3481cde5bf15f018fac6d83cd100968d6b701c5b
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129
130 /*
131  * Minimal support for a secondary security module,
132  * just to allow the use of the capability module.
133  */
134 static struct security_operations *secondary_ops;
135
136 /* Lists of inode and superblock security structures initialized
137    before the policy was loaded. */
138 static LIST_HEAD(superblock_security_head);
139 static DEFINE_SPINLOCK(sb_security_lock);
140
141 static struct kmem_cache *sel_inode_cache;
142
143 /**
144  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
145  *
146  * Description:
147  * This function checks the SECMARK reference counter to see if any SECMARK
148  * targets are currently configured, if the reference counter is greater than
149  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
150  * enabled, false (0) if SECMARK is disabled.
151  *
152  */
153 static int selinux_secmark_enabled(void)
154 {
155         return (atomic_read(&selinux_secmark_refcount) > 0);
156 }
157
158 /* Allocate and free functions for each kind of security blob. */
159
160 static int task_alloc_security(struct task_struct *task)
161 {
162         struct task_security_struct *tsec;
163
164         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165         if (!tsec)
166                 return -ENOMEM;
167
168         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
169         task->security = tsec;
170
171         return 0;
172 }
173
174 static void task_free_security(struct task_struct *task)
175 {
176         struct task_security_struct *tsec = task->security;
177         task->security = NULL;
178         kfree(tsec);
179 }
180
181 static int inode_alloc_security(struct inode *inode)
182 {
183         struct task_security_struct *tsec = current->security;
184         struct inode_security_struct *isec;
185
186         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
187         if (!isec)
188                 return -ENOMEM;
189
190         mutex_init(&isec->lock);
191         INIT_LIST_HEAD(&isec->list);
192         isec->inode = inode;
193         isec->sid = SECINITSID_UNLABELED;
194         isec->sclass = SECCLASS_FILE;
195         isec->task_sid = tsec->sid;
196         inode->i_security = isec;
197
198         return 0;
199 }
200
201 static void inode_free_security(struct inode *inode)
202 {
203         struct inode_security_struct *isec = inode->i_security;
204         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
205
206         spin_lock(&sbsec->isec_lock);
207         if (!list_empty(&isec->list))
208                 list_del_init(&isec->list);
209         spin_unlock(&sbsec->isec_lock);
210
211         inode->i_security = NULL;
212         kmem_cache_free(sel_inode_cache, isec);
213 }
214
215 static int file_alloc_security(struct file *file)
216 {
217         struct task_security_struct *tsec = current->security;
218         struct file_security_struct *fsec;
219
220         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
221         if (!fsec)
222                 return -ENOMEM;
223
224         fsec->sid = tsec->sid;
225         fsec->fown_sid = tsec->sid;
226         file->f_security = fsec;
227
228         return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233         struct file_security_struct *fsec = file->f_security;
234         file->f_security = NULL;
235         kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240         struct superblock_security_struct *sbsec;
241
242         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243         if (!sbsec)
244                 return -ENOMEM;
245
246         mutex_init(&sbsec->lock);
247         INIT_LIST_HEAD(&sbsec->list);
248         INIT_LIST_HEAD(&sbsec->isec_head);
249         spin_lock_init(&sbsec->isec_lock);
250         sbsec->sb = sb;
251         sbsec->sid = SECINITSID_UNLABELED;
252         sbsec->def_sid = SECINITSID_FILE;
253         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254         sb->s_security = sbsec;
255
256         return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261         struct superblock_security_struct *sbsec = sb->s_security;
262
263         spin_lock(&sb_security_lock);
264         if (!list_empty(&sbsec->list))
265                 list_del_init(&sbsec->list);
266         spin_unlock(&sb_security_lock);
267
268         sb->s_security = NULL;
269         kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274         struct sk_security_struct *ssec;
275
276         ssec = kzalloc(sizeof(*ssec), priority);
277         if (!ssec)
278                 return -ENOMEM;
279
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         ssec->sid = SECINITSID_UNLABELED;
282         sk->sk_security = ssec;
283
284         selinux_netlbl_sk_security_reset(ssec, family);
285
286         return 0;
287 }
288
289 static void sk_free_security(struct sock *sk)
290 {
291         struct sk_security_struct *ssec = sk->sk_security;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_error = -1,
321         Opt_context = 1,
322         Opt_fscontext = 2,
323         Opt_defcontext = 3,
324         Opt_rootcontext = 4,
325 };
326
327 static match_table_t tokens = {
328         {Opt_context, CONTEXT_STR "%s"},
329         {Opt_fscontext, FSCONTEXT_STR "%s"},
330         {Opt_defcontext, DEFCONTEXT_STR "%s"},
331         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332         {Opt_error, NULL},
333 };
334
335 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
336
337 static int may_context_mount_sb_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         struct task_security_struct *tsec)
340 {
341         int rc;
342
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__RELABELTO, NULL);
350         return rc;
351 }
352
353 static int may_context_mount_inode_relabel(u32 sid,
354                         struct superblock_security_struct *sbsec,
355                         struct task_security_struct *tsec)
356 {
357         int rc;
358         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
359                           FILESYSTEM__RELABELFROM, NULL);
360         if (rc)
361                 return rc;
362
363         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
364                           FILESYSTEM__ASSOCIATE, NULL);
365         return rc;
366 }
367
368 static int sb_finish_set_opts(struct super_block *sb)
369 {
370         struct superblock_security_struct *sbsec = sb->s_security;
371         struct dentry *root = sb->s_root;
372         struct inode *root_inode = root->d_inode;
373         int rc = 0;
374
375         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
376                 /* Make sure that the xattr handler exists and that no
377                    error other than -ENODATA is returned by getxattr on
378                    the root directory.  -ENODATA is ok, as this may be
379                    the first boot of the SELinux kernel before we have
380                    assigned xattr values to the filesystem. */
381                 if (!root_inode->i_op->getxattr) {
382                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
383                                "xattr support\n", sb->s_id, sb->s_type->name);
384                         rc = -EOPNOTSUPP;
385                         goto out;
386                 }
387                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
388                 if (rc < 0 && rc != -ENODATA) {
389                         if (rc == -EOPNOTSUPP)
390                                 printk(KERN_WARNING "SELinux: (dev %s, type "
391                                        "%s) has no security xattr handler\n",
392                                        sb->s_id, sb->s_type->name);
393                         else
394                                 printk(KERN_WARNING "SELinux: (dev %s, type "
395                                        "%s) getxattr errno %d\n", sb->s_id,
396                                        sb->s_type->name, -rc);
397                         goto out;
398                 }
399         }
400
401         sbsec->initialized = 1;
402
403         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
405                        sb->s_id, sb->s_type->name);
406         else
407                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
408                        sb->s_id, sb->s_type->name,
409                        labeling_behaviors[sbsec->behavior-1]);
410
411         /* Initialize the root inode. */
412         rc = inode_doinit_with_dentry(root_inode, root);
413
414         /* Initialize any other inodes associated with the superblock, e.g.
415            inodes created prior to initial policy load or inodes created
416            during get_sb by a pseudo filesystem that directly
417            populates itself. */
418         spin_lock(&sbsec->isec_lock);
419 next_inode:
420         if (!list_empty(&sbsec->isec_head)) {
421                 struct inode_security_struct *isec =
422                                 list_entry(sbsec->isec_head.next,
423                                            struct inode_security_struct, list);
424                 struct inode *inode = isec->inode;
425                 spin_unlock(&sbsec->isec_lock);
426                 inode = igrab(inode);
427                 if (inode) {
428                         if (!IS_PRIVATE(inode))
429                                 inode_doinit(inode);
430                         iput(inode);
431                 }
432                 spin_lock(&sbsec->isec_lock);
433                 list_del_init(&isec->list);
434                 goto next_inode;
435         }
436         spin_unlock(&sbsec->isec_lock);
437 out:
438         return rc;
439 }
440
441 /*
442  * This function should allow an FS to ask what it's mount security
443  * options were so it can use those later for submounts, displaying
444  * mount options, or whatever.
445  */
446 static int selinux_get_mnt_opts(const struct super_block *sb,
447                                 struct security_mnt_opts *opts)
448 {
449         int rc = 0, i;
450         struct superblock_security_struct *sbsec = sb->s_security;
451         char *context = NULL;
452         u32 len;
453         char tmp;
454
455         security_init_mnt_opts(opts);
456
457         if (!sbsec->initialized)
458                 return -EINVAL;
459
460         if (!ss_initialized)
461                 return -EINVAL;
462
463         /*
464          * if we ever use sbsec flags for anything other than tracking mount
465          * settings this is going to need a mask
466          */
467         tmp = sbsec->flags;
468         /* count the number of mount options for this sb */
469         for (i = 0; i < 8; i++) {
470                 if (tmp & 0x01)
471                         opts->num_mnt_opts++;
472                 tmp >>= 1;
473         }
474
475         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
476         if (!opts->mnt_opts) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
482         if (!opts->mnt_opts_flags) {
483                 rc = -ENOMEM;
484                 goto out_free;
485         }
486
487         i = 0;
488         if (sbsec->flags & FSCONTEXT_MNT) {
489                 rc = security_sid_to_context(sbsec->sid, &context, &len);
490                 if (rc)
491                         goto out_free;
492                 opts->mnt_opts[i] = context;
493                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
494         }
495         if (sbsec->flags & CONTEXT_MNT) {
496                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
497                 if (rc)
498                         goto out_free;
499                 opts->mnt_opts[i] = context;
500                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
501         }
502         if (sbsec->flags & DEFCONTEXT_MNT) {
503                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
504                 if (rc)
505                         goto out_free;
506                 opts->mnt_opts[i] = context;
507                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
508         }
509         if (sbsec->flags & ROOTCONTEXT_MNT) {
510                 struct inode *root = sbsec->sb->s_root->d_inode;
511                 struct inode_security_struct *isec = root->i_security;
512
513                 rc = security_sid_to_context(isec->sid, &context, &len);
514                 if (rc)
515                         goto out_free;
516                 opts->mnt_opts[i] = context;
517                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         /* check if the old mount command had the same options */
533         if (sbsec->initialized)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!sbsec->initialized)
542                 if (sbsec->flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         int rc = 0, i;
555         struct task_security_struct *tsec = current->security;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct inode *inode = sbsec->sb->s_root->d_inode;
559         struct inode_security_struct *root_isec = inode->i_security;
560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561         u32 defcontext_sid = 0;
562         char **mount_options = opts->mnt_opts;
563         int *flags = opts->mnt_opts_flags;
564         int num_opts = opts->num_mnt_opts;
565
566         mutex_lock(&sbsec->lock);
567
568         if (!ss_initialized) {
569                 if (!num_opts) {
570                         /* Defer initialization until selinux_complete_init,
571                            after the initial policy is loaded and the security
572                            server is ready to handle calls. */
573                         spin_lock(&sb_security_lock);
574                         if (list_empty(&sbsec->list))
575                                 list_add(&sbsec->list, &superblock_security_head);
576                         spin_unlock(&sb_security_lock);
577                         goto out;
578                 }
579                 rc = -EINVAL;
580                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
581                         "before the security server is initialized\n");
582                 goto out;
583         }
584
585         /*
586          * Binary mount data FS will come through this function twice.  Once
587          * from an explicit call and once from the generic calls from the vfs.
588          * Since the generic VFS calls will not contain any security mount data
589          * we need to skip the double mount verification.
590          *
591          * This does open a hole in which we will not notice if the first
592          * mount using this sb set explict options and a second mount using
593          * this sb does not set any security options.  (The first options
594          * will be used for both mounts)
595          */
596         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
597             && (num_opts == 0))
598                 goto out;
599
600         /*
601          * parse the mount options, check if they are valid sids.
602          * also check if someone is trying to mount the same sb more
603          * than once with different security options.
604          */
605         for (i = 0; i < num_opts; i++) {
606                 u32 sid;
607                 rc = security_context_to_sid(mount_options[i],
608                                              strlen(mount_options[i]), &sid);
609                 if (rc) {
610                         printk(KERN_WARNING "SELinux: security_context_to_sid"
611                                "(%s) failed for (dev %s, type %s) errno=%d\n",
612                                mount_options[i], sb->s_id, name, rc);
613                         goto out;
614                 }
615                 switch (flags[i]) {
616                 case FSCONTEXT_MNT:
617                         fscontext_sid = sid;
618
619                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
620                                         fscontext_sid))
621                                 goto out_double_mount;
622
623                         sbsec->flags |= FSCONTEXT_MNT;
624                         break;
625                 case CONTEXT_MNT:
626                         context_sid = sid;
627
628                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
629                                         context_sid))
630                                 goto out_double_mount;
631
632                         sbsec->flags |= CONTEXT_MNT;
633                         break;
634                 case ROOTCONTEXT_MNT:
635                         rootcontext_sid = sid;
636
637                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
638                                         rootcontext_sid))
639                                 goto out_double_mount;
640
641                         sbsec->flags |= ROOTCONTEXT_MNT;
642
643                         break;
644                 case DEFCONTEXT_MNT:
645                         defcontext_sid = sid;
646
647                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
648                                         defcontext_sid))
649                                 goto out_double_mount;
650
651                         sbsec->flags |= DEFCONTEXT_MNT;
652
653                         break;
654                 default:
655                         rc = -EINVAL;
656                         goto out;
657                 }
658         }
659
660         if (sbsec->initialized) {
661                 /* previously mounted with options, but not on this attempt? */
662                 if (sbsec->flags && !num_opts)
663                         goto out_double_mount;
664                 rc = 0;
665                 goto out;
666         }
667
668         if (strcmp(sb->s_type->name, "proc") == 0)
669                 sbsec->proc = 1;
670
671         /* Determine the labeling behavior to use for this filesystem type. */
672         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
673         if (rc) {
674                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
675                        __func__, sb->s_type->name, rc);
676                 goto out;
677         }
678
679         /* sets the context of the superblock for the fs being mounted. */
680         if (fscontext_sid) {
681
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
697                         if (rc)
698                                 goto out;
699                         sbsec->sid = context_sid;
700                 } else {
701                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
702                         if (rc)
703                                 goto out;
704                 }
705                 if (!rootcontext_sid)
706                         rootcontext_sid = context_sid;
707
708                 sbsec->mntpoint_sid = context_sid;
709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710         }
711
712         if (rootcontext_sid) {
713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
714                 if (rc)
715                         goto out;
716
717                 root_isec->sid = rootcontext_sid;
718                 root_isec->initialized = 1;
719         }
720
721         if (defcontext_sid) {
722                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
723                         rc = -EINVAL;
724                         printk(KERN_WARNING "SELinux: defcontext option is "
725                                "invalid for this filesystem type\n");
726                         goto out;
727                 }
728
729                 if (defcontext_sid != sbsec->def_sid) {
730                         rc = may_context_mount_inode_relabel(defcontext_sid,
731                                                              sbsec, tsec);
732                         if (rc)
733                                 goto out;
734                 }
735
736                 sbsec->def_sid = defcontext_sid;
737         }
738
739         rc = sb_finish_set_opts(sb);
740 out:
741         mutex_unlock(&sbsec->lock);
742         return rc;
743 out_double_mount:
744         rc = -EINVAL;
745         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
746                "security settings for (dev %s, type %s)\n", sb->s_id, name);
747         goto out;
748 }
749
750 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
751                                         struct super_block *newsb)
752 {
753         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
754         struct superblock_security_struct *newsbsec = newsb->s_security;
755
756         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
757         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
758         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
759
760         /*
761          * if the parent was able to be mounted it clearly had no special lsm
762          * mount options.  thus we can safely put this sb on the list and deal
763          * with it later
764          */
765         if (!ss_initialized) {
766                 spin_lock(&sb_security_lock);
767                 if (list_empty(&newsbsec->list))
768                         list_add(&newsbsec->list, &superblock_security_head);
769                 spin_unlock(&sb_security_lock);
770                 return;
771         }
772
773         /* how can we clone if the old one wasn't set up?? */
774         BUG_ON(!oldsbsec->initialized);
775
776         /* if fs is reusing a sb, just let its options stand... */
777         if (newsbsec->initialized)
778                 return;
779
780         mutex_lock(&newsbsec->lock);
781
782         newsbsec->flags = oldsbsec->flags;
783
784         newsbsec->sid = oldsbsec->sid;
785         newsbsec->def_sid = oldsbsec->def_sid;
786         newsbsec->behavior = oldsbsec->behavior;
787
788         if (set_context) {
789                 u32 sid = oldsbsec->mntpoint_sid;
790
791                 if (!set_fscontext)
792                         newsbsec->sid = sid;
793                 if (!set_rootcontext) {
794                         struct inode *newinode = newsb->s_root->d_inode;
795                         struct inode_security_struct *newisec = newinode->i_security;
796                         newisec->sid = sid;
797                 }
798                 newsbsec->mntpoint_sid = sid;
799         }
800         if (set_rootcontext) {
801                 const struct inode *oldinode = oldsb->s_root->d_inode;
802                 const struct inode_security_struct *oldisec = oldinode->i_security;
803                 struct inode *newinode = newsb->s_root->d_inode;
804                 struct inode_security_struct *newisec = newinode->i_security;
805
806                 newisec->sid = oldisec->sid;
807         }
808
809         sb_finish_set_opts(newsb);
810         mutex_unlock(&newsbsec->lock);
811 }
812
813 static int selinux_parse_opts_str(char *options,
814                                   struct security_mnt_opts *opts)
815 {
816         char *p;
817         char *context = NULL, *defcontext = NULL;
818         char *fscontext = NULL, *rootcontext = NULL;
819         int rc, num_mnt_opts = 0;
820
821         opts->num_mnt_opts = 0;
822
823         /* Standard string-based options. */
824         while ((p = strsep(&options, "|")) != NULL) {
825                 int token;
826                 substring_t args[MAX_OPT_ARGS];
827
828                 if (!*p)
829                         continue;
830
831                 token = match_token(p, tokens, args);
832
833                 switch (token) {
834                 case Opt_context:
835                         if (context || defcontext) {
836                                 rc = -EINVAL;
837                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838                                 goto out_err;
839                         }
840                         context = match_strdup(&args[0]);
841                         if (!context) {
842                                 rc = -ENOMEM;
843                                 goto out_err;
844                         }
845                         break;
846
847                 case Opt_fscontext:
848                         if (fscontext) {
849                                 rc = -EINVAL;
850                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851                                 goto out_err;
852                         }
853                         fscontext = match_strdup(&args[0]);
854                         if (!fscontext) {
855                                 rc = -ENOMEM;
856                                 goto out_err;
857                         }
858                         break;
859
860                 case Opt_rootcontext:
861                         if (rootcontext) {
862                                 rc = -EINVAL;
863                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864                                 goto out_err;
865                         }
866                         rootcontext = match_strdup(&args[0]);
867                         if (!rootcontext) {
868                                 rc = -ENOMEM;
869                                 goto out_err;
870                         }
871                         break;
872
873                 case Opt_defcontext:
874                         if (context || defcontext) {
875                                 rc = -EINVAL;
876                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
877                                 goto out_err;
878                         }
879                         defcontext = match_strdup(&args[0]);
880                         if (!defcontext) {
881                                 rc = -ENOMEM;
882                                 goto out_err;
883                         }
884                         break;
885
886                 default:
887                         rc = -EINVAL;
888                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
889                         goto out_err;
890
891                 }
892         }
893
894         rc = -ENOMEM;
895         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
896         if (!opts->mnt_opts)
897                 goto out_err;
898
899         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
900         if (!opts->mnt_opts_flags) {
901                 kfree(opts->mnt_opts);
902                 goto out_err;
903         }
904
905         if (fscontext) {
906                 opts->mnt_opts[num_mnt_opts] = fscontext;
907                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908         }
909         if (context) {
910                 opts->mnt_opts[num_mnt_opts] = context;
911                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912         }
913         if (rootcontext) {
914                 opts->mnt_opts[num_mnt_opts] = rootcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916         }
917         if (defcontext) {
918                 opts->mnt_opts[num_mnt_opts] = defcontext;
919                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920         }
921
922         opts->num_mnt_opts = num_mnt_opts;
923         return 0;
924
925 out_err:
926         kfree(context);
927         kfree(defcontext);
928         kfree(fscontext);
929         kfree(rootcontext);
930         return rc;
931 }
932 /*
933  * string mount options parsing and call set the sbsec
934  */
935 static int superblock_doinit(struct super_block *sb, void *data)
936 {
937         int rc = 0;
938         char *options = data;
939         struct security_mnt_opts opts;
940
941         security_init_mnt_opts(&opts);
942
943         if (!data)
944                 goto out;
945
946         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
947
