63ad57ab44fcaea232f475f60647d8b55636fbb3
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16  *                     Paul Moore, <paul.moore@hp.com>
17  *
18  *      This program is free software; you can redistribute it and/or modify
19  *      it under the terms of the GNU General Public License version 2,
20  *      as published by the Free Software Foundation.
21  */
22
23 #include <linux/module.h>
24 #include <linux/init.h>
25 #include <linux/kernel.h>
26 #include <linux/ptrace.h>
27 #include <linux/errno.h>
28 #include <linux/sched.h>
29 #include <linux/security.h>
30 #include <linux/xattr.h>
31 #include <linux/capability.h>
32 #include <linux/unistd.h>
33 #include <linux/mm.h>
34 #include <linux/mman.h>
35 #include <linux/slab.h>
36 #include <linux/pagemap.h>
37 #include <linux/swap.h>
38 #include <linux/smp_lock.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for sysctl_local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <asm/uaccess.h>
54 #include <asm/semaphore.h>
55 #include <asm/ioctls.h>
56 #include <linux/bitops.h>
57 #include <linux/interrupt.h>
58 #include <linux/netdevice.h>    /* for network interface checks */
59 #include <linux/netlink.h>
60 #include <linux/tcp.h>
61 #include <linux/udp.h>
62 #include <linux/quota.h>
63 #include <linux/un.h>           /* for Unix socket types */
64 #include <net/af_unix.h>        /* for Unix socket types */
65 #include <linux/parser.h>
66 #include <linux/nfs_mount.h>
67 #include <net/ipv6.h>
68 #include <linux/hugetlb.h>
69 #include <linux/personality.h>
70 #include <linux/sysctl.h>
71 #include <linux/audit.h>
72 #include <linux/string.h>
73 #include <linux/selinux.h>
74 #include <linux/mutex.h>
75
76 #include "avc.h"
77 #include "objsec.h"
78 #include "netif.h"
79 #include "xfrm.h"
80 #include "selinux_netlabel.h"
81
82 #define XATTR_SELINUX_SUFFIX "selinux"
83 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84
85 extern unsigned int policydb_loaded_version;
86 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
87 extern int selinux_compat_net;
88
89 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
90 int selinux_enforcing = 0;
91
92 static int __init enforcing_setup(char *str)
93 {
94         selinux_enforcing = simple_strtol(str,NULL,0);
95         return 1;
96 }
97 __setup("enforcing=", enforcing_setup);
98 #endif
99
100 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
101 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
102
103 static int __init selinux_enabled_setup(char *str)
104 {
105         selinux_enabled = simple_strtol(str, NULL, 0);
106         return 1;
107 }
108 __setup("selinux=", selinux_enabled_setup);
109 #else
110 int selinux_enabled = 1;
111 #endif
112
113 /* Original (dummy) security module. */
114 static struct security_operations *original_ops = NULL;
115
116 /* Minimal support for a secondary security module,
117    just to allow the use of the dummy or capability modules.
118    The owlsm module can alternatively be used as a secondary
119    module as long as CONFIG_OWLSM_FD is not enabled. */
120 static struct security_operations *secondary_ops = NULL;
121
122 /* Lists of inode and superblock security structures initialized
123    before the policy was loaded. */
124 static LIST_HEAD(superblock_security_head);
125 static DEFINE_SPINLOCK(sb_security_lock);
126
127 static kmem_cache_t *sel_inode_cache;
128
129 /* Return security context for a given sid or just the context 
130    length if the buffer is null or length is 0 */
131 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
132 {
133         char *context;
134         unsigned len;
135         int rc;
136
137         rc = security_sid_to_context(sid, &context, &len);
138         if (rc)
139                 return rc;
140
141         if (!buffer || !size)
142                 goto getsecurity_exit;
143
144         if (size < len) {
145                 len = -ERANGE;
146                 goto getsecurity_exit;
147         }
148         memcpy(buffer, context, len);
149
150 getsecurity_exit:
151         kfree(context);
152         return len;
153 }
154
155 /* Allocate and free functions for each kind of security blob. */
156
157 static int task_alloc_security(struct task_struct *task)
158 {
159         struct task_security_struct *tsec;
160
161         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
162         if (!tsec)
163                 return -ENOMEM;
164
165         tsec->task = task;
166         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
167         task->security = tsec;
168
169         return 0;
170 }
171
172 static void task_free_security(struct task_struct *task)
173 {
174         struct task_security_struct *tsec = task->security;
175         task->security = NULL;
176         kfree(tsec);
177 }
178
179 static int inode_alloc_security(struct inode *inode)
180 {
181         struct task_security_struct *tsec = current->security;
182         struct inode_security_struct *isec;
183
184         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
185         if (!isec)
186                 return -ENOMEM;
187
188         memset(isec, 0, sizeof(*isec));
189         mutex_init(&isec->lock);
190         INIT_LIST_HEAD(&isec->list);
191         isec->inode = inode;
192         isec->sid = SECINITSID_UNLABELED;
193         isec->sclass = SECCLASS_FILE;
194         isec->task_sid = tsec->sid;
195         inode->i_security = isec;
196
197         return 0;
198 }
199
200 static void inode_free_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec = inode->i_security;
203         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
204
205         spin_lock(&sbsec->isec_lock);
206         if (!list_empty(&isec->list))
207                 list_del_init(&isec->list);
208         spin_unlock(&sbsec->isec_lock);
209
210         inode->i_security = NULL;
211         kmem_cache_free(sel_inode_cache, isec);
212 }
213
214 static int file_alloc_security(struct file *file)
215 {
216         struct task_security_struct *tsec = current->security;
217         struct file_security_struct *fsec;
218
219         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220         if (!fsec)
221                 return -ENOMEM;
222
223         fsec->file = file;
224         fsec->sid = tsec->sid;
225         fsec->fown_sid = tsec->sid;
226         file->f_security = fsec;
227
228         return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233         struct file_security_struct *fsec = file->f_security;
234         file->f_security = NULL;
235         kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240         struct superblock_security_struct *sbsec;
241
242         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243         if (!sbsec)
244                 return -ENOMEM;
245
246         init_MUTEX(&sbsec->sem);
247         INIT_LIST_HEAD(&sbsec->list);
248         INIT_LIST_HEAD(&sbsec->isec_head);
249         spin_lock_init(&sbsec->isec_lock);
250         sbsec->sb = sb;
251         sbsec->sid = SECINITSID_UNLABELED;
252         sbsec->def_sid = SECINITSID_FILE;
253         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254         sb->s_security = sbsec;
255
256         return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261         struct superblock_security_struct *sbsec = sb->s_security;
262
263         spin_lock(&sb_security_lock);
264         if (!list_empty(&sbsec->list))
265                 list_del_init(&sbsec->list);
266         spin_unlock(&sb_security_lock);
267
268         sb->s_security = NULL;
269         kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274         struct sk_security_struct *ssec;
275
276         ssec = kzalloc(sizeof(*ssec), priority);
277         if (!ssec)
278                 return -ENOMEM;
279
280         ssec->sk = sk;
281         ssec->peer_sid = SECINITSID_UNLABELED;
282         ssec->sid = SECINITSID_UNLABELED;
283         sk->sk_security = ssec;
284
285         selinux_netlbl_sk_security_init(ssec, family);
286
287         return 0;
288 }
289
290 static void sk_free_security(struct sock *sk)
291 {
292         struct sk_security_struct *ssec = sk->sk_security;
293
294         sk->sk_security = NULL;
295         kfree(ssec);
296 }
297
298 /* The security server must be initialized before
299    any labeling or access decisions can be provided. */
300 extern int ss_initialized;
301
302 /* The file system's label must be initialized prior to use. */
303
304 static char *labeling_behaviors[6] = {
305         "uses xattr",
306         "uses transition SIDs",
307         "uses task SIDs",
308         "uses genfs_contexts",
309         "not configured for labeling",
310         "uses mountpoint labeling",
311 };
312
313 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315 static inline int inode_doinit(struct inode *inode)
316 {
317         return inode_doinit_with_dentry(inode, NULL);
318 }
319
320 enum {
321         Opt_context = 1,
322         Opt_fscontext = 2,
323         Opt_defcontext = 4,
324         Opt_rootcontext = 8,
325 };
326
327 static match_table_t tokens = {
328         {Opt_context, "context=%s"},
329         {Opt_fscontext, "fscontext=%s"},
330         {Opt_defcontext, "defcontext=%s"},
331         {Opt_rootcontext, "rootcontext=%s"},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int try_context_mount(struct super_block *sb, void *data)
368 {
369         char *context = NULL, *defcontext = NULL;
370         char *fscontext = NULL, *rootcontext = NULL;
371         const char *name;
372         u32 sid;
373         int alloc = 0, rc = 0, seen = 0;
374         struct task_security_struct *tsec = current->security;
375         struct superblock_security_struct *sbsec = sb->s_security;
376
377         if (!data)
378                 goto out;
379
380         name = sb->s_type->name;
381
382         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383
384                 /* NFS we understand. */
385                 if (!strcmp(name, "nfs")) {
386                         struct nfs_mount_data *d = data;
387
388                         if (d->version <  NFS_MOUNT_VERSION)
389                                 goto out;
390
391                         if (d->context[0]) {
392                                 context = d->context;
393                                 seen |= Opt_context;
394                         }
395                 } else
396                         goto out;
397
398         } else {
399                 /* Standard string-based options. */
400                 char *p, *options = data;
401
402                 while ((p = strsep(&options, ",")) != NULL) {
403                         int token;
404                         substring_t args[MAX_OPT_ARGS];
405
406                         if (!*p)
407                                 continue;
408
409                         token = match_token(p, tokens, args);
410
411                         switch (token) {
412                         case Opt_context:
413                                 if (seen & (Opt_context|Opt_defcontext)) {
414                                         rc = -EINVAL;
415                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416                                         goto out_free;
417                                 }
418                                 context = match_strdup(&args[0]);
419                                 if (!context) {
420                                         rc = -ENOMEM;
421                                         goto out_free;
422                                 }
423                                 if (!alloc)
424                                         alloc = 1;
425                                 seen |= Opt_context;
426                                 break;
427
428                         case Opt_fscontext:
429                                 if (seen & Opt_fscontext) {
430                                         rc = -EINVAL;
431                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432                                         goto out_free;
433                                 }
434                                 fscontext = match_strdup(&args[0]);
435                                 if (!fscontext) {
436                                         rc = -ENOMEM;
437                                         goto out_free;
438                                 }
439                                 if (!alloc)
440                                         alloc = 1;
441                                 seen |= Opt_fscontext;
442                                 break;
443
444                         case Opt_rootcontext:
445                                 if (seen & Opt_rootcontext) {
446                                         rc = -EINVAL;
447                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448                                         goto out_free;
449                                 }
450                                 rootcontext = match_strdup(&args[0]);
451                                 if (!rootcontext) {
452                                         rc = -ENOMEM;
453                                         goto out_free;
454                                 }
455                                 if (!alloc)
456                                         alloc = 1;
457                                 seen |= Opt_rootcontext;
458                                 break;
459
460                         case Opt_defcontext:
461                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462                                         rc = -EINVAL;
463                                         printk(KERN_WARNING "SELinux:  "
464                                                "defcontext option is invalid "
465                                                "for this filesystem type\n");
466                                         goto out_free;
467                                 }
468                                 if (seen & (Opt_context|Opt_defcontext)) {
469                                         rc = -EINVAL;
470                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471                                         goto out_free;
472                                 }
473                                 defcontext = match_strdup(&args[0]);
474                                 if (!defcontext) {
475                                         rc = -ENOMEM;
476                                         goto out_free;
477                                 }
478                                 if (!alloc)
479                                         alloc = 1;
480                                 seen |= Opt_defcontext;
481                                 break;
482
483                         default:
484                                 rc = -EINVAL;
485                                 printk(KERN_WARNING "SELinux:  unknown mount "
486                                        "option\n");
487                                 goto out_free;
488
489                         }
490                 }
491         }
492
493         if (!seen)
494                 goto out;
495
496         /* sets the context of the superblock for the fs being mounted. */
497         if (fscontext) {
498                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
499                 if (rc) {
500                         printk(KERN_WARNING "SELinux: security_context_to_sid"
501                                "(%s) failed for (dev %s, type %s) errno=%d\n",
502                                fscontext, sb->s_id, name, rc);
503                         goto out_free;
504                 }
505
506                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
507                 if (rc)
508                         goto out_free;
509
510                 sbsec->sid = sid;
511         }
512
513         /*
514          * Switch to using mount point labeling behavior.
515          * sets the label used on all file below the mountpoint, and will set
516          * the superblock context if not already set.
517          */
518         if (context) {
519                 rc = security_context_to_sid(context, strlen(context), &sid);
520                 if (rc) {
521                         printk(KERN_WARNING "SELinux: security_context_to_sid"
522                                "(%s) failed for (dev %s, type %s) errno=%d\n",
523                                context, sb->s_id, name, rc);
524                         goto out_free;
525                 }
526
527                 if (!fscontext) {
528                         rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
529                         if (rc)
530                                 goto out_free;
531                         sbsec->sid = sid;
532                 } else {
533                         rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
534                         if (rc)
535                                 goto out_free;
536                 }
537                 sbsec->mntpoint_sid = sid;
538
539                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
540         }
541
542         if (rootcontext) {
543                 struct inode *inode = sb->s_root->d_inode;
544                 struct inode_security_struct *isec = inode->i_security;
545                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546                 if (rc) {
547                         printk(KERN_WARNING "SELinux: security_context_to_sid"
548                                "(%s) failed for (dev %s, type %s) errno=%d\n",
549                                rootcontext, sb->s_id, name, rc);
550                         goto out_free;
551                 }
552
553                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
554                 if (rc)
555                         goto out_free;
556
557                 isec->sid = sid;
558                 isec->initialized = 1;
559         }
560
561         if (defcontext) {
562                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563                 if (rc) {
564                         printk(KERN_WARNING "SELinux: security_context_to_sid"
565                                "(%s) failed for (dev %s, type %s) errno=%d\n",
566                                defcontext, sb->s_id, name, rc);
567                         goto out_free;
568                 }
569
570                 if (sid == sbsec->def_sid)
571                         goto out_free;
572
573                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
574                 if (rc)
575                         goto out_free;
576
577                 sbsec->def_sid = sid;
578         }
579
580 out_free:
581         if (alloc) {
582                 kfree(context);
583                 kfree(defcontext);
584                 kfree(fscontext);
585                 kfree(rootcontext);
586         }
587 out:
588         return rc;
589 }
590
591 static int superblock_doinit(struct super_block *sb, void *data)
592 {
593         struct superblock_security_struct *sbsec = sb->s_security;
594         struct dentry *root = sb->s_root;
595         struct inode *inode = root->d_inode;
596         int rc = 0;
597
598         down(&sbsec->sem);
599         if (sbsec->initialized)
600                 goto out;
601
602         if (!ss_initialized) {
603                 /* Defer initialization until selinux_complete_init,
604                    after the initial policy is loaded and the security
605                    server is ready to handle calls. */
606                 spin_lock(&sb_security_lock);
607                 if (list_empty(&sbsec->list))
608                         list_add(&sbsec->list, &superblock_security_head);
609                 spin_unlock(&sb_security_lock);
610                 goto out;
611         }
612
613         /* Determine the labeling behavior to use for this filesystem type. */
614         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615         if (rc) {
616                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
617                        __FUNCTION__, sb->s_type->name, rc);
618                 goto out;
619         }
620
621         rc = try_context_mount(sb, data);
622         if (rc)
623                 goto out;
624
625         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
626                 /* Make sure that the xattr handler exists and that no
627                    error other than -ENODATA is returned by getxattr on
628                    the root directory.  -ENODATA is ok, as this may be
629                    the first boot of the SELinux kernel before we have
630                    assigned xattr values to the filesystem. */
631                 if (!inode->i_op->getxattr) {
632                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
633                                "xattr support\n", sb->s_id, sb->s_type->name);
634                         rc = -EOPNOTSUPP;
635                         goto out;
636                 }
637                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
638                 if (rc < 0 && rc != -ENODATA) {
639                         if (rc == -EOPNOTSUPP)
640                                 printk(KERN_WARNING "SELinux: (dev %s, type "
641                                        "%s) has no security xattr handler\n",
642                                        sb->s_id, sb->s_type->name);
643                         else
644                                 printk(KERN_WARNING "SELinux: (dev %s, type "
645                                        "%s) getxattr errno %d\n", sb->s_id,
646                                        sb->s_type->name, -rc);
647                         goto out;
648                 }
649         }
650
651         if (strcmp(sb->s_type->name, "proc") == 0)
652                 sbsec->proc = 1;
653
654         sbsec->initialized = 1;
655
656         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
657                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
658                        sb->s_id, sb->s_type->name);
659         }
660         else {
661                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
662                        sb->s_id, sb->s_type->name,
663                        labeling_behaviors[sbsec->behavior-1]);
664         }
665
666         /* Initialize the root inode. */
667         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668
669         /* Initialize any other inodes associated with the superblock, e.g.
