computation is to avoid resetting soft limits higher
1852            than the default soft limit for cases where the default
1853            is lower than the hard limit, e.g. RLIMIT_CORE or
1854            RLIMIT_STACK.*/
1855         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1856                           PROCESS__RLIMITINH, NULL);
1857         if (rc) {
1858                 for (i = 0; i < RLIM_NLIMITS; i++) {
1859                         rlim = current->signal->rlim + i;
1860                         initrlim = init_task.signal->rlim+i;
1861                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1862                 }
1863                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1864                         /*
1865                          * This will cause RLIMIT_CPU calculations
1866                          * to be refigured.
1867                          */
1868                         current->it_prof_expires = jiffies_to_cputime(1);
1869                 }
1870         }
1871
1872         /* Wake up the parent if it is waiting so that it can
1873            recheck wait permission to the new task SID. */
1874         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1875 }
1876
1877 /* superblock security operations */
1878
1879 static int selinux_sb_alloc_security(struct super_block *sb)
1880 {
1881         return superblock_alloc_security(sb);
1882 }
1883
1884 static void selinux_sb_free_security(struct super_block *sb)
1885 {
1886         superblock_free_security(sb);
1887 }
1888
1889 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1890 {
1891         if (plen > olen)
1892                 return 0;
1893
1894         return !memcmp(prefix, option, plen);
1895 }
1896
1897 static inline int selinux_option(char *option, int len)
1898 {
1899         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1900                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1901                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1902 }
1903
1904 static inline void take_option(char **to, char *from, int *first, int len)
1905 {
1906         if (!*first) {
1907                 **to = ',';
1908                 *to += 1;
1909         }
1910         else
1911                 *first = 0;
1912         memcpy(*to, from, len);
1913         *to += len;
1914 }
1915
1916 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1917 {
1918         int fnosec, fsec, rc = 0;
1919         char *in_save, *in_curr, *in_end;
1920         char *sec_curr, *nosec_save, *nosec;
1921
1922         in_curr = orig;
1923         sec_curr = copy;
1924
1925         /* Binary mount data: just copy */
1926         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1927                 copy_page(sec_curr, in_curr);
1928                 goto out;
1929         }
1930
1931         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1932         if (!nosec) {
1933                 rc = -ENOMEM;
1934                 goto out;
1935         }
1936
1937         nosec_save = nosec;
1938         fnosec = fsec = 1;
1939         in_save = in_end = orig;
1940
1941         do {
1942                 if (*in_end == ',' || *in_end == '\0') {
1943                         int len = in_end - in_curr;
1944
1945                         if (selinux_option(in_curr, len))
1946                                 take_option(&sec_curr, in_curr, &fsec, len);
1947                         else
1948                                 take_option(&nosec, in_curr, &fnosec, len);
1949
1950                         in_curr = in_end + 1;
1951                 }
1952         } while (*in_end++);
1953
1954         strcpy(in_save, nosec_save);
1955         free_page((unsigned long)nosec_save);
1956 out:
1957         return rc;
1958 }
1959
1960 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1961 {
1962         struct avc_audit_data ad;
1963         int rc;
1964
1965         rc = superblock_doinit(sb, data);
1966         if (rc)
1967                 return rc;
1968
1969         AVC_AUDIT_DATA_INIT(&ad,FS);
1970         ad.u.fs.dentry = sb->s_root;
1971         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1972 }
1973
1974 static int selinux_sb_statfs(struct super_block *sb)
1975 {
1976         struct avc_audit_data ad;
1977
1978         AVC_AUDIT_DATA_INIT(&ad,FS);
1979         ad.u.fs.dentry = sb->s_root;
1980         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1981 }
1982
1983 static int selinux_mount(char * dev_name,
1984                          struct nameidata *nd,
1985                          char * type,
1986                          unsigned long flags,
1987                          void * data)
1988 {
1989         int rc;
1990
1991         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1992         if (rc)
1993                 return rc;
1994
1995         if (flags & MS_REMOUNT)
1996                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1997                                            FILESYSTEM__REMOUNT, NULL);
1998         else
1999                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2000                                        FILE__MOUNTON);
2001 }
2002
2003 static int selinux_umount(struct vfsmount *mnt, int flags)
2004 {
2005         int rc;
2006
2007         rc = secondary_ops->sb_umount(mnt, flags);
2008         if (rc)
2009                 return rc;
2010
2011         return superblock_has_perm(current,mnt->mnt_sb,
2012                                    FILESYSTEM__UNMOUNT,NULL);
2013 }
2014
2015 /* inode security operations */
2016
2017 static int selinux_inode_alloc_security(struct inode *inode)
2018 {
2019         return inode_alloc_security(inode);
2020 }
2021
2022 static void selinux_inode_free_security(struct inode *inode)
2023 {
2024         inode_free_security(inode);
2025 }
2026
2027 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2028                                        char **name, void **value,
2029                                        size_t *len)
2030 {
2031         struct task_security_struct *tsec;
2032         struct inode_security_struct *dsec;
2033         struct superblock_security_struct *sbsec;
2034         struct inode_security_struct *isec;
2035         u32 newsid, clen;
2036         int rc;
2037         char *namep = NULL, *context;
2038
2039         tsec = current->security;
2040         dsec = dir->i_security;
2041         sbsec = dir->i_sb->s_security;
2042         isec = inode->i_security;
2043
2044         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2045                 newsid = tsec->create_sid;
2046         } else {
2047                 rc = security_transition_sid(tsec->sid, dsec->sid,
2048                                              inode_mode_to_security_class(inode->i_mode),
2049                                              &newsid);
2050                 if (rc) {
2051                         printk(KERN_WARNING "%s:  "
2052                                "security_transition_sid failed, rc=%d (dev=%s "
2053                                "ino=%ld)\n",
2054                                __FUNCTION__,
2055                                -rc, inode->i_sb->s_id, inode->i_ino);
2056                         return rc;
2057                 }
2058         }
2059
2060         inode_security_set_sid(inode, newsid);
2061
2062         if (name) {
2063                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2064                 if (!namep)
2065                         return -ENOMEM;
2066                 *name = namep;
2067         }
2068
2069         if (value && len) {
2070                 rc = security_sid_to_context(newsid, &context, &clen);
2071                 if (rc) {
2072                         kfree(namep);
2073                         return rc;
2074                 }
2075                 *value = context;
2076                 *len = clen;
2077         }
2078
2079         isec->security_attr_init = 1;
2080
2081         return 0;
2082 }
2083
2084 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2085 {
2086         return may_create(dir, dentry, SECCLASS_FILE);
2087 }
2088
2089 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2090 {
2091         post_create(dir, dentry);
2092 }
2093
2094 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2095 {
2096         int rc;
2097
2098         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2099         if (rc)
2100                 return rc;
2101         return may_link(dir, old_dentry, MAY_LINK);
2102 }
2103
2104 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2105 {
2106         return;
2107 }
2108
2109 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2110 {
2111         int rc;
2112
2113         rc = secondary_ops->inode_unlink(dir, dentry);
2114         if (rc)
2115                 return rc;
2116         return may_link(dir, dentry, MAY_UNLINK);
2117 }
2118
2119 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2120 {
2121         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2122 }
2123
2124 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2125 {
2126         post_create(dir, dentry);
2127 }
2128
2129 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2130 {
2131         return may_create(dir, dentry, SECCLASS_DIR);
2132 }
2133
2134 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2135 {
2136         post_create(dir, dentry);
2137 }
2138
2139 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2140 {
2141         return may_link(dir, dentry, MAY_RMDIR);
2142 }
2143
2144 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2145 {
2146         int rc;
2147
2148         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2149         if (rc)
2150                 return rc;
2151
2152         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2153 }
2154
2155 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2156 {
2157         post_create(dir, dentry);
2158 }
2159
2160 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2161                                 struct inode *new_inode, struct dentry *new_dentry)
2162 {
2163         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2164 }
2165
2166 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2167                                       struct inode *new_inode, struct dentry *new_dentry)
2168 {
2169         return;
2170 }
2171
2172 static int selinux_inode_readlink(struct dentry *dentry)
2173 {
2174         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2175 }
2176
2177 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2178 {
2179         int rc;
2180
2181         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2182         if (rc)
2183                 return rc;
2184         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2185 }
2186
2187 static int selinux_inode_permission(struct inode *inode, int mask,
2188                                     struct nameidata *nd)
2189 {
2190         int rc;
2191
2192         rc = secondary_ops->inode_permission(inode, mask, nd);
2193         if (rc)
2194                 return rc;
2195
2196         if (!mask) {
2197                 /* No permission to check.  Existence test. */
2198                 return 0;
2199         }
2200
2201         return inode_has_perm(current, inode,
2202                                file_mask_to_av(inode->i_mode, mask), NULL);
2203 }
2204
2205 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2206 {
2207         int rc;
2208
2209         rc = secondary_ops->inode_setattr(dentry, iattr);
2210         if (rc)
2211                 return rc;
2212
2213         if (iattr->ia_valid & ATTR_FORCE)
2214                 return 0;
2215
2216         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2217                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2218                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2219
2220         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2221 }
2222
2223 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2224 {
2225         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2226 }
2227
2228 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2229 {
2230         struct task_security_struct *tsec = current->security;
2231         struct inode *inode = dentry->d_inode;
2232         struct inode_security_struct *isec = inode->i_security;
2233         struct superblock_security_struct *sbsec;
2234         struct avc_audit_data ad;
2235         u32 newsid;
2236         int rc = 0;
2237
2238         if (strcmp(name, XATTR_NAME_SELINUX)) {
2239                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2240                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2241                     !capable(CAP_SYS_ADMIN)) {
2242                         /* A different attribute in the security namespace.
