63701fe0e1ad695fc5ad14ac5c77d88725febbd8
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         memset(tsec, 0, sizeof(struct task_security_struct));
130         tsec->magic = SELINUX_MAGIC;
131         tsec->task = task;
132         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133         task->security = tsec;
134
135         return 0;
136 }
137
138 static void task_free_security(struct task_struct *task)
139 {
140         struct task_security_struct *tsec = task->security;
141
142         if (!tsec || tsec->magic != SELINUX_MAGIC)
143                 return;
144
145         task->security = NULL;
146         kfree(tsec);
147 }
148
149 static int inode_alloc_security(struct inode *inode)
150 {
151         struct task_security_struct *tsec = current->security;
152         struct inode_security_struct *isec;
153
154         isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
155         if (!isec)
156                 return -ENOMEM;
157
158         memset(isec, 0, sizeof(struct inode_security_struct));
159         init_MUTEX(&isec->sem);
160         INIT_LIST_HEAD(&isec->list);
161         isec->magic = SELINUX_MAGIC;
162         isec->inode = inode;
163         isec->sid = SECINITSID_UNLABELED;
164         isec->sclass = SECCLASS_FILE;
165         if (tsec && tsec->magic == SELINUX_MAGIC)
166                 isec->task_sid = tsec->sid;
167         else
168                 isec->task_sid = SECINITSID_UNLABELED;
169         inode->i_security = isec;
170
171         return 0;
172 }
173
174 static void inode_free_security(struct inode *inode)
175 {
176         struct inode_security_struct *isec = inode->i_security;
177         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
178
179         if (!isec || isec->magic != SELINUX_MAGIC)
180                 return;
181
182         spin_lock(&sbsec->isec_lock);
183         if (!list_empty(&isec->list))
184                 list_del_init(&isec->list);
185         spin_unlock(&sbsec->isec_lock);
186
187         inode->i_security = NULL;
188         kfree(isec);
189 }
190
191 static int file_alloc_security(struct file *file)
192 {
193         struct task_security_struct *tsec = current->security;
194         struct file_security_struct *fsec;
195
196         fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
197         if (!fsec)
198                 return -ENOMEM;
199
200         memset(fsec, 0, sizeof(struct file_security_struct));
201         fsec->magic = SELINUX_MAGIC;
202         fsec->file = file;
203         if (tsec && tsec->magic == SELINUX_MAGIC) {
204                 fsec->sid = tsec->sid;
205                 fsec->fown_sid = tsec->sid;
206         } else {
207                 fsec->sid = SECINITSID_UNLABELED;
208                 fsec->fown_sid = SECINITSID_UNLABELED;
209         }
210         file->f_security = fsec;
211
212         return 0;
213 }
214
215 static void file_free_security(struct file *file)
216 {
217         struct file_security_struct *fsec = file->f_security;
218
219         if (!fsec || fsec->magic != SELINUX_MAGIC)
220                 return;
221
222         file->f_security = NULL;
223         kfree(fsec);
224 }
225
226 static int superblock_alloc_security(struct super_block *sb)
227 {
228         struct superblock_security_struct *sbsec;
229
230         sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
231         if (!sbsec)
232                 return -ENOMEM;
233
234         memset(sbsec, 0, sizeof(struct superblock_security_struct));
235         init_MUTEX(&sbsec->sem);
236         INIT_LIST_HEAD(&sbsec->list);
237         INIT_LIST_HEAD(&sbsec->isec_head);
238         spin_lock_init(&sbsec->isec_lock);
239         sbsec->magic = SELINUX_MAGIC;
240         sbsec->sb = sb;
241         sbsec->sid = SECINITSID_UNLABELED;
242         sbsec->def_sid = SECINITSID_FILE;
243         sb->s_security = sbsec;
244
245         return 0;
246 }
247
248 static void superblock_free_security(struct super_block *sb)
249 {
250         struct superblock_security_struct *sbsec = sb->s_security;
251
252         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
253                 return;
254
255         spin_lock(&sb_security_lock);
256         if (!list_empty(&sbsec->list))
257                 list_del_init(&sbsec->list);
258         spin_unlock(&sb_security_lock);
259
260         sb->s_security = NULL;
261         kfree(sbsec);
262 }
263
264 #ifdef CONFIG_SECURITY_NETWORK
265 static int sk_alloc_security(struct sock *sk, int family, int priority)
266 {
267         struct sk_security_struct *ssec;
268
269         if (family != PF_UNIX)
270                 return 0;
271
272         ssec = kmalloc(sizeof(*ssec), priority);
273         if (!ssec)
274                 return -ENOMEM;
275
276         memset(ssec, 0, sizeof(*ssec));
277         ssec->magic = SELINUX_MAGIC;
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         sk->sk_security = ssec;
281
282         return 0;
283 }
284
285 static void sk_free_security(struct sock *sk)
286 {
287         struct sk_security_struct *ssec = sk->sk_security;
288
289         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
290                 return;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295 #endif  /* CONFIG_SECURITY_NETWORK */
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335         char *context = NULL, *defcontext = NULL;
336         const char *name;
337         u32 sid;
338         int alloc = 0, rc = 0, seen = 0;
339         struct task_security_struct *tsec = current->security;
340         struct superblock_security_struct *sbsec = sb->s_security;
341
342         if (!data)
343                 goto out;
344
345         name = sb->s_type->name;
346
347         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349                 /* NFS we understand. */
350                 if (!strcmp(name, "nfs")) {
351                         struct nfs_mount_data *d = data;
352
353                         if (d->version <  NFS_MOUNT_VERSION)
354                                 goto out;
355
356                         if (d->context[0]) {
357                                 context = d->context;
358                                 seen |= Opt_context;
359                         }
360                 } else
361                         goto out;
362
363         } else {
364                 /* Standard string-based options. */
365                 char *p, *options = data;
366
367                 while ((p = strsep(&options, ",")) != NULL) {
368                         int token;
369                         substring_t args[MAX_OPT_ARGS];
370
371                         if (!*p)
372                                 continue;
373
374                         token = match_token(p, tokens, args);
375
376                         switch (token) {
377                         case Opt_context:
378                                 if (seen) {
379                                         rc = -EINVAL;
380                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381                                         goto out_free;
382                                 }
383                                 context = match_strdup(&args[0]);
384                                 if (!context) {
385                                         rc = -ENOMEM;
386                                         goto out_free;
387                                 }
388                                 if (!alloc)
389                                         alloc = 1;
390                                 seen |= Opt_context;
391                                 break;
392
393                         case Opt_fscontext:
394                                 if (seen & (Opt_context|Opt_fscontext)) {
395                                         rc = -EINVAL;
396                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397                                         goto out_free;
398                                 }
399                                 context = match_strdup(&args[0]);
400                                 if (!context) {
401                                         rc = -ENOMEM;
402                                         goto out_free;
403                                 }
404                                 if (!alloc)
405                                         alloc = 1;
406                                 seen |= Opt_fscontext;
407                                 break;
408
409                         case Opt_defcontext:
410                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING "SELinux:  "
413                                                "defcontext option is invalid "
414                                                "for this filesystem type\n");
415                                         goto out_free;
416                                 }
417                                 if (seen & (Opt_context|Opt_defcontext)) {
418                                         rc = -EINVAL;
419                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420                                         goto out_free;
421                                 }
422                                 defcontext = match_strdup(&args[0]);
423                                 if (!defcontext) {
424                                         rc = -ENOMEM;
425                                         goto out_free;
426                                 }
427                                 if (!alloc)
428                                         alloc = 1;
429                                 seen |= Opt_defcontext;
430                                 break;
431
432                         default:
433                                 rc = -EINVAL;
434                                 printk(KERN_WARNING "SELinux:  unknown mount "
435                                        "option\n");
436                                 goto out_free;
437
438                         }
439                 }
440         }
441
442         if (!seen)
443                 goto out;
444
445         if (context) {
446                 rc = security_context_to_sid(context, strlen(context), &sid);
447                 if (rc) {
448                         printk(KERN_WARNING "SELinux: security_context_to_sid"
449                                "(%s) failed for (dev %s, type %s) errno=%d\n",
450                                context, sb->s_id, name, rc);
451                         goto out_free;
452                 }
453
454                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELFROM, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460                                   FILESYSTEM__RELABELTO, NULL);
461                 if (rc)
462                         goto out_free;
463
464                 sbsec->sid = sid;
465
466                 if (seen & Opt_context)
467                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468         }
469
470         if (defcontext) {
471                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472                 if (rc) {
473                         printk(KERN_WARNING "SELinux: security_context_to_sid"
474                                "(%s) failed for (dev %s, type %s) errno=%d\n",
475                                defcontext, sb->s_id, name, rc);
476                         goto out_free;
477                 }
478
479                 if (sid == sbsec->def_sid)
480                         goto out_free;
481
482                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__RELABELFROM, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488                                   FILESYSTEM__ASSOCIATE, NULL);
489                 if (rc)
490                         goto out_free;
491
492                 sbsec->def_sid = sid;
493         }
494
495 out_free:
496         if (alloc) {
497                 kfree(context);
498                 kfree(defcontext);
499         }
500 out:
501         return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506         struct superblock_security_struct *sbsec = sb->s_security;
507         struct dentry *root = sb->s_root;
508         struct inode *inode = root->d_inode;
509         int rc = 0;
510
511         down(&sbsec->sem);
512         if (sbsec->initialized)
513                 goto out;
514
515         if (!ss_initialized) {
516                 /* Defer initialization until selinux_complete_init,
517                    after the initial policy is loaded and the security
518                    server is ready to handle calls. */
519                 spin_lock(&sb_security_lock);
520                 if (list_empty(&sbsec->list))
521                         list_add(&sbsec->list, &superblock_security_head);
522                 spin_unlock(&sb_security_lock);
523                 goto out;
524         }
525
526         /* Determine the labeling behavior to use for this filesystem type. */
527         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528         if (rc) {
529                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
530                        __FUNCTION__, sb->s_type->name, rc);
531                 goto out;
532         }
533
534         rc = try_context_mount(sb, data);
535         if (rc)
536                 goto out;
537
538         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539                 /* Make sure that the xattr handler exists and that no
540                    error other than -ENODATA is returned by getxattr on
541                    the root directory.  -ENODATA is ok, as this may be
542                    the first boot of the SELinux kernel before we have
543                    assigned xattr values to the filesystem. */
544                 if (!inode->i_op->getxattr) {
545                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546                                "xattr support\n", sb->s_id, sb->s_type->name);
547                         rc = -EOPNOTSUPP;
548                         goto out;
549                 }
550                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551                 if (rc < 0 && rc != -ENODATA) {
552                         if (rc == -EOPNOTSUPP)
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) has no security xattr handler\n",
555                                        sb->s_id, sb->s_type->name);
556                         else
557                                 printk(KERN_WARNING "SELinux: (dev %s, type "
558                                        "%s) getxattr errno %d\n", sb->s_id,
559                                        sb->s_type->name, -rc);
560                         goto out;
561                 }
562         }
563
564         if (strcmp(sb->s_type->name, "proc") == 0)
565                 sbsec->proc = 1;
566
567         sbsec->initialized = 1;
568
569         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571                        sb->s_id, sb->s_type->name);
572         }
573         else {
574                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575                        sb->s_id, sb->s_type->name,
576                        labeling_behaviors[sbsec->behavior-1]);
577         }
578
579         /* Initialize the root inode. */
580         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582         /* Initialize any other inodes associated with the superblock, e.g.
583            inodes created prior to initial policy load or inodes created
584            during get_sb by a pseudo filesystem that directly
585            populates itself. */
586         spin_lock(&sbsec->isec_lock);
587 next_inode:
588         if (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_entry(sbsec->isec_head.next,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 spin_unlock(&sbsec->isec_lock);
594                 inode = igrab(inode);
595                 if (inode) {
596                         if (!IS_PRIVATE (inode))
597                                 inode_doinit(inode);
598                         iput(inode);
599                 }
600                 spin_lock(&sbsec->isec_lock);
601                 list_del_init(&isec->list);
602                 goto next_inode;
603         }
604         spin_unlock(&sbsec->isec_lock);
605 out:
606         up(&sbsec->sem);
607         return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612         switch (mode & S_IFMT) {
613         case S_IFSOCK:
614                 return SECCLASS_SOCK_FILE;
615         case S_IFLNK:
616                 return SECCLASS_LNK_FILE;
617         case S_IFREG:
618                 return SECCLASS_FILE;
619         case S_IFBLK:
620                 return SECCLASS_BLK_FILE;
621         case S_IFDIR:
622                 return SECCLASS_DIR;
623         case S_IFCHR:
624                 return SECCLASS_CHR_FILE;
625         case S_IFIFO:
626                 return SECCLASS_FIFO_FILE;
627
628         }
629
630         return SECCLASS_FILE;
631 }
632
633 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
634 {
635         switch (family) {
636         case PF_UNIX:
637                 switch (type) {
638                 case SOCK_STREAM:
639                 case SOCK_SEQPACKET:
640                         return SECCLASS_UNIX_STREAM_SOCKET;
641                 case SOCK_DGRAM:
642                         return SECCLASS_UNIX_DGRAM_SOCKET;
643                 }
644                 break;
645         case PF_INET:
646         case PF_INET6:
647                 switch (type) {
648                 case SOCK_STREAM:
649                         return SECCLASS_TCP_SOCKET;
650                 case SOCK_DGRAM:
651                         return SECCLASS_UDP_SOCKET;
652                 case SOCK_RAW:
653                         return SECCLASS_RAWIP_SOCKET;
654                 }
655                 break;
656         case PF_NETLINK:
657                 switch (protocol) {
658                 case NETLINK_ROUTE:
659                         return SECCLASS_NETLINK_ROUTE_SOCKET;
660                 case NETLINK_FIREWALL:
661                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
662                 case NETLINK_INET_DIAG:
663                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
664                 case NETLINK_NFLOG:
665                         return SECCLASS_NETLINK_NFLOG_SOCKET;
666                 case NETLINK_XFRM:
667                         return SECCLASS_NETLINK_XFRM_SOCKET;
668                 case NETLINK_SELINUX:
669                         return SECCLASS_NETLINK_SELINUX_SOCKET;
670                 case NETLINK_AUDIT:
671                         return SECCLASS_NETLINK_AUDIT_SOCKET;
672                 case NETLINK_IP6_FW:
673                         return SECCLASS_NETLINK_IP6FW_SOCKET;
674                 case NETLINK_DNRTMSG:
675                         return SECCLASS_NETLINK_DNRT_SOCKET;
676                 case NETLINK_KOBJECT_UEVENT:
677                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
678                 default:
679                         return SECCLASS_NETLINK_SOCKET;
680                 }
681         case PF_PACKET:
682                 return SECCLASS_PACKET_SOCKET;
683         case PF_KEY:
684                 return SECCLASS_KEY_SOCKET;
685         }
686
687         return SECCLASS_SOCKET;
688 }
689
690 #ifdef CONFIG_PROC_FS
691 static int selinux_proc_get_sid(struct proc_dir_entry *de,
692                                 u16 tclass,
693                                 u32 *sid)
694 {
695         int buflen, rc;
696         char *buffer, *path, *end;
697
698         buffer = (char*)__get_free_page(GFP_KERNEL);
699         if (!buffer)
700                 return -ENOMEM;
701
702         buflen = PAGE_SIZE;
703         end = buffer+buflen;
704         *--end = '\0';
705         buflen--;
706         path = end-1;
707         *path = '/';
708         while (de && de != de->parent) {
709                 buflen -= de->namelen + 1;
710                 if (buflen < 0)
711                         break;
712                 end -= de->namelen;
713                 memcpy(end, de->name, de->namelen);
714                 *--end = '/';
715                 path = end;
716                 de = de->parent;
717         }
718         rc = security_genfs_sid("proc", path, tclass, sid);
719         free_page((unsigned long)buffer);
720         return rc;
721 }
722 #else
723 static int selinux_proc_get_sid(struct proc_dir_entry *de,
724                                 u16 tclass,
725                                 u32 *sid)
726 {
727         return -EINVAL;
728 }
729 #endif
730
731 /* The inode's security attributes must be initialized before first use. */
732 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
733 {
734         struct superblock_security_struct *sbsec = NULL;
735         struct inode_security_struct *isec = inode->i_security;
736         u32 sid;
737         struct dentry *dentry;
738 #define INITCONTEXTLEN 255
739         char *context = NULL;
740         unsigned len = 0;
741         int rc = 0;
742         int hold_sem = 0;
743
744         if (isec->initialized)
745                 goto out;
746
747         down(&isec->sem);
748         hold_sem = 1;
749         if (isec->initialized)
750                 goto out;
751
752         sbsec = inode->i_sb->s_security;
753         if (!sbsec->initialized) {
754                 /* Defer initialization until selinux_complete_init,
755                    after the initial policy is loaded and the security
756                    server is ready to handle calls. */
757                 spin_lock(&sbsec->isec_lock);
758                 if (list_empty(&isec->list))
759                         list_add(&isec->list, &sbsec->isec_head);
760                 spin_unlock(&sbsec->isec_lock);
761                 goto out;
762         }
763
764         switch (sbsec->behavior) {
765         case SECURITY_FS_USE_XATTR:
766                 if (!inode->i_op->getxattr) {
767                         isec->sid = sbsec->def_sid;
768                         break;
769                 }
770
771                 /* Need a dentry, since the xattr API requires one.
