7e101dbea4cb28ffb381869904e0709debce56ee
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/ptrace.h>
25 #include <linux/errno.h>
26 #include <linux/sched.h>
27 #include <linux/security.h>
28 #include <linux/xattr.h>
29 #include <linux/capability.h>
30 #include <linux/unistd.h>
31 #include <linux/mm.h>
32 #include <linux/mman.h>
33 #include <linux/slab.h>
34 #include <linux/pagemap.h>
35 #include <linux/swap.h>
36 #include <linux/smp_lock.h>
37 #include <linux/spinlock.h>
38 #include <linux/syscalls.h>
39 #include <linux/file.h>
40 #include <linux/namei.h>
41 #include <linux/mount.h>
42 #include <linux/ext2_fs.h>
43 #include <linux/proc_fs.h>
44 #include <linux/kd.h>
45 #include <linux/netfilter_ipv4.h>
46 #include <linux/netfilter_ipv6.h>
47 #include <linux/tty.h>
48 #include <net/icmp.h>
49 #include <net/ip.h>             /* for sysctl_local_port_range[] */
50 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
51 #include <asm/uaccess.h>
52 #include <asm/semaphore.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h>    /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/quota.h>
61 #include <linux/un.h>           /* for Unix socket types */
62 #include <net/af_unix.h>        /* for Unix socket types */
63 #include <linux/parser.h>
64 #include <linux/nfs_mount.h>
65 #include <net/ipv6.h>
66 #include <linux/hugetlb.h>
67 #include <linux/personality.h>
68 #include <linux/sysctl.h>
69 #include <linux/audit.h>
70 #include <linux/string.h>
71 #include <linux/selinux.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
84
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
87
88 static int __init enforcing_setup(char *str)
89 {
90         selinux_enforcing = simple_strtol(str,NULL,0);
91         return 1;
92 }
93 __setup("enforcing=", enforcing_setup);
94 #endif
95
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98
99 static int __init selinux_enabled_setup(char *str)
100 {
101         selinux_enabled = simple_strtol(str, NULL, 0);
102         return 1;
103 }
104 __setup("selinux=", selinux_enabled_setup);
105 #else
106 int selinux_enabled = 1;
107 #endif
108
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
111
112 /* Minimal support for a secondary security module,
113    just to allow the use of the dummy or capability modules.
114    The owlsm module can alternatively be used as a secondary
115    module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
117
118 /* Lists of inode and superblock security structures initialized
119    before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
122
123 static kmem_cache_t *sel_inode_cache;
124
125 /* Return security context for a given sid or just the context 
126    length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
128 {
129         char *context;
130         unsigned len;
131         int rc;
132
133         rc = security_sid_to_context(sid, &context, &len);
134         if (rc)
135                 return rc;
136
137         if (!buffer || !size)
138                 goto getsecurity_exit;
139
140         if (size < len) {
141                 len = -ERANGE;
142                 goto getsecurity_exit;
143         }
144         memcpy(buffer, context, len);
145
146 getsecurity_exit:
147         kfree(context);
148         return len;
149 }
150
151 /* Allocate and free functions for each kind of security blob. */
152
153 static int task_alloc_security(struct task_struct *task)
154 {
155         struct task_security_struct *tsec;
156
157         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
158         if (!tsec)
159                 return -ENOMEM;
160
161         tsec->task = task;
162         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163         task->security = tsec;
164
165         return 0;
166 }
167
168 static void task_free_security(struct task_struct *task)
169 {
170         struct task_security_struct *tsec = task->security;
171         task->security = NULL;
172         kfree(tsec);
173 }
174
175 static int inode_alloc_security(struct inode *inode)
176 {
177         struct task_security_struct *tsec = current->security;
178         struct inode_security_struct *isec;
179
180         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
181         if (!isec)
182                 return -ENOMEM;
183
184         memset(isec, 0, sizeof(*isec));
185         init_MUTEX(&isec->sem);
186         INIT_LIST_HEAD(&isec->list);
187         isec->inode = inode;
188         isec->sid = SECINITSID_UNLABELED;
189         isec->sclass = SECCLASS_FILE;
190         isec->task_sid = tsec->sid;
191         inode->i_security = isec;
192
193         return 0;
194 }
195
196 static void inode_free_security(struct inode *inode)
197 {
198         struct inode_security_struct *isec = inode->i_security;
199         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
200
201         spin_lock(&sbsec->isec_lock);
202         if (!list_empty(&isec->list))
203                 list_del_init(&isec->list);
204         spin_unlock(&sbsec->isec_lock);
205
206         inode->i_security = NULL;
207         kmem_cache_free(sel_inode_cache, isec);
208 }
209
210 static int file_alloc_security(struct file *file)
211 {
212         struct task_security_struct *tsec = current->security;
213         struct file_security_struct *fsec;
214
215         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
216         if (!fsec)
217                 return -ENOMEM;
218
219         fsec->file = file;
220         fsec->sid = tsec->sid;
221         fsec->fown_sid = tsec->sid;
222         file->f_security = fsec;
223
224         return 0;
225 }
226
227 static void file_free_security(struct file *file)
228 {
229         struct file_security_struct *fsec = file->f_security;
230         file->f_security = NULL;
231         kfree(fsec);
232 }
233
234 static int superblock_alloc_security(struct super_block *sb)
235 {
236         struct superblock_security_struct *sbsec;
237
238         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
239         if (!sbsec)
240                 return -ENOMEM;
241
242         init_MUTEX(&sbsec->sem);
243         INIT_LIST_HEAD(&sbsec->list);
244         INIT_LIST_HEAD(&sbsec->isec_head);
245         spin_lock_init(&sbsec->isec_lock);
246         sbsec->sb = sb;
247         sbsec->sid = SECINITSID_UNLABELED;
248         sbsec->def_sid = SECINITSID_FILE;
249         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         if (family != PF_UNIX)
273                 return 0;
274
275         ssec = kzalloc(sizeof(*ssec), priority);
276         if (!ssec)
277                 return -ENOMEM;
278
279         ssec->sk = sk;
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         return 0;
284 }
285
286 static void sk_free_security(struct sock *sk)
287 {
288         struct sk_security_struct *ssec = sk->sk_security;
289
290         if (sk->sk_family != PF_UNIX)
291                 return;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int may_context_mount_sb_relabel(u32 sid,
334                         struct superblock_security_struct *sbsec,
335                         struct task_security_struct *tsec)
336 {
337         int rc;
338
339         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
340                           FILESYSTEM__RELABELFROM, NULL);
341         if (rc)
342                 return rc;
343
344         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
345                           FILESYSTEM__RELABELTO, NULL);
346         return rc;
347 }
348
349 static int try_context_mount(struct super_block *sb, void *data)
350 {
351         char *context = NULL, *defcontext = NULL;
352         char *fscontext = NULL;
353         const char *name;
354         u32 sid;
355         int alloc = 0, rc = 0, seen = 0;
356         struct task_security_struct *tsec = current->security;
357         struct superblock_security_struct *sbsec = sb->s_security;
358
359         if (!data)
360                 goto out;
361
362         name = sb->s_type->name;
363
364         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
365
366                 /* NFS we understand. */
367                 if (!strcmp(name, "nfs")) {
368                         struct nfs_mount_data *d = data;
369
370                         if (d->version <  NFS_MOUNT_VERSION)
371                                 goto out;
372
373                         if (d->context[0]) {
374                                 context = d->context;
375                                 seen |= Opt_context;
376                         }
377                 } else
378                         goto out;
379
380         } else {
381                 /* Standard string-based options. */
382                 char *p, *options = data;
383
384                 while ((p = strsep(&options, ",")) != NULL) {
385                         int token;
386                         substring_t args[MAX_OPT_ARGS];
387
388                         if (!*p)
389                                 continue;
390
391                         token = match_token(p, tokens, args);
392
393                         switch (token) {
394                         case Opt_context:
395                                 if (seen & (Opt_context|Opt_defcontext)) {
396                                         rc = -EINVAL;
397                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
398                                         goto out_free;
399                                 }
400                                 context = match_strdup(&args[0]);
401                                 if (!context) {
402                                         rc = -ENOMEM;
403                                         goto out_free;
404                                 }
405                                 if (!alloc)
406                                         alloc = 1;
407                                 seen |= Opt_context;
408                                 break;
409
410                         case Opt_fscontext:
411                                 if (seen & Opt_fscontext) {
412                                         rc = -EINVAL;
413                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
414                                         goto out_free;
415                                 }
416                                 fscontext = match_strdup(&args[0]);
417                                 if (!fscontext) {
418                                         rc = -ENOMEM;
419                                         goto out_free;
420                                 }
421                                 if (!alloc)
422                                         alloc = 1;
423                                 seen |= Opt_fscontext;
424                                 break;
425
426                         case Opt_defcontext:
427                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
428                                         rc = -EINVAL;
429                                         printk(KERN_WARNING "SELinux:  "
430                                                "defcontext option is invalid "
431                                                "for this filesystem type\n");
432                                         goto out_free;
433                                 }
434                                 if (seen & (Opt_context|Opt_defcontext)) {
435                                         rc = -EINVAL;
436                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
437                                         goto out_free;
438                                 }
439                                 defcontext = match_strdup(&args[0]);
440                                 if (!defcontext) {
441                                         rc = -ENOMEM;
442                                         goto out_free;
443                                 }
444                                 if (!alloc)
445                                         alloc = 1;
446                                 seen |= Opt_defcontext;
447                                 break;
448
449                         default:
450                                 rc = -EINVAL;
451                                 printk(KERN_WARNING "SELinux:  unknown mount "
452                                        "option\n");
453                                 goto out_free;
454
455                         }
456                 }
457         }
458
459         if (!seen)
460                 goto out;
461
462         /* sets the context of the superblock for the fs being mounted. */
463         if (fscontext) {
464                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
465                 if (rc) {
466                         printk(KERN_WARNING "SELinux: security_context_to_sid"
467                                "(%s) failed for (dev %s, type %s) errno=%d\n",
468                                fscontext, sb->s_id, name, rc);
469                         goto out_free;
470                 }
471
472                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
473                 if (rc)
474                         goto out_free;
475
476                 sbsec->sid = sid;
477         }
478
479         /*
480          * Switch to using mount point labeling behavior.
481          * sets the label used on all file below the mountpoint, and will set
482          * the superblock context if not already set.
483          */
484         if (context) {
485                 rc = security_context_to_sid(context, strlen(context), &sid);
486                 if (rc) {
487                         printk(KERN_WARNING "SELinux: security_context_to_sid"
488                                "(%s) failed for (dev %s, type %s) errno=%d\n",
489                                context, sb->s_id, name, rc);
490                         goto out_free;
491                 }
492
493                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
494                 if (rc)
495                         goto out_free;
496
497                 if (!fscontext)
498                         sbsec->sid = sid;
499                 sbsec->mntpoint_sid = sid;
500
501                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
502         }
503
504         if (defcontext) {
505                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
506                 if (rc) {
507                         printk(KERN_WARNING "SELinux: security_context_to_sid"
508                                "(%s) failed for (dev %s, type %s) errno=%d\n",
509                                defcontext, sb->s_id, name, rc);
510                         goto out_free;
511                 }
512
513                 if (sid == sbsec->def_sid)
514                         goto out_free;
515
516                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
517                                   FILESYSTEM__RELABELFROM, NULL);
518                 if (rc)
519                         goto out_free;
520
521                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
522                                   FILESYSTEM__ASSOCIATE, NULL);
523                 if (rc)
524                         goto out_free;
525
526                 sbsec->def_sid = sid;
527         }
528
529 out_free:
530         if (alloc) {
531                 kfree(context);
532                 kfree(defcontext);
533                 kfree(fscontext);
534         }
535 out:
536         return rc;
537 }
538
539 static int superblock_doinit(struct super_block *sb, void *data)
540 {
541         struct superblock_security_struct *sbsec = sb->s_security;
542         struct dentry *root = sb->s_root;
543         struct inode *inode = root->d_inode;
544         int rc = 0;
545
546         down(&sbsec->sem);
547         if (sbsec->initialized)
548                 goto out;
549
550         if (!ss_initialized) {
551                 /* Defer initialization until selinux_complete_init,
552                    after the initial policy is loaded and the security
553                    server is ready to handle calls. */
554                 spin_lock(&sb_security_lock);
555                 if (list_empty(&sbsec->list))
556                         list_add(&sbsec->list, &superblock_security_head);
557                 spin_unlock(&sb_security_lock);
558                 goto out;
559         }
560
561         /* Determine the labeling behavior to use for this filesystem type. */
562         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
563         if (rc) {
564                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
565                        __FUNCTION__, sb->s_type->name, rc);
566                 goto out;
567         }
568
569         rc = try_context_mount(sb, data);
570         if (rc)
571                 goto out;
572
573         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
574                 /* Make sure that the xattr handler exists and that no
575                    error other than -ENODATA is returned by getxattr on
576                    the root directory.  -ENODATA is ok, as this may be
577                    the first boot of the SELinux kernel before we have
578                    assigned xattr values to the filesystem. */
579                 if (!inode->i_op->getxattr) {
580                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
581                                "xattr support\n", sb->s_id, sb->s_type->name);
582                         rc = -EOPNOTSUPP;
583                         goto out;
584                 }
585                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
586                 if (rc < 0 && rc != -ENODATA) {
587                         if (rc == -EOPNOTSUPP)
588                                 printk(KERN_WARNING "SELinux: (dev %s, type "
589                                        "%s) has no security xattr handler\n",
590                                        sb->s_id, sb->s_type->name);
591                         else
592                                 printk(KERN_WARNING "SELinux: (dev %s, type "
593                                        "%s) getxattr errno %d\n", sb->s_id,
594                                        sb->s_type->name, -rc);
595                         goto out;
596                 }
597         }
598
599         if (strcmp(sb->s_type->name, "proc") == 0)
600                 sbsec->proc = 1;
601
602         sbsec->initialized = 1;
603
604         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
605                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
606                        sb->s_id, sb->s_type->name);
607         }
608         else {
609                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
610                        sb->s_id, sb->s_type->name,
611                        labeling_behaviors[sbsec->behavior-1]);
612         }
613
614         /* Initialize the root inode. */
615         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
616
617         /* Initialize any other inodes associated with the superblock, e.g.
