[PATCH] SELinux: extend task_kill hook to handle signals sent by AIO completion
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72 #include <linux/selinux.h>
73
74 #include "avc.h"
75 #include "objsec.h"
76 #include "netif.h"
77 #include "xfrm.h"
78
79 #define XATTR_SELINUX_SUFFIX "selinux"
80 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81
82 extern unsigned int policydb_loaded_version;
83 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
84 extern int selinux_compat_net;
85
86 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
87 int selinux_enforcing = 0;
88
89 static int __init enforcing_setup(char *str)
90 {
91         selinux_enforcing = simple_strtol(str,NULL,0);
92         return 1;
93 }
94 __setup("enforcing=", enforcing_setup);
95 #endif
96
97 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
98 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
99
100 static int __init selinux_enabled_setup(char *str)
101 {
102         selinux_enabled = simple_strtol(str, NULL, 0);
103         return 1;
104 }
105 __setup("selinux=", selinux_enabled_setup);
106 #else
107 int selinux_enabled = 1;
108 #endif
109
110 /* Original (dummy) security module. */
111 static struct security_operations *original_ops = NULL;
112
113 /* Minimal support for a secondary security module,
114    just to allow the use of the dummy or capability modules.
115    The owlsm module can alternatively be used as a secondary
116    module as long as CONFIG_OWLSM_FD is not enabled. */
117 static struct security_operations *secondary_ops = NULL;
118
119 /* Lists of inode and superblock security structures initialized
120    before the policy was loaded. */
121 static LIST_HEAD(superblock_security_head);
122 static DEFINE_SPINLOCK(sb_security_lock);
123
124 static kmem_cache_t *sel_inode_cache;
125
126 /* Return security context for a given sid or just the context 
127    length if the buffer is null or length is 0 */
128 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
129 {
130         char *context;
131         unsigned len;
132         int rc;
133
134         rc = security_sid_to_context(sid, &context, &len);
135         if (rc)
136                 return rc;
137
138         if (!buffer || !size)
139                 goto getsecurity_exit;
140
141         if (size < len) {
142                 len = -ERANGE;
143                 goto getsecurity_exit;
144         }
145         memcpy(buffer, context, len);
146
147 getsecurity_exit:
148         kfree(context);
149         return len;
150 }
151
152 /* Allocate and free functions for each kind of security blob. */
153
154 static int task_alloc_security(struct task_struct *task)
155 {
156         struct task_security_struct *tsec;
157
158         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
159         if (!tsec)
160                 return -ENOMEM;
161
162         tsec->task = task;
163         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
164         task->security = tsec;
165
166         return 0;
167 }
168
169 static void task_free_security(struct task_struct *task)
170 {
171         struct task_security_struct *tsec = task->security;
172         task->security = NULL;
173         kfree(tsec);
174 }
175
176 static int inode_alloc_security(struct inode *inode)
177 {
178         struct task_security_struct *tsec = current->security;
179         struct inode_security_struct *isec;
180
181         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
182         if (!isec)
183                 return -ENOMEM;
184
185         memset(isec, 0, sizeof(*isec));
186         init_MUTEX(&isec->sem);
187         INIT_LIST_HEAD(&isec->list);
188         isec->inode = inode;
189         isec->sid = SECINITSID_UNLABELED;
190         isec->sclass = SECCLASS_FILE;
191         isec->task_sid = tsec->sid;
192         inode->i_security = isec;
193
194         return 0;
195 }
196
197 static void inode_free_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec = inode->i_security;
200         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201
202         spin_lock(&sbsec->isec_lock);
203         if (!list_empty(&isec->list))
204                 list_del_init(&isec->list);
205         spin_unlock(&sbsec->isec_lock);
206
207         inode->i_security = NULL;
208         kmem_cache_free(sel_inode_cache, isec);
209 }
210
211 static int file_alloc_security(struct file *file)
212 {
213         struct task_security_struct *tsec = current->security;
214         struct file_security_struct *fsec;
215
216         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
217         if (!fsec)
218                 return -ENOMEM;
219
220         fsec->file = file;
221         fsec->sid = tsec->sid;
222         fsec->fown_sid = tsec->sid;
223         file->f_security = fsec;
224
225         return 0;
226 }
227
228 static void file_free_security(struct file *file)
229 {
230         struct file_security_struct *fsec = file->f_security;
231         file->f_security = NULL;
232         kfree(fsec);
233 }
234
235 static int superblock_alloc_security(struct super_block *sb)
236 {
237         struct superblock_security_struct *sbsec;
238
239         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
240         if (!sbsec)
241                 return -ENOMEM;
242
243         init_MUTEX(&sbsec->sem);
244         INIT_LIST_HEAD(&sbsec->list);
245         INIT_LIST_HEAD(&sbsec->isec_head);
246         spin_lock_init(&sbsec->isec_lock);
247         sbsec->sb = sb;
248         sbsec->sid = SECINITSID_UNLABELED;
249         sbsec->def_sid = SECINITSID_FILE;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         if (family != PF_UNIX)
273                 return 0;
274
275         ssec = kzalloc(sizeof(*ssec), priority);
276         if (!ssec)
277                 return -ENOMEM;
278
279         ssec->sk = sk;
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         return 0;
284 }
285
286 static void sk_free_security(struct sock *sk)
287 {
288         struct sk_security_struct *ssec = sk->sk_security;
289
290         if (sk->sk_family != PF_UNIX)
291                 return;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335         char *context = NULL, *defcontext = NULL;
336         const char *name;
337         u32 sid;
338         int alloc = 0, rc = 0, seen = 0;
339         struct task_security_struct *tsec = current->security;
340         struct superblock_security_struct *sbsec = sb->s_security;
341
342         if (!data)
343                 goto out;
344
345         name = sb->s_type->name;
346
347         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349                 /* NFS we understand. */
350                 if (!strcmp(name, "nfs")) {
351                         struct nfs_mount_data *d = data;
352
353                         if (d->version <  NFS_MOUNT_VERSION)
354                                 goto out;
355
356                         if (d->context[0]) {
357                                 context = d->context;
358                                 seen |= Opt_context;
359                         }
360                 } else
361                         goto out;
362
363         } else {
364                 /* Standard string-based options. */
365                 char *p, *options = data;
366
367                 while ((p = strsep(&options, ",")) != NULL) {
368                         int token;
369                         substring_t args[MAX_OPT_ARGS];
370
371                         if (!*p)
372                                 continue;
373
374                         token = match_token(p, tokens, args);
375
376                         switch (token) {
377                         case Opt_context:
378                                 if (seen) {
379                                         rc = -EINVAL;
380                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381                                         goto out_free;
382                                 }
383                                 context = match_strdup(&args[0]);
384                                 if (!context) {
385                                         rc = -ENOMEM;
386                                         goto out_free;
387                                 }
388                                 if (!alloc)
389                                         alloc = 1;
390                                 seen |= Opt_context;
391                                 break;
392
393                         case Opt_fscontext:
394                                 if (seen & (Opt_context|Opt_fscontext)) {
395                                         rc = -EINVAL;
396                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397                                         goto out_free;
398                                 }
399                                 context = match_strdup(&args[0]);
400                                 if (!context) {
401                                         rc = -ENOMEM;
402                                         goto out_free;
403                                 }
404                                 if (!alloc)
405                                         alloc = 1;