772                    Life would be simpler if we could just pass the inode. */
773                 if (opt_dentry) {
774                         /* Called from d_instantiate or d_splice_alias. */
775                         dentry = dget(opt_dentry);
776                 } else {
777                         /* Called from selinux_complete_init, try to find a dentry. */
778                         dentry = d_find_alias(inode);
779                 }
780                 if (!dentry) {
781                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
782                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
783                                inode->i_ino);
784                         goto out;
785                 }
786
787                 len = INITCONTEXTLEN;
788                 context = kmalloc(len, GFP_KERNEL);
789                 if (!context) {
790                         rc = -ENOMEM;
791                         dput(dentry);
792                         goto out;
793                 }
794                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
795                                            context, len);
796                 if (rc == -ERANGE) {
797                         /* Need a larger buffer.  Query for the right size. */
798                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
799                                                    NULL, 0);
800                         if (rc < 0) {
801                                 dput(dentry);
802                                 goto out;
803                         }
804                         kfree(context);
805                         len = rc;
806                         context = kmalloc(len, GFP_KERNEL);
807                         if (!context) {
808                                 rc = -ENOMEM;
809                                 dput(dentry);
810                                 goto out;
811                         }
812                         rc = inode->i_op->getxattr(dentry,
813                                                    XATTR_NAME_SELINUX,
814                                                    context, len);
815                 }
816                 dput(dentry);
817                 if (rc < 0) {
818                         if (rc != -ENODATA) {
819                                 printk(KERN_WARNING "%s:  getxattr returned "
820                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
821                                        -rc, inode->i_sb->s_id, inode->i_ino);
822                                 kfree(context);
823                                 goto out;
824                         }
825                         /* Map ENODATA to the default file SID */
826                         sid = sbsec->def_sid;
827                         rc = 0;
828                 } else {
829                         rc = security_context_to_sid_default(context, rc, &sid,
830                                                              sbsec->def_sid);
831                         if (rc) {
832                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
833                                        "returned %d for dev=%s ino=%ld\n",
834                                        __FUNCTION__, context, -rc,
835                                        inode->i_sb->s_id, inode->i_ino);
836                                 kfree(context);
837                                 /* Leave with the unlabeled SID */
838                                 rc = 0;
839                                 break;
840                         }
841                 }
842                 kfree(context);
843                 isec->sid = sid;
844                 break;
845         case SECURITY_FS_USE_TASK:
846                 isec->sid = isec->task_sid;
847                 break;
848         case SECURITY_FS_USE_TRANS:
849                 /* Default to the fs SID. */
850                 isec->sid = sbsec->sid;
851
852                 /* Try to obtain a transition SID. */
853                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
854                 rc = security_transition_sid(isec->task_sid,
855                                              sbsec->sid,
856                                              isec->sclass,
857                                              &sid);
858                 if (rc)
859                         goto out;
860                 isec->sid = sid;
861                 break;
862         default:
863                 /* Default to the fs SID. */
864                 isec->sid = sbsec->sid;
865
866                 if (sbsec->proc) {
867                         struct proc_inode *proci = PROC_I(inode);
868                         if (proci->pde) {
869                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
870                                 rc = selinux_proc_get_sid(proci->pde,
871                                                           isec->sclass,
872                                                           &sid);
873                                 if (rc)
874                                         goto out;
875                                 isec->sid = sid;
876                         }
877                 }
878                 break;
879         }
880
881         isec->initialized = 1;
882
883 out:
884         if (isec->sclass == SECCLASS_FILE)
885                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
886
887         if (hold_sem)
888                 up(&isec->sem);
889         return rc;
890 }
891
892 /* Convert a Linux signal to an access vector. */
893 static inline u32 signal_to_av(int sig)
894 {
895         u32 perm = 0;
896
897         switch (sig) {
898         case SIGCHLD:
899                 /* Commonly granted from child to parent. */
900                 perm = PROCESS__SIGCHLD;
901                 break;
902         case SIGKILL:
903                 /* Cannot be caught or ignored */
904                 perm = PROCESS__SIGKILL;
905                 break;
906         case SIGSTOP:
907                 /* Cannot be caught or ignored */
908                 perm = PROCESS__SIGSTOP;
909                 break;
910         default:
911                 /* All other signals. */
912                 perm = PROCESS__SIGNAL;
913                 break;
914         }
915
916         return perm;
917 }
918
919 /* Check permission betweeen a pair of tasks, e.g. signal checks,
920    fork check, ptrace check, etc. */
921 static int task_has_perm(struct task_struct *tsk1,
922                          struct task_struct *tsk2,
923                          u32 perms)
924 {
925         struct task_security_struct *tsec1, *tsec2;
926
927         tsec1 = tsk1->security;
928         tsec2 = tsk2->security;
929         return avc_has_perm(tsec1->sid, tsec2->sid,
930                             SECCLASS_PROCESS, perms, NULL);
931 }
932
933 /* Check whether a task is allowed to use a capability. */
934 static int task_has_capability(struct task_struct *tsk,
935                                int cap)
936 {
937         struct task_security_struct *tsec;
938         struct avc_audit_data ad;
939
940         tsec = tsk->security;
941
942         AVC_AUDIT_DATA_INIT(&ad,CAP);
943         ad.tsk = tsk;
944         ad.u.cap = cap;
945
946         return avc_has_perm(tsec->sid, tsec->sid,
947                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
948 }
949
950 /* Check whether a task is allowed to use a system operation. */
951 static int task_has_system(struct task_struct *tsk,
952                            u32 perms)
953 {
954         struct task_security_struct *tsec;
955
956         tsec = tsk->security;
957
958         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
959                             SECCLASS_SYSTEM, perms, NULL);
960 }
961
962 /* Check whether a task has a particular permission to an inode.
963    The 'adp' parameter is optional and allows other audit
964    data to be passed (e.g. the dentry). */
965 static int inode_has_perm(struct task_struct *tsk,
966                           struct inode *inode,
967                           u32 perms,
968                           struct avc_audit_data *adp)
969 {
970         struct task_security_struct *tsec;
971         struct inode_security_struct *isec;
972         struct avc_audit_data ad;
973
974         tsec = tsk->security;
975         isec = inode->i_security;
976
977         if (!adp) {
978                 adp = &ad;
979                 AVC_AUDIT_DATA_INIT(&ad, FS);
980                 ad.u.fs.inode = inode;
981         }
982
983         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
984 }
985
986 /* Same as inode_has_perm, but pass explicit audit data containing
987    the dentry to help the auditing code to more easily generate the
988    pathname if needed. */
989 static inline int dentry_has_perm(struct task_struct *tsk,
990                                   struct vfsmount *mnt,
991                                   struct dentry *dentry,
992                                   u32 av)
993 {
994         struct inode *inode = dentry->d_inode;
995         struct avc_audit_data ad;
996         AVC_AUDIT_DATA_INIT(&ad,FS);
997         ad.u.fs.mnt = mnt;
998         ad.u.fs.dentry = dentry;
999         return inode_has_perm(tsk, inode, av, &ad);
1000 }
1001
1002 /* Check whether a task can use an open file descriptor to
1003    access an inode in a given way.  Check access to the
1004    descriptor itself, and then use dentry_has_perm to
1005    check a particular permission to the file.
1006    Access to the descriptor is implicitly granted if it
1007    has the same SID as the process.  If av is zero, then
1008    access to the file is not checked, e.g. for cases
1009    where only the descriptor is affected like seek. */
1010 static inline int file_has_perm(struct task_struct *tsk,
1011                                 struct file *file,
1012                                 u32 av)
1013 {
1014         struct task_security_struct *tsec = tsk->security;
1015         struct file_security_struct *fsec = file->f_security;
1016         struct vfsmount *mnt = file->f_vfsmnt;
1017         struct dentry *dentry = file->f_dentry;
1018         struct inode *inode = dentry->d_inode;
1019         struct avc_audit_data ad;
1020         int rc;
1021
1022         AVC_AUDIT_DATA_INIT(&ad, FS);
1023         ad.u.fs.mnt = mnt;
1024         ad.u.fs.dentry = dentry;
1025
1026         if (tsec->sid != fsec->sid) {
1027                 rc = avc_has_perm(tsec->sid, fsec->sid,
1028                                   SECCLASS_FD,
1029                                   FD__USE,
1030                                   &ad);
1031                 if (rc)
1032                         return rc;
1033         }
1034
1035         /* av is zero if only checking access to the descriptor. */
1036         if (av)
1037                 return inode_has_perm(tsk, inode, av, &ad);
1038
1039         return 0;
1040 }
1041
1042 /* Check whether a task can create a file. */
1043 static int may_create(struct inode *dir,
1044                       struct dentry *dentry,
1045                       u16 tclass)
1046 {
1047         struct task_security_struct *tsec;
1048         struct inode_security_struct *dsec;
1049         struct superblock_security_struct *sbsec;
1050         u32 newsid;
1051         struct avc_audit_data ad;
1052         int rc;
1053
1054         tsec = current->security;
1055         dsec = dir->i_security;
1056         sbsec = dir->i_sb->s_security;
1057
1058         AVC_AUDIT_DATA_INIT(&ad, FS);
1059         ad.u.fs.dentry = dentry;
1060
1061         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1062                           DIR__ADD_NAME | DIR__SEARCH,
1063                           &ad);
1064         if (rc)
1065                 return rc;
1066
1067         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1068                 newsid = tsec->create_sid;
1069         } else {
1070                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1071                                              &newsid);
1072                 if (rc)
1073                         return rc;
1074         }
1075
1076         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1077         if (rc)
1078                 return rc;
1079
1080         return avc_has_perm(newsid, sbsec->sid,
1081                             SECCLASS_FILESYSTEM,
1082                             FILESYSTEM__ASSOCIATE, &ad);
1083 }
1084
1085 #define MAY_LINK   0
1086 #define MAY_UNLINK 1
1087 #define MAY_RMDIR  2
1088
1089 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1090 static int may_link(struct inode *dir,
1091                     struct dentry *dentry,
1092                     int kind)
1093
1094 {
1095         struct task_security_struct *tsec;
1096         struct inode_security_struct *dsec, *isec;
1097         struct avc_audit_data ad;
1098         u32 av;
1099         int rc;
1100
1101         tsec = current->security;
1102         dsec = dir->i_security;
1103         isec = dentry->d_inode->i_security;
1104
1105         AVC_AUDIT_DATA_INIT(&ad, FS);
1106         ad.u.fs.dentry = dentry;
1107
1108         av = DIR__SEARCH;
1109         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1110         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1111         if (rc)
1112                 return rc;
1113
1114         switch (kind) {
1115         case MAY_LINK:
1116                 av = FILE__LINK;
1117                 break;
1118         case MAY_UNLINK:
1119                 av = FILE__UNLINK;
1120                 break;
1121         case MAY_RMDIR:
1122                 av = DIR__RMDIR;
1123                 break;
1124         default:
1125                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1126                 return 0;
1127         }
1128
1129         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1130         return rc;
1131 }
1132
1133 static inline int may_rename(struct inode *old_dir,
1134                              struct dentry *old_dentry,
1135                              struct inode *new_dir,
1136                              struct dentry *new_dentry)
1137 {
1138         struct task_security_struct *tsec;
1139         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1140         struct avc_audit_data ad;
1141         u32 av;
1142         int old_is_dir, new_is_dir;
1143         int rc;
1144
1145         tsec = current->security;
1146         old_dsec = old_dir->i_security;
1147         old_isec = old_dentry->d_inode->i_security;
1148         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1149         new_dsec = new_dir->i_security;
1150
1151         AVC_AUDIT_DATA_INIT(&ad, FS);
1152
1153         ad.u.fs.dentry = old_dentry;
1154         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1155                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1156         if (rc)
1157                 return rc;
1158         rc = avc_has_perm(tsec->sid, old_isec->sid,
1159                           old_isec->sclass, FILE__RENAME, &ad);
1160         if (rc)
1161                 return rc;
1162         if (old_is_dir && new_dir != old_dir) {
1163                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1164                                   old_isec->sclass, DIR__REPARENT, &ad);
1165                 if (rc)
1166                         return rc;
1167         }
1168
1169         ad.u.fs.dentry = new_dentry;
1170         av = DIR__ADD_NAME | DIR__SEARCH;
1171         if (new_dentry->d_inode)
1172                 av |= DIR__REMOVE_NAME;
1173         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1174         if (rc)
1175                 return rc;
1176         if (new_dentry->d_inode) {
1177                 new_isec = new_dentry->d_inode->i_security;
1178                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1179                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1180                                   new_isec->sclass,
1181                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1182                 if (rc)
1183                         return rc;
1184         }
1185
1186         return 0;
1187 }
1188
1189 /* Check whether a task can perform a filesystem operation. */
1190 static int superblock_has_perm(struct task_struct *tsk,
1191                                struct super_block *sb,
1192                                u32 perms,
1193                                struct avc_audit_data *ad)
1194 {
1195         struct task_security_struct *tsec;
1196         struct superblock_security_struct *sbsec;
1197
1198         tsec = tsk->security;
1199         sbsec = sb->s_security;
1200         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1201                             perms, ad);
1202 }
1203
1204 /* Convert a Linux mode and permission mask to an access vector. */
1205 static inline u32 file_mask_to_av(int mode, int mask)
1206 {
1207         u32 av = 0;
1208
1209         if ((mode & S_IFMT) != S_IFDIR) {
1210                 if (mask & MAY_EXEC)
1211                         av |= FILE__EXECUTE;
1212                 if (mask & MAY_READ)
1213                         av |= FILE__READ;
1214
1215                 if (mask & MAY_APPEND)
1216                         av |= FILE__APPEND;
1217                 else if (mask & MAY_WRITE)
1218                         av |= FILE__WRITE;
1219
1220         } else {
1221                 if (mask & MAY_EXEC)
1222                         av |= DIR__SEARCH;
1223                 if (mask & MAY_WRITE)
1224                         av |= DIR__WRITE;
1225                 if (mask & MAY_READ)
1226                         av |= DIR__READ;
1227         }
1228
1229         return av;
1230 }
1231
1232 /* Convert a Linux file to an access vector. */
1233 static inline u32 file_to_av(struct file *file)
1234 {
1235         u32 av = 0;
1236
1237         if (file->f_mode & FMODE_READ)
1238                 av |= FILE__READ;
1239         if (file->f_mode & FMODE_WRITE) {
1240                 if (file->f_flags & O_APPEND)
1241                         av |= FILE__APPEND;
1242                 else
1243                         av |= FILE__WRITE;
1244         }
1245
1246         return av;
1247 }
1248
1249 /* Set an inode's SID to a specified value. */
1250 static int inode_security_set_sid(struct inode *inode, u32 sid)
1251 {
1252         struct inode_security_struct *isec = inode->i_security;
1253         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1254
1255         if (!sbsec->initialized) {
1256                 /* Defer initialization to selinux_complete_init. */
1257                 return 0;
1258         }
1259
1260         down(&isec->sem);
1261         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1262         isec->sid = sid;
1263         isec->initialized = 1;
1264         up(&isec->sem);
1265         return 0;
1266 }
1267
1268 /* Set the security attributes on a newly created file. */
1269 static int post_create(struct inode *dir,
1270                        struct dentry *dentry)
1271 {
1272
1273         struct task_security_struct *tsec;
1274         struct inode *inode;
1275         struct inode_security_struct *dsec;
1276         struct superblock_security_struct *sbsec;
1277         struct inode_security_struct *isec;
1278         u32 newsid;
1279         char *context;
1280         unsigned int len;
1281         int rc;
1282
1283         tsec = current->security;
1284         dsec = dir->i_security;