2243                            Restrict to administrator. */
2244                         return -EPERM;
2245                 }
2246
2247                 /* Not an attribute we recognize, so just check the
2248                    ordinary setattr permission. */
2249                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2250         }
2251
2252         sbsec = inode->i_sb->s_security;
2253         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2254                 return -EOPNOTSUPP;
2255
2256         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2257                 return -EPERM;
2258
2259         AVC_AUDIT_DATA_INIT(&ad,FS);
2260         ad.u.fs.dentry = dentry;
2261
2262         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2263                           FILE__RELABELFROM, &ad);
2264         if (rc)
2265                 return rc;
2266
2267         rc = security_context_to_sid(value, size, &newsid);
2268         if (rc)
2269                 return rc;
2270
2271         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2272                           FILE__RELABELTO, &ad);
2273         if (rc)
2274                 return rc;
2275
2276         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2277                                           isec->sclass);
2278         if (rc)
2279                 return rc;
2280
2281         return avc_has_perm(newsid,
2282                             sbsec->sid,
2283                             SECCLASS_FILESYSTEM,
2284                             FILESYSTEM__ASSOCIATE,
2285                             &ad);
2286 }
2287
2288 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2289                                         void *value, size_t size, int flags)
2290 {
2291         struct inode *inode = dentry->d_inode;
2292         struct inode_security_struct *isec = inode->i_security;
2293         u32 newsid;
2294         int rc;
2295
2296         if (strcmp(name, XATTR_NAME_SELINUX)) {
2297                 /* Not an attribute we recognize, so nothing to do. */
2298                 return;
2299         }
2300
2301         rc = security_context_to_sid(value, size, &newsid);
2302         if (rc) {
2303                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2304                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2305                 return;
2306         }
2307
2308         isec->sid = newsid;
2309         return;
2310 }
2311
2312 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2313 {
2314         struct inode *inode = dentry->d_inode;
2315         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2316
2317         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2318                 return -EOPNOTSUPP;
2319
2320         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2321 }
2322
2323 static int selinux_inode_listxattr (struct dentry *dentry)
2324 {
2325         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2326 }
2327
2328 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2329 {
2330         if (strcmp(name, XATTR_NAME_SELINUX)) {
2331                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2332                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2333                     !capable(CAP_SYS_ADMIN)) {
2334                         /* A different attribute in the security namespace.
2335                            Restrict to administrator. */
2336                         return -EPERM;
2337                 }
2338
2339                 /* Not an attribute we recognize, so just check the
2340                    ordinary setattr permission. Might want a separate
2341                    permission for removexattr. */
2342                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2343         }
2344
2345         /* No one is allowed to remove a SELinux security label.
2346            You can change the label, but all data must be labeled. */
2347         return -EACCES;
2348 }
2349
2350 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2351 {
2352         struct inode_security_struct *isec = inode->i_security;
2353         char *context;
2354         unsigned len;
2355         int rc;
2356
2357         /* Permission check handled by selinux_inode_getxattr hook.*/
2358
2359         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2360                 return -EOPNOTSUPP;
2361
2362         rc = security_sid_to_context(isec->sid, &context, &len);
2363         if (rc)
2364                 return rc;
2365
2366         if (!buffer || !size) {
2367                 kfree(context);
2368                 return len;
2369         }
2370         if (size < len) {
2371                 kfree(context);
2372                 return -ERANGE;
2373         }
2374         memcpy(buffer, context, len);
2375         kfree(context);
2376         return len;
2377 }
2378
2379 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2380                                      const void *value, size_t size, int flags)
2381 {
2382         struct inode_security_struct *isec = inode->i_security;
2383         u32 newsid;
2384         int rc;
2385
2386         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2387                 return -EOPNOTSUPP;
2388
2389         if (!value || !size)
2390                 return -EACCES;
2391
2392         rc = security_context_to_sid((void*)value, size, &newsid);
2393         if (rc)
2394                 return rc;
2395
2396         isec->sid = newsid;
2397         return 0;
2398 }
2399
2400 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2401 {
2402         const int len = sizeof(XATTR_NAME_SELINUX);
2403         if (buffer && len <= buffer_size)
2404                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2405         return len;
2406 }
2407
2408 /* file security operations */
2409
2410 static int selinux_file_permission(struct file *file, int mask)
2411 {
2412         struct inode *inode = file->f_dentry->d_inode;
2413
2414         if (!mask) {
2415                 /* No permission to check.  Existence test. */
2416                 return 0;
2417         }
2418
2419         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2420         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2421                 mask |= MAY_APPEND;
2422
2423         return file_has_perm(current, file,
2424                              file_mask_to_av(inode->i_mode, mask));
2425 }
2426
2427 static int selinux_file_alloc_security(struct file *file)
2428 {
2429         return file_alloc_security(file);
2430 }
2431
2432 static void selinux_file_free_security(struct file *file)
2433 {
2434         file_free_security(file);
2435 }
2436
2437 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2438                               unsigned long arg)
2439 {
2440         int error = 0;
2441
2442         switch (cmd) {
2443                 case FIONREAD:
2444                 /* fall through */
2445                 case FIBMAP:
2446                 /* fall through */
2447                 case FIGETBSZ:
2448                 /* fall through */
2449                 case EXT2_IOC_GETFLAGS:
2450                 /* fall through */
2451                 case EXT2_IOC_GETVERSION:
2452                         error = file_has_perm(current, file, FILE__GETATTR);
2453                         break;
2454
2455                 case EXT2_IOC_SETFLAGS:
2456                 /* fall through */
2457                 case EXT2_IOC_SETVERSION:
2458                         error = file_has_perm(current, file, FILE__SETATTR);
2459                         break;
2460
2461                 /* sys_ioctl() checks */
2462                 case FIONBIO:
2463                 /* fall through */
2464                 case FIOASYNC:
2465                         error = file_has_perm(current, file, 0);
2466                         break;
2467
2468                 case KDSKBENT:
2469                 case KDSKBSENT:
2470                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2471                         break;
2472
2473                 /* default case assumes that the command will go
2474                  * to the file's ioctl() function.
2475                  */
2476                 default:
2477                         error = file_has_perm(current, file, FILE__IOCTL);
2478
2479         }
2480         return error;
2481 }
2482
2483 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2484 {
2485 #ifndef CONFIG_PPC32
2486         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2487                 /*
2488                  * We are making executable an anonymous mapping or a
2489                  * private file mapping that will also be writable.
2490                  * This has an additional check.
2491                  */
2492                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2493                 if (rc)
2494                         return rc;
2495         }
2496 #endif
2497
2498         if (file) {
2499                 /* read access is always possible with a mapping */
2500                 u32 av = FILE__READ;
2501
2502                 /* write access only matters if the mapping is shared */
2503                 if (shared && (prot & PROT_WRITE))
2504                         av |= FILE__WRITE;
2505
2506                 if (prot & PROT_EXEC)
2507                         av |= FILE__EXECUTE;
2508
2509                 return file_has_perm(current, file, av);
2510         }
2511         return 0;
2512 }
2513
2514 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2515                              unsigned long prot, unsigned long flags)
2516 {
2517         int rc;
2518
2519         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2520         if (rc)
2521                 return rc;
2522
2523         if (selinux_checkreqprot)
2524                 prot = reqprot;
2525
2526         return file_map_prot_check(file, prot,
2527                                    (flags & MAP_TYPE) == MAP_SHARED);
2528 }
2529
2530 static int selinux_file_mprotect(struct vm_area_struct *vma,
2531                                  unsigned long reqprot,
2532                                  unsigned long prot)
2533 {
2534         int rc;
2535
2536         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2537         if (rc)
2538                 return rc;
2539
2540         if (selinux_checkreqprot)
2541                 prot = reqprot;
2542
2543 #ifndef CONFIG_PPC32
2544         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2545            (vma->vm_start >= vma->vm_mm->start_brk &&
2546             vma->vm_end <= vma->vm_mm->brk)) {
2547                 /*
2548                  * We are making an executable mapping in the brk region.
2549                  * This has an additional execheap check.
2550                  */
2551                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2552                 if (rc)
2553                         return rc;
2554         }
2555         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2556                 /*
2557                  * We are making executable a file mapping that has
2558                  * had some COW done. Since pages might have been written,
2559                  * check ability to execute the possibly modified content.
2560                  * This typically should only occur for text relocations.
2561                  */
2562                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2563                 if (rc)
2564                         return rc;
2565         }
2566         if (!vma->vm_file && (prot & PROT_EXEC) &&
2567                 vma->vm_start <= vma->vm_mm->start_stack &&
2568                 vma->vm_end >= vma->vm_mm->start_stack) {
2569                 /* Attempt to make the process stack executable.
2570                  * This has an additional execstack check.
2571                  */
2572                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2573                 if (rc)
2574                         return rc;
2575         }
2576 #endif
2577
2578         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2579 }
2580
2581 static int selinux_file_lock(struct file *file, unsigned int cmd)
2582 {
2583         return file_has_perm(current, file, FILE__LOCK);
2584 }
2585
2586 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2587                               unsigned long arg)
2588 {
2589         int err = 0;
2590
2591         switch (cmd) {
2592                 case F_SETFL:
2593                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2594                                 err = -EINVAL;
2595                                 break;
2596                         }
2597
2598                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2599                                 err = file_has_perm(current, file,FILE__WRITE);
2600                                 break;
2601                         }
2602                         /* fall through */
2603                 case F_SETOWN:
2604                 case F_SETSIG:
2605                 case F_GETFL:
2606                 case F_GETOWN:
2607                 case F_GETSIG:
2608                         /* Just check FD__USE permission */
2609                         err = file_has_perm(current, file, 0);
2610                         break;
2611                 case F_GETLK:
2612                 case F_SETLK:
2613                 case F_SETLKW:
2614 #if BITS_PER_LONG == 32
2615                 case F_GETLK64:
2616                 case F_SETLK64:
2617                 case F_SETLKW64:
2618 #endif
2619                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2620                                 err = -EINVAL;
2621                                 break;
2622                         }
2623                         err = file_has_perm(current, file, FILE__LOCK);
2624                         break;
2625         }
2626
2627         return err;
2628 }
2629
2630 static int selinux_file_set_fowner(struct file *file)
2631 {
2632         struct task_security_struct *tsec;
2633         struct file_security_struct *fsec;
2634
2635         tsec = current->security;
2636         fsec = file->f_security;
2637         fsec->fown_sid = tsec->sid;
2638
2639         return 0;
2640 }
2641
2642 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2643                                        struct fown_struct *fown, int signum)
2644 {
2645         struct file *file;
2646         u32 perm;
2647         struct task_security_struct *tsec;
2648         struct file_security_struct *fsec;
2649
2650         /* struct fown_struct is never outside the context of a struct file */
2651         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2652
2653         tsec = tsk->security;
2654         fsec = file->f_security;
2655
2656         if (!signum)
2657                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2658         else
2659                 perm = signal_to_av(signum);
2660
2661         return avc_has_perm(fsec->fown_sid, tsec->sid,
2662                             SECCLASS_PROCESS, perm, NULL);
2663 }
2664
2665 static int selinux_file_receive(struct file *file)
2666 {
2667         return file_has_perm(current, file, file_to_av(file));
2668 }
2669
2670 /* task security operations */
2671
2672 static int selinux_task_create(unsigned long clone_flags)
2673 {
2674         int rc;
2675
2676         rc = secondary_ops->task_create(clone_flags);
2677         if (rc)
2678                 return rc;
2679
2680         return task_has_perm(current, current, PROCESS__FORK);
2681 }
2682
2683 static int selinux_task_alloc_security(struct task_struct *tsk)
2684 {
2685         struct task_security_struct *tsec1, *tsec2;
2686         int rc;
2687
2688         tsec1 = current->security;
2689
2690         rc = task_alloc_security(tsk);
2691         if (rc)
2692                 return rc;
2693         tsec2 = tsk->security;
2694
2695         tsec2->osid = tsec1->osid;
2696         tsec2->sid = tsec1->sid;
2697
2698         /* Retain the exec and create SIDs across fork */
2699         tsec2->exec_sid = tsec1->exec_sid;
2700         tsec2->create_sid = tsec1->create_sid;
2701
2702         /* Retain ptracer SID across fork, if any.