406                                 seen |= Opt_fscontext;
407                                 break;
408
409                         case Opt_defcontext:
410                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING "SELinux:  "
413                                                "defcontext option is invalid "
414                                                "for this filesystem type\n");
415                                         goto out_free;
416                                 }
417                                 if (seen & (Opt_context|Opt_defcontext)) {
418                                         rc = -EINVAL;
419                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420                                         goto out_free;
421                                 }
422                                 defcontext = match_strdup(&args[0]);
423                                 if (!defcontext) {
424                                         rc = -ENOMEM;
425                                         goto out_free;
426                                 }
427                                 if (!alloc)
428                                         alloc = 1;
429                                 seen |= Opt_defcontext;
430                                 break;
431
432                         default:
433                                 rc = -EINVAL;
434                                 printk(KERN_WARNING "SELinux:  unknown mount "
435                                        "option\n");
436                                 goto out_free;
437
438                         }
439                 }
440         }
441
442         if (!seen)
443                 goto out;
444
445         if (context) {
446                 rc = security_context_to_sid(context, strlen(context), &sid);
447                 if (rc) {
448                         printk(KERN_WARNING "SELinux: security_context_to_sid"
449                                "(%s) failed for (dev %s, type %s) errno=%d\n",
450                                context, sb->s_id, name, rc);
451                         goto out_free;
452                 }
453
454                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELFROM, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460                                   FILESYSTEM__RELABELTO, NULL);
461                 if (rc)
462                         goto out_free;
463
464                 sbsec->sid = sid;
465
466                 if (seen & Opt_context)
467                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468         }
469
470         if (defcontext) {
471                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472                 if (rc) {
473                         printk(KERN_WARNING "SELinux: security_context_to_sid"
474                                "(%s) failed for (dev %s, type %s) errno=%d\n",
475                                defcontext, sb->s_id, name, rc);
476                         goto out_free;
477                 }
478
479                 if (sid == sbsec->def_sid)
480                         goto out_free;
481
482                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__RELABELFROM, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488                                   FILESYSTEM__ASSOCIATE, NULL);
489                 if (rc)
490                         goto out_free;
491
492                 sbsec->def_sid = sid;
493         }
494
495 out_free:
496         if (alloc) {
497                 kfree(context);
498                 kfree(defcontext);
499         }
500 out:
501         return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506         struct superblock_security_struct *sbsec = sb->s_security;
507         struct dentry *root = sb->s_root;
508         struct inode *inode = root->d_inode;
509         int rc = 0;
510
511         down(&sbsec->sem);
512         if (sbsec->initialized)
513                 goto out;
514
515         if (!ss_initialized) {
516                 /* Defer initialization until selinux_complete_init,
517                    after the initial policy is loaded and the security
518                    server is ready to handle calls. */
519                 spin_lock(&sb_security_lock);
520                 if (list_empty(&sbsec->list))
521                         list_add(&sbsec->list, &superblock_security_head);
522                 spin_unlock(&sb_security_lock);
523                 goto out;
524         }
525
526         /* Determine the labeling behavior to use for this filesystem type. */
527         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528         if (rc) {
529                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
530                        __FUNCTION__, sb->s_type->name, rc);
531                 goto out;
532         }
533
534         rc = try_context_mount(sb, data);
535         if (rc)
536                 goto out;
537
538         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539                 /* Make sure that the xattr handler exists and that no
540                    error other than -ENODATA is returned by getxattr on
541                    the root directory.  -ENODATA is ok, as this may be
542                    the first boot of the SELinux kernel before we have
543                    assigned xattr values to the filesystem. */
544                 if (!inode->i_op->getxattr) {
545                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546                                "xattr support\n", sb->s_id, sb->s_type->name);
547                         rc = -EOPNOTSUPP;
548                         goto out;
549                 }
550                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551                 if (rc < 0 && rc != -ENODATA) {
552                         if (rc == -EOPNOTSUPP)
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) has no security xattr handler\n",
555                                        sb->s_id, sb->s_type->name);
556                         else
557                                 printk(KERN_WARNING "SELinux: (dev %s, type "
558                                        "%s) getxattr errno %d\n", sb->s_id,
559                                        sb->s_type->name, -rc);
560                         goto out;
561                 }
562         }
563
564         if (strcmp(sb->s_type->name, "proc") == 0)
565                 sbsec->proc = 1;
566
567         sbsec->initialized = 1;
568
569         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571                        sb->s_id, sb->s_type->name);
572         }
573         else {
574                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575                        sb->s_id, sb->s_type->name,
576                        labeling_behaviors[sbsec->behavior-1]);
577         }
578
579         /* Initialize the root inode. */
580         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582         /* Initialize any other inodes associated with the superblock, e.g.
583            inodes created prior to initial policy load or inodes created
584            during get_sb by a pseudo filesystem that directly
585            populates itself. */
586         spin_lock(&sbsec->isec_lock);
587 next_inode:
588         if (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_entry(sbsec->isec_head.next,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 spin_unlock(&sbsec->isec_lock);
594                 inode = igrab(inode);
595                 if (inode) {
596                         if (!IS_PRIVATE (inode))
597                                 inode_doinit(inode);
598                         iput(inode);
599                 }
600                 spin_lock(&sbsec->isec_lock);
601                 list_del_init(&isec->list);
602                 goto next_inode;
603         }
604         spin_unlock(&sbsec->isec_lock);
605 out:
606         up(&sbsec->sem);
607         return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612         switch (mode & S_IFMT) {
613         case S_IFSOCK:
614                 return SECCLASS_SOCK_FILE;
615         case S_IFLNK:
616                 return SECCLASS_LNK_FILE;
617         case S_IFREG:
618                 return SECCLASS_FILE;
619         case S_IFBLK:
620                 return SECCLASS_BLK_FILE;
621         case S_IFDIR:
622                 return SECCLASS_DIR;
623         case S_IFCHR:
624                 return SECCLASS_CHR_FILE;
625         case S_IFIFO:
626                 return SECCLASS_FIFO_FILE;
627
628         }
629
630         return SECCLASS_FILE;
631 }
632
633 static inline int default_protocol_stream(int protocol)
634 {
635         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
636 }
637
638 static inline int default_protocol_dgram(int protocol)
639 {
640         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
641 }
642
643 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
644 {
645         switch (family) {
646         case PF_UNIX:
647                 switch (type) {
648                 case SOCK_STREAM:
649                 case SOCK_SEQPACKET:
650                         return SECCLASS_UNIX_STREAM_SOCKET;