1285         sbsec = dir->i_sb->s_security;
1286
1287         inode = dentry->d_inode;
1288         if (!inode) {
1289                 /* Some file system types (e.g. NFS) may not instantiate
1290                    a dentry for all create operations (e.g. symlink),
1291                    so we have to check to see if the inode is non-NULL. */
1292                 printk(KERN_WARNING "post_create:  no inode, dir (dev=%s, "
1293                        "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1294                 return 0;
1295         }
1296
1297         isec = inode->i_security;
1298
1299         if (isec->security_attr_init)
1300                 return 0;
1301
1302         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1303                 newsid = tsec->create_sid;
1304         } else {
1305                 rc = security_transition_sid(tsec->sid, dsec->sid,
1306                                              inode_mode_to_security_class(inode->i_mode),
1307                                              &newsid);
1308                 if (rc) {
1309                         printk(KERN_WARNING "post_create:  "
1310                                "security_transition_sid failed, rc=%d (dev=%s "
1311                                "ino=%ld)\n",
1312                                -rc, inode->i_sb->s_id, inode->i_ino);
1313                         return rc;
1314                 }
1315         }
1316
1317         rc = inode_security_set_sid(inode, newsid);
1318         if (rc) {
1319                 printk(KERN_WARNING "post_create:  inode_security_set_sid "
1320                        "failed, rc=%d (dev=%s ino=%ld)\n",
1321                        -rc, inode->i_sb->s_id, inode->i_ino);
1322                 return rc;
1323         }
1324
1325         if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1326             inode->i_op->setxattr) {
1327                 /* Use extended attributes. */
1328                 rc = security_sid_to_context(newsid, &context, &len);
1329                 if (rc) {
1330                         printk(KERN_WARNING "post_create:  sid_to_context "
1331                                "failed, rc=%d (dev=%s ino=%ld)\n",
1332                                -rc, inode->i_sb->s_id, inode->i_ino);
1333                         return rc;
1334                 }
1335                 down(&inode->i_sem);
1336                 rc = inode->i_op->setxattr(dentry,
1337                                            XATTR_NAME_SELINUX,
1338                                            context, len, 0);
1339                 up(&inode->i_sem);
1340                 kfree(context);
1341                 if (rc < 0) {
1342                         printk(KERN_WARNING "post_create:  setxattr failed, "
1343                                "rc=%d (dev=%s ino=%ld)\n",
1344                                -rc, inode->i_sb->s_id, inode->i_ino);
1345                         return rc;
1346                 }
1347         }
1348
1349         return 0;
1350 }
1351
1352
1353 /* Hook functions begin here. */
1354
1355 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1356 {
1357         struct task_security_struct *psec = parent->security;
1358         struct task_security_struct *csec = child->security;
1359         int rc;
1360
1361         rc = secondary_ops->ptrace(parent,child);
1362         if (rc)
1363                 return rc;
1364
1365         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1366         /* Save the SID of the tracing process for later use in apply_creds. */
1367         if (!rc)
1368                 csec->ptrace_sid = psec->sid;
1369         return rc;
1370 }
1371
1372 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1373                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1374 {
1375         int error;
1376
1377         error = task_has_perm(current, target, PROCESS__GETCAP);
1378         if (error)
1379                 return error;
1380
1381         return secondary_ops->capget(target, effective, inheritable, permitted);
1382 }
1383
1384 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1385                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1386 {
1387         int error;
1388
1389         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1390         if (error)
1391                 return error;
1392
1393         return task_has_perm(current, target, PROCESS__SETCAP);
1394 }
1395
1396 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1397                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1398 {
1399         secondary_ops->capset_set(target, effective, inheritable, permitted);
1400 }
1401
1402 static int selinux_capable(struct task_struct *tsk, int cap)
1403 {
1404         int rc;
1405
1406         rc = secondary_ops->capable(tsk, cap);
1407         if (rc)
1408                 return rc;
1409
1410         return task_has_capability(tsk,cap);
1411 }
1412
1413 static int selinux_sysctl(ctl_table *table, int op)
1414 {
1415         int error = 0;
1416         u32 av;
1417         struct task_security_struct *tsec;
1418         u32 tsid;
1419         int rc;
1420
1421         rc = secondary_ops->sysctl(table, op);
1422         if (rc)
1423                 return rc;
1424
1425         tsec = current->security;
1426
1427         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1428                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1429         if (rc) {
1430                 /* Default to the well-defined sysctl SID. */
1431                 tsid = SECINITSID_SYSCTL;
1432         }
1433
1434         /* The op values are "defined" in sysctl.c, thereby creating
1435          * a bad coupling between this module and sysctl.c */
1436         if(op == 001) {
1437                 error = avc_has_perm(tsec->sid, tsid,
1438                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1439         } else {
1440                 av = 0;
1441                 if (op & 004)
1442                         av |= FILE__READ;
1443                 if (op & 002)
1444                         av |= FILE__WRITE;
1445                 if (av)
1446                         error = avc_has_perm(tsec->sid, tsid,
1447                                              SECCLASS_FILE, av, NULL);
1448         }
1449
1450         return error;
1451 }
1452
1453 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1454 {
1455         int rc = 0;
1456
1457         if (!sb)
1458                 return 0;
1459
1460         switch (cmds) {
1461                 case Q_SYNC:
1462                 case Q_QUOTAON:
1463                 case Q_QUOTAOFF:
1464                 case Q_SETINFO:
1465                 case Q_SETQUOTA:
1466                         rc = superblock_has_perm(current,
1467                                                  sb,
1468                                                  FILESYSTEM__QUOTAMOD, NULL);
1469                         break;
1470                 case Q_GETFMT:
1471                 case Q_GETINFO:
1472                 case Q_GETQUOTA:
1473                         rc = superblock_has_perm(current,
1474                                                  sb,
1475                                                  FILESYSTEM__QUOTAGET, NULL);
1476                         break;
1477                 default:
1478                         rc = 0;  /* let the kernel handle invalid cmds */
1479                         break;
1480         }
1481         return rc;
1482 }
1483
1484 static int selinux_quota_on(struct dentry *dentry)
1485 {
1486         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1487 }
1488
1489 static int selinux_syslog(int type)
1490 {
1491         int rc;
1492
1493         rc = secondary_ops->syslog(type);
1494         if (rc)
1495                 return rc;
1496
1497         switch (type) {
1498                 case 3:         /* Read last kernel messages */
1499                 case 10:        /* Return size of the log buffer */
1500                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1501                         break;
1502                 case 6:         /* Disable logging to console */
1503                 case 7:         /* Enable logging to console */
1504                 case 8:         /* Set level of messages printed to console */
1505                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1506                         break;
1507                 case 0:         /* Close log */
1508                 case 1:         /* Open log */
1509                 case 2:         /* Read from log */
1510                 case 4:         /* Read/clear last kernel messages */
1511                 case 5:         /* Clear ring buffer */
1512                 default:
1513                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1514                         break;
1515         }
1516         return rc;
1517 }
1518
1519 /*
1520  * Check that a process has enough memory to allocate a new virtual
1521  * mapping. 0 means there is enough memory for the allocation to
1522  * succeed and -ENOMEM implies there is not.
1523  *
1524  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1525  * if the capability is granted, but __vm_enough_memory requires 1 if
1526  * the capability is granted.
1527  *
1528  * Do not audit the selinux permission check, as this is applied to all
1529  * processes that allocate mappings.
1530  */
1531 static int selinux_vm_enough_memory(long pages)
1532 {
1533         int rc, cap_sys_admin = 0;
1534         struct task_security_struct *tsec = current->security;
1535
1536         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1537         if (rc == 0)
1538                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1539                                         SECCLASS_CAPABILITY,
1540                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1541                                         NULL);
1542
1543         if (rc == 0)
1544                 cap_sys_admin = 1;
1545
1546         return __vm_enough_memory(pages, cap_sys_admin);
1547 }
1548
1549 /* binprm security operations */
1550
1551 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1552 {
1553         struct bprm_security_struct *bsec;
1554
1555         bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1556         if (!bsec)
1557                 return -ENOMEM;
1558
1559         memset(bsec, 0, sizeof *bsec);
1560         bsec->magic = SELINUX_MAGIC;
1561         bsec->bprm = bprm;
1562         bsec->sid = SECINITSID_UNLABELED;
1563         bsec->set = 0;
1564
1565         bprm->security = bsec;
1566         return 0;
1567 }
1568
1569 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1570 {
1571         struct task_security_struct *tsec;
1572         struct inode *inode = bprm->file->f_dentry->d_inode;
1573         struct inode_security_struct *isec;
1574         struct bprm_security_struct *bsec;
1575         u32 newsid;
1576         struct avc_audit_data ad;
1577         int rc;
1578
1579         rc = secondary_ops->bprm_set_security(bprm);
1580         if (rc)
1581                 return rc;
1582
1583         bsec = bprm->security;
1584
1585         if (bsec->set)
1586                 return 0;
1587
1588         tsec = current->security;
1589         isec = inode->i_security;
1590
1591         /* Default to the current task SID. */
1592         bsec->sid = tsec->sid;
1593
1594         /* Reset create SID on execve. */
1595         tsec->create_sid = 0;
1596
1597         if (tsec->exec_sid) {
1598                 newsid = tsec->exec_sid;
1599                 /* Reset exec SID on execve. */
1600                 tsec->exec_sid = 0;
1601         } else {
1602                 /* Check for a default transition on this program. */
1603                 rc = security_transition_sid(tsec->sid, isec->sid,
1604                                              SECCLASS_PROCESS, &newsid);
1605                 if (rc)
1606                         return rc;
1607         }
1608
1609         AVC_AUDIT_DATA_INIT(&ad, FS);
1610         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1611         ad.u.fs.dentry = bprm->file->f_dentry;
1612
1613         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1614                 newsid = tsec->sid;
1615
1616         if (tsec->sid == newsid) {
1617                 rc = avc_has_perm(tsec->sid, isec->sid,
1618                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1619                 if (rc)
1620                         return rc;
1621         } else {
1622                 /* Check permissions for the transition. */
1623                 rc = avc_has_perm(tsec->sid, newsid,
1624                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1625                 if (rc)
1626                         return rc;
1627
1628                 rc = avc_has_perm(newsid, isec->sid,
1629                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1630                 if (rc)
1631                         return rc;
1632
1633                 /* Clear any possibly unsafe personality bits on exec: */
1634                 current->personality &= ~PER_CLEAR_ON_SETID;
1635
1636                 /* Set the security field to the new SID. */
1637                 bsec->sid = newsid;
1638         }
1639
1640         bsec->set = 1;
1641         return 0;
1642 }
1643
1644 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1645 {
1646         return secondary_ops->bprm_check_security(bprm);
1647 }
1648
1649
1650 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1651 {
1652         struct task_security_struct *tsec = current->security;
1653         int atsecure = 0;
1654
1655         if (tsec->osid != tsec->sid) {
1656                 /* Enable secure mode for SIDs transitions unless
1657                    the noatsecure permission is granted between
1658                    the two SIDs, i.e. ahp returns 0. */
1659                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1660                                          SECCLASS_PROCESS,
1661                                          PROCESS__NOATSECURE, NULL);
1662         }
1663
1664         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1665 }
1666
1667 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1668 {
1669         kfree(bprm->security);
1670         bprm->security = NULL;
1671 }
1672
1673 extern struct vfsmount *selinuxfs_mount;
1674 extern struct dentry *selinux_null;
1675
1676 /* Derived from fs/exec.c:flush_old_files. */
1677 static inline void flush_unauthorized_files(struct files_struct * files)
1678 {
1679         struct avc_audit_data ad;
1680         struct file *file, *devnull = NULL;
1681         struct tty_struct *tty = current->signal->tty;
1682         long j = -1;
1683
1684         if (tty) {
1685                 file_list_lock();
1686                 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1687                 if (file) {
1688                         /* Revalidate access to controlling tty.
1689                            Use inode_has_perm on the tty inode directly rather
1690                            than using file_has_perm, as this particular open
1691                            file may belong to another process and we are only
1692                            interested in the inode-based check here. */
1693                         struct inode *inode = file->f_dentry->d_inode;
1694                         if (inode_has_perm(current, inode,
1695                                            FILE__READ | FILE__WRITE, NULL)) {
1696                                 /* Reset controlling tty. */
1697                                 current->signal->tty = NULL;
1698                                 current->signal->tty_old_pgrp = 0;
1699                         }
1700                 }
1701                 file_list_unlock();
1702         }
1703
1704         /* Revalidate access to inherited open files. */
1705
1706         AVC_AUDIT_DATA_INIT(&ad,FS);
1707
1708         spin_lock(&files->file_lock);
1709         for (;;) {
1710                 unsigned long set, i;
1711                 int fd;
1712
1713                 j++;
1714                 i = j * __NFDBITS;
1715                 if (i >= files->max_fds || i >= files->max_fdset)
1716                         break;
1717                 set = files->open_fds->fds_bits[j];
1718                 if (!set)
1719                         continue;
1720                 spin_unlock(&files->file_lock);
1721                 for ( ; set ; i++,set >>= 1) {
1722                         if (set & 1) {
1723                                 file = fget(i);
1724                                 if (!file)
1725                                         continue;
1726                                 if (file_has_perm(current,
1727                                                   file,
1728                                                   file_to_av(file))) {
1729                                         sys_close(i);
1730                                         fd = get_unused_fd();
1731                                         if (fd != i) {
1732                                                 if (fd >= 0)
1733                                                         put_unused_fd(fd);
1734                                                 fput(file);
1735                                                 continue;
1736                                         }
1737                                         if (devnull) {
1738                                                 atomic_inc(&devnull->f_count);
1739                                         } else {
1740                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1741                                                 if (!devnull) {
1742                                                         put_unused_fd(fd);
1743                                                         fput(file);
1744                                                         continue;
1745                                                 }
1746                                         }
1747                                         fd_install(fd, devnull);
1748                                 }
1749                                 fput(file);
1750                         }
1751                 }
1752                 spin_lock(&files->file_lock);
1753
1754         }
1755         spin_unlock(&files->file_lock);
1756 }
1757
1758 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1759 {
1760         struct task_security_struct *tsec;
1761         struct bprm_security_struct *bsec;
1762         u32 sid;
1763         int rc;
1764
1765         secondary_ops->bprm_apply_creds(bprm, unsafe);
1766
1767         tsec = current->security;
1768
1769         bsec = bprm->security;
1770         sid = bsec->sid;
1771
1772         tsec->osid = tsec->sid;
1773         bsec->unsafe = 0;
1774         if (tsec->sid != sid) {
1775                 /* Check for shared state.  If not ok, leave SID
1776                    unchanged and kill. */
1777                 if (unsafe & LSM_UNSAFE_SHARE) {
1778                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1779                                         PROCESS__SHARE, NULL);
1780                         if (rc) {
1781                                 bsec->unsafe = 1;
1782                                 return;
1783                         }
1784                 }
1785
1786                 /* Check for ptracing, and update the task SID if ok.