618            inodes created prior to initial policy load or inodes created
619            during get_sb by a pseudo filesystem that directly
620            populates itself. */
621         spin_lock(&sbsec->isec_lock);
622 next_inode:
623         if (!list_empty(&sbsec->isec_head)) {
624                 struct inode_security_struct *isec =
625                                 list_entry(sbsec->isec_head.next,
626                                            struct inode_security_struct, list);
627                 struct inode *inode = isec->inode;
628                 spin_unlock(&sbsec->isec_lock);
629                 inode = igrab(inode);
630                 if (inode) {
631                         if (!IS_PRIVATE (inode))
632                                 inode_doinit(inode);
633                         iput(inode);
634                 }
635                 spin_lock(&sbsec->isec_lock);
636                 list_del_init(&isec->list);
637                 goto next_inode;
638         }
639         spin_unlock(&sbsec->isec_lock);
640 out:
641         up(&sbsec->sem);
642         return rc;
643 }
644
645 static inline u16 inode_mode_to_security_class(umode_t mode)
646 {
647         switch (mode & S_IFMT) {
648         case S_IFSOCK:
649                 return SECCLASS_SOCK_FILE;
650         case S_IFLNK:
651                 return SECCLASS_LNK_FILE;
652         case S_IFREG:
653                 return SECCLASS_FILE;
654         case S_IFBLK:
655                 return SECCLASS_BLK_FILE;
656         case S_IFDIR:
657                 return SECCLASS_DIR;
658         case S_IFCHR:
659                 return SECCLASS_CHR_FILE;
660         case S_IFIFO:
661                 return SECCLASS_FIFO_FILE;
662
663         }
664
665         return SECCLASS_FILE;
666 }
667
668 static inline int default_protocol_stream(int protocol)
669 {
670         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
671 }
672
673 static inline int default_protocol_dgram(int protocol)
674 {
675         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
676 }
677
678 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
679 {
680         switch (family) {
681         case PF_UNIX:
682                 switch (type) {
683                 case SOCK_STREAM:
684                 case SOCK_SEQPACKET:
685                         return SECCLASS_UNIX_STREAM_SOCKET;
686                 case SOCK_DGRAM:
687                         return SECCLASS_UNIX_DGRAM_SOCKET;
688                 }
689                 break;
690         case PF_INET:
691         case PF_INET6:
692                 switch (type) {
693                 case SOCK_STREAM:
694                         if (default_protocol_stream(protocol))
695                                 return SECCLASS_TCP_SOCKET;
696                         else
697                                 return SECCLASS_RAWIP_SOCKET;
698                 case SOCK_DGRAM:
699                         if (default_protocol_dgram(protocol))
700                                 return SECCLASS_UDP_SOCKET;
701                         else
702                                 return SECCLASS_RAWIP_SOCKET;
703                 default:
704                         return SECCLASS_RAWIP_SOCKET;
705                 }
706                 break;
707         case PF_NETLINK:
708                 switch (protocol) {
709                 case NETLINK_ROUTE:
710                         return SECCLASS_NETLINK_ROUTE_SOCKET;
711                 case NETLINK_FIREWALL:
712                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
713                 case NETLINK_INET_DIAG:
714                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
715                 case NETLINK_NFLOG:
716                         return SECCLASS_NETLINK_NFLOG_SOCKET;
717                 case NETLINK_XFRM:
718                         return SECCLASS_NETLINK_XFRM_SOCKET;
719                 case NETLINK_SELINUX:
720                         return SECCLASS_NETLINK_SELINUX_SOCKET;
721                 case NETLINK_AUDIT:
722                         return SECCLASS_NETLINK_AUDIT_SOCKET;
723                 case NETLINK_IP6_FW:
724                         return SECCLASS_NETLINK_IP6FW_SOCKET;
725                 case NETLINK_DNRTMSG:
726                         return SECCLASS_NETLINK_DNRT_SOCKET;
727                 case NETLINK_KOBJECT_UEVENT:
728                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
729                 default:
730                         return SECCLASS_NETLINK_SOCKET;
731                 }
732         case PF_PACKET:
733                 return SECCLASS_PACKET_SOCKET;
734         case PF_KEY:
735                 return SECCLASS_KEY_SOCKET;
736         case PF_APPLETALK:
737                 return SECCLASS_APPLETALK_SOCKET;
738         }
739
740         return SECCLASS_SOCKET;
741 }
742
743 #ifdef CONFIG_PROC_FS
744 static int selinux_proc_get_sid(struct proc_dir_entry *de,
745                                 u16 tclass,
746                                 u32 *sid)
747 {
748         int buflen, rc;
749         char *buffer, *path, *end;
750
751         buffer = (char*)__get_free_page(GFP_KERNEL);
752         if (!buffer)
753                 return -ENOMEM;
754
755         buflen = PAGE_SIZE;
756         end = buffer+buflen;
757         *--end = '\0';
758         buflen--;
759         path = end-1;
760         *path = '/';
761         while (de && de != de->parent) {
762                 buflen -= de->namelen + 1;
763                 if (buflen < 0)
764                         break;
765                 end -= de->namelen;
766                 memcpy(end, de->name, de->namelen);
767                 *--end = '/';
768                 path = end;
769                 de = de->parent;
770         }
771         rc = security_genfs_sid("proc", path, tclass, sid);
772         free_page((unsigned long)buffer);
773         return rc;
774 }
775 #else
776 static int selinux_proc_get_sid(struct proc_dir_entry *de,
777                                 u16 tclass,
778                                 u32 *sid)
779 {
780         return -EINVAL;
781 }
782 #endif
783
784 /* The inode's security attributes must be initialized before first use. */
785 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
786 {
787         struct superblock_security_struct *sbsec = NULL;
788         struct inode_security_struct *isec = inode->i_security;
789         u32 sid;
790         struct dentry *dentry;
791 #define INITCONTEXTLEN 255
792         char *context = NULL;
793         unsigned len = 0;
794         int rc = 0;
795         int hold_sem = 0;
796
797         if (isec->initialized)
798                 goto out;
799
800         down(&isec->sem);
801         hold_sem = 1;
802         if (isec->initialized)
803                 goto out;
804
805         sbsec = inode->i_sb->s_security;
806         if (!sbsec->initialized) {
807                 /* Defer initialization until selinux_complete_init,
808                    after the initial policy is loaded and the security
809                    server is ready to handle calls. */
810                 spin_lock(&sbsec->isec_lock);
811                 if (list_empty(&isec->list))
812                         list_add(&isec->list, &sbsec->isec_head);
813                 spin_unlock(&sbsec->isec_lock);
814                 goto out;
815         }
816
817         switch (sbsec->behavior) {
818         case SECURITY_FS_USE_XATTR:
819                 if (!inode->i_op->getxattr) {
820                         isec->sid = sbsec->def_sid;
821                         break;
822                 }
823
824                 /* Need a dentry, since the xattr API requires one.
825                    Life would be simpler if we could just pass the inode. */
826                 if (opt_dentry) {
827                         /* Called from d_instantiate or d_splice_alias. */
828                         dentry = dget(opt_dentry);
829                 } else {
830                         /* Called from selinux_complete_init, try to find a dentry. */
831                         dentry = d_find_alias(inode);
832                 }
833                 if (!dentry) {
834                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
835                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
836                                inode->i_ino);
837                         goto out;
838                 }
839
840                 len = INITCONTEXTLEN;
841                 context = kmalloc(len, GFP_KERNEL);
842                 if (!context) {
843                         rc = -ENOMEM;
844                         dput(dentry);
845                         goto out;
846                 }
847                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
848                                            context, len);
849                 if (rc == -ERANGE) {
850                         /* Need a larger buffer.  Query for the right size. */
851                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
852                                                    NULL, 0);
853                         if (rc < 0) {
854                                 dput(dentry);
855                                 goto out;
856                         }
857                         kfree(context);
858                         len = rc;
859                         context = kmalloc(len, GFP_KERNEL);
860                         if (!context) {
861                                 rc = -ENOMEM;
862                                 dput(dentry);
863                                 goto out;
864                         }
865                         rc = inode->i_op->getxattr(dentry,
866                                                    XATTR_NAME_SELINUX,
867                                                    context, len);
868                 }
869                 dput(dentry);
870                 if (rc < 0) {
871                         if (rc != -ENODATA) {
872                                 printk(KERN_WARNING "%s:  getxattr returned "
873                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
874                                        -rc, inode->i_sb->s_id, inode->i_ino);
875                                 kfree(context);
876                                 goto out;
877                         }
878                         /* Map ENODATA to the default file SID */
879                         sid = sbsec->def_sid;
880                         rc = 0;
881                 } else {
882                         rc = security_context_to_sid_default(context, rc, &sid,
883                                                              sbsec->def_sid);
884                         if (rc) {
885                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
886                                        "returned %d for dev=%s ino=%ld\n",
887                                        __FUNCTION__, context, -rc,
888                                        inode->i_sb->s_id, inode->i_ino);
889                                 kfree(context);
890                                 /* Leave with the unlabeled SID */
891                                 rc = 0;
892                                 break;
893                         }
894                 }
895                 kfree(context);
896                 isec->sid = sid;
897                 break;
898         case SECURITY_FS_USE_TASK:
899                 isec->sid = isec->task_sid;
900                 break;
901         case SECURITY_FS_USE_TRANS:
902                 /* Default to the fs SID. */
903                 isec->sid = sbsec->sid;
904
905                 /* Try to obtain a transition SID. */
906                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
907                 rc = security_transition_sid(isec->task_sid,
908                                              sbsec->sid,
909                                              isec->sclass,
910                                              &sid);
911                 if (rc)
912                         goto out;
913                 isec->sid = sid;
914                 break;
915         case SECURITY_FS_USE_MNTPOINT:
916                 isec->sid = sbsec->mntpoint_sid;
917                 break;
918         default:
919                 /* Default to the fs superblock SID. */
920                 isec->sid = sbsec->sid;
921
922                 if (sbsec->proc) {
923                         struct proc_inode *proci = PROC_I(inode);
924                         if (proci->pde) {
925                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
926                                 rc = selinux_proc_get_sid(proci->pde,
927                                                           isec->sclass,
928                                                           &sid);
929                                 if (rc)
930                                         goto out;
931                                 isec->sid = sid;
932                         }
933                 }
934                 break;
935         }
936
937         isec->initialized = 1;
938
939 out:
940         if (isec->sclass == SECCLASS_FILE)
941                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
942
943         if (hold_sem)
944                 up(&isec->sem);
945         return rc;
946 }
947
948 /* Convert a Linux signal to an access vector. */
949 static inline u32 signal_to_av(int sig)
950 {
951         u32 perm = 0;
952
953         switch (sig) {
954         case SIGCHLD:
955                 /* Commonly granted from child to parent. */
956                 perm = PROCESS__SIGCHLD;
957                 break;
958         case SIGKILL:
959                 /* Cannot be caught or ignored */
960                 perm = PROCESS__SIGKILL;
961                 break;
962         case SIGSTOP:
963                 /* Cannot be caught or ignored */
964                 perm = PROCESS__SIGSTOP;
965                 break;
966         default:
967                 /* All other signals. */
968                 perm = PROCESS__SIGNAL;
969                 break;
970         }
971
972         return perm;
973 }
974
975 /* Check permission betweeen a pair of tasks, e.g. signal checks,
976    fork check, ptrace check, etc. */
977 static int task_has_perm(struct task_struct *tsk1,
978                          struct task_struct *tsk2,
979                          u32 perms)
980 {
981         struct task_security_struct *tsec1, *tsec2;
982
983         tsec1 = tsk1->security;
984         tsec2 = tsk2->security;
985         return avc_has_perm(tsec1->sid, tsec2->sid,
986                             SECCLASS_PROCESS, perms, NULL);
987 }
988
989 /* Check whether a task is allowed to use a capability. */
990 static int task_has_capability(struct task_struct *tsk,
991                                int cap)
992 {
993         struct task_security_struct *tsec;
994         struct avc_audit_data ad;
995
996         tsec = tsk->security;
997
998         AVC_AUDIT_DATA_INIT(&ad,CAP);
999         ad.tsk = tsk;
1000         ad.u.cap = cap;
1001
1002         return avc_has_perm(tsec->sid, tsec->sid,
1003                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1004 }
1005
1006 /* Check whether a task is allowed to use a system operation. */
1007 static int task_has_system(struct task_struct *tsk,
1008                            u32 perms)
1009 {
1010         struct task_security_struct *tsec;
1011
1012         tsec = tsk->security;
1013
1014         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1015                             SECCLASS_SYSTEM, perms, NULL);
1016 }
1017
1018 /* Check whether a task has a particular permission to an inode.
1019    The 'adp' parameter is optional and allows other audit
1020    data to be passed (e.g. the dentry). */
1021 static int inode_has_perm(struct task_struct *tsk,
1022                           struct inode *inode,
1023                           u32 perms,
1024                           struct avc_audit_data *adp)
1025 {
1026         struct task_security_struct *tsec;
1027         struct inode_security_struct *isec;
1028         struct avc_audit_data ad;
1029
1030         tsec = tsk->security;
1031         isec = inode->i_security;
1032
1033         if (!adp) {
1034                 adp = &ad;
1035                 AVC_AUDIT_DATA_INIT(&ad, FS);
1036                 ad.u.fs.inode = inode;
1037         }
1038
1039         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1040 }
1041
1042 /* Same as inode_has_perm, but pass explicit audit data containing
1043    the dentry to help the auditing code to more easily generate the
1044    pathname if needed. */
1045 static inline int dentry_has_perm(struct task_struct *tsk,
1046                                   struct vfsmount *mnt,
1047                                   struct dentry *dentry,
1048                                   u32 av)
1049 {
1050         struct inode *inode = dentry->d_inode;
1051         struct avc_audit_data ad;
1052         AVC_AUDIT_DATA_INIT(&ad,FS);
1053         ad.u.fs.mnt = mnt;
1054         ad.u.fs.dentry = dentry;
1055         return inode_has_perm(tsk, inode, av, &ad);
1056 }
1057
1058 /* Check whether a task can use an open file descriptor to
1059    access an inode in a given way.  Check access to the
1060    descriptor itself, and then use dentry_has_perm to
1061    check a particular permission to the file.
1062    Access to the descriptor is implicitly granted if it
1063    has the same SID as the process.  If av is zero, then
1064    access to the file is not checked, e.g. for cases
1065    where only the descriptor is affected like seek. */
1066 static int file_has_perm(struct task_struct *tsk,
1067                                 struct file *file,
1068                                 u32 av)
1069 {
1070         struct task_security_struct *tsec = tsk->security;
1071         struct file_security_struct *fsec = file->f_security;
1072         struct vfsmount *mnt = file->f_vfsmnt;
1073         struct dentry *dentry = file->f_dentry;
1074         struct inode *inode = dentry->d_inode;
1075         struct avc_audit_data ad;
1076         int rc;
1077
1078         AVC_AUDIT_DATA_INIT(&ad, FS);
1079         ad.u.fs.mnt = mnt;
1080         ad.u.fs.dentry = dentry;
1081
1082         if (tsec->sid != fsec->sid) {
1083                 rc = avc_has_perm(tsec->sid, fsec->sid,
1084                                   SECCLASS_FD,
1085                                   FD__USE,
1086                                   &ad);
1087                 if (rc)
1088                         return rc;
1089         }
1090
1091         /* av is zero if only checking access to the descriptor. */
1092         if (av)
1093                 return inode_has_perm(tsk, inode, av, &ad);
1094
1095         return 0;
1096 }
1097
1098 /* Check whether a task can create a file. */
1099 static int may_create(struct inode *dir,
1100                       struct dentry *dentry,
1101                       u16 tclass)
1102 {
1103         struct task_security_struct *tsec;
1104         struct inode_security_struct *dsec;
1105         struct superblock_security_struct *sbsec;
1106         u32 newsid;
1107         struct avc_audit_data ad;
1108         int rc;
1109
1110         tsec = current->security;
1111         dsec = dir->i_security;
1112         sbsec = dir->i_sb->s_security;
1113
1114         AVC_AUDIT_DATA_INIT(&ad, FS);
1115         ad.u.fs.dentry = dentry;
1116
1117         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1118                           DIR__ADD_NAME | DIR__SEARCH,
1119                           &ad);
1120         if (rc)
1121                 return rc;
1122
1123         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1124                 newsid = tsec->create_sid;
1125         } else {
1126                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1127                                              &newsid);
1128                 if (rc)
1129                         return rc;
1130         }
1131
1132         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1133         if (rc)
1134                 return rc;
1135
1136         return avc_has_perm(newsid, sbsec->sid,
1137                             SECCLASS_FILESYSTEM,
1138                             FILESYSTEM__ASSOCIATE, &ad);
1139 }
1140
1141 /* Check whether a task can create a key. */
1142 static int may_create_key(u32 ksid,
1143                           struct task_struct *ctx)
1144 {
1145         struct task_security_struct *tsec;
1146
1147         tsec = ctx->security;
1148
1149         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1150 }
1151
1152 #define MAY_LINK   0
1153 #define MAY_UNLINK 1
1154 #define MAY_RMDIR  2
1155
1156 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1157 static int may_link(struct inode *dir,
1158                     struct dentry *dentry,
1159                     int kind)
1160
1161 {
1162         struct task_security_struct *tsec;
1163         struct inode_security_struct *dsec, *isec;
1164         struct avc_audit_data ad;
1165         u32 av;
1166         int rc;
1167
1168         tsec = current->security;
1169         dsec = dir->i_security;
1170         isec = dentry->d_inode->i_security;
1171
1172         AVC_AUDIT_DATA_INIT(&ad, FS);
1173         ad.u.fs.dentry = dentry;
1174
1175         av = DIR__SEARCH;
1176         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1177         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1178         if (rc)
1179                 return rc;
1180
1181         switch (kind) {
1182         case MAY_LINK:
1183                 av = FILE__LINK;
1184                 break;
1185         case MAY_UNLINK:
1186                 av = FILE__UNLINK;
1187                 break;
1188         case MAY_RMDIR:
1189                 av = DIR__RMDIR;
1190                 break;
1191         default:
1192                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1193                 return 0;
1194         }
1195
1196         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1197         return rc;
1198 }
1199
1200 static inline int may_rename(struct inode *old_dir,
1201                              struct dentry *old_dentry,
1202                              struct inode *new_dir,
1203                              struct dentry *new_dentry)
1204 {
1205         struct task_security_struct *tsec;
1206         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1207         struct avc_audit_data ad;
1208         u32 av;
1209         int old_is_dir, new_is_dir;
1210         int rc;
1211
1212         tsec = current->security;
1213         old_dsec = old_dir->i_security;
1214         old_isec = old_dentry->d_inode->i_security;
1215         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1216         new_dsec = new_dir->i_security;
1217
1218         AVC_AUDIT_DATA_INIT(&ad, FS);
1219
1220         ad.u.fs.dentry = old_dentry;
1221         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1222                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1223         if (rc)
1224                 return rc;
1225         rc = avc_has_perm(tsec->sid, old_isec->sid,
1226                           old_isec->sclass, FILE__RENAME, &ad);
1227         if (rc)
1228                 return rc;
1229         if (old_is_dir && new_dir != old_dir) {
1230                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1231                                   old_isec->sclass, DIR__REPARENT, &ad);
1232                 if (rc)
1233                         return rc;
1234         }
1235
1236         ad.u.fs.dentry = new_dentry;
1237         av = DIR__ADD_NAME | DIR__SEARCH;