651                 case SOCK_DGRAM:
652                         return SECCLASS_UNIX_DGRAM_SOCKET;
653                 }
654                 break;
655         case PF_INET:
656         case PF_INET6:
657                 switch (type) {
658                 case SOCK_STREAM:
659                         if (default_protocol_stream(protocol))
660                                 return SECCLASS_TCP_SOCKET;
661                         else
662                                 return SECCLASS_RAWIP_SOCKET;
663                 case SOCK_DGRAM:
664                         if (default_protocol_dgram(protocol))
665                                 return SECCLASS_UDP_SOCKET;
666                         else
667                                 return SECCLASS_RAWIP_SOCKET;
668                 default:
669                         return SECCLASS_RAWIP_SOCKET;
670                 }
671                 break;
672         case PF_NETLINK:
673                 switch (protocol) {
674                 case NETLINK_ROUTE:
675                         return SECCLASS_NETLINK_ROUTE_SOCKET;
676                 case NETLINK_FIREWALL:
677                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
678                 case NETLINK_INET_DIAG:
679                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
680                 case NETLINK_NFLOG:
681                         return SECCLASS_NETLINK_NFLOG_SOCKET;
682                 case NETLINK_XFRM:
683                         return SECCLASS_NETLINK_XFRM_SOCKET;
684                 case NETLINK_SELINUX:
685                         return SECCLASS_NETLINK_SELINUX_SOCKET;
686                 case NETLINK_AUDIT:
687                         return SECCLASS_NETLINK_AUDIT_SOCKET;
688                 case NETLINK_IP6_FW:
689                         return SECCLASS_NETLINK_IP6FW_SOCKET;
690                 case NETLINK_DNRTMSG:
691                         return SECCLASS_NETLINK_DNRT_SOCKET;
692                 case NETLINK_KOBJECT_UEVENT:
693                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
694                 default:
695                         return SECCLASS_NETLINK_SOCKET;
696                 }
697         case PF_PACKET:
698                 return SECCLASS_PACKET_SOCKET;
699         case PF_KEY:
700                 return SECCLASS_KEY_SOCKET;
701         case PF_APPLETALK:
702                 return SECCLASS_APPLETALK_SOCKET;
703         }
704
705         return SECCLASS_SOCKET;
706 }
707
708 #ifdef CONFIG_PROC_FS
709 static int selinux_proc_get_sid(struct proc_dir_entry *de,
710                                 u16 tclass,
711                                 u32 *sid)
712 {
713         int buflen, rc;
714         char *buffer, *path, *end;
715
716         buffer = (char*)__get_free_page(GFP_KERNEL);
717         if (!buffer)
718                 return -ENOMEM;
719
720         buflen = PAGE_SIZE;
721         end = buffer+buflen;
722         *--end = '\0';
723         buflen--;
724         path = end-1;
725         *path = '/';
726         while (de && de != de->parent) {
727                 buflen -= de->namelen + 1;
728                 if (buflen < 0)
729                         break;
730                 end -= de->namelen;
731                 memcpy(end, de->name, de->namelen);
732                 *--end = '/';
733                 path = end;
734                 de = de->parent;
735         }
736         rc = security_genfs_sid("proc", path, tclass, sid);
737         free_page((unsigned long)buffer);
738         return rc;
739 }
740 #else
741 static int selinux_proc_get_sid(struct proc_dir_entry *de,
742                                 u16 tclass,
743                                 u32 *sid)
744 {
745         return -EINVAL;
746 }
747 #endif
748
749 /* The inode's security attributes must be initialized before first use. */
750 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
751 {
752         struct superblock_security_struct *sbsec = NULL;
753         struct inode_security_struct *isec = inode->i_security;
754         u32 sid;
755         struct dentry *dentry;
756 #define INITCONTEXTLEN 255
757         char *context = NULL;
758         unsigned len = 0;
759         int rc = 0;
760         int hold_sem = 0;
761
762         if (isec->initialized)
763                 goto out;
764
765         down(&isec->sem);
766         hold_sem = 1;
767         if (isec->initialized)
768                 goto out;
769
770         sbsec = inode->i_sb->s_security;
771         if (!sbsec->initialized) {
772                 /* Defer initialization until selinux_complete_init,
773                    after the initial policy is loaded and the security
774                    server is ready to handle calls. */
775                 spin_lock(&sbsec->isec_lock);
776                 if (list_empty(&isec->list))
777                         list_add(&isec->list, &sbsec->isec_head);
778                 spin_unlock(&sbsec->isec_lock);
779                 goto out;
780         }
781
782         switch (sbsec->behavior) {
783         case SECURITY_FS_USE_XATTR:
784                 if (!inode->i_op->getxattr) {
785                         isec->sid = sbsec->def_sid;
786                         break;
787                 }
788
789                 /* Need a dentry, since the xattr API requires one.
790                    Life would be simpler if we could just pass the inode. */
791                 if (opt_dentry) {
792                         /* Called from d_instantiate or d_splice_alias. */
793                         dentry = dget(opt_dentry);
794                 } else {
795                         /* Called from selinux_complete_init, try to find a dentry. */
796                         dentry = d_find_alias(inode);
797                 }
798                 if (!dentry) {
799                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
800                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
801                                inode->i_ino);
802                         goto out;
803                 }
804
805                 len = INITCONTEXTLEN;
806                 context = kmalloc(len, GFP_KERNEL);
807                 if (!context) {
808                         rc = -ENOMEM;
809                         dput(dentry);
810                         goto out;
811                 }
812                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
813                                            context, len);
814                 if (rc == -ERANGE) {
815                         /* Need a larger buffer.  Query for the right size. */
816                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
817                                                    NULL, 0);
818                         if (rc < 0) {
819                                 dput(dentry);
820                                 goto out;
821                         }
822                         kfree(context);
823                         len = rc;
824                         context = kmalloc(len, GFP_KERNEL);
825                         if (!context) {
826                                 rc = -ENOMEM;
827                                 dput(dentry);
828                                 goto out;
829                         }
830                         rc = inode->i_op->getxattr(dentry,
831                                                    XATTR_NAME_SELINUX,
832                                                    context, len);
833                 }
834                 dput(dentry);
835                 if (rc < 0) {
836                         if (rc != -ENODATA) {
837                                 printk(KERN_WARNING "%s:  getxattr returned "
838                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
839                                        -rc, inode->i_sb->s_id, inode->i_ino);
840                                 kfree(context);
841                                 goto out;
842                         }
843                         /* Map ENODATA to the default file SID */
844                         sid = sbsec->def_sid;
845                         rc = 0;
846                 } else {
847                         rc = security_context_to_sid_default(context, rc, &sid,
848                                                              sbsec->def_sid);
849                         if (rc) {
850                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
851                                        "returned %d for dev=%s ino=%ld\n",
852                                        __FUNCTION__, context, -rc,
853                                        inode->i_sb->s_id, inode->i_ino);
854                                 kfree(context);
855                                 /* Leave with the unlabeled SID */
856                                 rc = 0;
857                                 break;
858                         }
859                 }
860                 kfree(context);
861                 isec->sid = sid;
862                 break;
863         case SECURITY_FS_USE_TASK:
864                 isec->sid = isec->task_sid;
865                 break;
866         case SECURITY_FS_USE_TRANS:
867                 /* Default to the fs SID. */
868                 isec->sid = sbsec->sid;
869
870                 /* Try to obtain a transition SID. */
871                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
872                 rc = security_transition_sid(isec->task_sid,
873                                              sbsec->sid,
874                                              isec->sclass,
875                                              &sid);
876                 if (rc)
877                         goto out;
878                 isec->sid = sid;
879                 break;
880         default:
881                 /* Default to the fs SID. */
882                 isec->sid = sbsec->sid;
883
884                 if (sbsec->proc) {
885                         struct proc_inode *proci = PROC_I(inode);
886                         if (proci->pde) {
887                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
888                                 rc = selinux_proc_get_sid(proci->pde,
889                                                           isec->sclass,
890                                                           &sid);
891                                 if (rc)
892                                         goto out;
893                                 isec->sid = sid;
894                         }
895                 }
896                 break;
897         }
898
899         isec->initialized = 1;
900
901 out:
902         if (isec->sclass == SECCLASS_FILE)
903                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
904
905         if (hold_sem)
906                 up(&isec->sem);
907         return rc;
908 }
909
910 /* Convert a Linux signal to an access vector. */
911 static inline u32 signal_to_av(int sig)
912 {
913         u32 perm = 0;
914
915         switch (sig) {
916         case SIGCHLD:
917                 /* Commonly granted from child to parent. */
918                 perm = PROCESS__SIGCHLD;
919                 break;
920         case SIGKILL:
921                 /* Cannot be caught or ignored */
922                 perm = PROCESS__SIGKILL;
923                 break;
924         case SIGSTOP:
925                 /* Cannot be caught or ignored */
926                 perm = PROCESS__SIGSTOP;
927                 break;
928         default:
929                 /* All other signals. */
930                 perm = PROCESS__SIGNAL;
931                 break;
932         }
933
934         return perm;
935 }
936
937 /* Check permission betweeen a pair of tasks, e.g. signal checks,
938    fork check, ptrace check, etc. */
939 static int task_has_perm(struct task_struct *tsk1,
940                          struct task_struct *tsk2,
941                          u32 perms)
942 {
943         struct task_security_struct *tsec1, *tsec2;
944
945         tsec1 = tsk1->security;
946         tsec2 = tsk2->security;
947         return avc_has_perm(tsec1->sid, tsec2->sid,
948                             SECCLASS_PROCESS, perms, NULL);
949 }
950
951 /* Check whether a task is allowed to use a capability. */
952 static int task_has_capability(struct task_struct *tsk,
953                                int cap)
954 {
955         struct task_security_struct *tsec;
956         struct avc_audit_data ad;
957
958         tsec = tsk->security;
959
960         AVC_AUDIT_DATA_INIT(&ad,CAP);
961         ad.tsk = tsk;
962         ad.u.cap = cap;
963
964         return avc_has_perm(tsec->sid, tsec->sid,
965                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
966 }
967
968 /* Check whether a task is allowed to use a system operation. */
969 static int task_has_system(struct task_struct *tsk,
970                            u32 perms)
971 {
972         struct task_security_struct *tsec;
973
974         tsec = tsk->security;
975
976         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
977                             SECCLASS_SYSTEM, perms, NULL);
978 }
979
980 /* Check whether a task has a particular permission to an inode.
981    The 'adp' parameter is optional and allows other audit
982    data to be passed (e.g. the dentry). */
983 static int inode_has_perm(struct task_struct *tsk,
984                           struct inode *inode,
985                           u32 perms,
986                           struct avc_audit_data *adp)
987 {
988         struct task_security_struct *tsec;
989         struct inode_security_struct *isec;
990         struct avc_audit_data ad;
991
992         tsec = tsk->security;
993         isec = inode->i_security;
994
995         if (!adp) {
996                 adp = &ad;
997                 AVC_AUDIT_DATA_INIT(&ad, FS);
998                 ad.u.fs.inode = inode;
999         }
1000
1001         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1002 }
1003
1004 /* Same as inode_has_perm, but pass explicit audit data containing
1005    the dentry to help the auditing code to more easily generate the
1006    pathname if needed. */
1007 static inline int dentry_has_perm(struct task_struct *tsk,
1008                                   struct vfsmount *mnt,
1009                                   struct dentry *dentry,
1010                                   u32 av)
1011 {
1012         struct inode *inode = dentry->d_inode;
1013         struct avc_audit_data ad;
1014         AVC_AUDIT_DATA_INIT(&ad,FS);
1015         ad.u.fs.mnt = mnt;
1016         ad.u.fs.dentry = dentry;
1017         return inode_has_perm(tsk, inode, av, &ad);
1018 }
1019
1020 /* Check whether a task can use an open file descriptor to
1021    access an inode in a given way.  Check access to the
1022    descriptor itself, and then use dentry_has_perm to
1023    check a particular permission to the file.
1024    Access to the descriptor is implicitly granted if it
1025    has the same SID as the process.  If av is zero, then
1026    access to the file is not checked, e.g. for cases
1027    where only the descriptor is affected like seek. */
1028 static int file_has_perm(struct task_struct *tsk,
1029                                 struct file *file,
1030                                 u32 av)
1031 {
1032         struct task_security_struct *tsec = tsk->security;
1033         struct file_security_struct *fsec = file->f_security;
1034         struct vfsmount *mnt = file->f_vfsmnt;
1035         struct dentry *dentry = file->f_dentry;
1036         struct inode *inode = dentry->d_inode;
1037         struct avc_audit_data ad;
1038         int rc;
1039
1040         AVC_AUDIT_DATA_INIT(&ad, FS);
1041         ad.u.fs.mnt = mnt;
1042         ad.u.fs.dentry = dentry;
1043
1044         if (tsec->sid != fsec->sid) {
1045                 rc = avc_has_perm(tsec->sid, fsec->sid,
1046                                   SECCLASS_FD,
1047                                   FD__USE,
1048                                   &ad);
1049                 if (rc)
1050                         return rc;
1051         }
1052
1053         /* av is zero if only checking access to the descriptor. */
1054         if (av)
1055                 return inode_has_perm(tsk, inode, av, &ad);
1056
1057         return 0;
1058 }
1059
1060 /* Check whether a task can create a file. */
1061 static int may_create(struct inode *dir,
1062                       struct dentry *dentry,
1063                       u16 tclass)
1064 {
1065         struct task_security_struct *tsec;
1066         struct inode_security_struct *dsec;
1067         struct superblock_security_struct *sbsec;
1068         u32 newsid;
1069         struct avc_audit_data ad;
1070         int rc;
1071
1072         tsec = current->security;
1073         dsec = dir->i_security;
1074         sbsec = dir->i_sb->s_security;
1075
1076         AVC_AUDIT_DATA_INIT(&ad, FS);
1077         ad.u.fs.dentry = dentry;
1078
1079         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1080                           DIR__ADD_NAME | DIR__SEARCH,
1081                           &ad);
1082         if (rc)
1083                 return rc;
1084
1085         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1086                 newsid = tsec->create_sid;
1087         } else {
1088                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1089                                              &newsid);
1090                 if (rc)
1091                         return rc;
1092         }
1093
1094         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1095         if (rc)
1096                 return rc;
1097
1098         return avc_has_perm(newsid, sbsec->sid,
1099                             SECCLASS_FILESYSTEM,
1100                             FILESYSTEM__ASSOCIATE, &ad);
1101 }
1102
1103 /* Check whether a task can create a key. */
1104 static int may_create_key(u32 ksid,
1105                           struct task_struct *ctx)
1106 {
1107         struct task_security_struct *tsec;
1108
1109         tsec = ctx->security;
1110
1111         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1112 }
1113
1114 #define MAY_LINK   0
1115 #define MAY_UNLINK 1
1116 #define MAY_RMDIR  2
1117
1118 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1119 static int may_link(struct inode *dir,