1787                    Otherwise, leave SID unchanged and kill. */
1788                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1789                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1790                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1791                                           NULL);
1792                         if (rc) {
1793                                 bsec->unsafe = 1;
1794                                 return;
1795                         }
1796                 }
1797                 tsec->sid = sid;
1798         }
1799 }
1800
1801 /*
1802  * called after apply_creds without the task lock held
1803  */
1804 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1805 {
1806         struct task_security_struct *tsec;
1807         struct rlimit *rlim, *initrlim;
1808         struct itimerval itimer;
1809         struct bprm_security_struct *bsec;
1810         int rc, i;
1811
1812         tsec = current->security;
1813         bsec = bprm->security;
1814
1815         if (bsec->unsafe) {
1816                 force_sig_specific(SIGKILL, current);
1817                 return;
1818         }
1819         if (tsec->osid == tsec->sid)
1820                 return;
1821
1822         /* Close files for which the new task SID is not authorized. */
1823         flush_unauthorized_files(current->files);
1824
1825         /* Check whether the new SID can inherit signal state
1826            from the old SID.  If not, clear itimers to avoid
1827            subsequent signal generation and flush and unblock
1828            signals. This must occur _after_ the task SID has
1829           been updated so that any kill done after the flush
1830           will be checked against the new SID. */
1831         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1832                           PROCESS__SIGINH, NULL);
1833         if (rc) {
1834                 memset(&itimer, 0, sizeof itimer);
1835                 for (i = 0; i < 3; i++)
1836                         do_setitimer(i, &itimer, NULL);
1837                 flush_signals(current);
1838                 spin_lock_irq(&current->sighand->siglock);
1839                 flush_signal_handlers(current, 1);
1840                 sigemptyset(&current->blocked);
1841                 recalc_sigpending();
1842                 spin_unlock_irq(&current->sighand->siglock);
1843         }
1844
1845         /* Check whether the new SID can inherit resource limits
1846            from the old SID.  If not, reset all soft limits to
1847            the lower of the current task's hard limit and the init
1848            task's soft limit.  Note that the setting of hard limits
1849            (even to lower them) can be controlled by the setrlimit
1850            check. The inclusion of the init task's soft limit into
1851            the computation is to avoid resetting soft limits higher
1852            than the default soft limit for cases where the default
1853            is lower than the hard limit, e.g. RLIMIT_CORE or
1854            RLIMIT_STACK.*/
1855         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1856                           PROCESS__RLIMITINH, NULL);
1857         if (rc) {
1858                 for (i = 0; i < RLIM_NLIMITS; i++) {
1859                         rlim = current->signal->rlim + i;
1860                         initrlim = init_task.signal->rlim+i;
1861                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1862                 }
1863                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1864                         /*
1865                          * This will cause RLIMIT_CPU calculations
1866                          * to be refigured.
1867                          */
1868                         current->it_prof_expires = jiffies_to_cputime(1);
1869                 }
1870         }
1871
1872         /* Wake up the parent if it is waiting so that it can
1873            recheck wait permission to the new task SID. */
1874         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1875 }
1876
1877 /* superblock security operations */
1878
1879 static int selinux_sb_alloc_security(struct super_block *sb)
1880 {
1881         return superblock_alloc_security(sb);
1882 }
1883
1884 static void selinux_sb_free_security(struct super_block *sb)
1885 {
1886         superblock_free_security(sb);
1887 }
1888
1889 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1890 {
1891         if (plen > olen)
1892                 return 0;
1893
1894         return !memcmp(prefix, option, plen);
1895 }
1896
1897 static inline int selinux_option(char *option, int len)
1898 {
1899         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1900                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1901                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1902 }
1903
1904 static inline void take_option(char **to, char *from, int *first, int len)
1905 {
1906         if (!*first) {
1907                 **to = ',';
1908                 *to += 1;
1909         }
1910         else
1911                 *first = 0;
1912         memcpy(*to, from, len);
1913         *to += len;
1914 }
1915
1916 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1917 {
1918         int fnosec, fsec, rc = 0;
1919         char *in_save, *in_curr, *in_end;
1920         char *sec_curr, *nosec_save, *nosec;
1921
1922         in_curr = orig;
1923         sec_curr = copy;
1924
1925         /* Binary mount data: just copy */
1926         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1927                 copy_page(sec_curr, in_curr);
1928                 goto out;
1929         }
1930
1931         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1932         if (!nosec) {
1933                 rc = -ENOMEM;
1934                 goto out;
1935         }
1936
1937         nosec_save = nosec;
1938         fnosec = fsec = 1;
1939         in_save = in_end = orig;
1940
1941         do {
1942                 if (*in_end == ',' || *in_end == '\0') {
1943                         int len = in_end - in_curr;
1944
1945                         if (selinux_option(in_curr, len))
1946                                 take_option(&sec_curr, in_curr, &fsec, len);
1947                         else
1948                                 take_option(&nosec, in_curr, &fnosec, len);
1949
1950                         in_curr = in_end + 1;
1951                 }
1952         } while (*in_end++);
1953
1954         strcpy(in_save, nosec_save);
1955         free_page((unsigned long)nosec_save);
1956 out:
1957         return rc;
1958 }
1959
1960 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1961 {
1962         struct avc_audit_data ad;
1963         int rc;
1964
1965         rc = superblock_doinit(sb, data);
1966         if (rc)
1967                 return rc;
1968
1969         AVC_AUDIT_DATA_INIT(&ad,FS);
1970         ad.u.fs.dentry = sb->s_root;
1971         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1972 }
1973
1974 static int selinux_sb_statfs(struct super_block *sb)
1975 {
1976         struct avc_audit_data ad;
1977
1978         AVC_AUDIT_DATA_INIT(&ad,FS);
1979         ad.u.fs.dentry = sb->s_root;
1980         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1981 }
1982
1983 static int selinux_mount(char * dev_name,
1984                          struct nameidata *nd,
1985                          char * type,
1986                          unsigned long flags,
1987                          void * data)
1988 {
1989         int rc;
1990
1991         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1992         if (rc)
1993                 return rc;
1994
1995         if (flags & MS_REMOUNT)
1996                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1997                                            FILESYSTEM__REMOUNT, NULL);
1998         else
1999                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2000                                        FILE__MOUNTON);
2001 }
2002
2003 static int selinux_umount(struct vfsmount *mnt, int flags)
2004 {
2005         int rc;
2006
2007         rc = secondary_ops->sb_umount(mnt, flags);
2008         if (rc)
2009                 return rc;
2010
2011         return superblock_has_perm(current,mnt->mnt_sb,
2012                                    FILESYSTEM__UNMOUNT,NULL);
2013 }
2014
2015 /* inode security operations */
2016
2017 static int selinux_inode_alloc_security(struct inode *inode)
2018 {
2019         return inode_alloc_security(inode);
2020 }
2021
2022 static void selinux_inode_free_security(struct inode *inode)
2023 {
2024         inode_free_security(inode);
2025 }
2026
2027 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2028                                        char **name, void **value,
2029                                        size_t *len)
2030 {
2031         struct task_security_struct *tsec;
2032         struct inode_security_struct *dsec;
2033         struct superblock_security_struct *sbsec;
2034         struct inode_security_struct *isec;
2035         u32 newsid;
2036         int rc;
2037         char *namep, *context;
2038
2039         tsec = current->security;
2040         dsec = dir->i_security;
2041         sbsec = dir->i_sb->s_security;
2042         isec = inode->i_security;
2043
2044         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2045                 newsid = tsec->create_sid;
2046         } else {
2047                 rc = security_transition_sid(tsec->sid, dsec->sid,
2048                                              inode_mode_to_security_class(inode->i_mode),
2049                                              &newsid);
2050                 if (rc) {
2051                         printk(KERN_WARNING "%s:  "
2052                                "security_transition_sid failed, rc=%d (dev=%s "
2053                                "ino=%ld)\n",
2054                                __FUNCTION__,
2055                                -rc, inode->i_sb->s_id, inode->i_ino);
2056                         return rc;
2057                 }
2058         }
2059
2060         inode_security_set_sid(inode, newsid);
2061
2062         namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2063         if (!namep)
2064                 return -ENOMEM;
2065         *name = namep;
2066
2067         rc = security_sid_to_context(newsid, &context, len);
2068         if (rc) {
2069                 kfree(namep);
2070                 return rc;
2071         }
2072         *value = context;
2073
2074         isec->security_attr_init = 1;
2075
2076         return 0;
2077 }
2078
2079 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2080 {
2081         return may_create(dir, dentry, SECCLASS_FILE);
2082 }
2083
2084 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2085 {
2086         post_create(dir, dentry);
2087 }
2088
2089 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2090 {
2091         int rc;
2092
2093         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2094         if (rc)
2095                 return rc;
2096         return may_link(dir, old_dentry, MAY_LINK);
2097 }
2098
2099 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2100 {
2101         return;
2102 }
2103
2104 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2105 {
2106         int rc;
2107
2108         rc = secondary_ops->inode_unlink(dir, dentry);
2109         if (rc)
2110                 return rc;
2111         return may_link(dir, dentry, MAY_UNLINK);
2112 }
2113
2114 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2115 {
2116         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2117 }
2118
2119 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2120 {
2121         post_create(dir, dentry);
2122 }
2123
2124 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2125 {
2126         return may_create(dir, dentry, SECCLASS_DIR);
2127 }
2128
2129 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2130 {
2131         post_create(dir, dentry);
2132 }
2133
2134 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2135 {
2136         return may_link(dir, dentry, MAY_RMDIR);
2137 }
2138
2139 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2140 {
2141         int rc;
2142
2143         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2144         if (rc)
2145                 return rc;
2146
2147         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2148 }
2149
2150 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2151 {
2152         post_create(dir, dentry);
2153 }
2154
2155 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2156                                 struct inode *new_inode, struct dentry *new_dentry)
2157 {
2158         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2159 }
2160
2161 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2162                                       struct inode *new_inode, struct dentry *new_dentry)
2163 {
2164         return;
2165 }
2166
2167 static int selinux_inode_readlink(struct dentry *dentry)
2168 {
2169         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2170 }
2171
2172 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2173 {
2174         int rc;
2175
2176         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2177         if (rc)
2178                 return rc;
2179         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2180 }
2181
2182 static int selinux_inode_permission(struct inode *inode, int mask,
2183                                     struct nameidata *nd)
2184 {
2185         int rc;
2186
2187         rc = secondary_ops->inode_permission(inode, mask, nd);
2188         if (rc)
2189                 return rc;
2190
2191         if (!mask) {
2192                 /* No permission to check.  Existence test. */
2193                 return 0;
2194         }
2195
2196         return inode_has_perm(current, inode,
2197                                file_mask_to_av(inode->i_mode, mask), NULL);
2198 }
2199
2200 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2201 {
2202         int rc;
2203
2204         rc = secondary_ops->inode_setattr(dentry, iattr);
2205         if (rc)
2206                 return rc;
2207
2208         if (iattr->ia_valid & ATTR_FORCE)
2209                 return 0;
2210
2211         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2212                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2213                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2214
2215         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2216 }
2217
2218 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2219 {
2220         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2221 }
2222
2223 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2224 {
2225         struct task_security_struct *tsec = current->security;
2226         struct inode *inode = dentry->d_inode;
2227         struct inode_security_struct *isec = inode->i_security;
2228         struct superblock_security_struct *sbsec;
2229         struct avc_audit_data ad;
2230         u32 newsid;
2231         int rc = 0;
2232
2233         if (strcmp(name, XATTR_NAME_SELINUX)) {
2234                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2235                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2236                     !capable(CAP_SYS_ADMIN)) {
2237                         /* A different attribute in the security namespace.
2238                            Restrict to administrator. */
2239                         return -EPERM;
2240                 }
2241
2242                 /* Not an attribute we recognize, so just check the
2243                    ordinary setattr permission. */
2244                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2245         }
2246
2247         sbsec = inode->i_sb->s_security;
2248         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2249                 return -EOPNOTSUPP;
2250
2251         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2252                 return -EPERM;
2253
2254         AVC_AUDIT_DATA_INIT(&ad,FS);
2255         ad.u.fs.dentry = dentry;
2256
2257         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2258                           FILE__RELABELFROM, &ad);
2259         if (rc)
2260                 return rc;
2261
2262         rc = security_context_to_sid(value, size, &newsid);
2263         if (rc)
2264                 return rc;
2265
2266         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2267                           FILE__RELABELTO, &ad);
2268         if (rc)
2269                 return rc;
2270
2271         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2272                                           isec->sclass);
2273         if (rc)
2274                 return rc;
2275
2276         return avc_has_perm(newsid,
2277                             sbsec->sid,
2278                             SECCLASS_FILESYSTEM,
2279                             FILESYSTEM__ASSOCIATE,
2280                             &ad);
2281 }
2282
2283 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2284                                         void *value, size_t size, int flags)
2285 {
2286         struct inode *inode = dentry->d_inode;
2287         struct inode_security_struct *isec = inode->i_security;
2288         u32 newsid;
2289         int rc;
2290
2291         if (strcmp(name, XATTR_NAME_SELINUX)) {
2292                 /* Not an attribute we recognize, so nothing to do. */
2293                 return;
2294         }
2295
2296         rc = security_context_to_sid(value, size, &newsid);
2297         if (rc) {
2298                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2299                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2300                 return;
2301         }
2302
2303         isec->sid = newsid;
2304         return;
2305 }
2306
2307 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2308 {
2309         struct inode *inode = dentry->d_inode;
2310         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2311
2312         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2313                 return -EOPNOTSUPP;
2314
2315         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2316 }
2317
2318 static int selinux_inode_listxattr (struct dentry *dentry)
2319 {
2320         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2321 }
2322
2323 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2324 {
2325         if (strcmp(name, XATTR_NAME_SELINUX)) {
2326                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2327                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2328                     !capable(CAP_SYS_ADMIN)) {
2329                         /* A different attribute in the security namespace.
2330                            Restrict to administrator. */
2331                         return -EPERM;
2332                 }
2333
2334                 /* Not an attribute we recognize, so just check the
2335                    ordinary setattr permission. Might want a separate
2336                    permission for removexattr. */
2337                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2338         }
2339
2340         /* No one is allowed to remove a SELinux security label.
2341            You can change the label, but all data must be labeled. */
2342         return -EACCES;
2343 }
2344
2345 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2346 {
2347         struct inode_security_struct *isec = inode->i_security;
2348         char *context;
2349         unsigned len;
2350         int rc;
2351
2352         /* Permission check handled by selinux_inode_getxattr hook.*/
2353
2354         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2355                 return -EOPNOTSUPP;
2356
2357         rc = security_sid_to_context(isec->sid, &context, &len);
2358         if (rc)
2359                 return rc;
2360
2361         if (!buffer || !size) {
2362                 kfree(context);
2363                 return len;
2364         }
2365         if (size < len) {
2366                 kfree(context);
2367                 return -ERANGE;
2368         }
2369         memcpy(buffer, context, len);
2370         kfree(context);
2371         return len;
2372 }
2373
2374 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2375                                      const void *value, size_t size, int flags)
2376 {
2377         struct inode_security_struct *isec = inode->i_security;
2378         u32 newsid;
2379         int rc;
2380
2381         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2382                 return -EOPNOTSUPP;
2383
2384         if (!value || !size)
2385                 return -EACCES;
2386
2387         rc = security_context_to_sid((void*)value, size, &newsid);
2388         if (rc)
2389                 return rc;
2390
2391         isec->sid = newsid;
2392         return 0;
2393 }
2394
2395 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2396 {
2397         const int len = sizeof(XATTR_NAME_SELINUX);
2398         if (buffer && len <= buffer_size)
2399                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2400         return len;
2401 }
2402
2403 /* file security operations */
2404
2405 static int selinux_file_permission(struct file *file, int mask)
2406 {
2407         struct inode *inode = file->f_dentry->d_inode;
2408
2409         if (!mask) {
2410                 /* No permission to check.  Existence test. */
2411                 return 0;
2412         }
2413
2414         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2415         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2416                 mask |= MAY_APPEND;
2417
2418         return file_has_perm(current, file,
2419                              file_mask_to_av(inode->i_mode, mask));
2420 }
2421
2422 static int selinux_file_alloc_security(struct file *file)
2423 {
2424         return file_alloc_security(file);
2425 }
2426
2427 static void selinux_file_free_security(struct file *file)
2428 {
2429         file_free_security(file);
2430 }
2431
2432 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2433                               unsigned long arg)
2434 {
2435         int error = 0;
2436
2437         switch (cmd) {
2438                 case FIONREAD:
2439                 /* fall through */
2440                 case FIBMAP:
2441                 /* fall through */
2442                 case FIGETBSZ:
2443                 /* fall through */
2444                 case EXT2_IOC_GETFLAGS:
2445                 /* fall through */
2446                 case EXT2_IOC_GETVERSION:
2447                         error = file_has_perm(current, file, FILE__GETATTR);
2448                         break;
2449
2450                 case EXT2_IOC_SETFLAGS:
2451                 /* fall through */
2452                 case EXT2_IOC_SETVERSION:
2453                         error = file_has_perm(current, file, FILE__SETATTR);
2454                         break;
2455
2456                 /* sys_ioctl() checks */
2457                 case FIONBIO:
2458                 /* fall through */
2459                 case FIOASYNC:
2460                         error = file_has_perm(current, file, 0);
2461                         break;
2462
2463                 case KDSKBENT:
2464                 case KDSKBSENT:
2465                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2466                         break;
2467
2468                 /* default case assumes that the command will go
2469                  * to the file's ioctl() function.