670            inodes created prior to initial policy load or inodes created
671            during get_sb by a pseudo filesystem that directly
672            populates itself. */
673         spin_lock(&sbsec->isec_lock);
674 next_inode:
675         if (!list_empty(&sbsec->isec_head)) {
676                 struct inode_security_struct *isec =
677                                 list_entry(sbsec->isec_head.next,
678                                            struct inode_security_struct, list);
679                 struct inode *inode = isec->inode;
680                 spin_unlock(&sbsec->isec_lock);
681                 inode = igrab(inode);
682                 if (inode) {
683                         if (!IS_PRIVATE (inode))
684                                 inode_doinit(inode);
685                         iput(inode);
686                 }
687                 spin_lock(&sbsec->isec_lock);
688                 list_del_init(&isec->list);
689                 goto next_inode;
690         }
691         spin_unlock(&sbsec->isec_lock);
692 out:
693         up(&sbsec->sem);
694         return rc;
695 }
696
697 static inline u16 inode_mode_to_security_class(umode_t mode)
698 {
699         switch (mode & S_IFMT) {
700         case S_IFSOCK:
701                 return SECCLASS_SOCK_FILE;
702         case S_IFLNK:
703                 return SECCLASS_LNK_FILE;
704         case S_IFREG:
705                 return SECCLASS_FILE;
706         case S_IFBLK:
707                 return SECCLASS_BLK_FILE;
708         case S_IFDIR:
709                 return SECCLASS_DIR;
710         case S_IFCHR:
711                 return SECCLASS_CHR_FILE;
712         case S_IFIFO:
713                 return SECCLASS_FIFO_FILE;
714
715         }
716
717         return SECCLASS_FILE;
718 }
719
720 static inline int default_protocol_stream(int protocol)
721 {
722         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723 }
724
725 static inline int default_protocol_dgram(int protocol)
726 {
727         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728 }
729
730 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
731 {
732         switch (family) {
733         case PF_UNIX:
734                 switch (type) {
735                 case SOCK_STREAM:
736                 case SOCK_SEQPACKET:
737                         return SECCLASS_UNIX_STREAM_SOCKET;
738                 case SOCK_DGRAM:
739                         return SECCLASS_UNIX_DGRAM_SOCKET;
740                 }
741                 break;
742         case PF_INET:
743         case PF_INET6:
744                 switch (type) {
745                 case SOCK_STREAM:
746                         if (default_protocol_stream(protocol))
747                                 return SECCLASS_TCP_SOCKET;
748                         else
749                                 return SECCLASS_RAWIP_SOCKET;
750                 case SOCK_DGRAM:
751                         if (default_protocol_dgram(protocol))
752                                 return SECCLASS_UDP_SOCKET;
753                         else
754                                 return SECCLASS_RAWIP_SOCKET;
755                 default:
756                         return SECCLASS_RAWIP_SOCKET;
757                 }
758                 break;
759         case PF_NETLINK:
760                 switch (protocol) {
761                 case NETLINK_ROUTE:
762                         return SECCLASS_NETLINK_ROUTE_SOCKET;
763                 case NETLINK_FIREWALL:
764                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
765                 case NETLINK_INET_DIAG:
766                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
767                 case NETLINK_NFLOG:
768                         return SECCLASS_NETLINK_NFLOG_SOCKET;
769                 case NETLINK_XFRM:
770                         return SECCLASS_NETLINK_XFRM_SOCKET;
771                 case NETLINK_SELINUX:
772                         return SECCLASS_NETLINK_SELINUX_SOCKET;
773                 case NETLINK_AUDIT:
774                         return SECCLASS_NETLINK_AUDIT_SOCKET;
775                 case NETLINK_IP6_FW:
776                         return SECCLASS_NETLINK_IP6FW_SOCKET;
777                 case NETLINK_DNRTMSG:
778                         return SECCLASS_NETLINK_DNRT_SOCKET;
779                 case NETLINK_KOBJECT_UEVENT:
780                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
781                 default:
782                         return SECCLASS_NETLINK_SOCKET;
783                 }
784         case PF_PACKET:
785                 return SECCLASS_PACKET_SOCKET;
786         case PF_KEY:
787                 return SECCLASS_KEY_SOCKET;
788         case PF_APPLETALK:
789                 return SECCLASS_APPLETALK_SOCKET;
790         }
791
792         return SECCLASS_SOCKET;
793 }
794
795 #ifdef CONFIG_PROC_FS
796 static int selinux_proc_get_sid(struct proc_dir_entry *de,
797                                 u16 tclass,
798                                 u32 *sid)
799 {
800         int buflen, rc;
801         char *buffer, *path, *end;
802
803         buffer = (char*)__get_free_page(GFP_KERNEL);
804         if (!buffer)
805                 return -ENOMEM;
806
807         buflen = PAGE_SIZE;
808         end = buffer+buflen;
809         *--end = '\0';
810         buflen--;
811         path = end-1;
812         *path = '/';
813         while (de && de != de->parent) {
814                 buflen -= de->namelen + 1;
815                 if (buflen < 0)
816                         break;
817                 end -= de->namelen;
818                 memcpy(end, de->name, de->namelen);
819                 *--end = '/';
820                 path = end;
821                 de = de->parent;
822         }
823         rc = security_genfs_sid("proc", path, tclass, sid);
824         free_page((unsigned long)buffer);
825         return rc;
826 }
827 #else
828 static int selinux_proc_get_sid(struct proc_dir_entry *de,
829                                 u16 tclass,
830                                 u32 *sid)
831 {
832         return -EINVAL;
833 }
834 #endif
835
836 /* The inode's security attributes must be initialized before first use. */
837 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
838 {
839         struct superblock_security_struct *sbsec = NULL;
840         struct inode_security_struct *isec = inode->i_security;
841         u32 sid;
842         struct dentry *dentry;
843 #define INITCONTEXTLEN 255
844         char *context = NULL;
845         unsigned len = 0;
846         int rc = 0;
847
848         if (isec->initialized)
849                 goto out;
850
851         mutex_lock(&isec->lock);
852         if (isec->initialized)
853                 goto out_unlock;
854
855         sbsec = inode->i_sb->s_security;
856         if (!sbsec->initialized) {
857                 /* Defer initialization until selinux_complete_init,
858                    after the initial policy is loaded and the security
859                    server is ready to handle calls. */
860                 spin_lock(&sbsec->isec_lock);
861                 if (list_empty(&isec->list))
862                         list_add(&isec->list, &sbsec->isec_head);
863                 spin_unlock(&sbsec->isec_lock);
864                 goto out_unlock;
865         }
866
867         switch (sbsec->behavior) {
868         case SECURITY_FS_USE_XATTR:
869                 if (!inode->i_op->getxattr) {
870                         isec->sid = sbsec->def_sid;
871                         break;
872                 }
873
874                 /* Need a dentry, since the xattr API requires one.
875                    Life would be simpler if we could just pass the inode. */
876                 if (opt_dentry) {
877                         /* Called from d_instantiate or d_splice_alias. */
878                         dentry = dget(opt_dentry);
879                 } else {
880                         /* Called from selinux_complete_init, try to find a dentry. */
881                         dentry = d_find_alias(inode);
882                 }
883                 if (!dentry) {
884                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
885                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
886                                inode->i_ino);
887                         goto out_unlock;
888                 }
889
890                 len = INITCONTEXTLEN;
891                 context = kmalloc(len, GFP_KERNEL);
892                 if (!context) {
893                         rc = -ENOMEM;
894                         dput(dentry);
895                         goto out_unlock;
896                 }
897                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
898                                            context, len);
899                 if (rc == -ERANGE) {
900                         /* Need a larger buffer.  Query for the right size. */
901                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
902                                                    NULL, 0);
903                         if (rc < 0) {
904                                 dput(dentry);
905                                 goto out_unlock;
906                         }
907                         kfree(context);
908                         len = rc;
909                         context = kmalloc(len, GFP_KERNEL);
910                         if (!context) {
911                                 rc = -ENOMEM;
912                                 dput(dentry);
913                                 goto out_unlock;
914                         }
915                         rc = inode->i_op->getxattr(dentry,
916                                                    XATTR_NAME_SELINUX,
917                                                    context, len);
918                 }
919                 dput(dentry);
920                 if (rc < 0) {
921                         if (rc != -ENODATA) {
922                                 printk(KERN_WARNING "%s:  getxattr returned "
923                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
924                                        -rc, inode->i_sb->s_id, inode->i_ino);
925                                 kfree(context);
926                                 goto out_unlock;
927                         }
928                         /* Map ENODATA to the default file SID */
929                         sid = sbsec->def_sid;
930                         rc = 0;
931                 } else {
932                         rc = security_context_to_sid_default(context, rc, &sid,
933                                                              sbsec->def_sid);
934                         if (rc) {
935                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
936                                        "returned %d for dev=%s ino=%ld\n",
937                                        __FUNCTION__, context, -rc,
938                                        inode->i_sb->s_id, inode->i_ino);
939                                 kfree(context);
940                                 /* Leave with the unlabeled SID */
941                                 rc = 0;
942                                 break;
943                         }
944                 }
945                 kfree(context);
946                 isec->sid = sid;
947                 break;
948         case SECURITY_FS_USE_TASK:
949                 isec->sid = isec->task_sid;
950                 break;
951         case SECURITY_FS_USE_TRANS:
952                 /* Default to the fs SID. */
953                 isec->sid = sbsec->sid;
954
955                 /* Try to obtain a transition SID. */
956                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
957                 rc = security_transition_sid(isec->task_sid,
958                                              sbsec->sid,
959                                              isec->sclass,
960                                              &sid);
961                 if (rc)
962                         goto out_unlock;
963                 isec->sid = sid;
964                 break;
965         case SECURITY_FS_USE_MNTPOINT:
966                 isec->sid = sbsec->mntpoint_sid;
967                 break;
968         default:
969                 /* Default to the fs superblock SID. */
970                 isec->sid = sbsec->sid;
971
972                 if (sbsec->proc) {
973                         struct proc_inode *proci = PROC_I(inode);
974                         if (proci->pde) {
975                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
976                                 rc = selinux_proc_get_sid(proci->pde,
977                                                           isec->sclass,
978                                                           &sid);
979                                 if (rc)
980                                         goto out_unlock;
981                                 isec->sid = sid;
982                         }
983                 }
984                 break;
985         }
986
987         isec->initialized = 1;
988
989 out_unlock:
990         mutex_unlock(&isec->lock);
991 out:
992         if (isec->sclass == SECCLASS_FILE)
993                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
994         return rc;
995 }
996
997 /* Convert a Linux signal to an access vector. */
998 static inline u32 signal_to_av(int sig)
999 {
1000         u32 perm = 0;
1001
1002         switch (sig) {
1003         case SIGCHLD:
1004                 /* Commonly granted from child to parent. */
1005                 perm = PROCESS__SIGCHLD;
1006                 break;
1007         case SIGKILL:
1008                 /* Cannot be caught or ignored */
1009                 perm = PROCESS__SIGKILL;
1010                 break;
1011         case SIGSTOP:
1012                 /* Cannot be caught or ignored */
1013                 perm = PROCESS__SIGSTOP;
1014                 break;
1015         default:
1016                 /* All other signals. */
1017                 perm = PROCESS__SIGNAL;
1018                 break;
1019         }
1020
1021         return perm;
1022 }
1023
1024 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1025    fork check, ptrace check, etc. */
1026 static int task_has_perm(struct task_struct *tsk1,
1027                          struct task_struct *tsk2,
1028                          u32 perms)
1029 {
1030         struct task_security_struct *tsec1, *tsec2;
1031
1032         tsec1 = tsk1->security;
1033         tsec2 = tsk2->security;
1034         return avc_has_perm(tsec1->sid, tsec2->sid,
1035                             SECCLASS_PROCESS, perms, NULL);
1036 }
1037
1038 /* Check whether a task is allowed to use a capability. */
1039 static int task_has_capability(struct task_struct *tsk,
1040                                int cap)
1041 {
1042         struct task_security_struct *tsec;
1043         struct avc_audit_data ad;
1044
1045         tsec = tsk->security;
1046
1047         AVC_AUDIT_DATA_INIT(&ad,CAP);
1048         ad.tsk = tsk;
1049         ad.u.cap = cap;
1050
1051         return avc_has_perm(tsec->sid, tsec->sid,
1052                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1053 }
1054
1055 /* Check whether a task is allowed to use a system operation. */
1056 static int task_has_system(struct task_struct *tsk,
1057                            u32 perms)
1058 {
1059         struct task_security_struct *tsec;
1060
1061         tsec = tsk->security;
1062
1063         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1064                             SECCLASS_SYSTEM, perms, NULL);
1065 }
1066
1067 /* Check whether a task has a particular permission to an inode.
1068    The 'adp' parameter is optional and allows other audit
1069    data to be passed (e.g. the dentry). */
1070 static int inode_has_perm(struct task_struct *tsk,
1071                           struct inode *inode,
1072                           u32 perms,
1073                           struct avc_audit_data *adp)
1074 {
1075         struct task_security_struct *tsec;
1076         struct inode_security_struct *isec;
1077         struct avc_audit_data ad;
1078
1079         tsec = tsk->security;
1080         isec = inode->i_security;
1081
1082         if (!adp) {
1083                 adp = &ad;
1084                 AVC_AUDIT_DATA_INIT(&ad, FS);
1085                 ad.u.fs.inode = inode;
1086         }
1087
1088         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1089 }
1090
1091 /* Same as inode_has_perm, but pass explicit audit data containing
1092    the dentry to help the auditing code to more easily generate the
1093    pathname if needed. */
1094 static inline int dentry_has_perm(struct task_struct *tsk,
1095                                   struct vfsmount *mnt,
1096                                   struct dentry *dentry,
1097                                   u32 av)
1098 {
1099         struct inode *inode = dentry->d_inode;
1100         struct avc_audit_data ad;
1101         AVC_AUDIT_DATA_INIT(&ad,FS);
1102         ad.u.fs.mnt = mnt;
1103         ad.u.fs.dentry = dentry;
1104         return inode_has_perm(tsk, inode, av, &ad);
1105 }
1106
1107 /* Check whether a task can use an open file descriptor to
1108    access an inode in a given way.  Check access to the
1109    descriptor itself, and then use dentry_has_perm to
1110    check a particular permission to the file.