1238         if (new_dentry->d_inode)
1239                 av |= DIR__REMOVE_NAME;
1240         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1241         if (rc)
1242                 return rc;
1243         if (new_dentry->d_inode) {
1244                 new_isec = new_dentry->d_inode->i_security;
1245                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1246                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1247                                   new_isec->sclass,
1248                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1249                 if (rc)
1250                         return rc;
1251         }
1252
1253         return 0;
1254 }
1255
1256 /* Check whether a task can perform a filesystem operation. */
1257 static int superblock_has_perm(struct task_struct *tsk,
1258                                struct super_block *sb,
1259                                u32 perms,
1260                                struct avc_audit_data *ad)
1261 {
1262         struct task_security_struct *tsec;
1263         struct superblock_security_struct *sbsec;
1264
1265         tsec = tsk->security;
1266         sbsec = sb->s_security;
1267         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1268                             perms, ad);
1269 }
1270
1271 /* Convert a Linux mode and permission mask to an access vector. */
1272 static inline u32 file_mask_to_av(int mode, int mask)
1273 {
1274         u32 av = 0;
1275
1276         if ((mode & S_IFMT) != S_IFDIR) {
1277                 if (mask & MAY_EXEC)
1278                         av |= FILE__EXECUTE;
1279                 if (mask & MAY_READ)
1280                         av |= FILE__READ;
1281
1282                 if (mask & MAY_APPEND)
1283                         av |= FILE__APPEND;
1284                 else if (mask & MAY_WRITE)
1285                         av |= FILE__WRITE;
1286
1287         } else {
1288                 if (mask & MAY_EXEC)
1289                         av |= DIR__SEARCH;
1290                 if (mask & MAY_WRITE)
1291                         av |= DIR__WRITE;
1292                 if (mask & MAY_READ)
1293                         av |= DIR__READ;
1294         }
1295
1296         return av;
1297 }
1298
1299 /* Convert a Linux file to an access vector. */
1300 static inline u32 file_to_av(struct file *file)
1301 {
1302         u32 av = 0;
1303
1304         if (file->f_mode & FMODE_READ)
1305                 av |= FILE__READ;
1306         if (file->f_mode & FMODE_WRITE) {
1307                 if (file->f_flags & O_APPEND)
1308                         av |= FILE__APPEND;
1309                 else
1310                         av |= FILE__WRITE;
1311         }
1312
1313         return av;
1314 }
1315
1316 /* Set an inode's SID to a specified value. */
1317 static int inode_security_set_sid(struct inode *inode, u32 sid)
1318 {
1319         struct inode_security_struct *isec = inode->i_security;
1320         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1321
1322         if (!sbsec->initialized) {
1323                 /* Defer initialization to selinux_complete_init. */
1324                 return 0;
1325         }
1326
1327         down(&isec->sem);
1328         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1329         isec->sid = sid;
1330         isec->initialized = 1;
1331         up(&isec->sem);
1332         return 0;
1333 }
1334
1335 /* Hook functions begin here. */
1336
1337 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1338 {
1339         struct task_security_struct *psec = parent->security;
1340         struct task_security_struct *csec = child->security;
1341         int rc;
1342
1343         rc = secondary_ops->ptrace(parent,child);
1344         if (rc)
1345                 return rc;
1346
1347         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1348         /* Save the SID of the tracing process for later use in apply_creds. */
1349         if (!(child->ptrace & PT_PTRACED) && !rc)
1350                 csec->ptrace_sid = psec->sid;
1351         return rc;
1352 }
1353
1354 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1355                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1356 {
1357         int error;
1358
1359         error = task_has_perm(current, target, PROCESS__GETCAP);
1360         if (error)
1361                 return error;
1362
1363         return secondary_ops->capget(target, effective, inheritable, permitted);
1364 }
1365
1366 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1367                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1368 {
1369         int error;
1370
1371         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1372         if (error)
1373                 return error;
1374
1375         return task_has_perm(current, target, PROCESS__SETCAP);
1376 }
1377
1378 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1379                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1380 {
1381         secondary_ops->capset_set(target, effective, inheritable, permitted);
1382 }
1383
1384 static int selinux_capable(struct task_struct *tsk, int cap)
1385 {
1386         int rc;
1387
1388         rc = secondary_ops->capable(tsk, cap);
1389         if (rc)
1390                 return rc;
1391
1392         return task_has_capability(tsk,cap);
1393 }
1394
1395 static int selinux_sysctl(ctl_table *table, int op)
1396 {
1397         int error = 0;
1398         u32 av;
1399         struct task_security_struct *tsec;
1400         u32 tsid;
1401         int rc;
1402
1403         rc = secondary_ops->sysctl(table, op);
1404         if (rc)
1405                 return rc;
1406
1407         tsec = current->security;
1408
1409         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1410                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1411         if (rc) {
1412                 /* Default to the well-defined sysctl SID. */
1413                 tsid = SECINITSID_SYSCTL;
1414         }
1415
1416         /* The op values are "defined" in sysctl.c, thereby creating
1417          * a bad coupling between this module and sysctl.c */
1418         if(op == 001) {
1419                 error = avc_has_perm(tsec->sid, tsid,
1420                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1421         } else {
1422                 av = 0;
1423                 if (op & 004)
1424                         av |= FILE__READ;
1425                 if (op & 002)
1426                         av |= FILE__WRITE;
1427                 if (av)
1428                         error = avc_has_perm(tsec->sid, tsid,
1429                                              SECCLASS_FILE, av, NULL);
1430         }
1431
1432         return error;
1433 }
1434
1435 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1436 {
1437         int rc = 0;
1438
1439         if (!sb)
1440                 return 0;
1441
1442         switch (cmds) {
1443                 case Q_SYNC:
1444                 case Q_QUOTAON:
1445                 case Q_QUOTAOFF:
1446                 case Q_SETINFO:
1447                 case Q_SETQUOTA:
1448                         rc = superblock_has_perm(current,
1449                                                  sb,
1450                                                  FILESYSTEM__QUOTAMOD, NULL);
1451                         break;
1452                 case Q_GETFMT:
1453                 case Q_GETINFO:
1454                 case Q_GETQUOTA:
1455                         rc = superblock_has_perm(current,
1456                                                  sb,
1457                                                  FILESYSTEM__QUOTAGET, NULL);
1458                         break;
1459                 default:
1460                         rc = 0;  /* let the kernel handle invalid cmds */
1461                         break;
1462         }
1463         return rc;
1464 }
1465
1466 static int selinux_quota_on(struct dentry *dentry)
1467 {
1468         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1469 }
1470
1471 static int selinux_syslog(int type)
1472 {
1473         int rc;
1474
1475         rc = secondary_ops->syslog(type);
1476         if (rc)
1477                 return rc;
1478
1479         switch (type) {
1480                 case 3:         /* Read last kernel messages */
1481                 case 10:        /* Return size of the log buffer */
1482                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1483                         break;
1484                 case 6:         /* Disable logging to console */
1485                 case 7:         /* Enable logging to console */
1486                 case 8:         /* Set level of messages printed to console */
1487                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1488                         break;
1489                 case 0:         /* Close log */
1490                 case 1:         /* Open log */
1491                 case 2:         /* Read from log */
1492                 case 4:         /* Read/clear last kernel messages */
1493                 case 5:         /* Clear ring buffer */
1494                 default:
1495                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1496                         break;
1497         }
1498         return rc;
1499 }
1500
1501 /*
1502  * Check that a process has enough memory to allocate a new virtual
1503  * mapping. 0 means there is enough memory for the allocation to
1504  * succeed and -ENOMEM implies there is not.
1505  *
1506  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1507  * if the capability is granted, but __vm_enough_memory requires 1 if
1508  * the capability is granted.
1509  *
1510  * Do not audit the selinux permission check, as this is applied to all
1511  * processes that allocate mappings.
1512  */
1513 static int selinux_vm_enough_memory(long pages)
1514 {
1515         int rc, cap_sys_admin = 0;
1516         struct task_security_struct *tsec = current->security;
1517
1518         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1519         if (rc == 0)
1520                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1521                                         SECCLASS_CAPABILITY,
1522                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1523                                         NULL);
1524
1525         if (rc == 0)
1526                 cap_sys_admin = 1;
1527
1528         return __vm_enough_memory(pages, cap_sys_admin);
1529 }
1530
1531 /* binprm security operations */
1532
1533 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1534 {
1535         struct bprm_security_struct *bsec;
1536
1537         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1538         if (!bsec)
1539                 return -ENOMEM;
1540
1541         bsec->bprm = bprm;
1542         bsec->sid = SECINITSID_UNLABELED;
1543         bsec->set = 0;
1544
1545         bprm->security = bsec;
1546         return 0;
1547 }
1548
1549 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1550 {
1551         struct task_security_struct *tsec;
1552         struct inode *inode = bprm->file->f_dentry->d_inode;
1553         struct inode_security_struct *isec;
1554         struct bprm_security_struct *bsec;
1555         u32 newsid;
1556         struct avc_audit_data ad;
1557         int rc;
1558
1559         rc = secondary_ops->bprm_set_security(bprm);
1560         if (rc)
1561                 return rc;
1562
1563         bsec = bprm->security;
1564
1565         if (bsec->set)
1566                 return 0;
1567
1568         tsec = current->security;
1569         isec = inode->i_security;
1570
1571         /* Default to the current task SID. */
1572         bsec->sid = tsec->sid;
1573
1574         /* Reset fs, key, and sock SIDs on execve. */
1575         tsec->create_sid = 0;
1576         tsec->keycreate_sid = 0;
1577         tsec->sockcreate_sid = 0;
1578
1579         if (tsec->exec_sid) {
1580                 newsid = tsec->exec_sid;
1581                 /* Reset exec SID on execve. */
1582                 tsec->exec_sid = 0;
1583         } else {
1584                 /* Check for a default transition on this program. */
1585                 rc = security_transition_sid(tsec->sid, isec->sid,
1586                                              SECCLASS_PROCESS, &newsid);
1587                 if (rc)
1588                         return rc;
1589         }
1590
1591         AVC_AUDIT_DATA_INIT(&ad, FS);
1592         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1593         ad.u.fs.dentry = bprm->file->f_dentry;
1594
1595         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1596                 newsid = tsec->sid;
1597
1598         if (tsec->sid == newsid) {
1599                 rc = avc_has_perm(tsec->sid, isec->sid,
1600                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1601                 if (rc)
1602                         return rc;
1603         } else {
1604                 /* Check permissions for the transition. */
1605                 rc = avc_has_perm(tsec->sid, newsid,
1606                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1607                 if (rc)
1608                         return rc;
1609
1610                 rc = avc_has_perm(newsid, isec->sid,
1611                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1612                 if (rc)
1613                         return rc;
1614
1615                 /* Clear any possibly unsafe personality bits on exec: */
1616                 current->personality &= ~PER_CLEAR_ON_SETID;
1617
1618                 /* Set the security field to the new SID. */
1619                 bsec->sid = newsid;
1620         }
1621
1622         bsec->set = 1;
1623         return 0;
1624 }
1625
1626 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1627 {
1628         return secondary_ops->bprm_check_security(bprm);
1629 }
1630
1631
1632 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1633 {
1634         struct task_security_struct *tsec = current->security;
1635         int atsecure = 0;
1636
1637         if (tsec->osid != tsec->sid) {
1638                 /* Enable secure mode for SIDs transitions unless
1639                    the noatsecure permission is granted between
1640                    the two SIDs, i.e. ahp returns 0. */
1641                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1642                                          SECCLASS_PROCESS,
1643                                          PROCESS__NOATSECURE, NULL);
1644         }
1645
1646         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1647 }
1648
1649 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1650 {
1651         kfree(bprm->security);
1652         bprm->security = NULL;
1653 }
1654
1655 extern struct vfsmount *selinuxfs_mount;
1656 extern struct dentry *selinux_null;
1657
1658 /* Derived from fs/exec.c:flush_old_files. */
1659 static inline void flush_unauthorized_files(struct files_struct * files)
1660 {
1661         struct avc_audit_data ad;
1662         struct file *file, *devnull = NULL;
1663         struct tty_struct *tty = current->signal->tty;
1664         struct fdtable *fdt;
1665         long j = -1;
1666
1667         if (tty) {
1668                 file_list_lock();
1669                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1670                 if (file) {
1671                         /* Revalidate access to controlling tty.
1672                            Use inode_has_perm on the tty inode directly rather
1673                            than using file_has_perm, as this particular open
1674                            file may belong to another process and we are only
1675                            interested in the inode-based check here. */
1676                         struct inode *inode = file->f_dentry->d_inode;
1677                         if (inode_has_perm(current, inode,
1678                                            FILE__READ | FILE__WRITE, NULL)) {
1679                                 /* Reset controlling tty. */
1680                                 current->signal->tty = NULL;
1681                                 current->signal->tty_old_pgrp = 0;
1682                         }
1683                 }
1684                 file_list_unlock();
1685         }
1686
1687         /* Revalidate access to inherited open files. */
1688
1689         AVC_AUDIT_DATA_INIT(&ad,FS);
1690
1691         spin_lock(&files->file_lock);
1692         for (;;) {
1693                 unsigned long set, i;
1694                 int fd;
1695
1696                 j++;
1697                 i = j * __NFDBITS;
1698                 fdt = files_fdtable(files);
1699                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1700                         break;
1701                 set = fdt->open_fds->fds_bits[j];
1702                 if (!set)
1703                         continue;
1704                 spin_unlock(&files->file_lock);
1705                 for ( ; set ; i++,set >>= 1) {
1706                         if (set & 1) {
1707                                 file = fget(i);
1708                                 if (!file)
1709                                         continue;
1710                                 if (file_has_perm(current,
1711                                                   file,
1712                                                   file_to_av(file))) {
1713                                         sys_close(i);
1714                                         fd = get_unused_fd();
1715                                         if (fd != i) {
1716                                                 if (fd >= 0)
1717                                                         put_unused_fd(fd);
1718                                                 fput(file);
1719                                                 continue;
1720                                         }
1721                                         if (devnull) {
1722                                                 get_file(devnull);
1723                                         } else {
1724                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1725                                                 if (!devnull) {
1726                                                         put_unused_fd(fd);
1727                                                         fput(file);
1728                                                         continue;
1729                                                 }
1730                                         }
1731                                         fd_install(fd, devnull);
1732                                 }
1733                                 fput(file);
1734                         }
1735                 }
1736                 spin_lock(&files->file_lock);
1737
1738         }
1739         spin_unlock(&files->file_lock);
1740 }
1741
1742 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1743 {
1744         struct task_security_struct *tsec;
1745         struct bprm_security_struct *bsec;
1746         u32 sid;
1747         int rc;
1748
1749         secondary_ops->bprm_apply_creds(bprm, unsafe);
1750
1751         tsec = current->security;
1752
1753         bsec = bprm->security;
1754         sid = bsec->sid;
1755
1756         tsec->osid = tsec->sid;
1757         bsec->unsafe = 0;
1758         if (tsec->sid != sid) {
1759                 /* Check for shared state.  If not ok, leave SID
1760                    unchanged and kill. */
1761                 if (unsafe & LSM_UNSAFE_SHARE) {
1762                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1763                                         PROCESS__SHARE, NULL);
1764                         if (rc) {
1765                                 bsec->unsafe = 1;
1766                                 return;
1767                         }
1768                 }
1769
1770                 /* Check for ptracing, and update the task SID if ok.
1771                    Otherwise, leave SID unchanged and kill. */
1772                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1773                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1774                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1775                                           NULL);
1776                         if (rc) {
1777                                 bsec->unsafe = 1;
1778                                 return;
1779                         }
1780                 }
1781                 tsec->sid = sid;
1782         }
1783 }
1784
1785 /*
1786  * called after apply_creds without the task lock held
1787  */
1788 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1789 {
1790         struct task_security_struct *tsec;
1791         struct rlimit *rlim, *initrlim;
1792         struct itimerval itimer;
1793         struct bprm_security_struct *bsec;
1794         int rc, i;
1795
1796         tsec = current->security;
1797         bsec = bprm->security;
1798
1799         if (bsec->unsafe) {
1800                 force_sig_specific(SIGKILL, current);
1801                 return;
1802         }
1803         if (tsec->osid == tsec->sid)
1804                 return;
1805
1806         /* Close files for which the new task SID is not authorized. */
1807         flush_unauthorized_files(current->files);
1808
1809         /* Check whether the new SID can inherit signal state
1810            from the old SID.  If not, clear itimers to avoid
1811            subsequent signal generation and flush and unblock
1812            signals. This must occur _after_ the task SID has
1813           been updated so that any kill done after the flush
1814           will be checked against the new SID. */
1815         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1816                           PROCESS__SIGINH, NULL);
1817         if (rc) {
1818                 memset(&itimer, 0, sizeof itimer);
1819                 for (i = 0; i < 3; i++)
1820                         do_setitimer(i, &itimer, NULL);
1821                 flush_signals(current);
1822                 spin_lock_irq(&current->sighand->siglock);
1823                 flush_signal_handlers(current, 1);
1824                 sigemptyset(&current->blocked);
1825                 recalc_sigpending();
1826                 spin_unlock_irq(&current->sighand->siglock);
1827         }
1828
1829         /* Check whether the new SID can inherit resource limits
1830            from the old SID.  If not, reset all soft limits to
1831            the lower of the current task's hard limit and the init
1832            task's soft limit.  Note that the setting of hard limits
1833            (even to lower them) can be controlled by the setrlimit
1834            check. The inclusion of the init task's soft limit into
1835            the computation is to avoid resetting soft limits higher
1836            than the default soft limit for cases where the default
1837            is lower than the hard limit, e.g. RLIMIT_CORE or
1838            RLIMIT_STACK.*/
1839         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1840                           PROCESS__RLIMITINH, NULL);
1841         if (rc) {
1842                 for (i = 0; i < RLIM_NLIMITS; i++) {
1843                         rlim = current->signal->rlim + i;
1844                         initrlim = init_task.signal->rlim+i;
1845                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1846                 }
1847                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1848                         /*
1849                          * This will cause RLIMIT_CPU calculations
1850                          * to be refigured.
