[PATCH] SELinux: add rootcontext= option to label root inode when mounting
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/ptrace.h>
25 #include <linux/errno.h>
26 #include <linux/sched.h>
27 #include <linux/security.h>
28 #include <linux/xattr.h>
29 #include <linux/capability.h>
30 #include <linux/unistd.h>
31 #include <linux/mm.h>
32 #include <linux/mman.h>
33 #include <linux/slab.h>
34 #include <linux/pagemap.h>
35 #include <linux/swap.h>
36 #include <linux/smp_lock.h>
37 #include <linux/spinlock.h>
38 #include <linux/syscalls.h>
39 #include <linux/file.h>
40 #include <linux/namei.h>
41 #include <linux/mount.h>
42 #include <linux/ext2_fs.h>
43 #include <linux/proc_fs.h>
44 #include <linux/kd.h>
45 #include <linux/netfilter_ipv4.h>
46 #include <linux/netfilter_ipv6.h>
47 #include <linux/tty.h>
48 #include <net/icmp.h>
49 #include <net/ip.h>             /* for sysctl_local_port_range[] */
50 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
51 #include <asm/uaccess.h>
52 #include <asm/semaphore.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h>    /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/quota.h>
61 #include <linux/un.h>           /* for Unix socket types */
62 #include <net/af_unix.h>        /* for Unix socket types */
63 #include <linux/parser.h>
64 #include <linux/nfs_mount.h>
65 #include <net/ipv6.h>
66 #include <linux/hugetlb.h>
67 #include <linux/personality.h>
68 #include <linux/sysctl.h>
69 #include <linux/audit.h>
70 #include <linux/string.h>
71 #include <linux/selinux.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
84
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
87
88 static int __init enforcing_setup(char *str)
89 {
90         selinux_enforcing = simple_strtol(str,NULL,0);
91         return 1;
92 }
93 __setup("enforcing=", enforcing_setup);
94 #endif
95
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99 static int __init selinux_enabled_setup(char *str)
100 {
101         selinux_enabled = simple_strtol(str, NULL, 0);
102         return 1;
103 }
104 __setup("selinux=", selinux_enabled_setup);
105 #else
106 int selinux_enabled = 1;
107 #endif
108
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
111
112 /* Minimal support for a secondary security module,
113    just to allow the use of the dummy or capability modules.
114    The owlsm module can alternatively be used as a secondary
115    module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
117
118 /* Lists of inode and superblock security structures initialized
119    before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
122
123 static kmem_cache_t *sel_inode_cache;
124
125 /* Return security context for a given sid or just the context 
126    length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128 {
129         char *context;
130         unsigned len;
131         int rc;
132
133         rc = security_sid_to_context(sid, &context, &len);
134         if (rc)
135                 return rc;
136
137         if (!buffer || !size)
138                 goto getsecurity_exit;
139
140         if (size < len) {
141                 len = -ERANGE;
142                 goto getsecurity_exit;
143         }
144         memcpy(buffer, context, len);
145
146 getsecurity_exit:
147         kfree(context);
148         return len;
149 }
150
151 /* Allocate and free functions for each kind of security blob. */
152
153 static int task_alloc_security(struct task_struct *task)
154 {
155         struct task_security_struct *tsec;
156
157         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158         if (!tsec)
159                 return -ENOMEM;
160
161         tsec->task = task;
162         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163         task->security = tsec;
164
165         return 0;
166 }
167
168 static void task_free_security(struct task_struct *task)
169 {
170         struct task_security_struct *tsec = task->security;
171         task->security = NULL;
172         kfree(tsec);
173 }
174
175 static int inode_alloc_security(struct inode *inode)
176 {
177         struct task_security_struct *tsec = current->security;
178         struct inode_security_struct *isec;
179
180         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
181         if (!isec)
182                 return -ENOMEM;
183
184         memset(isec, 0, sizeof(*isec));
185         init_MUTEX(&isec->sem);
186         INIT_LIST_HEAD(&isec->list);
187         isec->inode = inode;
188         isec->sid = SECINITSID_UNLABELED;
189         isec->sclass = SECCLASS_FILE;
190         isec->task_sid = tsec->sid;
191         inode->i_security = isec;
192
193         return 0;
194 }
195
196 static void inode_free_security(struct inode *inode)
197 {
198         struct inode_security_struct *isec = inode->i_security;
199         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
201         spin_lock(&sbsec->isec_lock);
202         if (!list_empty(&isec->list))
203                 list_del_init(&isec->list);
204         spin_unlock(&sbsec->isec_lock);
205
206         inode->i_security = NULL;
207         kmem_cache_free(sel_inode_cache, isec);
208 }
209
210 static int file_alloc_security(struct file *file)
211 {
212         struct task_security_struct *tsec = current->security;
213         struct file_security_struct *fsec;
214
215         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
216         if (!fsec)
217                 return -ENOMEM;
218
219         fsec->file = file;
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         init_MUTEX(&sbsec->sem);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         if (family != PF_UNIX)
273                 return 0;
274
275         ssec = kzalloc(sizeof(*ssec), priority);
276         if (!ssec)
277                 return -ENOMEM;
278
279         ssec->sk = sk;
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         return 0;
284 }
285
286 static void sk_free_security(struct sock *sk)
287 {
288         struct sk_security_struct *ssec = sk->sk_security;
289
290         if (sk->sk_family != PF_UNIX)
291                 return;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323         Opt_rootcontext = 8,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331 };
332
333 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
334
335 static int may_context_mount_sb_relabel(u32 sid,
336                         struct superblock_security_struct *sbsec,
337                         struct task_security_struct *tsec)
338 {
339         int rc;
340
341         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342                           FILESYSTEM__RELABELFROM, NULL);
343         if (rc)
344                 return rc;
345
346         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELTO, NULL);
348         return rc;
349 }
350
351 static int may_context_mount_inode_relabel(u32 sid,
352                         struct superblock_security_struct *sbsec,
353                         struct task_security_struct *tsec)
354 {
355         int rc;
356         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357                           FILESYSTEM__RELABELFROM, NULL);
358         if (rc)
359                 return rc;
360
361         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362                           FILESYSTEM__ASSOCIATE, NULL);
363         return rc;
364 }
365
366 static int try_context_mount(struct super_block *sb, void *data)
367 {
368         char *context = NULL, *defcontext = NULL;
369         char *fscontext = NULL, *rootcontext = NULL;
370         const char *name;
371         u32 sid;
372         int alloc = 0, rc = 0, seen = 0;
373         struct task_security_struct *tsec = current->security;
374         struct superblock_security_struct *sbsec = sb->s_security;
375
376         if (!data)
377                 goto out;
378
379         name = sb->s_type->name;
380
381         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
382
383                 /* NFS we understand. */
384                 if (!strcmp(name, "nfs")) {
385                         struct nfs_mount_data *d = data;
386
387                         if (d->version <  NFS_MOUNT_VERSION)
388                                 goto out;
389
390                         if (d->context[0]) {
391                                 context = d->context;
392                                 seen |= Opt_context;
393                         }
394                 } else
395                         goto out;
396
397         } else {
398                 /* Standard string-based options. */
399                 char *p, *options = data;
400
401                 while ((p = strsep(&options, ",")) != NULL) {
402                         int token;
403                         substring_t args[MAX_OPT_ARGS];
404
405                         if (!*p)
406                                 continue;
407
408                         token = match_token(p, tokens, args);
409
410                         switch (token) {
411                         case Opt_context:
412                                 if (seen & (Opt_context|Opt_defcontext)) {
413                                         rc = -EINVAL;
414                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
415                                         goto out_free;
416                                 }
417                                 context = match_strdup(&args[0]);
418                                 if (!context) {
419                                         rc = -ENOMEM;
420                                         goto out_free;
421                                 }
422                                 if (!alloc)
423                                         alloc = 1;
424                                 seen |= Opt_context;
425                                 break;
426
427                         case Opt_fscontext:
428                                 if (seen & Opt_fscontext) {
429                                         rc = -EINVAL;
430                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
431                                         goto out_free;
432                                 }
433                                 fscontext = match_strdup(&args[0]);
434                                 if (!fscontext) {
435                                         rc = -ENOMEM;
436                                         goto out_free;
437                                 }
438                                 if (!alloc)
439                                         alloc = 1;
440                                 seen |= Opt_fscontext;
441                                 break;
442
443                         case Opt_rootcontext:
444                                 if (seen & Opt_rootcontext) {
445                                         rc = -EINVAL;
446                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
447                                         goto out_free;
448                                 }
449                                 rootcontext = match_strdup(&args[0]);
450                                 if (!rootcontext) {
451                                         rc = -ENOMEM;
452                                         goto out_free;
453                                 }
454                                 if (!alloc)
455                                         alloc = 1;
456                                 seen |= Opt_rootcontext;
457                                 break;
458
459                         case Opt_defcontext:
460                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
461                                         rc = -EINVAL;
462                                         printk(KERN_WARNING "SELinux:  "
463                                                "defcontext option is invalid "
464                                                "for this filesystem type\n");
465                                         goto out_free;
466                                 }
467                                 if (seen & (Opt_context|Opt_defcontext)) {
468                                         rc = -EINVAL;
469                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
470                                         goto out_free;
471                                 }
472                                 defcontext = match_strdup(&args[0]);
473                                 if (!defcontext) {
474                                         rc = -ENOMEM;
475                                         goto out_free;
476                                 }
477                                 if (!alloc)
478                                         alloc = 1;
479                                 seen |= Opt_defcontext;
480                                 break;
481
482                         default:
483                                 rc = -EINVAL;
484                                 printk(KERN_WARNING "SELinux:  unknown mount "
485                                        "option\n");
486                                 goto out_free;
487
488                         }
489                 }
490         }
491
492         if (!seen)
493                 goto out;
494
495         /* sets the context of the superblock for the fs being mounted. */
496         if (fscontext) {
497                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
498                 if (rc) {
499                         printk(KERN_WARNING "SELinux: security_context_to_sid"
500                                "(%s) failed for (dev %s, type %s) errno=%d\n",
501                                fscontext, sb->s_id, name, rc);
502                         goto out_free;
503                 }
504
505                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
506                 if (rc)
507                         goto out_free;
508
509                 sbsec->sid = sid;
510         }
511
512         /*
513          * Switch to using mount point labeling behavior.
514          * sets the label used on all file below the mountpoint, and will set
515          * the superblock context if not already set.
516          */
517         if (context) {
518                 rc = security_context_to_sid(context, strlen(context), &sid);
519                 if (rc) {
520                         printk(KERN_WARNING "SELinux: security_context_to_sid"
521                                "(%s) failed for (dev %s, type %s) errno=%d\n",
522                                context, sb->s_id, name, rc);
523                         goto out_free;
524                 }
525
526                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
527                 if (rc)
528                         goto out_free;
529
530                 if (!fscontext)
531                         sbsec->sid = sid;
532                 sbsec->mntpoint_sid = sid;
533
534                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
535         }
536
537         if (rootcontext) {
538                 struct inode *inode = sb->s_root->d_inode;
539                 struct inode_security_struct *isec = inode->i_security;
540                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
541                 if (rc) {
542                         printk(KERN_WARNING "SELinux: security_context_to_sid"
543                                "(%s) failed for (dev %s, type %s) errno=%d\n",
544                                rootcontext, sb->s_id, name, rc);
545                         goto out_free;
546                 }
547
548                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
549                 if (rc)
550                         goto out_free;
551
552                 isec->sid = sid;
553                 isec->initialized = 1;
554         }
555
556         if (defcontext) {
557                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
558                 if (rc) {
559                         printk(KERN_WARNING "SELinux: security_context_to_sid"
560                                "(%s) failed for (dev %s, type %s) errno=%d\n",
561                                defcontext, sb->s_id, name, rc);
562                         goto out_free;
563                 }
564
565                 if (sid == sbsec->def_sid)
566                         goto out_free;
567
568                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
569                 if (rc)
570                         goto out_free;
571
572                 sbsec->def_sid = sid;
573         }
574
575 out_free:
576         if (alloc) {
577                 kfree(context);
578                 kfree(defcontext);
579                 kfree(fscontext);
580                 kfree(rootcontext);
581         }
582 out:
583         return rc;
584 }
585
586 static int superblock_doinit(struct super_block *sb, void *data)
587 {
588         struct superblock_security_struct *sbsec = sb->s_security;
589         struct dentry *root = sb->s_root;
590         struct inode *inode = root->d_inode;
591         int rc = 0;
592
593         down(&sbsec->sem);
594         if (sbsec->initialized)
595                 goto out;
596
597         if (!ss_initialized) {
598                 /* Defer initialization until selinux_complete_init,
599                    after the initial policy is loaded and the security
600                    server is ready to handle calls. */
601                 spin_lock(&sb_security_lock);
602                 if (list_empty(&sbsec->list))
603                         list_add(&sbsec->list, &superblock_security_head);
604                 spin_unlock(&sb_security_lock);
605                 goto out;
606         }
607
608         /* Determine the labeling behavior to use for this filesystem type. */
609         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
610         if (rc) {
611                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
612                        __FUNCTION__, sb->s_type->name, rc);
613                 goto out;
614         }
615
616         rc = try_context_mount(sb, data);
617         if (rc)
618                 goto out;
619
620         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
621                 /* Make sure that the xattr handler exists and that no
622                    error other than -ENODATA is returned by getxattr on
623                    the root directory.  -ENODATA is ok, as this may be
624                    the first boot of the SELinux kernel before we have
625                    assigned xattr values to the filesystem. */
626                 if (!inode->i_op->getxattr) {
627                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
628                                "xattr support\n", sb->s_id, sb->s_type->name);
629                         rc = -EOPNOTSUPP;
630                         goto out;
631                 }
632                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
633                 if (rc < 0 && rc != -ENODATA) {
634                         if (rc == -EOPNOTSUPP)
635                                 printk(KERN_WARNING "SELinux: (dev %s, type "
636                                        "%s) has no security xattr handler\n",
637                                        sb->s_id, sb->s_type->name);
638                         else
639                                 printk(KERN_WARNING "SELinux: (dev %s, type "
640                                        "%s) getxattr errno %d\n", sb->s_id,
641                                        sb->s_type->name, -rc);
642                         goto out;
643                 }
644         }
645
646         if (strcmp(sb->s_type->name, "proc") == 0)
647                 sbsec->proc = 1;
648
649         sbsec->initialized = 1;
650
651         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
652                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
653                        sb->s_id, sb->s_type->name);
654         }
655         else {
656                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
657                        sb->s_id, sb->s_type->name,
658                        labeling_behaviors[sbsec->behavior-1]);
659         }
660
661         /* Initialize the root inode. */
662         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
663
664         /* Initialize any other inodes associated with the superblock, e.g.