948         rc = selinux_parse_opts_str(options, &opts);
949         if (rc)
950                 goto out_err;
951
952 out:
953         rc = selinux_set_mnt_opts(sb, &opts);
954
955 out_err:
956         security_free_mnt_opts(&opts);
957         return rc;
958 }
959
960 void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
961 {
962         int i;
963         char *prefix;
964
965         for (i = 0; i < opts->num_mnt_opts; i++) {
966                 char *has_comma = strchr(opts->mnt_opts[i], ',');
967
968                 switch (opts->mnt_opts_flags[i]) {
969                 case CONTEXT_MNT:
970                         prefix = CONTEXT_STR;
971                         break;
972                 case FSCONTEXT_MNT:
973                         prefix = FSCONTEXT_STR;
974                         break;
975                 case ROOTCONTEXT_MNT:
976                         prefix = ROOTCONTEXT_STR;
977                         break;
978                 case DEFCONTEXT_MNT:
979                         prefix = DEFCONTEXT_STR;
980                         break;
981                 default:
982                         BUG();
983                 };
984                 /* we need a comma before each option */
985                 seq_putc(m, ',');
986                 seq_puts(m, prefix);
987                 if (has_comma)
988                         seq_putc(m, '\"');
989                 seq_puts(m, opts->mnt_opts[i]);
990                 if (has_comma)
991                         seq_putc(m, '\"');
992         }
993 }
994
995 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
996 {
997         struct security_mnt_opts opts;
998         int rc;
999
1000         rc = selinux_get_mnt_opts(sb, &opts);
1001         if (rc)
1002                 return rc;
1003
1004         selinux_write_opts(m, &opts);
1005
1006         security_free_mnt_opts(&opts);
1007
1008         return rc;
1009 }
1010
1011 static inline u16 inode_mode_to_security_class(umode_t mode)
1012 {
1013         switch (mode & S_IFMT) {
1014         case S_IFSOCK:
1015                 return SECCLASS_SOCK_FILE;
1016         case S_IFLNK:
1017                 return SECCLASS_LNK_FILE;
1018         case S_IFREG:
1019                 return SECCLASS_FILE;
1020         case S_IFBLK:
1021                 return SECCLASS_BLK_FILE;
1022         case S_IFDIR:
1023                 return SECCLASS_DIR;
1024         case S_IFCHR:
1025                 return SECCLASS_CHR_FILE;
1026         case S_IFIFO:
1027                 return SECCLASS_FIFO_FILE;
1028
1029         }
1030
1031         return SECCLASS_FILE;
1032 }
1033
1034 static inline int default_protocol_stream(int protocol)
1035 {
1036         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1037 }
1038
1039 static inline int default_protocol_dgram(int protocol)
1040 {
1041         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1042 }
1043
1044 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1045 {
1046         switch (family) {
1047         case PF_UNIX:
1048                 switch (type) {
1049                 case SOCK_STREAM:
1050                 case SOCK_SEQPACKET:
1051                         return SECCLASS_UNIX_STREAM_SOCKET;
1052                 case SOCK_DGRAM:
1053                         return SECCLASS_UNIX_DGRAM_SOCKET;
1054                 }
1055                 break;
1056         case PF_INET:
1057         case PF_INET6:
1058                 switch (type) {
1059                 case SOCK_STREAM:
1060                         if (default_protocol_stream(protocol))
1061                                 return SECCLASS_TCP_SOCKET;
1062                         else
1063                                 return SECCLASS_RAWIP_SOCKET;
1064                 case SOCK_DGRAM:
1065                         if (default_protocol_dgram(protocol))
1066                                 return SECCLASS_UDP_SOCKET;
1067                         else
1068                                 return SECCLASS_RAWIP_SOCKET;
1069                 case SOCK_DCCP:
1070                         return SECCLASS_DCCP_SOCKET;
1071                 default:
1072                         return SECCLASS_RAWIP_SOCKET;
1073                 }
1074                 break;
1075         case PF_NETLINK:
1076                 switch (protocol) {
1077                 case NETLINK_ROUTE:
1078                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1079                 case NETLINK_FIREWALL:
1080                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1081                 case NETLINK_INET_DIAG:
1082                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1083                 case NETLINK_NFLOG:
1084                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1085                 case NETLINK_XFRM:
1086                         return SECCLASS_NETLINK_XFRM_SOCKET;
1087                 case NETLINK_SELINUX:
1088                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1089                 case NETLINK_AUDIT:
1090                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1091                 case NETLINK_IP6_FW:
1092                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1093                 case NETLINK_DNRTMSG:
1094                         return SECCLASS_NETLINK_DNRT_SOCKET;
1095                 case NETLINK_KOBJECT_UEVENT:
1096                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1097                 default:
1098                         return SECCLASS_NETLINK_SOCKET;
1099                 }
1100         case PF_PACKET:
1101                 return SECCLASS_PACKET_SOCKET;
1102         case PF_KEY:
1103                 return SECCLASS_KEY_SOCKET;
1104         case PF_APPLETALK:
1105                 return SECCLASS_APPLETALK_SOCKET;
1106         }
1107
1108         return SECCLASS_SOCKET;
1109 }
1110
1111 #ifdef CONFIG_PROC_FS
1112 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1113                                 u16 tclass,
1114                                 u32 *sid)
1115 {
1116         int buflen, rc;
1117         char *buffer, *path, *end;
1118
1119         buffer = (char *)__get_free_page(GFP_KERNEL);
1120         if (!buffer)
1121                 return -ENOMEM;
1122
1123         buflen = PAGE_SIZE;
1124         end = buffer+buflen;
1125         *--end = '\0';
1126         buflen--;
1127         path = end-1;
1128         *path = '/';
1129         while (de && de != de->parent) {
1130                 buflen -= de->namelen + 1;
1131                 if (buflen < 0)
1132                         break;
1133                 end -= de->namelen;
1134                 memcpy(end, de->name, de->namelen);
1135                 *--end = '/';
1136                 path = end;
1137                 de = de->parent;
1138         }
1139         rc = security_genfs_sid("proc", path, tclass, sid);
1140         free_page((unsigned long)buffer);
1141         return rc;
1142 }
1143 #else
1144 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1145                                 u16 tclass,
1146                                 u32 *sid)
1147 {
1148         return -EINVAL;
1149 }
1150 #endif
1151
1152 /* The inode's security attributes must be initialized before first use. */
1153 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1154 {
1155         struct superblock_security_struct *sbsec = NULL;
1156         struct inode_security_struct *isec = inode->i_security;
1157         u32 sid;
1158         struct dentry *dentry;
1159 #define INITCONTEXTLEN 255
1160         char *context = NULL;
1161         unsigned len = 0;
1162         int rc = 0;
1163
1164         if (isec->initialized)
1165                 goto out;
1166
1167         mutex_lock(&isec->lock);
1168         if (isec->initialized)
1169                 goto out_unlock;
1170
1171         sbsec = inode->i_sb->s_security;
1172         if (!sbsec->initialized) {
1173                 /* Defer initialization until selinux_complete_init,
1174                    after the initial policy is loaded and the security
1175                    server is ready to handle calls. */
1176                 spin_lock(&sbsec->isec_lock);
1177                 if (list_empty(&isec->list))
1178                         list_add(&isec->list, &sbsec->isec_head);
1179                 spin_unlock(&sbsec->isec_lock);
1180                 goto out_unlock;
1181         }
1182
1183         switch (sbsec->behavior) {
1184         case SECURITY_FS_USE_XATTR:
1185                 if (!inode->i_op->getxattr) {
1186                         isec->sid = sbsec->def_sid;
1187                         break;
1188                 }
1189
1190                 /* Need a dentry, since the xattr API requires one.
1191                    Life would be simpler if we could just pass the inode. */
1192                 if (opt_dentry) {
1193                         /* Called from d_instantiate or d_splice_alias. */
1194                         dentry = dget(opt_dentry);
1195                 } else {
1196                         /* Called from selinux_complete_init, try to find a dentry. */
1197                         dentry = d_find_alias(inode);
1198                 }
1199                 if (!dentry) {
1200                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1201                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1202                                inode->i_ino);
1203                         goto out_unlock;
1204                 }
1205
1206                 len = INITCONTEXTLEN;
1207                 context = kmalloc(len, GFP_NOFS);
1208                 if (!context) {
1209                         rc = -ENOMEM;
1210                         dput(dentry);
1211                         goto out_unlock;
1212                 }
1213                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1214                                            context, len);
1215                 if (rc == -ERANGE) {
1216                         /* Need a larger buffer.  Query for the right size. */
1217                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1218                                                    NULL, 0);
1219                         if (rc < 0) {
1220                                 dput(dentry);
1221                                 goto out_unlock;
1222                         }
1223                         kfree(context);
1224                         len = rc;
1225                         context = kmalloc(len, GFP_NOFS);
1226                         if (!context) {
1227                                 rc = -ENOMEM;
1228                                 dput(dentry);
1229                                 goto out_unlock;
1230                         }
1231                         rc = inode->i_op->getxattr(dentry,
1232                                                    XATTR_NAME_SELINUX,
1233                                                    context, len);
1234                 }
1235                 dput(dentry);
1236                 if (rc < 0) {
1237                         if (rc != -ENODATA) {
1238                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1239                                        "%d for dev=%s ino=%ld\n", __func__,
1240                                        -rc, inode->i_sb->s_id, inode->i_ino);
1241                                 kfree(context);
1242                                 goto out_unlock;
1243                         }
1244                         /* Map ENODATA to the default file SID */
1245                         sid = sbsec->def_sid;
1246                         rc = 0;
1247                 } else {
1248                         rc = security_context_to_sid_default(context, rc, &sid,
1249                                                              sbsec->def_sid,
1250                                                              GFP_NOFS);
1251                         if (rc) {
1252                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1253                                        "returned %d for dev=%s ino=%ld\n",
1254                                        __func__, context, -rc,
1255                                        inode->i_sb->s_id, inode->i_ino);
1256                                 kfree(context);
1257                                 /* Leave with the unlabeled SID */
1258                                 rc = 0;
1259                                 break;
1260                         }
1261                 }
1262                 kfree(context);
1263                 isec->sid = sid;
1264                 break;
1265         case SECURITY_FS_USE_TASK:
1266                 isec->sid = isec->task_sid;
1267                 break;
1268         case SECURITY_FS_USE_TRANS:
1269                 /* Default to the fs SID. */
1270                 isec->sid = sbsec->sid;
1271
1272                 /* Try to obtain a transition SID. */
1273                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1274                 rc = security_transition_sid(isec->task_sid,
1275                                              sbsec->sid,
1276                                              isec->sclass,
1277                                              &sid);
1278                 if (rc)
1279                         goto out_unlock;
1280                 isec->sid = sid;
1281                 break;
1282         case SECURITY_FS_USE_MNTPOINT:
1283                 isec->sid = sbsec->mntpoint_sid;
1284                 break;
1285         default:
1286                 /* Default to the fs superblock SID. */
1287                 isec->sid = sbsec->sid;
1288
1289                 if (sbsec->proc) {
1290                         struct proc_inode *proci = PROC_I(inode);
1291                         if (proci->pde) {
1292                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1293                                 rc = selinux_proc_get_sid(proci->pde,
1294                                                           isec->sclass,
1295                                                           &sid);
1296                                 if (rc)
1297                                         goto out_unlock;
1298                                 isec->sid = sid;
1299                         }
1300                 }
1301                 break;
1302         }
1303
1304         isec->initialized = 1;
1305
1306 out_unlock:
1307         mutex_unlock(&isec->lock);
1308 out:
1309         if (isec->sclass == SECCLASS_FILE)
1310                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1311         return rc;
1312 }
1313
1314 /* Convert a Linux signal to an access vector. */
1315 static inline u32 signal_to_av(int sig)
1316 {
1317         u32 perm = 0;
1318
1319         switch (sig) {
1320         case SIGCHLD:
1321                 /* Commonly granted from child to parent. */
1322                 perm = PROCESS__SIGCHLD;
1323                 break;
1324         case SIGKILL:
1325                 /* Cannot be caught or ignored */
1326                 perm = PROCESS__SIGKILL;
1327                 break;
1328         case SIGSTOP:
1329                 /* Cannot be caught or ignored */
1330                 perm = PROCESS__SIGSTOP;
1331                 break;
1332         default:
1333                 /* All other signals. */
1334                 perm = PROCESS__SIGNAL;
1335                 break;
1336         }
1337
1338         return perm;
1339 }
1340
1341 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1342    fork check, ptrace check, etc. */
1343 static int task_has_perm(struct task_struct *tsk1,
1344                          struct task_struct *tsk2,
1345                          u32 perms)
1346 {
1347         struct task_security_struct *tsec1, *tsec2;
1348
1349         tsec1 = tsk1->security;
1350         tsec2 = tsk2->security;
1351         return avc_has_perm(tsec1->sid, tsec2->sid,
1352                             SECCLASS_PROCESS, perms, NULL);
1353 }
1354
1355 #if CAP_LAST_CAP > 63
1356 #error Fix SELinux to handle capabilities > 63.
1357 #endif
1358
1359 /* Check whether a task is allowed to use a capability. */
1360 static int task_has_capability(struct task_struct *tsk,
1361                                int cap)
1362 {
1363         struct task_security_struct *tsec;
1364         struct avc_audit_data ad;
1365         u16 sclass;
1366         u32 av = CAP_TO_MASK(cap);
1367
1368         tsec = tsk->security;
1369
1370         AVC_AUDIT_DATA_INIT(&ad, CAP);
1371         ad.tsk = tsk;
1372         ad.u.cap = cap;
1373
1374         switch (CAP_TO_INDEX(cap)) {
1375         case 0:
1376                 sclass = SECCLASS_CAPABILITY;
1377                 break;
1378         case 1:
1379                 sclass = SECCLASS_CAPABILITY2;
1380                 break;
1381         default:
1382                 printk(KERN_ERR
1383                        "SELinux:  out of range capability %d\n", cap);
1384                 BUG();
1385         }
1386         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1387 }
1388
1389 /* Check whether a task is allowed to use a system operation. */
1390 static int task_has_system(struct task_struct *tsk,
1391                            u32 perms)
1392 {
1393         struct task_security_struct *tsec;
1394
1395         tsec = tsk->security;
1396
1397         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1398                             SECCLASS_SYSTEM, perms, NULL);
1399 }
1400
1401 /* Check whether a task has a particular permission to an inode.
1402    The 'adp' parameter is optional and allows other audit
1403    data to be passed (e.g. the dentry). */
1404 static int inode_has_perm(struct task_struct *tsk,
1405                           struct inode *inode,
1406                           u32 perms,
1407                           struct avc_audit_data *adp)
1408 {
1409         struct task_security_struct *tsec;
1410         struct inode_security_struct *isec;
1411         struct avc_audit_data ad;
1412
1413         if (unlikely(IS_PRIVATE(inode)))
1414                 return 0;
1415
1416         tsec = tsk->security;
1417         isec = inode->i_security;
1418
1419         if (!adp) {
1420                 adp = &ad;
1421                 AVC_AUDIT_DATA_INIT(&ad, FS);
1422                 ad.u.fs.inode = inode;
1423         }
1424
1425         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1426 }
1427
1428 /* Same as inode_has_perm, but pass explicit audit data containing
1429    the dentry to help the auditing code to more easily generate the
1430    pathname if needed. */
1431 static inline int dentry_has_perm(struct task_struct *tsk,
1432                                   struct vfsmount *mnt,
1433                                   struct dentry *dentry,
1434                                   u32 av)
1435 {
1436         struct inode *inode = dentry->d_inode;
1437         struct avc_audit_data ad;
1438         AVC_AUDIT_DATA_INIT(&ad, FS);
1439         ad.u.fs.path.mnt = mnt;
1440         ad.u.fs.path.dentry = dentry;
1441         return inode_has_perm(tsk, inode, av, &ad);
1442 }
1443
1444 /* Check whether a task can use an open file descriptor to
1445    access an inode in a given way.  Check access to the
1446    descriptor itself, and then use dentry_has_perm to
1447    check a particular permission to the file.
1448    Access to the descriptor is implicitly granted if it
1449    has the same SID as the process.  If av is zero, then
1450    access to the file is not checked, e.g. for cases
1451    where only the descriptor is affected like seek. */
1452 static int file_has_perm(struct task_struct *tsk,
1453                                 struct file *file,
1454                                 u32 av)
1455 {
1456         struct task_security_struct *tsec = tsk->security;
1457         struct file_security_struct *fsec = file->f_security;
1458         struct inode *inode = file->f_path.dentry->d_inode;
1459         struct avc_audit_data ad;
1460         int rc;
1461
1462         AVC_AUDIT_DATA_INIT(&ad, FS);
1463         ad.u.fs.path = file->f_path;
1464
1465         if (tsec->sid != fsec->sid) {
1466                 rc = avc_has_perm(tsec->sid, fsec->sid,
1467                                   SECCLASS_FD,
1468                                   FD__USE,
1469                                   &ad);
1470                 if (rc)
1471                         return rc;
1472         }
1473
1474         /* av is zero if only checking access to the descriptor. */
1475         if (av)
1476                 return inode_has_perm(tsk, inode, av, &ad);
1477
1478         return 0;
1479 }
1480
1481 /* Check whether a task can create a file. */
1482 static int may_create(struct inode *dir,
1483                       struct dentry *dentry,
1484                       u16 tclass)
1485 {
1486         struct task_security_struct *tsec;
1487         struct inode_security_struct *dsec;
1488         struct superblock_security_struct *sbsec;
1489         u32 newsid;
1490         struct avc_audit_data ad;
1491         int rc;
1492
1493         tsec = current->security;
1494         dsec = dir->i_security;
1495         sbsec = dir->i_sb->s_security;
1496
1497         AVC_AUDIT_DATA_INIT(&ad, FS);
1498         ad.u.fs.path.dentry = dentry;
1499
1500         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1501                           DIR__ADD_NAME | DIR__SEARCH,
1502                           &ad);
1503         if (rc)
1504                 return rc;
1505
1506         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1507                 newsid = tsec->create_sid;
1508         } else {
1509                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1510                                              &newsid);
1511                 if (rc)
1512                         return rc;
1513         }
1514
1515         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1516         if (rc)
1517                 return rc;
1518
1519         return avc_has_perm(newsid, sbsec->sid,
1520                             SECCLASS_FILESYSTEM,
1521                             FILESYSTEM__ASSOCIATE, &ad);
1522 }
1523
1524 /* Check whether a task can create a key. */
1525 static int may_create_key(u32 ksid,
1526                           struct task_struct *ctx)
1527 {
1528         struct task_security_struct *tsec;
1529
1530         tsec = ctx->security;
1531
1532         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1533 }
1534
1535 #define MAY_LINK        0
1536 #define MAY_UNLINK      1
1537 #define MAY_RMDIR       2
1538
1539 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1540 static int may_link(struct inode *dir,
1541                     struct dentry *dentry,
1542                     int kind)
1543
1544 {
1545         struct task_security_struct *tsec;
1546         struct inode_security_struct *dsec, *isec;
1547         struct avc_audit_data ad;
1548         u32 av;
1549         int rc;
1550
1551         tsec = current->security;
1552         dsec = dir->i_security;
1553         isec = dentry->d_inode->i_security;
1554
1555         AVC_AUDIT_DATA_INIT(&ad, FS);
1556         ad.u.fs.path.dentry = dentry;
1557
1558         av = DIR__SEARCH;
1559         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1560         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1561         if (rc)
1562                 return rc;
1563
1564         switch (kind) {
1565         case MAY_LINK:
1566                 av = FILE__LINK;
1567                 break;
1568         case MAY_UNLINK:
1569                 av = FILE__UNLINK;
1570                 break;
1571         case MAY_RMDIR:
1572                 av = DIR__RMDIR;
1573                 break;
1574         default:
1575                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1576                         __func__, kind);
1577                 return 0;
1578         }
1579
1580         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1581         return rc;
1582 }
1583
1584 static inline int may_rename(struct inode *old_dir,
1585                              struct dentry *old_dentry,
1586                              struct inode *new_dir,
1587                              struct dentry *new_dentry)
1588 {
1589         struct task_security_struct *tsec;
1590         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1591         struct avc_audit_data ad;
1592         u32 av;
1593         int old_is_dir, new_is_dir;
1594         int rc;
1595
1596         tsec = current->security;
1597         old_dsec = old_dir->i_security;
1598         old_isec = old_dentry->d_inode->i_security;
1599         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1600         new_dsec = new_dir->i_security;
1601
1602         AVC_AUDIT_DATA_INIT(&ad, FS);
1603
1604         ad.u.fs.path.dentry = old_dentry;
1605         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1606                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1607         if (rc)
1608                 return rc;
1609         rc = avc_has_perm(tsec->sid, old_isec->sid,
1610                           old_isec->sclass, FILE__RENAME, &ad);
1611         if (rc)
1612                 return rc;
1613         if (old_is_dir && new_dir != old_dir) {
1614                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1615                                   old_isec->sclass, DIR__REPARENT, &ad);
1616                 if (rc)
1617                         return rc;
1618         }
1619
1620         ad.u.fs.path.dentry = new_dentry;
1621         av = DIR__ADD_NAME | DIR__SEARCH;
1622         if (new_dentry->d_inode)
1623                 av |= DIR__REMOVE_NAME;
1624         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1625         if (rc)
1626                 return rc;
1627         if (new_dentry->d_inode) {
1628                 new_isec = new_dentry->d_inode->i_security;
1629                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1630                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1631                                   new_isec->sclass,
1632                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1633                 if (rc)
1634                         return rc;
1635         }
1636
1637         return 0;
1638 }
1639
1640 /* Check whether a task can perform a filesystem operation. */
1641 static int superblock_has_perm(struct task_struct *tsk,
1642                                struct super_block *sb,
1643                                u32 perms,
1644                                struct avc_audit_data *ad)
1645 {
1646         struct task_security_struct *tsec;
1647         struct superblock_security_struct *sbsec;
1648
1649         tsec = tsk->security;
1650         sbsec = sb->s_security;
1651         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1652                             perms, ad);
1653 }
1654
1655 /* Convert a Linux mode and permission mask to an access vector. */
1656 static inline u32 file_mask_to_av(int mode, int mask)
1657 {
1658         u32 av = 0;
1659
1660         if ((mode & S_IFMT) != S_IFDIR) {
1661                 if (mask & MAY_EXEC)
1662                         av |= FILE__EXECUTE;
1663                 if (mask & MAY_READ)
1664                         av |= FILE__READ;
1665
1666                 if (mask & MAY_APPEND)
1667                         av |= FILE__APPEND;
1668                 else if (mask & MAY_WRITE)
1669                         av |= FILE__WRITE;
1670
1671         } else {
1672                 if (mask & MAY_EXEC)
1673                         av |= DIR__SEARCH;
1674                 if (mask & MAY_WRITE)
1675                         av |= DIR__WRITE;
1676                 if (mask & MAY_READ)
1677                         av |= DIR__READ;
1678         }
1679
1680         return av;
1681 }
1682
1683 /*
1684  * Convert a file mask to an access vector and include the correct open
1685  * open permission.