1111    Access to the descriptor is implicitly granted if it
1112    has the same SID as the process.  If av is zero, then
1113    access to the file is not checked, e.g. for cases
1114    where only the descriptor is affected like seek. */
1115 static int file_has_perm(struct task_struct *tsk,
1116                                 struct file *file,
1117                                 u32 av)
1118 {
1119         struct task_security_struct *tsec = tsk->security;
1120         struct file_security_struct *fsec = file->f_security;
1121         struct vfsmount *mnt = file->f_vfsmnt;
1122         struct dentry *dentry = file->f_dentry;
1123         struct inode *inode = dentry->d_inode;
1124         struct avc_audit_data ad;
1125         int rc;
1126
1127         AVC_AUDIT_DATA_INIT(&ad, FS);
1128         ad.u.fs.mnt = mnt;
1129         ad.u.fs.dentry = dentry;
1130
1131         if (tsec->sid != fsec->sid) {
1132                 rc = avc_has_perm(tsec->sid, fsec->sid,
1133                                   SECCLASS_FD,
1134                                   FD__USE,
1135                                   &ad);
1136                 if (rc)
1137                         return rc;
1138         }
1139
1140         /* av is zero if only checking access to the descriptor. */
1141         if (av)
1142                 return inode_has_perm(tsk, inode, av, &ad);
1143
1144         return 0;
1145 }
1146
1147 /* Check whether a task can create a file. */
1148 static int may_create(struct inode *dir,
1149                       struct dentry *dentry,
1150                       u16 tclass)
1151 {
1152         struct task_security_struct *tsec;
1153         struct inode_security_struct *dsec;
1154         struct superblock_security_struct *sbsec;
1155         u32 newsid;
1156         struct avc_audit_data ad;
1157         int rc;
1158
1159         tsec = current->security;
1160         dsec = dir->i_security;
1161         sbsec = dir->i_sb->s_security;
1162
1163         AVC_AUDIT_DATA_INIT(&ad, FS);
1164         ad.u.fs.dentry = dentry;
1165
1166         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1167                           DIR__ADD_NAME | DIR__SEARCH,
1168                           &ad);
1169         if (rc)
1170                 return rc;
1171
1172         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1173                 newsid = tsec->create_sid;
1174         } else {
1175                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1176                                              &newsid);
1177                 if (rc)
1178                         return rc;
1179         }
1180
1181         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1182         if (rc)
1183                 return rc;
1184
1185         return avc_has_perm(newsid, sbsec->sid,
1186                             SECCLASS_FILESYSTEM,
1187                             FILESYSTEM__ASSOCIATE, &ad);
1188 }
1189
1190 /* Check whether a task can create a key. */
1191 static int may_create_key(u32 ksid,
1192                           struct task_struct *ctx)
1193 {
1194         struct task_security_struct *tsec;
1195
1196         tsec = ctx->security;
1197
1198         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1199 }
1200
1201 #define MAY_LINK   0
1202 #define MAY_UNLINK 1
1203 #define MAY_RMDIR  2
1204
1205 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1206 static int may_link(struct inode *dir,
1207                     struct dentry *dentry,
1208                     int kind)
1209
1210 {
1211         struct task_security_struct *tsec;
1212         struct inode_security_struct *dsec, *isec;
1213         struct avc_audit_data ad;
1214         u32 av;
1215         int rc;
1216
1217         tsec = current->security;
1218         dsec = dir->i_security;
1219         isec = dentry->d_inode->i_security;
1220
1221         AVC_AUDIT_DATA_INIT(&ad, FS);
1222         ad.u.fs.dentry = dentry;
1223
1224         av = DIR__SEARCH;
1225         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1226         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1227         if (rc)
1228                 return rc;
1229
1230         switch (kind) {
1231         case MAY_LINK:
1232                 av = FILE__LINK;
1233                 break;
1234         case MAY_UNLINK:
1235                 av = FILE__UNLINK;
1236                 break;
1237         case MAY_RMDIR:
1238                 av = DIR__RMDIR;
1239                 break;
1240         default:
1241                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1242                 return 0;
1243         }
1244
1245         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1246         return rc;
1247 }
1248
1249 static inline int may_rename(struct inode *old_dir,
1250                              struct dentry *old_dentry,
1251                              struct inode *new_dir,
1252                              struct dentry *new_dentry)
1253 {
1254         struct task_security_struct *tsec;
1255         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1256         struct avc_audit_data ad;
1257         u32 av;
1258         int old_is_dir, new_is_dir;
1259         int rc;
1260
1261         tsec = current->security;
1262         old_dsec = old_dir->i_security;
1263         old_isec = old_dentry->d_inode->i_security;
1264         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1265         new_dsec = new_dir->i_security;
1266
1267         AVC_AUDIT_DATA_INIT(&ad, FS);
1268
1269         ad.u.fs.dentry = old_dentry;
1270         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1271                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1272         if (rc)
1273                 return rc;
1274         rc = avc_has_perm(tsec->sid, old_isec->sid,
1275                           old_isec->sclass, FILE__RENAME, &ad);
1276         if (rc)
1277                 return rc;
1278         if (old_is_dir && new_dir != old_dir) {
1279                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1280                                   old_isec->sclass, DIR__REPARENT, &ad);
1281                 if (rc)
1282                         return rc;
1283         }
1284
1285         ad.u.fs.dentry = new_dentry;
1286         av = DIR__ADD_NAME | DIR__SEARCH;
1287         if (new_dentry->d_inode)
1288                 av |= DIR__REMOVE_NAME;
1289         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1290         if (rc)
1291                 return rc;
1292         if (new_dentry->d_inode) {
1293                 new_isec = new_dentry->d_inode->i_security;
1294                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1295                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1296                                   new_isec->sclass,
1297                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1298                 if (rc)
1299                         return rc;
1300         }
1301
1302         return 0;
1303 }
1304
1305 /* Check whether a task can perform a filesystem operation. */
1306 static int superblock_has_perm(struct task_struct *tsk,
1307                                struct super_block *sb,
1308                                u32 perms,
1309                                struct avc_audit_data *ad)
1310 {
1311         struct task_security_struct *tsec;
1312         struct superblock_security_struct *sbsec;
1313
1314         tsec = tsk->security;
1315         sbsec = sb->s_security;
1316         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1317                             perms, ad);
1318 }
1319
1320 /* Convert a Linux mode and permission mask to an access vector. */
1321 static inline u32 file_mask_to_av(int mode, int mask)
1322 {
1323         u32 av = 0;
1324
1325         if ((mode & S_IFMT) != S_IFDIR) {
1326                 if (mask & MAY_EXEC)
1327                         av |= FILE__EXECUTE;
1328                 if (mask & MAY_READ)
1329                         av |= FILE__READ;
1330
1331                 if (mask & MAY_APPEND)
1332                         av |= FILE__APPEND;
1333                 else if (mask & MAY_WRITE)
1334                         av |= FILE__WRITE;
1335
1336         } else {
1337                 if (mask & MAY_EXEC)
1338                         av |= DIR__SEARCH;
1339                 if (mask & MAY_WRITE)
1340                         av |= DIR__WRITE;
1341                 if (mask & MAY_READ)
1342                         av |= DIR__READ;
1343         }
1344
1345         return av;
1346 }
1347
1348 /* Convert a Linux file to an access vector. */
1349 static inline u32 file_to_av(struct file *file)
1350 {
1351         u32 av = 0;
1352
1353         if (file->f_mode & FMODE_READ)
1354                 av |= FILE__READ;
1355         if (file->f_mode & FMODE_WRITE) {
1356                 if (file->f_flags & O_APPEND)
1357                         av |= FILE__APPEND;
1358                 else
1359                         av |= FILE__WRITE;
1360         }
1361
1362         return av;
1363 }
1364
1365 /* Hook functions begin here. */
1366
1367 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1368 {
1369         struct task_security_struct *psec = parent->security;
1370         struct task_security_struct *csec = child->security;
1371         int rc;
1372
1373         rc = secondary_ops->ptrace(parent,child);
1374         if (rc)
1375                 return rc;
1376
1377         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1378         /* Save the SID of the tracing process for later use in apply_creds. */
1379         if (!(child->ptrace & PT_PTRACED) && !rc)
1380                 csec->ptrace_sid = psec->sid;
1381         return rc;
1382 }
1383
1384 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1385                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1386 {
1387         int error;
1388
1389         error = task_has_perm(current, target, PROCESS__GETCAP);
1390         if (error)
1391                 return error;
1392
1393         return secondary_ops->capget(target, effective, inheritable, permitted);
1394 }
1395
1396 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1397                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1398 {
1399         int error;
1400
1401         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1402         if (error)
1403                 return error;
1404
1405         return task_has_perm(current, target, PROCESS__SETCAP);
1406 }
1407
1408 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1409                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1410 {
1411         secondary_ops->capset_set(target, effective, inheritable, permitted);
1412 }
1413
1414 static int selinux_capable(struct task_struct *tsk, int cap)
1415 {
1416         int rc;
1417
1418         rc = secondary_ops->capable(tsk, cap);
1419         if (rc)
1420                 return rc;
1421
1422         return task_has_capability(tsk,cap);
1423 }
1424
1425 static int selinux_sysctl(ctl_table *table, int op)
1426 {
1427         int error = 0;
1428         u32 av;
1429         struct task_security_struct *tsec;
1430         u32 tsid;
1431         int rc;
1432
1433         rc = secondary_ops->sysctl(table, op);
1434         if (rc)
1435                 return rc;
1436
1437         tsec = current->security;
1438
1439         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1440                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1441         if (rc) {
1442                 /* Default to the well-defined sysctl SID. */
1443                 tsid = SECINITSID_SYSCTL;
1444         }
1445
1446         /* The op values are "defined" in sysctl.c, thereby creating
1447          * a bad coupling between this module and sysctl.c */
1448         if(op == 001) {
1449                 error = avc_has_perm(tsec->sid, tsid,
1450                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1451         } else {
1452                 av = 0;
1453                 if (op & 004)
1454                         av |= FILE__READ;
1455                 if (op & 002)
1456                         av |= FILE__WRITE;
1457                 if (av)
1458                         error = avc_has_perm(tsec->sid, tsid,
1459                                              SECCLASS_FILE, av, NULL);
1460         }
1461
1462         return error;
1463 }
1464
1465 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1466 {
1467         int rc = 0;
1468
1469         if (!sb)
1470                 return 0;
1471
1472         switch (cmds) {
1473                 case Q_SYNC:
1474                 case Q_QUOTAON:
1475                 case Q_QUOTAOFF:
1476                 case Q_SETINFO:
1477                 case Q_SETQUOTA:
1478                         rc = superblock_has_perm(current,
1479                                                  sb,
1480                                                  FILESYSTEM__QUOTAMOD, NULL);
1481                         break;
1482                 case Q_GETFMT:
1483                 case Q_GETINFO:
1484                 case Q_GETQUOTA:
1485                         rc = superblock_has_perm(current,
1486                                                  sb,
1487                                                  FILESYSTEM__QUOTAGET, NULL);
1488                         break;
1489                 default:
1490                         rc = 0;  /* let the kernel handle invalid cmds */
1491                         break;
1492         }
1493         return rc;
1494 }
1495
1496 static int selinux_quota_on(struct dentry *dentry)
1497 {
1498         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1499 }
1500
1501 static int selinux_syslog(int type)
1502 {
1503         int rc;
1504
1505         rc = secondary_ops->syslog(type);
1506         if (rc)
1507                 return rc;
1508
1509         switch (type) {
1510                 case 3:         /* Read last kernel messages */
1511                 case 10:        /* Return size of the log buffer */
1512                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1513                         break;
1514                 case 6:         /* Disable logging to console */
1515                 case 7:         /* Enable logging to console */
1516                 case 8:         /* Set level of messages printed to console */
1517                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1518                         break;
1519                 case 0:         /* Close log */
1520                 case 1:         /* Open log */
1521                 case 2:         /* Read from log */
1522                 case 4:         /* Read/clear last kernel messages */
1523                 case 5:         /* Clear ring buffer */
1524                 default:
1525                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1526                         break;
1527         }
1528         return rc;
1529 }
1530
1531 /*
1532  * Check that a process has enough memory to allocate a new virtual
1533  * mapping. 0 means there is enough memory for the allocation to
1534  * succeed and -ENOMEM implies there is not.
1535  *
1536  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1537  * if the capability is granted, but __vm_enough_memory requires 1 if
1538  * the capability is granted.
1539  *
1540  * Do not audit the selinux permission check, as this is applied to all
1541  * processes that allocate mappings.
1542  */
1543 static int selinux_vm_enough_memory(long pages)
1544 {
1545         int rc, cap_sys_admin = 0;
1546         struct task_security_struct *tsec = current->security;
1547
1548         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1549         if (rc == 0)
1550                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1551                                         SECCLASS_CAPABILITY,
1552                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1553                                         NULL);
1554
1555         if (rc == 0)
1556                 cap_sys_admin = 1;
1557
1558         return __vm_enough_memory(pages, cap_sys_admin);
1559 }
1560
1561 /* binprm security operations */
1562
1563 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1564 {
1565         struct bprm_security_struct *bsec;
1566
1567         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1568         if (!bsec)
1569                 return -ENOMEM;
1570
1571         bsec->bprm = bprm;
1572         bsec->sid = SECINITSID_UNLABELED;
1573         bsec->set = 0;
1574
1575         bprm->security = bsec;
1576         return 0;
1577 }
1578
1579 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1580 {
1581         struct task_security_struct *tsec;
1582         struct inode *inode = bprm->file->f_dentry->d_inode;
1583         struct inode_security_struct *isec;
1584         struct bprm_security_struct *bsec;
1585         u32 newsid;
1586         struct avc_audit_data ad;
1587         int rc;
1588
1589         rc = secondary_ops->bprm_set_security(bprm);
1590         if (rc)
1591                 return rc;
1592
1593         bsec = bprm->security;
1594
1595         if (bsec->set)
1596                 return 0;
1597
1598         tsec = current->security;
1599         isec = inode->i_security;
1600
1601         /* Default to the current task SID. */
1602         bsec->sid = tsec->sid;
1603
1604         /* Reset fs, key, and sock SIDs on execve. */
1605         tsec->create_sid = 0;
1606         tsec->keycreate_sid = 0;
1607         tsec->sockcreate_sid = 0;
1608
1609         if (tsec->exec_sid) {
1610                 newsid = tsec->exec_sid;
1611                 /* Reset exec SID on execve. */
1612                 tsec->exec_sid = 0;
1613         } else {
1614                 /* Check for a default transition on this program. */
1615                 rc = security_transition_sid(tsec->sid, isec->sid,
1616                                              SECCLASS_PROCESS, &newsid);
1617                 if (rc)
1618                         return rc;
1619         }
1620
1621         AVC_AUDIT_DATA_INIT(&ad, FS);
1622         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1623         ad.u.fs.dentry = bprm->file->f_dentry;
1624
1625         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1626                 newsid = tsec->sid;
1627
1628         if (tsec->sid == newsid) {
1629                 rc = avc_has_perm(tsec->sid, isec->sid,
1630                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1631                 if (rc)
1632                         return rc;
1633         } else {
1634                 /* Check permissions for the transition. */
1635                 rc = avc_has_perm(tsec->sid, newsid,
1636                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1637                 if (rc)
1638                         return rc;
1639
1640                 rc = avc_has_perm(newsid, isec->sid,
1641                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1642                 if (rc)
1643                         return rc;
1644
1645                 /* Clear any possibly unsafe personality bits on exec: */
1646                 current->personality &= ~PER_CLEAR_ON_SETID;
1647
1648                 /* Set the security field to the new SID. */
1649                 bsec->sid = newsid;
1650         }
1651
1652         bsec->set = 1;
1653         return 0;
1654 }
1655
1656 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1657 {
1658         return secondary_ops->bprm_check_security(bprm);
1659 }
1660
1661
1662 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1663 {
1664         struct task_security_struct *tsec = current->security;
1665         int atsecure = 0;
1666
1667         if (tsec->osid != tsec->sid) {
1668                 /* Enable secure mode for SIDs transitions unless
1669                    the noatsecure permission is granted between
1670                    the two SIDs, i.e. ahp returns 0. */
1671                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1672                                          SECCLASS_PROCESS,
1673                                          PROCESS__NOATSECURE, NULL);
1674         }
1675
1676         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1677 }
1678
1679 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1680 {
1681         kfree(bprm->security);
1682         bprm->security = NULL;
1683 }
1684
1685 extern struct vfsmount *selinuxfs_mount;
1686 extern struct dentry *selinux_null;
1687
1688 /* Derived from fs/exec.c:flush_old_files. */
1689 static inline void flush_unauthorized_files(struct files_struct * files)
1690 {
1691         struct avc_audit_data ad;
1692         struct file *file, *devnull = NULL;
1693         struct tty_struct *tty = current->signal->tty;
1694         struct fdtable *fdt;
1695         long j = -1;
1696
1697         if (tty) {
1698                 file_list_lock();
1699                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1700                 if (file) {
1701                         /* Revalidate access to controlling tty.
1702                            Use inode_has_perm on the tty inode directly rather
1703                            than using file_has_perm, as this particular open
1704                            file may belong to another process and we are only
1705                            interested in the inode-based check here. */
1706                         struct inode *inode = file->f_dentry->d_inode;
1707                         if (inode_has_perm(current, inode,
1708                                            FILE__READ | FILE__WRITE, NULL)) {
1709                                 /* Reset controlling tty. */
1710                                 current->signal->tty = NULL;
1711                                 current->signal->tty_old_pgrp = 0;
1712                         }
1713                 }
1714                 file_list_unlock();
1715         }
1716
1717         /* Revalidate access to inherited open files. */
1718
1719         AVC_AUDIT_DATA_INIT(&ad,FS);
1720
1721         spin_lock(&files->file_lock);
1722         for (;;) {
1723                 unsigned long set, i;
1724                 int fd;
1725
1726                 j++;
1727                 i = j * __NFDBITS;
1728                 fdt = files_fdtable(files);
1729                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1730                         break;
1731                 set = fdt->open_fds->fds_bits[j];
1732                 if (!set)
1733                         continue;
1734                 spin_unlock(&files->file_lock);
1735                 for ( ; set ; i++,set >>= 1) {
1736                         if (set & 1) {
1737                                 file = fget(i);
1738                                 if (!file)
1739                                         continue;
1740                                 if (file_has_perm(current,
1741                                                   file,
1742                                                   file_to_av(file))) {
1743                                         sys_close(i);
1744                                         fd = get_unused_fd();
1745                                         if (fd != i) {
1746                                                 if (fd >= 0)
1747                                                         put_unused_fd(fd);
1748                                                 fput(file);
1749                                                 continue;
1750                                         }
1751                                         if (devnull) {
1752                                                 get_file(devnull);
1753                                         } else {
1754                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1755                                                 if (!devnull) {
1756                                                         put_unused_fd(fd);
1757                                                         fput(file);
1758                                                         continue;
1759                                                 }
1760                                         }
1761                                         fd_install(fd, devnull);
1762                                 }
1763                                 fput(file);
1764                         }
1765                 }
1766                 spin_lock(&files->file_lock);
1767
1768         }
1769         spin_unlock(&files->file_lock);
1770 }
1771
1772 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1773 {
1774         struct task_security_struct *tsec;
1775         struct bprm_security_struct *bsec;
1776         u32 sid;
1777         int rc;
1778
1779         secondary_ops->bprm_apply_creds(bprm, unsafe);
1780
1781         tsec = current->security;
1782
1783         bsec = bprm->security;
1784         sid = bsec->sid;
1785
1786         tsec->osid = tsec->sid;
1787         bsec->unsafe = 0;
1788         if (tsec->sid != sid) {
1789                 /* Check for shared state.  If not ok, leave SID
1790                    unchanged and kill. */
1791                 if (unsafe & LSM_UNSAFE_SHARE) {
1792                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1793                                         PROCESS__SHARE, NULL);
1794                         if (rc) {
1795                                 bsec->unsafe = 1;
1796                                 return;
1797                         }
1798                 }
1799
1800                 /* Check for ptracing, and update the task SID if ok.
1801                    Otherwise, leave SID unchanged and kill. */
1802                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1803                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1804                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1805                                           NULL);
1806                         if (rc) {
1807                                 bsec->unsafe = 1;
1808                                 return;
1809                         }
1810                 }
1811                 tsec->sid = sid;
1812         }
1813 }
1814
1815 /*
1816  * called after apply_creds without the task lock held
1817  */
1818 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1819 {
1820         struct task_security_struct *tsec;
1821         struct rlimit *rlim, *initrlim;
1822         struct itimerval itimer;
1823         struct bprm_security_struct *bsec;
1824         int rc, i;
1825
1826         tsec = current->security;
1827         bsec = bprm->security;
1828
1829         if (bsec->unsafe) {
1830                 force_sig_specific(SIGKILL, current);
1831                 return;
1832         }
1833         if (tsec->osid == tsec->sid)
1834                 return;
1835
1836         /* Close files for which the new task SID is not authorized. */
1837         flush_unauthorized_files(current->files);
1838
1839         /* Check whether the new SID can inherit signal state
1840            from the old SID.  If not, clear itimers to avoid
1841            subsequent signal generation and flush and unblock
1842            signals. This must occur _after_ the task SID has
1843           been updated so that any kill done after the flush
1844           will be checked against the new SID. */
1845         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1846                           PROCESS__SIGINH, NULL);
1847         if (rc) {
1848                 memset(&itimer, 0, sizeof itimer);
1849                 for (i = 0; i < 3; i++)
1850                         do_setitimer(i, &itimer, NULL);
1851                 flush_signals(current);
1852                 spin_lock_irq(&current->sighand->siglock);
1853                 flush_signal_handlers(current, 1);
1854                 sigemptyset(&current->blocked);
1855                 recalc_sigpending();
1856                 spin_unlock_irq(&current->sighand->siglock);
1857         }
1858
1859         /* Check whether the new SID can inherit resource limits
1860            from the old SID.  If not, reset all soft limits to
1861            the lower of the current task's hard limit and the init
1862            task's soft limit.  Note that the setting of hard limits
1863            (even to lower them) can be controlled by the setrlimit
1864            check. The inclusion of the init task's soft limit into
1865            the computation is to avoid resetting soft limits higher
1866            than the default soft limit for cases where the default
1867            is lower than the hard limit, e.g. RLIMIT_CORE or
1868            RLIMIT_STACK.*/
1869         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1870                           PROCESS__RLIMITINH, NULL);
1871         if (rc) {
1872                 for (i = 0; i < RLIM_NLIMITS; i++) {
1873                         rlim = current->signal->rlim + i;
1874                         initrlim = init_task.signal->rlim+i;
1875                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1876                 }
1877                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1878                         /*
1879                          * This will cause RLIMIT_CPU calculations
1880                          * to be refigured.