665            inodes created prior to initial policy load or inodes created
666            during get_sb by a pseudo filesystem that directly
667            populates itself. */
668         spin_lock(&sbsec->isec_lock);
669 next_inode:
670         if (!list_empty(&sbsec->isec_head)) {
671                 struct inode_security_struct *isec =
672                                 list_entry(sbsec->isec_head.next,
673                                            struct inode_security_struct, list);
674                 struct inode *inode = isec->inode;
675                 spin_unlock(&sbsec->isec_lock);
676                 inode = igrab(inode);
677                 if (inode) {
678                         if (!IS_PRIVATE (inode))
679                                 inode_doinit(inode);
680                         iput(inode);
681                 }
682                 spin_lock(&sbsec->isec_lock);
683                 list_del_init(&isec->list);
684                 goto next_inode;
685         }
686         spin_unlock(&sbsec->isec_lock);
687 out:
688         up(&sbsec->sem);
689         return rc;
690 }
691
692 static inline u16 inode_mode_to_security_class(umode_t mode)
693 {
694         switch (mode & S_IFMT) {
695         case S_IFSOCK:
696                 return SECCLASS_SOCK_FILE;
697         case S_IFLNK:
698                 return SECCLASS_LNK_FILE;
699         case S_IFREG:
700                 return SECCLASS_FILE;
701         case S_IFBLK:
702                 return SECCLASS_BLK_FILE;
703         case S_IFDIR:
704                 return SECCLASS_DIR;
705         case S_IFCHR:
706                 return SECCLASS_CHR_FILE;
707         case S_IFIFO:
708                 return SECCLASS_FIFO_FILE;
709
710         }
711
712         return SECCLASS_FILE;
713 }
714
715 static inline int default_protocol_stream(int protocol)
716 {
717         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
718 }
719
720 static inline int default_protocol_dgram(int protocol)
721 {
722         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
723 }
724
725 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
726 {
727         switch (family) {
728         case PF_UNIX:
729                 switch (type) {
730                 case SOCK_STREAM:
731                 case SOCK_SEQPACKET:
732                         return SECCLASS_UNIX_STREAM_SOCKET;
733                 case SOCK_DGRAM:
734                         return SECCLASS_UNIX_DGRAM_SOCKET;
735                 }
736                 break;
737         case PF_INET:
738         case PF_INET6:
739                 switch (type) {
740                 case SOCK_STREAM:
741                         if (default_protocol_stream(protocol))
742                                 return SECCLASS_TCP_SOCKET;
743                         else
744                                 return SECCLASS_RAWIP_SOCKET;
745                 case SOCK_DGRAM:
746                         if (default_protocol_dgram(protocol))
747                                 return SECCLASS_UDP_SOCKET;
748                         else
749                                 return SECCLASS_RAWIP_SOCKET;
750                 default:
751                         return SECCLASS_RAWIP_SOCKET;
752                 }
753                 break;
754         case PF_NETLINK:
755                 switch (protocol) {
756                 case NETLINK_ROUTE:
757                         return SECCLASS_NETLINK_ROUTE_SOCKET;
758                 case NETLINK_FIREWALL:
759                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
760                 case NETLINK_INET_DIAG:
761                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
762                 case NETLINK_NFLOG:
763                         return SECCLASS_NETLINK_NFLOG_SOCKET;
764                 case NETLINK_XFRM:
765                         return SECCLASS_NETLINK_XFRM_SOCKET;
766                 case NETLINK_SELINUX:
767                         return SECCLASS_NETLINK_SELINUX_SOCKET;
768                 case NETLINK_AUDIT:
769                         return SECCLASS_NETLINK_AUDIT_SOCKET;
770                 case NETLINK_IP6_FW:
771                         return SECCLASS_NETLINK_IP6FW_SOCKET;
772                 case NETLINK_DNRTMSG:
773                         return SECCLASS_NETLINK_DNRT_SOCKET;
774                 case NETLINK_KOBJECT_UEVENT:
775                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
776                 default:
777                         return SECCLASS_NETLINK_SOCKET;
778                 }
779         case PF_PACKET:
780                 return SECCLASS_PACKET_SOCKET;
781         case PF_KEY:
782                 return SECCLASS_KEY_SOCKET;
783         case PF_APPLETALK:
784                 return SECCLASS_APPLETALK_SOCKET;
785         }
786
787         return SECCLASS_SOCKET;
788 }
789
790 #ifdef CONFIG_PROC_FS
791 static int selinux_proc_get_sid(struct proc_dir_entry *de,
792                                 u16 tclass,
793                                 u32 *sid)
794 {
795         int buflen, rc;
796         char *buffer, *path, *end;
797
798         buffer = (char*)__get_free_page(GFP_KERNEL);
799         if (!buffer)
800                 return -ENOMEM;
801
802         buflen = PAGE_SIZE;
803         end = buffer+buflen;
804         *--end = '\0';
805         buflen--;
806         path = end-1;
807         *path = '/';
808         while (de && de != de->parent) {
809                 buflen -= de->namelen + 1;
810                 if (buflen < 0)
811                         break;
812                 end -= de->namelen;
813                 memcpy(end, de->name, de->namelen);
814                 *--end = '/';
815                 path = end;
816                 de = de->parent;
817         }
818         rc = security_genfs_sid("proc", path, tclass, sid);
819         free_page((unsigned long)buffer);
820         return rc;
821 }
822 #else
823 static int selinux_proc_get_sid(struct proc_dir_entry *de,
824                                 u16 tclass,
825                                 u32 *sid)
826 {
827         return -EINVAL;
828 }
829 #endif
830
831 /* The inode's security attributes must be initialized before first use. */
832 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
833 {
834         struct superblock_security_struct *sbsec = NULL;
835         struct inode_security_struct *isec = inode->i_security;
836         u32 sid;
837         struct dentry *dentry;
838 #define INITCONTEXTLEN 255
839         char *context = NULL;
840         unsigned len = 0;
841         int rc = 0;
842         int hold_sem = 0;
843
844         if (isec->initialized)
845                 goto out;
846
847         down(&isec->sem);
848         hold_sem = 1;
849         if (isec->initialized)
850                 goto out;
851
852         sbsec = inode->i_sb->s_security;
853         if (!sbsec->initialized) {
854                 /* Defer initialization until selinux_complete_init,
855                    after the initial policy is loaded and the security
856                    server is ready to handle calls. */
857                 spin_lock(&sbsec->isec_lock);
858                 if (list_empty(&isec->list))
859                         list_add(&isec->list, &sbsec->isec_head);
860                 spin_unlock(&sbsec->isec_lock);
861                 goto out;
862         }
863
864         switch (sbsec->behavior) {
865         case SECURITY_FS_USE_XATTR:
866                 if (!inode->i_op->getxattr) {
867                         isec->sid = sbsec->def_sid;
868                         break;
869                 }
870
871                 /* Need a dentry, since the xattr API requires one.
872                    Life would be simpler if we could just pass the inode. */
873                 if (opt_dentry) {
874                         /* Called from d_instantiate or d_splice_alias. */
875                         dentry = dget(opt_dentry);
876                 } else {
877                         /* Called from selinux_complete_init, try to find a dentry. */
878                         dentry = d_find_alias(inode);
879                 }
880                 if (!dentry) {
881                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
882                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
883                                inode->i_ino);
884                         goto out;
885                 }
886
887                 len = INITCONTEXTLEN;
888                 context = kmalloc(len, GFP_KERNEL);
889                 if (!context) {
890                         rc = -ENOMEM;
891                         dput(dentry);
892                         goto out;
893                 }
894                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
895                                            context, len);
896                 if (rc == -ERANGE) {
897                         /* Need a larger buffer.  Query for the right size. */
898                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
899                                                    NULL, 0);
900                         if (rc < 0) {
901                                 dput(dentry);
902                                 goto out;
903                         }
904                         kfree(context);
905                         len = rc;
906                         context = kmalloc(len, GFP_KERNEL);
907                         if (!context) {
908                                 rc = -ENOMEM;
909                                 dput(dentry);
910                                 goto out;
911                         }
912                         rc = inode->i_op->getxattr(dentry,
913                                                    XATTR_NAME_SELINUX,
914                                                    context, len);
915                 }
916                 dput(dentry);
917                 if (rc < 0) {
918                         if (rc != -ENODATA) {
919                                 printk(KERN_WARNING "%s:  getxattr returned "
920                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
921                                        -rc, inode->i_sb->s_id, inode->i_ino);
922                                 kfree(context);
923                                 goto out;
924                         }
925                         /* Map ENODATA to the default file SID */
926                         sid = sbsec->def_sid;
927                         rc = 0;
928                 } else {
929                         rc = security_context_to_sid_default(context, rc, &sid,
930                                                              sbsec->def_sid);
931                         if (rc) {
932                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
933                                        "returned %d for dev=%s ino=%ld\n",
934                                        __FUNCTION__, context, -rc,
935                                        inode->i_sb->s_id, inode->i_ino);
936                                 kfree(context);
937                                 /* Leave with the unlabeled SID */
938                                 rc = 0;
939                                 break;
940                         }
941                 }
942                 kfree(context);
943                 isec->sid = sid;
944                 break;
945         case SECURITY_FS_USE_TASK:
946                 isec->sid = isec->task_sid;
947                 break;
948         case SECURITY_FS_USE_TRANS:
949                 /* Default to the fs SID. */
950                 isec->sid = sbsec->sid;
951
952                 /* Try to obtain a transition SID. */
953                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
954                 rc = security_transition_sid(isec->task_sid,
955                                              sbsec->sid,
956                                              isec->sclass,
957                                              &sid);
958                 if (rc)
959                         goto out;
960                 isec->sid = sid;
961                 break;
962         case SECURITY_FS_USE_MNTPOINT:
963                 isec->sid = sbsec->mntpoint_sid;
964                 break;
965         default:
966                 /* Default to the fs superblock SID. */
967                 isec->sid = sbsec->sid;
968
969                 if (sbsec->proc) {
970                         struct proc_inode *proci = PROC_I(inode);
971                         if (proci->pde) {
972                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
973                                 rc = selinux_proc_get_sid(proci->pde,
974                                                           isec->sclass,
975                                                           &sid);
976                                 if (rc)
977                                         goto out;
978                                 isec->sid = sid;
979                         }
980                 }
981                 break;
982         }
983
984         isec->initialized = 1;
985
986 out:
987         if (isec->sclass == SECCLASS_FILE)
988                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
989
990         if (hold_sem)
991                 up(&isec->sem);
992         return rc;
993 }
994
995 /* Convert a Linux signal to an access vector. */
996 static inline u32 signal_to_av(int sig)
997 {
998         u32 perm = 0;
999
1000         switch (sig) {
1001         case SIGCHLD:
1002                 /* Commonly granted from child to parent. */
1003                 perm = PROCESS__SIGCHLD;
1004                 break;
1005         case SIGKILL:
1006                 /* Cannot be caught or ignored */
1007                 perm = PROCESS__SIGKILL;
1008                 break;
1009         case SIGSTOP:
1010                 /* Cannot be caught or ignored */
1011                 perm = PROCESS__SIGSTOP;
1012                 break;
1013         default:
1014                 /* All other signals. */
1015                 perm = PROCESS__SIGNAL;
1016                 break;
1017         }
1018
1019         return perm;
1020 }
1021
1022 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1023    fork check, ptrace check, etc. */
1024 static int task_has_perm(struct task_struct *tsk1,
1025                          struct task_struct *tsk2,
1026                          u32 perms)
1027 {
1028         struct task_security_struct *tsec1, *tsec2;
1029
1030         tsec1 = tsk1->security;
1031         tsec2 = tsk2->security;
1032         return avc_has_perm(tsec1->sid, tsec2->sid,
1033                             SECCLASS_PROCESS, perms, NULL);
1034 }
1035
1036 /* Check whether a task is allowed to use a capability. */
1037 static int task_has_capability(struct task_struct *tsk,
1038                                int cap)
1039 {
1040         struct task_security_struct *tsec;
1041         struct avc_audit_data ad;
1042
1043         tsec = tsk->security;
1044
1045         AVC_AUDIT_DATA_INIT(&ad,CAP);
1046         ad.tsk = tsk;
1047         ad.u.cap = cap;
1048
1049         return avc_has_perm(tsec->sid, tsec->sid,
1050                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1051 }
1052
1053 /* Check whether a task is allowed to use a system operation. */
1054 static int task_has_system(struct task_struct *tsk,
1055                            u32 perms)
1056 {
1057         struct task_security_struct *tsec;
1058
1059         tsec = tsk->security;
1060
1061         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1062                             SECCLASS_SYSTEM, perms, NULL);
1063 }
1064
1065 /* Check whether a task has a particular permission to an inode.
1066    The 'adp' parameter is optional and allows other audit
1067    data to be passed (e.g. the dentry). */
1068 static int inode_has_perm(struct task_struct *tsk,
1069                           struct inode *inode,
1070                           u32 perms,
1071                           struct avc_audit_data *adp)
1072 {
1073         struct task_security_struct *tsec;
1074         struct inode_security_struct *isec;
1075         struct avc_audit_data ad;
1076
1077         tsec = tsk->security;
1078         isec = inode->i_security;
1079
1080         if (!adp) {
1081                 adp = &ad;
1082                 AVC_AUDIT_DATA_INIT(&ad, FS);
1083                 ad.u.fs.inode = inode;
1084         }
1085
1086         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1087 }
1088
1089 /* Same as inode_has_perm, but pass explicit audit data containing
1090    the dentry to help the auditing code to more easily generate the
1091    pathname if needed. */
1092 static inline int dentry_has_perm(struct task_struct *tsk,
1093                                   struct vfsmount *mnt,
1094                                   struct dentry *dentry,
1095                                   u32 av)
1096 {
1097         struct inode *inode = dentry->d_inode;
1098         struct avc_audit_data ad;
1099         AVC_AUDIT_DATA_INIT(&ad,FS);
1100         ad.u.fs.mnt = mnt;
1101         ad.u.fs.dentry = dentry;
1102         return inode_has_perm(tsk, inode, av, &ad);
1103 }
1104
1105 /* Check whether a task can use an open file descriptor to
1106    access an inode in a given way.  Check access to the
1107    descriptor itself, and then use dentry_has_perm to
1108    check a particular permission to the file.