1686  */
1687 static inline u32 open_file_mask_to_av(int mode, int mask)
1688 {
1689         u32 av = file_mask_to_av(mode, mask);
1690
1691         if (selinux_policycap_openperm) {
1692                 /*
1693                  * lnk files and socks do not really have an 'open'
1694                  */
1695                 if (S_ISREG(mode))
1696                         av |= FILE__OPEN;
1697                 else if (S_ISCHR(mode))
1698                         av |= CHR_FILE__OPEN;
1699                 else if (S_ISBLK(mode))
1700                         av |= BLK_FILE__OPEN;
1701                 else if (S_ISFIFO(mode))
1702                         av |= FIFO_FILE__OPEN;
1703                 else if (S_ISDIR(mode))
1704                         av |= DIR__OPEN;
1705                 else
1706                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1707                                 "unknown mode:%x\n", __func__, mode);
1708         }
1709         return av;
1710 }
1711
1712 /* Convert a Linux file to an access vector. */
1713 static inline u32 file_to_av(struct file *file)
1714 {
1715         u32 av = 0;
1716
1717         if (file->f_mode & FMODE_READ)
1718                 av |= FILE__READ;
1719         if (file->f_mode & FMODE_WRITE) {
1720                 if (file->f_flags & O_APPEND)
1721                         av |= FILE__APPEND;
1722                 else
1723                         av |= FILE__WRITE;
1724         }
1725         if (!av) {
1726                 /*
1727                  * Special file opened with flags 3 for ioctl-only use.
1728                  */
1729                 av = FILE__IOCTL;
1730         }
1731
1732         return av;
1733 }
1734
1735 /* Hook functions begin here. */
1736
1737 static int selinux_ptrace(struct task_struct *parent,
1738                           struct task_struct *child,
1739                           unsigned int mode)
1740 {
1741         int rc;
1742
1743         rc = secondary_ops->ptrace(parent, child, mode);
1744         if (rc)
1745                 return rc;
1746
1747         if (mode == PTRACE_MODE_READ) {
1748                 struct task_security_struct *tsec = parent->security;
1749                 struct task_security_struct *csec = child->security;
1750                 return avc_has_perm(tsec->sid, csec->sid,
1751                                     SECCLASS_FILE, FILE__READ, NULL);
1752         }
1753
1754         return task_has_perm(parent, child, PROCESS__PTRACE);
1755 }
1756
1757 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1758                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1759 {
1760         int error;
1761
1762         error = task_has_perm(current, target, PROCESS__GETCAP);
1763         if (error)
1764                 return error;
1765
1766         return secondary_ops->capget(target, effective, inheritable, permitted);
1767 }
1768
1769 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1770                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1771 {
1772         int error;
1773
1774         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1775         if (error)
1776                 return error;
1777
1778         return task_has_perm(current, target, PROCESS__SETCAP);
1779 }
1780
1781 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1782                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1783 {
1784         secondary_ops->capset_set(target, effective, inheritable, permitted);
1785 }
1786
1787 static int selinux_capable(struct task_struct *tsk, int cap)
1788 {
1789         int rc;
1790
1791         rc = secondary_ops->capable(tsk, cap);
1792         if (rc)
1793                 return rc;
1794
1795         return task_has_capability(tsk, cap);
1796 }
1797
1798 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1799 {
1800         int buflen, rc;
1801         char *buffer, *path, *end;
1802
1803         rc = -ENOMEM;
1804         buffer = (char *)__get_free_page(GFP_KERNEL);
1805         if (!buffer)
1806                 goto out;
1807
1808         buflen = PAGE_SIZE;
1809         end = buffer+buflen;
1810         *--end = '\0';
1811         buflen--;
1812         path = end-1;
1813         *path = '/';
1814         while (table) {
1815                 const char *name = table->procname;
1816                 size_t namelen = strlen(name);
1817                 buflen -= namelen + 1;
1818                 if (buflen < 0)
1819                         goto out_free;
1820                 end -= namelen;
1821                 memcpy(end, name, namelen);
1822                 *--end = '/';
1823                 path = end;
1824                 table = table->parent;
1825         }
1826         buflen -= 4;
1827         if (buflen < 0)
1828                 goto out_free;
1829         end -= 4;
1830         memcpy(end, "/sys", 4);
1831         path = end;
1832         rc = security_genfs_sid("proc", path, tclass, sid);
1833 out_free:
1834         free_page((unsigned long)buffer);
1835 out:
1836         return rc;
1837 }
1838
1839 static int selinux_sysctl(ctl_table *table, int op)
1840 {
1841         int error = 0;
1842         u32 av;
1843         struct task_security_struct *tsec;
1844         u32 tsid;
1845         int rc;
1846
1847         rc = secondary_ops->sysctl(table, op);
1848         if (rc)
1849                 return rc;
1850
1851         tsec = current->security;
1852
1853         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1854                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1855         if (rc) {
1856                 /* Default to the well-defined sysctl SID. */
1857                 tsid = SECINITSID_SYSCTL;
1858         }
1859
1860         /* The op values are "defined" in sysctl.c, thereby creating
1861          * a bad coupling between this module and sysctl.c */
1862         if (op == 001) {
1863                 error = avc_has_perm(tsec->sid, tsid,
1864                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1865         } else {
1866                 av = 0;
1867                 if (op & 004)
1868                         av |= FILE__READ;
1869                 if (op & 002)
1870                         av |= FILE__WRITE;
1871                 if (av)
1872                         error = avc_has_perm(tsec->sid, tsid,
1873                                              SECCLASS_FILE, av, NULL);
1874         }
1875
1876         return error;
1877 }
1878
1879 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1880 {
1881         int rc = 0;
1882
1883         if (!sb)
1884                 return 0;
1885
1886         switch (cmds) {
1887         case Q_SYNC:
1888         case Q_QUOTAON:
1889         case Q_QUOTAOFF:
1890         case Q_SETINFO:
1891         case Q_SETQUOTA:
1892                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1893                                          NULL);
1894                 break;
1895         case Q_GETFMT:
1896         case Q_GETINFO:
1897         case Q_GETQUOTA:
1898                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1899                                          NULL);
1900                 break;
1901         default:
1902                 rc = 0;  /* let the kernel handle invalid cmds */
1903                 break;
1904         }
1905         return rc;
1906 }
1907
1908 static int selinux_quota_on(struct dentry *dentry)
1909 {
1910         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1911 }
1912
1913 static int selinux_syslog(int type)
1914 {
1915         int rc;
1916
1917         rc = secondary_ops->syslog(type);
1918         if (rc)
1919                 return rc;
1920
1921         switch (type) {
1922         case 3:         /* Read last kernel messages */
1923         case 10:        /* Return size of the log buffer */
1924                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1925                 break;
1926         case 6:         /* Disable logging to console */
1927         case 7:         /* Enable logging to console */
1928         case 8:         /* Set level of messages printed to console */
1929                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1930                 break;
1931         case 0:         /* Close log */
1932         case 1:         /* Open log */
1933         case 2:         /* Read from log */
1934         case 4:         /* Read/clear last kernel messages */
1935         case 5:         /* Clear ring buffer */
1936         default:
1937                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1938                 break;
1939         }
1940         return rc;
1941 }
1942
1943 /*
1944  * Check that a process has enough memory to allocate a new virtual
1945  * mapping. 0 means there is enough memory for the allocation to
1946  * succeed and -ENOMEM implies there is not.
1947  *
1948  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1949  * if the capability is granted, but __vm_enough_memory requires 1 if
1950  * the capability is granted.
1951  *
1952  * Do not audit the selinux permission check, as this is applied to all
1953  * processes that allocate mappings.
1954  */
1955 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1956 {
1957         int rc, cap_sys_admin = 0;
1958         struct task_security_struct *tsec = current->security;
1959
1960         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1961         if (rc == 0)
1962                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1963                                           SECCLASS_CAPABILITY,
1964                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1965                                           0,
1966                                           NULL);
1967
1968         if (rc == 0)
1969                 cap_sys_admin = 1;
1970
1971         return __vm_enough_memory(mm, pages, cap_sys_admin);
1972 }
1973
1974 /* binprm security operations */
1975
1976 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1977 {
1978         struct bprm_security_struct *bsec;
1979
1980         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1981         if (!bsec)
1982                 return -ENOMEM;
1983
1984         bsec->sid = SECINITSID_UNLABELED;
1985         bsec->set = 0;
1986
1987         bprm->security = bsec;
1988         return 0;
1989 }
1990
1991 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1992 {
1993         struct task_security_struct *tsec;
1994         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1995         struct inode_security_struct *isec;
1996         struct bprm_security_struct *bsec;
1997         u32 newsid;
1998         struct avc_audit_data ad;
1999         int rc;
2000
2001         rc = secondary_ops->bprm_set_security(bprm);
2002         if (rc)
2003                 return rc;
2004
2005         bsec = bprm->security;
2006
2007         if (bsec->set)
2008                 return 0;
2009
2010         tsec = current->security;
2011         isec = inode->i_security;
2012
2013         /* Default to the current task SID. */
2014         bsec->sid = tsec->sid;
2015
2016         /* Reset fs, key, and sock SIDs on execve. */
2017         tsec->create_sid = 0;
2018         tsec->keycreate_sid = 0;
2019         tsec->sockcreate_sid = 0;
2020
2021         if (tsec->exec_sid) {
2022                 newsid = tsec->exec_sid;
2023                 /* Reset exec SID on execve. */
2024                 tsec->exec_sid = 0;
2025         } else {
2026                 /* Check for a default transition on this program. */
2027                 rc = security_transition_sid(tsec->sid, isec->sid,
2028                                              SECCLASS_PROCESS, &newsid);
2029                 if (rc)
2030                         return rc;
2031         }
2032
2033         AVC_AUDIT_DATA_INIT(&ad, FS);
2034         ad.u.fs.path = bprm->file->f_path;
2035
2036         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2037                 newsid = tsec->sid;
2038
2039         if (tsec->sid == newsid) {
2040                 rc = avc_has_perm(tsec->sid, isec->sid,
2041                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2042                 if (rc)
2043                         return rc;
2044         } else {
2045                 /* Check permissions for the transition. */
2046                 rc = avc_has_perm(tsec->sid, newsid,
2047                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2048                 if (rc)
2049                         return rc;
2050
2051                 rc = avc_has_perm(newsid, isec->sid,
2052                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2053                 if (rc)
2054                         return rc;
2055
2056                 /* Clear any possibly unsafe personality bits on exec: */
2057                 current->personality &= ~PER_CLEAR_ON_SETID;
2058
2059                 /* Set the security field to the new SID. */
2060                 bsec->sid = newsid;
2061         }
2062
2063         bsec->set = 1;
2064         return 0;
2065 }
2066
2067 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2068 {
2069         return secondary_ops->bprm_check_security(bprm);
2070 }
2071
2072
2073 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2074 {
2075         struct task_security_struct *tsec = current->security;
2076         int atsecure = 0;
2077
2078         if (tsec->osid != tsec->sid) {
2079                 /* Enable secure mode for SIDs transitions unless
2080                    the noatsecure permission is granted between
2081                    the two SIDs, i.e. ahp returns 0. */
2082                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2083                                          SECCLASS_PROCESS,
2084                                          PROCESS__NOATSECURE, NULL);
2085         }
2086
2087         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2088 }
2089
2090 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2091 {
2092         kfree(bprm->security);
2093         bprm->security = NULL;
2094 }
2095
2096 extern struct vfsmount *selinuxfs_mount;
2097 extern struct dentry *selinux_null;
2098
2099 /* Derived from fs/exec.c:flush_old_files. */
2100 static inline void flush_unauthorized_files(struct files_struct *files)
2101 {
2102         struct avc_audit_data ad;
2103         struct file *file, *devnull = NULL;
2104         struct tty_struct *tty;
2105         struct fdtable *fdt;
2106         long j = -1;
2107         int drop_tty = 0;
2108
2109         mutex_lock(&tty_mutex);
2110         tty = get_current_tty();
2111         if (tty) {
2112                 file_list_lock();
2113                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2114                 if (file) {
2115                         /* Revalidate access to controlling tty.
2116                            Use inode_has_perm on the tty inode directly rather
2117                            than using file_has_perm, as this particular open
2118                            file may belong to another process and we are only
2119                            interested in the inode-based check here. */
2120                         struct inode *inode = file->f_path.dentry->d_inode;
2121                         if (inode_has_perm(current, inode,
2122                                            FILE__READ | FILE__WRITE, NULL)) {
2123                                 drop_tty = 1;
2124                         }
2125                 }
2126                 file_list_unlock();
2127         }
2128         mutex_unlock(&tty_mutex);
2129         /* Reset controlling tty. */
2130         if (drop_tty)
2131                 no_tty();
2132
2133         /* Revalidate access to inherited open files. */
2134
2135         AVC_AUDIT_DATA_INIT(&ad, FS);
2136
2137         spin_lock(&files->file_lock);
2138         for (;;) {
2139                 unsigned long set, i;
2140                 int fd;
2141
2142                 j++;
2143                 i = j * __NFDBITS;
2144                 fdt = files_fdtable(files);
2145                 if (i >= fdt->max_fds)
2146                         break;
2147                 set = fdt->open_fds->fds_bits[j];
2148                 if (!set)
2149                         continue;
2150                 spin_unlock(&files->file_lock);
2151                 for ( ; set ; i++, set >>= 1) {
2152                         if (set & 1) {
2153                                 file = fget(i);
2154                                 if (!file)
2155                                         continue;
2156                                 if (file_has_perm(current,
2157                                                   file,
2158                                                   file_to_av(file))) {
2159                                         sys_close(i);
2160                                         fd = get_unused_fd();
2161                                         if (fd != i) {
2162                                                 if (fd >= 0)
2163                                                         put_unused_fd(fd);
2164                                                 fput(file);
2165                                                 continue;
2166                                         }
2167                                         if (devnull) {
2168                                                 get_file(devnull);
2169                                         } else {
2170                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2171                                                 if (IS_ERR(devnull)) {
2172                                                         devnull = NULL;
2173                                                         put_unused_fd(fd);
2174                                                         fput(file);
2175                                                         continue;
2176                                                 }
2177                                         }
2178                                         fd_install(fd, devnull);
2179                                 }
2180                                 fput(file);
2181                         }
2182                 }
2183                 spin_lock(&files->file_lock);
2184
2185         }
2186         spin_unlock(&files->file_lock);
2187 }
2188
2189 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2190 {
2191         struct task_security_struct *tsec;
2192         struct bprm_security_struct *bsec;
2193         u32 sid;
2194         int rc;
2195
2196         secondary_ops->bprm_apply_creds(bprm, unsafe);
2197
2198         tsec = current->security;
2199
2200         bsec = bprm->security;
2201         sid = bsec->sid;
2202
2203         tsec->osid = tsec->sid;
2204         bsec->unsafe = 0;
2205         if (tsec->sid != sid) {
2206                 /* Check for shared state.  If not ok, leave SID
2207                    unchanged and kill. */
2208                 if (unsafe & LSM_UNSAFE_SHARE) {
2209                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2210                                         PROCESS__SHARE, NULL);
2211                         if (rc) {
2212                                 bsec->unsafe = 1;
2213                                 return;
2214                         }
2215                 }
2216
2217                 /* Check for ptracing, and update the task SID if ok.