2703            This will be reset by the ptrace hook upon any
2704            subsequent ptrace_attach operations. */
2705         tsec2->ptrace_sid = tsec1->ptrace_sid;
2706
2707         return 0;
2708 }
2709
2710 static void selinux_task_free_security(struct task_struct *tsk)
2711 {
2712         task_free_security(tsk);
2713 }
2714
2715 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2716 {
2717         /* Since setuid only affects the current process, and
2718            since the SELinux controls are not based on the Linux
2719            identity attributes, SELinux does not need to control
2720            this operation.  However, SELinux does control the use
2721            of the CAP_SETUID and CAP_SETGID capabilities using the
2722            capable hook. */
2723         return 0;
2724 }
2725
2726 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2727 {
2728         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2729 }
2730
2731 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2732 {
2733         /* See the comment for setuid above. */
2734         return 0;
2735 }
2736
2737 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2738 {
2739         return task_has_perm(current, p, PROCESS__SETPGID);
2740 }
2741
2742 static int selinux_task_getpgid(struct task_struct *p)
2743 {
2744         return task_has_perm(current, p, PROCESS__GETPGID);
2745 }
2746
2747 static int selinux_task_getsid(struct task_struct *p)
2748 {
2749         return task_has_perm(current, p, PROCESS__GETSESSION);
2750 }
2751
2752 static int selinux_task_setgroups(struct group_info *group_info)
2753 {
2754         /* See the comment for setuid above. */
2755         return 0;
2756 }
2757
2758 static int selinux_task_setnice(struct task_struct *p, int nice)
2759 {
2760         int rc;
2761
2762         rc = secondary_ops->task_setnice(p, nice);
2763         if (rc)
2764                 return rc;
2765
2766         return task_has_perm(current,p, PROCESS__SETSCHED);
2767 }
2768
2769 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2770 {
2771         struct rlimit *old_rlim = current->signal->rlim + resource;
2772         int rc;
2773
2774         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2775         if (rc)
2776                 return rc;
2777
2778         /* Control the ability to change the hard limit (whether
2779            lowering or raising it), so that the hard limit can
2780            later be used as a safe reset point for the soft limit
2781            upon context transitions. See selinux_bprm_apply_creds. */
2782         if (old_rlim->rlim_max != new_rlim->rlim_max)
2783                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2784
2785         return 0;
2786 }
2787
2788 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2789 {
2790         return task_has_perm(current, p, PROCESS__SETSCHED);
2791 }
2792
2793 static int selinux_task_getscheduler(struct task_struct *p)
2794 {
2795         return task_has_perm(current, p, PROCESS__GETSCHED);
2796 }
2797
2798 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2799 {
2800         u32 perm;
2801         int rc;
2802
2803         rc = secondary_ops->task_kill(p, info, sig);
2804         if (rc)
2805                 return rc;
2806
2807         if (info && ((unsigned long)info == 1 ||
2808                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2809                 return 0;
2810
2811         if (!sig)
2812                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2813         else
2814                 perm = signal_to_av(sig);
2815
2816         return task_has_perm(current, p, perm);
2817 }
2818
2819 static int selinux_task_prctl(int option,
2820                               unsigned long arg2,
2821                               unsigned long arg3,
2822                               unsigned long arg4,
2823                               unsigned long arg5)
2824 {
2825         /* The current prctl operations do not appear to require
2826            any SELinux controls since they merely observe or modify
2827            the state of the current process. */
2828         return 0;
2829 }
2830
2831 static int selinux_task_wait(struct task_struct *p)
2832 {
2833         u32 perm;
2834
2835         perm = signal_to_av(p->exit_signal);
2836
2837         return task_has_perm(p, current, perm);
2838 }
2839
2840 static void selinux_task_reparent_to_init(struct task_struct *p)
2841 {
2842         struct task_security_struct *tsec;
2843
2844         secondary_ops->task_reparent_to_init(p);
2845
2846         tsec = p->security;
2847         tsec->osid = tsec->sid;
2848         tsec->sid = SECINITSID_KERNEL;
2849         return;
2850 }
2851
2852 static void selinux_task_to_inode(struct task_struct *p,
2853                                   struct inode *inode)
2854 {
2855         struct task_security_struct *tsec = p->security;
2856         struct inode_security_struct *isec = inode->i_security;
2857
2858         isec->sid = tsec->sid;
2859         isec->initialized = 1;
2860         return;
2861 }
2862
2863 #ifdef CONFIG_SECURITY_NETWORK
2864
2865 /* Returns error only if unable to parse addresses */
2866 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2867 {
2868         int offset, ihlen, ret = -EINVAL;
2869         struct iphdr _iph, *ih;
2870
2871         offset = skb->nh.raw - skb->data;
2872         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2873         if (ih == NULL)
2874                 goto out;
2875
2876         ihlen = ih->ihl * 4;
2877         if (ihlen < sizeof(_iph))
2878                 goto out;
2879
2880         ad->u.net.v4info.saddr = ih->saddr;
2881         ad->u.net.v4info.daddr = ih->daddr;
2882         ret = 0;
2883
2884         switch (ih->protocol) {
2885         case IPPROTO_TCP: {
2886                 struct tcphdr _tcph, *th;
2887
2888                 if (ntohs(ih->frag_off) & IP_OFFSET)
2889                         break;
2890
2891                 offset += ihlen;
2892                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2893                 if (th == NULL)
2894                         break;
2895
2896                 ad->u.net.sport = th->source;
2897                 ad->u.net.dport = th->dest;
2898                 break;
2899         }
2900         
2901         case IPPROTO_UDP: {
2902                 struct udphdr _udph, *uh;
2903                 
2904                 if (ntohs(ih->frag_off) & IP_OFFSET)
2905                         break;
2906                         
2907                 offset += ihlen;
2908                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2909                 if (uh == NULL)
2910                         break;  
2911
2912                 ad->u.net.sport = uh->source;
2913                 ad->u.net.dport = uh->dest;
2914                 break;
2915         }
2916
2917         default:
2918                 break;
2919         }
2920 out:
2921         return ret;
2922 }
2923
2924 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2925
2926 /* Returns error only if unable to parse addresses */
2927 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2928 {
2929         u8 nexthdr;
2930         int ret = -EINVAL, offset;
2931         struct ipv6hdr _ipv6h, *ip6;
2932
2933         offset = skb->nh.raw - skb->data;
2934         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2935         if (ip6 == NULL)
2936                 goto out;
2937
2938         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2939         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2940         ret = 0;
2941
2942         nexthdr = ip6->nexthdr;
2943         offset += sizeof(_ipv6h);
2944         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2945         if (offset < 0)
2946                 goto out;
2947
2948         switch (nexthdr) {
2949         case IPPROTO_TCP: {
2950                 struct tcphdr _tcph, *th;
2951
2952                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2953                 if (th == NULL)
2954                         break;
2955
2956                 ad->u.net.sport = th->source;
2957                 ad->u.net.dport = th->dest;
2958                 break;
2959         }
2960
2961         case IPPROTO_UDP: {
2962                 struct udphdr _udph, *uh;
2963
2964                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2965                 if (uh == NULL)
2966                         break;
2967
2968                 ad->u.net.sport = uh->source;
2969                 ad->u.net.dport = uh->dest;
2970                 break;
2971         }
2972
2973         /* includes fragments */
2974         default:
2975                 break;
2976         }
2977 out:
2978         return ret;
2979 }
2980
2981 #endif /* IPV6 */
2982
2983 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2984                              char **addrp, int *len, int src)
2985 {
2986         int ret = 0;
2987
2988         switch (ad->u.net.family) {
2989         case PF_INET:
2990                 ret = selinux_parse_skb_ipv4(skb, ad);
2991                 if (ret || !addrp)
2992                         break;
2993                 *len = 4;
2994                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2995                                         &ad->u.net.v4info.daddr);
2996                 break;
2997
2998 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2999         case PF_INET6:
3000                 ret = selinux_parse_skb_ipv6(skb, ad);
3001                 if (ret || !addrp)
3002                         break;
3003                 *len = 16;
3004                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3005                                         &ad->u.net.v6info.daddr);
3006                 break;
3007 #endif  /* IPV6 */
3008         default:
3009                 break;
3010         }
3011
3012         return ret;
3013 }
3014
3015 /* socket security operations */
3016 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3017                            u32 perms)
3018 {
3019         struct inode_security_struct *isec;
3020         struct task_security_struct *tsec;
3021         struct avc_audit_data ad;
3022         int err = 0;
3023
3024         tsec = task->security;
3025         isec = SOCK_INODE(sock)->i_security;
3026
3027         if (isec->sid == SECINITSID_KERNEL)
3028                 goto out;
3029
3030         AVC_AUDIT_DATA_INIT(&ad,NET);
3031         ad.u.net.sk = sock->sk;
3032         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3033
3034 out:
3035         return err;
3036 }
3037
3038 static int selinux_socket_create(int family, int type,
3039                                  int protocol, int kern)
3040 {
3041         int err = 0;
3042         struct task_security_struct *tsec;
3043
3044         if (kern)
3045                 goto out;
3046
3047         tsec = current->security;
3048         err = avc_has_perm(tsec->sid, tsec->sid,
3049                            socket_type_to_security_class(family, type,
3050                            protocol), SOCKET__CREATE, NULL);
3051
3052 out:
3053         return err;
3054 }
3055
3056 static void selinux_socket_post_create(struct socket *sock, int family,
3057                                        int type, int protocol, int kern)
3058 {
3059         struct inode_security_struct *isec;
3060         struct task_security_struct *tsec;
3061
3062         isec = SOCK_INODE(sock)->i_security;
3063
3064         tsec = current->security;
3065         isec->sclass = socket_type_to_security_class(family, type, protocol);
3066         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
3067         isec->initialized = 1;
3068
3069         return;
3070 }
3071
3072 /* Range of port numbers used to automatically bind.