1109    Access to the descriptor is implicitly granted if it
1110    has the same SID as the process.  If av is zero, then
1111    access to the file is not checked, e.g. for cases
1112    where only the descriptor is affected like seek. */
1113 static int file_has_perm(struct task_struct *tsk,
1114                                 struct file *file,
1115                                 u32 av)
1116 {
1117         struct task_security_struct *tsec = tsk->security;
1118         struct file_security_struct *fsec = file->f_security;
1119         struct vfsmount *mnt = file->f_vfsmnt;
1120         struct dentry *dentry = file->f_dentry;
1121         struct inode *inode = dentry->d_inode;
1122         struct avc_audit_data ad;
1123         int rc;
1124
1125         AVC_AUDIT_DATA_INIT(&ad, FS);
1126         ad.u.fs.mnt = mnt;
1127         ad.u.fs.dentry = dentry;
1128
1129         if (tsec->sid != fsec->sid) {
1130                 rc = avc_has_perm(tsec->sid, fsec->sid,
1131                                   SECCLASS_FD,
1132                                   FD__USE,
1133                                   &ad);
1134                 if (rc)
1135                         return rc;
1136         }
1137
1138         /* av is zero if only checking access to the descriptor. */
1139         if (av)
1140                 return inode_has_perm(tsk, inode, av, &ad);
1141
1142         return 0;
1143 }
1144
1145 /* Check whether a task can create a file. */
1146 static int may_create(struct inode *dir,
1147                       struct dentry *dentry,
1148                       u16 tclass)
1149 {
1150         struct task_security_struct *tsec;
1151         struct inode_security_struct *dsec;
1152         struct superblock_security_struct *sbsec;
1153         u32 newsid;
1154         struct avc_audit_data ad;
1155         int rc;
1156
1157         tsec = current->security;
1158         dsec = dir->i_security;
1159         sbsec = dir->i_sb->s_security;
1160
1161         AVC_AUDIT_DATA_INIT(&ad, FS);
1162         ad.u.fs.dentry = dentry;
1163
1164         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1165                           DIR__ADD_NAME | DIR__SEARCH,
1166                           &ad);
1167         if (rc)
1168                 return rc;
1169
1170         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1171                 newsid = tsec->create_sid;
1172         } else {
1173                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1174                                              &newsid);
1175                 if (rc)
1176                         return rc;
1177         }
1178
1179         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1180         if (rc)
1181                 return rc;
1182
1183         return avc_has_perm(newsid, sbsec->sid,
1184                             SECCLASS_FILESYSTEM,
1185                             FILESYSTEM__ASSOCIATE, &ad);
1186 }
1187
1188 /* Check whether a task can create a key. */
1189 static int may_create_key(u32 ksid,
1190                           struct task_struct *ctx)
1191 {
1192         struct task_security_struct *tsec;
1193
1194         tsec = ctx->security;
1195
1196         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1197 }
1198
1199 #define MAY_LINK   0
1200 #define MAY_UNLINK 1
1201 #define MAY_RMDIR  2
1202
1203 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1204 static int may_link(struct inode *dir,
1205                     struct dentry *dentry,
1206                     int kind)
1207
1208 {
1209         struct task_security_struct *tsec;
1210         struct inode_security_struct *dsec, *isec;
1211         struct avc_audit_data ad;
1212         u32 av;
1213         int rc;
1214
1215         tsec = current->security;
1216         dsec = dir->i_security;
1217         isec = dentry->d_inode->i_security;
1218
1219         AVC_AUDIT_DATA_INIT(&ad, FS);
1220         ad.u.fs.dentry = dentry;
1221
1222         av = DIR__SEARCH;
1223         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1224         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1225         if (rc)
1226                 return rc;
1227
1228         switch (kind) {
1229         case MAY_LINK:
1230                 av = FILE__LINK;
1231                 break;
1232         case MAY_UNLINK:
1233                 av = FILE__UNLINK;
1234                 break;
1235         case MAY_RMDIR:
1236                 av = DIR__RMDIR;
1237                 break;
1238         default:
1239                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1240                 return 0;
1241         }
1242
1243         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1244         return rc;
1245 }
1246
1247 static inline int may_rename(struct inode *old_dir,
1248                              struct dentry *old_dentry,
1249                              struct inode *new_dir,
1250                              struct dentry *new_dentry)
1251 {
1252         struct task_security_struct *tsec;
1253         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1254         struct avc_audit_data ad;
1255         u32 av;
1256         int old_is_dir, new_is_dir;
1257         int rc;
1258
1259         tsec = current->security;
1260         old_dsec = old_dir->i_security;
1261         old_isec = old_dentry->d_inode->i_security;
1262         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1263         new_dsec = new_dir->i_security;
1264
1265         AVC_AUDIT_DATA_INIT(&ad, FS);
1266
1267         ad.u.fs.dentry = old_dentry;
1268         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1269                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1270         if (rc)
1271                 return rc;
1272         rc = avc_has_perm(tsec->sid, old_isec->sid,
1273                           old_isec->sclass, FILE__RENAME, &ad);
1274         if (rc)
1275                 return rc;
1276         if (old_is_dir && new_dir != old_dir) {
1277                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1278                                   old_isec->sclass, DIR__REPARENT, &ad);
1279                 if (rc)
1280                         return rc;
1281         }
1282
1283         ad.u.fs.dentry = new_dentry;
1284         av = DIR__ADD_NAME | DIR__SEARCH;
1285         if (new_dentry->d_inode)
1286                 av |= DIR__REMOVE_NAME;
1287         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1288         if (rc)
1289                 return rc;
1290         if (new_dentry->d_inode) {
1291                 new_isec = new_dentry->d_inode->i_security;
1292                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1293                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1294                                   new_isec->sclass,
1295                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1296                 if (rc)
1297                         return rc;
1298         }
1299
1300         return 0;
1301 }
1302
1303 /* Check whether a task can perform a filesystem operation. */
1304 static int superblock_has_perm(struct task_struct *tsk,
1305                                struct super_block *sb,
1306                                u32 perms,
1307                                struct avc_audit_data *ad)
1308 {
1309         struct task_security_struct *tsec;
1310         struct superblock_security_struct *sbsec;
1311
1312         tsec = tsk->security;
1313         sbsec = sb->s_security;
1314         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1315                             perms, ad);
1316 }
1317
1318 /* Convert a Linux mode and permission mask to an access vector. */
1319 static inline u32 file_mask_to_av(int mode, int mask)
1320 {
1321         u32 av = 0;
1322
1323         if ((mode & S_IFMT) != S_IFDIR) {
1324                 if (mask & MAY_EXEC)
1325                         av |= FILE__EXECUTE;
1326                 if (mask & MAY_READ)
1327                         av |= FILE__READ;
1328
1329                 if (mask & MAY_APPEND)
1330                         av |= FILE__APPEND;
1331                 else if (mask & MAY_WRITE)
1332                         av |= FILE__WRITE;
1333
1334         } else {
1335                 if (mask & MAY_EXEC)
1336                         av |= DIR__SEARCH;
1337                 if (mask & MAY_WRITE)
1338                         av |= DIR__WRITE;
1339                 if (mask & MAY_READ)
1340                         av |= DIR__READ;
1341         }
1342
1343         return av;
1344 }
1345
1346 /* Convert a Linux file to an access vector. */
1347 static inline u32 file_to_av(struct file *file)
1348 {
1349         u32 av = 0;
1350
1351         if (file->f_mode & FMODE_READ)
1352                 av |= FILE__READ;
1353         if (file->f_mode & FMODE_WRITE) {
1354                 if (file->f_flags & O_APPEND)
1355                         av |= FILE__APPEND;
1356                 else
1357                         av |= FILE__WRITE;
1358         }
1359
1360         return av;
1361 }
1362
1363 /* Set an inode's SID to a specified value. */
1364 static int inode_security_set_sid(struct inode *inode, u32 sid)
1365 {
1366         struct inode_security_struct *isec = inode->i_security;
1367         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1368
1369         if (!sbsec->initialized) {
1370                 /* Defer initialization to selinux_complete_init. */
1371                 return 0;
1372         }
1373
1374         down(&isec->sem);
1375         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1376         isec->sid = sid;
1377         isec->initialized = 1;
1378         up(&isec->sem);
1379         return 0;
1380 }
1381
1382 /* Hook functions begin here. */
1383
1384 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1385 {
1386         struct task_security_struct *psec = parent->security;
1387         struct task_security_struct *csec = child->security;
1388         int rc;
1389
1390         rc = secondary_ops->ptrace(parent,child);
1391         if (rc)
1392                 return rc;
1393
1394         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1395         /* Save the SID of the tracing process for later use in apply_creds. */
1396         if (!(child->ptrace & PT_PTRACED) && !rc)
1397                 csec->ptrace_sid = psec->sid;
1398         return rc;
1399 }
1400
1401 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1402                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1403 {
1404         int error;
1405
1406         error = task_has_perm(current, target, PROCESS__GETCAP);
1407         if (error)
1408                 return error;
1409
1410         return secondary_ops->capget(target, effective, inheritable, permitted);
1411 }
1412
1413 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1414                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1415 {
1416         int error;
1417
1418         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1419         if (error)
1420                 return error;
1421
1422         return task_has_perm(current, target, PROCESS__SETCAP);
1423 }
1424
1425 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1426                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1427 {
1428         secondary_ops->capset_set(target, effective, inheritable, permitted);
1429 }
1430
1431 static int selinux_capable(struct task_struct *tsk, int cap)
1432 {
1433         int rc;
1434
1435         rc = secondary_ops->capable(tsk, cap);
1436         if (rc)
1437                 return rc;
1438
1439         return task_has_capability(tsk,cap);
1440 }
1441
1442 static int selinux_sysctl(ctl_table *table, int op)
1443 {
1444         int error = 0;
1445         u32 av;
1446         struct task_security_struct *tsec;
1447         u32 tsid;
1448         int rc;
1449
1450         rc = secondary_ops->sysctl(table, op);
1451         if (rc)
1452                 return rc;
1453
1454         tsec = current->security;
1455
1456         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1457                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1458         if (rc) {
1459                 /* Default to the well-defined sysctl SID. */
1460                 tsid = SECINITSID_SYSCTL;
1461         }
1462
1463         /* The op values are "defined" in sysctl.c, thereby creating
1464          * a bad coupling between this module and sysctl.c */
1465         if(op == 001) {
1466                 error = avc_has_perm(tsec->sid, tsid,
1467                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1468         } else {
1469                 av = 0;
1470                 if (op & 004)
1471                         av |= FILE__READ;
1472                 if (op & 002)
1473                         av |= FILE__WRITE;
1474                 if (av)
1475                         error = avc_has_perm(tsec->sid, tsid,
1476                                              SECCLASS_FILE, av, NULL);
1477         }
1478
1479         return error;
1480 }
1481
1482 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1483 {
1484         int rc = 0;
1485
1486         if (!sb)
1487                 return 0;
1488
1489         switch (cmds) {
1490                 case Q_SYNC:
1491                 case Q_QUOTAON:
1492                 case Q_QUOTAOFF:
1493                 case Q_SETINFO:
1494                 case Q_SETQUOTA:
1495                         rc = superblock_has_perm(current,
1496                                                  sb,
1497                                                  FILESYSTEM__QUOTAMOD, NULL);
1498                         break;
1499                 case Q_GETFMT:
1500                 case Q_GETINFO:
1501                 case Q_GETQUOTA:
1502                         rc = superblock_has_perm(current,
1503                                                  sb,
1504                                                  FILESYSTEM__QUOTAGET, NULL);
1505                         break;
1506                 default:
1507                         rc = 0;  /* let the kernel handle invalid cmds */
1508                         break;
1509         }
1510         return rc;
1511 }
1512
1513 static int selinux_quota_on(struct dentry *dentry)
1514 {
1515         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1516 }
1517
1518 static int selinux_syslog(int type)
1519 {
1520         int rc;
1521
1522         rc = secondary_ops->syslog(type);
1523         if (rc)
1524                 return rc;
1525
1526         switch (type) {
1527                 case 3:         /* Read last kernel messages */
1528                 case 10:        /* Return size of the log buffer */
1529                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1530                         break;
1531                 case 6:         /* Disable logging to console */
1532                 case 7:         /* Enable logging to console */
1533                 case 8:         /* Set level of messages printed to console */
1534                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1535                         break;
1536                 case 0:         /* Close log */
1537                 case 1:         /* Open log */
1538                 case 2:         /* Read from log */
1539                 case 4:         /* Read/clear last kernel messages */
1540                 case 5:         /* Clear ring buffer */
1541                 default:
1542                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1543                         break;
1544         }
1545         return rc;
1546 }
1547
1548 /*
1549  * Check that a process has enough memory to allocate a new virtual
1550  * mapping. 0 means there is enough memory for the allocation to
1551  * succeed and -ENOMEM implies there is not.
1552  *
1553  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1554  * if the capability is granted, but __vm_enough_memory requires 1 if
1555  * the capability is granted.
1556  *
1557  * Do not audit the selinux permission check, as this is applied to all
1558  * processes that allocate mappings.
1559  */
1560 static int selinux_vm_enough_memory(long pages)
1561 {
1562         int rc, cap_sys_admin = 0;
1563         struct task_security_struct *tsec = current->security;
1564
1565         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1566         if (rc == 0)
1567                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1568                                         SECCLASS_CAPABILITY,
1569                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1570                                         NULL);
1571
1572         if (rc == 0)
1573                 cap_sys_admin = 1;
1574
1575         return __vm_enough_memory(pages, cap_sys_admin);
1576 }
1577
1578 /* binprm security operations */
1579
1580 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1581 {
1582         struct bprm_security_struct *bsec;
1583
1584         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1585         if (!bsec)
1586                 return -ENOMEM;
1587
1588         bsec->bprm = bprm;
1589         bsec->sid = SECINITSID_UNLABELED;
1590         bsec->set = 0;
1591
1592         bprm->security = bsec;
1593         return 0;
1594 }
1595
1596 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1597 {
1598         struct task_security_struct *tsec;
1599         struct inode *inode = bprm->file->f_dentry->d_inode;
1600         struct inode_security_struct *isec;
1601         struct bprm_security_struct *bsec;
1602         u32 newsid;
1603         struct avc_audit_data ad;
1604         int rc;
1605
1606         rc = secondary_ops->bprm_set_security(bprm);
1607         if (rc)
1608                 return rc;
1609
1610         bsec = bprm->security;
1611
1612         if (bsec->set)
1613                 return 0;
1614
1615         tsec = current->security;
1616         isec = inode->i_security;
1617
1618         /* Default to the current task SID. */
1619         bsec->sid = tsec->sid;
1620
1621         /* Reset fs, key, and sock SIDs on execve. */
1622         tsec->create_sid = 0;
1623         tsec->keycreate_sid = 0;
1624         tsec->sockcreate_sid = 0;
1625
1626         if (tsec->exec_sid) {
1627                 newsid = tsec->exec_sid;
1628                 /* Reset exec SID on execve. */
1629                 tsec->exec_sid = 0;
1630         } else {
1631                 /* Check for a default transition on this program. */
1632                 rc = security_transition_sid(tsec->sid, isec->sid,
1633                                              SECCLASS_PROCESS, &newsid);
1634                 if (rc)
1635                         return rc;
1636         }
1637
1638         AVC_AUDIT_DATA_INIT(&ad, FS);
1639         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1640         ad.u.fs.dentry = bprm->file->f_dentry;
1641
1642         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1643                 newsid = tsec->sid;
1644
1645         if (tsec->sid == newsid) {
1646                 rc = avc_has_perm(tsec->sid, isec->sid,
1647                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1648                 if (rc)
1649                         return rc;
1650         } else {
1651                 /* Check permissions for the transition. */
1652                 rc = avc_has_perm(tsec->sid, newsid,
1653                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1654                 if (rc)
1655                         return rc;
1656
1657                 rc = avc_has_perm(newsid, isec->sid,
1658                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1659                 if (rc)
1660                         return rc;
1661
1662                 /* Clear any possibly unsafe personality bits on exec: */
1663                 current->personality &= ~PER_CLEAR_ON_SETID;
1664
1665                 /* Set the security field to the new SID. */
1666                 bsec->sid = newsid;
1667         }
1668
1669         bsec->set = 1;
1670         return 0;
1671 }
1672
1673 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1674 {
1675         return secondary_ops->bprm_check_security(bprm);
1676 }
1677
1678
1679 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1680 {
1681         struct task_security_struct *tsec = current->security;
1682         int atsecure = 0;
1683
1684         if (tsec->osid != tsec->sid) {
1685                 /* Enable secure mode for SIDs transitions unless
1686                    the noatsecure permission is granted between
1687                    the two SIDs, i.e. ahp returns 0. */
1688                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1689                                          SECCLASS_PROCESS,
1690                                          PROCESS__NOATSECURE, NULL);
1691         }
1692
1693         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1694 }
1695
1696 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1697 {
1698         kfree(bprm->security);
1699         bprm->security = NULL;
1700 }
1701
1702 extern struct vfsmount *selinuxfs_mount;
1703 extern struct dentry *selinux_null;
1704
1705 /* Derived from fs/exec.c:flush_old_files. */
1706 static inline void flush_unauthorized_files(struct files_struct * files)
1707 {
1708         struct avc_audit_data ad;
1709         struct file *file, *devnull = NULL;
1710         struct tty_struct *tty = current->signal->tty;
1711         struct fdtable *fdt;
1712         long j = -1;
1713
1714         if (tty) {
1715                 file_list_lock();
1716                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1717                 if (file) {
1718                         /* Revalidate access to controlling tty.
1719                            Use inode_has_perm on the tty inode directly rather
1720                            than using file_has_perm, as this particular open
1721                            file may belong to another process and we are only
1722                            interested in the inode-based check here. */
1723                         struct inode *inode = file->f_dentry->d_inode;
1724                         if (inode_has_perm(current, inode,
1725                                            FILE__READ | FILE__WRITE, NULL)) {
1726                                 /* Reset controlling tty. */
1727                                 current->signal->tty = NULL;
1728                                 current->signal->tty_old_pgrp = 0;
1729                         }
1730                 }
1731                 file_list_unlock();
1732         }
1733
1734         /* Revalidate access to inherited open files. */
1735
1736         AVC_AUDIT_DATA_INIT(&ad,FS);
1737
1738         spin_lock(&files->file_lock);
1739         for (;;) {
1740                 unsigned long set, i;
1741                 int fd;
1742
1743                 j++;
1744                 i = j * __NFDBITS;
1745                 fdt = files_fdtable(files);
1746                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1747                         break;
1748                 set = fdt->open_fds->fds_bits[j];
1749                 if (!set)
1750                         continue;
1751                 spin_unlock(&files->file_lock);
1752                 for ( ; set ; i++,set >>= 1) {
1753                         if (set & 1) {
1754                                 file = fget(i);
1755                                 if (!file)
1756                                         continue;
1757                                 if (file_has_perm(current,
1758                                                   file,
1759                                                   file_to_av(file))) {
1760                                         sys_close(i);
1761                                         fd = get_unused_fd();
1762                                         if (fd != i) {
1763                                                 if (fd >= 0)
1764                                                         put_unused_fd(fd);
1765                                                 fput(file);
1766                                                 continue;
1767                                         }
1768                                         if (devnull) {
1769                                                 get_file(devnull);
1770                                         } else {
1771                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1772                                                 if (!devnull) {
1773                                                         put_unused_fd(fd);
1774                                                         fput(file);
1775                                                         continue;
1776                                                 }
1777                                         }
1778                                         fd_install(fd, devnull);
1779                                 }
1780                                 fput(file);
1781                         }
1782                 }
1783                 spin_lock(&files->file_lock);
1784
1785         }
1786         spin_unlock(&files->file_lock);
1787 }
1788
1789 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1790 {
1791         struct task_security_struct *tsec;
1792         struct bprm_security_struct *bsec;
1793         u32 sid;
1794         int rc;
1795
1796         secondary_ops->bprm_apply_creds(bprm, unsafe);
1797
1798         tsec = current->security;
1799
1800         bsec = bprm->security;
1801         sid = bsec->sid;
1802
1803         tsec->osid = tsec->sid;
1804         bsec->unsafe = 0;
1805         if (tsec->sid != sid) {
1806                 /* Check for shared state.  If not ok, leave SID
1807                    unchanged and kill. */
1808                 if (unsafe & LSM_UNSAFE_SHARE) {
1809                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1810                                         PROCESS__SHARE, NULL);
1811                         if (rc) {
1812                                 bsec->unsafe = 1;
1813                                 return;
1814                         }
1815                 }
1816
1817                 /* Check for ptracing, and update the task SID if ok.