2218                    Otherwise, leave SID unchanged and kill. */
2219                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2220                         struct task_struct *tracer;
2221                         struct task_security_struct *sec;
2222                         u32 ptsid = 0;
2223
2224                         rcu_read_lock();
2225                         tracer = tracehook_tracer_task(current);
2226                         if (likely(tracer != NULL)) {
2227                                 sec = tracer->security;
2228                                 ptsid = sec->sid;
2229                         }
2230                         rcu_read_unlock();
2231
2232                         if (ptsid != 0) {
2233                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2234                                                   PROCESS__PTRACE, NULL);
2235                                 if (rc) {
2236                                         bsec->unsafe = 1;
2237                                         return;
2238                                 }
2239                         }
2240                 }
2241                 tsec->sid = sid;
2242         }
2243 }
2244
2245 /*
2246  * called after apply_creds without the task lock held
2247  */
2248 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2249 {
2250         struct task_security_struct *tsec;
2251         struct rlimit *rlim, *initrlim;
2252         struct itimerval itimer;
2253         struct bprm_security_struct *bsec;
2254         int rc, i;
2255
2256         tsec = current->security;
2257         bsec = bprm->security;
2258
2259         if (bsec->unsafe) {
2260                 force_sig_specific(SIGKILL, current);
2261                 return;
2262         }
2263         if (tsec->osid == tsec->sid)
2264                 return;
2265
2266         /* Close files for which the new task SID is not authorized. */
2267         flush_unauthorized_files(current->files);
2268
2269         /* Check whether the new SID can inherit signal state
2270            from the old SID.  If not, clear itimers to avoid
2271            subsequent signal generation and flush and unblock
2272            signals. This must occur _after_ the task SID has
2273           been updated so that any kill done after the flush
2274           will be checked against the new SID. */
2275         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2276                           PROCESS__SIGINH, NULL);
2277         if (rc) {
2278                 memset(&itimer, 0, sizeof itimer);
2279                 for (i = 0; i < 3; i++)
2280                         do_setitimer(i, &itimer, NULL);
2281                 flush_signals(current);
2282                 spin_lock_irq(&current->sighand->siglock);
2283                 flush_signal_handlers(current, 1);
2284                 sigemptyset(&current->blocked);
2285                 recalc_sigpending();
2286                 spin_unlock_irq(&current->sighand->siglock);
2287         }
2288
2289         /* Always clear parent death signal on SID transitions. */
2290         current->pdeath_signal = 0;
2291
2292         /* Check whether the new SID can inherit resource limits
2293            from the old SID.  If not, reset all soft limits to
2294            the lower of the current task's hard limit and the init
2295            task's soft limit.  Note that the setting of hard limits
2296            (even to lower them) can be controlled by the setrlimit
2297            check. The inclusion of the init task's soft limit into
2298            the computation is to avoid resetting soft limits higher
2299            than the default soft limit for cases where the default
2300            is lower than the hard limit, e.g. RLIMIT_CORE or
2301            RLIMIT_STACK.*/
2302         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2303                           PROCESS__RLIMITINH, NULL);
2304         if (rc) {
2305                 for (i = 0; i < RLIM_NLIMITS; i++) {
2306                         rlim = current->signal->rlim + i;
2307                         initrlim = init_task.signal->rlim+i;
2308                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2309                 }
2310                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2311                         /*
2312                          * This will cause RLIMIT_CPU calculations
2313                          * to be refigured.
2314                          */
2315                         current->it_prof_expires = jiffies_to_cputime(1);
2316                 }
2317         }
2318
2319         /* Wake up the parent if it is waiting so that it can
2320            recheck wait permission to the new task SID. */
2321         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2322 }
2323
2324 /* superblock security operations */
2325
2326 static int selinux_sb_alloc_security(struct super_block *sb)
2327 {
2328         return superblock_alloc_security(sb);
2329 }
2330
2331 static void selinux_sb_free_security(struct super_block *sb)
2332 {
2333         superblock_free_security(sb);
2334 }
2335
2336 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2337 {
2338         if (plen > olen)
2339                 return 0;
2340
2341         return !memcmp(prefix, option, plen);
2342 }
2343
2344 static inline int selinux_option(char *option, int len)
2345 {
2346         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2347                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2348                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2349                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2350 }
2351
2352 static inline void take_option(char **to, char *from, int *first, int len)
2353 {
2354         if (!*first) {
2355                 **to = ',';
2356                 *to += 1;
2357         } else
2358                 *first = 0;
2359         memcpy(*to, from, len);
2360         *to += len;
2361 }
2362
2363 static inline void take_selinux_option(char **to, char *from, int *first,
2364                                        int len)
2365 {
2366         int current_size = 0;
2367
2368         if (!*first) {
2369                 **to = '|';
2370                 *to += 1;
2371         } else
2372                 *first = 0;
2373
2374         while (current_size < len) {
2375                 if (*from != '"') {
2376                         **to = *from;
2377                         *to += 1;
2378                 }
2379                 from += 1;
2380                 current_size += 1;
2381         }
2382 }
2383
2384 static int selinux_sb_copy_data(char *orig, char *copy)
2385 {
2386         int fnosec, fsec, rc = 0;
2387         char *in_save, *in_curr, *in_end;
2388         char *sec_curr, *nosec_save, *nosec;
2389         int open_quote = 0;
2390
2391         in_curr = orig;
2392         sec_curr = copy;
2393
2394         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2395         if (!nosec) {
2396                 rc = -ENOMEM;
2397                 goto out;
2398         }
2399
2400         nosec_save = nosec;
2401         fnosec = fsec = 1;
2402         in_save = in_end = orig;
2403
2404         do {
2405                 if (*in_end == '"')
2406                         open_quote = !open_quote;
2407                 if ((*in_end == ',' && open_quote == 0) ||
2408                                 *in_end == '\0') {
2409                         int len = in_end - in_curr;
2410
2411                         if (selinux_option(in_curr, len))
2412                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2413                         else
2414                                 take_option(&nosec, in_curr, &fnosec, len);
2415
2416                         in_curr = in_end + 1;
2417                 }
2418         } while (*in_end++);
2419
2420         strcpy(in_save, nosec_save);
2421         free_page((unsigned long)nosec_save);
2422 out:
2423         return rc;
2424 }
2425
2426 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2427 {
2428         struct avc_audit_data ad;
2429         int rc;
2430
2431         rc = superblock_doinit(sb, data);
2432         if (rc)
2433                 return rc;
2434
2435         AVC_AUDIT_DATA_INIT(&ad, FS);
2436         ad.u.fs.path.dentry = sb->s_root;
2437         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2438 }
2439
2440 static int selinux_sb_statfs(struct dentry *dentry)
2441 {
2442         struct avc_audit_data ad;
2443
2444         AVC_AUDIT_DATA_INIT(&ad, FS);
2445         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2446         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2447 }
2448
2449 static int selinux_mount(char *dev_name,
2450                          struct path *path,
2451                          char *type,
2452                          unsigned long flags,
2453                          void *data)
2454 {
2455         int rc;
2456
2457         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2458         if (rc)
2459                 return rc;
2460
2461         if (flags & MS_REMOUNT)
2462                 return superblock_has_perm(current, path->mnt->mnt_sb,
2463                                            FILESYSTEM__REMOUNT, NULL);
2464         else
2465                 return dentry_has_perm(current, path->mnt, path->dentry,
2466                                        FILE__MOUNTON);
2467 }
2468
2469 static int selinux_umount(struct vfsmount *mnt, int flags)
2470 {
2471         int rc;
2472
2473         rc = secondary_ops->sb_umount(mnt, flags);
2474         if (rc)
2475                 return rc;
2476
2477         return superblock_has_perm(current, mnt->mnt_sb,
2478                                    FILESYSTEM__UNMOUNT, NULL);
2479 }
2480
2481 /* inode security operations */
2482
2483 static int selinux_inode_alloc_security(struct inode *inode)
2484 {
2485         return inode_alloc_security(inode);
2486 }
2487
2488 static void selinux_inode_free_security(struct inode *inode)
2489 {
2490         inode_free_security(inode);
2491 }
2492
2493 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2494                                        char **name, void **value,
2495                                        size_t *len)
2496 {
2497         struct task_security_struct *tsec;
2498         struct inode_security_struct *dsec;
2499         struct superblock_security_struct *sbsec;
2500         u32 newsid, clen;
2501         int rc;
2502         char *namep = NULL, *context;
2503
2504         tsec = current->security;
2505         dsec = dir->i_security;
2506         sbsec = dir->i_sb->s_security;
2507
2508         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2509                 newsid = tsec->create_sid;
2510         } else {
2511                 rc = security_transition_sid(tsec->sid, dsec->sid,
2512                                              inode_mode_to_security_class(inode->i_mode),
2513                                              &newsid);
2514                 if (rc) {
2515                         printk(KERN_WARNING "%s:  "
2516                                "security_transition_sid failed, rc=%d (dev=%s "
2517                                "ino=%ld)\n",
2518                                __func__,
2519                                -rc, inode->i_sb->s_id, inode->i_ino);
2520                         return rc;
2521                 }
2522         }
2523
2524         /* Possibly defer initialization to selinux_complete_init. */
2525         if (sbsec->initialized) {
2526                 struct inode_security_struct *isec = inode->i_security;
2527                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2528                 isec->sid = newsid;
2529                 isec->initialized = 1;
2530         }
2531
2532         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2533                 return -EOPNOTSUPP;
2534
2535         if (name) {
2536                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2537                 if (!namep)
2538                         return -ENOMEM;
2539                 *name = namep;
2540         }
2541
2542         if (value && len) {
2543                 rc = security_sid_to_context_force(newsid, &context, &clen);
2544                 if (rc) {
2545                         kfree(namep);
2546                         return rc;
2547                 }
2548                 *value = context;
2549                 *len = clen;
2550         }
2551
2552         return 0;
2553 }
2554
2555 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2556 {
2557         return may_create(dir, dentry, SECCLASS_FILE);
2558 }
2559
2560 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2561 {
2562         int rc;
2563
2564         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2565         if (rc)
2566                 return rc;
2567         return may_link(dir, old_dentry, MAY_LINK);
2568 }
2569
2570 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2571 {
2572         int rc;
2573
2574         rc = secondary_ops->inode_unlink(dir, dentry);
2575         if (rc)
2576                 return rc;
2577         return may_link(dir, dentry, MAY_UNLINK);
2578 }
2579
2580 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2581 {
2582         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2583 }
2584
2585 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2586 {
2587         return may_create(dir, dentry, SECCLASS_DIR);
2588 }
2589
2590 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2591 {
2592         return may_link(dir, dentry, MAY_RMDIR);
2593 }
2594
2595 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2596 {
2597         int rc;
2598
2599         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2600         if (rc)
2601                 return rc;
2602
2603         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2604 }
2605
2606 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2607                                 struct inode *new_inode, struct dentry *new_dentry)
2608 {
2609         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2610 }
2611
2612 static int selinux_inode_readlink(struct dentry *dentry)
2613 {
2614         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2615 }
2616
2617 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2618 {
2619         int rc;
2620
2621         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2622         if (rc)
2623                 return rc;
2624         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2625 }
2626
2627 static int selinux_inode_permission(struct inode *inode, int mask,
2628                                     struct nameidata *nd)
2629 {
2630         int rc;
2631
2632         rc = secondary_ops->inode_permission(inode, mask, nd);
2633         if (rc)
2634                 return rc;
2635
2636         if (!mask) {
2637                 /* No permission to check.  Existence test. */
2638                 return 0;
2639         }
2640
2641         return inode_has_perm(current, inode,
2642                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2643 }
2644
2645 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2646 {
2647         int rc;
2648
2649         rc = secondary_ops->inode_setattr(dentry, iattr);
2650         if (rc)
2651                 return rc;
2652
2653         if (iattr->ia_valid & ATTR_FORCE)
2654                 return 0;
2655
2656         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2657                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2658                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2659
2660         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2661 }
2662
2663 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2664 {
2665         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2666 }
2667
2668 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2669 {
2670         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2671                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2672                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2673                         if (!capable(CAP_SETFCAP))
2674                                 return -EPERM;
2675                 } else if (!capable(CAP_SYS_ADMIN)) {
2676                         /* A different attribute in the security namespace.
2677                            Restrict to administrator. */
2678                         return -EPERM;
2679                 }
2680         }
2681
2682         /* Not an attribute we recognize, so just check the
2683            ordinary setattr permission. */
2684         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2685 }
2686
2687 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2688                                   const void *value, size_t size, int flags)
2689 {
2690         struct task_security_struct *tsec = current->security;
2691         struct inode *inode = dentry->d_inode;
2692         struct inode_security_struct *isec = inode->i_security;
2693         struct superblock_security_struct *sbsec;
2694         struct avc_audit_data ad;
2695         u32 newsid;
2696         int rc = 0;
2697
2698         if (strcmp(name, XATTR_NAME_SELINUX))
2699                 return selinux_inode_setotherxattr(dentry, name);
2700
2701         sbsec = inode->i_sb->s_security;
2702         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2703                 return -EOPNOTSUPP;
2704
2705         if (!is_owner_or_cap(inode))
2706                 return -EPERM;
2707
2708         AVC_AUDIT_DATA_INIT(&ad, FS);
2709         ad.u.fs.path.dentry = dentry;
2710
2711         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2712                           FILE__RELABELFROM, &ad);
2713         if (rc)
2714                 return rc;
2715
2716         rc = security_context_to_sid(value, size, &newsid);
2717         if (rc == -EINVAL) {
2718                 if (!capable(CAP_MAC_ADMIN))
2719                         return rc;
2720                 rc = security_context_to_sid_force(value, size, &newsid);
2721         }
2722         if (rc)
2723                 return rc;
2724
2725         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2726                           FILE__RELABELTO, &ad);
2727         if (rc)
2728                 return rc;
2729
2730         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2731                                           isec->sclass);
2732         if (rc)
2733                 return rc;
2734
2735         return avc_has_perm(newsid,
2736                             sbsec->sid,
2737                             SECCLASS_FILESYSTEM,
2738                             FILESYSTEM__ASSOCIATE,
2739                             &ad);
2740 }
2741
2742 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2743                                         const void *value, size_t size,
2744                                         int flags)
2745 {
2746         struct inode *inode = dentry->d_inode;
2747         struct inode_security_struct *isec = inode->i_security;
2748         u32 newsid;
2749         int rc;
2750
2751         if (strcmp(name, XATTR_NAME_SELINUX)) {
2752                 /* Not an attribute we recognize, so nothing to do. */
2753                 return;
2754         }
2755
2756         rc = security_context_to_sid_force(value, size, &newsid);
2757         if (rc) {
2758                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2759                        "for (%s, %lu), rc=%d\n",
2760                        inode->i_sb->s_id, inode->i_ino, -rc);
2761                 return;
2762         }
2763
2764         isec->sid = newsid;
2765         return;
2766 }
2767
2768 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2769 {
2770         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2771 }
2772
2773 static int selinux_inode_listxattr(struct dentry *dentry)
2774 {
2775         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2776 }
2777
2778 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2779 {
2780         if (strcmp(name, XATTR_NAME_SELINUX))
2781                 return selinux_inode_setotherxattr(dentry, name);
2782
2783         /* No one is allowed to remove a SELinux security label.
2784            You can change the label, but all data must be labeled. */
2785         return -EACCES;
2786 }
2787
2788 /*
2789  * Copy the inode security context value to the user.
2790  *
2791  * Permission check is handled by selinux_inode_getxattr hook.
2792  */
2793 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2794 {
2795         u32 size;
2796         int error;
2797         char *context = NULL;
2798         struct task_security_struct *tsec = current->security;
2799         struct inode_security_struct *isec = inode->i_security;
2800
2801         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2802                 return -EOPNOTSUPP;
2803
2804         /*
2805          * If the caller has CAP_MAC_ADMIN, then get the raw context
2806          * value even if it is not defined by current policy; otherwise,
2807          * use the in-core value under current policy.
2808          * Use the non-auditing forms of the permission checks since
2809          * getxattr may be called by unprivileged processes commonly
2810          * and lack of permission just means that we fall back to the
2811          * in-core context value, not a denial.
2812          */
2813         error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2814         if (!error)
2815                 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2816                                              SECCLASS_CAPABILITY2,
2817                                              CAPABILITY2__MAC_ADMIN,
2818                                              0,
2819                                              NULL);
2820         if (!error)
2821                 error = security_sid_to_context_force(isec->sid, &context,
2822                                                       &size);
2823         else
2824                 error = security_sid_to_context(isec->sid, &context, &size);
2825         if (error)
2826                 return error;
2827         error = size;
2828         if (alloc) {
2829                 *buffer = context;
2830                 goto out_nofree;
2831         }
2832         kfree(context);
2833 out_nofree:
2834         return error;
2835 }
2836
2837 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2838                                      const void *value, size_t size, int flags)
2839 {
2840         struct inode_security_struct *isec = inode->i_security;
2841         u32 newsid;
2842         int rc;
2843
2844         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2845                 return -EOPNOTSUPP;
2846
2847         if (!value || !size)
2848                 return -EACCES;
2849
2850         rc = security_context_to_sid((void *)value, size, &newsid);
2851         if (rc)
2852                 return rc;
2853
2854         isec->sid = newsid;
2855         return 0;
2856 }
2857
2858 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2859 {
2860         const int len = sizeof(XATTR_NAME_SELINUX);
2861         if (buffer && len <= buffer_size)
2862                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2863         return len;
2864 }
2865
2866 static int selinux_inode_need_killpriv(struct dentry *dentry)
2867 {
2868         return secondary_ops->inode_need_killpriv(dentry);
2869 }
2870
2871 static int selinux_inode_killpriv(struct dentry *dentry)
2872 {
2873         return secondary_ops->inode_killpriv(dentry);
2874 }
2875
2876 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2877 {
2878         struct inode_security_struct *isec = inode->i_security;
2879         *secid = isec->sid;
2880 }
2881
2882 /* file security operations */
2883
2884 static int selinux_revalidate_file_permission(struct file *file, int mask)
2885 {
2886         int rc;
2887         struct inode *inode = file->f_path.dentry->d_inode;
2888
2889         if (!mask) {
2890                 /* No permission to check.  Existence test. */
2891                 return 0;
2892         }
2893
2894         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2895         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2896                 mask |= MAY_APPEND;
2897
2898         rc = file_has_perm(current, file,
2899                            file_mask_to_av(inode->i_mode, mask));
2900         if (rc)
2901                 return rc;
2902
2903         return selinux_netlbl_inode_permission(inode, mask);
2904 }
2905
2906 static int selinux_file_permission(struct file *file, int mask)
2907 {
2908         struct inode *inode = file->f_path.dentry->d_inode;
2909         struct task_security_struct *tsec = current->security;
2910         struct file_security_struct *fsec = file->f_security;
2911         struct inode_security_struct *isec = inode->i_security;
2912
2913         if (!mask) {
2914                 /* No permission to check.  Existence test. */
2915                 return 0;
2916         }
2917
2918         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2919             && fsec->pseqno == avc_policy_seqno())
2920                 return selinux_netlbl_inode_permission(inode, mask);
2921
2922         return selinux_revalidate_file_permission(file, mask);
2923 }
2924
2925 static int selinux_file_alloc_security(struct file *file)
2926 {
2927         return file_alloc_security(file);
2928 }
2929
2930 static void selinux_file_free_security(struct file *file)
2931 {
2932         file_free_security(file);
2933 }
2934
2935 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2936                               unsigned long arg)
2937 {
2938         u32 av = 0;
2939
2940         if (_IOC_DIR(cmd) & _IOC_WRITE)
2941                 av |= FILE__WRITE;
2942         if (_IOC_DIR(cmd) & _IOC_READ)
2943                 av |= FILE__READ;
2944         if (!av)
2945                 av = FILE__IOCTL;
2946
2947         return file_has_perm(current, file, av);
2948 }
2949
2950 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2951 {
2952 #ifndef CONFIG_PPC32
2953         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2954                 /*
2955                  * We are making executable an anonymous mapping or a
2956                  * private file mapping that will also be writable.
2957                  * This has an additional check.
2958                  */
2959                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2960                 if (rc)
2961                         return rc;
2962         }
2963 #endif
2964
2965         if (file) {
2966                 /* read access is always possible with a mapping */
2967                 u32 av = FILE__READ;
2968
2969                 /* write access only matters if the mapping is shared */
2970                 if (shared && (prot & PROT_WRITE))
2971                         av |= FILE__WRITE;
2972
2973                 if (prot & PROT_EXEC)
2974                         av |= FILE__EXECUTE;
2975
2976                 return file_has_perm(current, file, av);
2977         }
2978         return 0;
2979 }
2980
2981 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2982                              unsigned long prot, unsigned long flags,
2983                              unsigned long addr, unsigned long addr_only)
2984 {
2985         int rc = 0;
2986         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2987
2988         if (addr < mmap_min_addr)
2989                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2990                                   MEMPROTECT__MMAP_ZERO, NULL);
2991         if (rc || addr_only)
2992                 return rc;
2993
2994         if (selinux_checkreqprot)
2995                 prot = reqprot;
2996
2997         return file_map_prot_check(file, prot,
2998                                    (flags & MAP_TYPE) == MAP_SHARED);
2999 }
3000
3001 static int selinux_file_mprotect(struct vm_area_struct *vma,
3002                                  unsigned long reqprot,
3003                                  unsigned long prot)
3004 {
3005         int rc;
3006
3007         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3008         if (rc)
3009                 return rc;
3010
3011         if (selinux_checkreqprot)
3012                 prot = reqprot;
3013
3014 #ifndef CONFIG_PPC32
3015         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3016                 rc = 0;
3017                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3018                     vma->vm_end <= vma->vm_mm->brk) {
3019                         rc = task_has_perm(current, current,
3020                                            PROCESS__EXECHEAP);
3021                 } else if (!vma->vm_file &&
3022                            vma->vm_start <= vma->vm_mm->start_stack &&
3023                            vma->vm_end >= vma->vm_mm->start_stack) {
3024                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3025                 } else if (vma->vm_file && vma->anon_vma) {
3026                         /*
3027                          * We are making executable a file mapping that has
3028                          * had some COW done. Since pages might have been
3029                          * written, check ability to execute the possibly
3030                          * modified content.  This typically should only
3031                          * occur for text relocations.