1851                          */
1852                         current->it_prof_expires = jiffies_to_cputime(1);
1853                 }
1854         }
1855
1856         /* Wake up the parent if it is waiting so that it can
1857            recheck wait permission to the new task SID. */
1858         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1859 }
1860
1861 /* superblock security operations */
1862
1863 static int selinux_sb_alloc_security(struct super_block *sb)
1864 {
1865         return superblock_alloc_security(sb);
1866 }
1867
1868 static void selinux_sb_free_security(struct super_block *sb)
1869 {
1870         superblock_free_security(sb);
1871 }
1872
1873 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1874 {
1875         if (plen > olen)
1876                 return 0;
1877
1878         return !memcmp(prefix, option, plen);
1879 }
1880
1881 static inline int selinux_option(char *option, int len)
1882 {
1883         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1884                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1885                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1886 }
1887
1888 static inline void take_option(char **to, char *from, int *first, int len)
1889 {
1890         if (!*first) {
1891                 **to = ',';
1892                 *to += 1;
1893         }
1894         else
1895                 *first = 0;
1896         memcpy(*to, from, len);
1897         *to += len;
1898 }
1899
1900 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1901 {
1902         int fnosec, fsec, rc = 0;
1903         char *in_save, *in_curr, *in_end;
1904         char *sec_curr, *nosec_save, *nosec;
1905
1906         in_curr = orig;
1907         sec_curr = copy;
1908
1909         /* Binary mount data: just copy */
1910         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1911                 copy_page(sec_curr, in_curr);
1912                 goto out;
1913         }
1914
1915         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1916         if (!nosec) {
1917                 rc = -ENOMEM;
1918                 goto out;
1919         }
1920
1921         nosec_save = nosec;
1922         fnosec = fsec = 1;
1923         in_save = in_end = orig;
1924
1925         do {
1926                 if (*in_end == ',' || *in_end == '\0') {
1927                         int len = in_end - in_curr;
1928
1929                         if (selinux_option(in_curr, len))
1930                                 take_option(&sec_curr, in_curr, &fsec, len);
1931                         else
1932                                 take_option(&nosec, in_curr, &fnosec, len);
1933
1934                         in_curr = in_end + 1;
1935                 }
1936         } while (*in_end++);
1937
1938         strcpy(in_save, nosec_save);
1939         free_page((unsigned long)nosec_save);
1940 out:
1941         return rc;
1942 }
1943
1944 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1945 {
1946         struct avc_audit_data ad;
1947         int rc;
1948
1949         rc = superblock_doinit(sb, data);
1950         if (rc)
1951                 return rc;
1952
1953         AVC_AUDIT_DATA_INIT(&ad,FS);
1954         ad.u.fs.dentry = sb->s_root;
1955         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1956 }
1957
1958 static int selinux_sb_statfs(struct dentry *dentry)
1959 {
1960         struct avc_audit_data ad;
1961
1962         AVC_AUDIT_DATA_INIT(&ad,FS);
1963         ad.u.fs.dentry = dentry->d_sb->s_root;
1964         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1965 }
1966
1967 static int selinux_mount(char * dev_name,
1968                          struct nameidata *nd,
1969                          char * type,
1970                          unsigned long flags,
1971                          void * data)
1972 {
1973         int rc;
1974
1975         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1976         if (rc)
1977                 return rc;
1978
1979         if (flags & MS_REMOUNT)
1980                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1981                                            FILESYSTEM__REMOUNT, NULL);
1982         else
1983                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1984                                        FILE__MOUNTON);
1985 }
1986
1987 static int selinux_umount(struct vfsmount *mnt, int flags)
1988 {
1989         int rc;
1990
1991         rc = secondary_ops->sb_umount(mnt, flags);
1992         if (rc)
1993                 return rc;
1994
1995         return superblock_has_perm(current,mnt->mnt_sb,
1996                                    FILESYSTEM__UNMOUNT,NULL);
1997 }
1998
1999 /* inode security operations */
2000
2001 static int selinux_inode_alloc_security(struct inode *inode)
2002 {
2003         return inode_alloc_security(inode);
2004 }
2005
2006 static void selinux_inode_free_security(struct inode *inode)
2007 {
2008         inode_free_security(inode);
2009 }
2010
2011 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2012                                        char **name, void **value,
2013                                        size_t *len)
2014 {
2015         struct task_security_struct *tsec;
2016         struct inode_security_struct *dsec;
2017         struct superblock_security_struct *sbsec;
2018         u32 newsid, clen;
2019         int rc;
2020         char *namep = NULL, *context;
2021
2022         tsec = current->security;
2023         dsec = dir->i_security;
2024         sbsec = dir->i_sb->s_security;
2025
2026         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2027                 newsid = tsec->create_sid;
2028         } else {
2029                 rc = security_transition_sid(tsec->sid, dsec->sid,
2030                                              inode_mode_to_security_class(inode->i_mode),
2031                                              &newsid);
2032                 if (rc) {
2033                         printk(KERN_WARNING "%s:  "
2034                                "security_transition_sid failed, rc=%d (dev=%s "
2035                                "ino=%ld)\n",
2036                                __FUNCTION__,
2037                                -rc, inode->i_sb->s_id, inode->i_ino);
2038                         return rc;
2039                 }
2040         }
2041
2042         inode_security_set_sid(inode, newsid);
2043
2044         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2045                 return -EOPNOTSUPP;
2046
2047         if (name) {
2048                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2049                 if (!namep)
2050                         return -ENOMEM;
2051                 *name = namep;
2052         }
2053
2054         if (value && len) {
2055                 rc = security_sid_to_context(newsid, &context, &clen);
2056                 if (rc) {
2057                         kfree(namep);
2058                         return rc;
2059                 }
2060                 *value = context;
2061                 *len = clen;
2062         }
2063
2064         return 0;
2065 }
2066
2067 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2068 {
2069         return may_create(dir, dentry, SECCLASS_FILE);
2070 }
2071
2072 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2073 {
2074         int rc;
2075
2076         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2077         if (rc)
2078                 return rc;
2079         return may_link(dir, old_dentry, MAY_LINK);
2080 }
2081
2082 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2083 {
2084         int rc;
2085
2086         rc = secondary_ops->inode_unlink(dir, dentry);
2087         if (rc)
2088                 return rc;
2089         return may_link(dir, dentry, MAY_UNLINK);
2090 }
2091
2092 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2093 {
2094         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2095 }
2096
2097 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2098 {
2099         return may_create(dir, dentry, SECCLASS_DIR);
2100 }
2101
2102 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2103 {
2104         return may_link(dir, dentry, MAY_RMDIR);
2105 }
2106
2107 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2108 {
2109         int rc;
2110
2111         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2112         if (rc)
2113                 return rc;
2114
2115         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2116 }
2117
2118 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2119                                 struct inode *new_inode, struct dentry *new_dentry)
2120 {
2121         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2122 }
2123
2124 static int selinux_inode_readlink(struct dentry *dentry)
2125 {
2126         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2127 }
2128
2129 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2130 {
2131         int rc;
2132
2133         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2134         if (rc)
2135                 return rc;
2136         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2137 }
2138
2139 static int selinux_inode_permission(struct inode *inode, int mask,
2140                                     struct nameidata *nd)
2141 {
2142         int rc;
2143
2144         rc = secondary_ops->inode_permission(inode, mask, nd);
2145         if (rc)
2146                 return rc;
2147
2148         if (!mask) {
2149                 /* No permission to check.  Existence test. */
2150                 return 0;
2151         }
2152
2153         return inode_has_perm(current, inode,
2154                                file_mask_to_av(inode->i_mode, mask), NULL);
2155 }
2156
2157 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2158 {
2159         int rc;
2160
2161         rc = secondary_ops->inode_setattr(dentry, iattr);
2162         if (rc)
2163                 return rc;
2164
2165         if (iattr->ia_valid & ATTR_FORCE)
2166                 return 0;
2167
2168         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2169                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2170                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2171
2172         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2173 }
2174
2175 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2176 {
2177         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2178 }
2179
2180 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2181 {
2182         struct task_security_struct *tsec = current->security;
2183         struct inode *inode = dentry->d_inode;
2184         struct inode_security_struct *isec = inode->i_security;
2185         struct superblock_security_struct *sbsec;
2186         struct avc_audit_data ad;
2187         u32 newsid;
2188         int rc = 0;
2189
2190         if (strcmp(name, XATTR_NAME_SELINUX)) {
2191                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2192                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2193                     !capable(CAP_SYS_ADMIN)) {
2194                         /* A different attribute in the security namespace.
2195                            Restrict to administrator. */
2196                         return -EPERM;
2197                 }
2198
2199                 /* Not an attribute we recognize, so just check the
2200                    ordinary setattr permission. */
2201                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2202         }
2203
2204         sbsec = inode->i_sb->s_security;
2205         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2206                 return -EOPNOTSUPP;
2207
2208         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2209                 return -EPERM;
2210
2211         AVC_AUDIT_DATA_INIT(&ad,FS);
2212         ad.u.fs.dentry = dentry;
2213
2214         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2215                           FILE__RELABELFROM, &ad);
2216         if (rc)
2217                 return rc;
2218
2219         rc = security_context_to_sid(value, size, &newsid);
2220         if (rc)
2221                 return rc;
2222
2223         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2224                           FILE__RELABELTO, &ad);
2225         if (rc)
2226                 return rc;
2227
2228         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2229                                           isec->sclass);
2230         if (rc)
2231                 return rc;
2232
2233         return avc_has_perm(newsid,
2234                             sbsec->sid,
2235                             SECCLASS_FILESYSTEM,
2236                             FILESYSTEM__ASSOCIATE,
2237                             &ad);
2238 }
2239
2240 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2241                                         void *value, size_t size, int flags)
2242 {
2243         struct inode *inode = dentry->d_inode;
2244         struct inode_security_struct *isec = inode->i_security;
2245         u32 newsid;
2246         int rc;
2247
2248         if (strcmp(name, XATTR_NAME_SELINUX)) {
2249                 /* Not an attribute we recognize, so nothing to do. */
2250                 return;
2251         }
2252
2253         rc = security_context_to_sid(value, size, &newsid);
2254         if (rc) {
2255                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2256                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2257                 return;
2258         }
2259
2260         isec->sid = newsid;
2261         return;
2262 }
2263
2264 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2265 {
2266         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2267 }
2268
2269 static int selinux_inode_listxattr (struct dentry *dentry)
2270 {
2271         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2272 }
2273
2274 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2275 {
2276         if (strcmp(name, XATTR_NAME_SELINUX)) {
2277                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2278                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2279                     !capable(CAP_SYS_ADMIN)) {
2280                         /* A different attribute in the security namespace.
2281                            Restrict to administrator. */
2282                         return -EPERM;
2283                 }
2284
2285                 /* Not an attribute we recognize, so just check the
2286                    ordinary setattr permission. Might want a separate
2287                    permission for removexattr. */
2288                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2289         }
2290
2291         /* No one is allowed to remove a SELinux security label.
2292            You can change the label, but all data must be labeled. */
2293         return -EACCES;
2294 }
2295
2296 static const char *selinux_inode_xattr_getsuffix(void)
2297 {
2298       return XATTR_SELINUX_SUFFIX;
2299 }
2300
2301 /*
2302  * Copy the in-core inode security context value to the user.  If the
2303  * getxattr() prior to this succeeded, check to see if we need to
2304  * canonicalize the value to be finally returned to the user.
2305  *
2306  * Permission check is handled by selinux_inode_getxattr hook.
2307  */
2308 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2309 {
2310         struct inode_security_struct *isec = inode->i_security;
2311
2312         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2313                 return -EOPNOTSUPP;
2314
2315         return selinux_getsecurity(isec->sid, buffer, size);
2316 }
2317
2318 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2319                                      const void *value, size_t size, int flags)
2320 {
2321         struct inode_security_struct *isec = inode->i_security;
2322         u32 newsid;
2323         int rc;
2324
2325         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2326                 return -EOPNOTSUPP;
2327
2328         if (!value || !size)
2329                 return -EACCES;
2330
2331         rc = security_context_to_sid((void*)value, size, &newsid);
2332         if (rc)
2333                 return rc;
2334
2335         isec->sid = newsid;
2336         return 0;
2337 }
2338
2339 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2340 {
2341         const int len = sizeof(XATTR_NAME_SELINUX);
2342         if (buffer && len <= buffer_size)
2343                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2344         return len;
2345 }
2346
2347 /* file security operations */
2348
2349 static int selinux_file_permission(struct file *file, int mask)
2350 {
2351         struct inode *inode = file->f_dentry->d_inode;
2352
2353         if (!mask) {
2354                 /* No permission to check.  Existence test. */
2355                 return 0;
2356         }
2357
2358         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2359         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2360                 mask |= MAY_APPEND;
2361
2362         return file_has_perm(current, file,
2363                              file_mask_to_av(inode->i_mode, mask));
2364 }
2365
2366 static int selinux_file_alloc_security(struct file *file)
2367 {
2368         return file_alloc_security(file);
2369 }
2370
2371 static void selinux_file_free_security(struct file *file)
2372 {
2373         file_free_security(file);
2374 }
2375
2376 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2377                               unsigned long arg)
2378 {
2379         int error = 0;
2380
2381         switch (cmd) {
2382                 case FIONREAD:
2383                 /* fall through */
2384                 case FIBMAP:
2385                 /* fall through */
2386                 case FIGETBSZ:
2387                 /* fall through */
2388                 case EXT2_IOC_GETFLAGS:
2389                 /* fall through */
2390                 case EXT2_IOC_GETVERSION:
2391                         error = file_has_perm(current, file, FILE__GETATTR);
2392                         break;
2393
2394                 case EXT2_IOC_SETFLAGS:
2395                 /* fall through */
2396                 case EXT2_IOC_SETVERSION:
2397                         error = file_has_perm(current, file, FILE__SETATTR);
2398                         break;
2399
2400                 /* sys_ioctl() checks */
2401                 case FIONBIO:
2402                 /* fall through */
2403                 case FIOASYNC:
2404                         error = file_has_perm(current, file, 0);
2405                         break;
2406
2407                 case KDSKBENT:
2408                 case KDSKBSENT:
2409                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2410                         break;
2411
2412                 /* default case assumes that the command will go
2413                  * to the file's ioctl() function.
2414                  */
2415                 default:
2416                         error = file_has_perm(current, file, FILE__IOCTL);
2417
2418         }
2419         return error;
2420 }
2421
2422 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2423 {
2424 #ifndef CONFIG_PPC32
2425         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2426                 /*
2427                  * We are making executable an anonymous mapping or a
2428                  * private file mapping that will also be writable.
2429                  * This has an additional check.
2430                  */
2431                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2432                 if (rc)
2433                         return rc;
2434         }
2435 #endif
2436
2437         if (file) {
2438                 /* read access is always possible with a mapping */
2439                 u32 av = FILE__READ;
2440
2441                 /* write access only matters if the mapping is shared */
2442                 if (shared && (prot & PROT_WRITE))
2443                         av |= FILE__WRITE;
2444
2445                 if (prot & PROT_EXEC)
2446                         av |= FILE__EXECUTE;
2447
2448                 return file_has_perm(current, file, av);
2449         }
2450         return 0;
2451 }
2452
2453 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2454                              unsigned long prot, unsigned long flags)
2455 {
2456         int rc;
2457
2458         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2459         if (rc)
2460                 return rc;
2461
2462         if (selinux_checkreqprot)
2463                 prot = reqprot;
2464
2465         return file_map_prot_check(file, prot,
2466                                    (flags & MAP_TYPE) == MAP_SHARED);
2467 }
2468
2469 static int selinux_file_mprotect(struct vm_area_struct *vma,
2470                                  unsigned long reqprot,
2471                                  unsigned long prot)
2472 {
2473         int rc;
2474
2475         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2476         if (rc)
2477                 return rc;
2478
2479         if (selinux_checkreqprot)
2480                 prot = reqprot;
2481
2482 #ifndef CONFIG_PPC32
2483         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2484                 rc = 0;
2485                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2486                     vma->vm_end <= vma->vm_mm->brk) {
2487                         rc = task_has_perm(current, current,
2488                                            PROCESS__EXECHEAP);
2489                 } else if (!vma->vm_file &&
2490                            vma->vm_start <= vma->vm_mm->start_stack &&
2491                            vma->vm_end >= vma->vm_mm->start_stack) {
2492                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2493                 } else if (vma->vm_file && vma->anon_vma) {
2494                         /*
2495                          * We are making executable a file mapping that has
2496                          * had some COW done. Since pages might have been
2497                          * written, check ability to execute the possibly
2498                          * modified content.  This typically should only
2499                          * occur for text relocations.