1120                     struct dentry *dentry,
1121                     int kind)
1122
1123 {
1124         struct task_security_struct *tsec;
1125         struct inode_security_struct *dsec, *isec;
1126         struct avc_audit_data ad;
1127         u32 av;
1128         int rc;
1129
1130         tsec = current->security;
1131         dsec = dir->i_security;
1132         isec = dentry->d_inode->i_security;
1133
1134         AVC_AUDIT_DATA_INIT(&ad, FS);
1135         ad.u.fs.dentry = dentry;
1136
1137         av = DIR__SEARCH;
1138         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1139         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1140         if (rc)
1141                 return rc;
1142
1143         switch (kind) {
1144         case MAY_LINK:
1145                 av = FILE__LINK;
1146                 break;
1147         case MAY_UNLINK:
1148                 av = FILE__UNLINK;
1149                 break;
1150         case MAY_RMDIR:
1151                 av = DIR__RMDIR;
1152                 break;
1153         default:
1154                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1155                 return 0;
1156         }
1157
1158         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1159         return rc;
1160 }
1161
1162 static inline int may_rename(struct inode *old_dir,
1163                              struct dentry *old_dentry,
1164                              struct inode *new_dir,
1165                              struct dentry *new_dentry)
1166 {
1167         struct task_security_struct *tsec;
1168         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1169         struct avc_audit_data ad;
1170         u32 av;
1171         int old_is_dir, new_is_dir;
1172         int rc;
1173
1174         tsec = current->security;
1175         old_dsec = old_dir->i_security;
1176         old_isec = old_dentry->d_inode->i_security;
1177         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1178         new_dsec = new_dir->i_security;
1179
1180         AVC_AUDIT_DATA_INIT(&ad, FS);
1181
1182         ad.u.fs.dentry = old_dentry;
1183         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1184                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1185         if (rc)
1186                 return rc;
1187         rc = avc_has_perm(tsec->sid, old_isec->sid,
1188                           old_isec->sclass, FILE__RENAME, &ad);
1189         if (rc)
1190                 return rc;
1191         if (old_is_dir && new_dir != old_dir) {
1192                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1193                                   old_isec->sclass, DIR__REPARENT, &ad);
1194                 if (rc)
1195                         return rc;
1196         }
1197
1198         ad.u.fs.dentry = new_dentry;
1199         av = DIR__ADD_NAME | DIR__SEARCH;
1200         if (new_dentry->d_inode)
1201                 av |= DIR__REMOVE_NAME;
1202         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1203         if (rc)
1204                 return rc;
1205         if (new_dentry->d_inode) {
1206                 new_isec = new_dentry->d_inode->i_security;
1207                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1208                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1209                                   new_isec->sclass,
1210                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1211                 if (rc)
1212                         return rc;
1213         }
1214
1215         return 0;
1216 }
1217
1218 /* Check whether a task can perform a filesystem operation. */
1219 static int superblock_has_perm(struct task_struct *tsk,
1220                                struct super_block *sb,
1221                                u32 perms,
1222                                struct avc_audit_data *ad)
1223 {
1224         struct task_security_struct *tsec;
1225         struct superblock_security_struct *sbsec;
1226
1227         tsec = tsk->security;
1228         sbsec = sb->s_security;
1229         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1230                             perms, ad);
1231 }
1232
1233 /* Convert a Linux mode and permission mask to an access vector. */
1234 static inline u32 file_mask_to_av(int mode, int mask)
1235 {
1236         u32 av = 0;
1237
1238         if ((mode & S_IFMT) != S_IFDIR) {
1239                 if (mask & MAY_EXEC)
1240                         av |= FILE__EXECUTE;
1241                 if (mask & MAY_READ)
1242                         av |= FILE__READ;
1243
1244                 if (mask & MAY_APPEND)
1245                         av |= FILE__APPEND;
1246                 else if (mask & MAY_WRITE)
1247                         av |= FILE__WRITE;
1248
1249         } else {
1250                 if (mask & MAY_EXEC)
1251                         av |= DIR__SEARCH;
1252                 if (mask & MAY_WRITE)
1253                         av |= DIR__WRITE;
1254                 if (mask & MAY_READ)
1255                         av |= DIR__READ;
1256         }
1257
1258         return av;
1259 }
1260
1261 /* Convert a Linux file to an access vector. */
1262 static inline u32 file_to_av(struct file *file)
1263 {
1264         u32 av = 0;
1265
1266         if (file->f_mode & FMODE_READ)
1267                 av |= FILE__READ;
1268         if (file->f_mode & FMODE_WRITE) {
1269                 if (file->f_flags & O_APPEND)
1270                         av |= FILE__APPEND;
1271                 else
1272                         av |= FILE__WRITE;
1273         }
1274
1275         return av;
1276 }
1277
1278 /* Set an inode's SID to a specified value. */
1279 static int inode_security_set_sid(struct inode *inode, u32 sid)
1280 {
1281         struct inode_security_struct *isec = inode->i_security;
1282         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1283
1284         if (!sbsec->initialized) {
1285                 /* Defer initialization to selinux_complete_init. */
1286                 return 0;
1287         }
1288
1289         down(&isec->sem);
1290         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1291         isec->sid = sid;
1292         isec->initialized = 1;
1293         up(&isec->sem);
1294         return 0;
1295 }
1296
1297 /* Hook functions begin here. */
1298
1299 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1300 {
1301         struct task_security_struct *psec = parent->security;
1302         struct task_security_struct *csec = child->security;
1303         int rc;
1304
1305         rc = secondary_ops->ptrace(parent,child);
1306         if (rc)
1307                 return rc;
1308
1309         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1310         /* Save the SID of the tracing process for later use in apply_creds. */
1311         if (!(child->ptrace & PT_PTRACED) && !rc)
1312                 csec->ptrace_sid = psec->sid;
1313         return rc;
1314 }
1315
1316 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1317                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1318 {
1319         int error;
1320
1321         error = task_has_perm(current, target, PROCESS__GETCAP);
1322         if (error)
1323                 return error;
1324
1325         return secondary_ops->capget(target, effective, inheritable, permitted);
1326 }
1327
1328 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1329                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1330 {
1331         int error;
1332
1333         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1334         if (error)
1335                 return error;
1336
1337         return task_has_perm(current, target, PROCESS__SETCAP);
1338 }
1339
1340 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1341                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1342 {
1343         secondary_ops->capset_set(target, effective, inheritable, permitted);
1344 }
1345
1346 static int selinux_capable(struct task_struct *tsk, int cap)
1347 {
1348         int rc;
1349
1350         rc = secondary_ops->capable(tsk, cap);
1351         if (rc)
1352                 return rc;
1353
1354         return task_has_capability(tsk,cap);
1355 }
1356
1357 static int selinux_sysctl(ctl_table *table, int op)
1358 {
1359         int error = 0;
1360         u32 av;
1361         struct task_security_struct *tsec;
1362         u32 tsid;
1363         int rc;
1364
1365         rc = secondary_ops->sysctl(table, op);
1366         if (rc)
1367                 return rc;
1368
1369         tsec = current->security;
1370
1371         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1372                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1373         if (rc) {
1374                 /* Default to the well-defined sysctl SID. */
1375                 tsid = SECINITSID_SYSCTL;
1376         }
1377
1378         /* The op values are "defined" in sysctl.c, thereby creating
1379          * a bad coupling between this module and sysctl.c */
1380         if(op == 001) {
1381                 error = avc_has_perm(tsec->sid, tsid,
1382                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1383         } else {