1881                          */
1882                         current->it_prof_expires = jiffies_to_cputime(1);
1883                 }
1884         }
1885
1886         /* Wake up the parent if it is waiting so that it can
1887            recheck wait permission to the new task SID. */
1888         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1889 }
1890
1891 /* superblock security operations */
1892
1893 static int selinux_sb_alloc_security(struct super_block *sb)
1894 {
1895         return superblock_alloc_security(sb);
1896 }
1897
1898 static void selinux_sb_free_security(struct super_block *sb)
1899 {
1900         superblock_free_security(sb);
1901 }
1902
1903 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1904 {
1905         if (plen > olen)
1906                 return 0;
1907
1908         return !memcmp(prefix, option, plen);
1909 }
1910
1911 static inline int selinux_option(char *option, int len)
1912 {
1913         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1914                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1915                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1916                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1917 }
1918
1919 static inline void take_option(char **to, char *from, int *first, int len)
1920 {
1921         if (!*first) {
1922                 **to = ',';
1923                 *to += 1;
1924         }
1925         else
1926                 *first = 0;
1927         memcpy(*to, from, len);
1928         *to += len;
1929 }
1930
1931 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1932 {
1933         int fnosec, fsec, rc = 0;
1934         char *in_save, *in_curr, *in_end;
1935         char *sec_curr, *nosec_save, *nosec;
1936
1937         in_curr = orig;
1938         sec_curr = copy;
1939
1940         /* Binary mount data: just copy */
1941         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1942                 copy_page(sec_curr, in_curr);
1943                 goto out;
1944         }
1945
1946         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1947         if (!nosec) {
1948                 rc = -ENOMEM;
1949                 goto out;
1950         }
1951
1952         nosec_save = nosec;
1953         fnosec = fsec = 1;
1954         in_save = in_end = orig;
1955
1956         do {
1957                 if (*in_end == ',' || *in_end == '\0') {
1958                         int len = in_end - in_curr;
1959
1960                         if (selinux_option(in_curr, len))
1961                                 take_option(&sec_curr, in_curr, &fsec, len);
1962                         else
1963                                 take_option(&nosec, in_curr, &fnosec, len);
1964
1965                         in_curr = in_end + 1;
1966                 }
1967         } while (*in_end++);
1968
1969         strcpy(in_save, nosec_save);
1970         free_page((unsigned long)nosec_save);
1971 out:
1972         return rc;
1973 }
1974
1975 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1976 {
1977         struct avc_audit_data ad;
1978         int rc;
1979
1980         rc = superblock_doinit(sb, data);
1981         if (rc)
1982                 return rc;
1983
1984         AVC_AUDIT_DATA_INIT(&ad,FS);
1985         ad.u.fs.dentry = sb->s_root;
1986         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1987 }
1988
1989 static int selinux_sb_statfs(struct dentry *dentry)
1990 {
1991         struct avc_audit_data ad;
1992
1993         AVC_AUDIT_DATA_INIT(&ad,FS);
1994         ad.u.fs.dentry = dentry->d_sb->s_root;
1995         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1996 }
1997
1998 static int selinux_mount(char * dev_name,
1999                          struct nameidata *nd,
2000                          char * type,
2001                          unsigned long flags,
2002                          void * data)
2003 {
2004         int rc;
2005
2006         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2007         if (rc)
2008                 return rc;
2009
2010         if (flags & MS_REMOUNT)
2011                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2012                                            FILESYSTEM__REMOUNT, NULL);
2013         else
2014                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2015                                        FILE__MOUNTON);
2016 }
2017
2018 static int selinux_umount(struct vfsmount *mnt, int flags)
2019 {
2020         int rc;
2021
2022         rc = secondary_ops->sb_umount(mnt, flags);
2023         if (rc)
2024                 return rc;
2025
2026         return superblock_has_perm(current,mnt->mnt_sb,
2027                                    FILESYSTEM__UNMOUNT,NULL);
2028 }
2029
2030 /* inode security operations */
2031
2032 static int selinux_inode_alloc_security(struct inode *inode)
2033 {
2034         return inode_alloc_security(inode);
2035 }
2036
2037 static void selinux_inode_free_security(struct inode *inode)
2038 {
2039         inode_free_security(inode);
2040 }
2041
2042 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2043                                        char **name, void **value,
2044                                        size_t *len)
2045 {
2046         struct task_security_struct *tsec;
2047         struct inode_security_struct *dsec;
2048         struct superblock_security_struct *sbsec;
2049         u32 newsid, clen;
2050         int rc;
2051         char *namep = NULL, *context;
2052
2053         tsec = current->security;
2054         dsec = dir->i_security;
2055         sbsec = dir->i_sb->s_security;
2056
2057         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2058                 newsid = tsec->create_sid;
2059         } else {
2060                 rc = security_transition_sid(tsec->sid, dsec->sid,
2061                                              inode_mode_to_security_class(inode->i_mode),
2062                                              &newsid);
2063                 if (rc) {
2064                         printk(KERN_WARNING "%s:  "
2065                                "security_transition_sid failed, rc=%d (dev=%s "
2066                                "ino=%ld)\n",
2067                                __FUNCTION__,
2068                                -rc, inode->i_sb->s_id, inode->i_ino);
2069                         return rc;
2070                 }
2071         }
2072
2073         /* Possibly defer initialization to selinux_complete_init. */
2074         if (sbsec->initialized) {
2075                 struct inode_security_struct *isec = inode->i_security;
2076                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2077                 isec->sid = newsid;
2078                 isec->initialized = 1;
2079         }
2080
2081         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2082                 return -EOPNOTSUPP;
2083
2084         if (name) {
2085                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2086                 if (!namep)
2087                         return -ENOMEM;
2088                 *name = namep;
2089         }
2090
2091         if (value && len) {
2092                 rc = security_sid_to_context(newsid, &context, &clen);
2093                 if (rc) {
2094                         kfree(namep);
2095                         return rc;
2096                 }
2097                 *value = context;
2098                 *len = clen;
2099         }
2100
2101         return 0;
2102 }
2103
2104 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2105 {
2106         return may_create(dir, dentry, SECCLASS_FILE);
2107 }
2108
2109 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2110 {
2111         int rc;
2112
2113         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2114         if (rc)
2115                 return rc;
2116         return may_link(dir, old_dentry, MAY_LINK);
2117 }
2118
2119 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2120 {
2121         int rc;
2122
2123         rc = secondary_ops->inode_unlink(dir, dentry);
2124         if (rc)
2125                 return rc;
2126         return may_link(dir, dentry, MAY_UNLINK);
2127 }
2128
2129 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2130 {
2131         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2132 }
2133
2134 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2135 {
2136         return may_create(dir, dentry, SECCLASS_DIR);
2137 }
2138
2139 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2140 {
2141         return may_link(dir, dentry, MAY_RMDIR);
2142 }
2143
2144 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2145 {
2146         int rc;
2147
2148         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2149         if (rc)
2150                 return rc;
2151
2152         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2153 }
2154
2155 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2156                                 struct inode *new_inode, struct dentry *new_dentry)
2157 {
2158         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2159 }
2160
2161 static int selinux_inode_readlink(struct dentry *dentry)
2162 {
2163         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2164 }
2165
2166 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2167 {
2168         int rc;
2169
2170         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2171         if (rc)
2172                 return rc;
2173         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2174 }
2175
2176 static int selinux_inode_permission(struct inode *inode, int mask,
2177                                     struct nameidata *nd)
2178 {
2179         int rc;
2180
2181         rc = secondary_ops->inode_permission(inode, mask, nd);
2182         if (rc)
2183                 return rc;
2184
2185         if (!mask) {
2186                 /* No permission to check.  Existence test. */
2187                 return 0;
2188         }
2189
2190         return inode_has_perm(current, inode,
2191                                file_mask_to_av(inode->i_mode, mask), NULL);
2192 }
2193
2194 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2195 {
2196         int rc;
2197
2198         rc = secondary_ops->inode_setattr(dentry, iattr);
2199         if (rc)
2200                 return rc;
2201
2202         if (iattr->ia_valid & ATTR_FORCE)
2203                 return 0;
2204
2205         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2206                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2207                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2208
2209         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2210 }
2211
2212 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2213 {
2214         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2215 }
2216
2217 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2218 {
2219         struct task_security_struct *tsec = current->security;
2220         struct inode *inode = dentry->d_inode;
2221         struct inode_security_struct *isec = inode->i_security;
2222         struct superblock_security_struct *sbsec;
2223         struct avc_audit_data ad;
2224         u32 newsid;
2225         int rc = 0;
2226
2227         if (strcmp(name, XATTR_NAME_SELINUX)) {
2228                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2229                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2230                     !capable(CAP_SYS_ADMIN)) {
2231                         /* A different attribute in the security namespace.
2232                            Restrict to administrator. */
2233                         return -EPERM;
2234                 }
2235
2236                 /* Not an attribute we recognize, so just check the
2237                    ordinary setattr permission. */
2238                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2239         }
2240
2241         sbsec = inode->i_sb->s_security;
2242         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2243                 return -EOPNOTSUPP;
2244
2245         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2246                 return -EPERM;
2247
2248         AVC_AUDIT_DATA_INIT(&ad,FS);
2249         ad.u.fs.dentry = dentry;
2250
2251         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2252                           FILE__RELABELFROM, &ad);
2253         if (rc)
2254                 return rc;
2255
2256         rc = security_context_to_sid(value, size, &newsid);
2257         if (rc)
2258                 return rc;
2259
2260         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2261                           FILE__RELABELTO, &ad);
2262         if (rc)
2263                 return rc;
2264
2265         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2266                                           isec->sclass);
2267         if (rc)
2268                 return rc;
2269
2270         return avc_has_perm(newsid,
2271                             sbsec->sid,
2272                             SECCLASS_FILESYSTEM,
2273                             FILESYSTEM__ASSOCIATE,
2274                             &ad);
2275 }
2276
2277 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2278                                         void *value, size_t size, int flags)
2279 {
2280         struct inode *inode = dentry->d_inode;
2281         struct inode_security_struct *isec = inode->i_security;
2282         u32 newsid;
2283         int rc;
2284
2285         if (strcmp(name, XATTR_NAME_SELINUX)) {
2286                 /* Not an attribute we recognize, so nothing to do. */
2287                 return;
2288         }
2289
2290         rc = security_context_to_sid(value, size, &newsid);
2291         if (rc) {
2292                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2293                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2294                 return;
2295         }
2296
2297         isec->sid = newsid;
2298         return;
2299 }
2300
2301 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2302 {
2303         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2304 }
2305
2306 static int selinux_inode_listxattr (struct dentry *dentry)
2307 {
2308         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2309 }
2310
2311 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2312 {
2313         if (strcmp(name, XATTR_NAME_SELINUX)) {
2314                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2315                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2316                     !capable(CAP_SYS_ADMIN)) {
2317                         /* A different attribute in the security namespace.
2318                            Restrict to administrator. */
2319                         return -EPERM;
2320                 }
2321
2322                 /* Not an attribute we recognize, so just check the
2323                    ordinary setattr permission. Might want a separate
2324                    permission for removexattr. */
2325                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2326         }
2327
2328         /* No one is allowed to remove a SELinux security label.
2329            You can change the label, but all data must be labeled. */
2330         return -EACCES;
2331 }
2332
2333 static const char *selinux_inode_xattr_getsuffix(void)
2334 {
2335       return XATTR_SELINUX_SUFFIX;
2336 }
2337
2338 /*
2339  * Copy the in-core inode security context value to the user.  If the
2340  * getxattr() prior to this succeeded, check to see if we need to
2341  * canonicalize the value to be finally returned to the user.
2342  *
2343  * Permission check is handled by selinux_inode_getxattr hook.
2344  */
2345 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2346 {
2347         struct inode_security_struct *isec = inode->i_security;
2348
2349         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2350                 return -EOPNOTSUPP;
2351
2352         return selinux_getsecurity(isec->sid, buffer, size);
2353 }
2354
2355 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2356                                      const void *value, size_t size, int flags)
2357 {
2358         struct inode_security_struct *isec = inode->i_security;
2359         u32 newsid;
2360         int rc;
2361
2362         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2363                 return -EOPNOTSUPP;
2364
2365         if (!value || !size)
2366                 return -EACCES;
2367
2368         rc = security_context_to_sid((void*)value, size, &newsid);
2369         if (rc)
2370                 return rc;
2371
2372         isec->sid = newsid;
2373         return 0;
2374 }
2375
2376 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2377 {
2378         const int len = sizeof(XATTR_NAME_SELINUX);
2379         if (buffer && len <= buffer_size)
2380                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2381         return len;
2382 }
2383
2384 /* file security operations */
2385
2386 static int selinux_file_permission(struct file *file, int mask)
2387 {
2388         int rc;
2389         struct inode *inode = file->f_dentry->d_inode;
2390
2391         if (!mask) {
2392                 /* No permission to check.  Existence test. */
2393                 return 0;
2394         }
2395
2396         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2397         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2398                 mask |= MAY_APPEND;
2399
2400         rc = file_has_perm(current, file,
2401                            file_mask_to_av(inode->i_mode, mask));
2402         if (rc)
2403                 return rc;
2404
2405         return selinux_netlbl_inode_permission(inode, mask);
2406 }
2407
2408 static int selinux_file_alloc_security(struct file *file)
2409 {
2410         return file_alloc_security(file);
2411 }
2412
2413 static void selinux_file_free_security(struct file *file)
2414 {
2415         file_free_security(file);
2416 }
2417
2418 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2419                               unsigned long arg)
2420 {
2421         int error = 0;
2422
2423         switch (cmd) {
2424                 case FIONREAD:
2425                 /* fall through */
2426                 case FIBMAP:
2427                 /* fall through */
2428                 case FIGETBSZ:
2429                 /* fall through */
2430                 case EXT2_IOC_GETFLAGS:
2431                 /* fall through */
2432                 case EXT2_IOC_GETVERSION:
2433                         error = file_has_perm(current, file, FILE__GETATTR);
2434                         break;
2435
2436                 case EXT2_IOC_SETFLAGS:
2437                 /* fall through */
2438                 case EXT2_IOC_SETVERSION:
2439                         error = file_has_perm(current, file, FILE__SETATTR);
2440                         break;
2441
2442                 /* sys_ioctl() checks */
2443                 case FIONBIO:
2444                 /* fall through */
2445                 case FIOASYNC:
2446                         error = file_has_perm(current, file, 0);
2447                         break;
2448
2449                 case KDSKBENT:
2450                 case KDSKBSENT:
2451                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2452                         break;
2453
2454                 /* default case assumes that the command will go
2455                  * to the file's ioctl() function.
2456                  */
2457                 default:
2458                         error = file_has_perm(current, file, FILE__IOCTL);
2459
2460         }
2461         return error;
2462 }
2463
2464 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2465 {
2466 #ifndef CONFIG_PPC32
2467         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2468                 /*
2469                  * We are making executable an anonymous mapping or a
2470                  * private file mapping that will also be writable.
2471                  * This has an additional check.
2472                  */
2473                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2474                 if (rc)
2475                         return rc;
2476         }
2477 #endif
2478
2479         if (file) {
2480                 /* read access is always possible with a mapping */
2481                 u32 av = FILE__READ;
2482
2483                 /* write access only matters if the mapping is shared */
2484                 if (shared && (prot & PROT_WRITE))
2485                         av |= FILE__WRITE;
2486
2487                 if (prot & PROT_EXEC)
2488                         av |= FILE__EXECUTE;
2489
2490                 return file_has_perm(current, file, av);
2491         }
2492         return 0;
2493 }
2494
2495 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2496                              unsigned long prot, unsigned long flags)
2497 {
2498         int rc;
2499
2500         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2501         if (rc)
2502                 return rc;
2503
2504         if (selinux_checkreqprot)
2505                 prot = reqprot;
2506
2507         return file_map_prot_check(file, prot,
2508                                    (flags & MAP_TYPE) == MAP_SHARED);
2509 }
2510
2511 static int selinux_file_mprotect(struct vm_area_struct *vma,
2512                                  unsigned long reqprot,
2513                                  unsigned long prot)
2514 {
2515         int rc;
2516
2517         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2518         if (rc)
2519                 return rc;
2520
2521         if (selinux_checkreqprot)
2522                 prot = reqprot;
2523
2524 #ifndef CONFIG_PPC32
2525         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2526                 rc = 0;
2527                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2528                     vma->vm_end <= vma->vm_mm->brk) {
2529                         rc = task_has_perm(current, current,
2530                                            PROCESS__EXECHEAP);
2531                 } else if (!vma->vm_file &&
2532                            vma->vm_start <= vma->vm_mm->start_stack &&
2533                            vma->vm_end >= vma->vm_mm->start_stack) {
2534                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2535                 } else if (vma->vm_file && vma->anon_vma) {
2536                         /*
2537                          * We are making executable a file mapping that has
2538                          * had some COW done. Since pages might have been
2539                          * written, check ability to execute the possibly
2540                          * modified content.  This typically should only
2541                          * occur for text relocations.