2500                          */
2501                         rc = file_has_perm(current, vma->vm_file,
2502                                            FILE__EXECMOD);
2503                 }
2504                 if (rc)
2505                         return rc;
2506         }
2507 #endif
2508
2509         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2510 }
2511
2512 static int selinux_file_lock(struct file *file, unsigned int cmd)
2513 {
2514         return file_has_perm(current, file, FILE__LOCK);
2515 }
2516
2517 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2518                               unsigned long arg)
2519 {
2520         int err = 0;
2521
2522         switch (cmd) {
2523                 case F_SETFL:
2524                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2525                                 err = -EINVAL;
2526                                 break;
2527                         }
2528
2529                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2530                                 err = file_has_perm(current, file,FILE__WRITE);
2531                                 break;
2532                         }
2533                         /* fall through */
2534                 case F_SETOWN:
2535                 case F_SETSIG:
2536                 case F_GETFL:
2537                 case F_GETOWN:
2538                 case F_GETSIG:
2539                         /* Just check FD__USE permission */
2540                         err = file_has_perm(current, file, 0);
2541                         break;
2542                 case F_GETLK:
2543                 case F_SETLK:
2544                 case F_SETLKW:
2545 #if BITS_PER_LONG == 32
2546                 case F_GETLK64:
2547                 case F_SETLK64:
2548                 case F_SETLKW64:
2549 #endif
2550                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2551                                 err = -EINVAL;
2552                                 break;
2553                         }
2554                         err = file_has_perm(current, file, FILE__LOCK);
2555                         break;
2556         }
2557
2558         return err;
2559 }
2560
2561 static int selinux_file_set_fowner(struct file *file)
2562 {
2563         struct task_security_struct *tsec;
2564         struct file_security_struct *fsec;
2565
2566         tsec = current->security;
2567         fsec = file->f_security;
2568         fsec->fown_sid = tsec->sid;
2569
2570         return 0;
2571 }
2572
2573 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2574                                        struct fown_struct *fown, int signum)
2575 {
2576         struct file *file;
2577         u32 perm;
2578         struct task_security_struct *tsec;
2579         struct file_security_struct *fsec;
2580
2581         /* struct fown_struct is never outside the context of a struct file */
2582         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2583
2584         tsec = tsk->security;
2585         fsec = file->f_security;
2586
2587         if (!signum)
2588                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2589         else
2590                 perm = signal_to_av(signum);
2591
2592         return avc_has_perm(fsec->fown_sid, tsec->sid,
2593                             SECCLASS_PROCESS, perm, NULL);
2594 }
2595
2596 static int selinux_file_receive(struct file *file)
2597 {
2598         return file_has_perm(current, file, file_to_av(file));
2599 }
2600
2601 /* task security operations */
2602
2603 static int selinux_task_create(unsigned long clone_flags)
2604 {
2605         int rc;
2606
2607         rc = secondary_ops->task_create(clone_flags);
2608         if (rc)
2609                 return rc;
2610
2611         return task_has_perm(current, current, PROCESS__FORK);
2612 }
2613
2614 static int selinux_task_alloc_security(struct task_struct *tsk)
2615 {
2616         struct task_security_struct *tsec1, *tsec2;
2617         int rc;
2618
2619         tsec1 = current->security;
2620
2621         rc = task_alloc_security(tsk);
2622         if (rc)
2623                 return rc;
2624         tsec2 = tsk->security;
2625
2626         tsec2->osid = tsec1->osid;
2627         tsec2->sid = tsec1->sid;
2628
2629         /* Retain the exec, fs, key, and sock SIDs across fork */
2630         tsec2->exec_sid = tsec1->exec_sid;
2631         tsec2->create_sid = tsec1->create_sid;
2632         tsec2->keycreate_sid = tsec1->keycreate_sid;
2633         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2634
2635         /* Retain ptracer SID across fork, if any.
2636            This will be reset by the ptrace hook upon any
2637            subsequent ptrace_attach operations. */
2638         tsec2->ptrace_sid = tsec1->ptrace_sid;
2639
2640         return 0;
2641 }
2642
2643 static void selinux_task_free_security(struct task_struct *tsk)
2644 {
2645         task_free_security(tsk);
2646 }
2647
2648 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2649 {
2650         /* Since setuid only affects the current process, and
2651            since the SELinux controls are not based on the Linux
2652            identity attributes, SELinux does not need to control
2653            this operation.  However, SELinux does control the use
2654            of the CAP_SETUID and CAP_SETGID capabilities using the
2655            capable hook. */
2656         return 0;
2657 }
2658
2659 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2660 {
2661         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2662 }
2663
2664 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2665 {
2666         /* See the comment for setuid above. */
2667         return 0;
2668 }
2669
2670 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2671 {
2672         return task_has_perm(current, p, PROCESS__SETPGID);
2673 }
2674
2675 static int selinux_task_getpgid(struct task_struct *p)
2676 {
2677         return task_has_perm(current, p, PROCESS__GETPGID);
2678 }
2679
2680 static int selinux_task_getsid(struct task_struct *p)
2681 {
2682         return task_has_perm(current, p, PROCESS__GETSESSION);
2683 }
2684
2685 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2686 {
2687         selinux_get_task_sid(p, secid);
2688 }
2689
2690 static int selinux_task_setgroups(struct group_info *group_info)
2691 {
2692         /* See the comment for setuid above. */
2693         return 0;
2694 }
2695
2696 static int selinux_task_setnice(struct task_struct *p, int nice)
2697 {
2698         int rc;
2699
2700         rc = secondary_ops->task_setnice(p, nice);
2701         if (rc)
2702                 return rc;
2703
2704         return task_has_perm(current,p, PROCESS__SETSCHED);
2705 }
2706
2707 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2708 {
2709         return task_has_perm(current, p, PROCESS__SETSCHED);
2710 }
2711
2712 static int selinux_task_getioprio(struct task_struct *p)
2713 {
2714         return task_has_perm(current, p, PROCESS__GETSCHED);
2715 }
2716
2717 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2718 {
2719         struct rlimit *old_rlim = current->signal->rlim + resource;
2720         int rc;
2721
2722         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2723         if (rc)
2724                 return rc;
2725
2726         /* Control the ability to change the hard limit (whether
2727            lowering or raising it), so that the hard limit can
2728            later be used as a safe reset point for the soft limit
2729            upon context transitions. See selinux_bprm_apply_creds. */
2730         if (old_rlim->rlim_max != new_rlim->rlim_max)
2731                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2732
2733         return 0;
2734 }
2735
2736 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2737 {
2738         return task_has_perm(current, p, PROCESS__SETSCHED);
2739 }
2740
2741 static int selinux_task_getscheduler(struct task_struct *p)
2742 {
2743         return task_has_perm(current, p, PROCESS__GETSCHED);
2744 }
2745
2746 static int selinux_task_movememory(struct task_struct *p)
2747 {
2748         return task_has_perm(current, p, PROCESS__SETSCHED);
2749 }
2750
2751 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2752                                 int sig, u32 secid)
2753 {
2754         u32 perm;
2755         int rc;
2756         struct task_security_struct *tsec;
2757
2758         rc = secondary_ops->task_kill(p, info, sig, secid);
2759         if (rc)
2760                 return rc;
2761
2762         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2763                 return 0;
2764
2765         if (!sig)
2766                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2767         else
2768                 perm = signal_to_av(sig);
2769         tsec = p->security;
2770         if (secid)
2771                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2772         else
2773                 rc = task_has_perm(current, p, perm);
2774         return rc;
2775 }
2776
2777 static int selinux_task_prctl(int option,
2778                               unsigned long arg2,
2779                               unsigned long arg3,
2780                               unsigned long arg4,
2781                               unsigned long arg5)
2782 {
2783         /* The current prctl operations do not appear to require
2784            any SELinux controls since they merely observe or modify
2785            the state of the current process. */
2786         return 0;
2787 }
2788
2789 static int selinux_task_wait(struct task_struct *p)
2790 {
2791         u32 perm;
2792
2793         perm = signal_to_av(p->exit_signal);
2794
2795         return task_has_perm(p, current, perm);
2796 }
2797
2798 static void selinux_task_reparent_to_init(struct task_struct *p)
2799 {
2800         struct task_security_struct *tsec;
2801
2802         secondary_ops->task_reparent_to_init(p);
2803
2804         tsec = p->security;
2805         tsec->osid = tsec->sid;
2806         tsec->sid = SECINITSID_KERNEL;
2807         return;
2808 }
2809
2810 static void selinux_task_to_inode(struct task_struct *p,
2811                                   struct inode *inode)
2812 {
2813         struct task_security_struct *tsec = p->security;
2814         struct inode_security_struct *isec = inode->i_security;
2815
2816         isec->sid = tsec->sid;
2817         isec->initialized = 1;
2818         return;
2819 }
2820
2821 /* Returns error only if unable to parse addresses */
2822 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2823 {
2824         int offset, ihlen, ret = -EINVAL;
2825         struct iphdr _iph, *ih;
2826
2827         offset = skb->nh.raw - skb->data;
2828         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2829         if (ih == NULL)
2830                 goto out;
2831
2832         ihlen = ih->ihl * 4;
2833         if (ihlen < sizeof(_iph))
2834                 goto out;
2835
2836         ad->u.net.v4info.saddr = ih->saddr;
2837         ad->u.net.v4info.daddr = ih->daddr;
2838         ret = 0;
2839
2840         switch (ih->protocol) {
2841         case IPPROTO_TCP: {
2842                 struct tcphdr _tcph, *th;
2843
2844                 if (ntohs(ih->frag_off) & IP_OFFSET)
2845                         break;
2846
2847                 offset += ihlen;
2848                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2849                 if (th == NULL)
2850                         break;
2851
2852                 ad->u.net.sport = th->source;
2853                 ad->u.net.dport = th->dest;
2854                 break;
2855         }
2856         
2857         case IPPROTO_UDP: {
2858                 struct udphdr _udph, *uh;
2859                 
2860                 if (ntohs(ih->frag_off) & IP_OFFSET)
2861                         break;
2862                         
2863                 offset += ihlen;
2864                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2865                 if (uh == NULL)
2866                         break;  
2867
2868                 ad->u.net.sport = uh->source;
2869                 ad->u.net.dport = uh->dest;
2870                 break;
2871         }
2872
2873         default:
2874                 break;
2875         }
2876 out:
2877         return ret;
2878 }
2879
2880 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2881
2882 /* Returns error only if unable to parse addresses */
2883 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2884 {
2885         u8 nexthdr;
2886         int ret = -EINVAL, offset;
2887         struct ipv6hdr _ipv6h, *ip6;
2888
2889         offset = skb->nh.raw - skb->data;
2890         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2891         if (ip6 == NULL)
2892                 goto out;
2893
2894         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2895         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2896         ret = 0;
2897
2898         nexthdr = ip6->nexthdr;
2899         offset += sizeof(_ipv6h);
2900         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2901         if (offset < 0)
2902                 goto out;
2903
2904         switch (nexthdr) {
2905         case IPPROTO_TCP: {
2906                 struct tcphdr _tcph, *th;
2907
2908                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2909                 if (th == NULL)
2910                         break;
2911
2912                 ad->u.net.sport = th->source;
2913                 ad->u.net.dport = th->dest;
2914                 break;
2915         }
2916
2917         case IPPROTO_UDP: {
2918                 struct udphdr _udph, *uh;
2919
2920                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2921                 if (uh == NULL)
2922                         break;
2923
2924                 ad->u.net.sport = uh->source;
2925                 ad->u.net.dport = uh->dest;
2926                 break;
2927         }
2928
2929         /* includes fragments */
2930         default:
2931                 break;
2932         }
2933 out:
2934         return ret;
2935 }
2936
2937 #endif /* IPV6 */
2938
2939 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2940                              char **addrp, int *len, int src)
2941 {
2942         int ret = 0;
2943
2944         switch (ad->u.net.family) {
2945         case PF_INET:
2946                 ret = selinux_parse_skb_ipv4(skb, ad);
2947                 if (ret || !addrp)
2948                         break;
2949                 *len = 4;
2950                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2951                                         &ad->u.net.v4info.daddr);
2952                 break;
2953
2954 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2955         case PF_INET6:
2956                 ret = selinux_parse_skb_ipv6(skb, ad);
2957                 if (ret || !addrp)
2958                         break;
2959                 *len = 16;
2960                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2961                                         &ad->u.net.v6info.daddr);
2962                 break;
2963 #endif  /* IPV6 */
2964         default:
2965                 break;
2966         }
2967
2968         return ret;
2969 }
2970
2971 /* socket security operations */
2972 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2973                            u32 perms)
2974 {
2975         struct inode_security_struct *isec;
2976         struct task_security_struct *tsec;
2977         struct avc_audit_data ad;
2978         int err = 0;
2979
2980         tsec = task->security;
2981         isec = SOCK_INODE(sock)->i_security;
2982
2983         if (isec->sid == SECINITSID_KERNEL)
2984                 goto out;
2985
2986         AVC_AUDIT_DATA_INIT(&ad,NET);
2987         ad.u.net.sk = sock->sk;
2988         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2989
2990 out:
2991         return err;
2992 }
2993
2994 static int selinux_socket_create(int family, int type,
2995                                  int protocol, int kern)
2996 {
2997         int err = 0;
2998         struct task_security_struct *tsec;
2999         u32 newsid;
3000
3001         if (kern)
3002                 goto out;
3003
3004         tsec = current->security;
3005         newsid = tsec->sockcreate_sid ? : tsec->sid;
3006         err = avc_has_perm(tsec->sid, newsid,
3007                            socket_type_to_security_class(family, type,
3008                            protocol), SOCKET__CREATE, NULL);
3009
3010 out:
3011         return err;
3012 }
3013
3014 static void selinux_socket_post_create(struct socket *sock, int family,
3015                                        int type, int protocol, int kern)
3016 {
3017         struct inode_security_struct *isec;
3018         struct task_security_struct *tsec;
3019         u32 newsid;
3020
3021         isec = SOCK_INODE(sock)->i_security;
3022
3023         tsec = current->security;
3024         newsid = tsec->sockcreate_sid ? : tsec->sid;
3025         isec->sclass = socket_type_to_security_class(family, type, protocol);
3026         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3027         isec->initialized = 1;
3028
3029         return;
3030 }
3031
3032 /* Range of port numbers used to automatically bind.
3033    Need to determine whether we should perform a name_bind
3034    permission check between the socket and the port number. */
3035 #define ip_local_port_range_0 sysctl_local_port_range[0]
3036 #define ip_local_port_range_1 sysctl_local_port_range[1]
3037
3038 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3039 {
3040         u16 family;
3041         int err;
3042
3043         err = socket_has_perm(current, sock, SOCKET__BIND);
3044         if (err)
3045                 goto out;
3046
3047         /*
3048          * If PF_INET or PF_INET6, check name_bind permission for the port.
3049          * Multiple address binding for SCTP is not supported yet: we just
3050          * check the first address now.