1384                 av = 0;
1385                 if (op & 004)
1386                         av |= FILE__READ;
1387                 if (op & 002)
1388                         av |= FILE__WRITE;
1389                 if (av)
1390                         error = avc_has_perm(tsec->sid, tsid,
1391                                              SECCLASS_FILE, av, NULL);
1392         }
1393
1394         return error;
1395 }
1396
1397 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1398 {
1399         int rc = 0;
1400
1401         if (!sb)
1402                 return 0;
1403
1404         switch (cmds) {
1405                 case Q_SYNC:
1406                 case Q_QUOTAON:
1407                 case Q_QUOTAOFF:
1408                 case Q_SETINFO:
1409                 case Q_SETQUOTA:
1410                         rc = superblock_has_perm(current,
1411                                                  sb,
1412                                                  FILESYSTEM__QUOTAMOD, NULL);
1413                         break;
1414                 case Q_GETFMT:
1415                 case Q_GETINFO:
1416                 case Q_GETQUOTA:
1417                         rc = superblock_has_perm(current,
1418                                                  sb,
1419                                                  FILESYSTEM__QUOTAGET, NULL);
1420                         break;
1421                 default:
1422                         rc = 0;  /* let the kernel handle invalid cmds */
1423                         break;
1424         }
1425         return rc;
1426 }
1427
1428 static int selinux_quota_on(struct dentry *dentry)
1429 {
1430         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1431 }
1432
1433 static int selinux_syslog(int type)
1434 {
1435         int rc;
1436
1437         rc = secondary_ops->syslog(type);
1438         if (rc)
1439                 return rc;
1440
1441         switch (type) {
1442                 case 3:         /* Read last kernel messages */
1443                 case 10:        /* Return size of the log buffer */
1444                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1445                         break;
1446                 case 6:         /* Disable logging to console */
1447                 case 7:         /* Enable logging to console */
1448                 case 8:         /* Set level of messages printed to console */
1449                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1450                         break;
1451                 case 0:         /* Close log */
1452                 case 1:         /* Open log */
1453                 case 2:         /* Read from log */
1454                 case 4:         /* Read/clear last kernel messages */
1455                 case 5:         /* Clear ring buffer */
1456                 default:
1457                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1458                         break;
1459         }
1460         return rc;
1461 }
1462
1463 /*
1464  * Check that a process has enough memory to allocate a new virtual
1465  * mapping. 0 means there is enough memory for the allocation to
1466  * succeed and -ENOMEM implies there is not.
1467  *
1468  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1469  * if the capability is granted, but __vm_enough_memory requires 1 if
1470  * the capability is granted.
1471  *
1472  * Do not audit the selinux permission check, as this is applied to all
1473  * processes that allocate mappings.
1474  */
1475 static int selinux_vm_enough_memory(long pages)
1476 {
1477         int rc, cap_sys_admin = 0;
1478         struct task_security_struct *tsec = current->security;
1479
1480         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1481         if (rc == 0)
1482                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1483                                         SECCLASS_CAPABILITY,
1484                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1485                                         NULL);
1486
1487         if (rc == 0)
1488                 cap_sys_admin = 1;
1489
1490         return __vm_enough_memory(pages, cap_sys_admin);
1491 }
1492
1493 /* binprm security operations */
1494
1495 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1496 {
1497         struct bprm_security_struct *bsec;
1498
1499         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1500         if (!bsec)
1501                 return -ENOMEM;
1502
1503         bsec->bprm = bprm;
1504         bsec->sid = SECINITSID_UNLABELED;
1505         bsec->set = 0;
1506
1507         bprm->security = bsec;
1508         return 0;
1509 }
1510
1511 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1512 {
1513         struct task_security_struct *tsec;
1514         struct inode *inode = bprm->file->f_dentry->d_inode;
1515         struct inode_security_struct *isec;
1516         struct bprm_security_struct *bsec;
1517         u32 newsid;
1518         struct avc_audit_data ad;
1519         int rc;
1520
1521         rc = secondary_ops->bprm_set_security(bprm);
1522         if (rc)
1523                 return rc;
1524
1525         bsec = bprm->security;
1526
1527         if (bsec->set)
1528                 return 0;
1529
1530         tsec = current->security;
1531         isec = inode->i_security;
1532
1533         /* Default to the current task SID. */
1534         bsec->sid = tsec->sid;
1535
1536         /* Reset fs, key, and sock SIDs on execve. */
1537         tsec->create_sid = 0;
1538         tsec->keycreate_sid = 0;
1539         tsec->sockcreate_sid = 0;
1540
1541         if (tsec->exec_sid) {
1542                 newsid = tsec->exec_sid;
1543                 /* Reset exec SID on execve. */
1544                 tsec->exec_sid = 0;
1545         } else {
1546                 /* Check for a default transition on this program. */
1547                 rc = security_transition_sid(tsec->sid, isec->sid,
1548                                              SECCLASS_PROCESS, &newsid);
1549                 if (rc)
1550                         return rc;
1551         }
1552
1553         AVC_AUDIT_DATA_INIT(&ad, FS);
1554         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1555         ad.u.fs.dentry = bprm->file->f_dentry;
1556
1557         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1558                 newsid = tsec->sid;
1559
1560         if (tsec->sid == newsid) {
1561                 rc = avc_has_perm(tsec->sid, isec->sid,
1562                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1563                 if (rc)
1564                         return rc;
1565         } else {
1566                 /* Check permissions for the transition. */
1567                 rc = avc_has_perm(tsec->sid, newsid,
1568                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1569                 if (rc)
1570                         return rc;
1571
1572                 rc = avc_has_perm(newsid, isec->sid,
1573                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1574                 if (rc)
1575                         return rc;
1576
1577                 /* Clear any possibly unsafe personality bits on exec: */
1578                 current->personality &= ~PER_CLEAR_ON_SETID;
1579
1580                 /* Set the security field to the new SID. */
1581                 bsec->sid = newsid;
1582         }
1583
1584         bsec->set = 1;
1585         return 0;
1586 }
1587
1588 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1589 {
1590         return secondary_ops->bprm_check_security(bprm);
1591 }
1592
1593
1594 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1595 {
1596         struct task_security_struct *tsec = current->security;
1597         int atsecure = 0;
1598
1599         if (tsec->osid != tsec->sid) {
1600                 /* Enable secure mode for SIDs transitions unless
1601                    the noatsecure permission is granted between
1602                    the two SIDs, i.e. ahp returns 0. */
1603                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1604                                          SECCLASS_PROCESS,
1605                                          PROCESS__NOATSECURE, NULL);
1606         }
1607
1608         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1609 }
1610
1611 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1612 {
1613         kfree(bprm->security);
1614         bprm->security = NULL;
1615 }
1616
1617 extern struct vfsmount *selinuxfs_mount;
1618 extern struct dentry *selinux_null;
1619
1620 /* Derived from fs/exec.c:flush_old_files. */
1621 static inline void flush_unauthorized_files(struct files_struct * files)
1622 {
1623         struct avc_audit_data ad;
1624         struct file *file, *devnull = NULL;
1625         struct tty_struct *tty = current->signal->tty;
1626         struct fdtable *fdt;
1627         long j = -1;
1628
1629         if (tty) {
1630                 file_list_lock();
1631                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1632                 if (file) {
1633                         /* Revalidate access to controlling tty.