2542                          */
2543                         rc = file_has_perm(current, vma->vm_file,
2544                                            FILE__EXECMOD);
2545                 }
2546                 if (rc)
2547                         return rc;
2548         }
2549 #endif
2550
2551         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2552 }
2553
2554 static int selinux_file_lock(struct file *file, unsigned int cmd)
2555 {
2556         return file_has_perm(current, file, FILE__LOCK);
2557 }
2558
2559 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2560                               unsigned long arg)
2561 {
2562         int err = 0;
2563
2564         switch (cmd) {
2565                 case F_SETFL:
2566                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2567                                 err = -EINVAL;
2568                                 break;
2569                         }
2570
2571                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2572                                 err = file_has_perm(current, file,FILE__WRITE);
2573                                 break;
2574                         }
2575                         /* fall through */
2576                 case F_SETOWN:
2577                 case F_SETSIG:
2578                 case F_GETFL:
2579                 case F_GETOWN:
2580                 case F_GETSIG:
2581                         /* Just check FD__USE permission */
2582                         err = file_has_perm(current, file, 0);
2583                         break;
2584                 case F_GETLK:
2585                 case F_SETLK:
2586                 case F_SETLKW:
2587 #if BITS_PER_LONG == 32
2588                 case F_GETLK64:
2589                 case F_SETLK64:
2590                 case F_SETLKW64:
2591 #endif
2592                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2593                                 err = -EINVAL;
2594                                 break;
2595                         }
2596                         err = file_has_perm(current, file, FILE__LOCK);
2597                         break;
2598         }
2599
2600         return err;
2601 }
2602
2603 static int selinux_file_set_fowner(struct file *file)
2604 {
2605         struct task_security_struct *tsec;
2606         struct file_security_struct *fsec;
2607
2608         tsec = current->security;
2609         fsec = file->f_security;
2610         fsec->fown_sid = tsec->sid;
2611
2612         return 0;
2613 }
2614
2615 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2616                                        struct fown_struct *fown, int signum)
2617 {
2618         struct file *file;
2619         u32 perm;
2620         struct task_security_struct *tsec;
2621         struct file_security_struct *fsec;
2622
2623         /* struct fown_struct is never outside the context of a struct file */
2624         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2625
2626         tsec = tsk->security;
2627         fsec = file->f_security;
2628
2629         if (!signum)
2630                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2631         else
2632                 perm = signal_to_av(signum);
2633
2634         return avc_has_perm(fsec->fown_sid, tsec->sid,
2635                             SECCLASS_PROCESS, perm, NULL);
2636 }
2637
2638 static int selinux_file_receive(struct file *file)
2639 {
2640         return file_has_perm(current, file, file_to_av(file));
2641 }
2642
2643 /* task security operations */
2644
2645 static int selinux_task_create(unsigned long clone_flags)
2646 {
2647         int rc;
2648
2649         rc = secondary_ops->task_create(clone_flags);
2650         if (rc)
2651                 return rc;
2652
2653         return task_has_perm(current, current, PROCESS__FORK);
2654 }
2655
2656 static int selinux_task_alloc_security(struct task_struct *tsk)
2657 {
2658         struct task_security_struct *tsec1, *tsec2;
2659         int rc;
2660
2661         tsec1 = current->security;
2662
2663         rc = task_alloc_security(tsk);
2664         if (rc)
2665                 return rc;
2666         tsec2 = tsk->security;
2667
2668         tsec2->osid = tsec1->osid;
2669         tsec2->sid = tsec1->sid;
2670
2671         /* Retain the exec, fs, key, and sock SIDs across fork */
2672         tsec2->exec_sid = tsec1->exec_sid;
2673         tsec2->create_sid = tsec1->create_sid;
2674         tsec2->keycreate_sid = tsec1->keycreate_sid;
2675         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2676
2677         /* Retain ptracer SID across fork, if any.
2678            This will be reset by the ptrace hook upon any
2679            subsequent ptrace_attach operations. */
2680         tsec2->ptrace_sid = tsec1->ptrace_sid;
2681
2682         return 0;
2683 }
2684
2685 static void selinux_task_free_security(struct task_struct *tsk)
2686 {
2687         task_free_security(tsk);
2688 }
2689
2690 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2691 {
2692         /* Since setuid only affects the current process, and
2693            since the SELinux controls are not based on the Linux
2694            identity attributes, SELinux does not need to control
2695            this operation.  However, SELinux does control the use
2696            of the CAP_SETUID and CAP_SETGID capabilities using the
2697            capable hook. */
2698         return 0;
2699 }
2700
2701 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2702 {
2703         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2704 }
2705
2706 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2707 {
2708         /* See the comment for setuid above. */
2709         return 0;
2710 }
2711
2712 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2713 {
2714         return task_has_perm(current, p, PROCESS__SETPGID);
2715 }
2716
2717 static int selinux_task_getpgid(struct task_struct *p)
2718 {
2719         return task_has_perm(current, p, PROCESS__GETPGID);
2720 }
2721
2722 static int selinux_task_getsid(struct task_struct *p)
2723 {
2724         return task_has_perm(current, p, PROCESS__GETSESSION);
2725 }
2726
2727 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2728 {
2729         selinux_get_task_sid(p, secid);
2730 }
2731
2732 static int selinux_task_setgroups(struct group_info *group_info)
2733 {
2734         /* See the comment for setuid above. */
2735         return 0;
2736 }
2737
2738 static int selinux_task_setnice(struct task_struct *p, int nice)
2739 {
2740         int rc;
2741
2742         rc = secondary_ops->task_setnice(p, nice);
2743         if (rc)
2744                 return rc;
2745
2746         return task_has_perm(current,p, PROCESS__SETSCHED);
2747 }
2748
2749 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2750 {
2751         return task_has_perm(current, p, PROCESS__SETSCHED);
2752 }
2753
2754 static int selinux_task_getioprio(struct task_struct *p)
2755 {
2756         return task_has_perm(current, p, PROCESS__GETSCHED);
2757 }
2758
2759 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2760 {
2761         struct rlimit *old_rlim = current->signal->rlim + resource;
2762         int rc;
2763
2764         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2765         if (rc)
2766                 return rc;
2767
2768         /* Control the ability to change the hard limit (whether
2769            lowering or raising it), so that the hard limit can
2770            later be used as a safe reset point for the soft limit
2771            upon context transitions. See selinux_bprm_apply_creds. */
2772         if (old_rlim->rlim_max != new_rlim->rlim_max)
2773                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2774
2775         return 0;
2776 }
2777
2778 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2779 {
2780         return task_has_perm(current, p, PROCESS__SETSCHED);
2781 }
2782
2783 static int selinux_task_getscheduler(struct task_struct *p)
2784 {
2785         return task_has_perm(current, p, PROCESS__GETSCHED);
2786 }
2787
2788 static int selinux_task_movememory(struct task_struct *p)
2789 {
2790         return task_has_perm(current, p, PROCESS__SETSCHED);
2791 }
2792
2793 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2794                                 int sig, u32 secid)
2795 {
2796         u32 perm;
2797         int rc;
2798         struct task_security_struct *tsec;
2799
2800         rc = secondary_ops->task_kill(p, info, sig, secid);
2801         if (rc)
2802                 return rc;
2803
2804         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2805                 return 0;
2806
2807         if (!sig)
2808                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2809         else
2810                 perm = signal_to_av(sig);
2811         tsec = p->security;
2812         if (secid)
2813                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2814         else
2815                 rc = task_has_perm(current, p, perm);
2816         return rc;
2817 }
2818
2819 static int selinux_task_prctl(int option,
2820                               unsigned long arg2,
2821                               unsigned long arg3,
2822                               unsigned long arg4,
2823                               unsigned long arg5)
2824 {
2825         /* The current prctl operations do not appear to require
2826            any SELinux controls since they merely observe or modify
2827            the state of the current process. */
2828         return 0;
2829 }
2830
2831 static int selinux_task_wait(struct task_struct *p)
2832 {
2833         u32 perm;
2834
2835         perm = signal_to_av(p->exit_signal);
2836
2837         return task_has_perm(p, current, perm);
2838 }
2839
2840 static void selinux_task_reparent_to_init(struct task_struct *p)
2841 {
2842         struct task_security_struct *tsec;
2843
2844         secondary_ops->task_reparent_to_init(p);
2845
2846         tsec = p->security;
2847         tsec->osid = tsec->sid;
2848         tsec->sid = SECINITSID_KERNEL;
2849         return;
2850 }
2851
2852 static void selinux_task_to_inode(struct task_struct *p,
2853                                   struct inode *inode)
2854 {
2855         struct task_security_struct *tsec = p->security;
2856         struct inode_security_struct *isec = inode->i_security;
2857
2858         isec->sid = tsec->sid;
2859         isec->initialized = 1;
2860         return;
2861 }
2862
2863 /* Returns error only if unable to parse addresses */
2864 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2865 {
2866         int offset, ihlen, ret = -EINVAL;
2867         struct iphdr _iph, *ih;
2868
2869         offset = skb->nh.raw - skb->data;
2870         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2871         if (ih == NULL)
2872                 goto out;
2873
2874         ihlen = ih->ihl * 4;
2875         if (ihlen < sizeof(_iph))
2876                 goto out;
2877
2878         ad->u.net.v4info.saddr = ih->saddr;
2879         ad->u.net.v4info.daddr = ih->daddr;
2880         ret = 0;
2881
2882         switch (ih->protocol) {
2883         case IPPROTO_TCP: {
2884                 struct tcphdr _tcph, *th;
2885
2886                 if (ntohs(ih->frag_off) & IP_OFFSET)
2887                         break;
2888
2889                 offset += ihlen;
2890                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2891                 if (th == NULL)
2892                         break;
2893
2894                 ad->u.net.sport = th->source;
2895                 ad->u.net.dport = th->dest;
2896                 break;
2897         }
2898         
2899         case IPPROTO_UDP: {
2900                 struct udphdr _udph, *uh;
2901                 
2902                 if (ntohs(ih->frag_off) & IP_OFFSET)
2903                         break;
2904                         
2905                 offset += ihlen;
2906                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2907                 if (uh == NULL)
2908                         break;  
2909
2910                 ad->u.net.sport = uh->source;
2911                 ad->u.net.dport = uh->dest;
2912                 break;
2913         }
2914
2915         default:
2916                 break;
2917         }
2918 out:
2919         return ret;
2920 }
2921
2922 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2923
2924 /* Returns error only if unable to parse addresses */
2925 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2926 {
2927         u8 nexthdr;
2928         int ret = -EINVAL, offset;
2929         struct ipv6hdr _ipv6h, *ip6;
2930
2931         offset = skb->nh.raw - skb->data;
2932         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2933         if (ip6 == NULL)
2934                 goto out;
2935
2936         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2937         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2938         ret = 0;
2939
2940         nexthdr = ip6->nexthdr;
2941         offset += sizeof(_ipv6h);
2942         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2943         if (offset < 0)
2944                 goto out;
2945
2946         switch (nexthdr) {
2947         case IPPROTO_TCP: {
2948                 struct tcphdr _tcph, *th;
2949
2950                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2951                 if (th == NULL)
2952                         break;
2953
2954                 ad->u.net.sport = th->source;
2955                 ad->u.net.dport = th->dest;
2956                 break;
2957         }
2958
2959         case IPPROTO_UDP: {
2960                 struct udphdr _udph, *uh;
2961
2962                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2963                 if (uh == NULL)
2964                         break;
2965
2966                 ad->u.net.sport = uh->source;
2967                 ad->u.net.dport = uh->dest;
2968                 break;
2969         }
2970
2971         /* includes fragments */
2972         default:
2973                 break;
2974         }
2975 out:
2976         return ret;
2977 }
2978
2979 #endif /* IPV6 */
2980
2981 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2982                              char **addrp, int *len, int src)
2983 {
2984         int ret = 0;
2985
2986         switch (ad->u.net.family) {
2987         case PF_INET:
2988                 ret = selinux_parse_skb_ipv4(skb, ad);
2989                 if (ret || !addrp)
2990                         break;
2991                 *len = 4;
2992                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2993                                         &ad->u.net.v4info.daddr);
2994                 break;
2995
2996 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2997         case PF_INET6:
2998                 ret = selinux_parse_skb_ipv6(skb, ad);
2999                 if (ret || !addrp)
3000                         break;
3001                 *len = 16;
3002                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3003                                         &ad->u.net.v6info.daddr);
3004                 break;
3005 #endif  /* IPV6 */
3006         default:
3007                 break;
3008         }
3009
3010         return ret;
3011 }
3012
3013 /* socket security operations */
3014 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3015                            u32 perms)
3016 {
3017         struct inode_security_struct *isec;
3018         struct task_security_struct *tsec;
3019         struct avc_audit_data ad;
3020         int err = 0;
3021
3022         tsec = task->security;
3023         isec = SOCK_INODE(sock)->i_security;
3024
3025         if (isec->sid == SECINITSID_KERNEL)
3026                 goto out;
3027
3028         AVC_AUDIT_DATA_INIT(&ad,NET);
3029         ad.u.net.sk = sock->sk;
3030         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3031
3032 out:
3033         return err;
3034 }
3035
3036 static int selinux_socket_create(int family, int type,
3037                                  int protocol, int kern)
3038 {
3039         int err = 0;
3040         struct task_security_struct *tsec;
3041         u32 newsid;
3042
3043         if (kern)
3044                 goto out;
3045
3046         tsec = current->security;
3047         newsid = tsec->sockcreate_sid ? : tsec->sid;
3048         err = avc_has_perm(tsec->sid, newsid,
3049                            socket_type_to_security_class(family, type,
3050                            protocol), SOCKET__CREATE, NULL);
3051
3052 out:
3053         return err;
3054 }
3055
3056 static int selinux_socket_post_create(struct socket *sock, int family,
3057                                       int type, int protocol, int kern)
3058 {
3059         int err = 0;
3060         struct inode_security_struct *isec;
3061         struct task_security_struct *tsec;
3062         struct sk_security_struct *sksec;
3063         u32 newsid;
3064
3065         isec = SOCK_INODE(sock)->i_security;
3066
3067         tsec = current->security;
3068         newsid = tsec->sockcreate_sid ? : tsec->sid;
3069         isec->sclass = socket_type_to_security_class(family, type, protocol);
3070         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3071         isec->initialized = 1;
3072
3073         if (sock->sk) {
3074                 sksec = sock->sk->sk_security;
3075                 sksec->sid = isec->sid;
3076                 err = selinux_netlbl_socket_post_create(sock,
3077                                                         family,
3078                                                         isec->sid);
3079         }
3080
3081         return err;
3082 }
3083
3084 /* Range of port numbers used to automatically bind.
3085    Need to determine whether we should perform a name_bind
3086    permission check between the socket and the port number. */
3087 #define ip_local_port_range_0 sysctl_local_port_range[0]
3088 #define ip_local_port_range_1 sysctl_local_port_range[1]
3089
3090 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3091 {
3092         u16 family;
3093         int err;
3094
3095         err = socket_has_perm(current, sock, SOCKET__BIND);
3096         if (err)
3097                 goto out;
3098
3099         /*
3100          * If PF_INET or PF_INET6, check name_bind permission for the port.
3101          * Multiple address binding for SCTP is not supported yet: we just
3102          * check the first address now.
3103          */
3104         family = sock->sk->sk_family;
3105         if (family == PF_INET || family == PF_INET6) {
3106                 char *addrp;
3107                 struct inode_security_struct *isec;
3108                 struct task_security_struct *tsec;
3109                 struct avc_audit_data ad;
3110                 struct sockaddr_in *addr4 = NULL;
3111                 struct sockaddr_in6 *addr6 = NULL;
3112                 unsigned short snum;
3113                 struct sock *sk = sock->sk;
3114                 u32 sid, node_perm, addrlen;
3115
3116                 tsec = current->security;
3117                 isec = SOCK_INODE(sock)->i_security;
3118
3119                 if (family == PF_INET) {
3120                         addr4 = (struct sockaddr_in *)address;
3121                         snum = ntohs(addr4->sin_port);
3122                         addrlen = sizeof(addr4->sin_addr.s_addr);
3123                         addrp = (char *)&addr4->sin_addr.s_addr;
3124                 } else {
3125                         addr6 = (struct sockaddr_in6 *)address;
3126                         snum = ntohs(addr6->sin6_port);
3127                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3128                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3129                 }
3130
3131                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3132                            snum > ip_local_port_range_1)) {
3133                         err = security_port_sid(sk->sk_family, sk->sk_type,
3134                                                 sk->sk_protocol, snum, &sid);
3135                         if (err)
3136                                 goto out;
3137                         AVC_AUDIT_DATA_INIT(&ad,NET);
3138                         ad.u.net.sport = htons(snum);
3139                         ad.u.net.family = family;
3140                         err = avc_has_perm(isec->sid, sid,
3141                                            isec->sclass,
3142                                            SOCKET__NAME_BIND, &ad);
3143                         if (err)
3144                                 goto out;
3145                 }
3146                 
3147                 switch(isec->sclass) {
3148                 case SECCLASS_TCP_SOCKET:
3149                         node_perm = TCP_SOCKET__NODE_BIND;
3150                         break;
3151                         
3152                 case SECCLASS_UDP_SOCKET:
3153                         node_perm = UDP_SOCKET__NODE_BIND;
3154                         break;
3155                         
3156                 default:
3157                         node_perm = RAWIP_SOCKET__NODE_BIND;
3158                         break;
3159                 }
3160                 
3161                 err = security_node_sid(family, addrp, addrlen, &sid);
3162                 if (err)
3163                         goto out;
3164                 
3165                 AVC_AUDIT_DATA_INIT(&ad,NET);
3166                 ad.u.net.sport = htons(snum);
3167                 ad.u.net.family = family;
3168
3169                 if (family == PF_INET)
3170                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3171                 else
3172                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3173
3174                 err = avc_has_perm(isec->sid, sid,
3175                                    isec->sclass, node_perm, &ad);
3176                 if (err)
3177                         goto out;
3178         }
3179 out:
3180         return err;
3181 }
3182
3183 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3184 {
3185         struct inode_security_struct *isec;
3186         int err;
3187
3188         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3189         if (err)
3190                 return err;
3191
3192         /*
3193          * If a TCP socket, check name_connect permission for the port.