3051          */
3052         family = sock->sk->sk_family;
3053         if (family == PF_INET || family == PF_INET6) {
3054                 char *addrp;
3055                 struct inode_security_struct *isec;
3056                 struct task_security_struct *tsec;
3057                 struct avc_audit_data ad;
3058                 struct sockaddr_in *addr4 = NULL;
3059                 struct sockaddr_in6 *addr6 = NULL;
3060                 unsigned short snum;
3061                 struct sock *sk = sock->sk;
3062                 u32 sid, node_perm, addrlen;
3063
3064                 tsec = current->security;
3065                 isec = SOCK_INODE(sock)->i_security;
3066
3067                 if (family == PF_INET) {
3068                         addr4 = (struct sockaddr_in *)address;
3069                         snum = ntohs(addr4->sin_port);
3070                         addrlen = sizeof(addr4->sin_addr.s_addr);
3071                         addrp = (char *)&addr4->sin_addr.s_addr;
3072                 } else {
3073                         addr6 = (struct sockaddr_in6 *)address;
3074                         snum = ntohs(addr6->sin6_port);
3075                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3076                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3077                 }
3078
3079                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3080                            snum > ip_local_port_range_1)) {
3081                         err = security_port_sid(sk->sk_family, sk->sk_type,
3082                                                 sk->sk_protocol, snum, &sid);
3083                         if (err)
3084                                 goto out;
3085                         AVC_AUDIT_DATA_INIT(&ad,NET);
3086                         ad.u.net.sport = htons(snum);
3087                         ad.u.net.family = family;
3088                         err = avc_has_perm(isec->sid, sid,
3089                                            isec->sclass,
3090                                            SOCKET__NAME_BIND, &ad);
3091                         if (err)
3092                                 goto out;
3093                 }
3094                 
3095                 switch(isec->sclass) {
3096                 case SECCLASS_TCP_SOCKET:
3097                         node_perm = TCP_SOCKET__NODE_BIND;
3098                         break;
3099                         
3100                 case SECCLASS_UDP_SOCKET:
3101                         node_perm = UDP_SOCKET__NODE_BIND;
3102                         break;
3103                         
3104                 default:
3105                         node_perm = RAWIP_SOCKET__NODE_BIND;
3106                         break;
3107                 }
3108                 
3109                 err = security_node_sid(family, addrp, addrlen, &sid);
3110                 if (err)
3111                         goto out;
3112                 
3113                 AVC_AUDIT_DATA_INIT(&ad,NET);
3114                 ad.u.net.sport = htons(snum);
3115                 ad.u.net.family = family;
3116
3117                 if (family == PF_INET)
3118                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3119                 else
3120                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3121
3122                 err = avc_has_perm(isec->sid, sid,
3123                                    isec->sclass, node_perm, &ad);
3124                 if (err)
3125                         goto out;
3126         }
3127 out:
3128         return err;
3129 }
3130
3131 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3132 {
3133         struct inode_security_struct *isec;
3134         int err;
3135
3136         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3137         if (err)
3138                 return err;
3139
3140         /*
3141          * If a TCP socket, check name_connect permission for the port.
3142          */
3143         isec = SOCK_INODE(sock)->i_security;
3144         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3145                 struct sock *sk = sock->sk;
3146                 struct avc_audit_data ad;
3147                 struct sockaddr_in *addr4 = NULL;
3148                 struct sockaddr_in6 *addr6 = NULL;
3149                 unsigned short snum;
3150                 u32 sid;
3151
3152                 if (sk->sk_family == PF_INET) {
3153                         addr4 = (struct sockaddr_in *)address;
3154                         if (addrlen < sizeof(struct sockaddr_in))
3155                                 return -EINVAL;
3156                         snum = ntohs(addr4->sin_port);
3157                 } else {
3158                         addr6 = (struct sockaddr_in6 *)address;
3159                         if (addrlen < SIN6_LEN_RFC2133)
3160                                 return -EINVAL;
3161                         snum = ntohs(addr6->sin6_port);
3162                 }
3163
3164                 err = security_port_sid(sk->sk_family, sk->sk_type,
3165                                         sk->sk_protocol, snum, &sid);
3166                 if (err)
3167                         goto out;
3168
3169                 AVC_AUDIT_DATA_INIT(&ad,NET);
3170                 ad.u.net.dport = htons(snum);
3171                 ad.u.net.family = sk->sk_family;
3172                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3173                                    TCP_SOCKET__NAME_CONNECT, &ad);
3174                 if (err)
3175                         goto out;
3176         }
3177
3178 out:
3179         return err;
3180 }
3181
3182 static int selinux_socket_listen(struct socket *sock, int backlog)
3183 {
3184         return socket_has_perm(current, sock, SOCKET__LISTEN);
3185 }
3186
3187 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3188 {
3189         int err;
3190         struct inode_security_struct *isec;
3191         struct inode_security_struct *newisec;
3192
3193         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3194         if (err)
3195                 return err;
3196
3197         newisec = SOCK_INODE(newsock)->i_security;
3198
3199         isec = SOCK_INODE(sock)->i_security;
3200         newisec->sclass = isec->sclass;
3201         newisec->sid = isec->sid;
3202         newisec->initialized = 1;
3203
3204         return 0;
3205 }
3206
3207 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3208                                   int size)
3209 {
3210         return socket_has_perm(current, sock, SOCKET__WRITE);
3211 }
3212
3213 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3214                                   int size, int flags)
3215 {
3216         return socket_has_perm(current, sock, SOCKET__READ);
3217 }
3218
3219 static int selinux_socket_getsockname(struct socket *sock)
3220 {
3221         return socket_has_perm(current, sock, SOCKET__GETATTR);
3222 }
3223
3224 static int selinux_socket_getpeername(struct socket *sock)
3225 {
3226         return socket_has_perm(current, sock, SOCKET__GETATTR);
3227 }
3228
3229 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3230 {
3231         return socket_has_perm(current, sock, SOCKET__SETOPT);
3232 }
3233
3234 static int selinux_socket_getsockopt(struct socket *sock, int level,
3235                                      int optname)
3236 {
3237         return socket_has_perm(current, sock, SOCKET__GETOPT);
3238 }
3239
3240 static int selinux_socket_shutdown(struct socket *sock, int how)
3241 {
3242         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3243 }
3244
3245 static int selinux_socket_unix_stream_connect(struct socket *sock,
3246                                               struct socket *other,
3247                                               struct sock *newsk)
3248 {
3249         struct sk_security_struct *ssec;
3250         struct inode_security_struct *isec;
3251         struct inode_security_struct *other_isec;
3252         struct avc_audit_data ad;
3253         int err;
3254
3255         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3256         if (err)
3257                 return err;
3258
3259         isec = SOCK_INODE(sock)->i_security;
3260         other_isec = SOCK_INODE(other)->i_security;
3261
3262         AVC_AUDIT_DATA_INIT(&ad,NET);
3263         ad.u.net.sk = other->sk;
3264
3265         err = avc_has_perm(isec->sid, other_isec->sid,
3266                            isec->sclass,
3267                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3268         if (err)
3269                 return err;
3270
3271         /* connecting socket */
3272         ssec = sock->sk->sk_security;
3273         ssec->peer_sid = other_isec->sid;
3274         
3275         /* server child socket */
3276         ssec = newsk->sk_security;
3277         ssec->peer_sid = isec->sid;
3278         
3279         return 0;
3280 }
3281
3282 static int selinux_socket_unix_may_send(struct socket *sock,
3283                                         struct socket *other)
3284 {
3285         struct inode_security_struct *isec;
3286         struct inode_security_struct *other_isec;
3287         struct avc_audit_data ad;
3288         int err;
3289
3290         isec = SOCK_INODE(sock)->i_security;
3291         other_isec = SOCK_INODE(other)->i_security;
3292
3293         AVC_AUDIT_DATA_INIT(&ad,NET);
3294         ad.u.net.sk = other->sk;
3295
3296         err = avc_has_perm(isec->sid, other_isec->sid,
3297                            isec->sclass, SOCKET__SENDTO, &ad);
3298         if (err)
3299                 return err;
3300
3301         return 0;
3302 }
3303
3304 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3305                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3306                 u16 family, char *addrp, int len)
3307 {
3308         int err = 0;
3309         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3310
3311         if (!skb->dev)
3312                 goto out;
3313
3314         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3315         if (err)
3316                 goto out;
3317
3318         switch (sock_class) {
3319         case SECCLASS_UDP_SOCKET:
3320                 netif_perm = NETIF__UDP_RECV;
3321                 node_perm = NODE__UDP_RECV;
3322                 recv_perm = UDP_SOCKET__RECV_MSG;
3323                 break;
3324         
3325         case SECCLASS_TCP_SOCKET:
3326                 netif_perm = NETIF__TCP_RECV;
3327                 node_perm = NODE__TCP_RECV;
3328                 recv_perm = TCP_SOCKET__RECV_MSG;
3329                 break;
3330         
3331         default:
3332                 netif_perm = NETIF__RAWIP_RECV;
3333                 node_perm = NODE__RAWIP_RECV;
3334                 break;
3335         }
3336
3337         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3338         if (err)
3339                 goto out;
3340         
3341         err = security_node_sid(family, addrp, len, &node_sid);
3342         if (err)
3343                 goto out;
3344         
3345         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3346         if (err)
3347                 goto out;
3348
3349         if (recv_perm) {
3350                 u32 port_sid;
3351
3352                 err = security_port_sid(sk->sk_family, sk->sk_type,
3353                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3354                                         &port_sid);
3355                 if (err)
3356                         goto out;
3357
3358                 err = avc_has_perm(sock_sid, port_sid,
3359                                    sock_class, recv_perm, ad);
3360         }
3361
3362 out:
3363         return err;
3364 }
3365
3366 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3367 {
3368         u16 family;
3369         u16 sock_class = 0;
3370         char *addrp;
3371         int len, err = 0;
3372         u32 sock_sid = 0;
3373         struct socket *sock;
3374         struct avc_audit_data ad;
3375
3376         family = sk->sk_family;
3377         if (family != PF_INET && family != PF_INET6)
3378                 goto out;
3379
3380         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3381         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3382                 family = PF_INET;
3383
3384         read_lock_bh(&sk->sk_callback_lock);
3385         sock = sk->sk_socket;
3386         if (sock) {
3387                 struct inode *inode;
3388                 inode = SOCK_INODE(sock);
3389                 if (inode) {
3390                         struct inode_security_struct *isec;
3391                         isec = inode->i_security;
3392                         sock_sid = isec->sid;
3393                         sock_class = isec->sclass;
3394                 }
3395         }
3396         read_unlock_bh(&sk->sk_callback_lock);
3397         if (!sock_sid)
3398                 goto out;
3399
3400         AVC_AUDIT_DATA_INIT(&ad, NET);
3401         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3402         ad.u.net.family = family;
3403
3404         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3405         if (err)
3406                 goto out;
3407
3408         if (selinux_compat_net)
3409                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3410                                                   sock_class, family,
3411                                                   addrp, len);
3412         else
3413                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3414                                    PACKET__RECV, &ad);
3415         if (err)
3416                 goto out;
3417
3418         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3419 out:    
3420         return err;
3421 }
3422
3423 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3424                                             int __user *optlen, unsigned len)
3425 {
3426         int err = 0;
3427         char *scontext;
3428         u32 scontext_len;
3429         struct sk_security_struct *ssec;
3430         struct inode_security_struct *isec;
3431         u32 peer_sid = 0;
3432
3433         isec = SOCK_INODE(sock)->i_security;
3434
3435         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3436         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3437                 ssec = sock->sk->sk_security;
3438                 peer_sid = ssec->peer_sid;
3439         }
3440         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3441                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3442
3443                 if (peer_sid == SECSID_NULL) {
3444                         err = -ENOPROTOOPT;
3445                         goto out;
3446                 }
3447         }
3448         else {
3449                 err = -ENOPROTOOPT;
3450                 goto out;
3451         }
3452
3453         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3454
3455         if (err)
3456                 goto out;
3457
3458         if (scontext_len > len) {
3459                 err = -ERANGE;
3460                 goto out_len;
3461         }
3462
3463         if (copy_to_user(optval, scontext, scontext_len))
3464                 err = -EFAULT;
3465
3466 out_len:
3467         if (put_user(scontext_len, optlen))
3468                 err = -EFAULT;
3469
3470         kfree(scontext);
3471 out:    
3472         return err;
3473 }
3474
3475 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3476 {
3477         int err = 0;
3478         u32 peer_sid;
3479
3480         if (skb->sk->sk_family == PF_UNIX)
3481                 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
3482                                       &peer_sid);
3483         else
3484                 peer_sid = selinux_socket_getpeer_dgram(skb);
3485
3486         if (peer_sid == SECSID_NULL)
3487                 return -EINVAL;
3488
3489         err = security_sid_to_context(peer_sid, secdata, seclen);
3490         if (err)
3491                 return err;
3492
3493         return 0;
3494 }
3495
3496 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3497 {
3498         return sk_alloc_security(sk, family, priority);
3499 }
3500
3501 static void selinux_sk_free_security(struct sock *sk)
3502 {
3503         sk_free_security(sk);
3504 }
3505
3506 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3507 {
3508         struct inode_security_struct *isec;
3509         u32 sock_sid = SECINITSID_ANY_SOCKET;
3510
3511         if (!sk)
3512                 return selinux_no_sk_sid(fl);
3513
3514         read_lock_bh(&sk->sk_callback_lock);
3515         isec = get_sock_isec(sk);
3516
3517         if (isec)
3518                 sock_sid = isec->sid;
3519
3520         read_unlock_bh(&sk->sk_callback_lock);
3521         return sock_sid;
3522 }
3523
3524 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3525 {
3526         int err = 0;
3527         u32 perm;
3528         struct nlmsghdr *nlh;
3529         struct socket *sock = sk->sk_socket;
3530         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3531         
3532         if (skb->len < NLMSG_SPACE(0)) {
3533                 err = -EINVAL;
3534                 goto out;
3535         }
3536         nlh = (struct nlmsghdr *)skb->data;
3537         
3538         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3539         if (err) {
3540                 if (err == -EINVAL) {
3541                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3542                                   "SELinux:  unrecognized netlink message"
3543                                   " type=%hu for sclass=%hu\n",
3544                                   nlh->nlmsg_type, isec->sclass);
3545                         if (!selinux_enforcing)
3546                                 err = 0;
3547                 }
3548
3549                 /* Ignore */
3550                 if (err == -ENOENT)
3551                         err = 0;
3552                 goto out;
3553         }
3554
3555         err = socket_has_perm(current, sock, perm);
3556 out:
3557         return err;
3558 }
3559
3560 #ifdef CONFIG_NETFILTER
3561
3562 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3563                                             struct inode_security_struct *isec,
3564                                             struct avc_audit_data *ad,
3565                                             u16 family, char *addrp, int len)
3566 {
3567         int err;
3568         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3569         
3570         err = sel_netif_sids(dev, &if_sid, NULL);
3571         if (err)
3572                 goto out;
3573
3574         switch (isec->sclass) {
3575         case SECCLASS_UDP_SOCKET:
3576                 netif_perm = NETIF__UDP_SEND;
3577                 node_perm = NODE__UDP_SEND;
3578                 send_perm = UDP_SOCKET__SEND_MSG;
3579                 break;
3580         
3581         case SECCLASS_TCP_SOCKET:
3582                 netif_perm = NETIF__TCP_SEND;
3583                 node_perm = NODE__TCP_SEND;
3584                 send_perm = TCP_SOCKET__SEND_MSG;
3585                 break;
3586         
3587         default:
3588                 netif_perm = NETIF__RAWIP_SEND;
3589                 node_perm = NODE__RAWIP_SEND;
3590                 break;
3591         }
3592
3593         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3594         if (err)
3595                 goto out;
3596                 
3597         err = security_node_sid(family, addrp, len, &node_sid);
3598         if (err)
3599                 goto out;
3600         
3601         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3602         if (err)
3603                 goto out;
3604
3605         if (send_perm) {
3606                 u32 port_sid;
3607                 
3608                 err = security_port_sid(sk->sk_family,
3609                                         sk->sk_type,
3610                                         sk->sk_protocol,
3611                                         ntohs(ad->u.net.dport),
3612                                         &port_sid);
3613                 if (err)
3614                         goto out;
3615
3616                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3617                                    send_perm, ad);
3618         }
3619 out:
3620         return err;
3621 }
3622
3623 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3624                                               struct sk_buff **pskb,
3625                                               const struct net_device *in,