3073    Need to determine whether we should perform a name_bind
3074    permission check between the socket and the port number. */
3075 #define ip_local_port_range_0 sysctl_local_port_range[0]
3076 #define ip_local_port_range_1 sysctl_local_port_range[1]
3077
3078 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3079 {
3080         u16 family;
3081         int err;
3082
3083         err = socket_has_perm(current, sock, SOCKET__BIND);
3084         if (err)
3085                 goto out;
3086
3087         /*
3088          * If PF_INET or PF_INET6, check name_bind permission for the port.
3089          */
3090         family = sock->sk->sk_family;
3091         if (family == PF_INET || family == PF_INET6) {
3092                 char *addrp;
3093                 struct inode_security_struct *isec;
3094                 struct task_security_struct *tsec;
3095                 struct avc_audit_data ad;
3096                 struct sockaddr_in *addr4 = NULL;
3097                 struct sockaddr_in6 *addr6 = NULL;
3098                 unsigned short snum;
3099                 struct sock *sk = sock->sk;
3100                 u32 sid, node_perm, addrlen;
3101
3102                 tsec = current->security;
3103                 isec = SOCK_INODE(sock)->i_security;
3104
3105                 if (family == PF_INET) {
3106                         addr4 = (struct sockaddr_in *)address;
3107                         snum = ntohs(addr4->sin_port);
3108                         addrlen = sizeof(addr4->sin_addr.s_addr);
3109                         addrp = (char *)&addr4->sin_addr.s_addr;
3110                 } else {
3111                         addr6 = (struct sockaddr_in6 *)address;
3112                         snum = ntohs(addr6->sin6_port);
3113                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3114                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3115                 }
3116
3117                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3118                            snum > ip_local_port_range_1)) {
3119                         err = security_port_sid(sk->sk_family, sk->sk_type,
3120                                                 sk->sk_protocol, snum, &sid);
3121                         if (err)
3122                                 goto out;
3123                         AVC_AUDIT_DATA_INIT(&ad,NET);
3124                         ad.u.net.sport = htons(snum);
3125                         ad.u.net.family = family;
3126                         err = avc_has_perm(isec->sid, sid,
3127                                            isec->sclass,
3128                                            SOCKET__NAME_BIND, &ad);
3129                         if (err)
3130                                 goto out;
3131                 }
3132                 
3133                 switch(sk->sk_protocol) {
3134                 case IPPROTO_TCP:
3135                         node_perm = TCP_SOCKET__NODE_BIND;
3136                         break;
3137                         
3138                 case IPPROTO_UDP:
3139                         node_perm = UDP_SOCKET__NODE_BIND;
3140                         break;
3141                         
3142                 default:
3143                         node_perm = RAWIP_SOCKET__NODE_BIND;
3144                         break;
3145                 }
3146                 
3147                 err = security_node_sid(family, addrp, addrlen, &sid);
3148                 if (err)
3149                         goto out;
3150                 
3151                 AVC_AUDIT_DATA_INIT(&ad,NET);
3152                 ad.u.net.sport = htons(snum);
3153                 ad.u.net.family = family;
3154
3155                 if (family == PF_INET)
3156                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3157                 else
3158                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3159
3160                 err = avc_has_perm(isec->sid, sid,
3161                                    isec->sclass, node_perm, &ad);
3162                 if (err)
3163                         goto out;
3164         }
3165 out:
3166         return err;
3167 }
3168
3169 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3170 {
3171         struct inode_security_struct *isec;
3172         int err;
3173
3174         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3175         if (err)
3176                 return err;
3177
3178         /*
3179          * If a TCP socket, check name_connect permission for the port.
3180          */
3181         isec = SOCK_INODE(sock)->i_security;
3182         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3183                 struct sock *sk = sock->sk;
3184                 struct avc_audit_data ad;
3185                 struct sockaddr_in *addr4 = NULL;
3186                 struct sockaddr_in6 *addr6 = NULL;
3187                 unsigned short snum;
3188                 u32 sid;
3189
3190                 if (sk->sk_family == PF_INET) {
3191                         addr4 = (struct sockaddr_in *)address;
3192                         if (addrlen < sizeof(struct sockaddr_in))
3193                                 return -EINVAL;
3194                         snum = ntohs(addr4->sin_port);
3195                 } else {
3196                         addr6 = (struct sockaddr_in6 *)address;
3197                         if (addrlen < SIN6_LEN_RFC2133)
3198                                 return -EINVAL;
3199                         snum = ntohs(addr6->sin6_port);
3200                 }
3201
3202                 err = security_port_sid(sk->sk_family, sk->sk_type,
3203                                         sk->sk_protocol, snum, &sid);
3204                 if (err)
3205                         goto out;
3206
3207                 AVC_AUDIT_DATA_INIT(&ad,NET);
3208                 ad.u.net.dport = htons(snum);
3209                 ad.u.net.family = sk->sk_family;
3210                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3211                                    TCP_SOCKET__NAME_CONNECT, &ad);
3212                 if (err)
3213                         goto out;
3214         }
3215
3216 out:
3217         return err;
3218 }
3219
3220 static int selinux_socket_listen(struct socket *sock, int backlog)
3221 {
3222         return socket_has_perm(current, sock, SOCKET__LISTEN);
3223 }
3224
3225 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3226 {
3227         int err;
3228         struct inode_security_struct *isec;
3229         struct inode_security_struct *newisec;
3230
3231         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3232         if (err)
3233                 return err;
3234
3235         newisec = SOCK_INODE(newsock)->i_security;
3236
3237         isec = SOCK_INODE(sock)->i_security;
3238         newisec->sclass = isec->sclass;
3239         newisec->sid = isec->sid;
3240         newisec->initialized = 1;
3241
3242         return 0;
3243 }
3244
3245 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3246                                   int size)
3247 {
3248         return socket_has_perm(current, sock, SOCKET__WRITE);
3249 }
3250
3251 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3252                                   int size, int flags)
3253 {
3254         return socket_has_perm(current, sock, SOCKET__READ);
3255 }
3256
3257 static int selinux_socket_getsockname(struct socket *sock)
3258 {
3259         return socket_has_perm(current, sock, SOCKET__GETATTR);
3260 }
3261
3262 static int selinux_socket_getpeername(struct socket *sock)
3263 {
3264         return socket_has_perm(current, sock, SOCKET__GETATTR);
3265 }
3266
3267 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3268 {
3269         return socket_has_perm(current, sock, SOCKET__SETOPT);
3270 }
3271
3272 static int selinux_socket_getsockopt(struct socket *sock, int level,
3273                                      int optname)
3274 {
3275         return socket_has_perm(current, sock, SOCKET__GETOPT);
3276 }
3277
3278 static int selinux_socket_shutdown(struct socket *sock, int how)
3279 {
3280         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3281 }
3282
3283 static int selinux_socket_unix_stream_connect(struct socket *sock,
3284                                               struct socket *other,
3285                                               struct sock *newsk)
3286 {
3287         struct sk_security_struct *ssec;
3288         struct inode_security_struct *isec;
3289         struct inode_security_struct *other_isec;
3290         struct avc_audit_data ad;
3291         int err;
3292
3293         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3294         if (err)
3295                 return err;
3296
3297         isec = SOCK_INODE(sock)->i_security;
3298         other_isec = SOCK_INODE(other)->i_security;
3299
3300         AVC_AUDIT_DATA_INIT(&ad,NET);
3301         ad.u.net.sk = other->sk;
3302
3303         err = avc_has_perm(isec->sid, other_isec->sid,
3304                            isec->sclass,
3305                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3306         if (err)
3307                 return err;
3308
3309         /* connecting socket */
3310         ssec = sock->sk->sk_security;
3311         ssec->peer_sid = other_isec->sid;
3312         
3313         /* server child socket */
3314         ssec = newsk->sk_security;
3315         ssec->peer_sid = isec->sid;
3316         
3317         return 0;
3318 }
3319
3320 static int selinux_socket_unix_may_send(struct socket *sock,
3321                                         struct socket *other)
3322 {
3323         struct inode_security_struct *isec;
3324         struct inode_security_struct *other_isec;
3325         struct avc_audit_data ad;
3326         int err;
3327
3328         isec = SOCK_INODE(sock)->i_security;
3329         other_isec = SOCK_INODE(other)->i_security;
3330
3331         AVC_AUDIT_DATA_INIT(&ad,NET);
3332         ad.u.net.sk = other->sk;
3333
3334         err = avc_has_perm(isec->sid, other_isec->sid,
3335                            isec->sclass, SOCKET__SENDTO, &ad);
3336         if (err)
3337                 return err;
3338
3339         return 0;
3340 }
3341
3342 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3343 {
3344         u16 family;
3345         char *addrp;
3346         int len, err = 0;
3347         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3348         u32 sock_sid = 0;
3349         u16 sock_class = 0;
3350         struct socket *sock;
3351         struct net_device *dev;
3352         struct avc_audit_data ad;
3353
3354         family = sk->sk_family;
3355         if (family != PF_INET && family != PF_INET6)
3356                 goto out;
3357