3194          */
3195         isec = SOCK_INODE(sock)->i_security;
3196         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3197                 struct sock *sk = sock->sk;
3198                 struct avc_audit_data ad;
3199                 struct sockaddr_in *addr4 = NULL;
3200                 struct sockaddr_in6 *addr6 = NULL;
3201                 unsigned short snum;
3202                 u32 sid;
3203
3204                 if (sk->sk_family == PF_INET) {
3205                         addr4 = (struct sockaddr_in *)address;
3206                         if (addrlen < sizeof(struct sockaddr_in))
3207                                 return -EINVAL;
3208                         snum = ntohs(addr4->sin_port);
3209                 } else {
3210                         addr6 = (struct sockaddr_in6 *)address;
3211                         if (addrlen < SIN6_LEN_RFC2133)
3212                                 return -EINVAL;
3213                         snum = ntohs(addr6->sin6_port);
3214                 }
3215
3216                 err = security_port_sid(sk->sk_family, sk->sk_type,
3217                                         sk->sk_protocol, snum, &sid);
3218                 if (err)
3219                         goto out;
3220
3221                 AVC_AUDIT_DATA_INIT(&ad,NET);
3222                 ad.u.net.dport = htons(snum);
3223                 ad.u.net.family = sk->sk_family;
3224                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3225                                    TCP_SOCKET__NAME_CONNECT, &ad);
3226                 if (err)
3227                         goto out;
3228         }
3229
3230 out:
3231         return err;
3232 }
3233
3234 static int selinux_socket_listen(struct socket *sock, int backlog)
3235 {
3236         return socket_has_perm(current, sock, SOCKET__LISTEN);
3237 }
3238
3239 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3240 {
3241         int err;
3242         struct inode_security_struct *isec;
3243         struct inode_security_struct *newisec;
3244
3245         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3246         if (err)
3247                 return err;
3248
3249         newisec = SOCK_INODE(newsock)->i_security;
3250
3251         isec = SOCK_INODE(sock)->i_security;
3252         newisec->sclass = isec->sclass;
3253         newisec->sid = isec->sid;
3254         newisec->initialized = 1;
3255
3256         return 0;
3257 }
3258
3259 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3260                                   int size)
3261 {
3262         int rc;
3263
3264         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3265         if (rc)
3266                 return rc;
3267
3268         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3269 }
3270
3271 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3272                                   int size, int flags)
3273 {
3274         return socket_has_perm(current, sock, SOCKET__READ);
3275 }
3276
3277 static int selinux_socket_getsockname(struct socket *sock)
3278 {
3279         return socket_has_perm(current, sock, SOCKET__GETATTR);
3280 }
3281
3282 static int selinux_socket_getpeername(struct socket *sock)
3283 {
3284         return socket_has_perm(current, sock, SOCKET__GETATTR);
3285 }
3286
3287 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3288 {
3289         return socket_has_perm(current, sock, SOCKET__SETOPT);
3290 }
3291
3292 static int selinux_socket_getsockopt(struct socket *sock, int level,
3293                                      int optname)
3294 {
3295         return socket_has_perm(current, sock, SOCKET__GETOPT);
3296 }
3297
3298 static int selinux_socket_shutdown(struct socket *sock, int how)
3299 {
3300         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3301 }
3302
3303 static int selinux_socket_unix_stream_connect(struct socket *sock,
3304                                               struct socket *other,
3305                                               struct sock *newsk)
3306 {
3307         struct sk_security_struct *ssec;
3308         struct inode_security_struct *isec;
3309         struct inode_security_struct *other_isec;
3310         struct avc_audit_data ad;
3311         int err;
3312
3313         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3314         if (err)
3315                 return err;
3316
3317         isec = SOCK_INODE(sock)->i_security;
3318         other_isec = SOCK_INODE(other)->i_security;
3319
3320         AVC_AUDIT_DATA_INIT(&ad,NET);
3321         ad.u.net.sk = other->sk;
3322
3323         err = avc_has_perm(isec->sid, other_isec->sid,
3324                            isec->sclass,
3325                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3326         if (err)
3327                 return err;
3328
3329         /* connecting socket */
3330         ssec = sock->sk->sk_security;
3331         ssec->peer_sid = other_isec->sid;
3332         
3333         /* server child socket */
3334         ssec = newsk->sk_security;
3335         ssec->peer_sid = isec->sid;
3336         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3337
3338         return err;
3339 }
3340
3341 static int selinux_socket_unix_may_send(struct socket *sock,
3342                                         struct socket *other)
3343 {
3344         struct inode_security_struct *isec;
3345         struct inode_security_struct *other_isec;
3346         struct avc_audit_data ad;
3347         int err;
3348
3349         isec = SOCK_INODE(sock)->i_security;
3350         other_isec = SOCK_INODE(other)->i_security;
3351
3352         AVC_AUDIT_DATA_INIT(&ad,NET);
3353         ad.u.net.sk = other->sk;
3354
3355         err = avc_has_perm(isec->sid, other_isec->sid,
3356                            isec->sclass, SOCKET__SENDTO, &ad);
3357         if (err)
3358                 return err;
3359
3360         return 0;
3361 }
3362
3363 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3364                 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3365 {
3366         int err = 0;
3367         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3368         struct socket *sock;
3369         u16 sock_class = 0;
3370         u32 sock_sid = 0;
3371
3372         read_lock_bh(&sk->sk_callback_lock);
3373         sock = sk->sk_socket;
3374         if (sock) {
3375                 struct inode *inode;
3376                 inode = SOCK_INODE(sock);
3377                 if (inode) {
3378                         struct inode_security_struct *isec;
3379                         isec = inode->i_security;
3380                         sock_sid = isec->sid;
3381                         sock_class = isec->sclass;
3382                 }
3383         }
3384         read_unlock_bh(&sk->sk_callback_lock);
3385         if (!sock_sid)
3386                 goto out;
3387
3388         if (!skb->dev)
3389                 goto out;
3390
3391         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3392         if (err)
3393                 goto out;
3394
3395         switch (sock_class) {
3396         case SECCLASS_UDP_SOCKET:
3397                 netif_perm = NETIF__UDP_RECV;
3398                 node_perm = NODE__UDP_RECV;
3399                 recv_perm = UDP_SOCKET__RECV_MSG;
3400                 break;
3401         
3402         case SECCLASS_TCP_SOCKET:
3403                 netif_perm = NETIF__TCP_RECV;
3404                 node_perm = NODE__TCP_RECV;
3405                 recv_perm = TCP_SOCKET__RECV_MSG;
3406                 break;
3407         
3408         default:
3409                 netif_perm = NETIF__RAWIP_RECV;
3410                 node_perm = NODE__RAWIP_RECV;
3411                 break;
3412         }
3413
3414         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3415         if (err)
3416                 goto out;
3417         
3418         err = security_node_sid(family, addrp, len, &node_sid);
3419         if (err)
3420                 goto out;
3421         
3422         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3423         if (err)
3424                 goto out;
3425
3426         if (recv_perm) {
3427                 u32 port_sid;
3428
3429                 err = security_port_sid(sk->sk_family, sk->sk_type,
3430                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3431                                         &port_sid);
3432                 if (err)
3433                         goto out;
3434
3435                 err = avc_has_perm(sock_sid, port_sid,
3436                                    sock_class, recv_perm, ad);
3437         }
3438
3439 out:
3440         return err;
3441 }
3442
3443 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3444 {
3445         u16 family;
3446         char *addrp;
3447         int len, err = 0;
3448         struct avc_audit_data ad;
3449         struct sk_security_struct *sksec = sk->sk_security;
3450
3451         family = sk->sk_family;
3452         if (family != PF_INET && family != PF_INET6)
3453                 goto out;
3454
3455         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3456         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3457                 family = PF_INET;
3458
3459         AVC_AUDIT_DATA_INIT(&ad, NET);
3460         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3461         ad.u.net.family = family;
3462
3463         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3464         if (err)
3465                 goto out;
3466
3467         if (selinux_compat_net)
3468                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3469                                                   addrp, len);
3470         else
3471                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3472                                    PACKET__RECV, &ad);
3473         if (err)
3474                 goto out;
3475
3476         err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
3477         if (err)
3478                 goto out;
3479
3480         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3481 out:    
3482         return err;
3483 }
3484
3485 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3486                                             int __user *optlen, unsigned len)
3487 {
3488         int err = 0;
3489         char *scontext;
3490         u32 scontext_len;
3491         struct sk_security_struct *ssec;
3492         struct inode_security_struct *isec;
3493         u32 peer_sid = 0;
3494
3495         isec = SOCK_INODE(sock)->i_security;
3496
3497         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3498         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3499                 ssec = sock->sk->sk_security;
3500                 peer_sid = ssec->peer_sid;
3501         }
3502         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3503                 peer_sid = selinux_netlbl_socket_getpeersec_stream(sock);
3504                 if (peer_sid == SECSID_NULL)
3505                         peer_sid = selinux_socket_getpeer_stream(sock->sk);
3506                 if (peer_sid == SECSID_NULL) {
3507                         err = -ENOPROTOOPT;
3508                         goto out;
3509                 }
3510         }
3511         else {
3512                 err = -ENOPROTOOPT;
3513                 goto out;
3514         }
3515
3516         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3517
3518         if (err)
3519                 goto out;
3520
3521         if (scontext_len > len) {
3522                 err = -ERANGE;
3523                 goto out_len;
3524         }
3525
3526         if (copy_to_user(optval, scontext, scontext_len))
3527                 err = -EFAULT;
3528
3529 out_len:
3530         if (put_user(scontext_len, optlen))
3531                 err = -EFAULT;
3532
3533         kfree(scontext);
3534 out:    
3535         return err;
3536 }
3537
3538 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3539 {
3540         u32 peer_secid = SECSID_NULL;
3541         int err = 0;
3542
3543         if (sock && (sock->sk->sk_family == PF_UNIX))
3544                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3545         else if (skb) {
3546                 peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb);
3547                 if (peer_secid == SECSID_NULL)
3548                         peer_secid = selinux_socket_getpeer_dgram(skb);
3549         }
3550
3551         if (peer_secid == SECSID_NULL)
3552                 err = -EINVAL;
3553         *secid = peer_secid;
3554
3555         return err;
3556 }
3557
3558 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3559 {
3560         return sk_alloc_security(sk, family, priority);
3561 }
3562
3563 static void selinux_sk_free_security(struct sock *sk)
3564 {
3565         sk_free_security(sk);
3566 }
3567
3568 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3569 {
3570         struct sk_security_struct *ssec = sk->sk_security;
3571         struct sk_security_struct *newssec = newsk->sk_security;
3572
3573         newssec->sid = ssec->sid;
3574         newssec->peer_sid = ssec->peer_sid;
3575
3576         selinux_netlbl_sk_clone_security(ssec, newssec);
3577 }
3578
3579 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3580 {
3581         if (!sk)
3582                 *secid = SECINITSID_ANY_SOCKET;
3583         else {
3584                 struct sk_security_struct *sksec = sk->sk_security;
3585
3586                 *secid = sksec->sid;
3587         }
3588 }
3589
3590 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
3591 {
3592         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
3593         struct sk_security_struct *sksec = sk->sk_security;
3594
3595         isec->sid = sksec->sid;
3596
3597         selinux_netlbl_sock_graft(sk, parent);
3598 }
3599
3600 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3601                                      struct request_sock *req)
3602 {
3603         struct sk_security_struct *sksec = sk->sk_security;
3604         int err;
3605         u32 newsid;
3606         u32 peersid;
3607
3608         newsid = selinux_netlbl_inet_conn_request(skb, sksec->sid);
3609         if (newsid != SECSID_NULL) {
3610                 req->secid = newsid;
3611                 return 0;
3612         }
3613
3614         err = selinux_xfrm_decode_session(skb, &peersid, 0);
3615         BUG_ON(err);
3616
3617         if (peersid == SECSID_NULL) {
3618                 req->secid = sksec->sid;
3619                 return 0;
3620         }
3621
3622         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3623         if (err)
3624                 return err;
3625
3626         req->secid = newsid;
3627         return 0;
3628 }
3629
3630 static void selinux_inet_csk_clone(struct sock *newsk,
3631                                    const struct request_sock *req)
3632 {
3633         struct sk_security_struct *newsksec = newsk->sk_security;
3634
3635         newsksec->sid = req->secid;
3636         /* NOTE: Ideally, we should also get the isec->sid for the
3637            new socket in sync, but we don't have the isec available yet.