2470                  */
2471                 default:
2472                         error = file_has_perm(current, file, FILE__IOCTL);
2473
2474         }
2475         return error;
2476 }
2477
2478 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2479 {
2480 #ifndef CONFIG_PPC32
2481         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2482                 /*
2483                  * We are making executable an anonymous mapping or a
2484                  * private file mapping that will also be writable.
2485                  * This has an additional check.
2486                  */
2487                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2488                 if (rc)
2489                         return rc;
2490         }
2491 #endif
2492
2493         if (file) {
2494                 /* read access is always possible with a mapping */
2495                 u32 av = FILE__READ;
2496
2497                 /* write access only matters if the mapping is shared */
2498                 if (shared && (prot & PROT_WRITE))
2499                         av |= FILE__WRITE;
2500
2501                 if (prot & PROT_EXEC)
2502                         av |= FILE__EXECUTE;
2503
2504                 return file_has_perm(current, file, av);
2505         }
2506         return 0;
2507 }
2508
2509 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2510                              unsigned long prot, unsigned long flags)
2511 {
2512         int rc;
2513
2514         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2515         if (rc)
2516                 return rc;
2517
2518         if (selinux_checkreqprot)
2519                 prot = reqprot;
2520
2521         return file_map_prot_check(file, prot,
2522                                    (flags & MAP_TYPE) == MAP_SHARED);
2523 }
2524
2525 static int selinux_file_mprotect(struct vm_area_struct *vma,
2526                                  unsigned long reqprot,
2527                                  unsigned long prot)
2528 {
2529         int rc;
2530
2531         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2532         if (rc)
2533                 return rc;
2534
2535         if (selinux_checkreqprot)
2536                 prot = reqprot;
2537
2538 #ifndef CONFIG_PPC32
2539         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2540            (vma->vm_start >= vma->vm_mm->start_brk &&
2541             vma->vm_end <= vma->vm_mm->brk)) {
2542                 /*
2543                  * We are making an executable mapping in the brk region.
2544                  * This has an additional execheap check.
2545                  */
2546                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2547                 if (rc)
2548                         return rc;
2549         }
2550         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2551                 /*
2552                  * We are making executable a file mapping that has
2553                  * had some COW done. Since pages might have been written,
2554                  * check ability to execute the possibly modified content.
2555                  * This typically should only occur for text relocations.
2556                  */
2557                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2558                 if (rc)
2559                         return rc;
2560         }
2561         if (!vma->vm_file && (prot & PROT_EXEC) &&
2562                 vma->vm_start <= vma->vm_mm->start_stack &&
2563                 vma->vm_end >= vma->vm_mm->start_stack) {
2564                 /* Attempt to make the process stack executable.
2565                  * This has an additional execstack check.
2566                  */
2567                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2568                 if (rc)
2569                         return rc;
2570         }
2571 #endif
2572
2573         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2574 }
2575
2576 static int selinux_file_lock(struct file *file, unsigned int cmd)
2577 {
2578         return file_has_perm(current, file, FILE__LOCK);
2579 }
2580
2581 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2582                               unsigned long arg)
2583 {
2584         int err = 0;
2585
2586         switch (cmd) {
2587                 case F_SETFL:
2588                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2589                                 err = -EINVAL;
2590                                 break;
2591                         }
2592
2593                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2594                                 err = file_has_perm(current, file,FILE__WRITE);
2595                                 break;
2596                         }
2597                         /* fall through */
2598                 case F_SETOWN:
2599                 case F_SETSIG:
2600                 case F_GETFL:
2601                 case F_GETOWN:
2602                 case F_GETSIG:
2603                         /* Just check FD__USE permission */
2604                         err = file_has_perm(current, file, 0);
2605                         break;
2606                 case F_GETLK:
2607                 case F_SETLK:
2608                 case F_SETLKW:
2609 #if BITS_PER_LONG == 32
2610                 case F_GETLK64:
2611                 case F_SETLK64:
2612                 case F_SETLKW64:
2613 #endif
2614                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2615                                 err = -EINVAL;
2616                                 break;
2617                         }
2618                         err = file_has_perm(current, file, FILE__LOCK);
2619                         break;
2620         }
2621
2622         return err;
2623 }
2624
2625 static int selinux_file_set_fowner(struct file *file)
2626 {
2627         struct task_security_struct *tsec;
2628         struct file_security_struct *fsec;
2629
2630         tsec = current->security;
2631         fsec = file->f_security;
2632         fsec->fown_sid = tsec->sid;
2633
2634         return 0;
2635 }
2636
2637 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2638                                        struct fown_struct *fown, int signum)
2639 {
2640         struct file *file;
2641         u32 perm;
2642         struct task_security_struct *tsec;
2643         struct file_security_struct *fsec;
2644
2645         /* struct fown_struct is never outside the context of a struct file */
2646         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2647
2648         tsec = tsk->security;
2649         fsec = file->f_security;
2650
2651         if (!signum)
2652                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2653         else
2654                 perm = signal_to_av(signum);
2655
2656         return avc_has_perm(fsec->fown_sid, tsec->sid,
2657                             SECCLASS_PROCESS, perm, NULL);
2658 }
2659
2660 static int selinux_file_receive(struct file *file)
2661 {
2662         return file_has_perm(current, file, file_to_av(file));
2663 }
2664
2665 /* task security operations */
2666
2667 static int selinux_task_create(unsigned long clone_flags)
2668 {
2669         int rc;
2670
2671         rc = secondary_ops->task_create(clone_flags);
2672         if (rc)
2673                 return rc;
2674
2675         return task_has_perm(current, current, PROCESS__FORK);
2676 }
2677
2678 static int selinux_task_alloc_security(struct task_struct *tsk)
2679 {
2680         struct task_security_struct *tsec1, *tsec2;
2681         int rc;
2682
2683         tsec1 = current->security;
2684
2685         rc = task_alloc_security(tsk);
2686         if (rc)
2687                 return rc;
2688         tsec2 = tsk->security;
2689
2690         tsec2->osid = tsec1->osid;
2691         tsec2->sid = tsec1->sid;
2692
2693         /* Retain the exec and create SIDs across fork */
2694         tsec2->exec_sid = tsec1->exec_sid;
2695         tsec2->create_sid = tsec1->create_sid;
2696
2697         /* Retain ptracer SID across fork, if any.
2698            This will be reset by the ptrace hook upon any
2699            subsequent ptrace_attach operations. */
2700         tsec2->ptrace_sid = tsec1->ptrace_sid;
2701
2702         return 0;
2703 }
2704
2705 static void selinux_task_free_security(struct task_struct *tsk)
2706 {
2707         task_free_security(tsk);
2708 }
2709
2710 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2711 {
2712         /* Since setuid only affects the current process, and
2713            since the SELinux controls are not based on the Linux
2714            identity attributes, SELinux does not need to control
2715            this operation.  However, SELinux does control the use
2716            of the CAP_SETUID and CAP_SETGID capabilities using the
2717            capable hook. */
2718         return 0;
2719 }
2720
2721 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2722 {
2723         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2724 }
2725
2726 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2727 {
2728         /* See the comment for setuid above. */
2729         return 0;
2730 }
2731
2732 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2733 {
2734         return task_has_perm(current, p, PROCESS__SETPGID);
2735 }
2736
2737 static int selinux_task_getpgid(struct task_struct *p)
2738 {
2739         return task_has_perm(current, p, PROCESS__GETPGID);
2740 }
2741
2742 static int selinux_task_getsid(struct task_struct *p)
2743 {
2744         return task_has_perm(current, p, PROCESS__GETSESSION);
2745 }
2746
2747 static int selinux_task_setgroups(struct group_info *group_info)
2748 {
2749         /* See the comment for setuid above. */
2750         return 0;
2751 }
2752
2753 static int selinux_task_setnice(struct task_struct *p, int nice)
2754 {
2755         int rc;
2756
2757         rc = secondary_ops->task_setnice(p, nice);
2758         if (rc)
2759                 return rc;
2760
2761         return task_has_perm(current,p, PROCESS__SETSCHED);
2762 }
2763
2764 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2765 {
2766         struct rlimit *old_rlim = current->signal->rlim + resource;
2767         int rc;
2768
2769         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2770         if (rc)
2771                 return rc;
2772
2773         /* Control the ability to change the hard limit (whether
2774            lowering or raising it), so that the hard limit can
2775            later be used as a safe reset point for the soft limit
2776            upon context transitions. See selinux_bprm_apply_creds. */
2777         if (old_rlim->rlim_max != new_rlim->rlim_max)
2778                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2779
2780         return 0;
2781 }
2782
2783 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2784 {
2785         return task_has_perm(current, p, PROCESS__SETSCHED);
2786 }
2787
2788 static int selinux_task_getscheduler(struct task_struct *p)
2789 {
2790         return task_has_perm(current, p, PROCESS__GETSCHED);
2791 }
2792
2793 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2794 {
2795         u32 perm;
2796         int rc;
2797
2798         rc = secondary_ops->task_kill(p, info, sig);
2799         if (rc)
2800                 return rc;
2801
2802         if (info && ((unsigned long)info == 1 ||
2803                      (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2804                 return 0;
2805
2806         if (!sig)
2807                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2808         else
2809                 perm = signal_to_av(sig);
2810
2811         return task_has_perm(current, p, perm);
2812 }
2813
2814 static int selinux_task_prctl(int option,
2815                               unsigned long arg2,
2816                               unsigned long arg3,
2817                               unsigned long arg4,
2818                               unsigned long arg5)
2819 {
2820         /* The current prctl operations do not appear to require
2821            any SELinux controls since they merely observe or modify
2822            the state of the current process. */
2823         return 0;
2824 }
2825
2826 static int selinux_task_wait(struct task_struct *p)
2827 {
2828         u32 perm;
2829
2830         perm = signal_to_av(p->exit_signal);
2831
2832         return task_has_perm(p, current, perm);
2833 }
2834
2835 static void selinux_task_reparent_to_init(struct task_struct *p)
2836 {
2837         struct task_security_struct *tsec;
2838
2839         secondary_ops->task_reparent_to_init(p);
2840
2841         tsec = p->security;
2842         tsec->osid = tsec->sid;
2843         tsec->sid = SECINITSID_KERNEL;
2844         return;
2845 }
2846
2847 static void selinux_task_to_inode(struct task_struct *p,
2848                                   struct inode *inode)
2849 {
2850         struct task_security_struct *tsec = p->security;
2851         struct inode_security_struct *isec = inode->i_security;
2852
2853         isec->sid = tsec->sid;
2854         isec->initialized = 1;
2855         return;
2856 }
2857
2858 #ifdef CONFIG_SECURITY_NETWORK
2859
2860 /* Returns error only if unable to parse addresses */
2861 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2862 {
2863         int offset, ihlen, ret = -EINVAL;
2864         struct iphdr _iph, *ih;
2865
2866         offset = skb->nh.raw - skb->data;
2867         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2868         if (ih == NULL)
2869                 goto out;
2870
2871         ihlen = ih->ihl * 4;
2872         if (ihlen < sizeof(_iph))
2873                 goto out;
2874
2875         ad->u.net.v4info.saddr = ih->saddr;
2876         ad->u.net.v4info.daddr = ih->daddr;
2877         ret = 0;
2878
2879         switch (ih->protocol) {
2880         case IPPROTO_TCP: {
2881                 struct tcphdr _tcph, *th;
2882
2883                 if (ntohs(ih->frag_off) & IP_OFFSET)
2884                         break;
2885
2886                 offset += ihlen;
2887                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2888                 if (th == NULL)
2889                         break;
2890
2891                 ad->u.net.sport = th->source;
2892                 ad->u.net.dport = th->dest;
2893                 break;
2894         }
2895         
2896         case IPPROTO_UDP: {
2897                 struct udphdr _udph, *uh;
2898                 
2899                 if (ntohs(ih->frag_off) & IP_OFFSET)
2900                         break;
2901                         
2902                 offset += ihlen;
2903                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2904                 if (uh == NULL)
2905                         break;  
2906
2907                 ad->u.net.sport = uh->source;
2908                 ad->u.net.dport = uh->dest;
2909                 break;
2910         }
2911
2912         default:
2913                 break;
2914         }
2915 out:
2916         return ret;
2917 }
2918
2919 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2920
2921 /* Returns error only if unable to parse addresses */
2922 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2923 {
2924         u8 nexthdr;
2925         int ret = -EINVAL, offset;
2926         struct ipv6hdr _ipv6h, *ip6;
2927
2928         offset = skb->nh.raw - skb->data;
2929         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2930         if (ip6 == NULL)
2931                 goto out;
2932
2933         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2934         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2935         ret = 0;
2936
2937         nexthdr = ip6->nexthdr;
2938         offset += sizeof(_ipv6h);
2939         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2940         if (offset < 0)
2941                 goto out;
2942
2943         switch (nexthdr) {
2944         case IPPROTO_TCP: {
2945                 struct tcphdr _tcph, *th;
2946
2947                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2948                 if (th == NULL)
2949                         break;
2950
2951                 ad->u.net.sport = th->source;
2952                 ad->u.net.dport = th->dest;
2953                 break;
2954         }
2955
2956         case IPPROTO_UDP: {
2957                 struct udphdr _udph, *uh;
2958
2959                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2960                 if (uh == NULL)
2961                         break;
2962
2963                 ad->u.net.sport = uh->source;
2964                 ad->u.net.dport = uh->dest;
2965                 break;
2966         }
2967
2968         /* includes fragments */
2969         default:
2970                 break;
2971         }
2972 out:
2973         return ret;
2974 }
2975
2976 #endif /* IPV6 */
2977
2978 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2979                              char **addrp, int *len, int src)
2980 {
2981         int ret = 0;
2982
2983         switch (ad->u.net.family) {
2984         case PF_INET:
2985                 ret = selinux_parse_skb_ipv4(skb, ad);
2986                 if (ret || !addrp)
2987                         break;
2988                 *len = 4;
2989                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2990                                         &ad->u.net.v4info.daddr);
2991                 break;
2992
2993 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2994         case PF_INET6:
2995                 ret = selinux_parse_skb_ipv6(skb, ad);
2996                 if (ret || !addrp)
2997                         break;
2998                 *len = 16;
2999                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3000                                         &ad->u.net.v6info.daddr);
3001                 break;
3002 #endif  /* IPV6 */
3003         default:
3004                 break;
3005         }
3006
3007         return ret;
3008 }
3009
3010 /* socket security operations */
3011 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3012                            u32 perms)
3013 {
3014         struct inode_security_struct *isec;
3015         struct task_security_struct *tsec;
3016         struct avc_audit_data ad;
3017         int err = 0;
3018
3019         tsec = task->security;
3020         isec = SOCK_INODE(sock)->i_security;
3021
3022         if (isec->sid == SECINITSID_KERNEL)
3023                 goto out;
3024
3025         AVC_AUDIT_DATA_INIT(&ad,NET);
3026         ad.u.net.sk = sock->sk;
3027         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3028
3029 out:
3030         return err;
3031 }
3032
3033 static int selinux_socket_create(int family, int type,
3034                                  int protocol, int kern)
3035 {
3036         int err = 0;
3037         struct task_security_struct *tsec;
3038
3039         if (kern)
3040                 goto out;
3041
3042         tsec = current->security;
3043         err = avc_has_perm(tsec->sid, tsec->sid,
3044                            socket_type_to_security_class(family, type,
3045                            protocol), SOCKET__CREATE, NULL);
3046
3047 out:
3048         return err;
3049 }
3050
3051 static void selinux_socket_post_create(struct socket *sock, int family,
3052                                        int type, int protocol, int kern)
3053 {
3054         struct inode_security_struct *isec;
3055         struct task_security_struct *tsec;
3056
3057         isec = SOCK_INODE(sock)->i_security;
3058
3059         tsec = current->security;
3060         isec->sclass = socket_type_to_security_class(family, type, protocol);
3061         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
3062         isec->initialized = 1;
3063
3064         return;
3065 }
3066
3067 /* Range of port numbers used to automatically bind.