1818                    Otherwise, leave SID unchanged and kill. */
1819                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1820                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1821                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1822                                           NULL);
1823                         if (rc) {
1824                                 bsec->unsafe = 1;
1825                                 return;
1826                         }
1827                 }
1828                 tsec->sid = sid;
1829         }
1830 }
1831
1832 /*
1833  * called after apply_creds without the task lock held
1834  */
1835 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1836 {
1837         struct task_security_struct *tsec;
1838         struct rlimit *rlim, *initrlim;
1839         struct itimerval itimer;
1840         struct bprm_security_struct *bsec;
1841         int rc, i;
1842
1843         tsec = current->security;
1844         bsec = bprm->security;
1845
1846         if (bsec->unsafe) {
1847                 force_sig_specific(SIGKILL, current);
1848                 return;
1849         }
1850         if (tsec->osid == tsec->sid)
1851                 return;
1852
1853         /* Close files for which the new task SID is not authorized. */
1854         flush_unauthorized_files(current->files);
1855
1856         /* Check whether the new SID can inherit signal state
1857            from the old SID.  If not, clear itimers to avoid
1858            subsequent signal generation and flush and unblock
1859            signals. This must occur _after_ the task SID has
1860           been updated so that any kill done after the flush
1861           will be checked against the new SID. */
1862         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1863                           PROCESS__SIGINH, NULL);
1864         if (rc) {
1865                 memset(&itimer, 0, sizeof itimer);
1866                 for (i = 0; i < 3; i++)
1867                         do_setitimer(i, &itimer, NULL);
1868                 flush_signals(current);
1869                 spin_lock_irq(&current->sighand->siglock);
1870                 flush_signal_handlers(current, 1);
1871                 sigemptyset(&current->blocked);
1872                 recalc_sigpending();
1873                 spin_unlock_irq(&current->sighand->siglock);
1874         }
1875
1876         /* Check whether the new SID can inherit resource limits
1877            from the old SID.  If not, reset all soft limits to
1878            the lower of the current task's hard limit and the init
1879            task's soft limit.  Note that the setting of hard limits
1880            (even to lower them) can be controlled by the setrlimit
1881            check. The inclusion of the init task's soft limit into
1882            the computation is to avoid resetting soft limits higher
1883            than the default soft limit for cases where the default
1884            is lower than the hard limit, e.g. RLIMIT_CORE or
1885            RLIMIT_STACK.*/
1886         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1887                           PROCESS__RLIMITINH, NULL);
1888         if (rc) {
1889                 for (i = 0; i < RLIM_NLIMITS; i++) {
1890                         rlim = current->signal->rlim + i;
1891                         initrlim = init_task.signal->rlim+i;
1892                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1893                 }
1894                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1895                         /*
1896                          * This will cause RLIMIT_CPU calculations
1897                          * to be refigured.
1898                          */
1899                         current->it_prof_expires = jiffies_to_cputime(1);
1900                 }
1901         }
1902
1903         /* Wake up the parent if it is waiting so that it can
1904            recheck wait permission to the new task SID. */
1905         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1906 }
1907
1908 /* superblock security operations */
1909
1910 static int selinux_sb_alloc_security(struct super_block *sb)
1911 {
1912         return superblock_alloc_security(sb);
1913 }
1914
1915 static void selinux_sb_free_security(struct super_block *sb)
1916 {
1917         superblock_free_security(sb);
1918 }
1919
1920 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1921 {
1922         if (plen > olen)
1923                 return 0;
1924
1925         return !memcmp(prefix, option, plen);
1926 }
1927
1928 static inline int selinux_option(char *option, int len)
1929 {
1930         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1931                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1932                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1933                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1934 }
1935
1936 static inline void take_option(char **to, char *from, int *first, int len)
1937 {
1938         if (!*first) {
1939                 **to = ',';
1940                 *to += 1;
1941         }
1942         else
1943                 *first = 0;
1944         memcpy(*to, from, len);
1945         *to += len;
1946 }
1947
1948 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1949 {
1950         int fnosec, fsec, rc = 0;
1951         char *in_save, *in_curr, *in_end;
1952         char *sec_curr, *nosec_save, *nosec;
1953
1954         in_curr = orig;
1955         sec_curr = copy;
1956
1957         /* Binary mount data: just copy */
1958         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1959                 copy_page(sec_curr, in_curr);
1960                 goto out;
1961         }
1962
1963         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1964         if (!nosec) {
1965                 rc = -ENOMEM;
1966                 goto out;
1967         }
1968
1969         nosec_save = nosec;
1970         fnosec = fsec = 1;
1971         in_save = in_end = orig;
1972
1973         do {
1974                 if (*in_end == ',' || *in_end == '\0') {
1975                         int len = in_end - in_curr;
1976
1977                         if (selinux_option(in_curr, len))
1978                                 take_option(&sec_curr, in_curr, &fsec, len);
1979                         else
1980                                 take_option(&nosec, in_curr, &fnosec, len);
1981
1982                         in_curr = in_end + 1;
1983                 }
1984         } while (*in_end++);
1985
1986         strcpy(in_save, nosec_save);
1987         free_page((unsigned long)nosec_save);
1988 out:
1989         return rc;
1990 }
1991
1992 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1993 {
1994         struct avc_audit_data ad;
1995         int rc;
1996
1997         rc = superblock_doinit(sb, data);
1998         if (rc)
1999                 return rc;
2000
2001         AVC_AUDIT_DATA_INIT(&ad,FS);
2002         ad.u.fs.dentry = sb->s_root;
2003         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2004 }
2005
2006 static int selinux_sb_statfs(struct dentry *dentry)
2007 {
2008         struct avc_audit_data ad;
2009
2010         AVC_AUDIT_DATA_INIT(&ad,FS);
2011         ad.u.fs.dentry = dentry->d_sb->s_root;
2012         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2013 }
2014
2015 static int selinux_mount(char * dev_name,
2016                          struct nameidata *nd,
2017                          char * type,
2018                          unsigned long flags,
2019                          void * data)
2020 {
2021         int rc;
2022
2023         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2024         if (rc)
2025                 return rc;
2026
2027         if (flags & MS_REMOUNT)
2028                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2029                                            FILESYSTEM__REMOUNT, NULL);
2030         else
2031                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2032                                        FILE__MOUNTON);
2033 }
2034
2035 static int selinux_umount(struct vfsmount *mnt, int flags)
2036 {
2037         int rc;
2038
2039         rc = secondary_ops->sb_umount(mnt, flags);
2040         if (rc)
2041                 return rc;
2042
2043         return superblock_has_perm(current,mnt->mnt_sb,
2044                                    FILESYSTEM__UNMOUNT,NULL);
2045 }
2046
2047 /* inode security operations */
2048
2049 static int selinux_inode_alloc_security(struct inode *inode)
2050 {
2051         return inode_alloc_security(inode);
2052 }
2053
2054 static void selinux_inode_free_security(struct inode *inode)
2055 {
2056         inode_free_security(inode);
2057 }
2058
2059 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2060                                        char **name, void **value,
2061                                        size_t *len)
2062 {
2063         struct task_security_struct *tsec;
2064         struct inode_security_struct *dsec;
2065         struct superblock_security_struct *sbsec;
2066         u32 newsid, clen;
2067         int rc;
2068         char *namep = NULL, *context;
2069
2070         tsec = current->security;
2071         dsec = dir->i_security;
2072         sbsec = dir->i_sb->s_security;
2073
2074         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2075                 newsid = tsec->create_sid;
2076         } else {
2077                 rc = security_transition_sid(tsec->sid, dsec->sid,
2078                                              inode_mode_to_security_class(inode->i_mode),
2079                                              &newsid);
2080                 if (rc) {
2081                         printk(KERN_WARNING "%s:  "
2082                                "security_transition_sid failed, rc=%d (dev=%s "
2083                                "ino=%ld)\n",
2084                                __FUNCTION__,
2085                                -rc, inode->i_sb->s_id, inode->i_ino);
2086                         return rc;
2087                 }
2088         }
2089
2090         inode_security_set_sid(inode, newsid);
2091
2092         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2093                 return -EOPNOTSUPP;
2094
2095         if (name) {
2096                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2097                 if (!namep)
2098                         return -ENOMEM;
2099                 *name = namep;
2100         }
2101
2102         if (value && len) {
2103                 rc = security_sid_to_context(newsid, &context, &clen);
2104                 if (rc) {
2105                         kfree(namep);
2106                         return rc;
2107                 }
2108                 *value = context;
2109                 *len = clen;
2110         }
2111
2112         return 0;
2113 }
2114
2115 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2116 {
2117         return may_create(dir, dentry, SECCLASS_FILE);
2118 }
2119
2120 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2121 {
2122         int rc;
2123
2124         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2125         if (rc)
2126                 return rc;
2127         return may_link(dir, old_dentry, MAY_LINK);
2128 }
2129
2130 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2131 {
2132         int rc;
2133
2134         rc = secondary_ops->inode_unlink(dir, dentry);
2135         if (rc)
2136                 return rc;
2137         return may_link(dir, dentry, MAY_UNLINK);
2138 }
2139
2140 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2141 {
2142         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2143 }
2144
2145 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2146 {
2147         return may_create(dir, dentry, SECCLASS_DIR);
2148 }
2149
2150 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2151 {
2152         return may_link(dir, dentry, MAY_RMDIR);
2153 }
2154
2155 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2156 {
2157         int rc;
2158
2159         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2160         if (rc)
2161                 return rc;
2162
2163         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2164 }
2165
2166 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2167                                 struct inode *new_inode, struct dentry *new_dentry)
2168 {
2169         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2170 }
2171
2172 static int selinux_inode_readlink(struct dentry *dentry)
2173 {
2174         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2175 }
2176
2177 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2178 {
2179         int rc;
2180
2181         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2182         if (rc)
2183                 return rc;
2184         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2185 }
2186
2187 static int selinux_inode_permission(struct inode *inode, int mask,
2188                                     struct nameidata *nd)
2189 {
2190         int rc;
2191
2192         rc = secondary_ops->inode_permission(inode, mask, nd);
2193         if (rc)
2194                 return rc;
2195
2196         if (!mask) {
2197                 /* No permission to check.  Existence test. */
2198                 return 0;
2199         }
2200
2201         return inode_has_perm(current, inode,
2202                                file_mask_to_av(inode->i_mode, mask), NULL);
2203 }
2204
2205 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2206 {
2207         int rc;
2208
2209         rc = secondary_ops->inode_setattr(dentry, iattr);
2210         if (rc)
2211                 return rc;
2212
2213         if (iattr->ia_valid & ATTR_FORCE)
2214                 return 0;
2215
2216         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2217                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2218                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2219
2220         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2221 }
2222
2223 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2224 {
2225         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2226 }
2227
2228 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2229 {
2230         struct task_security_struct *tsec = current->security;
2231         struct inode *inode = dentry->d_inode;
2232         struct inode_security_struct *isec = inode->i_security;
2233         struct superblock_security_struct *sbsec;
2234         struct avc_audit_data ad;
2235         u32 newsid;
2236         int rc = 0;
2237
2238         if (strcmp(name, XATTR_NAME_SELINUX)) {
2239                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2240                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2241                     !capable(CAP_SYS_ADMIN)) {
2242                         /* A different attribute in the security namespace.
2243                            Restrict to administrator. */
2244                         return -EPERM;
2245                 }
2246
2247                 /* Not an attribute we recognize, so just check the
2248                    ordinary setattr permission. */
2249                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2250         }
2251
2252         sbsec = inode->i_sb->s_security;
2253         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2254                 return -EOPNOTSUPP;
2255
2256         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2257                 return -EPERM;
2258
2259         AVC_AUDIT_DATA_INIT(&ad,FS);
2260         ad.u.fs.dentry = dentry;
2261
2262         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2263                           FILE__RELABELFROM, &ad);
2264         if (rc)
2265                 return rc;
2266
2267         rc = security_context_to_sid(value, size, &newsid);
2268         if (rc)
2269                 return rc;
2270
2271         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2272                           FILE__RELABELTO, &ad);
2273         if (rc)
2274                 return rc;
2275
2276         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2277                                           isec->sclass);
2278         if (rc)
2279                 return rc;
2280
2281         return avc_has_perm(newsid,
2282                             sbsec->sid,
2283                             SECCLASS_FILESYSTEM,
2284                             FILESYSTEM__ASSOCIATE,
2285                             &ad);
2286 }
2287
2288 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2289                                         void *value, size_t size, int flags)
2290 {
2291         struct inode *inode = dentry->d_inode;
2292         struct inode_security_struct *isec = inode->i_security;
2293         u32 newsid;
2294         int rc;
2295
2296         if (strcmp(name, XATTR_NAME_SELINUX)) {
2297                 /* Not an attribute we recognize, so nothing to do. */
2298                 return;
2299         }
2300
2301         rc = security_context_to_sid(value, size, &newsid);
2302         if (rc) {
2303                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2304                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2305                 return;
2306         }
2307
2308         isec->sid = newsid;
2309         return;
2310 }
2311
2312 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2313 {
2314         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2315 }
2316
2317 static int selinux_inode_listxattr (struct dentry *dentry)
2318 {
2319         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2320 }
2321
2322 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2323 {
2324         if (strcmp(name, XATTR_NAME_SELINUX)) {
2325                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2326                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2327                     !capable(CAP_SYS_ADMIN)) {
2328                         /* A different attribute in the security namespace.
2329                            Restrict to administrator. */
2330                         return -EPERM;
2331                 }
2332
2333                 /* Not an attribute we recognize, so just check the
2334                    ordinary setattr permission. Might want a separate
2335                    permission for removexattr. */
2336                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2337         }
2338
2339         /* No one is allowed to remove a SELinux security label.
2340            You can change the label, but all data must be labeled. */
2341         return -EACCES;
2342 }
2343
2344 static const char *selinux_inode_xattr_getsuffix(void)
2345 {
2346       return XATTR_SELINUX_SUFFIX;
2347 }
2348
2349 /*
2350  * Copy the in-core inode security context value to the user.  If the
2351  * getxattr() prior to this succeeded, check to see if we need to
2352  * canonicalize the value to be finally returned to the user.
2353  *
2354  * Permission check is handled by selinux_inode_getxattr hook.
2355  */
2356 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2357 {
2358         struct inode_security_struct *isec = inode->i_security;
2359
2360         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2361                 return -EOPNOTSUPP;
2362
2363         return selinux_getsecurity(isec->sid, buffer, size);
2364 }
2365
2366 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2367                                      const void *value, size_t size, int flags)
2368 {
2369         struct inode_security_struct *isec = inode->i_security;
2370         u32 newsid;
2371         int rc;
2372
2373         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2374                 return -EOPNOTSUPP;
2375
2376         if (!value || !size)
2377                 return -EACCES;
2378
2379         rc = security_context_to_sid((void*)value, size, &newsid);
2380         if (rc)
2381                 return rc;
2382
2383         isec->sid = newsid;
2384         return 0;
2385 }
2386
2387 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2388 {
2389         const int len = sizeof(XATTR_NAME_SELINUX);
2390         if (buffer && len <= buffer_size)
2391                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2392         return len;
2393 }
2394
2395 /* file security operations */
2396
2397 static int selinux_file_permission(struct file *file, int mask)
2398 {
2399         struct inode *inode = file->f_dentry->d_inode;
2400
2401         if (!mask) {
2402                 /* No permission to check.  Existence test. */
2403                 return 0;
2404         }
2405
2406         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2407         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2408                 mask |= MAY_APPEND;
2409
2410         return file_has_perm(current, file,
2411                              file_mask_to_av(inode->i_mode, mask));
2412 }
2413
2414 static int selinux_file_alloc_security(struct file *file)
2415 {
2416         return file_alloc_security(file);
2417 }
2418
2419 static void selinux_file_free_security(struct file *file)
2420 {
2421         file_free_security(file);
2422 }
2423
2424 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2425                               unsigned long arg)
2426 {
2427         int error = 0;
2428
2429         switch (cmd) {
2430                 case FIONREAD:
2431                 /* fall through */
2432                 case FIBMAP:
2433                 /* fall through */
2434                 case FIGETBSZ:
2435                 /* fall through */
2436                 case EXT2_IOC_GETFLAGS:
2437                 /* fall through */
2438                 case EXT2_IOC_GETVERSION:
2439                         error = file_has_perm(current, file, FILE__GETATTR);
2440                         break;
2441
2442                 case EXT2_IOC_SETFLAGS:
2443                 /* fall through */
2444                 case EXT2_IOC_SETVERSION:
2445                         error = file_has_perm(current, file, FILE__SETATTR);
2446                         break;
2447
2448                 /* sys_ioctl() checks */
2449                 case FIONBIO:
2450                 /* fall through */
2451                 case FIOASYNC:
2452                         error = file_has_perm(current, file, 0);
2453                         break;
2454
2455                 case KDSKBENT:
2456                 case KDSKBSENT:
2457                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2458                         break;
2459
2460                 /* default case assumes that the command will go
2461                  * to the file's ioctl() function.
2462                  */
2463                 default:
2464                         error = file_has_perm(current, file, FILE__IOCTL);
2465
2466         }
2467         return error;
2468 }
2469
2470 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2471 {
2472 #ifndef CONFIG_PPC32
2473         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2474                 /*
2475                  * We are making executable an anonymous mapping or a
2476                  * private file mapping that will also be writable.
2477                  * This has an additional check.