3358         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3359         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3360                 family = PF_INET;
3361
3362         read_lock_bh(&sk->sk_callback_lock);
3363         sock = sk->sk_socket;
3364         if (sock) {
3365                 struct inode *inode;
3366                 inode = SOCK_INODE(sock);
3367                 if (inode) {
3368                         struct inode_security_struct *isec;
3369                         isec = inode->i_security;
3370                         sock_sid = isec->sid;
3371                         sock_class = isec->sclass;
3372                 }
3373         }
3374         read_unlock_bh(&sk->sk_callback_lock);
3375         if (!sock_sid)
3376                 goto out;
3377
3378         dev = skb->dev;
3379         if (!dev)
3380                 goto out;
3381
3382         err = sel_netif_sids(dev, &if_sid, NULL);
3383         if (err)
3384                 goto out;
3385
3386         switch (sock_class) {
3387         case SECCLASS_UDP_SOCKET:
3388                 netif_perm = NETIF__UDP_RECV;
3389                 node_perm = NODE__UDP_RECV;
3390                 recv_perm = UDP_SOCKET__RECV_MSG;
3391                 break;
3392         
3393         case SECCLASS_TCP_SOCKET:
3394                 netif_perm = NETIF__TCP_RECV;
3395                 node_perm = NODE__TCP_RECV;
3396                 recv_perm = TCP_SOCKET__RECV_MSG;
3397                 break;
3398         
3399         default:
3400                 netif_perm = NETIF__RAWIP_RECV;
3401                 node_perm = NODE__RAWIP_RECV;
3402                 break;
3403         }
3404
3405         AVC_AUDIT_DATA_INIT(&ad, NET);
3406         ad.u.net.netif = dev->name;
3407         ad.u.net.family = family;
3408
3409         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3410         if (err)
3411                 goto out;
3412
3413         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3414         if (err)
3415                 goto out;
3416         
3417         /* Fixme: this lookup is inefficient */
3418         err = security_node_sid(family, addrp, len, &node_sid);
3419         if (err)
3420                 goto out;
3421         
3422         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3423         if (err)
3424                 goto out;
3425
3426         if (recv_perm) {
3427                 u32 port_sid;
3428
3429                 /* Fixme: make this more efficient */
3430                 err = security_port_sid(sk->sk_family, sk->sk_type,
3431                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3432                                         &port_sid);
3433                 if (err)
3434                         goto out;
3435
3436                 err = avc_has_perm(sock_sid, port_sid,
3437                                    sock_class, recv_perm, &ad);
3438         }
3439 out:    
3440         return err;
3441 }
3442
3443 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3444                                      int __user *optlen, unsigned len)
3445 {
3446         int err = 0;
3447         char *scontext;
3448         u32 scontext_len;
3449         struct sk_security_struct *ssec;
3450         struct inode_security_struct *isec;
3451
3452         isec = SOCK_INODE(sock)->i_security;
3453         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3454                 err = -ENOPROTOOPT;
3455                 goto out;
3456         }
3457
3458         ssec = sock->sk->sk_security;
3459         
3460         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3461         if (err)
3462                 goto out;
3463
3464         if (scontext_len > len) {
3465                 err = -ERANGE;
3466                 goto out_len;
3467         }
3468
3469         if (copy_to_user(optval, scontext, scontext_len))
3470                 err = -EFAULT;
3471
3472 out_len:
3473         if (put_user(scontext_len, optlen))
3474                 err = -EFAULT;
3475
3476         kfree(scontext);
3477 out:    
3478         return err;
3479 }
3480
3481 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3482 {
3483         return sk_alloc_security(sk, family, priority);
3484 }
3485
3486 static void selinux_sk_free_security(struct sock *sk)
3487 {
3488         sk_free_security(sk);
3489 }
3490
3491 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3492 {
3493         int err = 0;
3494         u32 perm;
3495         struct nlmsghdr *nlh;
3496         struct socket *sock = sk->sk_socket;
3497         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3498         
3499         if (skb->len < NLMSG_SPACE(0)) {
3500                 err = -EINVAL;
3501                 goto out;
3502         }
3503         nlh = (struct nlmsghdr *)skb->data;
3504         
3505         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3506         if (err) {
3507                 if (err == -EINVAL) {
3508                         audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3509                                   "SELinux:  unrecognized netlink message"
3510                                   " type=%hu for sclass=%hu\n",
3511                                   nlh->nlmsg_type, isec->sclass);
3512                         if (!selinux_enforcing)
3513                                 err = 0;
3514                 }
3515
3516                 /* Ignore */
3517                 if (err == -ENOENT)
3518                         err = 0;
3519                 goto out;
3520         }
3521
3522         err = socket_has_perm(current, sock, perm);
3523 out:
3524         return err;
3525 }
3526
3527 #ifdef CONFIG_NETFILTER
3528
3529 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3530                                               struct sk_buff **pskb,
3531                                               const struct net_device *in,
3532                                               const struct net_device *out,
3533                                               int (*okfn)(struct sk_buff *),
3534                                               u16 family)
3535 {
3536         char *addrp;
3537         int len, err = NF_ACCEPT;
3538         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3539         struct sock *sk;
3540         struct socket *sock;
3541         struct inode *inode;
3542         struct sk_buff *skb = *pskb;
3543         struct inode_security_struct *isec;
3544         struct avc_audit_data ad;
3545         struct net_device *dev = (struct net_device *)out;
3546         
3547         sk = skb->sk;
3548         if (!sk)
3549                 goto out;
3550                 
3551         sock = sk->sk_socket;
3552         if (!sock)
3553                 goto out;
3554                 
3555         inode = SOCK_INODE(sock);
3556         if (!inode)
3557                 goto out;
3558
3559         err = sel_netif_sids(dev, &if_sid, NULL);
3560         if (err)
3561                 goto out;
3562
3563         isec = inode->i_security;
3564         
3565         switch (isec->sclass) {
3566         case SECCLASS_UDP_SOCKET:
3567                 netif_perm = NETIF__UDP_SEND;
3568                 node_perm = NODE__UDP_SEND;
3569                 send_perm = UDP_SOCKET__SEND_MSG;
3570                 break;
3571         
3572         case SECCLASS_TCP_SOCKET:
3573                 netif_perm = NETIF__TCP_SEND;
3574                 node_perm = NODE__TCP_SEND;
3575                 send_perm = TCP_SOCKET__SEND_MSG;
3576                 break;
3577         
3578         default:
3579                 netif_perm = NETIF__RAWIP_SEND;
3580                 node_perm = NODE__RAWIP_SEND;
3581                 break;
3582         }
3583
3584
3585         AVC_AUDIT_DATA_INIT(&ad, NET);
3586         ad.u.net.netif = dev->name;
3587         ad.u.net.family = family;
3588
3589         err = selinux_parse_skb(skb, &ad, &addrp,
3590                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3591         if (err != NF_ACCEPT)
3592                 goto out;
3593
3594         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3595                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3596         if (err != NF_ACCEPT)
3597                 goto out;
3598                 
3599         /* Fixme: this lookup is inefficient */
3600         err = security_node_sid(family, addrp, len,
3601                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3602         if (err != NF_ACCEPT)
3603                 goto out;
3604         
3605         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3606                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3607         if (err != NF_ACCEPT)
3608                 goto out;
3609
3610         if (send_perm) {
3611                 u32 port_sid;
3612                 
3613                 /* Fixme: make this more efficient */
3614                 err = security_port_sid(sk->sk_family,
3615                                         sk->sk_type,
3616                                         sk->sk_protocol,
3617                                         ntohs(ad.u.net.dport),
3618                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3619                 if (err != NF_ACCEPT)
3620                         goto out;
3621
3622                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3623                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3624         }
3625
3626 out:
3627         return err;
3628 }
3629
3630 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3631                                                 struct sk_buff **pskb,
3632                                                 const struct net_device *in,
3633                                                 const struct net_device *out,
3634                                                 int (*okfn)(struct sk_buff *))
3635 {
3636         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3637 }
3638
3639 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3640
3641 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3642                                                 struct sk_buff **pskb,
3643                                                 const struct net_device *in,
3644                                                 const struct net_device *out,
3645                                                 int (*okfn)(struct sk_buff *))
3646 {
3647         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3648 }
3649
3650 #endif  /* IPV6 */
3651
3652 #endif  /* CONFIG_NETFILTER */
3653
3654 #else
3655
3656 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3657 {
3658         return 0;
3659 }
3660
3661 #endif  /* CONFIG_SECURITY_NETWORK */
3662