3032                          */
3033                         rc = file_has_perm(current, vma->vm_file,
3034                                            FILE__EXECMOD);
3035                 }
3036                 if (rc)
3037                         return rc;
3038         }
3039 #endif
3040
3041         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3042 }
3043
3044 static int selinux_file_lock(struct file *file, unsigned int cmd)
3045 {
3046         return file_has_perm(current, file, FILE__LOCK);
3047 }
3048
3049 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3050                               unsigned long arg)
3051 {
3052         int err = 0;
3053
3054         switch (cmd) {
3055         case F_SETFL:
3056                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3057                         err = -EINVAL;
3058                         break;
3059                 }
3060
3061                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3062                         err = file_has_perm(current, file, FILE__WRITE);
3063                         break;
3064                 }
3065                 /* fall through */
3066         case F_SETOWN:
3067         case F_SETSIG:
3068         case F_GETFL:
3069         case F_GETOWN:
3070         case F_GETSIG:
3071                 /* Just check FD__USE permission */
3072                 err = file_has_perm(current, file, 0);
3073                 break;
3074         case F_GETLK:
3075         case F_SETLK:
3076         case F_SETLKW:
3077 #if BITS_PER_LONG == 32
3078         case F_GETLK64:
3079         case F_SETLK64:
3080         case F_SETLKW64:
3081 #endif
3082                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3083                         err = -EINVAL;
3084                         break;
3085                 }
3086                 err = file_has_perm(current, file, FILE__LOCK);
3087                 break;
3088         }
3089
3090         return err;
3091 }
3092
3093 static int selinux_file_set_fowner(struct file *file)
3094 {
3095         struct task_security_struct *tsec;
3096         struct file_security_struct *fsec;
3097
3098         tsec = current->security;
3099         fsec = file->f_security;
3100         fsec->fown_sid = tsec->sid;
3101
3102         return 0;
3103 }
3104
3105 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3106                                        struct fown_struct *fown, int signum)
3107 {
3108         struct file *file;
3109         u32 perm;
3110         struct task_security_struct *tsec;
3111         struct file_security_struct *fsec;
3112
3113         /* struct fown_struct is never outside the context of a struct file */
3114         file = container_of(fown, struct file, f_owner);
3115
3116         tsec = tsk->security;
3117         fsec = file->f_security;
3118
3119         if (!signum)
3120                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3121         else
3122                 perm = signal_to_av(signum);
3123
3124         return avc_has_perm(fsec->fown_sid, tsec->sid,
3125                             SECCLASS_PROCESS, perm, NULL);
3126 }
3127
3128 static int selinux_file_receive(struct file *file)
3129 {
3130         return file_has_perm(current, file, file_to_av(file));
3131 }
3132
3133 static int selinux_dentry_open(struct file *file)
3134 {
3135         struct file_security_struct *fsec;
3136         struct inode *inode;
3137         struct inode_security_struct *isec;
3138         inode = file->f_path.dentry->d_inode;
3139         fsec = file->f_security;
3140         isec = inode->i_security;
3141         /*
3142          * Save inode label and policy sequence number
3143          * at open-time so that selinux_file_permission
3144          * can determine whether revalidation is necessary.
3145          * Task label is already saved in the file security
3146          * struct as its SID.
3147          */
3148         fsec->isid = isec->sid;
3149         fsec->pseqno = avc_policy_seqno();
3150         /*
3151          * Since the inode label or policy seqno may have changed
3152          * between the selinux_inode_permission check and the saving
3153          * of state above, recheck that access is still permitted.
3154          * Otherwise, access might never be revalidated against the
3155          * new inode label or new policy.
3156          * This check is not redundant - do not remove.
3157          */
3158         return inode_has_perm(current, inode, file_to_av(file), NULL);
3159 }
3160
3161 /* task security operations */
3162
3163 static int selinux_task_create(unsigned long clone_flags)
3164 {
3165         int rc;
3166
3167         rc = secondary_ops->task_create(clone_flags);
3168         if (rc)
3169                 return rc;
3170
3171         return task_has_perm(current, current, PROCESS__FORK);
3172 }
3173
3174 static int selinux_task_alloc_security(struct task_struct *tsk)
3175 {
3176         struct task_security_struct *tsec1, *tsec2;
3177         int rc;
3178
3179         tsec1 = current->security;
3180
3181         rc = task_alloc_security(tsk);
3182         if (rc)
3183                 return rc;
3184         tsec2 = tsk->security;
3185
3186         tsec2->osid = tsec1->osid;
3187         tsec2->sid = tsec1->sid;
3188
3189         /* Retain the exec, fs, key, and sock SIDs across fork */
3190         tsec2->exec_sid = tsec1->exec_sid;
3191         tsec2->create_sid = tsec1->create_sid;
3192         tsec2->keycreate_sid = tsec1->keycreate_sid;
3193         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3194
3195         return 0;
3196 }
3197
3198 static void selinux_task_free_security(struct task_struct *tsk)
3199 {
3200         task_free_security(tsk);
3201 }
3202
3203 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3204 {
3205         /* Since setuid only affects the current process, and
3206            since the SELinux controls are not based on the Linux
3207            identity attributes, SELinux does not need to control
3208            this operation.  However, SELinux does control the use
3209            of the CAP_SETUID and CAP_SETGID capabilities using the
3210            capable hook. */
3211         return 0;
3212 }
3213
3214 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3215 {
3216         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3217 }
3218
3219 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3220 {
3221         /* See the comment for setuid above. */
3222         return 0;
3223 }
3224
3225 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3226 {
3227         return task_has_perm(current, p, PROCESS__SETPGID);
3228 }
3229
3230 static int selinux_task_getpgid(struct task_struct *p)
3231 {
3232         return task_has_perm(current, p, PROCESS__GETPGID);
3233 }
3234
3235 static int selinux_task_getsid(struct task_struct *p)
3236 {
3237         return task_has_perm(current, p, PROCESS__GETSESSION);
3238 }
3239
3240 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3241 {
3242         struct task_security_struct *tsec = p->security;
3243         *secid = tsec->sid;
3244 }
3245
3246 static int selinux_task_setgroups(struct group_info *group_info)
3247 {
3248         /* See the comment for setuid above. */
3249         return 0;
3250 }
3251
3252 static int selinux_task_setnice(struct task_struct *p, int nice)
3253 {
3254         int rc;
3255
3256         rc = secondary_ops->task_setnice(p, nice);
3257         if (rc)
3258                 return rc;
3259
3260         return task_has_perm(current, p, PROCESS__SETSCHED);
3261 }
3262
3263 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3264 {
3265         int rc;
3266
3267         rc = secondary_ops->task_setioprio(p, ioprio);
3268         if (rc)
3269                 return rc;
3270
3271         return task_has_perm(current, p, PROCESS__SETSCHED);
3272 }
3273
3274 static int selinux_task_getioprio(struct task_struct *p)
3275 {
3276         return task_has_perm(current, p, PROCESS__GETSCHED);
3277 }
3278
3279 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3280 {
3281         struct rlimit *old_rlim = current->signal->rlim + resource;
3282         int rc;
3283
3284         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3285         if (rc)
3286                 return rc;
3287
3288         /* Control the ability to change the hard limit (whether
3289            lowering or raising it), so that the hard limit can
3290            later be used as a safe reset point for the soft limit
3291            upon context transitions. See selinux_bprm_apply_creds. */
3292         if (old_rlim->rlim_max != new_rlim->rlim_max)
3293                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3294
3295         return 0;
3296 }
3297
3298 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3299 {
3300         int rc;
3301
3302         rc = secondary_ops->task_setscheduler(p, policy, lp);
3303         if (rc)
3304                 return rc;
3305
3306         return task_has_perm(current, p, PROCESS__SETSCHED);
3307 }
3308
3309 static int selinux_task_getscheduler(struct task_struct *p)
3310 {
3311         return task_has_perm(current, p, PROCESS__GETSCHED);
3312 }
3313
3314 static int selinux_task_movememory(struct task_struct *p)
3315 {
3316         return task_has_perm(current, p, PROCESS__SETSCHED);
3317 }
3318
3319 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3320                                 int sig, u32 secid)
3321 {
3322         u32 perm;
3323         int rc;
3324         struct task_security_struct *tsec;
3325
3326         rc = secondary_ops->task_kill(p, info, sig, secid);
3327         if (rc)
3328                 return rc;
3329
3330         if (!sig)
3331                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3332         else
3333                 perm = signal_to_av(sig);
3334         tsec = p->security;
3335         if (secid)
3336                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3337         else
3338                 rc = task_has_perm(current, p, perm);
3339         return rc;
3340 }
3341
3342 static int selinux_task_prctl(int option,
3343                               unsigned long arg2,
3344                               unsigned long arg3,
3345                               unsigned long arg4,
3346                               unsigned long arg5,
3347                               long *rc_p)
3348 {
3349         /* The current prctl operations do not appear to require
3350            any SELinux controls since they merely observe or modify
3351            the state of the current process. */
3352         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3353 }
3354
3355 static int selinux_task_wait(struct task_struct *p)
3356 {
3357         return task_has_perm(p, current, PROCESS__SIGCHLD);
3358 }
3359
3360 static void selinux_task_reparent_to_init(struct task_struct *p)
3361 {
3362         struct task_security_struct *tsec;
3363
3364         secondary_ops->task_reparent_to_init(p);
3365
3366         tsec = p->security;
3367         tsec->osid = tsec->sid;
3368         tsec->sid = SECINITSID_KERNEL;
3369         return;
3370 }
3371
3372 static void selinux_task_to_inode(struct task_struct *p,
3373                                   struct inode *inode)
3374 {
3375         struct task_security_struct *tsec = p->security;
3376         struct inode_security_struct *isec = inode->i_security;
3377
3378         isec->sid = tsec->sid;
3379         isec->initialized = 1;
3380         return;
3381 }
3382
3383 /* Returns error only if unable to parse addresses */
3384 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3385                         struct avc_audit_data *ad, u8 *proto)
3386 {
3387         int offset, ihlen, ret = -EINVAL;
3388         struct iphdr _iph, *ih;
3389
3390         offset = skb_network_offset(skb);
3391         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3392         if (ih == NULL)
3393                 goto out;
3394
3395         ihlen = ih->ihl * 4;
3396         if (ihlen < sizeof(_iph))
3397                 goto out;
3398
3399         ad->u.net.v4info.saddr = ih->saddr;
3400         ad->u.net.v4info.daddr = ih->daddr;
3401         ret = 0;
3402
3403         if (proto)
3404                 *proto = ih->protocol;
3405
3406         switch (ih->protocol) {
3407         case IPPROTO_TCP: {
3408                 struct tcphdr _tcph, *th;
3409
3410                 if (ntohs(ih->frag_off) & IP_OFFSET)
3411                         break;
3412
3413                 offset += ihlen;
3414                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3415                 if (th == NULL)
3416                         break;
3417
3418                 ad->u.net.sport = th->source;
3419                 ad->u.net.dport = th->dest;
3420                 break;
3421         }
3422
3423         case IPPROTO_UDP: {
3424                 struct udphdr _udph, *uh;
3425
3426                 if (ntohs(ih->frag_off) & IP_OFFSET)
3427                         break;
3428
3429                 offset += ihlen;
3430                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3431                 if (uh == NULL)
3432                         break;
3433
3434                 ad->u.net.sport = uh->source;
3435                 ad->u.net.dport = uh->dest;
3436                 break;
3437         }
3438
3439         case IPPROTO_DCCP: {
3440                 struct dccp_hdr _dccph, *dh;
3441
3442                 if (ntohs(ih->frag_off) & IP_OFFSET)
3443                         break;
3444
3445                 offset += ihlen;
3446                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3447                 if (dh == NULL)
3448                         break;
3449
3450                 ad->u.net.sport = dh->dccph_sport;
3451                 ad->u.net.dport = dh->dccph_dport;
3452                 break;
3453         }
3454
3455         default:
3456                 break;
3457         }
3458 out:
3459         return ret;
3460 }
3461
3462 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3463
3464 /* Returns error only if unable to parse addresses */
3465 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3466                         struct avc_audit_data *ad, u8 *proto)
3467 {
3468         u8 nexthdr;
3469         int ret = -EINVAL, offset;
3470         struct ipv6hdr _ipv6h, *ip6;
3471
3472         offset = skb_network_offset(skb);
3473         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3474         if (ip6 == NULL)
3475                 goto out;
3476
3477         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3478         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3479         ret = 0;
3480
3481         nexthdr = ip6->nexthdr;
3482         offset += sizeof(_ipv6h);
3483         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3484         if (offset < 0)
3485                 goto out;
3486
3487         if (proto)
3488                 *proto = nexthdr;
3489
3490         switch (nexthdr) {
3491         case IPPROTO_TCP: {
3492                 struct tcphdr _tcph, *th;
3493
3494                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3495                 if (th == NULL)
3496                         break;
3497
3498                 ad->u.net.sport = th->source;
3499                 ad->u.net.dport = th->dest;
3500                 break;
3501         }
3502
3503         case IPPROTO_UDP: {
3504                 struct udphdr _udph, *uh;
3505
3506                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3507                 if (uh == NULL)
3508                         break;
3509
3510                 ad->u.net.sport = uh->source;
3511                 ad->u.net.dport = uh->dest;
3512                 break;
3513         }
3514
3515         case IPPROTO_DCCP: {
3516                 struct dccp_hdr _dccph, *dh;
3517
3518                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3519                 if (dh == NULL)
3520                         break;
3521
3522                 ad->u.net.sport = dh->dccph_sport;
3523                 ad->u.net.dport = dh->dccph_dport;
3524                 break;
3525         }
3526
3527         /* includes fragments */
3528         default:
3529                 break;
3530         }
3531 out:
3532         return ret;
3533 }
3534
3535 #endif /* IPV6 */
3536
3537 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3538                              char **addrp, int src, u8 *proto)
3539 {
3540         int ret = 0;
3541
3542         switch (ad->u.net.family) {
3543         case PF_INET:
3544                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3545                 if (ret || !addrp)
3546                         break;
3547                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3548                                         &ad->u.net.v4info.daddr);
3549                 break;
3550
3551 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3552         case PF_INET6:
3553                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3554                 if (ret || !addrp)
3555                         break;
3556                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3557                                         &ad->u.net.v6info.daddr);
3558                 break;
3559 #endif  /* IPV6 */
3560         default:
3561                 break;
3562         }
3563
3564         if (unlikely(ret))
3565                 printk(KERN_WARNING
3566                        "SELinux: failure in selinux_parse_skb(),"
3567                        " unable to parse packet\n");
3568
3569         return ret;
3570 }
3571
3572 /**
3573  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3574  * @skb: the packet
3575  * @family: protocol family
3576  * @sid: the packet's peer label SID
3577  *
3578  * Description:
3579  * Check the various different forms of network peer labeling and determine
3580  * the peer label/SID for the packet; most of the magic actually occurs in
3581  * the security server function security_net_peersid_cmp().  The function
3582  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3583  * or -EACCES if @sid is invalid due to inconsistencies with the different
3584  * peer labels.
3585  *
3586  */
3587 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3588 {
3589         int err;
3590         u32 xfrm_sid;
3591         u32 nlbl_sid;
3592         u32 nlbl_type;
3593
3594         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3595         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3596
3597         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3598         if (unlikely(err)) {
3599                 printk(KERN_WARNING
3600                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3601                        " unable to determine packet's peer label\n");
3602                 return -EACCES;
3603         }
3604
3605         return 0;
3606 }
3607
3608 /* socket security operations */
3609 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3610                            u32 perms)
3611 {
3612         struct inode_security_struct *isec;
3613         struct task_security_struct *tsec;
3614         struct avc_audit_data ad;
3615         int err = 0;
3616
3617         tsec = task->security;
3618         isec = SOCK_INODE(sock)->i_security;
3619
3620         if (isec->sid == SECINITSID_KERNEL)
3621                 goto out;
3622
3623         AVC_AUDIT_DATA_INIT(&ad, NET);
3624         ad.u.net.sk = sock->sk;
3625         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3626
3627 out:
3628         return err;
3629 }
3630
3631 static int selinux_socket_create(int family, int type,
3632                                  int protocol, int kern)
3633 {
3634         int err = 0;
3635         struct task_security_struct *tsec;
3636         u32 newsid;
3637
3638         if (kern)
3639                 goto out;
3640
3641         tsec = current->security;
3642         newsid = tsec->sockcreate_sid ? : tsec->sid;
3643         err = avc_has_perm(tsec->sid, newsid,
3644                            socket_type_to_security_class(family, type,
3645                            protocol), SOCKET__CREATE, NULL);
3646
3647 out:
3648         return err;
3649 }
3650
3651 static int selinux_socket_post_create(struct socket *sock, int family,
3652                                       int type, int protocol, int kern)
3653 {
3654         int err = 0;
3655         struct inode_security_struct *isec;
3656         struct task_security_struct *tsec;
3657         struct sk_security_struct *sksec;
3658         u32 newsid;
3659
3660         isec = SOCK_INODE(sock)->i_security;
3661
3662         tsec = current->security;
3663         newsid = tsec->sockcreate_sid ? : tsec->sid;
3664         isec->sclass = socket_type_to_security_class(family, type, protocol);
3665         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3666         isec->initialized = 1;
3667
3668         if (sock->sk) {
3669                 sksec = sock->sk->sk_security;
3670                 sksec->sid = isec->sid;
3671                 sksec->sclass = isec->sclass;
3672                 err = selinux_netlbl_socket_post_create(sock);
3673         }
3674
3675         return err;
3676 }
3677
3678 /* Range of port numbers used to automatically bind.
3679    Need to determine whether we should perform a name_bind
3680    permission check between the socket and the port number. */
3681
3682 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3683 {
3684         u16 family;
3685         int err;
3686
3687         err = socket_has_perm(current, sock, SOCKET__BIND);
3688         if (err)
3689                 goto out;
3690
3691         /*
3692          * If PF_INET or PF_INET6, check name_bind permission for the port.
3693          * Multiple address binding for SCTP is not supported yet: we just
3694          * check the first address now.
3695          */
3696         family = sock->sk->sk_family;
3697         if (family == PF_INET || family == PF_INET6) {
3698                 char *addrp;
3699                 struct inode_security_struct *isec;
3700                 struct task_security_struct *tsec;
3701                 struct avc_audit_data ad;
3702                 struct sockaddr_in *addr4 = NULL;
3703                 struct sockaddr_in6 *addr6 = NULL;
3704                 unsigned short snum;
3705                 struct sock *sk = sock->sk;
3706                 u32 sid, node_perm;
3707
3708                 tsec = current->security;
3709                 isec = SOCK_INODE(sock)->i_security;
3710
3711                 if (family == PF_INET) {
3712                         addr4 = (struct sockaddr_in *)address;
3713                         snum = ntohs(addr4->sin_port);
3714                         addrp = (char *)&addr4->sin_addr.s_addr;
3715                 } else {
3716                         addr6 = (struct sockaddr_in6 *)address;
3717                         snum = ntohs(addr6->sin6_port);
3718                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3719                 }
3720
3721                 if (snum) {
3722                         int low, high;
3723
3724                         inet_get_local_port_range(&low, &high);
3725
3726                         if (snum < max(PROT_SOCK, low) || snum > high) {
3727                                 err = sel_netport_sid(sk->sk_protocol,
3728                                                       snum, &sid);
3729                                 if (err)
3730                                         goto out;
3731                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3732                                 ad.u.net.sport = htons(snum);
3733                                 ad.u.net.family = family;
3734                                 err = avc_has_perm(isec->sid, sid,
3735                                                    isec->sclass,
3736                                                    SOCKET__NAME_BIND, &ad);
3737                                 if (err)
3738                                         goto out;
3739                         }
3740                 }
3741
3742                 switch (isec->sclass) {
3743                 case SECCLASS_TCP_SOCKET:
3744                         node_perm = TCP_SOCKET__NODE_BIND;
3745                         break;
3746
3747                 case SECCLASS_UDP_SOCKET:
3748                         node_perm = UDP_SOCKET__NODE_BIND;
3749                         break;
3750
3751                 case SECCLASS_DCCP_SOCKET:
3752                         node_perm = DCCP_SOCKET__NODE_BIND;
3753                         break;
3754
3755                 default:
3756                         node_perm = RAWIP_SOCKET__NODE_BIND;
3757                         break;
3758                 }
3759
3760                 err = sel_netnode_sid(addrp, family, &sid);
3761                 if (err)
3762                         goto out;
3763
3764                 AVC_AUDIT_DATA_INIT(&ad, NET);
3765                 ad.u.net.sport = htons(snum);
3766                 ad.u.net.family = family;
3767
3768                 if (family == PF_INET)
3769                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3770                 else
3771                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3772
3773                 err = avc_has_perm(isec->sid, sid,
3774                                    isec->sclass, node_perm, &ad);
3775                 if (err)
3776                         goto out;
3777         }
3778 out:
3779         return err;
3780 }
3781
3782 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3783 {
3784         struct inode_security_struct *isec;
3785         int err;
3786
3787         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3788         if (err)
3789                 return err;
3790
3791         /*
3792          * If a TCP or DCCP socket, check name_connect permission for the port.