3626                                               const struct net_device *out,
3627                                               int (*okfn)(struct sk_buff *),
3628                                               u16 family)
3629 {
3630         char *addrp;
3631         int len, err = 0;
3632         struct sock *sk;
3633         struct socket *sock;
3634         struct inode *inode;
3635         struct sk_buff *skb = *pskb;
3636         struct inode_security_struct *isec;
3637         struct avc_audit_data ad;
3638         struct net_device *dev = (struct net_device *)out;
3639
3640         sk = skb->sk;
3641         if (!sk)
3642                 goto out;
3643
3644         sock = sk->sk_socket;
3645         if (!sock)
3646                 goto out;
3647
3648         inode = SOCK_INODE(sock);
3649         if (!inode)
3650                 goto out;
3651
3652         isec = inode->i_security;
3653
3654         AVC_AUDIT_DATA_INIT(&ad, NET);
3655         ad.u.net.netif = dev->name;
3656         ad.u.net.family = family;
3657
3658         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3659         if (err)
3660                 goto out;
3661
3662         if (selinux_compat_net)
3663                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3664                                                        family, addrp, len);
3665         else
3666                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3667                                    PACKET__SEND, &ad);
3668
3669         if (err)
3670                 goto out;
3671
3672         err = selinux_xfrm_postroute_last(isec->sid, skb);
3673 out:
3674         return err ? NF_DROP : NF_ACCEPT;
3675 }
3676
3677 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3678                                                 struct sk_buff **pskb,
3679                                                 const struct net_device *in,
3680                                                 const struct net_device *out,
3681                                                 int (*okfn)(struct sk_buff *))
3682 {
3683         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3684 }
3685
3686 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3687
3688 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3689                                                 struct sk_buff **pskb,
3690                                                 const struct net_device *in,
3691                                                 const struct net_device *out,
3692                                                 int (*okfn)(struct sk_buff *))
3693 {
3694         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3695 }
3696
3697 #endif  /* IPV6 */
3698
3699 #endif  /* CONFIG_NETFILTER */
3700
3701 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3702 {
3703         int err;
3704
3705         err = secondary_ops->netlink_send(sk, skb);
3706         if (err)
3707                 return err;
3708
3709         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3710                 err = selinux_nlmsg_perm(sk, skb);
3711
3712         return err;
3713 }
3714
3715 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3716 {
3717         int err;
3718         struct avc_audit_data ad;
3719
3720         err = secondary_ops->netlink_recv(skb, capability);
3721         if (err)
3722                 return err;
3723
3724         AVC_AUDIT_DATA_INIT(&ad, CAP);
3725         ad.u.cap = capability;
3726
3727         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3728                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3729 }
3730
3731 static int ipc_alloc_security(struct task_struct *task,
3732                               struct kern_ipc_perm *perm,
3733                               u16 sclass)
3734 {
3735         struct task_security_struct *tsec = task->security;
3736         struct ipc_security_struct *isec;
3737
3738         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3739         if (!isec)
3740                 return -ENOMEM;
3741
3742         isec->sclass = sclass;
3743         isec->ipc_perm = perm;
3744         isec->sid = tsec->sid;
3745         perm->security = isec;
3746
3747         return 0;
3748 }
3749
3750 static void ipc_free_security(struct kern_ipc_perm *perm)
3751 {
3752         struct ipc_security_struct *isec = perm->security;
3753         perm->security = NULL;
3754         kfree(isec);
3755 }
3756
3757 static int msg_msg_alloc_security(struct msg_msg *msg)
3758 {
3759         struct msg_security_struct *msec;
3760
3761         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3762         if (!msec)
3763                 return -ENOMEM;
3764
3765         msec->msg = msg;
3766         msec->sid = SECINITSID_UNLABELED;
3767         msg->security = msec;
3768
3769         return 0;
3770 }
3771
3772 static void msg_msg_free_security(struct msg_msg *msg)
3773 {
3774         struct msg_security_struct *msec = msg->security;
3775
3776         msg->security = NULL;
3777         kfree(msec);
3778 }
3779
3780 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3781                         u32 perms)
3782 {
3783         struct task_security_struct *tsec;
3784         struct ipc_security_struct *isec;
3785         struct avc_audit_data ad;
3786
3787         tsec = current->security;
3788         isec = ipc_perms->security;
3789
3790         AVC_AUDIT_DATA_INIT(&ad, IPC);
3791         ad.u.ipc_id = ipc_perms->key;
3792
3793         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3794 }
3795
3796 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3797 {
3798         return msg_msg_alloc_security(msg);
3799 }
3800
3801 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3802 {
3803         msg_msg_free_security(msg);
3804 }
3805
3806 /* message queue security operations */
3807 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3808 {
3809         struct task_security_struct *tsec;
3810         struct ipc_security_struct *isec;
3811         struct avc_audit_data ad;
3812         int rc;
3813
3814         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3815         if (rc)
3816                 return rc;
3817
3818         tsec = current->security;
3819         isec = msq->q_perm.security;
3820
3821         AVC_AUDIT_DATA_INIT(&ad, IPC);
3822         ad.u.ipc_id = msq->q_perm.key;
3823
3824         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3825                           MSGQ__CREATE, &ad);
3826         if (rc) {
3827                 ipc_free_security(&msq->q_perm);
3828                 return rc;
3829         }
3830         return 0;
3831 }
3832
3833 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3834 {
3835         ipc_free_security(&msq->q_perm);
3836 }
3837
3838 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3839 {
3840         struct task_security_struct *tsec;
3841         struct ipc_security_struct *isec;
3842         struct avc_audit_data ad;
3843
3844         tsec = current->security;
3845         isec = msq->q_perm.security;
3846
3847         AVC_AUDIT_DATA_INIT(&ad, IPC);
3848         ad.u.ipc_id = msq->q_perm.key;
3849
3850         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3851                             MSGQ__ASSOCIATE, &ad);
3852 }
3853
3854 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3855 {
3856         int err;
3857         int perms;
3858
3859         switch(cmd) {
3860         case IPC_INFO:
3861         case MSG_INFO:
3862                 /* No specific object, just general system-wide information. */
3863                 return task_has_system(current, SYSTEM__IPC_INFO);
3864         case IPC_STAT:
3865         case MSG_STAT:
3866                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3867                 break;
3868         case IPC_SET:
3869                 perms = MSGQ__SETATTR;
3870                 break;
3871         case IPC_RMID:
3872                 perms = MSGQ__DESTROY;
3873                 break;
3874         default:
3875                 return 0;
3876         }
3877
3878         err = ipc_has_perm(&msq->q_perm, perms);
3879         return err;
3880 }
3881
3882 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3883 {
3884         struct task_security_struct *tsec;
3885         struct ipc_security_struct *isec;
3886         struct msg_security_struct *msec;
3887         struct avc_audit_data ad;
3888         int rc;
3889
3890         tsec = current->security;
3891         isec = msq->q_perm.security;
3892         msec = msg->security;
3893
3894         /*
3895          * First time through, need to assign label to the message
3896          */
3897         if (msec->sid == SECINITSID_UNLABELED) {
3898                 /*
3899                  * Compute new sid based on current process and
3900                  * message queue this message will be stored in
3901                  */
3902                 rc = security_transition_sid(tsec->sid,
3903                                              isec->sid,
3904                                              SECCLASS_MSG,
3905                                              &msec->sid);
3906                 if (rc)
3907                         return rc;
3908         }
3909
3910         AVC_AUDIT_DATA_INIT(&ad, IPC);
3911         ad.u.ipc_id = msq->q_perm.key;
3912
3913         /* Can this process write to the queue? */
3914         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3915                           MSGQ__WRITE, &ad);
3916         if (!rc)
3917                 /* Can this process send the message */
3918                 rc = avc_has_perm(tsec->sid, msec->sid,
3919                                   SECCLASS_MSG, MSG__SEND, &ad);
3920         if (!rc)
3921                 /* Can the message be put in the queue? */
3922                 rc = avc_has_perm(msec->sid, isec->sid,
3923                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3924
3925         return rc;
3926 }
3927
3928 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3929                                     struct task_struct *target,
3930                                     long type, int mode)
3931 {
3932         struct task_security_struct *tsec;
3933         struct ipc_security_struct *isec;
3934         struct msg_security_struct *msec;
3935         struct avc_audit_data ad;
3936         int rc;
3937
3938         tsec = target->security;
3939         isec = msq->q_perm.security;
3940         msec = msg->security;
3941
3942         AVC_AUDIT_DATA_INIT(&ad, IPC);
3943         ad.u.ipc_id = msq->q_perm.key;
3944
3945         rc = avc_has_perm(tsec->sid, isec->sid,
3946                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3947         if (!rc)
3948                 rc = avc_has_perm(tsec->sid, msec->sid,
3949                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3950         return rc;
3951 }
3952
3953 /* Shared Memory security operations */
3954 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3955 {
3956         struct task_security_struct *tsec;
3957         struct ipc_security_struct *isec;
3958         struct avc_audit_data ad;
3959         int rc;
3960
3961         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3962         if (rc)
3963                 return rc;
3964
3965         tsec = current->security;
3966         isec = shp->shm_perm.security;
3967
3968         AVC_AUDIT_DATA_INIT(&ad, IPC);
3969         ad.u.ipc_id = shp->shm_perm.key;
3970
3971         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3972                           SHM__CREATE, &ad);
3973         if (rc) {
3974                 ipc_free_security(&shp->shm_perm);
3975                 return rc;
3976         }
3977         return 0;
3978 }
3979
3980 static void selinux_shm_free_security(struct shmid_kernel *shp)
3981 {
3982         ipc_free_security(&shp->shm_perm);
3983 }
3984
3985 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3986 {
3987         struct task_security_struct *tsec;
3988         struct ipc_security_struct *isec;
3989         struct avc_audit_data ad;
3990
3991         tsec = current->security;
3992         isec = shp->shm_perm.security;
3993
3994         AVC_AUDIT_DATA_INIT(&ad, IPC);
3995         ad.u.ipc_id = shp->shm_perm.key;
3996
3997         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3998                             SHM__ASSOCIATE, &ad);
3999 }
4000
4001 /* Note, at this point, shp is locked down */
4002 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4003 {
4004         int perms;
4005         int err;
4006
4007         switch(cmd) {
4008         case IPC_INFO:
4009         case SHM_INFO:
4010                 /* No specific object, just general system-wide information. */
4011                 return task_has_system(current, SYSTEM__IPC_INFO);
4012         case IPC_STAT:
4013         case SHM_STAT:
4014                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4015                 break;
4016         case IPC_SET:
4017                 perms = SHM__SETATTR;
4018                 break;
4019         case SHM_LOCK:
4020         case SHM_UNLOCK:
4021                 perms = SHM__LOCK;
4022                 break;
4023         case IPC_RMID:
4024                 perms = SHM__DESTROY;
4025                 break;
4026         default:
4027                 return 0;
4028         }
4029
4030         err = ipc_has_perm(&shp->shm_perm, perms);
4031         return err;
4032 }
4033
4034 static int selinux_shm_shmat(struct shmid_kernel *shp,
4035                              char __user *shmaddr, int shmflg)
4036 {
4037         u32 perms;
4038         int rc;
4039
4040         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4041         if (rc)
4042                 return rc;
4043
4044         if (shmflg & SHM_RDONLY)
4045                 perms = SHM__READ;
4046         else
4047                 perms = SHM__READ | SHM__WRITE;
4048
4049         return ipc_has_perm(&shp->shm_perm, perms);
4050 }
4051
4052 /* Semaphore security operations */
4053 static int selinux_sem_alloc_security(struct sem_array *sma)
4054 {
4055         struct task_security_struct *tsec;
4056         struct ipc_security_struct *isec;
4057         struct avc_audit_data ad;
4058         int rc;
4059
4060         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4061         if (rc)
4062                 return rc;
4063
4064         tsec = current->security;
4065         isec = sma->sem_perm.security;
4066
4067         AVC_AUDIT_DATA_INIT(&ad, IPC);
4068         ad.u.ipc_id = sma->sem_perm.key;
4069
4070         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4071                           SEM__CREATE, &ad);
4072         if (rc) {
4073                 ipc_free_security(&sma->sem_perm);
4074                 return rc;
4075         }
4076         return 0;
4077 }
4078
4079 static void selinux_sem_free_security(struct sem_array *sma)
4080 {
4081         ipc_free_security(&sma->sem_perm);
4082 }
4083
4084 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4085 {
4086         struct task_security_struct *tsec;
4087         struct ipc_security_struct *isec;
4088         struct avc_audit_data ad;
4089
4090         tsec = current->security;
4091         isec = sma->sem_perm.security;
4092
4093         AVC_AUDIT_DATA_INIT(&ad, IPC);
4094         ad.u.ipc_id = sma->sem_perm.key;
4095
4096         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4097                             SEM__ASSOCIATE, &ad);
4098 }
4099
4100 /* Note, at this point, sma is locked down */
4101 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4102 {
4103         int err;
4104         u32 perms;
4105
4106         switch(cmd) {
4107         case IPC_INFO:
4108         case SEM_INFO:
4109                 /* No specific object, just general system-wide information. */
4110                 return task_has_system(current, SYSTEM__IPC_INFO);
4111         case GETPID:
4112         case GETNCNT:
4113         case GETZCNT:
4114                 perms = SEM__GETATTR;
4115                 break;
4116         case GETVAL:
4117         case GETALL:
4118                 perms = SEM__READ;
4119                 break;
4120         case SETVAL:
4121         case SETALL:
4122                 perms = SEM__WRITE;
4123                 break;
4124         case IPC_RMID:
4125                 perms = SEM__DESTROY;
4126                 break;
4127         case IPC_SET:
4128                 perms = SEM__SETATTR;
4129                 break;
4130         case IPC_STAT:
4131         case SEM_STAT:
4132                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4133                 break;
4134         default:
4135                 return 0;
4136         }
4137
4138         err = ipc_has_perm(&sma->sem_perm, perms);
4139         return err;
4140 }
4141
4142 static int selinux_sem_semop(struct sem_array *sma,
4143                              struct sembuf *sops, unsigned nsops, int alter)
4144 {
4145         u32 perms;
4146
4147         if (alter)
4148                 perms = SEM__READ | SEM__WRITE;
4149         else
4150                 perms = SEM__READ;
4151
4152         return ipc_has_perm(&sma->sem_perm, perms);
4153 }
4154
4155 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4156 {
4157         u32 av = 0;
4158
4159         av = 0;
4160         if (flag & S_IRUGO)
4161                 av |= IPC__UNIX_READ;
4162         if (flag & S_IWUGO)
4163                 av |= IPC__UNIX_WRITE;
4164
4165         if (av == 0)
4166                 return 0;
4167
4168         return ipc_has_perm(ipcp, av);
4169 }
4170
4171 /* module stacking operations */
4172 static int selinux_register_security (const char *name, struct security_operations *ops)
4173 {
4174         if (secondary_ops != original_ops) {
4175                 printk(KERN_INFO "%s:  There is already a secondary security "
4176                        "module registered.\n", __FUNCTION__);
4177                 return -EINVAL;
4178         }
4179
4180         secondary_ops = ops;
4181
4182         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4183                __FUNCTION__,
4184                name);
4185
4186         return 0;
4187 }
4188
4189 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4190 {
4191         if (ops != secondary_ops) {
4192                 printk (KERN_INFO "%s:  trying to unregister a security module "
4193                         "that is not registered.\n", __FUNCTION__);
4194                 return -EINVAL;
4195         }
4196
4197         secondary_ops = original_ops;
4198
4199         return 0;
4200 }
4201
4202 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4203 {
4204         if (inode)
4205                 inode_doinit_with_dentry(inode, dentry);
4206 }
4207
4208 static int selinux_getprocattr(struct task_struct *p,
4209                                char *name, void *value, size_t size)
4210 {
4211         struct task_security_struct *tsec;
4212         u32 sid;
4213         int error;
4214
4215         if (current != p) {
4216                 error = task_has_perm(current, p, PROCESS__GETATTR);
4217                 if (error)
4218                         return error;
4219         }
4220
4221         tsec = p->security;
4222
4223         if (!strcmp(name, "current"))
4224                 sid = tsec->sid;
4225         else if (!strcmp(name, "prev"))
4226                 sid = tsec->osid;
4227         else if (!strcmp(name, "exec"))
4228                 sid = tsec->exec_sid;
4229         else if (!strcmp(name, "fscreate"))
4230                 sid = tsec->create_sid;
4231         else if (!strcmp(name, "keycreate"))
4232                 sid = tsec->keycreate_sid;
4233         else if (!strcmp(name, "sockcreate"))
4234                 sid = tsec->sockcreate_sid;
4235         else
4236                 return -EINVAL;
4237
4238         if (!sid)
4239                 return 0;
4240
4241         return selinux_getsecurity(sid, value, size);
4242 }
4243
4244 static int selinux_setprocattr(struct task_struct *p,
4245                                char *name, void *value, size_t size)
4246 {
4247         struct task_security_struct *tsec;
4248         u32 sid = 0;
4249         int error;
4250         char *str = value;
4251
4252         if (current != p) {
4253                 /* SELinux only allows a process to change its own
4254                    security attributes. */
4255                 return -EACCES;
4256         }
4257
4258         /*
4259          * Basic control over ability to set these attributes at all.
4260          * current == p, but we'll pass them separately in case the
4261          * above restriction is ever removed.