1634                            Use inode_has_perm on the tty inode directly rather
1635                            than using file_has_perm, as this particular open
1636                            file may belong to another process and we are only
1637                            interested in the inode-based check here. */
1638                         struct inode *inode = file->f_dentry->d_inode;
1639                         if (inode_has_perm(current, inode,
1640                                            FILE__READ | FILE__WRITE, NULL)) {
1641                                 /* Reset controlling tty. */
1642                                 current->signal->tty = NULL;
1643                                 current->signal->tty_old_pgrp = 0;
1644                         }
1645                 }
1646                 file_list_unlock();
1647         }
1648
1649         /* Revalidate access to inherited open files. */
1650
1651         AVC_AUDIT_DATA_INIT(&ad,FS);
1652
1653         spin_lock(&files->file_lock);
1654         for (;;) {
1655                 unsigned long set, i;
1656                 int fd;
1657
1658                 j++;
1659                 i = j * __NFDBITS;
1660                 fdt = files_fdtable(files);
1661                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1662                         break;
1663                 set = fdt->open_fds->fds_bits[j];
1664                 if (!set)
1665                         continue;
1666                 spin_unlock(&files->file_lock);
1667                 for ( ; set ; i++,set >>= 1) {
1668                         if (set & 1) {
1669                                 file = fget(i);
1670                                 if (!file)
1671                                         continue;
1672                                 if (file_has_perm(current,
1673                                                   file,
1674                                                   file_to_av(file))) {
1675                                         sys_close(i);
1676                                         fd = get_unused_fd();
1677                                         if (fd != i) {
1678                                                 if (fd >= 0)
1679                                                         put_unused_fd(fd);
1680                                                 fput(file);
1681                                                 continue;
1682                                         }
1683                                         if (devnull) {
1684                                                 get_file(devnull);
1685                                         } else {
1686                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1687                                                 if (!devnull) {
1688                                                         put_unused_fd(fd);
1689                                                         fput(file);
1690                                                         continue;
1691                                                 }
1692                                         }
1693                                         fd_install(fd, devnull);
1694                                 }
1695                                 fput(file);
1696                         }
1697                 }
1698                 spin_lock(&files->file_lock);
1699
1700         }
1701         spin_unlock(&files->file_lock);
1702 }
1703
1704 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1705 {
1706         struct task_security_struct *tsec;
1707         struct bprm_security_struct *bsec;
1708         u32 sid;
1709         int rc;
1710
1711         secondary_ops->bprm_apply_creds(bprm, unsafe);
1712
1713         tsec = current->security;
1714
1715         bsec = bprm->security;
1716         sid = bsec->sid;
1717
1718         tsec->osid = tsec->sid;
1719         bsec->unsafe = 0;
1720         if (tsec->sid != sid) {
1721                 /* Check for shared state.  If not ok, leave SID
1722                    unchanged and kill. */
1723                 if (unsafe & LSM_UNSAFE_SHARE) {
1724                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1725                                         PROCESS__SHARE, NULL);
1726                         if (rc) {
1727                                 bsec->unsafe = 1;
1728                                 return;
1729                         }
1730                 }
1731
1732                 /* Check for ptracing, and update the task SID if ok.
1733                    Otherwise, leave SID unchanged and kill. */
1734                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1735                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1736                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1737                                           NULL);
1738                         if (rc) {
1739                                 bsec->unsafe = 1;
1740                                 return;
1741                         }
1742                 }
1743                 tsec->sid = sid;
1744         }
1745 }
1746
1747 /*
1748  * called after apply_creds without the task lock held
1749  */
1750 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1751 {
1752         struct task_security_struct *tsec;
1753         struct rlimit *rlim, *initrlim;
1754         struct itimerval itimer;
1755         struct bprm_security_struct *bsec;
1756         int rc, i;
1757
1758         tsec = current->security;
1759         bsec = bprm->security;
1760
1761         if (bsec->unsafe) {
1762                 force_sig_specific(SIGKILL, current);
1763                 return;
1764         }
1765         if (tsec->osid == tsec->sid)
1766                 return;
1767
1768         /* Close files for which the new task SID is not authorized. */
1769         flush_unauthorized_files(current->files);
1770
1771         /* Check whether the new SID can inherit signal state
1772            from the old SID.  If not, clear itimers to avoid
1773            subsequent signal generation and flush and unblock
1774            signals. This must occur _after_ the task SID has
1775           been updated so that any kill done after the flush
1776           will be checked against the new SID. */
1777         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1778                           PROCESS__SIGINH, NULL);
1779         if (rc) {
1780                 memset(&itimer, 0, sizeof itimer);
1781                 for (i = 0; i < 3; i++)
1782                         do_setitimer(i, &itimer, NULL);
1783                 flush_signals(current);
1784                 spin_lock_irq(&current->sighand->siglock);
1785                 flush_signal_handlers(current, 1);
1786                 sigemptyset(&current->blocked);
1787                 recalc_sigpending();
1788                 spin_unlock_irq(&current->sighand->siglock);
1789         }
1790
1791         /* Check whether the new SID can inherit resource limits
1792            from the old SID.  If not, reset all soft limits to
1793            the lower of the current task's hard limit and the init
1794            task's soft limit.  Note that the setting of hard limits
1795            (even to lower them) can be controlled by the setrlimit
1796            check. The inclusion of the init task's soft limit into
1797            the computation is to avoid resetting soft limits higher
1798            than the default soft limit for cases where the default
1799            is lower than the hard limit, e.g. RLIMIT_CORE or
1800            RLIMIT_STACK.*/
1801         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1802                           PROCESS__RLIMITINH, NULL);
1803         if (rc) {
1804                 for (i = 0; i < RLIM_NLIMITS; i++) {
1805                         rlim = current->signal->rlim + i;
1806                         initrlim = init_task.signal->rlim+i;
1807                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1808                 }
1809                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1810                         /*
1811                          * This will cause RLIMIT_CPU calculations
1812                          * to be refigured.