3793          */
3794         isec = SOCK_INODE(sock)->i_security;
3795         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3796             isec->sclass == SECCLASS_DCCP_SOCKET) {
3797                 struct sock *sk = sock->sk;
3798                 struct avc_audit_data ad;
3799                 struct sockaddr_in *addr4 = NULL;
3800                 struct sockaddr_in6 *addr6 = NULL;
3801                 unsigned short snum;
3802                 u32 sid, perm;
3803
3804                 if (sk->sk_family == PF_INET) {
3805                         addr4 = (struct sockaddr_in *)address;
3806                         if (addrlen < sizeof(struct sockaddr_in))
3807                                 return -EINVAL;
3808                         snum = ntohs(addr4->sin_port);
3809                 } else {
3810                         addr6 = (struct sockaddr_in6 *)address;
3811                         if (addrlen < SIN6_LEN_RFC2133)
3812                                 return -EINVAL;
3813                         snum = ntohs(addr6->sin6_port);
3814                 }
3815
3816                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3817                 if (err)
3818                         goto out;
3819
3820                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3821                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3822
3823                 AVC_AUDIT_DATA_INIT(&ad, NET);
3824                 ad.u.net.dport = htons(snum);
3825                 ad.u.net.family = sk->sk_family;
3826                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3827                 if (err)
3828                         goto out;
3829         }
3830
3831 out:
3832         return err;
3833 }
3834
3835 static int selinux_socket_listen(struct socket *sock, int backlog)
3836 {
3837         return socket_has_perm(current, sock, SOCKET__LISTEN);
3838 }
3839
3840 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3841 {
3842         int err;
3843         struct inode_security_struct *isec;
3844         struct inode_security_struct *newisec;
3845
3846         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3847         if (err)
3848                 return err;
3849
3850         newisec = SOCK_INODE(newsock)->i_security;
3851
3852         isec = SOCK_INODE(sock)->i_security;
3853         newisec->sclass = isec->sclass;
3854         newisec->sid = isec->sid;
3855         newisec->initialized = 1;
3856
3857         return 0;
3858 }
3859
3860 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3861                                   int size)
3862 {
3863         int rc;
3864
3865         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3866         if (rc)
3867                 return rc;
3868
3869         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3870 }
3871
3872 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3873                                   int size, int flags)
3874 {
3875         return socket_has_perm(current, sock, SOCKET__READ);
3876 }
3877
3878 static int selinux_socket_getsockname(struct socket *sock)
3879 {
3880         return socket_has_perm(current, sock, SOCKET__GETATTR);
3881 }
3882
3883 static int selinux_socket_getpeername(struct socket *sock)
3884 {
3885         return socket_has_perm(current, sock, SOCKET__GETATTR);
3886 }
3887
3888 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3889 {
3890         int err;
3891
3892         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3893         if (err)
3894                 return err;
3895
3896         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3897 }
3898
3899 static int selinux_socket_getsockopt(struct socket *sock, int level,
3900                                      int optname)
3901 {
3902         return socket_has_perm(current, sock, SOCKET__GETOPT);
3903 }
3904
3905 static int selinux_socket_shutdown(struct socket *sock, int how)
3906 {
3907         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3908 }
3909
3910 static int selinux_socket_unix_stream_connect(struct socket *sock,
3911                                               struct socket *other,
3912                                               struct sock *newsk)
3913 {
3914         struct sk_security_struct *ssec;
3915         struct inode_security_struct *isec;
3916         struct inode_security_struct *other_isec;
3917         struct avc_audit_data ad;
3918         int err;
3919
3920         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3921         if (err)
3922                 return err;
3923
3924         isec = SOCK_INODE(sock)->i_security;
3925         other_isec = SOCK_INODE(other)->i_security;
3926
3927         AVC_AUDIT_DATA_INIT(&ad, NET);
3928         ad.u.net.sk = other->sk;
3929
3930         err = avc_has_perm(isec->sid, other_isec->sid,
3931                            isec->sclass,
3932                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3933         if (err)
3934                 return err;
3935
3936         /* connecting socket */
3937         ssec = sock->sk->sk_security;
3938         ssec->peer_sid = other_isec->sid;
3939
3940         /* server child socket */
3941         ssec = newsk->sk_security;
3942         ssec->peer_sid = isec->sid;
3943         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3944
3945         return err;
3946 }
3947
3948 static int selinux_socket_unix_may_send(struct socket *sock,
3949                                         struct socket *other)
3950 {
3951         struct inode_security_struct *isec;
3952         struct inode_security_struct *other_isec;
3953         struct avc_audit_data ad;
3954         int err;
3955
3956         isec = SOCK_INODE(sock)->i_security;
3957         other_isec = SOCK_INODE(other)->i_security;
3958
3959         AVC_AUDIT_DATA_INIT(&ad, NET);
3960         ad.u.net.sk = other->sk;
3961
3962         err = avc_has_perm(isec->sid, other_isec->sid,
3963                            isec->sclass, SOCKET__SENDTO, &ad);
3964         if (err)
3965                 return err;
3966
3967         return 0;
3968 }
3969
3970 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3971                                     u32 peer_sid,
3972                                     struct avc_audit_data *ad)
3973 {
3974         int err;
3975         u32 if_sid;
3976         u32 node_sid;
3977
3978         err = sel_netif_sid(ifindex, &if_sid);
3979         if (err)
3980                 return err;
3981         err = avc_has_perm(peer_sid, if_sid,
3982                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3983         if (err)
3984                 return err;
3985
3986         err = sel_netnode_sid(addrp, family, &node_sid);
3987         if (err)
3988                 return err;
3989         return avc_has_perm(peer_sid, node_sid,
3990                             SECCLASS_NODE, NODE__RECVFROM, ad);
3991 }
3992
3993 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3994                                                 struct sk_buff *skb,
3995                                                 struct avc_audit_data *ad,
3996                                                 u16 family,
3997                                                 char *addrp)
3998 {
3999         int err;
4000         struct sk_security_struct *sksec = sk->sk_security;
4001         u16 sk_class;
4002         u32 netif_perm, node_perm, recv_perm;
4003         u32 port_sid, node_sid, if_sid, sk_sid;
4004
4005         sk_sid = sksec->sid;
4006         sk_class = sksec->sclass;
4007
4008         switch (sk_class) {
4009         case SECCLASS_UDP_SOCKET:
4010                 netif_perm = NETIF__UDP_RECV;
4011                 node_perm = NODE__UDP_RECV;
4012                 recv_perm = UDP_SOCKET__RECV_MSG;
4013                 break;
4014         case SECCLASS_TCP_SOCKET:
4015                 netif_perm = NETIF__TCP_RECV;
4016                 node_perm = NODE__TCP_RECV;
4017                 recv_perm = TCP_SOCKET__RECV_MSG;
4018                 break;
4019         case SECCLASS_DCCP_SOCKET:
4020                 netif_perm = NETIF__DCCP_RECV;
4021                 node_perm = NODE__DCCP_RECV;
4022                 recv_perm = DCCP_SOCKET__RECV_MSG;
4023                 break;
4024         default:
4025                 netif_perm = NETIF__RAWIP_RECV;
4026                 node_perm = NODE__RAWIP_RECV;
4027                 recv_perm = 0;
4028                 break;
4029         }
4030
4031         err = sel_netif_sid(skb->iif, &if_sid);
4032         if (err)
4033                 return err;
4034         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4035         if (err)
4036                 return err;
4037
4038         err = sel_netnode_sid(addrp, family, &node_sid);
4039         if (err)
4040                 return err;
4041         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4042         if (err)
4043                 return err;
4044
4045         if (!recv_perm)
4046                 return 0;
4047         err = sel_netport_sid(sk->sk_protocol,
4048                               ntohs(ad->u.net.sport), &port_sid);
4049         if (unlikely(err)) {
4050                 printk(KERN_WARNING
4051                        "SELinux: failure in"
4052                        " selinux_sock_rcv_skb_iptables_compat(),"
4053                        " network port label not found\n");
4054                 return err;
4055         }
4056         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4057 }
4058
4059 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4060                                        struct avc_audit_data *ad,
4061                                        u16 family, char *addrp)
4062 {
4063         int err;
4064         struct sk_security_struct *sksec = sk->sk_security;
4065         u32 peer_sid;
4066         u32 sk_sid = sksec->sid;
4067
4068         if (selinux_compat_net)
4069                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4070                                                            family, addrp);
4071         else
4072                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4073                                    PACKET__RECV, ad);
4074         if (err)
4075                 return err;
4076
4077         if (selinux_policycap_netpeer) {
4078                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4079                 if (err)
4080                         return err;
4081                 err = avc_has_perm(sk_sid, peer_sid,
4082                                    SECCLASS_PEER, PEER__RECV, ad);
4083         } else {
4084                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4085                 if (err)
4086                         return err;
4087                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4088         }
4089
4090         return err;
4091 }
4092
4093 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4094 {
4095         int err;
4096         struct sk_security_struct *sksec = sk->sk_security;
4097         u16 family = sk->sk_family;
4098         u32 sk_sid = sksec->sid;
4099         struct avc_audit_data ad;
4100         char *addrp;
4101
4102         if (family != PF_INET && family != PF_INET6)
4103                 return 0;
4104
4105         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4106         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4107                 family = PF_INET;
4108
4109         AVC_AUDIT_DATA_INIT(&ad, NET);
4110         ad.u.net.netif = skb->iif;
4111         ad.u.net.family = family;
4112         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4113         if (err)
4114                 return err;
4115
4116         /* If any sort of compatibility mode is enabled then handoff processing
4117          * to the selinux_sock_rcv_skb_compat() function to deal with the
4118          * special handling.  We do this in an attempt to keep this function
4119          * as fast and as clean as possible. */
4120         if (selinux_compat_net || !selinux_policycap_netpeer)
4121                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4122                                                    family, addrp);
4123
4124         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4125                 u32 peer_sid;
4126
4127                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4128                 if (err)
4129                         return err;
4130                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4131                                                peer_sid, &ad);
4132                 if (err)
4133                         return err;
4134                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4135                                    PEER__RECV, &ad);
4136         }
4137
4138         if (selinux_secmark_enabled()) {
4139                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4140                                    PACKET__RECV, &ad);
4141                 if (err)
4142                         return err;
4143         }
4144
4145         return err;
4146 }
4147
4148 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4149                                             int __user *optlen, unsigned len)
4150 {
4151         int err = 0;
4152         char *scontext;
4153         u32 scontext_len;
4154         struct sk_security_struct *ssec;
4155         struct inode_security_struct *isec;
4156         u32 peer_sid = SECSID_NULL;
4157
4158         isec = SOCK_INODE(sock)->i_security;
4159
4160         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4161             isec->sclass == SECCLASS_TCP_SOCKET) {
4162                 ssec = sock->sk->sk_security;
4163                 peer_sid = ssec->peer_sid;
4164         }
4165         if (peer_sid == SECSID_NULL) {
4166                 err = -ENOPROTOOPT;
4167                 goto out;
4168         }
4169
4170         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4171
4172         if (err)
4173                 goto out;
4174
4175         if (scontext_len > len) {
4176                 err = -ERANGE;
4177                 goto out_len;
4178         }
4179
4180         if (copy_to_user(optval, scontext, scontext_len))
4181                 err = -EFAULT;
4182
4183 out_len:
4184         if (put_user(scontext_len, optlen))
4185                 err = -EFAULT;
4186
4187         kfree(scontext);
4188 out:
4189         return err;
4190 }
4191
4192 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4193 {
4194         u32 peer_secid = SECSID_NULL;
4195         u16 family;
4196
4197         if (sock)
4198                 family = sock->sk->sk_family;
4199         else if (skb && skb->sk)
4200                 family = skb->sk->sk_family;
4201         else
4202                 goto out;
4203
4204         if (sock && family == PF_UNIX)
4205                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4206         else if (skb)
4207                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4208
4209 out:
4210         *secid = peer_secid;
4211         if (peer_secid == SECSID_NULL)
4212                 return -EINVAL;
4213         return 0;
4214 }
4215
4216 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4217 {
4218         return sk_alloc_security(sk, family, priority);
4219 }
4220
4221 static void selinux_sk_free_security(struct sock *sk)
4222 {
4223         sk_free_security(sk);
4224 }
4225
4226 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4227 {
4228         struct sk_security_struct *ssec = sk->sk_security;
4229         struct sk_security_struct *newssec = newsk->sk_security;
4230
4231         newssec->sid = ssec->sid;
4232         newssec->peer_sid = ssec->peer_sid;
4233         newssec->sclass = ssec->sclass;
4234
4235         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4236 }
4237
4238 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4239 {
4240         if (!sk)
4241                 *secid = SECINITSID_ANY_SOCKET;
4242         else {
4243                 struct sk_security_struct *sksec = sk->sk_security;
4244
4245                 *secid = sksec->sid;
4246         }
4247 }
4248
4249 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4250 {
4251         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4252         struct sk_security_struct *sksec = sk->sk_security;
4253
4254         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4255             sk->sk_family == PF_UNIX)
4256                 isec->sid = sksec->sid;
4257         sksec->sclass = isec->sclass;
4258
4259         selinux_netlbl_sock_graft(sk, parent);
4260 }
4261
4262 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4263                                      struct request_sock *req)
4264 {
4265         struct sk_security_struct *sksec = sk->sk_security;
4266         int err;
4267         u32 newsid;
4268         u32 peersid;
4269
4270         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4271         if (err)
4272                 return err;
4273         if (peersid == SECSID_NULL) {
4274                 req->secid = sksec->sid;
4275                 req->peer_secid = SECSID_NULL;
4276                 return 0;
4277         }
4278
4279         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4280         if (err)
4281                 return err;
4282
4283         req->secid = newsid;
4284         req->peer_secid = peersid;
4285         return 0;
4286 }
4287
4288 static void selinux_inet_csk_clone(struct sock *newsk,
4289                                    const struct request_sock *req)
4290 {
4291         struct sk_security_struct *newsksec = newsk->sk_security;
4292
4293         newsksec->sid = req->secid;
4294         newsksec->peer_sid = req->peer_secid;
4295         /* NOTE: Ideally, we should also get the isec->sid for the
4296            new socket in sync, but we don't have the isec available yet.
4297            So we will wait until sock_graft to do it, by which
4298            time it will have been created and available. */
4299
4300         /* We don't need to take any sort of lock here as we are the only
4301          * thread with access to newsksec */
4302         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4303 }
4304
4305 static void selinux_inet_conn_established(struct sock *sk,
4306                                 struct sk_buff *skb)
4307 {
4308         struct sk_security_struct *sksec = sk->sk_security;
4309
4310         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4311 }
4312
4313 static void selinux_req_classify_flow(const struct request_sock *req,
4314                                       struct flowi *fl)
4315 {
4316         fl->secid = req->secid;
4317 }
4318
4319 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4320 {
4321         int err = 0;
4322         u32 perm;
4323         struct nlmsghdr *nlh;
4324         struct socket *sock = sk->sk_socket;
4325         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4326
4327         if (skb->len < NLMSG_SPACE(0)) {
4328                 err = -EINVAL;
4329                 goto out;
4330         }
4331         nlh = nlmsg_hdr(skb);
4332
4333         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4334         if (err) {
4335                 if (err == -EINVAL) {
4336                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4337                                   "SELinux:  unrecognized netlink message"
4338                                   " type=%hu for sclass=%hu\n",
4339                                   nlh->nlmsg_type, isec->sclass);
4340                         if (!selinux_enforcing)
4341                                 err = 0;
4342                 }
4343
4344                 /* Ignore */
4345                 if (err == -ENOENT)
4346                         err = 0;
4347                 goto out;
4348         }
4349
4350         err = socket_has_perm(current, sock, perm);
4351 out:
4352         return err;
4353 }
4354
4355 #ifdef CONFIG_NETFILTER
4356
4357 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4358                                        u16 family)
4359 {
4360         char *addrp;
4361         u32 peer_sid;
4362         struct avc_audit_data ad;
4363         u8 secmark_active;
4364         u8 peerlbl_active;
4365
4366         if (!selinux_policycap_netpeer)
4367                 return NF_ACCEPT;
4368
4369         secmark_active = selinux_secmark_enabled();
4370         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4371         if (!secmark_active && !peerlbl_active)
4372                 return NF_ACCEPT;
4373
4374         AVC_AUDIT_DATA_INIT(&ad, NET);
4375         ad.u.net.netif = ifindex;
4376         ad.u.net.family = family;
4377         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4378                 return NF_DROP;
4379
4380         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4381                 return NF_DROP;
4382
4383         if (peerlbl_active)
4384                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4385                                              peer_sid, &ad) != 0)
4386                         return NF_DROP;
4387
4388         if (secmark_active)
4389                 if (avc_has_perm(peer_sid, skb->secmark,
4390                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4391                         return NF_DROP;
4392
4393         return NF_ACCEPT;
4394 }
4395
4396 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4397                                          struct sk_buff *skb,
4398                                          const struct net_device *in,
4399                                          const struct net_device *out,
4400                                          int (*okfn)(struct sk_buff *))
4401 {
4402         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4403 }
4404
4405 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4406 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4407                                          struct sk_buff *skb,
4408                                          const struct net_device *in,
4409                                          const struct net_device *out,
4410                                          int (*okfn)(struct sk_buff *))
4411 {
4412         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4413 }
4414 #endif  /* IPV6 */
4415
4416 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4417                                                 int ifindex,
4418                                                 struct avc_audit_data *ad,
4419                                                 u16 family, char *addrp)
4420 {
4421         int err;
4422         struct sk_security_struct *sksec = sk->sk_security;
4423         u16 sk_class;
4424         u32 netif_perm, node_perm, send_perm;
4425         u32 port_sid, node_sid, if_sid, sk_sid;
4426
4427         sk_sid = sksec->sid;
4428         sk_class = sksec->sclass;
4429
4430         switch (sk_class) {
4431         case SECCLASS_UDP_SOCKET:
4432                 netif_perm = NETIF__UDP_SEND;
4433                 node_perm = NODE__UDP_SEND;
4434                 send_perm = UDP_SOCKET__SEND_MSG;
4435                 break;
4436         case SECCLASS_TCP_SOCKET:
4437                 netif_perm = NETIF__TCP_SEND;
4438                 node_perm = NODE__TCP_SEND;
4439                 send_perm = TCP_SOCKET__SEND_MSG;
4440                 break;
4441         case SECCLASS_DCCP_SOCKET:
4442                 netif_perm = NETIF__DCCP_SEND;
4443                 node_perm = NODE__DCCP_SEND;
4444                 send_perm = DCCP_SOCKET__SEND_MSG;
4445                 break;
4446         default:
4447                 netif_perm = NETIF__RAWIP_SEND;
4448                 node_perm = NODE__RAWIP_SEND;
4449                 send_perm = 0;
4450                 break;
4451         }
4452
4453         err = sel_netif_sid(ifindex, &if_sid);
4454         if (err)
4455                 return err;
4456         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4457                 return err;
4458
4459         err = sel_netnode_sid(addrp, family, &node_sid);
4460         if (err)
4461                 return err;
4462         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4463         if (err)
4464                 return err;
4465
4466         if (send_perm != 0)
4467                 return 0;
4468
4469         err = sel_netport_sid(sk->sk_protocol,
4470                               ntohs(ad->u.net.dport), &port_sid);
4471         if (unlikely(err)) {
4472                 printk(KERN_WARNING
4473                        "SELinux: failure in"
4474                        " selinux_ip_postroute_iptables_compat(),"
4475                        " network port label not found\n");
4476                 return err;
4477         }
4478         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4479 }
4480
4481 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4482                                                 int ifindex,
4483                                                 struct avc_audit_data *ad,
4484                                                 u16 family,
4485                                                 char *addrp,
4486                                                 u8 proto)
4487 {
4488         struct sock *sk = skb->sk;
4489         struct sk_security_struct *sksec;
4490
4491         if (sk == NULL)
4492                 return NF_ACCEPT;
4493         sksec = sk->sk_security;
4494
4495         if (selinux_compat_net) {
4496                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4497                                                          ad, family, addrp))
4498                         return NF_DROP;
4499         } else {
4500                 if (avc_has_perm(sksec->sid, skb->secmark,
4501                                  SECCLASS_PACKET, PACKET__SEND, ad))
4502                         return NF_DROP;
4503         }
4504
4505         if (selinux_policycap_netpeer)
4506                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4507                         return NF_DROP;
4508
4509         return NF_ACCEPT;
4510 }
4511
4512 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4513                                          u16 family)
4514 {
4515         u32 secmark_perm;
4516         u32 peer_sid;
4517         struct sock *sk;
4518         struct avc_audit_data ad;
4519         char *addrp;
4520         u8 proto;
4521         u8 secmark_active;
4522         u8 peerlbl_active;
4523
4524         AVC_AUDIT_DATA_INIT(&ad, NET);
4525         ad.u.net.netif = ifindex;
4526         ad.u.net.family = family;
4527         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4528                 return NF_DROP;
4529
4530         /* If any sort of compatibility mode is enabled then handoff processing
4531          * to the selinux_ip_postroute_compat() function to deal with the
4532          * special handling.  We do this in an attempt to keep this function
4533          * as fast and as clean as possible. */
4534         if (selinux_compat_net || !selinux_policycap_netpeer)
4535                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4536                                                    family, addrp, proto);
4537
4538         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4539          * packet transformation so allow the packet to pass without any checks
4540          * since we'll have another chance to perform access control checks
4541          * when the packet is on it's final way out.