3068    Need to determine whether we should perform a name_bind
3069    permission check between the socket and the port number. */
3070 #define ip_local_port_range_0 sysctl_local_port_range[0]
3071 #define ip_local_port_range_1 sysctl_local_port_range[1]
3072
3073 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3074 {
3075         u16 family;
3076         int err;
3077
3078         err = socket_has_perm(current, sock, SOCKET__BIND);
3079         if (err)
3080                 goto out;
3081
3082         /*
3083          * If PF_INET or PF_INET6, check name_bind permission for the port.
3084          */
3085         family = sock->sk->sk_family;
3086         if (family == PF_INET || family == PF_INET6) {
3087                 char *addrp;
3088                 struct inode_security_struct *isec;
3089                 struct task_security_struct *tsec;
3090                 struct avc_audit_data ad;
3091                 struct sockaddr_in *addr4 = NULL;
3092                 struct sockaddr_in6 *addr6 = NULL;
3093                 unsigned short snum;
3094                 struct sock *sk = sock->sk;
3095                 u32 sid, node_perm, addrlen;
3096
3097                 tsec = current->security;
3098                 isec = SOCK_INODE(sock)->i_security;
3099
3100                 if (family == PF_INET) {
3101                         addr4 = (struct sockaddr_in *)address;
3102                         snum = ntohs(addr4->sin_port);
3103                         addrlen = sizeof(addr4->sin_addr.s_addr);
3104                         addrp = (char *)&addr4->sin_addr.s_addr;
3105                 } else {
3106                         addr6 = (struct sockaddr_in6 *)address;
3107                         snum = ntohs(addr6->sin6_port);
3108                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3109                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3110                 }
3111
3112                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3113                            snum > ip_local_port_range_1)) {
3114                         err = security_port_sid(sk->sk_family, sk->sk_type,
3115                                                 sk->sk_protocol, snum, &sid);
3116                         if (err)
3117                                 goto out;
3118                         AVC_AUDIT_DATA_INIT(&ad,NET);
3119                         ad.u.net.sport = htons(snum);
3120                         ad.u.net.family = family;
3121                         err = avc_has_perm(isec->sid, sid,
3122                                            isec->sclass,
3123                                            SOCKET__NAME_BIND, &ad);
3124                         if (err)
3125                                 goto out;
3126                 }
3127                 
3128                 switch(sk->sk_protocol) {
3129                 case IPPROTO_TCP:
3130                         node_perm = TCP_SOCKET__NODE_BIND;
3131                         break;
3132                         
3133                 case IPPROTO_UDP:
3134                         node_perm = UDP_SOCKET__NODE_BIND;
3135                         break;
3136                         
3137                 default:
3138                         node_perm = RAWIP_SOCKET__NODE_BIND;
3139                         break;
3140                 }
3141                 
3142                 err = security_node_sid(family, addrp, addrlen, &sid);
3143                 if (err)
3144                         goto out;
3145                 
3146                 AVC_AUDIT_DATA_INIT(&ad,NET);
3147                 ad.u.net.sport = htons(snum);
3148                 ad.u.net.family = family;
3149
3150                 if (family == PF_INET)
3151                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3152                 else
3153                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3154
3155                 err = avc_has_perm(isec->sid, sid,
3156                                    isec->sclass, node_perm, &ad);
3157                 if (err)
3158                         goto out;
3159         }
3160 out:
3161         return err;
3162 }
3163
3164 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3165 {
3166         struct inode_security_struct *isec;
3167         int err;
3168
3169         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3170         if (err)
3171                 return err;
3172
3173         /*
3174          * If a TCP socket, check name_connect permission for the port.
3175          */
3176         isec = SOCK_INODE(sock)->i_security;
3177         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3178                 struct sock *sk = sock->sk;
3179                 struct avc_audit_data ad;
3180                 struct sockaddr_in *addr4 = NULL;
3181                 struct sockaddr_in6 *addr6 = NULL;
3182                 unsigned short snum;
3183                 u32 sid;
3184
3185                 if (sk->sk_family == PF_INET) {
3186                         addr4 = (struct sockaddr_in *)address;
3187                         if (addrlen < sizeof(struct sockaddr_in))
3188                                 return -EINVAL;
3189                         snum = ntohs(addr4->sin_port);
3190                 } else {
3191                         addr6 = (struct sockaddr_in6 *)address;
3192                         if (addrlen < SIN6_LEN_RFC2133)
3193                                 return -EINVAL;
3194                         snum = ntohs(addr6->sin6_port);
3195                 }
3196
3197                 err = security_port_sid(sk->sk_family, sk->sk_type,
3198                                         sk->sk_protocol, snum, &sid);
3199                 if (err)
3200                         goto out;
3201
3202                 AVC_AUDIT_DATA_INIT(&ad,NET);
3203                 ad.u.net.dport = htons(snum);
3204                 ad.u.net.family = sk->sk_family;
3205                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3206                                    TCP_SOCKET__NAME_CONNECT, &ad);
3207                 if (err)
3208                         goto out;
3209         }
3210
3211 out:
3212         return err;
3213 }
3214
3215 static int selinux_socket_listen(struct socket *sock, int backlog)
3216 {
3217         return socket_has_perm(current, sock, SOCKET__LISTEN);
3218 }
3219
3220 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3221 {
3222         int err;
3223         struct inode_security_struct *isec;
3224         struct inode_security_struct *newisec;
3225
3226         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3227         if (err)
3228                 return err;
3229
3230         newisec = SOCK_INODE(newsock)->i_security;
3231
3232         isec = SOCK_INODE(sock)->i_security;
3233         newisec->sclass = isec->sclass;
3234         newisec->sid = isec->sid;
3235         newisec->initialized = 1;
3236
3237         return 0;
3238 }
3239
3240 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3241                                   int size)
3242 {
3243         return socket_has_perm(current, sock, SOCKET__WRITE);
3244 }
3245
3246 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3247                                   int size, int flags)
3248 {
3249         return socket_has_perm(current, sock, SOCKET__READ);
3250 }
3251
3252 static int selinux_socket_getsockname(struct socket *sock)
3253 {
3254         return socket_has_perm(current, sock, SOCKET__GETATTR);
3255 }
3256
3257 static int selinux_socket_getpeername(struct socket *sock)
3258 {
3259         return socket_has_perm(current, sock, SOCKET__GETATTR);
3260 }
3261
3262 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3263 {
3264         return socket_has_perm(current, sock, SOCKET__SETOPT);
3265 }
3266
3267 static int selinux_socket_getsockopt(struct socket *sock, int level,
3268                                      int optname)
3269 {
3270         return socket_has_perm(current, sock, SOCKET__GETOPT);
3271 }
3272
3273 static int selinux_socket_shutdown(struct socket *sock, int how)
3274 {
3275         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3276 }
3277
3278 static int selinux_socket_unix_stream_connect(struct socket *sock,
3279                                               struct socket *other,
3280                                               struct sock *newsk)
3281 {
3282         struct sk_security_struct *ssec;
3283         struct inode_security_struct *isec;
3284         struct inode_security_struct *other_isec;
3285         struct avc_audit_data ad;
3286         int err;
3287
3288         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3289         if (err)
3290                 return err;
3291
3292         isec = SOCK_INODE(sock)->i_security;
3293         other_isec = SOCK_INODE(other)->i_security;
3294
3295         AVC_AUDIT_DATA_INIT(&ad,NET);
3296         ad.u.net.sk = other->sk;
3297
3298         err = avc_has_perm(isec->sid, other_isec->sid,
3299                            isec->sclass,
3300                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3301         if (err)
3302                 return err;
3303
3304         /* connecting socket */
3305         ssec = sock->sk->sk_security;
3306         ssec->peer_sid = other_isec->sid;
3307         
3308         /* server child socket */
3309         ssec = newsk->sk_security;
3310         ssec->peer_sid = isec->sid;
3311         
3312         return 0;
3313 }
3314
3315 static int selinux_socket_unix_may_send(struct socket *sock,
3316                                         struct socket *other)
3317 {
3318         struct inode_security_struct *isec;
3319         struct inode_security_struct *other_isec;
3320         struct avc_audit_data ad;
3321         int err;
3322
3323         isec = SOCK_INODE(sock)->i_security;
3324         other_isec = SOCK_INODE(other)->i_security;
3325
3326         AVC_AUDIT_DATA_INIT(&ad,NET);
3327         ad.u.net.sk = other->sk;
3328
3329         err = avc_has_perm(isec->sid, other_isec->sid,
3330                            isec->sclass, SOCKET__SENDTO, &ad);
3331         if (err)
3332                 return err;
3333
3334         return 0;
3335 }
3336
3337 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3338 {
3339         u16 family;
3340         char *addrp;
3341         int len, err = 0;
3342         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3343         u32 sock_sid = 0;
3344         u16 sock_class = 0;
3345         struct socket *sock;
3346         struct net_device *dev;
3347         struct avc_audit_data ad;
3348
3349         family = sk->sk_family;
3350         if (family != PF_INET && family != PF_INET6)
3351                 goto out;
3352
3353         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3354         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3355                 family = PF_INET;
3356
3357         read_lock_bh(&sk->sk_callback_lock);
3358         sock = sk->sk_socket;
3359         if (sock) {
3360                 struct inode *inode;
3361                 inode = SOCK_INODE(sock);
3362                 if (inode) {
3363                         struct inode_security_struct *isec;
3364                         isec = inode->i_security;
3365                         sock_sid = isec->sid;
3366                         sock_class = isec->sclass;
3367                 }
3368         }
3369         read_unlock_bh(&sk->sk_callback_lock);
3370         if (!sock_sid)
3371                 goto out;
3372
3373         dev = skb->dev;
3374         if (!dev)
3375                 goto out;
3376
3377         err = sel_netif_sids(dev, &if_sid, NULL);
3378         if (err)
3379                 goto out;
3380
3381         switch (sock_class) {
3382         case SECCLASS_UDP_SOCKET:
3383                 netif_perm = NETIF__UDP_RECV;
3384                 node_perm = NODE__UDP_RECV;
3385                 recv_perm = UDP_SOCKET__RECV_MSG;
3386                 break;
3387         
3388         case SECCLASS_TCP_SOCKET:
3389                 netif_perm = NETIF__TCP_RECV;
3390                 node_perm = NODE__TCP_RECV;
3391                 recv_perm = TCP_SOCKET__RECV_MSG;
3392                 break;
3393         
3394         default:
3395                 netif_perm = NETIF__RAWIP_RECV;
3396                 node_perm = NODE__RAWIP_RECV;
3397                 break;
3398         }
3399
3400         AVC_AUDIT_DATA_INIT(&ad, NET);
3401         ad.u.net.netif = dev->name;
3402         ad.u.net.family = family;
3403
3404         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3405         if (err)
3406                 goto out;
3407
3408         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3409         if (err)
3410                 goto out;
3411         
3412         /* Fixme: this lookup is inefficient */
3413         err = security_node_sid(family, addrp, len, &node_sid);
3414         if (err)
3415                 goto out;
3416         
3417         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3418         if (err)
3419                 goto out;
3420
3421         if (recv_perm) {
3422                 u32 port_sid;
3423
3424                 /* Fixme: make this more efficient */
3425                 err = security_port_sid(sk->sk_family, sk->sk_type,
3426                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3427                                         &port_sid);
3428                 if (err)
3429                         goto out;
3430
3431                 err = avc_has_perm(sock_sid, port_sid,
3432                                    sock_class, recv_perm, &ad);
3433         }
3434 out:    
3435         return err;
3436 }
3437
3438 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3439                                      int __user *optlen, unsigned len)
3440 {
3441         int err = 0;
3442         char *scontext;
3443         u32 scontext_len;
3444         struct sk_security_struct *ssec;
3445         struct inode_security_struct *isec;
3446
3447         isec = SOCK_INODE(sock)->i_security;
3448         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3449                 err = -ENOPROTOOPT;
3450                 goto out;
3451         }
3452
3453         ssec = sock->sk->sk_security;
3454         
3455         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3456         if (err)
3457                 goto out;
3458
3459         if (scontext_len > len) {
3460                 err = -ERANGE;
3461                 goto out_len;
3462         }
3463
3464         if (copy_to_user(optval, scontext, scontext_len))
3465                 err = -EFAULT;
3466
3467 out_len:
3468         if (put_user(scontext_len, optlen))
3469                 err = -EFAULT;
3470
3471         kfree(scontext);
3472 out:    
3473         return err;
3474 }
3475
3476 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3477 {
3478         return sk_alloc_security(sk, family, priority);
3479 }
3480
3481 static void selinux_sk_free_security(struct sock *sk)
3482 {
3483         sk_free_security(sk);
3484 }
3485
3486 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3487 {
3488         int err = 0;
3489         u32 perm;
3490         struct nlmsghdr *nlh;
3491         struct socket *sock = sk->sk_socket;
3492         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3493         
3494         if (skb->len < NLMSG_SPACE(0)) {
3495                 err = -EINVAL;
3496                 goto out;
3497         }
3498         nlh = (struct nlmsghdr *)skb->data;
3499         
3500         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3501         if (err) {
3502                 if (err == -EINVAL) {
3503                         audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3504                                   "SELinux:  unrecognized netlink message"
3505                                   " type=%hu for sclass=%hu\n",
3506                                   nlh->nlmsg_type, isec->sclass);
3507                         if (!selinux_enforcing)
3508                                 err = 0;
3509                 }
3510
3511                 /* Ignore */
3512                 if (err == -ENOENT)
3513                         err = 0;
3514                 goto out;
3515         }
3516
3517         err = socket_has_perm(current, sock, perm);
3518 out:
3519         return err;
3520 }
3521
3522 #ifdef CONFIG_NETFILTER
3523
3524 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3525                                               struct sk_buff **pskb,
3526                                               const struct net_device *in,
3527                                               const struct net_device *out,
3528                                               int (*okfn)(struct sk_buff *),
3529                                               u16 family)
3530 {
3531         char *addrp;
3532         int len, err = NF_ACCEPT;
3533         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3534         struct sock *sk;
3535         struct socket *sock;
3536         struct inode *inode;
3537         struct sk_buff *skb = *pskb;
3538         struct inode_security_struct *isec;
3539         struct avc_audit_data ad;
3540         struct net_device *dev = (struct net_device *)out;
3541         
3542         sk = skb->sk;
3543         if (!sk)
3544                 goto out;
3545                 
3546         sock = sk->sk_socket;
3547         if (!sock)
3548                 goto out;
3549                 
3550         inode = SOCK_INODE(sock);
3551         if (!inode)
3552                 goto out;
3553
3554         err = sel_netif_sids(dev, &if_sid, NULL);
3555         if (err)
3556                 goto out;
3557
3558         isec = inode->i_security;
3559         
3560         switch (isec->sclass) {
3561         case SECCLASS_UDP_SOCKET:
3562                 netif_perm = NETIF__UDP_SEND;
3563                 node_perm = NODE__UDP_SEND;
3564                 send_perm = UDP_SOCKET__SEND_MSG;
3565                 break;
3566         
3567         case SECCLASS_TCP_SOCKET:
3568                 netif_perm = NETIF__TCP_SEND;
3569                 node_perm = NODE__TCP_SEND;
3570                 send_perm = TCP_SOCKET__SEND_MSG;
3571                 break;
3572         
3573         default:
3574                 netif_perm = NETIF__RAWIP_SEND;
3575                 node_perm = NODE__RAWIP_SEND;
3576                 break;
3577         }
3578
3579
3580         AVC_AUDIT_DATA_INIT(&ad, NET);
3581         ad.u.net.netif = dev->name;
3582         ad.u.net.family = family;
3583
3584         err = selinux_parse_skb(skb, &ad, &addrp,
3585                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3586         if (err != NF_ACCEPT)
3587                 goto out;
3588
3589         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3590                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3591         if (err != NF_ACCEPT)
3592                 goto out;
3593                 
3594         /* Fixme: this lookup is inefficient */
3595         err = security_node_sid(family, addrp, len,
3596                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3597         if (err != NF_ACCEPT)
3598                 goto out;
3599         
3600         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3601                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3602         if (err != NF_ACCEPT)
3603                 goto out;
3604
3605         if (send_perm) {
3606                 u32 port_sid;
3607                 
3608                 /* Fixme: make this more efficient */
3609                 err = security_port_sid(sk->sk_family,
3610                                         sk->sk_type,
3611                                         sk->sk_protocol,
3612                                         ntohs(ad.u.net.dport),
3613                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3614                 if (err != NF_ACCEPT)
3615                         goto out;