2478                  */
2479                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2480                 if (rc)
2481                         return rc;
2482         }
2483 #endif
2484
2485         if (file) {
2486                 /* read access is always possible with a mapping */
2487                 u32 av = FILE__READ;
2488
2489                 /* write access only matters if the mapping is shared */
2490                 if (shared && (prot & PROT_WRITE))
2491                         av |= FILE__WRITE;
2492
2493                 if (prot & PROT_EXEC)
2494                         av |= FILE__EXECUTE;
2495
2496                 return file_has_perm(current, file, av);
2497         }
2498         return 0;
2499 }
2500
2501 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2502                              unsigned long prot, unsigned long flags)
2503 {
2504         int rc;
2505
2506         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2507         if (rc)
2508                 return rc;
2509
2510         if (selinux_checkreqprot)
2511                 prot = reqprot;
2512
2513         return file_map_prot_check(file, prot,
2514                                    (flags & MAP_TYPE) == MAP_SHARED);
2515 }
2516
2517 static int selinux_file_mprotect(struct vm_area_struct *vma,
2518                                  unsigned long reqprot,
2519                                  unsigned long prot)
2520 {
2521         int rc;
2522
2523         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2524         if (rc)
2525                 return rc;
2526
2527         if (selinux_checkreqprot)
2528                 prot = reqprot;
2529
2530 #ifndef CONFIG_PPC32
2531         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2532                 rc = 0;
2533                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2534                     vma->vm_end <= vma->vm_mm->brk) {
2535                         rc = task_has_perm(current, current,
2536                                            PROCESS__EXECHEAP);
2537                 } else if (!vma->vm_file &&
2538                            vma->vm_start <= vma->vm_mm->start_stack &&
2539                            vma->vm_end >= vma->vm_mm->start_stack) {
2540                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2541                 } else if (vma->vm_file && vma->anon_vma) {
2542                         /*
2543                          * We are making executable a file mapping that has
2544                          * had some COW done. Since pages might have been
2545                          * written, check ability to execute the possibly
2546                          * modified content.  This typically should only
2547                          * occur for text relocations.
2548                          */
2549                         rc = file_has_perm(current, vma->vm_file,
2550                                            FILE__EXECMOD);
2551                 }
2552                 if (rc)
2553                         return rc;
2554         }
2555 #endif
2556
2557         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2558 }
2559
2560 static int selinux_file_lock(struct file *file, unsigned int cmd)
2561 {
2562         return file_has_perm(current, file, FILE__LOCK);
2563 }
2564
2565 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2566                               unsigned long arg)
2567 {
2568         int err = 0;
2569
2570         switch (cmd) {
2571                 case F_SETFL:
2572                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2573                                 err = -EINVAL;
2574                                 break;
2575                         }
2576
2577                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2578                                 err = file_has_perm(current, file,FILE__WRITE);
2579                                 break;
2580                         }
2581                         /* fall through */
2582                 case F_SETOWN:
2583                 case F_SETSIG:
2584                 case F_GETFL:
2585                 case F_GETOWN:
2586                 case F_GETSIG:
2587                         /* Just check FD__USE permission */
2588                         err = file_has_perm(current, file, 0);
2589                         break;
2590                 case F_GETLK:
2591                 case F_SETLK:
2592                 case F_SETLKW:
2593 #if BITS_PER_LONG == 32
2594                 case F_GETLK64:
2595                 case F_SETLK64:
2596                 case F_SETLKW64:
2597 #endif
2598                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2599                                 err = -EINVAL;
2600                                 break;
2601                         }
2602                         err = file_has_perm(current, file, FILE__LOCK);
2603                         break;
2604         }
2605
2606         return err;
2607 }
2608
2609 static int selinux_file_set_fowner(struct file *file)
2610 {
2611         struct task_security_struct *tsec;
2612         struct file_security_struct *fsec;
2613
2614         tsec = current->security;
2615         fsec = file->f_security;
2616         fsec->fown_sid = tsec->sid;
2617
2618         return 0;
2619 }
2620
2621 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2622                                        struct fown_struct *fown, int signum)
2623 {
2624         struct file *file;
2625         u32 perm;
2626         struct task_security_struct *tsec;
2627         struct file_security_struct *fsec;
2628
2629         /* struct fown_struct is never outside the context of a struct file */
2630         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2631
2632         tsec = tsk->security;
2633         fsec = file->f_security;
2634
2635         if (!signum)
2636                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2637         else
2638                 perm = signal_to_av(signum);
2639
2640         return avc_has_perm(fsec->fown_sid, tsec->sid,
2641                             SECCLASS_PROCESS, perm, NULL);
2642 }
2643
2644 static int selinux_file_receive(struct file *file)
2645 {
2646         return file_has_perm(current, file, file_to_av(file));
2647 }
2648
2649 /* task security operations */
2650
2651 static int selinux_task_create(unsigned long clone_flags)
2652 {
2653         int rc;
2654
2655         rc = secondary_ops->task_create(clone_flags);
2656         if (rc)
2657                 return rc;
2658
2659         return task_has_perm(current, current, PROCESS__FORK);
2660 }
2661
2662 static int selinux_task_alloc_security(struct task_struct *tsk)
2663 {
2664         struct task_security_struct *tsec1, *tsec2;
2665         int rc;
2666
2667         tsec1 = current->security;
2668
2669         rc = task_alloc_security(tsk);
2670         if (rc)
2671                 return rc;
2672         tsec2 = tsk->security;
2673
2674         tsec2->osid = tsec1->osid;
2675         tsec2->sid = tsec1->sid;
2676
2677         /* Retain the exec, fs, key, and sock SIDs across fork */
2678         tsec2->exec_sid = tsec1->exec_sid;
2679         tsec2->create_sid = tsec1->create_sid;
2680         tsec2->keycreate_sid = tsec1->keycreate_sid;
2681         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2682
2683         /* Retain ptracer SID across fork, if any.
2684            This will be reset by the ptrace hook upon any
2685            subsequent ptrace_attach operations. */
2686         tsec2->ptrace_sid = tsec1->ptrace_sid;
2687
2688         return 0;
2689 }
2690
2691 static void selinux_task_free_security(struct task_struct *tsk)
2692 {
2693         task_free_security(tsk);
2694 }
2695
2696 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2697 {
2698         /* Since setuid only affects the current process, and
2699            since the SELinux controls are not based on the Linux
2700            identity attributes, SELinux does not need to control
2701            this operation.  However, SELinux does control the use
2702            of the CAP_SETUID and CAP_SETGID capabilities using the
2703            capable hook. */
2704         return 0;
2705 }
2706
2707 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2708 {
2709         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2710 }
2711
2712 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2713 {
2714         /* See the comment for setuid above. */
2715         return 0;
2716 }
2717
2718 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2719 {
2720         return task_has_perm(current, p, PROCESS__SETPGID);
2721 }
2722
2723 static int selinux_task_getpgid(struct task_struct *p)
2724 {
2725         return task_has_perm(current, p, PROCESS__GETPGID);
2726 }
2727
2728 static int selinux_task_getsid(struct task_struct *p)
2729 {
2730         return task_has_perm(current, p, PROCESS__GETSESSION);
2731 }
2732
2733 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2734 {
2735         selinux_get_task_sid(p, secid);
2736 }
2737
2738 static int selinux_task_setgroups(struct group_info *group_info)
2739 {
2740         /* See the comment for setuid above. */
2741         return 0;
2742 }
2743
2744 static int selinux_task_setnice(struct task_struct *p, int nice)
2745 {
2746         int rc;
2747
2748         rc = secondary_ops->task_setnice(p, nice);
2749         if (rc)
2750                 return rc;
2751
2752         return task_has_perm(current,p, PROCESS__SETSCHED);
2753 }
2754
2755 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2756 {
2757         return task_has_perm(current, p, PROCESS__SETSCHED);
2758 }
2759
2760 static int selinux_task_getioprio(struct task_struct *p)
2761 {
2762         return task_has_perm(current, p, PROCESS__GETSCHED);
2763 }
2764
2765 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2766 {
2767         struct rlimit *old_rlim = current->signal->rlim + resource;
2768         int rc;
2769
2770         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2771         if (rc)
2772                 return rc;
2773
2774         /* Control the ability to change the hard limit (whether
2775            lowering or raising it), so that the hard limit can
2776            later be used as a safe reset point for the soft limit
2777            upon context transitions. See selinux_bprm_apply_creds. */
2778         if (old_rlim->rlim_max != new_rlim->rlim_max)
2779                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2780
2781         return 0;
2782 }
2783
2784 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2785 {
2786         return task_has_perm(current, p, PROCESS__SETSCHED);
2787 }
2788
2789 static int selinux_task_getscheduler(struct task_struct *p)
2790 {
2791         return task_has_perm(current, p, PROCESS__GETSCHED);
2792 }
2793
2794 static int selinux_task_movememory(struct task_struct *p)
2795 {
2796         return task_has_perm(current, p, PROCESS__SETSCHED);
2797 }
2798
2799 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2800                                 int sig, u32 secid)
2801 {
2802         u32 perm;
2803         int rc;
2804         struct task_security_struct *tsec;
2805
2806         rc = secondary_ops->task_kill(p, info, sig, secid);
2807         if (rc)
2808                 return rc;
2809
2810         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2811                 return 0;
2812
2813         if (!sig)
2814                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2815         else
2816                 perm = signal_to_av(sig);
2817         tsec = p->security;
2818         if (secid)
2819                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2820         else
2821                 rc = task_has_perm(current, p, perm);
2822         return rc;
2823 }
2824
2825 static int selinux_task_prctl(int option,
2826                               unsigned long arg2,
2827                               unsigned long arg3,
2828                               unsigned long arg4,
2829                               unsigned long arg5)
2830 {
2831         /* The current prctl operations do not appear to require
2832            any SELinux controls since they merely observe or modify
2833            the state of the current process. */
2834         return 0;
2835 }
2836
2837 static int selinux_task_wait(struct task_struct *p)
2838 {
2839         u32 perm;
2840
2841         perm = signal_to_av(p->exit_signal);
2842
2843         return task_has_perm(p, current, perm);
2844 }
2845
2846 static void selinux_task_reparent_to_init(struct task_struct *p)
2847 {
2848         struct task_security_struct *tsec;
2849
2850         secondary_ops->task_reparent_to_init(p);
2851
2852         tsec = p->security;
2853         tsec->osid = tsec->sid;
2854         tsec->sid = SECINITSID_KERNEL;
2855         return;
2856 }
2857
2858 static void selinux_task_to_inode(struct task_struct *p,
2859                                   struct inode *inode)
2860 {
2861         struct task_security_struct *tsec = p->security;
2862         struct inode_security_struct *isec = inode->i_security;
2863
2864         isec->sid = tsec->sid;
2865         isec->initialized = 1;
2866         return;
2867 }
2868
2869 /* Returns error only if unable to parse addresses */
2870 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2871 {
2872         int offset, ihlen, ret = -EINVAL;
2873         struct iphdr _iph, *ih;
2874
2875         offset = skb->nh.raw - skb->data;
2876         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2877         if (ih == NULL)
2878                 goto out;
2879
2880         ihlen = ih->ihl * 4;
2881         if (ihlen < sizeof(_iph))
2882                 goto out;
2883
2884         ad->u.net.v4info.saddr = ih->saddr;
2885         ad->u.net.v4info.daddr = ih->daddr;
2886         ret = 0;
2887
2888         switch (ih->protocol) {
2889         case IPPROTO_TCP: {
2890                 struct tcphdr _tcph, *th;
2891
2892                 if (ntohs(ih->frag_off) & IP_OFFSET)
2893                         break;
2894
2895                 offset += ihlen;
2896                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2897                 if (th == NULL)
2898                         break;
2899
2900                 ad->u.net.sport = th->source;
2901                 ad->u.net.dport = th->dest;
2902                 break;
2903         }
2904         
2905         case IPPROTO_UDP: {
2906                 struct udphdr _udph, *uh;
2907                 
2908                 if (ntohs(ih->frag_off) & IP_OFFSET)
2909                         break;
2910                         
2911                 offset += ihlen;
2912                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2913                 if (uh == NULL)
2914                         break;  
2915
2916                 ad->u.net.sport = uh->source;
2917                 ad->u.net.dport = uh->dest;
2918                 break;
2919         }
2920
2921         default:
2922                 break;
2923         }
2924 out:
2925         return ret;
2926 }
2927
2928 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2929
2930 /* Returns error only if unable to parse addresses */
2931 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2932 {
2933         u8 nexthdr;
2934         int ret = -EINVAL, offset;
2935         struct ipv6hdr _ipv6h, *ip6;
2936
2937         offset = skb->nh.raw - skb->data;
2938         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2939         if (ip6 == NULL)
2940                 goto out;
2941
2942         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2943         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2944         ret = 0;
2945
2946         nexthdr = ip6->nexthdr;
2947         offset += sizeof(_ipv6h);
2948         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2949         if (offset < 0)
2950                 goto out;
2951
2952         switch (nexthdr) {
2953         case IPPROTO_TCP: {
2954                 struct tcphdr _tcph, *th;
2955
2956                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2957                 if (th == NULL)
2958                         break;
2959
2960                 ad->u.net.sport = th->source;
2961                 ad->u.net.dport = th->dest;
2962                 break;
2963         }
2964
2965         case IPPROTO_UDP: {
2966                 struct udphdr _udph, *uh;
2967
2968                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2969                 if (uh == NULL)
2970                         break;
2971
2972                 ad->u.net.sport = uh->source;
2973                 ad->u.net.dport = uh->dest;
2974                 break;
2975         }
2976
2977         /* includes fragments */
2978         default:
2979                 break;
2980         }
2981 out:
2982         return ret;
2983 }
2984
2985 #endif /* IPV6 */
2986
2987 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2988                              char **addrp, int *len, int src)
2989 {
2990         int ret = 0;
2991
2992         switch (ad->u.net.family) {
2993         case PF_INET:
2994                 ret = selinux_parse_skb_ipv4(skb, ad);
2995                 if (ret || !addrp)
2996                         break;
2997                 *len = 4;
2998                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2999                                         &ad->u.net.v4info.daddr);
3000                 break;
3001
3002 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3003         case PF_INET6:
3004                 ret = selinux_parse_skb_ipv6(skb, ad);
3005                 if (ret || !addrp)
3006                         break;
3007                 *len = 16;
3008                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3009                                         &ad->u.net.v6info.daddr);
3010                 break;
3011 #endif  /* IPV6 */
3012         default:
3013                 break;
3014         }
3015
3016         return ret;
3017 }
3018
3019 /* socket security operations */
3020 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3021                            u32 perms)
3022 {
3023         struct inode_security_struct *isec;
3024         struct task_security_struct *tsec;
3025         struct avc_audit_data ad;
3026         int err = 0;
3027
3028         tsec = task->security;
3029         isec = SOCK_INODE(sock)->i_security;
3030
3031         if (isec->sid == SECINITSID_KERNEL)
3032                 goto out;
3033
3034         AVC_AUDIT_DATA_INIT(&ad,NET);
3035         ad.u.net.sk = sock->sk;
3036         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3037
3038 out:
3039         return err;
3040 }
3041
3042 static int selinux_socket_create(int family, int type,
3043                                  int protocol, int kern)
3044 {
3045         int err = 0;
3046         struct task_security_struct *tsec;
3047         u32 newsid;
3048
3049         if (kern)
3050                 goto out;
3051
3052         tsec = current->security;
3053         newsid = tsec->sockcreate_sid ? : tsec->sid;
3054         err = avc_has_perm(tsec->sid, newsid,
3055                            socket_type_to_security_class(family, type,
3056                            protocol), SOCKET__CREATE, NULL);
3057
3058 out:
3059         return err;
3060 }
3061
3062 static void selinux_socket_post_create(struct socket *sock, int family,
3063                                        int type, int protocol, int kern)
3064 {
3065         struct inode_security_struct *isec;
3066         struct task_security_struct *tsec;
3067         u32 newsid;
3068
3069         isec = SOCK_INODE(sock)->i_security;
3070
3071         tsec = current->security;
3072         newsid = tsec->sockcreate_sid ? : tsec->sid;
3073         isec->sclass = socket_type_to_security_class(family, type, protocol);
3074         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3075         isec->initialized = 1;
3076
3077         return;
3078 }
3079
3080 /* Range of port numbers used to automatically bind.
3081    Need to determine whether we should perform a name_bind
3082    permission check between the socket and the port number. */
3083 #define ip_local_port_range_0 sysctl_local_port_range[0]
3084 #define ip_local_port_range_1 sysctl_local_port_range[1]
3085
3086 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3087 {
3088         u16 family;
3089         int err;
3090
3091         err = socket_has_perm(current, sock, SOCKET__BIND);
3092         if (err)
3093                 goto out;
3094
3095         /*
3096          * If PF_INET or PF_INET6, check name_bind permission for the port.
3097          * Multiple address binding for SCTP is not supported yet: we just
3098          * check the first address now.