3638            So we will wait until sock_graft to do it, by which
3639            time it will have been created and available. */
3640
3641         selinux_netlbl_sk_security_init(newsksec, req->rsk_ops->family);
3642 }
3643
3644 static void selinux_req_classify_flow(const struct request_sock *req,
3645                                       struct flowi *fl)
3646 {
3647         fl->secid = req->secid;
3648 }
3649
3650 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3651 {
3652         int err = 0;
3653         u32 perm;
3654         struct nlmsghdr *nlh;
3655         struct socket *sock = sk->sk_socket;
3656         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3657         
3658         if (skb->len < NLMSG_SPACE(0)) {
3659                 err = -EINVAL;
3660                 goto out;
3661         }
3662         nlh = (struct nlmsghdr *)skb->data;
3663         
3664         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3665         if (err) {
3666                 if (err == -EINVAL) {
3667                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3668                                   "SELinux:  unrecognized netlink message"
3669                                   " type=%hu for sclass=%hu\n",
3670                                   nlh->nlmsg_type, isec->sclass);
3671                         if (!selinux_enforcing)
3672                                 err = 0;
3673                 }
3674
3675                 /* Ignore */
3676                 if (err == -ENOENT)
3677                         err = 0;
3678                 goto out;
3679         }
3680
3681         err = socket_has_perm(current, sock, perm);
3682 out:
3683         return err;
3684 }
3685
3686 #ifdef CONFIG_NETFILTER
3687
3688 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3689                                             struct avc_audit_data *ad,
3690                                             u16 family, char *addrp, int len)
3691 {
3692         int err = 0;
3693         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3694         struct socket *sock;
3695         struct inode *inode;
3696         struct inode_security_struct *isec;
3697
3698         sock = sk->sk_socket;
3699         if (!sock)
3700                 goto out;
3701
3702         inode = SOCK_INODE(sock);
3703         if (!inode)
3704                 goto out;
3705
3706         isec = inode->i_security;
3707         
3708         err = sel_netif_sids(dev, &if_sid, NULL);
3709         if (err)
3710                 goto out;
3711
3712         switch (isec->sclass) {
3713         case SECCLASS_UDP_SOCKET:
3714                 netif_perm = NETIF__UDP_SEND;
3715                 node_perm = NODE__UDP_SEND;
3716                 send_perm = UDP_SOCKET__SEND_MSG;
3717                 break;
3718         
3719         case SECCLASS_TCP_SOCKET:
3720                 netif_perm = NETIF__TCP_SEND;
3721                 node_perm = NODE__TCP_SEND;
3722                 send_perm = TCP_SOCKET__SEND_MSG;
3723                 break;
3724         
3725         default:
3726                 netif_perm = NETIF__RAWIP_SEND;
3727                 node_perm = NODE__RAWIP_SEND;
3728                 break;
3729         }
3730
3731         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3732         if (err)
3733                 goto out;
3734                 
3735         err = security_node_sid(family, addrp, len, &node_sid);
3736         if (err)
3737                 goto out;
3738         
3739         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3740         if (err)
3741                 goto out;
3742
3743         if (send_perm) {
3744                 u32 port_sid;
3745                 
3746                 err = security_port_sid(sk->sk_family,
3747                                         sk->sk_type,
3748                                         sk->sk_protocol,
3749                                         ntohs(ad->u.net.dport),
3750                                         &port_sid);
3751                 if (err)
3752                         goto out;
3753
3754                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3755                                    send_perm, ad);
3756         }
3757 out:
3758         return err;
3759 }
3760
3761 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3762                                               struct sk_buff **pskb,
3763                                               const struct net_device *in,
3764                                               const struct net_device *out,
3765                                               int (*okfn)(struct sk_buff *),
3766                                               u16 family)
3767 {
3768         char *addrp;
3769         int len, err = 0;
3770         struct sock *sk;
3771         struct sk_buff *skb = *pskb;
3772         struct avc_audit_data ad;
3773         struct net_device *dev = (struct net_device *)out;
3774         struct sk_security_struct *sksec;
3775
3776         sk = skb->sk;
3777         if (!sk)
3778                 goto out;
3779
3780         sksec = sk->sk_security;
3781
3782         AVC_AUDIT_DATA_INIT(&ad, NET);
3783         ad.u.net.netif = dev->name;
3784         ad.u.net.family = family;
3785
3786         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3787         if (err)
3788                 goto out;
3789
3790         if (selinux_compat_net)
3791                 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
3792                                                        family, addrp, len);
3793         else
3794                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3795                                    PACKET__SEND, &ad);
3796
3797         if (err)
3798                 goto out;
3799
3800         err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad);
3801 out:
3802         return err ? NF_DROP : NF_ACCEPT;
3803 }
3804
3805 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3806                                                 struct sk_buff **pskb,
3807                                                 const struct net_device *in,
3808                                                 const struct net_device *out,
3809                                                 int (*okfn)(struct sk_buff *))
3810 {
3811         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3812 }
3813
3814 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3815
3816 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3817                                                 struct sk_buff **pskb,
3818                                                 const struct net_device *in,
3819                                                 const struct net_device *out,
3820                                                 int (*okfn)(struct sk_buff *))
3821 {
3822         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3823 }
3824
3825 #endif  /* IPV6 */
3826
3827 #endif  /* CONFIG_NETFILTER */
3828
3829 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3830 {
3831         int err;
3832
3833         err = secondary_ops->netlink_send(sk, skb);
3834         if (err)
3835                 return err;
3836
3837         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3838                 err = selinux_nlmsg_perm(sk, skb);
3839
3840         return err;
3841 }
3842
3843 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3844 {
3845         int err;
3846         struct avc_audit_data ad;
3847
3848         err = secondary_ops->netlink_recv(skb, capability);
3849         if (err)
3850                 return err;
3851
3852         AVC_AUDIT_DATA_INIT(&ad, CAP);
3853         ad.u.cap = capability;
3854
3855         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3856                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3857 }
3858
3859 static int ipc_alloc_security(struct task_struct *task,
3860                               struct kern_ipc_perm *perm,
3861                               u16 sclass)
3862 {
3863         struct task_security_struct *tsec = task->security;
3864         struct ipc_security_struct *isec;
3865
3866         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3867         if (!isec)
3868                 return -ENOMEM;
3869
3870         isec->sclass = sclass;
3871         isec->ipc_perm = perm;
3872         isec->sid = tsec->sid;
3873         perm->security = isec;
3874
3875         return 0;
3876 }
3877
3878 static void ipc_free_security(struct kern_ipc_perm *perm)
3879 {
3880         struct ipc_security_struct *isec = perm->security;
3881         perm->security = NULL;
3882         kfree(isec);
3883 }
3884
3885 static int msg_msg_alloc_security(struct msg_msg *msg)
3886 {
3887         struct msg_security_struct *msec;
3888
3889         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3890         if (!msec)
3891                 return -ENOMEM;
3892
3893         msec->msg = msg;
3894         msec->sid = SECINITSID_UNLABELED;
3895         msg->security = msec;
3896
3897         return 0;
3898 }
3899
3900 static void msg_msg_free_security(struct msg_msg *msg)
3901 {
3902         struct msg_security_struct *msec = msg->security;
3903
3904         msg->security = NULL;
3905         kfree(msec);
3906 }
3907
3908 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3909                         u32 perms)
3910 {
3911         struct task_security_struct *tsec;
3912         struct ipc_security_struct *isec;
3913         struct avc_audit_data ad;
3914
3915         tsec = current->security;
3916         isec = ipc_perms->security;
3917
3918         AVC_AUDIT_DATA_INIT(&ad, IPC);
3919         ad.u.ipc_id = ipc_perms->key;
3920
3921         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3922 }
3923
3924 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3925 {
3926         return msg_msg_alloc_security(msg);
3927 }
3928
3929 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3930 {
3931         msg_msg_free_security(msg);
3932 }
3933
3934 /* message queue security operations */
3935 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3936 {
3937         struct task_security_struct *tsec;
3938         struct ipc_security_struct *isec;
3939         struct avc_audit_data ad;
3940         int rc;
3941
3942         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3943         if (rc)
3944                 return rc;
3945
3946         tsec = current->security;
3947         isec = msq->q_perm.security;
3948
3949         AVC_AUDIT_DATA_INIT(&ad, IPC);
3950         ad.u.ipc_id = msq->q_perm.key;
3951
3952         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3953                           MSGQ__CREATE, &ad);
3954         if (rc) {
3955                 ipc_free_security(&msq->q_perm);
3956                 return rc;
3957         }
3958         return 0;
3959 }
3960
3961 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3962 {
3963         ipc_free_security(&msq->q_perm);
3964 }
3965
3966 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3967 {
3968         struct task_security_struct *tsec;
3969         struct ipc_security_struct *isec;
3970         struct avc_audit_data ad;
3971
3972         tsec = current->security;
3973         isec = msq->q_perm.security;
3974
3975         AVC_AUDIT_DATA_INIT(&ad, IPC);
3976         ad.u.ipc_id = msq->q_perm.key;
3977
3978         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3979                             MSGQ__ASSOCIATE, &ad);
3980 }
3981
3982 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3983 {
3984         int err;
3985         int perms;
3986
3987         switch(cmd) {
3988         case IPC_INFO:
3989         case MSG_INFO:
3990                 /* No specific object, just general system-wide information. */
3991                 return task_has_system(current, SYSTEM__IPC_INFO);
3992         case IPC_STAT:
3993         case MSG_STAT:
3994                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3995                 break;
3996         case IPC_SET:
3997                 perms = MSGQ__SETATTR;
3998                 break;
3999         case IPC_RMID:
4000                 perms = MSGQ__DESTROY;
4001                 break;
4002         default:
4003                 return 0;
4004         }
4005
4006         err = ipc_has_perm(&msq->q_perm, perms);
4007         return err;
4008 }
4009
4010 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4011 {
4012         struct task_security_struct *tsec;
4013         struct ipc_security_struct *isec;
4014         struct msg_security_struct *msec;
4015         struct avc_audit_data ad;
4016         int rc;
4017
4018         tsec = current->security;
4019         isec = msq->q_perm.security;
4020         msec = msg->security;
4021
4022         /*
4023          * First time through, need to assign label to the message
4024          */
4025         if (msec->sid == SECINITSID_UNLABELED) {
4026                 /*
4027                  * Compute new sid based on current process and
4028                  * message queue this message will be stored in
4029                  */
4030                 rc = security_transition_sid(tsec->sid,
4031                                              isec->sid,
4032                                              SECCLASS_MSG,
4033                                              &msec->sid);
4034                 if (rc)
4035                         return rc;
4036         }
4037
4038         AVC_AUDIT_DATA_INIT(&ad, IPC);
4039         ad.u.ipc_id = msq->q_perm.key;
4040
4041         /* Can this process write to the queue? */
4042         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4043                           MSGQ__WRITE, &ad);
4044         if (!rc)
4045                 /* Can this process send the message */
4046                 rc = avc_has_perm(tsec->sid, msec->sid,
4047                                   SECCLASS_MSG, MSG__SEND, &ad);
4048         if (!rc)
4049                 /* Can the message be put in the queue? */
4050                 rc = avc_has_perm(msec->sid, isec->sid,
4051                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4052
4053         return rc;
4054 }
4055
4056 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4057                                     struct task_struct *target,
4058                                     long type, int mode)
4059 {
4060         struct task_security_struct *tsec;
4061         struct ipc_security_struct *isec;
4062         struct msg_security_struct *msec;
4063         struct avc_audit_data ad;
4064         int rc;
4065
4066         tsec = target->security;
4067         isec = msq->q_perm.security;
4068         msec = msg->security;
4069
4070         AVC_AUDIT_DATA_INIT(&ad, IPC);
4071         ad.u.ipc_id = msq->q_perm.key;
4072
4073         rc = avc_has_perm(tsec->sid, isec->sid,
4074                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4075         if (!rc)
4076                 rc = avc_has_perm(tsec->sid, msec->sid,
4077                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4078         return rc;
4079 }
4080
4081 /* Shared Memory security operations */
4082 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4083 {
4084         struct task_security_struct *tsec;
4085         struct ipc_security_struct *isec;
4086         struct avc_audit_data ad;
4087         int rc;
4088
4089         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4090         if (rc)
4091                 return rc;
4092
4093         tsec = current->security;
4094         isec = shp->shm_perm.security;
4095
4096         AVC_AUDIT_DATA_INIT(&ad, IPC);
4097         ad.u.ipc_id = shp->shm_perm.key;
4098
4099         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4100                           SHM__CREATE, &ad);
4101         if (rc) {
4102                 ipc_free_security(&shp->shm_perm);
4103                 return rc;
4104         }
4105         return 0;
4106 }
4107
4108 static void selinux_shm_free_security(struct shmid_kernel *shp)
4109 {
4110         ipc_free_security(&shp->shm_perm);
4111 }
4112
4113 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4114 {
4115         struct task_security_struct *tsec;
4116         struct ipc_security_struct *isec;
4117         struct avc_audit_data ad;
4118
4119         tsec = current->security;
4120         isec = shp->shm_perm.security;
4121
4122         AVC_AUDIT_DATA_INIT(&ad, IPC);
4123         ad.u.ipc_id = shp->shm_perm.key;
4124
4125         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4126                             SHM__ASSOCIATE, &ad);
4127 }
4128
4129 /* Note, at this point, shp is locked down */
4130 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4131 {
4132         int perms;
4133         int err;
4134
4135         switch(cmd) {
4136         case IPC_INFO:
4137         case SHM_INFO:
4138                 /* No specific object, just general system-wide information. */
4139                 return task_has_system(current, SYSTEM__IPC_INFO);
4140         case IPC_STAT:
4141         case SHM_STAT:
4142                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4143                 break;
4144         case IPC_SET:
4145                 perms = SHM__SETATTR;
4146                 break;
4147         case SHM_LOCK:
4148         case SHM_UNLOCK:
4149                 perms = SHM__LOCK;
4150                 break;
4151         case IPC_RMID:
4152                 perms = SHM__DESTROY;
4153                 break;
4154         default:
4155                 return 0;
4156         }
4157
4158         err = ipc_has_perm(&shp->shm_perm, perms);
4159         return err;
4160 }
4161
4162 static int selinux_shm_shmat(struct shmid_kernel *shp,
4163                              char __user *shmaddr, int shmflg)
4164 {
4165         u32 perms;
4166         int rc;
4167
4168         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4169         if (rc)
4170                 return rc;
4171
4172         if (shmflg & SHM_RDONLY)
4173                 perms = SHM__READ;
4174         else
4175                 perms = SHM__READ | SHM__WRITE;
4176
4177         return ipc_has_perm(&shp->shm_perm, perms);
4178 }
4179
4180 /* Semaphore security operations */
4181 static int selinux_sem_alloc_security(struct sem_array *sma)
4182 {
4183         struct task_security_struct *tsec;
4184         struct ipc_security_struct *isec;
4185         struct avc_audit_data ad;
4186         int rc;
4187
4188         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4189         if (rc)
4190                 return rc;
4191
4192         tsec = current->security;
4193         isec = sma->sem_perm.security;
4194
4195         AVC_AUDIT_DATA_INIT(&ad, IPC);
4196         ad.u.ipc_id = sma->sem_perm.key;
4197
4198         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4199                           SEM__CREATE, &ad);
4200         if (rc) {
4201                 ipc_free_security(&sma->sem_perm);
4202                 return rc;
4203         }
4204         return 0;
4205 }
4206
4207 static void selinux_sem_free_security(struct sem_array *sma)
4208 {
4209         ipc_free_security(&sma->sem_perm);
4210 }
4211
4212 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4213 {
4214         struct task_security_struct *tsec;
4215         struct ipc_security_struct *isec;
4216         struct avc_audit_data ad;
4217
4218         tsec = current->security;
4219         isec = sma->sem_perm.security;
4220
4221         AVC_AUDIT_DATA_INIT(&ad, IPC);
4222         ad.u.ipc_id = sma->sem_perm.key;
4223
4224         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4225                             SEM__ASSOCIATE, &ad);
4226 }
4227
4228 /* Note, at this point, sma is locked down */
4229 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4230 {
4231         int err;
4232         u32 perms;
4233
4234         switch(cmd) {
4235         case IPC_INFO:
4236         case SEM_INFO:
4237                 /* No specific object, just general system-wide information. */
4238                 return task_has_system(current, SYSTEM__IPC_INFO);
4239         case GETPID:
4240         case GETNCNT:
4241         case GETZCNT:
4242                 perms = SEM__GETATTR;
4243                 break;
4244         case GETVAL:
4245         case GETALL:
4246                 perms = SEM__READ;
4247                 break;
4248         case SETVAL:
4249         case SETALL:
4250                 perms = SEM__WRITE;
4251                 break;
4252         case IPC_RMID:
4253                 perms = SEM__DESTROY;
4254                 break;
4255         case IPC_SET:
4256                 perms = SEM__SETATTR;
4257                 break;
4258         case IPC_STAT:
4259         case SEM_STAT:
4260                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4261                 break;
4262         default:
4263                 return 0;
4264         }
4265
4266         err = ipc_has_perm(&sma->sem_perm, perms);
4267         return err;
4268 }
4269
4270 static int selinux_sem_semop(struct sem_array *sma,
4271                              struct sembuf *sops, unsigned nsops, int alter)
4272 {
4273         u32 perms;
4274
4275         if (alter)
4276                 perms = SEM__READ | SEM__WRITE;
4277         else
4278                 perms = SEM__READ;
4279
4280         return ipc_has_perm(&sma->sem_perm, perms);
4281 }
4282
4283 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4284 {
4285         u32 av = 0;
4286
4287         av = 0;
4288         if (flag & S_IRUGO)
4289                 av |= IPC__UNIX_READ;
4290         if (flag & S_IWUGO)
4291                 av |= IPC__UNIX_WRITE;
4292
4293         if (av == 0)
4294                 return 0;
4295
4296         return ipc_has_perm(ipcp, av);
4297 }
4298
4299 /* module stacking operations */
4300 static int selinux_register_security (const char *name, struct security_operations *ops)
4301 {
4302         if (secondary_ops != original_ops) {
4303                 printk(KERN_INFO "%s:  There is already a secondary security "
4304                        "module registered.\n", __FUNCTION__);
4305                 return -EINVAL;
4306         }
4307
4308         secondary_ops = ops;
4309
4310         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4311                __FUNCTION__,
4312                name);
4313
4314         return 0;
4315 }
4316
4317 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4318 {
4319         if (ops != secondary_ops) {
4320                 printk (KERN_INFO "%s:  trying to unregister a security module "
4321                         "that is not registered.\n", __FUNCTION__);
4322                 return -EINVAL;
4323         }
4324
4325         secondary_ops = original_ops;
4326
4327         return 0;
4328 }
4329
4330 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4331 {
4332         if (inode)
4333                 inode_doinit_with_dentry(inode, dentry);
4334 }
4335
4336 static int selinux_getprocattr(struct task_struct *p,
4337                                char *name, void *value, size_t size)
4338 {
4339         struct task_security_struct *tsec;
4340         u32 sid;
4341         int error;
4342
4343         if (current != p) {
4344                 error = task_has_perm(current, p, PROCESS__GETATTR);
4345                 if (error)
4346                         return error;
4347         }
4348
4349         tsec = p->security;
4350
4351         if (!strcmp(name, "current"))
4352                 sid = tsec->sid;
4353         else if (!strcmp(name, "prev"))
4354                 sid = tsec->osid;
4355         else if (!strcmp(name, "exec"))
4356                 sid = tsec->exec_sid;
4357         else if (!strcmp(name, "fscreate"))
4358                 sid = tsec->create_sid;
4359         else if (!strcmp(name, "keycreate"))
4360                 sid = tsec->keycreate_sid;
4361         else if (!strcmp(name, "sockcreate"))
4362                 sid = tsec->sockcreate_sid;
4363         else
4364                 return -EINVAL;
4365
4366         if (!sid)
4367                 return 0;
4368
4369         return selinux_getsecurity(sid, value, size);
4370 }
4371
4372 static int selinux_setprocattr(struct task_struct *p,
4373                                char *name, void *value, size_t size)
4374 {
4375         struct task_security_struct *tsec;
4376         u32 sid = 0;
4377         int error;
4378         char *str = value;
4379
4380         if (current != p) {
4381                 /* SELinux only allows a process to change its own
4382                    security attributes. */
4383                 return -EACCES;
4384         }
4385
4386         /*
4387          * Basic control over ability to set these attributes at all.
4388          * current == p, but we'll pass them separately in case the
4389          * above restriction is ever removed.