3616
3617                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3618                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3619         }
3620
3621 out:
3622         return err;
3623 }
3624
3625 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3626                                                 struct sk_buff **pskb,
3627                                                 const struct net_device *in,
3628                                                 const struct net_device *out,
3629                                                 int (*okfn)(struct sk_buff *))
3630 {
3631         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3632 }
3633
3634 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3635
3636 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3637                                                 struct sk_buff **pskb,
3638                                                 const struct net_device *in,
3639                                                 const struct net_device *out,
3640                                                 int (*okfn)(struct sk_buff *))
3641 {
3642         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3643 }
3644
3645 #endif  /* IPV6 */
3646
3647 #endif  /* CONFIG_NETFILTER */
3648
3649 #else
3650
3651 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3652 {
3653         return 0;
3654 }
3655
3656 #endif  /* CONFIG_SECURITY_NETWORK */
3657
3658 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3659 {
3660         struct task_security_struct *tsec;
3661         struct av_decision avd;
3662         int err;
3663
3664         err = secondary_ops->netlink_send(sk, skb);
3665         if (err)
3666                 return err;
3667
3668         tsec = current->security;
3669
3670         avd.allowed = 0;
3671         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3672                                 SECCLASS_CAPABILITY, ~0, &avd);
3673         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3674
3675         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3676                 err = selinux_nlmsg_perm(sk, skb);
3677
3678         return err;
3679 }
3680
3681 static int selinux_netlink_recv(struct sk_buff *skb)
3682 {
3683         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3684                 return -EPERM;
3685         return 0;
3686 }
3687
3688 static int ipc_alloc_security(struct task_struct *task,
3689                               struct kern_ipc_perm *perm,
3690                               u16 sclass)
3691 {
3692         struct task_security_struct *tsec = task->security;
3693         struct ipc_security_struct *isec;
3694
3695         isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3696         if (!isec)
3697                 return -ENOMEM;
3698
3699         memset(isec, 0, sizeof(struct ipc_security_struct));
3700         isec->magic = SELINUX_MAGIC;
3701         isec->sclass = sclass;
3702         isec->ipc_perm = perm;
3703         if (tsec) {
3704                 isec->sid = tsec->sid;
3705         } else {
3706                 isec->sid = SECINITSID_UNLABELED;
3707         }
3708         perm->security = isec;
3709
3710         return 0;
3711 }
3712
3713 static void ipc_free_security(struct kern_ipc_perm *perm)
3714 {
3715         struct ipc_security_struct *isec = perm->security;
3716         if (!isec || isec->magic != SELINUX_MAGIC)
3717                 return;
3718
3719         perm->security = NULL;
3720         kfree(isec);
3721 }
3722
3723 static int msg_msg_alloc_security(struct msg_msg *msg)
3724 {
3725         struct msg_security_struct *msec;
3726
3727         msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3728         if (!msec)
3729                 return -ENOMEM;
3730
3731         memset(msec, 0, sizeof(struct msg_security_struct));
3732         msec->magic = SELINUX_MAGIC;
3733         msec->msg = msg;
3734         msec->sid = SECINITSID_UNLABELED;
3735         msg->security = msec;
3736
3737         return 0;
3738 }
3739
3740 static void msg_msg_free_security(struct msg_msg *msg)
3741 {
3742         struct msg_security_struct *msec = msg->security;
3743         if (!msec || msec->magic != SELINUX_MAGIC)
3744                 return;
3745
3746         msg->security = NULL;
3747         kfree(msec);
3748 }
3749
3750 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3751                         u32 perms)
3752 {
3753         struct task_security_struct *tsec;
3754         struct ipc_security_struct *isec;
3755         struct avc_audit_data ad;
3756
3757         tsec = current->security;
3758         isec = ipc_perms->security;
3759
3760         AVC_AUDIT_DATA_INIT(&ad, IPC);
3761         ad.u.ipc_id = ipc_perms->key;
3762
3763         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3764 }
3765
3766 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3767 {
3768         return msg_msg_alloc_security(msg);
3769 }
3770
3771 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3772 {
3773         msg_msg_free_security(msg);
3774 }
3775
3776 /* message queue security operations */
3777 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3778 {
3779         struct task_security_struct *tsec;
3780         struct ipc_security_struct *isec;
3781         struct avc_audit_data ad;
3782         int rc;
3783
3784         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3785         if (rc)
3786                 return rc;
3787
3788         tsec = current->security;
3789         isec = msq->q_perm.security;
3790
3791         AVC_AUDIT_DATA_INIT(&ad, IPC);
3792         ad.u.ipc_id = msq->q_perm.key;
3793
3794         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3795                           MSGQ__CREATE, &ad);
3796         if (rc) {
3797                 ipc_free_security(&msq->q_perm);
3798                 return rc;
3799         }
3800         return 0;
3801 }
3802
3803 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3804 {
3805         ipc_free_security(&msq->q_perm);
3806 }
3807
3808 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3809 {
3810         struct task_security_struct *tsec;
3811         struct ipc_security_struct *isec;
3812         struct avc_audit_data ad;
3813
3814         tsec = current->security;
3815         isec = msq->q_perm.security;
3816
3817         AVC_AUDIT_DATA_INIT(&ad, IPC);
3818         ad.u.ipc_id = msq->q_perm.key;
3819
3820         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3821                             MSGQ__ASSOCIATE, &ad);
3822 }
3823
3824 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3825 {
3826         int err;
3827         int perms;
3828
3829         switch(cmd) {
3830         case IPC_INFO:
3831         case MSG_INFO:
3832                 /* No specific object, just general system-wide information. */
3833                 return task_has_system(current, SYSTEM__IPC_INFO);
3834         case IPC_STAT:
3835         case MSG_STAT:
3836                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3837                 break;
3838         case IPC_SET:
3839                 perms = MSGQ__SETATTR;
3840                 break;
3841         case IPC_RMID:
3842                 perms = MSGQ__DESTROY;
3843                 break;
3844         default:
3845                 return 0;
3846         }
3847
3848         err = ipc_has_perm(&msq->q_perm, perms);
3849         return err;
3850 }
3851
3852 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3853 {
3854         struct task_security_struct *tsec;
3855         struct ipc_security_struct *isec;
3856         struct msg_security_struct *msec;
3857         struct avc_audit_data ad;
3858         int rc;
3859
3860         tsec = current->security;
3861         isec = msq->q_perm.security;
3862         msec = msg->security;
3863
3864         /*
3865          * First time through, need to assign label to the message
3866          */
3867         if (msec->sid == SECINITSID_UNLABELED) {
3868                 /*
3869                  * Compute new sid based on current process and
3870                  * message queue this message will be stored in
3871                  */
3872                 rc = security_transition_sid(tsec->sid,
3873                                              isec->sid,
3874                                              SECCLASS_MSG,
3875                                              &msec->sid);
3876                 if (rc)
3877                         return rc;
3878         }
3879
3880         AVC_AUDIT_DATA_INIT(&ad, IPC);
3881         ad.u.ipc_id = msq->q_perm.key;
3882
3883         /* Can this process write to the queue? */
3884         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3885                           MSGQ__WRITE, &ad);
3886         if (!rc)
3887                 /* Can this process send the message */
3888                 rc = avc_has_perm(tsec->sid, msec->sid,
3889                                   SECCLASS_MSG, MSG__SEND, &ad);
3890         if (!rc)
3891                 /* Can the message be put in the queue? */
3892                 rc = avc_has_perm(msec->sid, isec->sid,
3893                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3894
3895         return rc;
3896 }
3897
3898 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3899                                     struct task_struct *target,
3900                                     long type, int mode)
3901 {
3902         struct task_security_struct *tsec;
3903         struct ipc_security_struct *isec;
3904         struct msg_security_struct *msec;
3905         struct avc_audit_data ad;
3906         int rc;
3907
3908         tsec = target->security;
3909         isec = msq->q_perm.security;
3910         msec = msg->security;
3911
3912         AVC_AUDIT_DATA_INIT(&ad, IPC);
3913         ad.u.ipc_id = msq->q_perm.key;
3914
3915         rc = avc_has_perm(tsec->sid, isec->sid,
3916                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3917         if (!rc)
3918                 rc = avc_has_perm(tsec->sid, msec->sid,
3919                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3920         return rc;
3921 }
3922
3923 /* Shared Memory security operations */
3924 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3925 {
3926         struct task_security_struct *tsec;
3927         struct ipc_security_struct *isec;
3928         struct avc_audit_data ad;
3929         int rc;
3930
3931         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3932         if (rc)
3933                 return rc;
3934
3935         tsec = current->security;
3936         isec = shp->shm_perm.security;
3937
3938         AVC_AUDIT_DATA_INIT(&ad, IPC);
3939         ad.u.ipc_id = shp->shm_perm.key;
3940
3941         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3942                           SHM__CREATE, &ad);
3943         if (rc) {
3944                 ipc_free_security(&shp->shm_perm);
3945                 return rc;
3946         }
3947         return 0;
3948 }
3949
3950 static void selinux_shm_free_security(struct shmid_kernel *shp)
3951 {
3952         ipc_free_security(&shp->shm_perm);
3953 }
3954
3955 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3956 {
3957         struct task_security_struct *tsec;
3958         struct ipc_security_struct *isec;
3959         struct avc_audit_data ad;
3960
3961         tsec = current->security;
3962         isec = shp->shm_perm.security;
3963
3964         AVC_AUDIT_DATA_INIT(&ad, IPC);
3965         ad.u.ipc_id = shp->shm_perm.key;
3966
3967         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3968                             SHM__ASSOCIATE, &ad);
3969 }
3970
3971 /* Note, at this point, shp is locked down */
3972 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3973 {
3974         int perms;
3975         int err;
3976
3977         switch(cmd) {
3978         case IPC_INFO:
3979         case SHM_INFO:
3980                 /* No specific object, just general system-wide information. */
3981                 return task_has_system(current, SYSTEM__IPC_INFO);
3982         case IPC_STAT:
3983         case SHM_STAT:
3984                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3985                 break;
3986         case IPC_SET:
3987                 perms = SHM__SETATTR;
3988                 break;
3989         case SHM_LOCK:
3990         case SHM_UNLOCK:
3991                 perms = SHM__LOCK;
3992                 break;
3993         case IPC_RMID:
3994                 perms = SHM__DESTROY;
3995                 break;
3996         default:
3997                 return 0;
3998         }
3999
4000         err = ipc_has_perm(&shp->shm_perm, perms);
4001         return err;
4002 }
4003
4004 static int selinux_shm_shmat(struct shmid_kernel *shp,
4005                              char __user *shmaddr, int shmflg)
4006 {
4007         u32 perms;
4008         int rc;
4009
4010         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4011         if (rc)
4012                 return rc;
4013
4014         if (shmflg & SHM_RDONLY)
4015                 perms = SHM__READ;
4016         else
4017                 perms = SHM__READ | SHM__WRITE;
4018
4019         return ipc_has_perm(&shp->shm_perm, perms);
4020 }
4021
4022 /* Semaphore security operations */
4023 static int selinux_sem_alloc_security(struct sem_array *sma)
4024 {
4025         struct task_security_struct *tsec;
4026         struct ipc_security_struct *isec;
4027         struct avc_audit_data ad;
4028         int rc;
4029
4030         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4031         if (rc)
4032                 return rc;
4033
4034         tsec = current->security;
4035         isec = sma->sem_perm.security;
4036
4037         AVC_AUDIT_DATA_INIT(&ad, IPC);
4038         ad.u.ipc_id = sma->sem_perm.key;
4039
4040         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4041                           SEM__CREATE, &ad);
4042         if (rc) {
4043                 ipc_free_security(&sma->sem_perm);
4044                 return rc;
4045         }
4046         return 0;
4047 }
4048
4049 static void selinux_sem_free_security(struct sem_array *sma)
4050 {
4051         ipc_free_security(&sma->sem_perm);
4052 }
4053
4054 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4055 {
4056         struct task_security_struct *tsec;
4057         struct ipc_security_struct *isec;
4058         struct avc_audit_data ad;
4059
4060         tsec = current->security;
4061         isec = sma->sem_perm.security;
4062
4063         AVC_AUDIT_DATA_INIT(&ad, IPC);
4064         ad.u.ipc_id = sma->sem_perm.key;
4065
4066         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4067                             SEM__ASSOCIATE, &ad);
4068 }
4069
4070 /* Note, at this point, sma is locked down */
4071 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4072 {
4073         int err;
4074         u32 perms;
4075
4076         switch(cmd) {
4077         case IPC_INFO:
4078         case SEM_INFO:
4079                 /* No specific object, just general system-wide information. */
4080                 return task_has_system(current, SYSTEM__IPC_INFO);
4081         case GETPID:
4082         case GETNCNT:
4083         case GETZCNT:
4084                 perms = SEM__GETATTR;
4085                 break;
4086         case GETVAL:
4087         case GETALL:
4088                 perms = SEM__READ;
4089                 break;
4090         case SETVAL:
4091         case SETALL:
4092                 perms = SEM__WRITE;
4093                 break;
4094         case IPC_RMID:
4095                 perms = SEM__DESTROY;
4096                 break;
4097         case IPC_SET:
4098                 perms = SEM__SETATTR;
4099                 break;
4100         case IPC_STAT:
4101         case SEM_STAT:
4102                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4103                 break;
4104         default:
4105                 return 0;
4106         }
4107
4108         err = ipc_has_perm(&sma->sem_perm, perms);
4109         return err;
4110 }
4111
4112 static int selinux_sem_semop(struct sem_array *sma,
4113                              struct sembuf *sops, unsigned nsops, int alter)
4114 {
4115         u32 perms;
4116
4117         if (alter)
4118                 perms = SEM__READ | SEM__WRITE;
4119         else
4120                 perms = SEM__READ;
4121
4122         return ipc_has_perm(&sma->sem_perm, perms);
4123 }
4124
4125 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4126 {
4127         u32 av = 0;
4128
4129         av = 0;
4130         if (flag & S_IRUGO)
4131                 av |= IPC__UNIX_READ;
4132         if (flag & S_IWUGO)
4133                 av |= IPC__UNIX_WRITE;
4134
4135         if (av == 0)
4136                 return 0;
4137
4138         return ipc_has_perm(ipcp, av);
4139 }
4140
4141 /* module stacking operations */
4142 static int selinux_register_security (const char *name, struct security_operations *ops)
4143 {
4144         if (secondary_ops != original_ops) {
4145                 printk(KERN_INFO "%s:  There is already a secondary security "
4146                        "module registered.\n", __FUNCTION__);
4147                 return -EINVAL;
4148         }
4149
4150         secondary_ops = ops;
4151
4152         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4153                __FUNCTION__,
4154                name);
4155
4156         return 0;
4157 }
4158
4159 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4160 {
4161         if (ops != secondary_ops) {
4162                 printk (KERN_INFO "%s:  trying to unregister a security module "
4163                         "that is not registered.\n", __FUNCTION__);
4164                 return -EINVAL;
4165         }
4166
4167         secondary_ops = original_ops;
4168
4169         return 0;
4170 }
4171
4172 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4173 {
4174         if (inode)
4175                 inode_doinit_with_dentry(inode, dentry);
4176 }
4177
4178 static int selinux_getprocattr(struct task_struct *p,
4179                                char *name, void *value, size_t size)
4180 {
4181         struct task_security_struct *tsec;
4182         u32 sid, len;
4183         char *context;
4184         int error;
4185
4186         if (current != p) {
4187                 error = task_has_perm(current, p, PROCESS__GETATTR);
4188                 if (error)
4189                         return error;
4190         }
4191
4192         if (!size)
4193                 return -ERANGE;
4194
4195         tsec = p->security;
4196
4197         if (!strcmp(name, "current"))
4198                 sid = tsec->sid;
4199         else if (!strcmp(name, "prev"))
4200                 sid = tsec->osid;
4201         else if (!strcmp(name, "exec"))
4202                 sid = tsec->exec_sid;
4203         else if (!strcmp(name, "fscreate"))
4204                 sid = tsec->create_sid;
4205         else
4206                 return -EINVAL;
4207
4208         if (!sid)
4209                 return 0;
4210
4211         error = security_sid_to_context(sid, &context, &len);
4212         if (error)
4213                 return error;
4214         if (len > size) {
4215                 kfree(context);
4216                 return -ERANGE;
4217         }
4218         memcpy(value, context, len);
4219         kfree(context);
4220         return len;
4221 }
4222
4223 static int selinux_setprocattr(struct task_struct *p,
4224                                char *name, void *value, size_t size)
4225 {
4226         struct task_security_struct *tsec;
4227         u32 sid = 0;
4228         int error;
4229         char *str = value;
4230
4231         if (current != p) {
4232                 /* SELinux only allows a process to change its own
4233                    security attributes. */
4234                 return -EACCES;
4235         }
4236
4237         /*
4238          * Basic control over ability to set these attributes at all.