4542          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4543          *       is NULL, in this case go ahead and apply access control. */
4544         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4545                 return NF_ACCEPT;
4546
4547         secmark_active = selinux_secmark_enabled();
4548         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4549         if (!secmark_active && !peerlbl_active)
4550                 return NF_ACCEPT;
4551
4552         /* if the packet is locally generated (skb->sk != NULL) then use the
4553          * socket's label as the peer label, otherwise the packet is being
4554          * forwarded through this system and we need to fetch the peer label
4555          * directly from the packet */
4556         sk = skb->sk;
4557         if (sk) {
4558                 struct sk_security_struct *sksec = sk->sk_security;
4559                 peer_sid = sksec->sid;
4560                 secmark_perm = PACKET__SEND;
4561         } else {
4562                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4563                                 return NF_DROP;
4564                 secmark_perm = PACKET__FORWARD_OUT;
4565         }
4566
4567         if (secmark_active)
4568                 if (avc_has_perm(peer_sid, skb->secmark,
4569                                  SECCLASS_PACKET, secmark_perm, &ad))
4570                         return NF_DROP;
4571
4572         if (peerlbl_active) {
4573                 u32 if_sid;
4574                 u32 node_sid;
4575
4576                 if (sel_netif_sid(ifindex, &if_sid))
4577                         return NF_DROP;
4578                 if (avc_has_perm(peer_sid, if_sid,
4579                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4580                         return NF_DROP;
4581
4582                 if (sel_netnode_sid(addrp, family, &node_sid))
4583                         return NF_DROP;
4584                 if (avc_has_perm(peer_sid, node_sid,
4585                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4586                         return NF_DROP;
4587         }
4588
4589         return NF_ACCEPT;
4590 }
4591
4592 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4593                                            struct sk_buff *skb,
4594                                            const struct net_device *in,
4595                                            const struct net_device *out,
4596                                            int (*okfn)(struct sk_buff *))
4597 {
4598         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4599 }
4600
4601 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4602 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4603                                            struct sk_buff *skb,
4604                                            const struct net_device *in,
4605                                            const struct net_device *out,
4606                                            int (*okfn)(struct sk_buff *))
4607 {
4608         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4609 }
4610 #endif  /* IPV6 */
4611
4612 #endif  /* CONFIG_NETFILTER */
4613
4614 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4615 {
4616         int err;
4617
4618         err = secondary_ops->netlink_send(sk, skb);
4619         if (err)
4620                 return err;
4621
4622         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4623                 err = selinux_nlmsg_perm(sk, skb);
4624
4625         return err;
4626 }
4627
4628 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4629 {
4630         int err;
4631         struct avc_audit_data ad;
4632
4633         err = secondary_ops->netlink_recv(skb, capability);
4634         if (err)
4635                 return err;
4636
4637         AVC_AUDIT_DATA_INIT(&ad, CAP);
4638         ad.u.cap = capability;
4639
4640         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4641                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4642 }
4643
4644 static int ipc_alloc_security(struct task_struct *task,
4645                               struct kern_ipc_perm *perm,
4646                               u16 sclass)
4647 {
4648         struct task_security_struct *tsec = task->security;
4649         struct ipc_security_struct *isec;
4650
4651         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4652         if (!isec)
4653                 return -ENOMEM;
4654
4655         isec->sclass = sclass;
4656         isec->sid = tsec->sid;
4657         perm->security = isec;
4658
4659         return 0;
4660 }
4661
4662 static void ipc_free_security(struct kern_ipc_perm *perm)
4663 {
4664         struct ipc_security_struct *isec = perm->security;
4665         perm->security = NULL;
4666         kfree(isec);
4667 }
4668
4669 static int msg_msg_alloc_security(struct msg_msg *msg)
4670 {
4671         struct msg_security_struct *msec;
4672
4673         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4674         if (!msec)
4675                 return -ENOMEM;
4676
4677         msec->sid = SECINITSID_UNLABELED;
4678         msg->security = msec;
4679
4680         return 0;
4681 }
4682
4683 static void msg_msg_free_security(struct msg_msg *msg)
4684 {
4685         struct msg_security_struct *msec = msg->security;
4686
4687         msg->security = NULL;
4688         kfree(msec);
4689 }
4690
4691 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4692                         u32 perms)
4693 {
4694         struct task_security_struct *tsec;
4695         struct ipc_security_struct *isec;
4696         struct avc_audit_data ad;
4697
4698         tsec = current->security;
4699         isec = ipc_perms->security;
4700
4701         AVC_AUDIT_DATA_INIT(&ad, IPC);
4702         ad.u.ipc_id = ipc_perms->key;
4703
4704         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4705 }
4706
4707 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4708 {
4709         return msg_msg_alloc_security(msg);
4710 }
4711
4712 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4713 {
4714         msg_msg_free_security(msg);
4715 }
4716
4717 /* message queue security operations */
4718 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4719 {
4720         struct task_security_struct *tsec;
4721         struct ipc_security_struct *isec;
4722         struct avc_audit_data ad;
4723         int rc;
4724
4725         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4726         if (rc)
4727                 return rc;
4728
4729         tsec = current->security;
4730         isec = msq->q_perm.security;
4731
4732         AVC_AUDIT_DATA_INIT(&ad, IPC);
4733         ad.u.ipc_id = msq->q_perm.key;
4734
4735         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4736                           MSGQ__CREATE, &ad);
4737         if (rc) {
4738                 ipc_free_security(&msq->q_perm);
4739                 return rc;
4740         }
4741         return 0;
4742 }
4743
4744 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4745 {
4746         ipc_free_security(&msq->q_perm);
4747 }
4748
4749 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4750 {
4751         struct task_security_struct *tsec;
4752         struct ipc_security_struct *isec;
4753         struct avc_audit_data ad;
4754
4755         tsec = current->security;
4756         isec = msq->q_perm.security;
4757
4758         AVC_AUDIT_DATA_INIT(&ad, IPC);
4759         ad.u.ipc_id = msq->q_perm.key;
4760
4761         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4762                             MSGQ__ASSOCIATE, &ad);
4763 }
4764
4765 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4766 {
4767         int err;
4768         int perms;
4769
4770         switch (cmd) {
4771         case IPC_INFO:
4772         case MSG_INFO:
4773                 /* No specific object, just general system-wide information. */
4774                 return task_has_system(current, SYSTEM__IPC_INFO);
4775         case IPC_STAT:
4776         case MSG_STAT:
4777                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4778                 break;
4779         case IPC_SET:
4780                 perms = MSGQ__SETATTR;
4781                 break;
4782         case IPC_RMID:
4783                 perms = MSGQ__DESTROY;
4784                 break;
4785         default:
4786                 return 0;
4787         }
4788
4789         err = ipc_has_perm(&msq->q_perm, perms);
4790         return err;
4791 }
4792
4793 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4794 {
4795         struct task_security_struct *tsec;
4796         struct ipc_security_struct *isec;
4797         struct msg_security_struct *msec;
4798         struct avc_audit_data ad;
4799         int rc;
4800
4801         tsec = current->security;
4802         isec = msq->q_perm.security;
4803         msec = msg->security;
4804
4805         /*
4806          * First time through, need to assign label to the message
4807          */
4808         if (msec->sid == SECINITSID_UNLABELED) {
4809                 /*
4810                  * Compute new sid based on current process and
4811                  * message queue this message will be stored in
4812                  */
4813                 rc = security_transition_sid(tsec->sid,
4814                                              isec->sid,
4815                                              SECCLASS_MSG,
4816                                              &msec->sid);
4817                 if (rc)
4818                         return rc;
4819         }
4820
4821         AVC_AUDIT_DATA_INIT(&ad, IPC);
4822         ad.u.ipc_id = msq->q_perm.key;
4823
4824         /* Can this process write to the queue? */
4825         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4826                           MSGQ__WRITE, &ad);
4827         if (!rc)
4828                 /* Can this process send the message */
4829                 rc = avc_has_perm(tsec->sid, msec->sid,
4830                                   SECCLASS_MSG, MSG__SEND, &ad);
4831         if (!rc)
4832                 /* Can the message be put in the queue? */
4833                 rc = avc_has_perm(msec->sid, isec->sid,
4834                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4835
4836         return rc;
4837 }
4838
4839 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4840                                     struct task_struct *target,
4841                                     long type, int mode)
4842 {
4843         struct task_security_struct *tsec;
4844         struct ipc_security_struct *isec;
4845         struct msg_security_struct *msec;
4846         struct avc_audit_data ad;
4847         int rc;
4848
4849         tsec = target->security;
4850         isec = msq->q_perm.security;
4851         msec = msg->security;
4852
4853         AVC_AUDIT_DATA_INIT(&ad, IPC);
4854         ad.u.ipc_id = msq->q_perm.key;
4855
4856         rc = avc_has_perm(tsec->sid, isec->sid,
4857                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4858         if (!rc)
4859                 rc = avc_has_perm(tsec->sid, msec->sid,
4860                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4861         return rc;
4862 }
4863
4864 /* Shared Memory security operations */
4865 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4866 {
4867         struct task_security_struct *tsec;
4868         struct ipc_security_struct *isec;
4869         struct avc_audit_data ad;
4870         int rc;
4871
4872         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4873         if (rc)
4874                 return rc;
4875
4876         tsec = current->security;
4877         isec = shp->shm_perm.security;
4878
4879         AVC_AUDIT_DATA_INIT(&ad, IPC);
4880         ad.u.ipc_id = shp->shm_perm.key;
4881
4882         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4883                           SHM__CREATE, &ad);
4884         if (rc) {
4885                 ipc_free_security(&shp->shm_perm);
4886                 return rc;
4887         }
4888         return 0;
4889 }
4890
4891 static void selinux_shm_free_security(struct shmid_kernel *shp)
4892 {
4893         ipc_free_security(&shp->shm_perm);
4894 }
4895
4896 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4897 {
4898         struct task_security_struct *tsec;
4899         struct ipc_security_struct *isec;
4900         struct avc_audit_data ad;
4901
4902         tsec = current->security;
4903         isec = shp->shm_perm.security;
4904
4905         AVC_AUDIT_DATA_INIT(&ad, IPC);
4906         ad.u.ipc_id = shp->shm_perm.key;
4907
4908         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4909                             SHM__ASSOCIATE, &ad);
4910 }
4911
4912 /* Note, at this point, shp is locked down */
4913 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4914 {
4915         int perms;
4916         int err;
4917
4918         switch (cmd) {
4919         case IPC_INFO:
4920         case SHM_INFO:
4921                 /* No specific object, just general system-wide information. */
4922                 return task_has_system(current, SYSTEM__IPC_INFO);
4923         case IPC_STAT:
4924         case SHM_STAT:
4925                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4926                 break;
4927         case IPC_SET:
4928                 perms = SHM__SETATTR;
4929                 break;
4930         case SHM_LOCK:
4931         case SHM_UNLOCK:
4932                 perms = SHM__LOCK;
4933                 break;
4934         case IPC_RMID:
4935                 perms = SHM__DESTROY;
4936                 break;
4937         default:
4938                 return 0;
4939         }
4940
4941         err = ipc_has_perm(&shp->shm_perm, perms);
4942         return err;
4943 }
4944
4945 static int selinux_shm_shmat(struct shmid_kernel *shp,
4946                              char __user *shmaddr, int shmflg)
4947 {
4948         u32 perms;
4949         int rc;
4950
4951         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4952         if (rc)
4953                 return rc;
4954
4955         if (shmflg & SHM_RDONLY)
4956                 perms = SHM__READ;
4957         else
4958                 perms = SHM__READ | SHM__WRITE;
4959
4960         return ipc_has_perm(&shp->shm_perm, perms);
4961 }
4962
4963 /* Semaphore security operations */
4964 static int selinux_sem_alloc_security(struct sem_array *sma)
4965 {
4966         struct task_security_struct *tsec;
4967         struct ipc_security_struct *isec;
4968         struct avc_audit_data ad;
4969         int rc;
4970
4971         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4972         if (rc)
4973                 return rc;
4974
4975         tsec = current->security;
4976         isec = sma->sem_perm.security;
4977
4978         AVC_AUDIT_DATA_INIT(&ad, IPC);
4979         ad.u.ipc_id = sma->sem_perm.key;
4980
4981         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4982                           SEM__CREATE, &ad);
4983         if (rc) {
4984                 ipc_free_security(&sma->sem_perm);
4985                 return rc;
4986         }
4987         return 0;
4988 }
4989
4990 static void selinux_sem_free_security(struct sem_array *sma)
4991 {
4992         ipc_free_security(&sma->sem_perm);
4993 }
4994
4995 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4996 {
4997         struct task_security_struct *tsec;
4998         struct ipc_security_struct *isec;
4999         struct avc_audit_data ad;
5000
5001         tsec = current->security;
5002         isec = sma->sem_perm.security;
5003
5004         AVC_AUDIT_DATA_INIT(&ad, IPC);
5005         ad.u.ipc_id = sma->sem_perm.key;
5006
5007         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5008                             SEM__ASSOCIATE, &ad);
5009 }
5010
5011 /* Note, at this point, sma is locked down */
5012 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5013 {
5014         int err;
5015         u32 perms;
5016
5017         switch (cmd) {
5018         case IPC_INFO:
5019         case SEM_INFO:
5020                 /* No specific object, just general system-wide information. */
5021                 return task_has_system(current, SYSTEM__IPC_INFO);
5022         case GETPID:
5023         case GETNCNT:
5024         case GETZCNT:
5025                 perms = SEM__GETATTR;
5026                 break;
5027         case GETVAL:
5028         case GETALL:
5029                 perms = SEM__READ;
5030                 break;
5031         case SETVAL:
5032         case SETALL:
5033                 perms = SEM__WRITE;
5034                 break;
5035         case IPC_RMID:
5036                 perms = SEM__DESTROY;
5037                 break;
5038         case IPC_SET:
5039                 perms = SEM__SETATTR;
5040                 break;
5041         case IPC_STAT:
5042         case SEM_STAT:
5043                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5044                 break;
5045         default:
5046                 return 0;
5047         }
5048
5049         err = ipc_has_perm(&sma->sem_perm, perms);
5050         return err;
5051 }
5052
5053 static int selinux_sem_semop(struct sem_array *sma,
5054                              struct sembuf *sops, unsigned nsops, int alter)
5055 {
5056         u32 perms;
5057
5058         if (alter)
5059                 perms = SEM__READ | SEM__WRITE;
5060         else
5061                 perms = SEM__READ;
5062
5063         return ipc_has_perm(&sma->sem_perm, perms);
5064 }
5065
5066 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5067 {
5068         u32 av = 0;
5069
5070         av = 0;
5071         if (flag & S_IRUGO)
5072                 av |= IPC__UNIX_READ;
5073         if (flag & S_IWUGO)
5074                 av |= IPC__UNIX_WRITE;
5075
5076         if (av == 0)
5077                 return 0;
5078
5079         return ipc_has_perm(ipcp, av);
5080 }
5081
5082 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5083 {
5084         struct ipc_security_struct *isec = ipcp->security;
5085         *secid = isec->sid;
5086 }
5087
5088 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5089 {
5090         if (inode)
5091                 inode_doinit_with_dentry(inode, dentry);
5092 }
5093
5094 static int selinux_getprocattr(struct task_struct *p,
5095                                char *name, char **value)
5096 {
5097         struct task_security_struct *tsec;
5098         u32 sid;
5099         int error;
5100         unsigned len;
5101
5102         if (current != p) {
5103                 error = task_has_perm(current, p, PROCESS__GETATTR);
5104                 if (error)
5105                         return error;
5106         }
5107
5108         tsec = p->security;
5109
5110         if (!strcmp(name, "current"))
5111                 sid = tsec->sid;
5112         else if (!strcmp(name, "prev"))
5113                 sid = tsec->osid;
5114         else if (!strcmp(name, "exec"))
5115                 sid = tsec->exec_sid;
5116         else if (!strcmp(name, "fscreate"))
5117                 sid = tsec->create_sid;
5118         else if (!strcmp(name, "keycreate"))
5119                 sid = tsec->keycreate_sid;
5120         else if (!strcmp(name, "sockcreate"))
5121                 sid = tsec->sockcreate_sid;
5122         else
5123                 return -EINVAL;
5124
5125         if (!sid)
5126                 return 0;
5127
5128         error = security_sid_to_context(sid, value, &len);
5129         if (error)
5130                 return error;
5131         return len;
5132 }
5133
5134 static int selinux_setprocattr(struct task_struct *p,
5135                                char *name, void *value, size_t size)
5136 {
5137         struct task_security_struct *tsec;
5138         struct task_struct *tracer;
5139         u32 sid = 0;
5140         int error;
5141         char *str = value;
5142
5143         if (current != p) {
5144                 /* SELinux only allows a process to change its own
5145                    security attributes. */
5146                 return -EACCES;
5147         }
5148
5149         /*
5150          * Basic control over ability to set these attributes at all.
5151          * current == p, but we'll pass them separately in case the
5152          * above restriction is ever removed.