4262          */
4263         if (!strcmp(name, "exec"))
4264                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4265         else if (!strcmp(name, "fscreate"))
4266                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4267         else if (!strcmp(name, "keycreate"))
4268                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4269         else if (!strcmp(name, "sockcreate"))
4270                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4271         else if (!strcmp(name, "current"))
4272                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4273         else
4274                 error = -EINVAL;
4275         if (error)
4276                 return error;
4277
4278         /* Obtain a SID for the context, if one was specified. */
4279         if (size && str[1] && str[1] != '\n') {
4280                 if (str[size-1] == '\n') {
4281                         str[size-1] = 0;
4282                         size--;
4283                 }
4284                 error = security_context_to_sid(value, size, &sid);
4285                 if (error)
4286                         return error;
4287         }
4288
4289         /* Permission checking based on the specified context is
4290            performed during the actual operation (execve,
4291            open/mkdir/...), when we know the full context of the
4292            operation.  See selinux_bprm_set_security for the execve
4293            checks and may_create for the file creation checks. The
4294            operation will then fail if the context is not permitted. */
4295         tsec = p->security;
4296         if (!strcmp(name, "exec"))
4297                 tsec->exec_sid = sid;
4298         else if (!strcmp(name, "fscreate"))
4299                 tsec->create_sid = sid;
4300         else if (!strcmp(name, "keycreate")) {
4301                 error = may_create_key(sid, p);
4302                 if (error)
4303                         return error;
4304                 tsec->keycreate_sid = sid;
4305         } else if (!strcmp(name, "sockcreate"))
4306                 tsec->sockcreate_sid = sid;
4307         else if (!strcmp(name, "current")) {
4308                 struct av_decision avd;
4309
4310                 if (sid == 0)
4311                         return -EINVAL;
4312
4313                 /* Only allow single threaded processes to change context */
4314                 if (atomic_read(&p->mm->mm_users) != 1) {
4315                         struct task_struct *g, *t;
4316                         struct mm_struct *mm = p->mm;
4317                         read_lock(&tasklist_lock);
4318                         do_each_thread(g, t)
4319                                 if (t->mm == mm && t != p) {
4320                                         read_unlock(&tasklist_lock);
4321                                         return -EPERM;
4322                                 }
4323                         while_each_thread(g, t);
4324                         read_unlock(&tasklist_lock);
4325                 }
4326
4327                 /* Check permissions for the transition. */
4328                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4329                                      PROCESS__DYNTRANSITION, NULL);
4330                 if (error)
4331                         return error;
4332
4333                 /* Check for ptracing, and update the task SID if ok.
4334                    Otherwise, leave SID unchanged and fail. */
4335                 task_lock(p);
4336                 if (p->ptrace & PT_PTRACED) {
4337                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4338                                                      SECCLASS_PROCESS,
4339                                                      PROCESS__PTRACE, &avd);
4340                         if (!error)
4341                                 tsec->sid = sid;
4342                         task_unlock(p);
4343                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4344                                   PROCESS__PTRACE, &avd, error, NULL);
4345                         if (error)
4346                                 return error;
4347                 } else {
4348                         tsec->sid = sid;
4349                         task_unlock(p);
4350                 }
4351         }
4352         else
4353                 return -EINVAL;
4354
4355         return size;
4356 }
4357
4358 #ifdef CONFIG_KEYS
4359
4360 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4361                              unsigned long flags)
4362 {
4363         struct task_security_struct *tsec = tsk->security;
4364         struct key_security_struct *ksec;
4365
4366         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4367         if (!ksec)
4368                 return -ENOMEM;
4369
4370         ksec->obj = k;
4371         if (tsec->keycreate_sid)
4372                 ksec->sid = tsec->keycreate_sid;
4373         else
4374                 ksec->sid = tsec->sid;
4375         k->security = ksec;
4376
4377         return 0;
4378 }
4379
4380 static void selinux_key_free(struct key *k)
4381 {
4382         struct key_security_struct *ksec = k->security;
4383
4384         k->security = NULL;
4385         kfree(ksec);
4386 }
4387
4388 static int selinux_key_permission(key_ref_t key_ref,
4389                             struct task_struct *ctx,
4390                             key_perm_t perm)
4391 {
4392         struct key *key;
4393         struct task_security_struct *tsec;
4394         struct key_security_struct *ksec;
4395
4396         key = key_ref_to_ptr(key_ref);
4397
4398         tsec = ctx->security;
4399         ksec = key->security;
4400
4401         /* if no specific permissions are requested, we skip the
4402            permission check. No serious, additional covert channels
4403            appear to be created. */
4404         if (perm == 0)
4405                 return 0;
4406
4407         return avc_has_perm(tsec->sid, ksec->sid,
4408                             SECCLASS_KEY, perm, NULL);
4409 }
4410
4411 #endif
4412
4413 static struct security_operations selinux_ops = {
4414         .ptrace =                       selinux_ptrace,
4415         .capget =                       selinux_capget,
4416         .capset_check =                 selinux_capset_check,
4417         .capset_set =                   selinux_capset_set,
4418         .sysctl =                       selinux_sysctl,
4419         .capable =                      selinux_capable,
4420         .quotactl =                     selinux_quotactl,
4421         .quota_on =                     selinux_quota_on,
4422         .syslog =                       selinux_syslog,
4423         .vm_enough_memory =             selinux_vm_enough_memory,
4424
4425         .netlink_send =                 selinux_netlink_send,
4426         .netlink_recv =                 selinux_netlink_recv,
4427
4428         .bprm_alloc_security =          selinux_bprm_alloc_security,
4429         .bprm_free_security =           selinux_bprm_free_security,
4430         .bprm_apply_creds =             selinux_bprm_apply_creds,
4431         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4432         .bprm_set_security =            selinux_bprm_set_security,
4433         .bprm_check_security =          selinux_bprm_check_security,
4434         .bprm_secureexec =              selinux_bprm_secureexec,
4435
4436         .sb_alloc_security =            selinux_sb_alloc_security,
4437         .sb_free_security =             selinux_sb_free_security,
4438         .sb_copy_data =                 selinux_sb_copy_data,
4439         .sb_kern_mount =                selinux_sb_kern_mount,
4440         .sb_statfs =                    selinux_sb_statfs,
4441         .sb_mount =                     selinux_mount,
4442         .sb_umount =                    selinux_umount,
4443
4444         .inode_alloc_security =         selinux_inode_alloc_security,
4445         .inode_free_security =          selinux_inode_free_security,
4446         .inode_init_security =          selinux_inode_init_security,
4447         .inode_create =                 selinux_inode_create,
4448         .inode_link =                   selinux_inode_link,
4449         .inode_unlink =                 selinux_inode_unlink,
4450         .inode_symlink =                selinux_inode_symlink,
4451         .inode_mkdir =                  selinux_inode_mkdir,
4452         .inode_rmdir =                  selinux_inode_rmdir,
4453         .inode_mknod =                  selinux_inode_mknod,
4454         .inode_rename =                 selinux_inode_rename,
4455         .inode_readlink =               selinux_inode_readlink,
4456         .inode_follow_link =            selinux_inode_follow_link,
4457         .inode_permission =             selinux_inode_permission,
4458         .inode_setattr =                selinux_inode_setattr,
4459         .inode_getattr =                selinux_inode_getattr,
4460         .inode_setxattr =               selinux_inode_setxattr,
4461         .inode_post_setxattr =          selinux_inode_post_setxattr,
4462         .inode_getxattr =               selinux_inode_getxattr,
4463         .inode_listxattr =              selinux_inode_listxattr,
4464         .inode_removexattr =            selinux_inode_removexattr,
4465         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4466         .inode_getsecurity =            selinux_inode_getsecurity,
4467         .inode_setsecurity =            selinux_inode_setsecurity,
4468         .inode_listsecurity =           selinux_inode_listsecurity,
4469
4470         .file_permission =              selinux_file_permission,
4471         .file_alloc_security =          selinux_file_alloc_security,
4472         .file_free_security =           selinux_file_free_security,
4473         .file_ioctl =                   selinux_file_ioctl,
4474         .file_mmap =                    selinux_file_mmap,
4475         .file_mprotect =                selinux_file_mprotect,
4476         .file_lock =                    selinux_file_lock,
4477         .file_fcntl =                   selinux_file_fcntl,
4478         .file_set_fowner =              selinux_file_set_fowner,
4479         .file_send_sigiotask =          selinux_file_send_sigiotask,
4480         .file_receive =                 selinux_file_receive,
4481
4482         .task_create =                  selinux_task_create,
4483         .task_alloc_security =          selinux_task_alloc_security,
4484         .task_free_security =           selinux_task_free_security,
4485         .task_setuid =                  selinux_task_setuid,
4486         .task_post_setuid =             selinux_task_post_setuid,
4487         .task_setgid =                  selinux_task_setgid,
4488         .task_setpgid =                 selinux_task_setpgid,
4489         .task_getpgid =                 selinux_task_getpgid,
4490         .task_getsid =                  selinux_task_getsid,
4491         .task_getsecid =                selinux_task_getsecid,
4492         .task_setgroups =               selinux_task_setgroups,
4493         .task_setnice =                 selinux_task_setnice,
4494         .task_setioprio =               selinux_task_setioprio,
4495         .task_getioprio =               selinux_task_getioprio,
4496         .task_setrlimit =               selinux_task_setrlimit,
4497         .task_setscheduler =            selinux_task_setscheduler,
4498         .task_getscheduler =            selinux_task_getscheduler,
4499         .task_movememory =              selinux_task_movememory,
4500         .task_kill =                    selinux_task_kill,
4501         .task_wait =                    selinux_task_wait,
4502         .task_prctl =                   selinux_task_prctl,
4503         .task_reparent_to_init =        selinux_task_reparent_to_init,
4504         .task_to_inode =                selinux_task_to_inode,
4505
4506         .ipc_permission =               selinux_ipc_permission,
4507
4508         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4509         .msg_msg_free_security =        selinux_msg_msg_free_security,
4510
4511         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4512         .msg_queue_free_security =      selinux_msg_queue_free_security,
4513         .msg_queue_associate =          selinux_msg_queue_associate,
4514         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4515         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4516         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4517
4518         .shm_alloc_security =           selinux_shm_alloc_security,
4519         .shm_free_security =            selinux_shm_free_security,
4520         .shm_associate =                selinux_shm_associate,
4521         .shm_shmctl =                   selinux_shm_shmctl,
4522         .shm_shmat =                    selinux_shm_shmat,
4523
4524         .sem_alloc_security =           selinux_sem_alloc_security,
4525         .sem_free_security =            selinux_sem_free_security,
4526         .sem_associate =                selinux_sem_associate,
4527         .sem_semctl =                   selinux_sem_semctl,
4528         .sem_semop =                    selinux_sem_semop,
4529
4530         .register_security =            selinux_register_security,
4531         .unregister_security =          selinux_unregister_security,
4532
4533         .d_instantiate =                selinux_d_instantiate,
4534
4535         .getprocattr =                  selinux_getprocattr,
4536         .setprocattr =                  selinux_setprocattr,
4537
4538         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4539         .unix_may_send =                selinux_socket_unix_may_send,
4540
4541         .socket_create =                selinux_socket_create,
4542         .socket_post_create =           selinux_socket_post_create,
4543         .socket_bind =                  selinux_socket_bind,
4544         .socket_connect =               selinux_socket_connect,
4545         .socket_listen =                selinux_socket_listen,
4546         .socket_accept =                selinux_socket_accept,
4547         .socket_sendmsg =               selinux_socket_sendmsg,
4548         .socket_recvmsg =               selinux_socket_recvmsg,
4549         .socket_getsockname =           selinux_socket_getsockname,
4550         .socket_getpeername =           selinux_socket_getpeername,
4551         .socket_getsockopt =            selinux_socket_getsockopt,
4552         .socket_setsockopt =            selinux_socket_setsockopt,
4553         .socket_shutdown =              selinux_socket_shutdown,
4554         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4555         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4556         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4557         .sk_alloc_security =            selinux_sk_alloc_security,
4558         .sk_free_security =             selinux_sk_free_security,
4559         .sk_getsid =                    selinux_sk_getsid_security,
4560
4561 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4562         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4563         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4564         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4565         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4566         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4567         .xfrm_state_free_security =     selinux_xfrm_state_free,
4568         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4569         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4570 #endif
4571
4572 #ifdef CONFIG_KEYS
4573         .key_alloc =                    selinux_key_alloc,
4574         .key_free =                     selinux_key_free,
4575         .key_permission =               selinux_key_permission,
4576 #endif
4577 };
4578
4579 static __init int selinux_init(void)
4580 {
4581         struct task_security_struct *tsec;
4582
4583         if (!selinux_enabled) {
4584                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4585                 return 0;
4586         }
4587
4588         printk(KERN_INFO "SELinux:  Initializing.\n");
4589
4590         /* Set the security state for the initial task. */
4591         if (task_alloc_security(current))
4592                 panic("SELinux:  Failed to initialize initial task.\n");
4593         tsec = current->security;
4594         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4595
4596         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4597                                             sizeof(struct inode_security_struct),
4598                                             0, SLAB_PANIC, NULL, NULL);
4599         avc_init();
4600
4601         original_ops = secondary_ops = security_ops;
4602         if (!secondary_ops)
4603                 panic ("SELinux: No initial security operations\n");
4604         if (register_security (&selinux_ops))
4605                 panic("SELinux: Unable to register with kernel.\n");
4606
4607         if (selinux_enforcing) {
4608                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4609         } else {
4610                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4611         }
4612
4613 #ifdef CONFIG_KEYS
4614         /* Add security information to initial keyrings */
4615         selinux_key_alloc(&root_user_keyring, current,
4616                           KEY_ALLOC_NOT_IN_QUOTA);
4617         selinux_key_alloc(&root_session_keyring, current,
4618                           KEY_ALLOC_NOT_IN_QUOTA);
4619 #endif
4620
4621         return 0;
4622 }
4623
4624 void selinux_complete_init(void)
4625 {
4626         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4627
4628         /* Set up any superblocks initialized prior to the policy load. */
4629         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4630         spin_lock(&sb_lock);
4631         spin_lock(&sb_security_lock);
4632 next_sb:
4633         if (!list_empty(&superblock_security_head)) {
4634                 struct superblock_security_struct *sbsec =
4635                                 list_entry(superblock_security_head.next,
4636                                            struct superblock_security_struct,
4637                                            list);
4638                 struct super_block *sb = sbsec->sb;
4639                 sb->s_count++;
4640                 spin_unlock(&sb_security_lock);
4641                 spin_unlock(&sb_lock);
4642                 down_read(&sb->s_umount);
4643                 if (sb->s_root)
4644                         superblock_doinit(sb, NULL);
4645                 drop_super(sb);
4646                 spin_lock(&sb_lock);
4647                 spin_lock(&sb_security_lock);
4648                 list_del_init(&sbsec->list);
4649                 goto next_sb;
4650         }
4651         spin_unlock(&sb_security_lock);
4652         spin_unlock(&sb_lock);
4653 }
4654
4655 /* SELinux requires early initialization in order to label
4656    all processes and objects when they are created. */
4657 security_initcall(selinux_init);
4658
4659 #if defined(CONFIG_NETFILTER)
4660
4661 static struct nf_hook_ops selinux_ipv4_op = {
4662         .hook =         selinux_ipv4_postroute_last,
4663         .owner =        THIS_MODULE,
4664         .pf =           PF_INET,
4665         .hooknum =      NF_IP_POST_ROUTING,
4666         .priority =     NF_IP_PRI_SELINUX_LAST,
4667 };
4668
4669 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4670
4671 static struct nf_hook_ops selinux_ipv6_op = {
4672         .hook =         selinux_ipv6_postroute_last,
4673         .owner =        THIS_MODULE,
4674         .pf =           PF_INET6,
4675         .hooknum =      NF_IP6_POST_ROUTING,
4676         .priority =     NF_IP6_PRI_SELINUX_LAST,
4677 };
4678
4679 #endif  /* IPV6 */
4680
4681 static int __init selinux_nf_ip_init(void)
4682 {
4683         int err = 0;
4684
4685         if (!selinux_enabled)
4686                 goto out;
4687                 
4688         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4689         
4690         err = nf_register_hook(&selinux_ipv4_op);
4691         if (err)
4692                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4693
4694 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4695
4696         err = nf_register_hook(&selinux_ipv6_op);
4697         if (err)
4698                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4699
4700 #endif  /* IPV6 */
4701
4702 out:
4703         return err;
4704 }
4705
4706 __initcall(selinux_nf_ip_init);
4707
4708 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4709 static void selinux_nf_ip_exit(void)
4710 {
4711         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4712
4713         nf_unregister_hook(&selinux_ipv4_op);
4714 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4715         nf_unregister_hook(&selinux_ipv6_op);
4716 #endif  /* IPV6 */
4717 }
4718 #endif
4719
4720 #else /* CONFIG_NETFILTER */
4721
4722 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4723 #define selinux_nf_ip_exit()
4724 #endif
4725
4726 #endif /* CONFIG_NETFILTER */
4727
4728 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4729 int selinux_disable(void)
4730 {
4731         extern void exit_sel_fs(void);
4732         static int selinux_disabled = 0;
4733
4734         if (ss_initialized) {
4735                 /* Not permitted after initial policy load. */
4736                 return -EINVAL;
4737         }
4738
4739         if (selinux_disabled) {
4740                 /* Only do this once. */
4741                 return -EINVAL;
4742         }
4743
4744         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4745
4746         selinux_disabled = 1;
4747         selinux_enabled = 0;
4748
4749         /* Reset security_ops to the secondary module, dummy or capability. */
4750         security_ops = secondary_ops;
4751
4752         /* Unregister netfilter hooks. */
4753         selinux_nf_ip_exit();
4754
4755         /* Unregister selinuxfs. */
4756         exit_sel_fs();
4757
4758         return 0;
4759 }
4760 #endif
4761
4762