4239          * current == p, but we'll pass them separately in case the
4240          * above restriction is ever removed.
4241          */
4242         if (!strcmp(name, "exec"))
4243                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4244         else if (!strcmp(name, "fscreate"))
4245                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4246         else if (!strcmp(name, "current"))
4247                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4248         else
4249                 error = -EINVAL;
4250         if (error)
4251                 return error;
4252
4253         /* Obtain a SID for the context, if one was specified. */
4254         if (size && str[1] && str[1] != '\n') {
4255                 if (str[size-1] == '\n') {
4256                         str[size-1] = 0;
4257                         size--;
4258                 }
4259                 error = security_context_to_sid(value, size, &sid);
4260                 if (error)
4261                         return error;
4262         }
4263
4264         /* Permission checking based on the specified context is
4265            performed during the actual operation (execve,
4266            open/mkdir/...), when we know the full context of the
4267            operation.  See selinux_bprm_set_security for the execve
4268            checks and may_create for the file creation checks. The
4269            operation will then fail if the context is not permitted. */
4270         tsec = p->security;
4271         if (!strcmp(name, "exec"))
4272                 tsec->exec_sid = sid;
4273         else if (!strcmp(name, "fscreate"))
4274                 tsec->create_sid = sid;
4275         else if (!strcmp(name, "current")) {
4276                 struct av_decision avd;
4277
4278                 if (sid == 0)
4279                         return -EINVAL;
4280
4281                 /* Only allow single threaded processes to change context */
4282                 if (atomic_read(&p->mm->mm_users) != 1) {
4283                         struct task_struct *g, *t;
4284                         struct mm_struct *mm = p->mm;
4285                         read_lock(&tasklist_lock);
4286                         do_each_thread(g, t)
4287                                 if (t->mm == mm && t != p) {
4288                                         read_unlock(&tasklist_lock);
4289                                         return -EPERM;
4290                                 }
4291                         while_each_thread(g, t);
4292                         read_unlock(&tasklist_lock);
4293                 }
4294
4295                 /* Check permissions for the transition. */
4296                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4297                                      PROCESS__DYNTRANSITION, NULL);
4298                 if (error)
4299                         return error;
4300
4301                 /* Check for ptracing, and update the task SID if ok.
4302                    Otherwise, leave SID unchanged and fail. */
4303                 task_lock(p);
4304                 if (p->ptrace & PT_PTRACED) {
4305                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4306                                                      SECCLASS_PROCESS,
4307                                                      PROCESS__PTRACE, &avd);
4308                         if (!error)
4309                                 tsec->sid = sid;
4310                         task_unlock(p);
4311                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4312                                   PROCESS__PTRACE, &avd, error, NULL);
4313                         if (error)
4314                                 return error;
4315                 } else {
4316                         tsec->sid = sid;
4317                         task_unlock(p);
4318                 }
4319         }
4320         else
4321                 return -EINVAL;
4322
4323         return size;
4324 }
4325
4326 static struct security_operations selinux_ops = {
4327         .ptrace =                       selinux_ptrace,
4328         .capget =                       selinux_capget,
4329         .capset_check =                 selinux_capset_check,
4330         .capset_set =                   selinux_capset_set,
4331         .sysctl =                       selinux_sysctl,
4332         .capable =                      selinux_capable,
4333         .quotactl =                     selinux_quotactl,
4334         .quota_on =                     selinux_quota_on,
4335         .syslog =                       selinux_syslog,
4336         .vm_enough_memory =             selinux_vm_enough_memory,
4337
4338         .netlink_send =                 selinux_netlink_send,
4339         .netlink_recv =                 selinux_netlink_recv,
4340
4341         .bprm_alloc_security =          selinux_bprm_alloc_security,
4342         .bprm_free_security =           selinux_bprm_free_security,
4343         .bprm_apply_creds =             selinux_bprm_apply_creds,
4344         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4345         .bprm_set_security =            selinux_bprm_set_security,
4346         .bprm_check_security =          selinux_bprm_check_security,
4347         .bprm_secureexec =              selinux_bprm_secureexec,
4348
4349         .sb_alloc_security =            selinux_sb_alloc_security,
4350         .sb_free_security =             selinux_sb_free_security,
4351         .sb_copy_data =                 selinux_sb_copy_data,
4352         .sb_kern_mount =                selinux_sb_kern_mount,
4353         .sb_statfs =                    selinux_sb_statfs,
4354         .sb_mount =                     selinux_mount,
4355         .sb_umount =                    selinux_umount,
4356
4357         .inode_alloc_security =         selinux_inode_alloc_security,
4358         .inode_free_security =          selinux_inode_free_security,
4359         .inode_init_security =          selinux_inode_init_security,
4360         .inode_create =                 selinux_inode_create,
4361         .inode_post_create =            selinux_inode_post_create,
4362         .inode_link =                   selinux_inode_link,
4363         .inode_post_link =              selinux_inode_post_link,
4364         .inode_unlink =                 selinux_inode_unlink,
4365         .inode_symlink =                selinux_inode_symlink,
4366         .inode_post_symlink =           selinux_inode_post_symlink,
4367         .inode_mkdir =                  selinux_inode_mkdir,
4368         .inode_post_mkdir =             selinux_inode_post_mkdir,
4369         .inode_rmdir =                  selinux_inode_rmdir,
4370         .inode_mknod =                  selinux_inode_mknod,
4371         .inode_post_mknod =             selinux_inode_post_mknod,
4372         .inode_rename =                 selinux_inode_rename,
4373         .inode_post_rename =            selinux_inode_post_rename,
4374         .inode_readlink =               selinux_inode_readlink,
4375         .inode_follow_link =            selinux_inode_follow_link,
4376         .inode_permission =             selinux_inode_permission,
4377         .inode_setattr =                selinux_inode_setattr,
4378         .inode_getattr =                selinux_inode_getattr,
4379         .inode_setxattr =               selinux_inode_setxattr,
4380         .inode_post_setxattr =          selinux_inode_post_setxattr,
4381         .inode_getxattr =               selinux_inode_getxattr,
4382         .inode_listxattr =              selinux_inode_listxattr,
4383         .inode_removexattr =            selinux_inode_removexattr,
4384         .inode_getsecurity =            selinux_inode_getsecurity,
4385         .inode_setsecurity =            selinux_inode_setsecurity,
4386         .inode_listsecurity =           selinux_inode_listsecurity,
4387
4388         .file_permission =              selinux_file_permission,
4389         .file_alloc_security =          selinux_file_alloc_security,
4390         .file_free_security =           selinux_file_free_security,
4391         .file_ioctl =                   selinux_file_ioctl,
4392         .file_mmap =                    selinux_file_mmap,
4393         .file_mprotect =                selinux_file_mprotect,
4394         .file_lock =                    selinux_file_lock,
4395         .file_fcntl =                   selinux_file_fcntl,
4396         .file_set_fowner =              selinux_file_set_fowner,
4397         .file_send_sigiotask =          selinux_file_send_sigiotask,
4398         .file_receive =                 selinux_file_receive,
4399
4400         .task_create =                  selinux_task_create,
4401         .task_alloc_security =          selinux_task_alloc_security,
4402         .task_free_security =           selinux_task_free_security,
4403         .task_setuid =                  selinux_task_setuid,
4404         .task_post_setuid =             selinux_task_post_setuid,
4405         .task_setgid =                  selinux_task_setgid,
4406         .task_setpgid =                 selinux_task_setpgid,
4407         .task_getpgid =                 selinux_task_getpgid,
4408         .task_getsid =                  selinux_task_getsid,
4409         .task_setgroups =               selinux_task_setgroups,
4410         .task_setnice =                 selinux_task_setnice,
4411         .task_setrlimit =               selinux_task_setrlimit,
4412         .task_setscheduler =            selinux_task_setscheduler,
4413         .task_getscheduler =            selinux_task_getscheduler,
4414         .task_kill =                    selinux_task_kill,
4415         .task_wait =                    selinux_task_wait,
4416         .task_prctl =                   selinux_task_prctl,
4417         .task_reparent_to_init =        selinux_task_reparent_to_init,
4418         .task_to_inode =                selinux_task_to_inode,
4419
4420         .ipc_permission =               selinux_ipc_permission,
4421
4422         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4423         .msg_msg_free_security =        selinux_msg_msg_free_security,
4424
4425         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4426         .msg_queue_free_security =      selinux_msg_queue_free_security,
4427         .msg_queue_associate =          selinux_msg_queue_associate,
4428         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4429         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4430         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4431
4432         .shm_alloc_security =           selinux_shm_alloc_security,
4433         .shm_free_security =            selinux_shm_free_security,
4434         .shm_associate =                selinux_shm_associate,
4435         .shm_shmctl =                   selinux_shm_shmctl,
4436         .shm_shmat =                    selinux_shm_shmat,
4437
4438         .sem_alloc_security =           selinux_sem_alloc_security,
4439         .sem_free_security =            selinux_sem_free_security,
4440         .sem_associate =                selinux_sem_associate,
4441         .sem_semctl =                   selinux_sem_semctl,
4442         .sem_semop =                    selinux_sem_semop,
4443
4444         .register_security =            selinux_register_security,
4445         .unregister_security =          selinux_unregister_security,
4446
4447         .d_instantiate =                selinux_d_instantiate,
4448
4449         .getprocattr =                  selinux_getprocattr,
4450         .setprocattr =                  selinux_setprocattr,
4451
4452 #ifdef CONFIG_SECURITY_NETWORK
4453         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4454         .unix_may_send =                selinux_socket_unix_may_send,
4455
4456         .socket_create =                selinux_socket_create,
4457         .socket_post_create =           selinux_socket_post_create,
4458         .socket_bind =                  selinux_socket_bind,
4459         .socket_connect =               selinux_socket_connect,
4460         .socket_listen =                selinux_socket_listen,
4461         .socket_accept =                selinux_socket_accept,
4462         .socket_sendmsg =               selinux_socket_sendmsg,
4463         .socket_recvmsg =               selinux_socket_recvmsg,
4464         .socket_getsockname =           selinux_socket_getsockname,
4465         .socket_getpeername =           selinux_socket_getpeername,
4466         .socket_getsockopt =            selinux_socket_getsockopt,
4467         .socket_setsockopt =            selinux_socket_setsockopt,
4468         .socket_shutdown =              selinux_socket_shutdown,
4469         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4470         .socket_getpeersec =            selinux_socket_getpeersec,
4471         .sk_alloc_security =            selinux_sk_alloc_security,
4472         .sk_free_security =             selinux_sk_free_security,
4473 #endif
4474 };
4475
4476 static __init int selinux_init(void)
4477 {
4478         struct task_security_struct *tsec;
4479
4480         if (!selinux_enabled) {
4481                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4482                 return 0;
4483         }
4484
4485         printk(KERN_INFO "SELinux:  Initializing.\n");
4486
4487         /* Set the security state for the initial task. */
4488         if (task_alloc_security(current))
4489                 panic("SELinux:  Failed to initialize initial task.\n");
4490         tsec = current->security;
4491         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4492
4493         avc_init();
4494
4495         original_ops = secondary_ops = security_ops;
4496         if (!secondary_ops)
4497                 panic ("SELinux: No initial security operations\n");
4498         if (register_security (&selinux_ops))
4499                 panic("SELinux: Unable to register with kernel.\n");
4500
4501         if (selinux_enforcing) {
4502                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4503         } else {
4504                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4505         }
4506         return 0;
4507 }
4508
4509 void selinux_complete_init(void)
4510 {
4511         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4512
4513         /* Set up any superblocks initialized prior to the policy load. */
4514         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4515         spin_lock(&sb_security_lock);
4516 next_sb:
4517         if (!list_empty(&superblock_security_head)) {
4518                 struct superblock_security_struct *sbsec =
4519                                 list_entry(superblock_security_head.next,
4520                                            struct superblock_security_struct,
4521                                            list);
4522                 struct super_block *sb = sbsec->sb;
4523                 spin_lock(&sb_lock);
4524                 sb->s_count++;
4525                 spin_unlock(&sb_lock);
4526                 spin_unlock(&sb_security_lock);
4527                 down_read(&sb->s_umount);
4528                 if (sb->s_root)
4529                         superblock_doinit(sb, NULL);
4530                 drop_super(sb);
4531                 spin_lock(&sb_security_lock);
4532                 list_del_init(&sbsec->list);
4533                 goto next_sb;
4534         }
4535         spin_unlock(&sb_security_lock);
4536 }
4537
4538 /* SELinux requires early initialization in order to label
4539    all processes and objects when they are created. */
4540 security_initcall(selinux_init);
4541
4542 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4543
4544 static struct nf_hook_ops selinux_ipv4_op = {
4545         .hook =         selinux_ipv4_postroute_last,
4546         .owner =        THIS_MODULE,
4547         .pf =           PF_INET,
4548         .hooknum =      NF_IP_POST_ROUTING,
4549         .priority =     NF_IP_PRI_SELINUX_LAST,
4550 };
4551
4552 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4553
4554 static struct nf_hook_ops selinux_ipv6_op = {
4555         .hook =         selinux_ipv6_postroute_last,
4556         .owner =        THIS_MODULE,
4557         .pf =           PF_INET6,
4558         .hooknum =      NF_IP6_POST_ROUTING,
4559         .priority =     NF_IP6_PRI_SELINUX_LAST,
4560 };
4561
4562 #endif  /* IPV6 */
4563
4564 static int __init selinux_nf_ip_init(void)
4565 {
4566         int err = 0;
4567
4568         if (!selinux_enabled)
4569                 goto out;
4570                 
4571         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4572         
4573         err = nf_register_hook(&selinux_ipv4_op);
4574         if (err)
4575                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4576
4577 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4578
4579         err = nf_register_hook(&selinux_ipv6_op);
4580         if (err)
4581                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4582
4583 #endif  /* IPV6 */
4584 out:
4585         return err;
4586 }
4587
4588 __initcall(selinux_nf_ip_init);
4589
4590 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4591 static void selinux_nf_ip_exit(void)
4592 {
4593         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4594
4595         nf_unregister_hook(&selinux_ipv4_op);
4596 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4597         nf_unregister_hook(&selinux_ipv6_op);
4598 #endif  /* IPV6 */
4599 }
4600 #endif
4601
4602 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4603
4604 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4605 #define selinux_nf_ip_exit()
4606 #endif
4607
4608 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4609
4610 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4611 int selinux_disable(void)
4612 {
4613         extern void exit_sel_fs(void);
4614         static int selinux_disabled = 0;
4615
4616         if (ss_initialized) {
4617                 /* Not permitted after initial policy load. */
4618                 return -EINVAL;
4619         }
4620
4621         if (selinux_disabled) {
4622                 /* Only do this once. */
4623                 return -EINVAL;
4624         }
4625
4626         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4627
4628         selinux_disabled = 1;
4629
4630         /* Reset security_ops to the secondary module, dummy or capability. */
4631         security_ops = secondary_ops;
4632
4633         /* Unregister netfilter hooks. */
4634         selinux_nf_ip_exit();
4635
4636         /* Unregister selinuxfs. */
4637         exit_sel_fs();
4638
4639         return 0;
4640 }
4641 #endif
4642
4643