4390          */
4391         if (!strcmp(name, "exec"))
4392                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4393         else if (!strcmp(name, "fscreate"))
4394                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4395         else if (!strcmp(name, "keycreate"))
4396                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4397         else if (!strcmp(name, "sockcreate"))
4398                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4399         else if (!strcmp(name, "current"))
4400                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4401         else
4402                 error = -EINVAL;
4403         if (error)
4404                 return error;
4405
4406         /* Obtain a SID for the context, if one was specified. */
4407         if (size && str[1] && str[1] != '\n') {
4408                 if (str[size-1] == '\n') {
4409                         str[size-1] = 0;
4410                         size--;
4411                 }
4412                 error = security_context_to_sid(value, size, &sid);
4413                 if (error)
4414                         return error;
4415         }
4416
4417         /* Permission checking based on the specified context is
4418            performed during the actual operation (execve,
4419            open/mkdir/...), when we know the full context of the
4420            operation.  See selinux_bprm_set_security for the execve
4421            checks and may_create for the file creation checks. The
4422            operation will then fail if the context is not permitted. */
4423         tsec = p->security;
4424         if (!strcmp(name, "exec"))
4425                 tsec->exec_sid = sid;
4426         else if (!strcmp(name, "fscreate"))
4427                 tsec->create_sid = sid;
4428         else if (!strcmp(name, "keycreate")) {
4429                 error = may_create_key(sid, p);
4430                 if (error)
4431                         return error;
4432                 tsec->keycreate_sid = sid;
4433         } else if (!strcmp(name, "sockcreate"))
4434                 tsec->sockcreate_sid = sid;
4435         else if (!strcmp(name, "current")) {
4436                 struct av_decision avd;
4437
4438                 if (sid == 0)
4439                         return -EINVAL;
4440
4441                 /* Only allow single threaded processes to change context */
4442                 if (atomic_read(&p->mm->mm_users) != 1) {
4443                         struct task_struct *g, *t;
4444                         struct mm_struct *mm = p->mm;
4445                         read_lock(&tasklist_lock);
4446                         do_each_thread(g, t)
4447                                 if (t->mm == mm && t != p) {
4448                                         read_unlock(&tasklist_lock);
4449                                         return -EPERM;
4450                                 }
4451                         while_each_thread(g, t);
4452                         read_unlock(&tasklist_lock);
4453                 }
4454
4455                 /* Check permissions for the transition. */
4456                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4457                                      PROCESS__DYNTRANSITION, NULL);
4458                 if (error)
4459                         return error;
4460
4461                 /* Check for ptracing, and update the task SID if ok.
4462                    Otherwise, leave SID unchanged and fail. */
4463                 task_lock(p);
4464                 if (p->ptrace & PT_PTRACED) {
4465                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4466                                                      SECCLASS_PROCESS,
4467                                                      PROCESS__PTRACE, &avd);
4468                         if (!error)
4469                                 tsec->sid = sid;
4470                         task_unlock(p);
4471                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4472                                   PROCESS__PTRACE, &avd, error, NULL);
4473                         if (error)
4474                                 return error;
4475                 } else {
4476                         tsec->sid = sid;
4477                         task_unlock(p);
4478                 }
4479         }
4480         else
4481                 return -EINVAL;
4482
4483         return size;
4484 }
4485
4486 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4487 {
4488         return security_sid_to_context(secid, secdata, seclen);
4489 }
4490
4491 static void selinux_release_secctx(char *secdata, u32 seclen)
4492 {
4493         if (secdata)
4494                 kfree(secdata);
4495 }
4496
4497 #ifdef CONFIG_KEYS
4498
4499 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4500                              unsigned long flags)
4501 {
4502         struct task_security_struct *tsec = tsk->security;
4503         struct key_security_struct *ksec;
4504
4505         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4506         if (!ksec)
4507                 return -ENOMEM;
4508
4509         ksec->obj = k;
4510         if (tsec->keycreate_sid)
4511                 ksec->sid = tsec->keycreate_sid;
4512         else
4513                 ksec->sid = tsec->sid;
4514         k->security = ksec;
4515
4516         return 0;
4517 }
4518
4519 static void selinux_key_free(struct key *k)
4520 {
4521         struct key_security_struct *ksec = k->security;
4522
4523         k->security = NULL;
4524         kfree(ksec);
4525 }
4526
4527 static int selinux_key_permission(key_ref_t key_ref,
4528                             struct task_struct *ctx,
4529                             key_perm_t perm)
4530 {
4531         struct key *key;
4532         struct task_security_struct *tsec;
4533         struct key_security_struct *ksec;
4534
4535         key = key_ref_to_ptr(key_ref);
4536
4537         tsec = ctx->security;
4538         ksec = key->security;
4539
4540         /* if no specific permissions are requested, we skip the
4541            permission check. No serious, additional covert channels
4542            appear to be created. */
4543         if (perm == 0)
4544                 return 0;
4545
4546         return avc_has_perm(tsec->sid, ksec->sid,
4547                             SECCLASS_KEY, perm, NULL);
4548 }
4549
4550 #endif
4551
4552 static struct security_operations selinux_ops = {
4553         .ptrace =                       selinux_ptrace,
4554         .capget =                       selinux_capget,
4555         .capset_check =                 selinux_capset_check,
4556         .capset_set =                   selinux_capset_set,
4557         .sysctl =                       selinux_sysctl,
4558         .capable =                      selinux_capable,
4559         .quotactl =                     selinux_quotactl,
4560         .quota_on =                     selinux_quota_on,
4561         .syslog =                       selinux_syslog,
4562         .vm_enough_memory =             selinux_vm_enough_memory,
4563
4564         .netlink_send =                 selinux_netlink_send,
4565         .netlink_recv =                 selinux_netlink_recv,
4566
4567         .bprm_alloc_security =          selinux_bprm_alloc_security,
4568         .bprm_free_security =           selinux_bprm_free_security,
4569         .bprm_apply_creds =             selinux_bprm_apply_creds,
4570         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4571         .bprm_set_security =            selinux_bprm_set_security,
4572         .bprm_check_security =          selinux_bprm_check_security,
4573         .bprm_secureexec =              selinux_bprm_secureexec,
4574
4575         .sb_alloc_security =            selinux_sb_alloc_security,
4576         .sb_free_security =             selinux_sb_free_security,
4577         .sb_copy_data =                 selinux_sb_copy_data,
4578         .sb_kern_mount =                selinux_sb_kern_mount,
4579         .sb_statfs =                    selinux_sb_statfs,
4580         .sb_mount =                     selinux_mount,
4581         .sb_umount =                    selinux_umount,
4582
4583         .inode_alloc_security =         selinux_inode_alloc_security,
4584         .inode_free_security =          selinux_inode_free_security,
4585         .inode_init_security =          selinux_inode_init_security,
4586         .inode_create =                 selinux_inode_create,
4587         .inode_link =                   selinux_inode_link,
4588         .inode_unlink =                 selinux_inode_unlink,
4589         .inode_symlink =                selinux_inode_symlink,
4590         .inode_mkdir =                  selinux_inode_mkdir,
4591         .inode_rmdir =                  selinux_inode_rmdir,
4592         .inode_mknod =                  selinux_inode_mknod,
4593         .inode_rename =                 selinux_inode_rename,
4594         .inode_readlink =               selinux_inode_readlink,
4595         .inode_follow_link =            selinux_inode_follow_link,
4596         .inode_permission =             selinux_inode_permission,
4597         .inode_setattr =                selinux_inode_setattr,
4598         .inode_getattr =                selinux_inode_getattr,
4599         .inode_setxattr =               selinux_inode_setxattr,
4600         .inode_post_setxattr =          selinux_inode_post_setxattr,
4601         .inode_getxattr =               selinux_inode_getxattr,
4602         .inode_listxattr =              selinux_inode_listxattr,
4603         .inode_removexattr =            selinux_inode_removexattr,
4604         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4605         .inode_getsecurity =            selinux_inode_getsecurity,
4606         .inode_setsecurity =            selinux_inode_setsecurity,
4607         .inode_listsecurity =           selinux_inode_listsecurity,
4608
4609         .file_permission =              selinux_file_permission,
4610         .file_alloc_security =          selinux_file_alloc_security,
4611         .file_free_security =           selinux_file_free_security,
4612         .file_ioctl =                   selinux_file_ioctl,
4613         .file_mmap =                    selinux_file_mmap,
4614         .file_mprotect =                selinux_file_mprotect,
4615         .file_lock =                    selinux_file_lock,
4616         .file_fcntl =                   selinux_file_fcntl,
4617         .file_set_fowner =              selinux_file_set_fowner,
4618         .file_send_sigiotask =          selinux_file_send_sigiotask,
4619         .file_receive =                 selinux_file_receive,
4620
4621         .task_create =                  selinux_task_create,
4622         .task_alloc_security =          selinux_task_alloc_security,
4623         .task_free_security =           selinux_task_free_security,
4624         .task_setuid =                  selinux_task_setuid,
4625         .task_post_setuid =             selinux_task_post_setuid,
4626         .task_setgid =                  selinux_task_setgid,
4627         .task_setpgid =                 selinux_task_setpgid,
4628         .task_getpgid =                 selinux_task_getpgid,
4629         .task_getsid =                  selinux_task_getsid,
4630         .task_getsecid =                selinux_task_getsecid,
4631         .task_setgroups =               selinux_task_setgroups,
4632         .task_setnice =                 selinux_task_setnice,
4633         .task_setioprio =               selinux_task_setioprio,
4634         .task_getioprio =               selinux_task_getioprio,
4635         .task_setrlimit =               selinux_task_setrlimit,
4636         .task_setscheduler =            selinux_task_setscheduler,
4637         .task_getscheduler =            selinux_task_getscheduler,
4638         .task_movememory =              selinux_task_movememory,
4639         .task_kill =                    selinux_task_kill,
4640         .task_wait =                    selinux_task_wait,
4641         .task_prctl =                   selinux_task_prctl,
4642         .task_reparent_to_init =        selinux_task_reparent_to_init,
4643         .task_to_inode =                selinux_task_to_inode,
4644
4645         .ipc_permission =               selinux_ipc_permission,
4646
4647         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4648         .msg_msg_free_security =        selinux_msg_msg_free_security,
4649
4650         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4651         .msg_queue_free_security =      selinux_msg_queue_free_security,
4652         .msg_queue_associate =          selinux_msg_queue_associate,
4653         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4654         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4655         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4656
4657         .shm_alloc_security =           selinux_shm_alloc_security,
4658         .shm_free_security =            selinux_shm_free_security,
4659         .shm_associate =                selinux_shm_associate,
4660         .shm_shmctl =                   selinux_shm_shmctl,
4661         .shm_shmat =                    selinux_shm_shmat,
4662
4663         .sem_alloc_security =           selinux_sem_alloc_security,
4664         .sem_free_security =            selinux_sem_free_security,
4665         .sem_associate =                selinux_sem_associate,
4666         .sem_semctl =                   selinux_sem_semctl,
4667         .sem_semop =                    selinux_sem_semop,
4668
4669         .register_security =            selinux_register_security,
4670         .unregister_security =          selinux_unregister_security,
4671
4672         .d_instantiate =                selinux_d_instantiate,
4673
4674         .getprocattr =                  selinux_getprocattr,
4675         .setprocattr =                  selinux_setprocattr,
4676
4677         .secid_to_secctx =              selinux_secid_to_secctx,
4678         .release_secctx =               selinux_release_secctx,
4679
4680         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4681         .unix_may_send =                selinux_socket_unix_may_send,
4682
4683         .socket_create =                selinux_socket_create,
4684         .socket_post_create =           selinux_socket_post_create,
4685         .socket_bind =                  selinux_socket_bind,
4686         .socket_connect =               selinux_socket_connect,
4687         .socket_listen =                selinux_socket_listen,
4688         .socket_accept =                selinux_socket_accept,
4689         .socket_sendmsg =               selinux_socket_sendmsg,
4690         .socket_recvmsg =               selinux_socket_recvmsg,
4691         .socket_getsockname =           selinux_socket_getsockname,
4692         .socket_getpeername =           selinux_socket_getpeername,
4693         .socket_getsockopt =            selinux_socket_getsockopt,
4694         .socket_setsockopt =            selinux_socket_setsockopt,
4695         .socket_shutdown =              selinux_socket_shutdown,
4696         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4697         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4698         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4699         .sk_alloc_security =            selinux_sk_alloc_security,
4700         .sk_free_security =             selinux_sk_free_security,
4701         .sk_clone_security =            selinux_sk_clone_security,
4702         .sk_getsecid =                  selinux_sk_getsecid,
4703         .sock_graft =                   selinux_sock_graft,
4704         .inet_conn_request =            selinux_inet_conn_request,
4705         .inet_csk_clone =               selinux_inet_csk_clone,
4706         .req_classify_flow =            selinux_req_classify_flow,
4707
4708 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4709         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4710         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4711         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4712         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4713         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4714         .xfrm_state_free_security =     selinux_xfrm_state_free,
4715         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4716         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4717         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
4718         .xfrm_flow_state_match =        selinux_xfrm_flow_state_match,
4719         .xfrm_decode_session =          selinux_xfrm_decode_session,
4720 #endif
4721
4722 #ifdef CONFIG_KEYS
4723         .key_alloc =                    selinux_key_alloc,
4724         .key_free =                     selinux_key_free,
4725         .key_permission =               selinux_key_permission,
4726 #endif
4727 };
4728
4729 static __init int selinux_init(void)
4730 {
4731         struct task_security_struct *tsec;
4732
4733         if (!selinux_enabled) {
4734                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4735                 return 0;
4736         }
4737
4738         printk(KERN_INFO "SELinux:  Initializing.\n");
4739
4740         /* Set the security state for the initial task. */
4741         if (task_alloc_security(current))
4742                 panic("SELinux:  Failed to initialize initial task.\n");
4743         tsec = current->security;
4744         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4745
4746         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4747                                             sizeof(struct inode_security_struct),
4748                                             0, SLAB_PANIC, NULL, NULL);
4749         avc_init();
4750
4751         original_ops = secondary_ops = security_ops;
4752         if (!secondary_ops)
4753                 panic ("SELinux: No initial security operations\n");
4754         if (register_security (&selinux_ops))
4755                 panic("SELinux: Unable to register with kernel.\n");
4756
4757         if (selinux_enforcing) {
4758                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4759         } else {
4760                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4761         }
4762
4763 #ifdef CONFIG_KEYS
4764         /* Add security information to initial keyrings */
4765         selinux_key_alloc(&root_user_keyring, current,
4766                           KEY_ALLOC_NOT_IN_QUOTA);
4767         selinux_key_alloc(&root_session_keyring, current,
4768                           KEY_ALLOC_NOT_IN_QUOTA);
4769 #endif
4770
4771         return 0;
4772 }
4773
4774 void selinux_complete_init(void)
4775 {
4776         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4777
4778         /* Set up any superblocks initialized prior to the policy load. */
4779         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4780         spin_lock(&sb_lock);
4781         spin_lock(&sb_security_lock);
4782 next_sb:
4783         if (!list_empty(&superblock_security_head)) {
4784                 struct superblock_security_struct *sbsec =
4785                                 list_entry(superblock_security_head.next,
4786                                            struct superblock_security_struct,
4787                                            list);
4788                 struct super_block *sb = sbsec->sb;
4789                 sb->s_count++;
4790                 spin_unlock(&sb_security_lock);
4791                 spin_unlock(&sb_lock);
4792                 down_read(&sb->s_umount);
4793                 if (sb->s_root)
4794                         superblock_doinit(sb, NULL);
4795                 drop_super(sb);
4796                 spin_lock(&sb_lock);
4797                 spin_lock(&sb_security_lock);
4798                 list_del_init(&sbsec->list);
4799                 goto next_sb;
4800         }
4801         spin_unlock(&sb_security_lock);
4802         spin_unlock(&sb_lock);
4803 }
4804
4805 /* SELinux requires early initialization in order to label
4806    all processes and objects when they are created. */
4807 security_initcall(selinux_init);
4808
4809 #if defined(CONFIG_NETFILTER)
4810
4811 static struct nf_hook_ops selinux_ipv4_op = {
4812         .hook =         selinux_ipv4_postroute_last,
4813         .owner =        THIS_MODULE,
4814         .pf =           PF_INET,
4815         .hooknum =      NF_IP_POST_ROUTING,
4816         .priority =     NF_IP_PRI_SELINUX_LAST,
4817 };
4818
4819 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4820
4821 static struct nf_hook_ops selinux_ipv6_op = {
4822         .hook =         selinux_ipv6_postroute_last,
4823         .owner =        THIS_MODULE,
4824         .pf =           PF_INET6,
4825         .hooknum =      NF_IP6_POST_ROUTING,
4826         .priority =     NF_IP6_PRI_SELINUX_LAST,
4827 };
4828
4829 #endif  /* IPV6 */
4830
4831 static int __init selinux_nf_ip_init(void)
4832 {
4833         int err = 0;
4834
4835         if (!selinux_enabled)
4836                 goto out;
4837                 
4838         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4839         
4840         err = nf_register_hook(&selinux_ipv4_op);
4841         if (err)
4842                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4843
4844 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4845
4846         err = nf_register_hook(&selinux_ipv6_op);
4847         if (err)
4848                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4849
4850 #endif  /* IPV6 */
4851
4852 out:
4853         return err;
4854 }
4855
4856 __initcall(selinux_nf_ip_init);
4857
4858 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4859 static void selinux_nf_ip_exit(void)
4860 {
4861         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4862
4863         nf_unregister_hook(&selinux_ipv4_op);
4864 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4865         nf_unregister_hook(&selinux_ipv6_op);
4866 #endif  /* IPV6 */
4867 }
4868 #endif
4869
4870 #else /* CONFIG_NETFILTER */
4871
4872 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4873 #define selinux_nf_ip_exit()
4874 #endif
4875
4876 #endif /* CONFIG_NETFILTER */
4877
4878 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4879 int selinux_disable(void)
4880 {
4881         extern void exit_sel_fs(void);
4882         static int selinux_disabled = 0;
4883
4884         if (ss_initialized) {
4885                 /* Not permitted after initial policy load. */
4886                 return -EINVAL;
4887         }
4888
4889         if (selinux_disabled) {
4890                 /* Only do this once. */
4891                 return -EINVAL;
4892         }
4893
4894         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4895
4896         selinux_disabled = 1;
4897         selinux_enabled = 0;
4898
4899         /* Reset security_ops to the secondary module, dummy or capability. */
4900         security_ops = secondary_ops;
4901
4902         /* Unregister netfilter hooks. */
4903         selinux_nf_ip_exit();
4904
4905         /* Unregister selinuxfs. */
4906         exit_sel_fs();
4907
4908         return 0;
4909 }
4910 #endif
4911
4912