5153          */
5154         if (!strcmp(name, "exec"))
5155                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5156         else if (!strcmp(name, "fscreate"))
5157                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5158         else if (!strcmp(name, "keycreate"))
5159                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5160         else if (!strcmp(name, "sockcreate"))
5161                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5162         else if (!strcmp(name, "current"))
5163                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5164         else
5165                 error = -EINVAL;
5166         if (error)
5167                 return error;
5168
5169         /* Obtain a SID for the context, if one was specified. */
5170         if (size && str[1] && str[1] != '\n') {
5171                 if (str[size-1] == '\n') {
5172                         str[size-1] = 0;
5173                         size--;
5174                 }
5175                 error = security_context_to_sid(value, size, &sid);
5176                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5177                         if (!capable(CAP_MAC_ADMIN))
5178                                 return error;
5179                         error = security_context_to_sid_force(value, size,
5180                                                               &sid);
5181                 }
5182                 if (error)
5183                         return error;
5184         }
5185
5186         /* Permission checking based on the specified context is
5187            performed during the actual operation (execve,
5188            open/mkdir/...), when we know the full context of the
5189            operation.  See selinux_bprm_set_security for the execve
5190            checks and may_create for the file creation checks. The
5191            operation will then fail if the context is not permitted. */
5192         tsec = p->security;
5193         if (!strcmp(name, "exec"))
5194                 tsec->exec_sid = sid;
5195         else if (!strcmp(name, "fscreate"))
5196                 tsec->create_sid = sid;
5197         else if (!strcmp(name, "keycreate")) {
5198                 error = may_create_key(sid, p);
5199                 if (error)
5200                         return error;
5201                 tsec->keycreate_sid = sid;
5202         } else if (!strcmp(name, "sockcreate"))
5203                 tsec->sockcreate_sid = sid;
5204         else if (!strcmp(name, "current")) {
5205                 struct av_decision avd;
5206
5207                 if (sid == 0)
5208                         return -EINVAL;
5209
5210                 /* Only allow single threaded processes to change context */
5211                 if (atomic_read(&p->mm->mm_users) != 1) {
5212                         struct task_struct *g, *t;
5213                         struct mm_struct *mm = p->mm;
5214                         read_lock(&tasklist_lock);
5215                         do_each_thread(g, t) {
5216                                 if (t->mm == mm && t != p) {
5217                                         read_unlock(&tasklist_lock);
5218                                         return -EPERM;
5219                                 }
5220                         } while_each_thread(g, t);
5221                         read_unlock(&tasklist_lock);
5222                 }
5223
5224                 /* Check permissions for the transition. */
5225                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5226                                      PROCESS__DYNTRANSITION, NULL);
5227                 if (error)
5228                         return error;
5229
5230                 /* Check for ptracing, and update the task SID if ok.
5231                    Otherwise, leave SID unchanged and fail. */
5232                 task_lock(p);
5233                 rcu_read_lock();
5234                 tracer = tracehook_tracer_task(p);
5235                 if (tracer != NULL) {
5236                         struct task_security_struct *ptsec = tracer->security;
5237                         u32 ptsid = ptsec->sid;
5238                         rcu_read_unlock();
5239                         error = avc_has_perm_noaudit(ptsid, sid,
5240                                                      SECCLASS_PROCESS,
5241                                                      PROCESS__PTRACE, 0, &avd);
5242                         if (!error)
5243                                 tsec->sid = sid;
5244                         task_unlock(p);
5245                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5246                                   PROCESS__PTRACE, &avd, error, NULL);
5247                         if (error)
5248                                 return error;
5249                 } else {
5250                         rcu_read_unlock();
5251                         tsec->sid = sid;
5252                         task_unlock(p);
5253                 }
5254         } else
5255                 return -EINVAL;
5256
5257         return size;
5258 }
5259
5260 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5261 {
5262         return security_sid_to_context(secid, secdata, seclen);
5263 }
5264
5265 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5266 {
5267         return security_context_to_sid(secdata, seclen, secid);
5268 }
5269
5270 static void selinux_release_secctx(char *secdata, u32 seclen)
5271 {
5272         kfree(secdata);
5273 }
5274
5275 #ifdef CONFIG_KEYS
5276
5277 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5278                              unsigned long flags)
5279 {
5280         struct task_security_struct *tsec = tsk->security;
5281         struct key_security_struct *ksec;
5282
5283         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5284         if (!ksec)
5285                 return -ENOMEM;
5286
5287         if (tsec->keycreate_sid)
5288                 ksec->sid = tsec->keycreate_sid;
5289         else
5290                 ksec->sid = tsec->sid;
5291         k->security = ksec;
5292
5293         return 0;
5294 }
5295
5296 static void selinux_key_free(struct key *k)
5297 {
5298         struct key_security_struct *ksec = k->security;
5299
5300         k->security = NULL;
5301         kfree(ksec);
5302 }
5303
5304 static int selinux_key_permission(key_ref_t key_ref,
5305                             struct task_struct *ctx,
5306                             key_perm_t perm)
5307 {
5308         struct key *key;
5309         struct task_security_struct *tsec;
5310         struct key_security_struct *ksec;
5311
5312         key = key_ref_to_ptr(key_ref);
5313
5314         tsec = ctx->security;
5315         ksec = key->security;
5316
5317         /* if no specific permissions are requested, we skip the
5318            permission check. No serious, additional covert channels
5319            appear to be created. */
5320         if (perm == 0)
5321                 return 0;
5322
5323         return avc_has_perm(tsec->sid, ksec->sid,
5324                             SECCLASS_KEY, perm, NULL);
5325 }
5326
5327 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5328 {
5329         struct key_security_struct *ksec = key->security;
5330         char *context = NULL;
5331         unsigned len;
5332         int rc;
5333
5334         rc = security_sid_to_context(ksec->sid, &context, &len);
5335         if (!rc)
5336                 rc = len;
5337         *_buffer = context;
5338         return rc;
5339 }
5340
5341 #endif
5342
5343 static struct security_operations selinux_ops = {
5344         .name =                         "selinux",
5345
5346         .ptrace =                       selinux_ptrace,
5347         .capget =                       selinux_capget,
5348         .capset_check =                 selinux_capset_check,
5349         .capset_set =                   selinux_capset_set,
5350         .sysctl =                       selinux_sysctl,
5351         .capable =                      selinux_capable,
5352         .quotactl =                     selinux_quotactl,
5353         .quota_on =                     selinux_quota_on,
5354         .syslog =                       selinux_syslog,
5355         .vm_enough_memory =             selinux_vm_enough_memory,
5356
5357         .netlink_send =                 selinux_netlink_send,
5358         .netlink_recv =                 selinux_netlink_recv,
5359
5360         .bprm_alloc_security =          selinux_bprm_alloc_security,
5361         .bprm_free_security =           selinux_bprm_free_security,
5362         .bprm_apply_creds =             selinux_bprm_apply_creds,
5363         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5364         .bprm_set_security =            selinux_bprm_set_security,
5365         .bprm_check_security =          selinux_bprm_check_security,
5366         .bprm_secureexec =              selinux_bprm_secureexec,
5367
5368         .sb_alloc_security =            selinux_sb_alloc_security,
5369         .sb_free_security =             selinux_sb_free_security,
5370         .sb_copy_data =                 selinux_sb_copy_data,
5371         .sb_kern_mount =                selinux_sb_kern_mount,
5372         .sb_show_options =              selinux_sb_show_options,
5373         .sb_statfs =                    selinux_sb_statfs,
5374         .sb_mount =                     selinux_mount,
5375         .sb_umount =                    selinux_umount,
5376         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5377         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5378         .sb_parse_opts_str =            selinux_parse_opts_str,
5379
5380
5381         .inode_alloc_security =         selinux_inode_alloc_security,
5382         .inode_free_security =          selinux_inode_free_security,
5383         .inode_init_security =          selinux_inode_init_security,
5384         .inode_create =                 selinux_inode_create,
5385         .inode_link =                   selinux_inode_link,
5386         .inode_unlink =                 selinux_inode_unlink,
5387         .inode_symlink =                selinux_inode_symlink,
5388         .inode_mkdir =                  selinux_inode_mkdir,
5389         .inode_rmdir =                  selinux_inode_rmdir,
5390         .inode_mknod =                  selinux_inode_mknod,
5391         .inode_rename =                 selinux_inode_rename,
5392         .inode_readlink =               selinux_inode_readlink,
5393         .inode_follow_link =            selinux_inode_follow_link,
5394         .inode_permission =             selinux_inode_permission,
5395         .inode_setattr =                selinux_inode_setattr,
5396         .inode_getattr =                selinux_inode_getattr,
5397         .inode_setxattr =               selinux_inode_setxattr,
5398         .inode_post_setxattr =          selinux_inode_post_setxattr,
5399         .inode_getxattr =               selinux_inode_getxattr,
5400         .inode_listxattr =              selinux_inode_listxattr,
5401         .inode_removexattr =            selinux_inode_removexattr,
5402         .inode_getsecurity =            selinux_inode_getsecurity,
5403         .inode_setsecurity =            selinux_inode_setsecurity,
5404         .inode_listsecurity =           selinux_inode_listsecurity,
5405         .inode_need_killpriv =          selinux_inode_need_killpriv,
5406         .inode_killpriv =               selinux_inode_killpriv,
5407         .inode_getsecid =               selinux_inode_getsecid,
5408
5409         .file_permission =              selinux_file_permission,
5410         .file_alloc_security =          selinux_file_alloc_security,
5411         .file_free_security =           selinux_file_free_security,
5412         .file_ioctl =                   selinux_file_ioctl,
5413         .file_mmap =                    selinux_file_mmap,
5414         .file_mprotect =                selinux_file_mprotect,
5415         .file_lock =                    selinux_file_lock,
5416         .file_fcntl =                   selinux_file_fcntl,
5417         .file_set_fowner =              selinux_file_set_fowner,
5418         .file_send_sigiotask =          selinux_file_send_sigiotask,
5419         .file_receive =                 selinux_file_receive,
5420
5421         .dentry_open =                  selinux_dentry_open,
5422
5423         .task_create =                  selinux_task_create,
5424         .task_alloc_security =          selinux_task_alloc_security,
5425         .task_free_security =           selinux_task_free_security,
5426         .task_setuid =                  selinux_task_setuid,
5427         .task_post_setuid =             selinux_task_post_setuid,
5428         .task_setgid =                  selinux_task_setgid,
5429         .task_setpgid =                 selinux_task_setpgid,
5430         .task_getpgid =                 selinux_task_getpgid,
5431         .task_getsid =                  selinux_task_getsid,
5432         .task_getsecid =                selinux_task_getsecid,
5433         .task_setgroups =               selinux_task_setgroups,
5434         .task_setnice =                 selinux_task_setnice,
5435         .task_setioprio =               selinux_task_setioprio,
5436         .task_getioprio =               selinux_task_getioprio,
5437         .task_setrlimit =               selinux_task_setrlimit,
5438         .task_setscheduler =            selinux_task_setscheduler,
5439         .task_getscheduler =            selinux_task_getscheduler,
5440         .task_movememory =              selinux_task_movememory,
5441         .task_kill =                    selinux_task_kill,
5442         .task_wait =                    selinux_task_wait,
5443         .task_prctl =                   selinux_task_prctl,
5444         .task_reparent_to_init =        selinux_task_reparent_to_init,
5445         .task_to_inode =                selinux_task_to_inode,
5446
5447         .ipc_permission =               selinux_ipc_permission,
5448         .ipc_getsecid =                 selinux_ipc_getsecid,
5449
5450         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5451         .msg_msg_free_security =        selinux_msg_msg_free_security,
5452
5453         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5454         .msg_queue_free_security =      selinux_msg_queue_free_security,
5455         .msg_queue_associate =          selinux_msg_queue_associate,
5456         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5457         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5458         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5459
5460         .shm_alloc_security =           selinux_shm_alloc_security,
5461         .shm_free_security =            selinux_shm_free_security,
5462         .shm_associate =                selinux_shm_associate,
5463         .shm_shmctl =                   selinux_shm_shmctl,
5464         .shm_shmat =                    selinux_shm_shmat,
5465
5466         .sem_alloc_security =           selinux_sem_alloc_security,
5467         .sem_free_security =            selinux_sem_free_security,
5468         .sem_associate =                selinux_sem_associate,
5469         .sem_semctl =                   selinux_sem_semctl,
5470         .sem_semop =                    selinux_sem_semop,
5471
5472         .d_instantiate =                selinux_d_instantiate,
5473
5474         .getprocattr =                  selinux_getprocattr,
5475         .setprocattr =                  selinux_setprocattr,
5476
5477         .secid_to_secctx =              selinux_secid_to_secctx,
5478         .secctx_to_secid =              selinux_secctx_to_secid,
5479         .release_secctx =               selinux_release_secctx,
5480
5481         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5482         .unix_may_send =                selinux_socket_unix_may_send,
5483
5484         .socket_create =                selinux_socket_create,
5485         .socket_post_create =           selinux_socket_post_create,
5486         .socket_bind =                  selinux_socket_bind,
5487         .socket_connect =               selinux_socket_connect,
5488         .socket_listen =                selinux_socket_listen,
5489         .socket_accept =                selinux_socket_accept,
5490         .socket_sendmsg =               selinux_socket_sendmsg,
5491         .socket_recvmsg =               selinux_socket_recvmsg,
5492         .socket_getsockname =           selinux_socket_getsockname,
5493         .socket_getpeername =           selinux_socket_getpeername,
5494         .socket_getsockopt =            selinux_socket_getsockopt,
5495         .socket_setsockopt =            selinux_socket_setsockopt,
5496         .socket_shutdown =              selinux_socket_shutdown,
5497         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5498         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5499         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5500         .sk_alloc_security =            selinux_sk_alloc_security,
5501         .sk_free_security =             selinux_sk_free_security,
5502         .sk_clone_security =            selinux_sk_clone_security,
5503         .sk_getsecid =                  selinux_sk_getsecid,
5504         .sock_graft =                   selinux_sock_graft,
5505         .inet_conn_request =            selinux_inet_conn_request,
5506         .inet_csk_clone =               selinux_inet_csk_clone,
5507         .inet_conn_established =        selinux_inet_conn_established,
5508         .req_classify_flow =            selinux_req_classify_flow,
5509
5510 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5511         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5512         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5513         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5514         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5515         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5516         .xfrm_state_free_security =     selinux_xfrm_state_free,
5517         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5518         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5519         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5520         .xfrm_decode_session =          selinux_xfrm_decode_session,
5521 #endif
5522
5523 #ifdef CONFIG_KEYS
5524         .key_alloc =                    selinux_key_alloc,
5525         .key_free =                     selinux_key_free,
5526         .key_permission =               selinux_key_permission,
5527         .key_getsecurity =              selinux_key_getsecurity,
5528 #endif
5529
5530 #ifdef CONFIG_AUDIT
5531         .audit_rule_init =              selinux_audit_rule_init,
5532         .audit_rule_known =             selinux_audit_rule_known,
5533         .audit_rule_match =             selinux_audit_rule_match,
5534         .audit_rule_free =              selinux_audit_rule_free,
5535 #endif
5536 };
5537
5538 static __init int selinux_init(void)
5539 {
5540         struct task_security_struct *tsec;
5541
5542         if (!security_module_enable(&selinux_ops)) {
5543                 selinux_enabled = 0;
5544                 return 0;
5545         }
5546
5547         if (!selinux_enabled) {
5548                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5549                 return 0;
5550         }
5551
5552         printk(KERN_INFO "SELinux:  Initializing.\n");
5553
5554         /* Set the security state for the initial task. */
5555         if (task_alloc_security(current))
5556                 panic("SELinux:  Failed to initialize initial task.\n");
5557         tsec = current->security;
5558         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5559
5560         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5561                                             sizeof(struct inode_security_struct),
5562                                             0, SLAB_PANIC, NULL);
5563         avc_init();
5564
5565         secondary_ops = security_ops;
5566         if (!secondary_ops)
5567                 panic("SELinux: No initial security operations\n");
5568         if (register_security(&selinux_ops))
5569                 panic("SELinux: Unable to register with kernel.\n");
5570
5571         if (selinux_enforcing)
5572                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5573         else
5574                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5575
5576         return 0;
5577 }
5578
5579 void selinux_complete_init(void)
5580 {
5581         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5582
5583         /* Set up any superblocks initialized prior to the policy load. */
5584         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5585         spin_lock(&sb_lock);
5586         spin_lock(&sb_security_lock);
5587 next_sb:
5588         if (!list_empty(&superblock_security_head)) {
5589                 struct superblock_security_struct *sbsec =
5590                                 list_entry(superblock_security_head.next,
5591                                            struct superblock_security_struct,
5592                                            list);
5593                 struct super_block *sb = sbsec->sb;
5594                 sb->s_count++;
5595                 spin_unlock(&sb_security_lock);
5596                 spin_unlock(&sb_lock);
5597                 down_read(&sb->s_umount);
5598                 if (sb->s_root)
5599                         superblock_doinit(sb, NULL);
5600                 drop_super(sb);
5601                 spin_lock(&sb_lock);
5602                 spin_lock(&sb_security_lock);
5603                 list_del_init(&sbsec->list);
5604                 goto next_sb;
5605         }
5606         spin_unlock(&sb_security_lock);
5607         spin_unlock(&sb_lock);
5608 }
5609
5610 /* SELinux requires early initialization in order to label
5611    all processes and objects when they are created. */
5612 security_initcall(selinux_init);
5613
5614 #if defined(CONFIG_NETFILTER)
5615
5616 static struct nf_hook_ops selinux_ipv4_ops[] = {
5617         {
5618                 .hook =         selinux_ipv4_postroute,
5619                 .owner =        THIS_MODULE,
5620                 .pf =           PF_INET,
5621                 .hooknum =      NF_INET_POST_ROUTING,
5622                 .priority =     NF_IP_PRI_SELINUX_LAST,
5623         },
5624         {
5625                 .hook =         selinux_ipv4_forward,
5626                 .owner =        THIS_MODULE,
5627                 .pf =           PF_INET,
5628                 .hooknum =      NF_INET_FORWARD,
5629                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5630         }
5631 };
5632
5633 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5634
5635 static struct nf_hook_ops selinux_ipv6_ops[] = {
5636         {
5637                 .hook =         selinux_ipv6_postroute,
5638                 .owner =        THIS_MODULE,
5639                 .pf =           PF_INET6,
5640                 .hooknum =      NF_INET_POST_ROUTING,
5641                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5642         },
5643         {
5644                 .hook =         selinux_ipv6_forward,
5645                 .owner =        THIS_MODULE,
5646                 .pf =           PF_INET6,
5647                 .hooknum =      NF_INET_FORWARD,
5648                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5649         }
5650 };
5651
5652 #endif  /* IPV6 */
5653
5654 static int __init selinux_nf_ip_init(void)
5655 {
5656         int err = 0;
5657         u32 iter;
5658
5659         if (!selinux_enabled)
5660                 goto out;
5661
5662         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5663
5664         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5665                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5666                 if (err)
5667                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5668                               err);
5669         }
5670
5671 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5672         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5673                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5674                 if (err)
5675                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5676                               err);
5677         }
5678 #endif  /* IPV6 */
5679
5680 out:
5681         return err;
5682 }
5683
5684 __initcall(selinux_nf_ip_init);
5685
5686 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5687 static void selinux_nf_ip_exit(void)
5688 {
5689         u32 iter;
5690
5691         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5692
5693         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5694                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5695 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5696         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5697                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5698 #endif  /* IPV6 */
5699 }
5700 #endif
5701
5702 #else /* CONFIG_NETFILTER */
5703
5704 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5705 #define selinux_nf_ip_exit()
5706 #endif
5707
5708 #endif /* CONFIG_NETFILTER */
5709
5710 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5711 static int selinux_disabled;
5712
5713 int selinux_disable(void)
5714 {
5715         extern void exit_sel_fs(void);
5716
5717         if (ss_initialized) {
5718                 /* Not permitted after initial policy load. */
5719                 return -EINVAL;
5720         }
5721
5722         if (selinux_disabled) {
5723                 /* Only do this once. */
5724                 return -EINVAL;
5725         }
5726
5727         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5728
5729         selinux_disabled = 1;
5730         selinux_enabled = 0;
5731
5732         /* Reset security_ops to the secondary module, dummy or capability. */
5733         security_ops = secondary_ops;
5734
5735         /* Unregister netfilter hooks. */
5736         selinux_nf_ip_exit();
5737
5738         /* Unregister selinuxfs. */
5739         exit_sel_fs();
5740
5741         return 0;
5742 }
5743 #endif