3099          */
3100         family = sock->sk->sk_family;
3101         if (family == PF_INET || family == PF_INET6) {
3102                 char *addrp;
3103                 struct inode_security_struct *isec;
3104                 struct task_security_struct *tsec;
3105                 struct avc_audit_data ad;
3106                 struct sockaddr_in *addr4 = NULL;
3107                 struct sockaddr_in6 *addr6 = NULL;
3108                 unsigned short snum;
3109                 struct sock *sk = sock->sk;
3110                 u32 sid, node_perm, addrlen;
3111
3112                 tsec = current->security;
3113                 isec = SOCK_INODE(sock)->i_security;
3114
3115                 if (family == PF_INET) {
3116                         addr4 = (struct sockaddr_in *)address;
3117                         snum = ntohs(addr4->sin_port);
3118                         addrlen = sizeof(addr4->sin_addr.s_addr);
3119                         addrp = (char *)&addr4->sin_addr.s_addr;
3120                 } else {
3121                         addr6 = (struct sockaddr_in6 *)address;
3122                         snum = ntohs(addr6->sin6_port);
3123                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3124                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3125                 }
3126
3127                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3128                            snum > ip_local_port_range_1)) {
3129                         err = security_port_sid(sk->sk_family, sk->sk_type,
3130                                                 sk->sk_protocol, snum, &sid);
3131                         if (err)
3132                                 goto out;
3133                         AVC_AUDIT_DATA_INIT(&ad,NET);
3134                         ad.u.net.sport = htons(snum);
3135                         ad.u.net.family = family;
3136                         err = avc_has_perm(isec->sid, sid,
3137                                            isec->sclass,
3138                                            SOCKET__NAME_BIND, &ad);
3139                         if (err)
3140                                 goto out;
3141                 }
3142                 
3143                 switch(isec->sclass) {
3144                 case SECCLASS_TCP_SOCKET:
3145                         node_perm = TCP_SOCKET__NODE_BIND;
3146                         break;
3147                         
3148                 case SECCLASS_UDP_SOCKET:
3149                         node_perm = UDP_SOCKET__NODE_BIND;
3150                         break;
3151                         
3152                 default:
3153                         node_perm = RAWIP_SOCKET__NODE_BIND;
3154                         break;
3155                 }
3156                 
3157                 err = security_node_sid(family, addrp, addrlen, &sid);
3158                 if (err)
3159                         goto out;
3160                 
3161                 AVC_AUDIT_DATA_INIT(&ad,NET);
3162                 ad.u.net.sport = htons(snum);
3163                 ad.u.net.family = family;
3164
3165                 if (family == PF_INET)
3166                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3167                 else
3168                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3169
3170                 err = avc_has_perm(isec->sid, sid,
3171                                    isec->sclass, node_perm, &ad);
3172                 if (err)
3173                         goto out;
3174         }
3175 out:
3176         return err;
3177 }
3178
3179 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3180 {
3181         struct inode_security_struct *isec;
3182         int err;
3183
3184         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3185         if (err)
3186                 return err;
3187
3188         /*
3189          * If a TCP socket, check name_connect permission for the port.
3190          */
3191         isec = SOCK_INODE(sock)->i_security;
3192         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3193                 struct sock *sk = sock->sk;
3194                 struct avc_audit_data ad;
3195                 struct sockaddr_in *addr4 = NULL;
3196                 struct sockaddr_in6 *addr6 = NULL;
3197                 unsigned short snum;
3198                 u32 sid;
3199
3200                 if (sk->sk_family == PF_INET) {
3201                         addr4 = (struct sockaddr_in *)address;
3202                         if (addrlen < sizeof(struct sockaddr_in))
3203                                 return -EINVAL;
3204                         snum = ntohs(addr4->sin_port);
3205                 } else {
3206                         addr6 = (struct sockaddr_in6 *)address;
3207                         if (addrlen < SIN6_LEN_RFC2133)
3208                                 return -EINVAL;
3209                         snum = ntohs(addr6->sin6_port);
3210                 }
3211
3212                 err = security_port_sid(sk->sk_family, sk->sk_type,
3213                                         sk->sk_protocol, snum, &sid);
3214                 if (err)
3215                         goto out;
3216
3217                 AVC_AUDIT_DATA_INIT(&ad,NET);
3218                 ad.u.net.dport = htons(snum);
3219                 ad.u.net.family = sk->sk_family;
3220                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3221                                    TCP_SOCKET__NAME_CONNECT, &ad);
3222                 if (err)
3223                         goto out;
3224         }
3225
3226 out:
3227         return err;
3228 }
3229
3230 static int selinux_socket_listen(struct socket *sock, int backlog)
3231 {
3232         return socket_has_perm(current, sock, SOCKET__LISTEN);
3233 }
3234
3235 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3236 {
3237         int err;
3238         struct inode_security_struct *isec;
3239         struct inode_security_struct *newisec;
3240
3241         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3242         if (err)
3243                 return err;
3244
3245         newisec = SOCK_INODE(newsock)->i_security;
3246
3247         isec = SOCK_INODE(sock)->i_security;
3248         newisec->sclass = isec->sclass;
3249         newisec->sid = isec->sid;
3250         newisec->initialized = 1;
3251
3252         return 0;
3253 }
3254
3255 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3256                                   int size)
3257 {
3258         return socket_has_perm(current, sock, SOCKET__WRITE);
3259 }
3260
3261 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3262                                   int size, int flags)
3263 {
3264         return socket_has_perm(current, sock, SOCKET__READ);
3265 }
3266
3267 static int selinux_socket_getsockname(struct socket *sock)
3268 {
3269         return socket_has_perm(current, sock, SOCKET__GETATTR);
3270 }
3271
3272 static int selinux_socket_getpeername(struct socket *sock)
3273 {
3274         return socket_has_perm(current, sock, SOCKET__GETATTR);
3275 }
3276
3277 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3278 {
3279         return socket_has_perm(current, sock, SOCKET__SETOPT);
3280 }
3281
3282 static int selinux_socket_getsockopt(struct socket *sock, int level,
3283                                      int optname)
3284 {
3285         return socket_has_perm(current, sock, SOCKET__GETOPT);
3286 }
3287
3288 static int selinux_socket_shutdown(struct socket *sock, int how)
3289 {
3290         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3291 }
3292
3293 static int selinux_socket_unix_stream_connect(struct socket *sock,
3294                                               struct socket *other,
3295                                               struct sock *newsk)
3296 {
3297         struct sk_security_struct *ssec;
3298         struct inode_security_struct *isec;
3299         struct inode_security_struct *other_isec;
3300         struct avc_audit_data ad;
3301         int err;
3302
3303         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3304         if (err)
3305                 return err;
3306
3307         isec = SOCK_INODE(sock)->i_security;
3308         other_isec = SOCK_INODE(other)->i_security;
3309
3310         AVC_AUDIT_DATA_INIT(&ad,NET);
3311         ad.u.net.sk = other->sk;
3312
3313         err = avc_has_perm(isec->sid, other_isec->sid,
3314                            isec->sclass,
3315                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3316         if (err)
3317                 return err;
3318
3319         /* connecting socket */
3320         ssec = sock->sk->sk_security;
3321         ssec->peer_sid = other_isec->sid;
3322         
3323         /* server child socket */
3324         ssec = newsk->sk_security;
3325         ssec->peer_sid = isec->sid;
3326         
3327         return 0;
3328 }
3329
3330 static int selinux_socket_unix_may_send(struct socket *sock,
3331                                         struct socket *other)
3332 {
3333         struct inode_security_struct *isec;
3334         struct inode_security_struct *other_isec;
3335         struct avc_audit_data ad;
3336         int err;
3337
3338         isec = SOCK_INODE(sock)->i_security;
3339         other_isec = SOCK_INODE(other)->i_security;
3340
3341         AVC_AUDIT_DATA_INIT(&ad,NET);
3342         ad.u.net.sk = other->sk;
3343
3344         err = avc_has_perm(isec->sid, other_isec->sid,
3345                            isec->sclass, SOCKET__SENDTO, &ad);
3346         if (err)
3347                 return err;
3348
3349         return 0;
3350 }
3351
3352 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3353                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3354                 u16 family, char *addrp, int len)
3355 {
3356         int err = 0;
3357         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3358
3359         if (!skb->dev)
3360                 goto out;
3361
3362         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3363         if (err)
3364                 goto out;
3365
3366         switch (sock_class) {
3367         case SECCLASS_UDP_SOCKET:
3368                 netif_perm = NETIF__UDP_RECV;
3369                 node_perm = NODE__UDP_RECV;
3370                 recv_perm = UDP_SOCKET__RECV_MSG;
3371                 break;
3372         
3373         case SECCLASS_TCP_SOCKET:
3374                 netif_perm = NETIF__TCP_RECV;
3375                 node_perm = NODE__TCP_RECV;
3376                 recv_perm = TCP_SOCKET__RECV_MSG;
3377                 break;
3378         
3379         default:
3380                 netif_perm = NETIF__RAWIP_RECV;
3381                 node_perm = NODE__RAWIP_RECV;
3382                 break;
3383         }
3384
3385         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3386         if (err)
3387                 goto out;
3388         
3389         err = security_node_sid(family, addrp, len, &node_sid);
3390         if (err)
3391                 goto out;
3392         
3393         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3394         if (err)
3395                 goto out;
3396
3397         if (recv_perm) {
3398                 u32 port_sid;
3399
3400                 err = security_port_sid(sk->sk_family, sk->sk_type,
3401                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3402                                         &port_sid);
3403                 if (err)
3404                         goto out;
3405
3406                 err = avc_has_perm(sock_sid, port_sid,
3407                                    sock_class, recv_perm, ad);
3408         }
3409
3410 out:
3411         return err;
3412 }
3413
3414 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3415 {
3416         u16 family;
3417         u16 sock_class = 0;
3418         char *addrp;
3419         int len, err = 0;
3420         u32 sock_sid = 0;
3421         struct socket *sock;
3422         struct avc_audit_data ad;
3423
3424         family = sk->sk_family;
3425         if (family != PF_INET && family != PF_INET6)
3426                 goto out;
3427
3428         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3429         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3430                 family = PF_INET;
3431
3432         read_lock_bh(&sk->sk_callback_lock);
3433         sock = sk->sk_socket;
3434         if (sock) {
3435                 struct inode *inode;
3436                 inode = SOCK_INODE(sock);
3437                 if (inode) {
3438                         struct inode_security_struct *isec;
3439                         isec = inode->i_security;
3440                         sock_sid = isec->sid;
3441                         sock_class = isec->sclass;
3442                 }
3443         }
3444         read_unlock_bh(&sk->sk_callback_lock);
3445         if (!sock_sid)
3446                 goto out;
3447
3448         AVC_AUDIT_DATA_INIT(&ad, NET);
3449         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3450         ad.u.net.family = family;
3451
3452         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3453         if (err)
3454                 goto out;
3455
3456         if (selinux_compat_net)
3457                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3458                                                   sock_class, family,
3459                                                   addrp, len);
3460         else
3461                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3462                                    PACKET__RECV, &ad);
3463         if (err)
3464                 goto out;
3465
3466         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3467 out:    
3468         return err;
3469 }
3470
3471 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3472                                             int __user *optlen, unsigned len)
3473 {
3474         int err = 0;
3475         char *scontext;
3476         u32 scontext_len;
3477         struct sk_security_struct *ssec;
3478         struct inode_security_struct *isec;
3479         u32 peer_sid = 0;
3480
3481         isec = SOCK_INODE(sock)->i_security;
3482
3483         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3484         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3485                 ssec = sock->sk->sk_security;
3486                 peer_sid = ssec->peer_sid;
3487         }
3488         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3489                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3490
3491                 if (peer_sid == SECSID_NULL) {
3492                         err = -ENOPROTOOPT;
3493                         goto out;
3494                 }
3495         }
3496         else {
3497                 err = -ENOPROTOOPT;
3498                 goto out;
3499         }
3500
3501         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3502
3503         if (err)
3504                 goto out;
3505
3506         if (scontext_len > len) {
3507                 err = -ERANGE;
3508                 goto out_len;
3509         }
3510
3511         if (copy_to_user(optval, scontext, scontext_len))
3512                 err = -EFAULT;
3513
3514 out_len:
3515         if (put_user(scontext_len, optlen))
3516                 err = -EFAULT;
3517
3518         kfree(scontext);
3519 out:    
3520         return err;
3521 }
3522
3523 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3524 {
3525         int err = 0;
3526         u32 peer_sid;
3527
3528         if (skb->sk->sk_family == PF_UNIX)
3529                 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
3530                                       &peer_sid);
3531         else
3532                 peer_sid = selinux_socket_getpeer_dgram(skb);
3533
3534         if (peer_sid == SECSID_NULL)
3535                 return -EINVAL;
3536
3537         err = security_sid_to_context(peer_sid, secdata, seclen);
3538         if (err)
3539                 return err;
3540
3541         return 0;
3542 }
3543
3544 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3545 {
3546         return sk_alloc_security(sk, family, priority);
3547 }
3548
3549 static void selinux_sk_free_security(struct sock *sk)
3550 {
3551         sk_free_security(sk);
3552 }
3553
3554 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3555 {
3556         struct inode_security_struct *isec;
3557         u32 sock_sid = SECINITSID_ANY_SOCKET;
3558
3559         if (!sk)
3560                 return selinux_no_sk_sid(fl);
3561
3562         read_lock_bh(&sk->sk_callback_lock);
3563         isec = get_sock_isec(sk);
3564
3565         if (isec)
3566                 sock_sid = isec->sid;
3567
3568         read_unlock_bh(&sk->sk_callback_lock);
3569         return sock_sid;
3570 }
3571
3572 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3573 {
3574         int err = 0;
3575         u32 perm;
3576         struct nlmsghdr *nlh;
3577         struct socket *sock = sk->sk_socket;
3578         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3579         
3580         if (skb->len < NLMSG_SPACE(0)) {
3581                 err = -EINVAL;
3582                 goto out;
3583         }
3584         nlh = (struct nlmsghdr *)skb->data;
3585         
3586         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3587         if (err) {
3588                 if (err == -EINVAL) {
3589                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3590                                   "SELinux:  unrecognized netlink message"
3591                                   " type=%hu for sclass=%hu\n",
3592                                   nlh->nlmsg_type, isec->sclass);
3593                         if (!selinux_enforcing)
3594                                 err = 0;
3595                 }
3596
3597                 /* Ignore */
3598                 if (err == -ENOENT)
3599                         err = 0;
3600                 goto out;
3601         }
3602
3603         err = socket_has_perm(current, sock, perm);
3604 out:
3605         return err;
3606 }
3607
3608 #ifdef CONFIG_NETFILTER
3609
3610 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3611                                             struct inode_security_struct *isec,
3612                                             struct avc_audit_data *ad,
3613                                             u16 family, char *addrp, int len)
3614 {
3615         int err;
3616         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3617         
3618         err = sel_netif_sids(dev, &if_sid, NULL);
3619         if (err)
3620                 goto out;
3621
3622         switch (isec->sclass) {
3623         case SECCLASS_UDP_SOCKET:
3624                 netif_perm = NETIF__UDP_SEND;
3625                 node_perm = NODE__UDP_SEND;
3626                 send_perm = UDP_SOCKET__SEND_MSG;
3627                 break;
3628         
3629         case SECCLASS_TCP_SOCKET:
3630                 netif_perm = NETIF__TCP_SEND;
3631                 node_perm = NODE__TCP_SEND;
3632                 send_perm = TCP_SOCKET__SEND_MSG;
3633                 break;
3634         
3635         default:
3636                 netif_perm = NETIF__RAWIP_SEND;
3637                 node_perm = NODE__RAWIP_SEND;
3638                 break;
3639         }
3640
3641         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3642         if (err)
3643                 goto out;
3644                 
3645         err = security_node_sid(family, addrp, len, &node_sid);
3646         if (err)
3647                 goto out;
3648         
3649         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3650         if (err)
3651                 goto out;
3652
3653         if (send_perm) {
3654                 u32 port_sid;
3655                 
3656                 err = security_port_sid(sk->sk_family,
3657                                         sk->sk_type,
3658                                         sk->sk_protocol,
3659                                         ntohs(ad->u.net.dport),
3660                                         &port_sid);
3661                 if (err)
3662                         goto out;
3663
3664                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3665                                    send_perm, ad);
3666         }
3667 out:
3668         return err;
3669 }
3670
3671 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3672                                               struct sk_buff **pskb,
3673                                               const struct net_device *in,