3663 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3664 {
3665         struct task_security_struct *tsec;
3666         struct av_decision avd;
3667         int err;
3668
3669         err = secondary_ops->netlink_send(sk, skb);
3670         if (err)
3671                 return err;
3672
3673         tsec = current->security;
3674
3675         avd.allowed = 0;
3676         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3677                                 SECCLASS_CAPABILITY, ~0, &avd);
3678         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3679
3680         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3681                 err = selinux_nlmsg_perm(sk, skb);
3682
3683         return err;
3684 }
3685
3686 static int selinux_netlink_recv(struct sk_buff *skb)
3687 {
3688         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3689                 return -EPERM;
3690         return 0;
3691 }
3692
3693 static int ipc_alloc_security(struct task_struct *task,
3694                               struct kern_ipc_perm *perm,
3695                               u16 sclass)
3696 {
3697         struct task_security_struct *tsec = task->security;
3698         struct ipc_security_struct *isec;
3699
3700         isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3701         if (!isec)
3702                 return -ENOMEM;
3703
3704         memset(isec, 0, sizeof(struct ipc_security_struct));
3705         isec->magic = SELINUX_MAGIC;
3706         isec->sclass = sclass;
3707         isec->ipc_perm = perm;
3708         if (tsec) {
3709                 isec->sid = tsec->sid;
3710         } else {
3711                 isec->sid = SECINITSID_UNLABELED;
3712         }
3713         perm->security = isec;
3714
3715         return 0;
3716 }
3717
3718 static void ipc_free_security(struct kern_ipc_perm *perm)
3719 {
3720         struct ipc_security_struct *isec = perm->security;
3721         if (!isec || isec->magic != SELINUX_MAGIC)
3722                 return;
3723
3724         perm->security = NULL;
3725         kfree(isec);
3726 }
3727
3728 static int msg_msg_alloc_security(struct msg_msg *msg)
3729 {
3730         struct msg_security_struct *msec;
3731
3732         msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3733         if (!msec)
3734                 return -ENOMEM;
3735
3736         memset(msec, 0, sizeof(struct msg_security_struct));
3737         msec->magic = SELINUX_MAGIC;
3738         msec->msg = msg;
3739         msec->sid = SECINITSID_UNLABELED;
3740         msg->security = msec;
3741
3742         return 0;
3743 }
3744
3745 static void msg_msg_free_security(struct msg_msg *msg)
3746 {
3747         struct msg_security_struct *msec = msg->security;
3748         if (!msec || msec->magic != SELINUX_MAGIC)
3749                 return;
3750
3751         msg->security = NULL;
3752         kfree(msec);
3753 }
3754
3755 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3756                         u32 perms)
3757 {
3758         struct task_security_struct *tsec;
3759         struct ipc_security_struct *isec;
3760         struct avc_audit_data ad;
3761
3762         tsec = current->security;
3763         isec = ipc_perms->security;
3764
3765         AVC_AUDIT_DATA_INIT(&ad, IPC);
3766         ad.u.ipc_id = ipc_perms->key;
3767
3768         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3769 }
3770
3771 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3772 {
3773         return msg_msg_alloc_security(msg);
3774 }
3775
3776 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3777 {
3778         msg_msg_free_security(msg);
3779 }
3780
3781 /* message queue security operations */
3782 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3783 {
3784         struct task_security_struct *tsec;
3785         struct ipc_security_struct *isec;
3786         struct avc_audit_data ad;
3787         int rc;
3788
3789         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3790         if (rc)
3791                 return rc;
3792
3793         tsec = current->security;
3794         isec = msq->q_perm.security;
3795
3796         AVC_AUDIT_DATA_INIT(&ad, IPC);
3797         ad.u.ipc_id = msq->q_perm.key;
3798
3799         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3800                           MSGQ__CREATE, &ad);
3801         if (rc) {
3802                 ipc_free_security(&msq->q_perm);
3803                 return rc;
3804         }
3805         return 0;
3806 }
3807
3808 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3809 {
3810         ipc_free_security(&msq->q_perm);
3811 }
3812
3813 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3814 {
3815         struct task_security_struct *tsec;
3816         struct ipc_security_struct *isec;
3817         struct avc_audit_data ad;
3818
3819         tsec = current->security;
3820         isec = msq->q_perm.security;
3821
3822         AVC_AUDIT_DATA_INIT(&ad, IPC);
3823         ad.u.ipc_id = msq->q_perm.key;
3824
3825         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3826                             MSGQ__ASSOCIATE, &ad);
3827 }
3828
3829 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3830 {
3831         int err;
3832         int perms;
3833
3834         switch(cmd) {
3835         case IPC_INFO:
3836         case MSG_INFO:
3837                 /* No specific object, just general system-wide information. */
3838                 return task_has_system(current, SYSTEM__IPC_INFO);
3839         case IPC_STAT:
3840         case MSG_STAT:
3841                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3842                 break;
3843         case IPC_SET:
3844                 perms = MSGQ__SETATTR;
3845                 break;
3846         case IPC_RMID:
3847                 perms = MSGQ__DESTROY;
3848                 break;
3849         default:
3850                 return 0;
3851         }
3852
3853         err = ipc_has_perm(&msq->q_perm, perms);
3854         return err;
3855 }
3856
3857 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3858 {
3859         struct task_security_struct *tsec;
3860         struct ipc_security_struct *isec;
3861         struct msg_security_struct *msec;
3862         struct avc_audit_data ad;
3863         int rc;
3864
3865         tsec = current->security;
3866         isec = msq->q_perm.security;
3867         msec = msg->security;
3868
3869         /*
3870          * First time through, need to assign label to the message
3871          */
3872         if (msec->sid == SECINITSID_UNLABELED) {
3873                 /*
3874                  * Compute new sid based on current process and
3875                  * message queue this message will be stored in
3876                  */
3877                 rc = security_transition_sid(tsec->sid,
3878                                              isec->sid,
3879                                              SECCLASS_MSG,
3880                                              &msec->sid);
3881                 if (rc)
3882                         return rc;
3883         }
3884
3885         AVC_AUDIT_DATA_INIT(&ad, IPC);
3886         ad.u.ipc_id = msq->q_perm.key;
3887
3888         /* Can this process write to the queue? */
3889         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3890                           MSGQ__WRITE, &ad);
3891         if (!rc)
3892                 /* Can this process send the message */
3893                 rc = avc_has_perm(tsec->sid, msec->sid,
3894                                   SECCLASS_MSG, MSG__SEND, &ad);
3895         if (!rc)
3896                 /* Can the message be put in the queue? */
3897                 rc = avc_has_perm(msec->sid, isec->sid,
3898                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3899
3900         return rc;
3901 }
3902
3903 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3904                                     struct task_struct *target,
3905                                     long type, int mode)
3906 {
3907         struct task_security_struct *tsec;
3908         struct ipc_security_struct *isec;
3909         struct msg_security_struct *msec;
3910         struct avc_audit_data ad;
3911         int rc;
3912
3913         tsec = target->security;
3914         isec = msq->q_perm.security;
3915         msec = msg->security;
3916
3917         AVC_AUDIT_DATA_INIT(&ad, IPC);
3918         ad.u.ipc_id = msq->q_perm.key;
3919
3920         rc = avc_has_perm(tsec->sid, isec->sid,
3921                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3922         if (!rc)
3923                 rc = avc_has_perm(tsec->sid, msec->sid,
3924                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3925         return rc;
3926 }
3927
3928 /* Shared Memory security operations */
3929 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3930 {
3931         struct task_security_struct *tsec;
3932         struct ipc_security_struct *isec;
3933         struct avc_audit_data ad;
3934         int rc;
3935
3936         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3937         if (rc)
3938                 return rc;
3939
3940         tsec = current->security;
3941         isec = shp->shm_perm.security;
3942
3943         AVC_AUDIT_DATA_INIT(&ad, IPC);
3944         ad.u.ipc_id = shp->shm_perm.key;
3945
3946         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3947                           SHM__CREATE, &ad);
3948         if (rc) {
3949                 ipc_free_security(&shp->shm_perm);
3950                 return rc;
3951         }
3952         return 0;
3953 }
3954
3955 static void selinux_shm_free_security(struct shmid_kernel *shp)
3956 {
3957         ipc_free_security(&shp->shm_perm);
3958 }
3959
3960 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3961 {
3962         struct task_security_struct *tsec;
3963         struct ipc_security_struct *isec;
3964         struct avc_audit_data ad;
3965
3966         tsec = current->security;
3967         isec = shp->shm_perm.security;
3968
3969         AVC_AUDIT_DATA_INIT(&ad, IPC);
3970         ad.u.ipc_id = shp->shm_perm.key;
3971
3972         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3973                             SHM__ASSOCIATE, &ad);
3974 }
3975
3976 /* Note, at this point, shp is locked down */
3977 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3978 {
3979         int perms;
3980         int err;
3981
3982         switch(cmd) {
3983         case IPC_INFO:
3984         case SHM_INFO:
3985                 /* No specific object, just general system-wide information. */
3986                 return task_has_system(current, SYSTEM__IPC_INFO);
3987         case IPC_STAT:
3988         case SHM_STAT:
3989                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3990                 break;
3991         case IPC_SET:
3992                 perms = SHM__SETATTR;
3993                 break;
3994         case SHM_LOCK:
3995         case SHM_UNLOCK:
3996                 perms = SHM__LOCK;
3997                 break;
3998         case IPC_RMID:
3999                 perms = SHM__DESTROY;
4000                 break;
4001         default:
4002                 return 0;
4003         }
4004
4005         err = ipc_has_perm(&shp->shm_perm, perms);
4006         return err;
4007 }
4008
4009 static int selinux_shm_shmat(struct shmid_kernel *shp,
4010                              char __user *shmaddr, int shmflg)
4011 {
4012         u32 perms;
4013         int rc;
4014
4015         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4016         if (rc)
4017                 return rc;
4018
4019         if (shmflg & SHM_RDONLY)
4020                 perms = SHM__READ;
4021         else
4022                 perms = SHM__READ | SHM__WRITE;
4023
4024         return ipc_has_perm(&shp->shm_perm, perms);
4025 }
4026
4027 /* Semaphore security operations */
4028 static int selinux_sem_alloc_security(struct sem_array *sma)
4029 {
4030         struct task_security_struct *tsec;
4031         struct ipc_security_struct *isec;
4032         struct avc_audit_data ad;
4033         int rc;
4034
4035         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4036         if (rc)
4037                 return rc;
4038
4039         tsec = current->security;
4040         isec = sma->sem_perm.security;
4041
4042         AVC_AUDIT_DATA_INIT(&ad, IPC);
4043         ad.u.ipc_id = sma->sem_perm.key;
4044
4045         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4046                           SEM__CREATE, &ad);
4047         if (rc) {
4048                 ipc_free_security(&sma->sem_perm);
4049                 return rc;
4050         }
4051         return 0;
4052 }
4053
4054 static void selinux_sem_free_security(struct sem_array *sma)
4055 {
4056         ipc_free_security(&sma->sem_perm);
4057 }
4058
4059 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4060 {
4061         struct task_security_struct *tsec;
4062         struct ipc_security_struct *isec;
4063         struct avc_audit_data ad;
4064
4065         tsec = current->security;
4066         isec = sma->sem_perm.security;
4067
4068         AVC_AUDIT_DATA_INIT(&ad, IPC);
4069         ad.u.ipc_id = sma->sem_perm.key;
4070
4071         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4072                             SEM__ASSOCIATE, &ad);
4073 }
4074
4075 /* Note, at this point, sma is locked down */
4076 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4077 {
4078         int err;
4079         u32 perms;
4080
4081         switch(cmd) {
4082         case IPC_INFO:
4083         case SEM_INFO:
4084                 /* No specific object, just general system-wide information. */
4085                 return task_has_system(current, SYSTEM__IPC_INFO);
4086         case GETPID:
4087         case GETNCNT:
4088         case GETZCNT:
4089                 perms = SEM__GETATTR;
4090                 break;
4091         case GETVAL:
4092         case GETALL:
4093                 perms = SEM__READ;
4094                 break;
4095         case SETVAL:
4096         case SETALL:
4097                 perms = SEM__WRITE;
4098                 break;
4099         case IPC_RMID:
4100                 perms = SEM__DESTROY;
4101                 break;
4102         case IPC_SET:
4103                 perms = SEM__SETATTR;
4104                 break;
4105         case IPC_STAT:
4106         case SEM_STAT:
4107                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4108                 break;
4109         default:
4110                 return 0;
4111         }
4112
4113         err = ipc_has_perm(&sma->sem_perm, perms);
4114         return err;
4115 }
4116
4117 static int selinux_sem_semop(struct sem_array *sma,
4118                              struct sembuf *sops, unsigned nsops, int alter)
4119 {
4120         u32 perms;
4121
4122         if (alter)
4123                 perms = SEM__READ | SEM__WRITE;
4124         else
4125                 perms = SEM__READ;
4126
4127         return ipc_has_perm(&sma->sem_perm, perms);
4128 }
4129
4130 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4131 {
4132         u32 av = 0;
4133
4134         av = 0;
4135         if (flag & S_IRUGO)
4136                 av |= IPC__UNIX_READ;
4137         if (flag & S_IWUGO)
4138                 av |= IPC__UNIX_WRITE;
4139
4140         if (av == 0)
4141                 return 0;
4142
4143         return ipc_has_perm(ipcp, av);
4144 }
4145
4146 /* module stacking operations */
4147 static int selinux_register_security (const char *name, struct security_operations *ops)
4148 {
4149         if (secondary_ops != original_ops) {
4150                 printk(KERN_INFO "%s:  There is already a secondary security "
4151                        "module registered.\n", __FUNCTION__);
4152                 return -EINVAL;
4153         }
4154
4155         secondary_ops = ops;
4156
4157         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4158                __FUNCTION__,
4159                name);
4160
4161         return 0;
4162 }
4163
4164 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4165 {
4166         if (ops != secondary_ops) {
4167                 printk (KERN_INFO "%s:  trying to unregister a security module "
4168                         "that is not registered.\n", __FUNCTION__);
4169                 return -EINVAL;
4170         }
4171
4172         secondary_ops = original_ops;
4173
4174         return 0;
4175 }
4176
4177 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4178 {
4179         if (inode)
4180                 inode_doinit_with_dentry(inode, dentry);
4181 }
4182
4183 static int selinux_getprocattr(struct task_struct *p,
4184                                char *name, void *value, size_t size)
4185 {
4186         struct task_security_struct *tsec;
4187         u32 sid, len;
4188         char *context;
4189         int error;
4190
4191         if (current != p) {
4192                 error = task_has_perm(current, p, PROCESS__GETATTR);
4193                 if (error)
4194                         return error;
4195         }
4196
4197         if (!size)
4198                 return -ERANGE;
4199
4200         tsec = p->security;
4201
4202         if (!strcmp(name, "current"))
4203                 sid = tsec->sid;
4204         else if (!strcmp(name, "prev"))
4205                 sid = tsec->osid;
4206         else if (!strcmp(name, "exec"))
4207                 sid = tsec->exec_sid;
4208         else if (!strcmp(name, "fscreate"))
4209                 sid = tsec->create_sid;
4210         else
4211                 return -EINVAL;
4212
4213         if (!sid)
4214                 return 0;
4215
4216         error = security_sid_to_context(sid, &context, &len);
4217         if (error)
4218                 return error;
4219         if (len > size) {
4220                 kfree(context);
4221                 return -ERANGE;
4222         }
4223         memcpy(value, context, len);
4224         kfree(context);
4225         return len;
4226 }
4227
4228 static int selinux_setprocattr(struct task_struct *p,
4229                                char *name, void *value, size_t size)
4230 {
4231         struct task_security_struct *tsec;
4232         u32 sid = 0;
4233         int error;
4234         char *str = value;
4235
4236         if (current != p) {
4237                 /* SELinux only allows a process to change its own
4238                    security attributes. */
4239                 return -EACCES;
4240         }
4241
4242         /*
4243          * Basic control over ability to set these attributes at all.
4244          * current == p, but we'll pass them separately in case the
4245          * above restriction is ever removed.
4246          */
4247         if (!strcmp(name, "exec"))
4248                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4249         else if (!strcmp(name, "fscreate"))
4250                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4251         else if (!strcmp(name, "current"))
4252                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4253         else
4254                 error = -EINVAL;
4255         if (error)
4256                 return error;
4257
4258         /* Obtain a SID for the context, if one was specified. */
4259         if (size && str[1] && str[1] != '\n') {
4260                 if (str[size-1] == '\n') {
4261                         str[size-1] = 0;
4262                         size--;
4263                 }
4264                 error = security_context_to_sid(value, size, &sid);
4265                 if (error)
4266                         return error;
4267         }
4268
4269         /* Permission checking based on the specified context is
4270            performed during the actual operation (execve,
4271            open/mkdir/...), when we know the full context of the
4272            operation.  See selinux_bprm_set_security for the execve
4273            checks and may_create for the file creation checks. The
4274            operation will then fail if the context is not permitted. */
4275         tsec = p->security;
4276         if (!strcmp(name, "exec"))
4277                 tsec->exec_sid = sid;
4278         else if (!strcmp(name, "fscreate"))
4279                 tsec->create_sid = sid;
4280         else if (!strcmp(name, "current")) {
4281                 struct av_decision avd;
4282
4283                 if (sid == 0)
4284                         return -EINVAL;
4285
4286                 /* Only allow single threaded processes to change context */
4287                 if (atomic_read(&p->mm->mm_users) != 1) {
4288                         struct task_struct *g, *t;
4289                         struct mm_struct *mm = p->mm;
4290                         read_lock(&tasklist_lock);
4291                         do_each_thread(g, t)
4292                                 if (t->mm == mm && t != p) {
4293                                         read_unlock(&tasklist_lock);
4294                                         return -EPERM;
4295                                 }
4296                         while_each_thread(g, t);
4297                         read_unlock(&tasklist_lock);
4298                 }
4299
4300                 /* Check permissions for the transition. */
4301                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4302                                      PROCESS__DYNTRANSITION, NULL);
4303                 if (error)
4304                         return error;
4305
4306                 /* Check for ptracing, and update the task SID if ok.