3674                                               const struct net_device *out,
3675                                               int (*okfn)(struct sk_buff *),
3676                                               u16 family)
3677 {
3678         char *addrp;
3679         int len, err = 0;
3680         struct sock *sk;
3681         struct socket *sock;
3682         struct inode *inode;
3683         struct sk_buff *skb = *pskb;
3684         struct inode_security_struct *isec;
3685         struct avc_audit_data ad;
3686         struct net_device *dev = (struct net_device *)out;
3687
3688         sk = skb->sk;
3689         if (!sk)
3690                 goto out;
3691
3692         sock = sk->sk_socket;
3693         if (!sock)
3694                 goto out;
3695
3696         inode = SOCK_INODE(sock);
3697         if (!inode)
3698                 goto out;
3699
3700         isec = inode->i_security;
3701
3702         AVC_AUDIT_DATA_INIT(&ad, NET);
3703         ad.u.net.netif = dev->name;
3704         ad.u.net.family = family;
3705
3706         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3707         if (err)
3708                 goto out;
3709
3710         if (selinux_compat_net)
3711                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3712                                                        family, addrp, len);
3713         else
3714                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3715                                    PACKET__SEND, &ad);
3716
3717         if (err)
3718                 goto out;
3719
3720         err = selinux_xfrm_postroute_last(isec->sid, skb);
3721 out:
3722         return err ? NF_DROP : NF_ACCEPT;
3723 }
3724
3725 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3726                                                 struct sk_buff **pskb,
3727                                                 const struct net_device *in,
3728                                                 const struct net_device *out,
3729                                                 int (*okfn)(struct sk_buff *))
3730 {
3731         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3732 }
3733
3734 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3735
3736 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3737                                                 struct sk_buff **pskb,
3738                                                 const struct net_device *in,
3739                                                 const struct net_device *out,
3740                                                 int (*okfn)(struct sk_buff *))
3741 {
3742         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3743 }
3744
3745 #endif  /* IPV6 */
3746
3747 #endif  /* CONFIG_NETFILTER */
3748
3749 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3750 {
3751         int err;
3752
3753         err = secondary_ops->netlink_send(sk, skb);
3754         if (err)
3755                 return err;
3756
3757         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3758                 err = selinux_nlmsg_perm(sk, skb);
3759
3760         return err;
3761 }
3762
3763 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3764 {
3765         int err;
3766         struct avc_audit_data ad;
3767
3768         err = secondary_ops->netlink_recv(skb, capability);
3769         if (err)
3770                 return err;
3771
3772         AVC_AUDIT_DATA_INIT(&ad, CAP);
3773         ad.u.cap = capability;
3774
3775         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3776                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3777 }
3778
3779 static int ipc_alloc_security(struct task_struct *task,
3780                               struct kern_ipc_perm *perm,
3781                               u16 sclass)
3782 {
3783         struct task_security_struct *tsec = task->security;
3784         struct ipc_security_struct *isec;
3785
3786         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3787         if (!isec)
3788                 return -ENOMEM;
3789
3790         isec->sclass = sclass;
3791         isec->ipc_perm = perm;
3792         isec->sid = tsec->sid;
3793         perm->security = isec;
3794
3795         return 0;
3796 }
3797
3798 static void ipc_free_security(struct kern_ipc_perm *perm)
3799 {
3800         struct ipc_security_struct *isec = perm->security;
3801         perm->security = NULL;
3802         kfree(isec);
3803 }
3804
3805 static int msg_msg_alloc_security(struct msg_msg *msg)
3806 {
3807         struct msg_security_struct *msec;
3808
3809         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3810         if (!msec)
3811                 return -ENOMEM;
3812
3813         msec->msg = msg;
3814         msec->sid = SECINITSID_UNLABELED;
3815         msg->security = msec;
3816
3817         return 0;
3818 }
3819
3820 static void msg_msg_free_security(struct msg_msg *msg)
3821 {
3822         struct msg_security_struct *msec = msg->security;
3823
3824         msg->security = NULL;
3825         kfree(msec);
3826 }
3827
3828 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3829                         u32 perms)
3830 {
3831         struct task_security_struct *tsec;
3832         struct ipc_security_struct *isec;
3833         struct avc_audit_data ad;
3834
3835         tsec = current->security;
3836         isec = ipc_perms->security;
3837
3838         AVC_AUDIT_DATA_INIT(&ad, IPC);
3839         ad.u.ipc_id = ipc_perms->key;
3840
3841         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3842 }
3843
3844 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3845 {
3846         return msg_msg_alloc_security(msg);
3847 }
3848
3849 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3850 {
3851         msg_msg_free_security(msg);
3852 }
3853
3854 /* message queue security operations */
3855 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3856 {
3857         struct task_security_struct *tsec;
3858         struct ipc_security_struct *isec;
3859         struct avc_audit_data ad;
3860         int rc;
3861
3862         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3863         if (rc)
3864                 return rc;
3865
3866         tsec = current->security;
3867         isec = msq->q_perm.security;
3868
3869         AVC_AUDIT_DATA_INIT(&ad, IPC);
3870         ad.u.ipc_id = msq->q_perm.key;
3871
3872         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3873                           MSGQ__CREATE, &ad);
3874         if (rc) {
3875                 ipc_free_security(&msq->q_perm);
3876                 return rc;
3877         }
3878         return 0;
3879 }
3880
3881 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3882 {
3883         ipc_free_security(&msq->q_perm);
3884 }
3885
3886 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3887 {
3888         struct task_security_struct *tsec;
3889         struct ipc_security_struct *isec;
3890         struct avc_audit_data ad;
3891
3892         tsec = current->security;
3893         isec = msq->q_perm.security;
3894
3895         AVC_AUDIT_DATA_INIT(&ad, IPC);
3896         ad.u.ipc_id = msq->q_perm.key;
3897
3898         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3899                             MSGQ__ASSOCIATE, &ad);
3900 }
3901
3902 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3903 {
3904         int err;
3905         int perms;
3906
3907         switch(cmd) {
3908         case IPC_INFO:
3909         case MSG_INFO:
3910                 /* No specific object, just general system-wide information. */
3911                 return task_has_system(current, SYSTEM__IPC_INFO);
3912         case IPC_STAT:
3913         case MSG_STAT:
3914                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3915                 break;
3916         case IPC_SET:
3917                 perms = MSGQ__SETATTR;
3918                 break;
3919         case IPC_RMID:
3920                 perms = MSGQ__DESTROY;
3921                 break;
3922         default:
3923                 return 0;
3924         }
3925
3926         err = ipc_has_perm(&msq->q_perm, perms);
3927         return err;
3928 }
3929
3930 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3931 {
3932         struct task_security_struct *tsec;
3933         struct ipc_security_struct *isec;
3934         struct msg_security_struct *msec;
3935         struct avc_audit_data ad;
3936         int rc;
3937
3938         tsec = current->security;
3939         isec = msq->q_perm.security;
3940         msec = msg->security;
3941
3942         /*
3943          * First time through, need to assign label to the message
3944          */
3945         if (msec->sid == SECINITSID_UNLABELED) {
3946                 /*
3947                  * Compute new sid based on current process and
3948                  * message queue this message will be stored in
3949                  */
3950                 rc = security_transition_sid(tsec->sid,
3951                                              isec->sid,
3952                                              SECCLASS_MSG,
3953                                              &msec->sid);
3954                 if (rc)
3955                         return rc;
3956         }
3957
3958         AVC_AUDIT_DATA_INIT(&ad, IPC);
3959         ad.u.ipc_id = msq->q_perm.key;
3960
3961         /* Can this process write to the queue? */
3962         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3963                           MSGQ__WRITE, &ad);
3964         if (!rc)
3965                 /* Can this process send the message */
3966                 rc = avc_has_perm(tsec->sid, msec->sid,
3967                                   SECCLASS_MSG, MSG__SEND, &ad);
3968         if (!rc)
3969                 /* Can the message be put in the queue? */
3970                 rc = avc_has_perm(msec->sid, isec->sid,
3971                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3972
3973         return rc;
3974 }
3975
3976 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3977                                     struct task_struct *target,
3978                                     long type, int mode)
3979 {
3980         struct task_security_struct *tsec;
3981         struct ipc_security_struct *isec;
3982         struct msg_security_struct *msec;
3983         struct avc_audit_data ad;
3984         int rc;
3985
3986         tsec = target->security;
3987         isec = msq->q_perm.security;
3988         msec = msg->security;
3989
3990         AVC_AUDIT_DATA_INIT(&ad, IPC);
3991         ad.u.ipc_id = msq->q_perm.key;
3992
3993         rc = avc_has_perm(tsec->sid, isec->sid,
3994                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3995         if (!rc)
3996                 rc = avc_has_perm(tsec->sid, msec->sid,
3997                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3998         return rc;
3999 }
4000
4001 /* Shared Memory security operations */
4002 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4003 {
4004         struct task_security_struct *tsec;
4005         struct ipc_security_struct *isec;
4006         struct avc_audit_data ad;
4007         int rc;
4008
4009         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4010         if (rc)
4011                 return rc;
4012
4013         tsec = current->security;
4014         isec = shp->shm_perm.security;
4015
4016         AVC_AUDIT_DATA_INIT(&ad, IPC);
4017         ad.u.ipc_id = shp->shm_perm.key;
4018
4019         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4020                           SHM__CREATE, &ad);
4021         if (rc) {
4022                 ipc_free_security(&shp->shm_perm);
4023                 return rc;
4024         }
4025         return 0;
4026 }
4027
4028 static void selinux_shm_free_security(struct shmid_kernel *shp)
4029 {
4030         ipc_free_security(&shp->shm_perm);
4031 }
4032
4033 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4034 {
4035         struct task_security_struct *tsec;
4036         struct ipc_security_struct *isec;
4037         struct avc_audit_data ad;
4038
4039         tsec = current->security;
4040         isec = shp->shm_perm.security;
4041
4042         AVC_AUDIT_DATA_INIT(&ad, IPC);
4043         ad.u.ipc_id = shp->shm_perm.key;
4044
4045         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4046                             SHM__ASSOCIATE, &ad);
4047 }
4048
4049 /* Note, at this point, shp is locked down */
4050 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4051 {
4052         int perms;
4053         int err;
4054
4055         switch(cmd) {
4056         case IPC_INFO:
4057         case SHM_INFO:
4058                 /* No specific object, just general system-wide information. */
4059                 return task_has_system(current, SYSTEM__IPC_INFO);
4060         case IPC_STAT:
4061         case SHM_STAT:
4062                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4063                 break;
4064         case IPC_SET:
4065                 perms = SHM__SETATTR;
4066                 break;
4067         case SHM_LOCK:
4068         case SHM_UNLOCK:
4069                 perms = SHM__LOCK;
4070                 break;
4071         case IPC_RMID:
4072                 perms = SHM__DESTROY;
4073                 break;
4074         default:
4075                 return 0;
4076         }
4077
4078         err = ipc_has_perm(&shp->shm_perm, perms);
4079         return err;
4080 }
4081
4082 static int selinux_shm_shmat(struct shmid_kernel *shp,
4083                              char __user *shmaddr, int shmflg)
4084 {
4085         u32 perms;
4086         int rc;
4087
4088         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4089         if (rc)
4090                 return rc;
4091
4092         if (shmflg & SHM_RDONLY)
4093                 perms = SHM__READ;
4094         else
4095                 perms = SHM__READ | SHM__WRITE;
4096
4097         return ipc_has_perm(&shp->shm_perm, perms);
4098 }
4099
4100 /* Semaphore security operations */
4101 static int selinux_sem_alloc_security(struct sem_array *sma)
4102 {
4103         struct task_security_struct *tsec;
4104         struct ipc_security_struct *isec;
4105         struct avc_audit_data ad;
4106         int rc;
4107
4108         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4109         if (rc)
4110                 return rc;
4111
4112         tsec = current->security;
4113         isec = sma->sem_perm.security;
4114
4115         AVC_AUDIT_DATA_INIT(&ad, IPC);
4116         ad.u.ipc_id = sma->sem_perm.key;
4117
4118         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4119                           SEM__CREATE, &ad);
4120         if (rc) {
4121                 ipc_free_security(&sma->sem_perm);
4122                 return rc;
4123         }
4124         return 0;
4125 }
4126
4127 static void selinux_sem_free_security(struct sem_array *sma)
4128 {
4129         ipc_free_security(&sma->sem_perm);
4130 }
4131
4132 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4133 {
4134         struct task_security_struct *tsec;
4135         struct ipc_security_struct *isec;
4136         struct avc_audit_data ad;
4137
4138         tsec = current->security;
4139         isec = sma->sem_perm.security;
4140
4141         AVC_AUDIT_DATA_INIT(&ad, IPC);
4142         ad.u.ipc_id = sma->sem_perm.key;
4143
4144         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4145                             SEM__ASSOCIATE, &ad);
4146 }
4147
4148 /* Note, at this point, sma is locked down */
4149 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4150 {
4151         int err;
4152         u32 perms;
4153
4154         switch(cmd) {
4155         case IPC_INFO:
4156         case SEM_INFO:
4157                 /* No specific object, just general system-wide information. */
4158                 return task_has_system(current, SYSTEM__IPC_INFO);
4159         case GETPID:
4160         case GETNCNT:
4161         case GETZCNT:
4162                 perms = SEM__GETATTR;
4163                 break;
4164         case GETVAL:
4165         case GETALL:
4166                 perms = SEM__READ;
4167                 break;
4168         case SETVAL:
4169         case SETALL:
4170                 perms = SEM__WRITE;
4171                 break;
4172         case IPC_RMID:
4173                 perms = SEM__DESTROY;
4174                 break;
4175         case IPC_SET:
4176                 perms = SEM__SETATTR;
4177                 break;
4178         case IPC_STAT:
4179         case SEM_STAT:
4180                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4181                 break;
4182         default:
4183                 return 0;
4184         }
4185
4186         err = ipc_has_perm(&sma->sem_perm, perms);
4187         return err;
4188 }
4189
4190 static int selinux_sem_semop(struct sem_array *sma,
4191                              struct sembuf *sops, unsigned nsops, int alter)
4192 {
4193         u32 perms;
4194
4195         if (alter)
4196                 perms = SEM__READ | SEM__WRITE;
4197         else
4198                 perms = SEM__READ;
4199
4200         return ipc_has_perm(&sma->sem_perm, perms);
4201 }
4202
4203 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4204 {
4205         u32 av = 0;
4206
4207         av = 0;
4208         if (flag & S_IRUGO)
4209                 av |= IPC__UNIX_READ;
4210         if (flag & S_IWUGO)
4211                 av |= IPC__UNIX_WRITE;
4212
4213         if (av == 0)
4214                 return 0;
4215
4216         return ipc_has_perm(ipcp, av);
4217 }
4218
4219 /* module stacking operations */
4220 static int selinux_register_security (const char *name, struct security_operations *ops)
4221 {
4222         if (secondary_ops != original_ops) {
4223                 printk(KERN_INFO "%s:  There is already a secondary security "
4224                        "module registered.\n", __FUNCTION__);
4225                 return -EINVAL;
4226         }
4227
4228         secondary_ops = ops;
4229
4230         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4231                __FUNCTION__,
4232                name);
4233
4234         return 0;
4235 }
4236
4237 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4238 {
4239         if (ops != secondary_ops) {
4240                 printk (KERN_INFO "%s:  trying to unregister a security module "
4241                         "that is not registered.\n", __FUNCTION__);
4242                 return -EINVAL;
4243         }
4244
4245         secondary_ops = original_ops;
4246
4247         return 0;
4248 }
4249
4250 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4251 {
4252         if (inode)
4253                 inode_doinit_with_dentry(inode, dentry);
4254 }
4255
4256 static int selinux_getprocattr(struct task_struct *p,
4257                                char *name, void *value, size_t size)
4258 {
4259         struct task_security_struct *tsec;
4260         u32 sid;
4261         int error;
4262
4263         if (current != p) {
4264                 error = task_has_perm(current, p, PROCESS__GETATTR);
4265                 if (error)
4266                         return error;
4267         }
4268
4269         tsec = p->security;
4270
4271         if (!strcmp(name, "current"))
4272                 sid = tsec->sid;
4273         else if (!strcmp(name, "prev"))
4274                 sid = tsec->osid;
4275         else if (!strcmp(name, "exec"))
4276                 sid = tsec->exec_sid;
4277         else if (!strcmp(name, "fscreate"))
4278                 sid = tsec->create_sid;
4279         else if (!strcmp(name, "keycreate"))
4280                 sid = tsec->keycreate_sid;
4281         else if (!strcmp(name, "sockcreate"))
4282                 sid = tsec->sockcreate_sid;
4283         else
4284                 return -EINVAL;
4285
4286         if (!sid)
4287                 return 0;
4288
4289         return selinux_getsecurity(sid, value, size);
4290 }
4291
4292 static int selinux_setprocattr(struct task_struct *p,
4293                                char *name, void *value, size_t size)
4294 {
4295         struct task_security_struct *tsec;
4296         u32 sid = 0;
4297         int error;
4298         char *str = value;
4299
4300         if (current != p) {
4301                 /* SELinux only allows a process to change its own
4302                    security attributes. */
4303                 return -EACCES;
4304         }
4305
4306         /*
4307          * Basic control over ability to set these attributes at all.
4308          * current == p, but we'll pass them separately in case the
4309          * above restriction is ever removed.
4310          */
4311         if (!strcmp(name, "exec"))
4312                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4313         else if (!strcmp(name, "fscreate"))
4314                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4315         else if (!strcmp(name, "keycreate"))
4316                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4317         else if (!strcmp(name, "sockcreate"))
4318                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4319         else if (!strcmp(name, "current"))
4320                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4321         else
4322                 error = -EINVAL;
4323         if (error)
4324                 return error;
4325
4326         /* Obtain a SID for the context, if one was specified. */
4327         if (size && str[1] && str[1] != '\n') {
4328                 if (str[size-1] == '\n') {
4329                         str[size-1] = 0;
4330                         size--;
4331                 }
4332                 error = security_context_to_sid(value, size, &sid);
4333                 if (error)
4334                         return error;
4335         }
4336
4337         /* Permission checking based on the specified context is
4338            performed during the actual operation (execve,
4339            open/mkdir/...), when we know the full context of the
4340            operation.  See selinux_bprm_set_security for the execve
4341            checks and may_create for the file creation checks. The
4342            operation will then fail if the context is not permitted. */
4343         tsec = p->security;
4344         if (!strcmp(name, "exec"))
4345                 tsec->exec_sid = sid;
4346         else if (!strcmp(name, "fscreate"))
4347                 tsec->create_sid = sid;
4348         else if (!strcmp(name, "keycreate")) {
4349                 error = may_create_key(sid, p);
4350                 if (error)
4351                         return error;
4352                 tsec->keycreate_sid = sid;
4353         } else if (!strcmp(name, "sockcreate"))
4354                 tsec->sockcreate_sid = sid;
4355         else if (!strcmp(name, "current")) {
4356                 struct av_decision avd;
4357
4358                 if (sid == 0)
4359                         return -EINVAL;
4360
4361                 /* Only allow single threaded processes to change context */
4362                 if (atomic_read(&p->mm->mm_users) != 1) {
4363                         struct task_struct *g, *t;
4364                         struct mm_struct *mm = p->mm;
4365                         read_lock(&tasklist_lock);
4366                         do_each_thread(g, t)
4367                                 if (t->mm == mm && t != p) {
4368                                         read_unlock(&tasklist_lock);
4369                                         return -EPERM;
4370                                 }
4371                         while_each_thread(g, t);
4372                         read_unlock(&tasklist_lock);
4373                 }
4374
4375                 /* Check permissions for the transition. */
4376                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4377                                      PROCESS__DYNTRANSITION, NULL);
4378                 if (error)
4379                         return error;
4380
4381                 /* Check for ptracing, and update the task SID if ok.
4382                    Otherwise, leave SID unchanged and fail. */
4383                 task_lock(p);
4384                 if (p->ptrace & PT_PTRACED) {
4385                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4386                                                      SECCLASS_PROCESS,
4387                                                      PROCESS__PTRACE, &avd);
4388                         if (!error)
4389                                 tsec->sid = sid;
4390                         task_unlock(p);
4391                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4392                                   PROCESS__PTRACE, &avd, error, NULL);
4393                         if (error)
4394                                 return error;
4395                 } else {
4396                         tsec->sid = sid;
4397                         task_unlock(p);
4398                 }
4399         }
4400         else
4401                 return -EINVAL;
4402
4403         return size;
4404 }
4405
4406 #ifdef CONFIG_KEYS
4407
4408 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4409                              unsigned long flags)
4410 {
4411         struct task_security_struct *tsec = tsk->security;
4412         struct key_security_struct *ksec;
4413
4414         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4415         if (!ksec)
4416                 return -ENOMEM;
4417
4418         ksec->obj = k;
4419         if (tsec->keycreate_sid)
4420                 ksec->sid = tsec->keycreate_sid;
4421         else
4422                 ksec->sid = tsec->sid;
4423         k->security = ksec;
4424
4425         return 0;
4426 }
4427
4428 static void selinux_key_free(struct key *k)
4429 {
4430         struct key_security_struct *ksec = k->security;
4431
4432         k->security = NULL;
4433         kfree(ksec);
4434 }
4435
4436 static int selinux_key_permission(key_ref_t key_ref,
4437                             struct task_struct *ctx,
4438                             key_perm_t perm)
4439 {
4440         struct key *key;
4441         struct task_security_struct *tsec;
4442         struct key_security_struct *ksec;
4443
4444         key = key_ref_to_ptr(key_ref);
4445
4446         tsec = ctx->security;
4447         ksec = key->security;
4448
4449         /* if no specific permissions are requested, we skip the
4450            permission check. No serious, additional covert channels
4451            appear to be created. */
4452         if (perm == 0)
4453                 return 0;
4454
4455         return avc_has_perm(tsec->sid, ksec->sid,
4456                             SECCLASS_KEY, perm, NULL);
4457 }
4458
4459 #endif
4460
4461 static struct security_operations selinux_ops = {
4462         .ptrace =                       selinux_ptrace,
4463         .capget =                       selinux_capget,
4464         .capset_check =                 selinux_capset_check,
4465         .capset_set =                   selinux_capset_set,
4466         .sysctl =                       selinux_sysctl,
4467         .capable =                      selinux_capable,
4468         .quotactl =                     selinux_quotactl,
4469         .quota_on =                     selinux_quota_on,
4470         .syslog =                       selinux_syslog,
4471         .vm_enough_memory =             selinux_vm_enough_memory,
4472
4473         .netlink_send =                 selinux_netlink_send,
4474         .netlink_recv =                 selinux_netlink_recv,
4475
4476         .bprm_alloc_security =          selinux_bprm_alloc_security,
4477         .bprm_free_security =           selinux_bprm_free_security,
4478         .bprm_apply_creds =             selinux_bprm_apply_creds,
4479         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4480         .bprm_set_security =            selinux_bprm_set_security,
4481         .bprm_check_security =          selinux_bprm_check_security,
4482         .bprm_secureexec =              selinux_bprm_secureexec,
4483
4484         .sb_alloc_security =            selinux_sb_alloc_security,
4485         .sb_free_security =             selinux_sb_free_security,
4486         .sb_copy_data =                 selinux_sb_copy_data,
4487         .sb_kern_mount =                selinux_sb_kern_mount,
4488         .sb_statfs =                    selinux_sb_statfs,
4489         .sb_mount =                     selinux_mount,
4490         .sb_umount =                    selinux_umount,
4491
4492         .inode_alloc_security =         selinux_inode_alloc_security,
4493         .inode_free_security =          selinux_inode_free_security,
4494         .inode_init_security =          selinux_inode_init_security,
4495         .inode_create =                 selinux_inode_create,
4496         .inode_link =                   selinux_inode_link,
4497         .inode_unlink =                 selinux_inode_unlink,
4498         .inode_symlink =                selinux_inode_symlink,
4499         .inode_mkdir =                  selinux_inode_mkdir,
4500         .inode_rmdir =                  selinux_inode_rmdir,
4501         .inode_mknod =                  selinux_inode_mknod,
4502         .inode_rename =                 selinux_inode_rename,
4503         .inode_readlink =               selinux_inode_readlink,
4504         .inode_follow_link =            selinux_inode_follow_link,
4505         .inode_permission =             selinux_inode_permission,
4506         .inode_setattr =                selinux_inode_setattr,
4507         .inode_getattr =                selinux_inode_getattr,
4508         .inode_setxattr =               selinux_inode_setxattr,
4509         .inode_post_setxattr =          selinux_inode_post_setxattr,
4510         .inode_getxattr =               selinux_inode_getxattr,
4511         .inode_listxattr =              selinux_inode_listxattr,
4512         .inode_removexattr =            selinux_inode_removexattr,
4513         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4514         .inode_getsecurity =            selinux_inode_getsecurity,
4515         .inode_setsecurity =            selinux_inode_setsecurity,
4516         .inode_listsecurity =           selinux_inode_listsecurity,
4517
4518         .file_permission =              selinux_file_permission,
4519         .file_alloc_security =          selinux_file_alloc_security,
4520         .file_free_security =           selinux_file_free_security,
4521         .file_ioctl =                   selinux_file_ioctl,
4522         .file_mmap =                    selinux_file_mmap,
4523         .file_mprotect =                selinux_file_mprotect,
4524         .file_lock =                    selinux_file_lock,
4525         .file_fcntl =                   selinux_file_fcntl,
4526         .file_set_fowner =              selinux_file_set_fowner,
4527         .file_send_sigiotask =          selinux_file_send_sigiotask,
4528         .file_receive =                 selinux_file_receive,
4529
4530         .task_create =                  selinux_task_create,
4531         .task_alloc_security =          selinux_task_alloc_security,
4532         .task_free_security =           selinux_task_free_security,
4533         .task_setuid =                  selinux_task_setuid,
4534         .task_post_setuid =             selinux_task_post_setuid,
4535         .task_setgid =                  selinux_task_setgid,
4536         .task_setpgid =                 selinux_task_setpgid,
4537         .task_getpgid =                 selinux_task_getpgid,
4538         .task_getsid =                  selinux_task_getsid,
4539         .task_getsecid =                selinux_task_getsecid,
4540         .task_setgroups =               selinux_task_setgroups,
4541         .task_setnice =                 selinux_task_setnice,
4542         .task_setioprio =               selinux_task_setioprio,
4543         .task_getioprio =               selinux_task_getioprio,
4544         .task_setrlimit =               selinux_task_setrlimit,
4545         .task_setscheduler =            selinux_task_setscheduler,
4546         .task_getscheduler =            selinux_task_getscheduler,
4547         .task_movememory =              selinux_task_movememory,
4548         .task_kill =                    selinux_task_kill,
4549         .task_wait =                    selinux_task_wait,
4550         .task_prctl =                   selinux_task_prctl,
4551         .task_reparent_to_init =        selinux_task_reparent_to_init,
4552         .task_to_inode =                selinux_task_to_inode,
4553
4554         .ipc_permission =               selinux_ipc_permission,
4555
4556         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4557         .msg_msg_free_security =        selinux_msg_msg_free_security,
4558
4559         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4560         .msg_queue_free_security =      selinux_msg_queue_free_security,
4561         .msg_queue_associate =          selinux_msg_queue_associate,
4562         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4563         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4564         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4565
4566         .shm_alloc_security =           selinux_shm_alloc_security,
4567         .shm_free_security =            selinux_shm_free_security,
4568         .shm_associate =                selinux_shm_associate,
4569         .shm_shmctl =                   selinux_shm_shmctl,
4570         .shm_shmat =                    selinux_shm_shmat,
4571
4572         .sem_alloc_security =           selinux_sem_alloc_security,
4573         .sem_free_security =            selinux_sem_free_security,
4574         .sem_associate =                selinux_sem_associate,
4575         .sem_semctl =                   selinux_sem_semctl,
4576         .sem_semop =                    selinux_sem_semop,
4577
4578         .register_security =            selinux_register_security,
4579         .unregister_security =          selinux_unregister_security,
4580
4581         .d_instantiate =                selinux_d_instantiate,
4582
4583         .getprocattr =                  selinux_getprocattr,
4584         .setprocattr =                  selinux_setprocattr,
4585
4586         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4587         .unix_may_send =                selinux_socket_unix_may_send,
4588
4589         .socket_create =                selinux_socket_create,
4590         .socket_post_create =           selinux_socket_post_create,
4591         .socket_bind =                  selinux_socket_bind,
4592         .socket_connect =               selinux_socket_connect,
4593         .socket_listen =                selinux_socket_listen,
4594         .socket_accept =                selinux_socket_accept,
4595         .socket_sendmsg =               selinux_socket_sendmsg,
4596         .socket_recvmsg =               selinux_socket_recvmsg,
4597         .socket_getsockname =           selinux_socket_getsockname,
4598         .socket_getpeername =           selinux_socket_getpeername,
4599         .socket_getsockopt =            selinux_socket_getsockopt,
4600         .socket_setsockopt =            selinux_socket_setsockopt,
4601         .socket_shutdown =              selinux_socket_shutdown,
4602         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4603         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4604         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4605         .sk_alloc_security =            selinux_sk_alloc_security,
4606         .sk_free_security =             selinux_sk_free_security,
4607         .sk_getsid =                    selinux_sk_getsid_security,
4608
4609 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4610         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4611         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4612         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4613         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4614         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4615         .xfrm_state_free_security =     selinux_xfrm_state_free,
4616         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4617         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4618 #endif
4619
4620 #ifdef CONFIG_KEYS
4621         .key_alloc =                    selinux_key_alloc,
4622         .key_free =                     selinux_key_free,
4623         .key_permission =               selinux_key_permission,
4624 #endif
4625 };
4626
4627 static __init int selinux_init(void)
4628 {
4629         struct task_security_struct *tsec;
4630
4631         if (!selinux_enabled) {
4632                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4633                 return 0;
4634         }
4635
4636         printk(KERN_INFO "SELinux:  Initializing.\n");
4637
4638         /* Set the security state for the initial task. */
4639         if (task_alloc_security(current))
4640                 panic("SELinux:  Failed to initialize initial task.\n");
4641         tsec = current->security;
4642         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4643
4644         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4645                                             sizeof(struct inode_security_struct),
4646                                             0, SLAB_PANIC, NULL, NULL);
4647         avc_init();
4648
4649         original_ops = secondary_ops = security_ops;
4650         if (!secondary_ops)
4651                 panic ("SELinux: No initial security operations\n");
4652         if (register_security (&selinux_ops))
4653                 panic("SELinux: Unable to register with kernel.\n");
4654
4655         if (selinux_enforcing) {
4656                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4657         } else {
4658                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4659         }
4660
4661 #ifdef CONFIG_KEYS
4662         /* Add security information to initial keyrings */
4663         selinux_key_alloc(&root_user_keyring, current,
4664                           KEY_ALLOC_NOT_IN_QUOTA);
4665         selinux_key_alloc(&root_session_keyring, current,
4666                           KEY_ALLOC_NOT_IN_QUOTA);
4667 #endif
4668
4669         return 0;
4670 }
4671
4672 void selinux_complete_init(void)
4673 {
4674         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4675
4676         /* Set up any superblocks initialized prior to the policy load. */
4677         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4678         spin_lock(&sb_lock);
4679         spin_lock(&sb_security_lock);
4680 next_sb:
4681         if (!list_empty(&superblock_security_head)) {
4682                 struct superblock_security_struct *sbsec =
4683                                 list_entry(superblock_security_head.next,
4684                                            struct superblock_security_struct,
4685                                            list);
4686                 struct super_block *sb = sbsec->sb;
4687                 sb->s_count++;
4688                 spin_unlock(&sb_security_lock);
4689                 spin_unlock(&sb_lock);
4690                 down_read(&sb->s_umount);
4691                 if (sb->s_root)
4692                         superblock_doinit(sb, NULL);
4693                 drop_super(sb);
4694                 spin_lock(&sb_lock);
4695                 spin_lock(&sb_security_lock);
4696                 list_del_init(&sbsec->list);
4697                 goto next_sb;
4698         }
4699         spin_unlock(&sb_security_lock);
4700         spin_unlock(&sb_lock);
4701 }
4702
4703 /* SELinux requires early initialization in order to label
4704    all processes and objects when they are created. */
4705 security_initcall(selinux_init);
4706
4707 #if defined(CONFIG_NETFILTER)
4708
4709 static struct nf_hook_ops selinux_ipv4_op = {
4710         .hook =         selinux_ipv4_postroute_last,
4711         .owner =        THIS_MODULE,
4712         .pf =           PF_INET,
4713         .hooknum =      NF_IP_POST_ROUTING,
4714         .priority =     NF_IP_PRI_SELINUX_LAST,
4715 };
4716
4717 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4718
4719 static struct nf_hook_ops selinux_ipv6_op = {
4720         .hook =         selinux_ipv6_postroute_last,
4721         .owner =        THIS_MODULE,
4722         .pf =           PF_INET6,
4723         .hooknum =      NF_IP6_POST_ROUTING,
4724         .priority =     NF_IP6_PRI_SELINUX_LAST,
4725 };
4726
4727 #endif  /* IPV6 */
4728
4729 static int __init selinux_nf_ip_init(void)
4730 {
4731         int err = 0;
4732
4733         if (!selinux_enabled)
4734                 goto out;
4735                 
4736         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4737         
4738         err = nf_register_hook(&selinux_ipv4_op);
4739         if (err)
4740                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4741
4742 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4743
4744         err = nf_register_hook(&selinux_ipv6_op);
4745         if (err)
4746                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4747
4748 #endif  /* IPV6 */
4749
4750 out:
4751         return err;
4752 }
4753
4754 __initcall(selinux_nf_ip_init);
4755
4756 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4757 static void selinux_nf_ip_exit(void)
4758 {
4759         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4760
4761         nf_unregister_hook(&selinux_ipv4_op);
4762 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4763         nf_unregister_hook(&selinux_ipv6_op);
4764 #endif  /* IPV6 */
4765 }
4766 #endif
4767
4768 #else /* CONFIG_NETFILTER */
4769
4770 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4771 #define selinux_nf_ip_exit()
4772 #endif
4773
4774 #endif /* CONFIG_NETFILTER */
4775
4776 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4777 int selinux_disable(void)
4778 {
4779         extern void exit_sel_fs(void);
4780         static int selinux_disabled = 0;
4781
4782         if (ss_initialized) {
4783                 /* Not permitted after initial policy load. */
4784                 return -EINVAL;
4785         }
4786
4787         if (selinux_disabled) {
4788                 /* Only do this once. */
4789                 return -EINVAL;
4790         }
4791
4792         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4793
4794         selinux_disabled = 1;
4795         selinux_enabled = 0;
4796
4797         /* Reset security_ops to the secondary module, dummy or capability. */
4798         security_ops = secondary_ops;
4799
4800         /* Unregister netfilter hooks. */
4801         selinux_nf_ip_exit();
4802
4803         /* Unregister selinuxfs. */
4804         exit_sel_fs();
4805
4806         return 0;
4807 }
4808 #endif
4809
4810