4307                    Otherwise, leave SID unchanged and fail. */
4308                 task_lock(p);
4309                 if (p->ptrace & PT_PTRACED) {
4310                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4311                                                      SECCLASS_PROCESS,
4312                                                      PROCESS__PTRACE, &avd);
4313                         if (!error)
4314                                 tsec->sid = sid;
4315                         task_unlock(p);
4316                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4317                                   PROCESS__PTRACE, &avd, error, NULL);
4318                         if (error)
4319                                 return error;
4320                 } else {
4321                         tsec->sid = sid;
4322                         task_unlock(p);
4323                 }
4324         }
4325         else
4326                 return -EINVAL;
4327
4328         return size;
4329 }
4330
4331 static struct security_operations selinux_ops = {
4332         .ptrace =                       selinux_ptrace,
4333         .capget =                       selinux_capget,
4334         .capset_check =                 selinux_capset_check,
4335         .capset_set =                   selinux_capset_set,
4336         .sysctl =                       selinux_sysctl,
4337         .capable =                      selinux_capable,
4338         .quotactl =                     selinux_quotactl,
4339         .quota_on =                     selinux_quota_on,
4340         .syslog =                       selinux_syslog,
4341         .vm_enough_memory =             selinux_vm_enough_memory,
4342
4343         .netlink_send =                 selinux_netlink_send,
4344         .netlink_recv =                 selinux_netlink_recv,
4345
4346         .bprm_alloc_security =          selinux_bprm_alloc_security,
4347         .bprm_free_security =           selinux_bprm_free_security,
4348         .bprm_apply_creds =             selinux_bprm_apply_creds,
4349         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4350         .bprm_set_security =            selinux_bprm_set_security,
4351         .bprm_check_security =          selinux_bprm_check_security,
4352         .bprm_secureexec =              selinux_bprm_secureexec,
4353
4354         .sb_alloc_security =            selinux_sb_alloc_security,
4355         .sb_free_security =             selinux_sb_free_security,
4356         .sb_copy_data =                 selinux_sb_copy_data,
4357         .sb_kern_mount =                selinux_sb_kern_mount,
4358         .sb_statfs =                    selinux_sb_statfs,
4359         .sb_mount =                     selinux_mount,
4360         .sb_umount =                    selinux_umount,
4361
4362         .inode_alloc_security =         selinux_inode_alloc_security,
4363         .inode_free_security =          selinux_inode_free_security,
4364         .inode_init_security =          selinux_inode_init_security,
4365         .inode_create =                 selinux_inode_create,
4366         .inode_post_create =            selinux_inode_post_create,
4367         .inode_link =                   selinux_inode_link,
4368         .inode_post_link =              selinux_inode_post_link,
4369         .inode_unlink =                 selinux_inode_unlink,
4370         .inode_symlink =                selinux_inode_symlink,
4371         .inode_post_symlink =           selinux_inode_post_symlink,
4372         .inode_mkdir =                  selinux_inode_mkdir,
4373         .inode_post_mkdir =             selinux_inode_post_mkdir,
4374         .inode_rmdir =                  selinux_inode_rmdir,
4375         .inode_mknod =                  selinux_inode_mknod,
4376         .inode_post_mknod =             selinux_inode_post_mknod,
4377         .inode_rename =                 selinux_inode_rename,
4378         .inode_post_rename =            selinux_inode_post_rename,
4379         .inode_readlink =               selinux_inode_readlink,
4380         .inode_follow_link =            selinux_inode_follow_link,
4381         .inode_permission =             selinux_inode_permission,
4382         .inode_setattr =                selinux_inode_setattr,
4383         .inode_getattr =                selinux_inode_getattr,
4384         .inode_setxattr =               selinux_inode_setxattr,
4385         .inode_post_setxattr =          selinux_inode_post_setxattr,
4386         .inode_getxattr =               selinux_inode_getxattr,
4387         .inode_listxattr =              selinux_inode_listxattr,
4388         .inode_removexattr =            selinux_inode_removexattr,
4389         .inode_getsecurity =            selinux_inode_getsecurity,
4390         .inode_setsecurity =            selinux_inode_setsecurity,
4391         .inode_listsecurity =           selinux_inode_listsecurity,
4392
4393         .file_permission =              selinux_file_permission,
4394         .file_alloc_security =          selinux_file_alloc_security,
4395         .file_free_security =           selinux_file_free_security,
4396         .file_ioctl =                   selinux_file_ioctl,
4397         .file_mmap =                    selinux_file_mmap,
4398         .file_mprotect =                selinux_file_mprotect,
4399         .file_lock =                    selinux_file_lock,
4400         .file_fcntl =                   selinux_file_fcntl,
4401         .file_set_fowner =              selinux_file_set_fowner,
4402         .file_send_sigiotask =          selinux_file_send_sigiotask,
4403         .file_receive =                 selinux_file_receive,
4404
4405         .task_create =                  selinux_task_create,
4406         .task_alloc_security =          selinux_task_alloc_security,
4407         .task_free_security =           selinux_task_free_security,
4408         .task_setuid =                  selinux_task_setuid,
4409         .task_post_setuid =             selinux_task_post_setuid,
4410         .task_setgid =                  selinux_task_setgid,
4411         .task_setpgid =                 selinux_task_setpgid,
4412         .task_getpgid =                 selinux_task_getpgid,
4413         .task_getsid =                  selinux_task_getsid,
4414         .task_setgroups =               selinux_task_setgroups,
4415         .task_setnice =                 selinux_task_setnice,
4416         .task_setrlimit =               selinux_task_setrlimit,
4417         .task_setscheduler =            selinux_task_setscheduler,
4418         .task_getscheduler =            selinux_task_getscheduler,
4419         .task_kill =                    selinux_task_kill,
4420         .task_wait =                    selinux_task_wait,
4421         .task_prctl =                   selinux_task_prctl,
4422         .task_reparent_to_init =        selinux_task_reparent_to_init,
4423         .task_to_inode =                selinux_task_to_inode,
4424
4425         .ipc_permission =               selinux_ipc_permission,
4426
4427         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4428         .msg_msg_free_security =        selinux_msg_msg_free_security,
4429
4430         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4431         .msg_queue_free_security =      selinux_msg_queue_free_security,
4432         .msg_queue_associate =          selinux_msg_queue_associate,
4433         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4434         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4435         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4436
4437         .shm_alloc_security =           selinux_shm_alloc_security,
4438         .shm_free_security =            selinux_shm_free_security,
4439         .shm_associate =                selinux_shm_associate,
4440         .shm_shmctl =                   selinux_shm_shmctl,
4441         .shm_shmat =                    selinux_shm_shmat,
4442
4443         .sem_alloc_security =           selinux_sem_alloc_security,
4444         .sem_free_security =            selinux_sem_free_security,
4445         .sem_associate =                selinux_sem_associate,
4446         .sem_semctl =                   selinux_sem_semctl,
4447         .sem_semop =                    selinux_sem_semop,
4448
4449         .register_security =            selinux_register_security,
4450         .unregister_security =          selinux_unregister_security,
4451
4452         .d_instantiate =                selinux_d_instantiate,
4453
4454         .getprocattr =                  selinux_getprocattr,
4455         .setprocattr =                  selinux_setprocattr,
4456
4457 #ifdef CONFIG_SECURITY_NETWORK
4458         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4459         .unix_may_send =                selinux_socket_unix_may_send,
4460
4461         .socket_create =                selinux_socket_create,
4462         .socket_post_create =           selinux_socket_post_create,
4463         .socket_bind =                  selinux_socket_bind,
4464         .socket_connect =               selinux_socket_connect,
4465         .socket_listen =                selinux_socket_listen,
4466         .socket_accept =                selinux_socket_accept,
4467         .socket_sendmsg =               selinux_socket_sendmsg,
4468         .socket_recvmsg =               selinux_socket_recvmsg,
4469         .socket_getsockname =           selinux_socket_getsockname,
4470         .socket_getpeername =           selinux_socket_getpeername,
4471         .socket_getsockopt =            selinux_socket_getsockopt,
4472         .socket_setsockopt =            selinux_socket_setsockopt,
4473         .socket_shutdown =              selinux_socket_shutdown,
4474         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4475         .socket_getpeersec =            selinux_socket_getpeersec,
4476         .sk_alloc_security =            selinux_sk_alloc_security,
4477         .sk_free_security =             selinux_sk_free_security,
4478 #endif
4479 };
4480
4481 static __init int selinux_init(void)
4482 {
4483         struct task_security_struct *tsec;
4484
4485         if (!selinux_enabled) {
4486                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4487                 return 0;
4488         }
4489
4490         printk(KERN_INFO "SELinux:  Initializing.\n");
4491
4492         /* Set the security state for the initial task. */
4493         if (task_alloc_security(current))
4494                 panic("SELinux:  Failed to initialize initial task.\n");
4495         tsec = current->security;
4496         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4497
4498         avc_init();
4499
4500         original_ops = secondary_ops = security_ops;
4501         if (!secondary_ops)
4502                 panic ("SELinux: No initial security operations\n");
4503         if (register_security (&selinux_ops))
4504                 panic("SELinux: Unable to register with kernel.\n");
4505
4506         if (selinux_enforcing) {
4507                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4508         } else {
4509                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4510         }
4511         return 0;
4512 }
4513
4514 void selinux_complete_init(void)
4515 {
4516         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4517
4518         /* Set up any superblocks initialized prior to the policy load. */
4519         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4520         spin_lock(&sb_security_lock);
4521 next_sb:
4522         if (!list_empty(&superblock_security_head)) {
4523                 struct superblock_security_struct *sbsec =
4524                                 list_entry(superblock_security_head.next,
4525                                            struct superblock_security_struct,
4526                                            list);
4527                 struct super_block *sb = sbsec->sb;
4528                 spin_lock(&sb_lock);
4529                 sb->s_count++;
4530                 spin_unlock(&sb_lock);
4531                 spin_unlock(&sb_security_lock);
4532                 down_read(&sb->s_umount);
4533                 if (sb->s_root)
4534                         superblock_doinit(sb, NULL);
4535                 drop_super(sb);
4536                 spin_lock(&sb_security_lock);
4537                 list_del_init(&sbsec->list);
4538                 goto next_sb;
4539         }
4540         spin_unlock(&sb_security_lock);
4541 }
4542
4543 /* SELinux requires early initialization in order to label
4544    all processes and objects when they are created. */
4545 security_initcall(selinux_init);
4546
4547 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4548
4549 static struct nf_hook_ops selinux_ipv4_op = {
4550         .hook =         selinux_ipv4_postroute_last,
4551         .owner =        THIS_MODULE,
4552         .pf =           PF_INET,
4553         .hooknum =      NF_IP_POST_ROUTING,
4554         .priority =     NF_IP_PRI_SELINUX_LAST,
4555 };
4556
4557 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4558
4559 static struct nf_hook_ops selinux_ipv6_op = {
4560         .hook =         selinux_ipv6_postroute_last,
4561         .owner =        THIS_MODULE,
4562         .pf =           PF_INET6,
4563         .hooknum =      NF_IP6_POST_ROUTING,
4564         .priority =     NF_IP6_PRI_SELINUX_LAST,
4565 };
4566
4567 #endif  /* IPV6 */
4568
4569 static int __init selinux_nf_ip_init(void)
4570 {
4571         int err = 0;
4572
4573         if (!selinux_enabled)
4574                 goto out;
4575                 
4576         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4577         
4578         err = nf_register_hook(&selinux_ipv4_op);
4579         if (err)
4580                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4581
4582 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4583
4584         err = nf_register_hook(&selinux_ipv6_op);
4585         if (err)
4586                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4587
4588 #endif  /* IPV6 */
4589 out:
4590         return err;
4591 }
4592
4593 __initcall(selinux_nf_ip_init);
4594
4595 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4596 static void selinux_nf_ip_exit(void)
4597 {
4598         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4599
4600         nf_unregister_hook(&selinux_ipv4_op);
4601 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4602         nf_unregister_hook(&selinux_ipv6_op);
4603 #endif  /* IPV6 */
4604 }
4605 #endif
4606
4607 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4608
4609 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4610 #define selinux_nf_ip_exit()
4611 #endif
4612
4613 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4614
4615 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4616 int selinux_disable(void)
4617 {
4618         extern void exit_sel_fs(void);
4619         static int selinux_disabled = 0;
4620
4621         if (ss_initialized) {
4622                 /* Not permitted after initial policy load. */
4623                 return -EINVAL;
4624         }
4625
4626         if (selinux_disabled) {
4627                 /* Only do this once. */
4628                 return -EINVAL;
4629         }
4630
4631         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4632
4633         selinux_disabled = 1;
4634
4635         /* Reset security_ops to the secondary module, dummy or capability. */
4636         security_ops = secondary_ops;
4637
4638         /* Unregister netfilter hooks. */
4639         selinux_nf_ip_exit();
4640
4641         /* Unregister selinuxfs. */
4642         exit_sel_fs();
4643
4644         return 0;
4645 }
4646 #endif
4647
4648