1813                          */
1814                         current->it_prof_expires = jiffies_to_cputime(1);
1815                 }
1816         }
1817
1818         /* Wake up the parent if it is waiting so that it can
1819            recheck wait permission to the new task SID. */
1820         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1821 }
1822
1823 /* superblock security operations */
1824
1825 static int selinux_sb_alloc_security(struct super_block *sb)
1826 {
1827         return superblock_alloc_security(sb);
1828 }
1829
1830 static void selinux_sb_free_security(struct super_block *sb)
1831 {
1832         superblock_free_security(sb);
1833 }
1834
1835 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1836 {
1837         if (plen > olen)
1838                 return 0;
1839
1840         return !memcmp(prefix, option, plen);
1841 }
1842
1843 static inline int selinux_option(char *option, int len)
1844 {
1845         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1846                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1847                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1848 }
1849
1850 static inline void take_option(char **to, char *from, int *first, int len)
1851 {
1852         if (!*first) {
1853                 **to = ',';
1854                 *to += 1;
1855         }
1856         else
1857                 *first = 0;
1858         memcpy(*to, from, len);
1859         *to += len;
1860 }
1861
1862 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1863 {
1864         int fnosec, fsec, rc = 0;
1865         char *in_save, *in_curr, *in_end;
1866         char *sec_curr, *nosec_save, *nosec;
1867
1868         in_curr = orig;
1869         sec_curr = copy;
1870
1871         /* Binary mount data: just copy */
1872         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1873                 copy_page(sec_curr, in_curr);
1874                 goto out;
1875         }
1876
1877         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1878         if (!nosec) {
1879                 rc = -ENOMEM;
1880                 goto out;
1881         }
1882
1883         nosec_save = nosec;
1884         fnosec = fsec = 1;
1885         in_save = in_end = orig;
1886
1887         do {
1888                 if (*in_end == ',' || *in_end == '\0') {
1889                         int len = in_end - in_curr;
1890
1891                         if (selinux_option(in_curr, len))
1892                                 take_option(&sec_curr, in_curr, &fsec, len);
1893                         else
1894                                 take_option(&nosec, in_curr, &fnosec, len);
1895
1896                         in_curr = in_end + 1;
1897                 }
1898         } while (*in_end++);
1899
1900         strcpy(in_save, nosec_save);
1901         free_page((unsigned long)nosec_save);
1902 out:
1903         return rc;
1904 }
1905
1906 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1907 {
1908         struct avc_audit_data ad;
1909         int rc;
1910
1911         rc = superblock_doinit(sb, data);
1912         if (rc)
1913                 return rc;
1914
1915         AVC_AUDIT_DATA_INIT(&ad,FS);
1916         ad.u.fs.dentry = sb->s_root;
1917         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1918 }
1919
1920 static int selinux_sb_statfs(struct dentry *dentry)
1921 {
1922         struct avc_audit_data ad;
1923
1924         AVC_AUDIT_DATA_INIT(&ad,FS);
1925         ad.u.fs.dentry = dentry->d_sb->s_root;
1926         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1927 }
1928
1929 static int selinux_mount(char * dev_name,
1930                          struct nameidata *nd,
1931                          char * type,
1932                          unsigned long flags,
1933                          void * data)
1934 {
1935         int rc;
1936
1937         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1938         if (rc)
1939                 return rc;
1940
1941         if (flags & MS_REMOUNT)
1942                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1943                                            FILESYSTEM__REMOUNT, NULL);
1944         else
1945                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1946                                        FILE__MOUNTON);
1947 }
1948
1949 static int selinux_umount(struct vfsmount *mnt, int flags)
1950 {
1951         int rc;
1952
1953         rc = secondary_ops->sb_umount(mnt, flags);
1954         if (rc)
1955                 return rc;
1956
1957         return superblock_has_perm(current,mnt->mnt_sb,
1958                                    FILESYSTEM__UNMOUNT,NULL);
1959 }
1960
1961 /* inode security operations */
1962
1963 static int selinux_inode_alloc_security(struct inode *inode)
1964 {
1965         return inode_alloc_security(inode);
1966 }
1967
1968 static void selinux_inode_free_security(struct inode *inode)
1969 {
1970         inode_free_security(inode);
1971 }
1972
1973 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1974                                        char **name, void **value,
1975                                        size_t *len)
1976 {
1977         struct task_security_struct *tsec;
1978         struct inode_security_struct *dsec;
1979         struct superblock_security_struct *sbsec;
1980         u32 newsid, clen;
1981         int rc;
1982         char *namep = NULL, *context;
1983
1984         tsec = current->security;
1985         dsec = dir->i_security;
1986         sbsec = dir->i_sb->s_security;
1987
1988         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1989                 newsid = tsec->create_sid;
1990         } else {
1991                 rc = security_transition_sid(tsec->sid, dsec->sid,
1992                                              inode_mode_to_security_class(inode->i_mode),
1993                                              &newsid);
1994                 if (rc) {
1995                         printk(KERN_WARNING "%s:  "
1996                                "security_transition_sid failed, rc=%d (dev=%s "
1997                                "ino=%ld)\n",
1998                                __FUNCTION__,
1999                                -rc, inode->i_sb->s_id, inode->i_ino);
2000                         return rc;
2001                 }
2002         }
2003
2004         inode_security_set_sid(inode, newsid);
2005
2006         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2007                 return -EOPNOTSUPP;
2008
2009         if (name) {
2010                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2011                 if (!namep)
2012                         return -ENOMEM;
2013                 *name = namep;
2014         }
2015
2016         if (value && len) {
2017                 rc = security_sid_to_context(newsid, &context, &clen);
2018                 if (rc) {
2019                         kfree(namep);
2020                         return rc;
2021                 }
2022                 *value = context;
2023                 *len = clen;
2024         }
2025
2026         return 0;
2027 }
2028
2029 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2030 {
2031         return may_create(dir, dentry, SECCLASS_FILE);
2032 }
2033
2034 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2035 {
2036         int rc;
2037
2038         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2039         if (rc)
2040                 return rc;
2041         return may_link(dir, old_dentry, MAY_LINK);
2042 }
2043
2044 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2045 {
2046         int rc;
2047
2048         rc = secondary_ops->inode_unlink(dir, dentry);
2049         if (rc)
2050                 return rc;
2051         return may_link(dir, dentry, MAY_UNLINK);
2052 }
2053
2054 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2055 {
2056         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2057 }
2058
2059 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2060 {
2061         return may_create(dir, dentry, SECCLASS_DIR);
2062 }
2063
2064 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2065 {
2066         return may_link(dir, dentry, MAY_RMDIR);
2067 }
2068
2069 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2070 {
2071         int rc;
2072
2073         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2074         if (rc)
2075                 return rc;
2076
2077         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2078 }
2079
2080 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2081                                 struct inode *new_inode, struct dentry *new_dentry)
2082 {
2083         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2084 }
2085
2086 static int selinux_inode_readlink(struct dentry *dentry)
2087 {
2088         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2089 }
2090
2091 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2092 {
2093         int rc;
2094
2095         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2096         if (rc)
2097                 return rc;
2098         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2099 }
2100
2101 static int selinux_inode_permission(struct inode *inode, int mask,
2102                                     struct nameidata *nd)
2103 {
2104         int rc;
2105
2106         rc = secondary_ops->inode_permission(inode, mask, nd);
2107         if (rc)
2108                 return rc;
2109
2110         if (!mask) {
2111                 /* No permission to check.  Existence test. */
2112                 return 0;
2113         }
2114
2115         return inode_has_perm(current, inode,
2116                                file_mask_to_av(inode->i_mode, mask), NULL);
2117 }
2118
2119 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2120 {
2121         int rc;
2122
2123         rc = secondary_ops->inode_setattr(dentry, iattr);
2124         if (rc)
2125                 return rc;
2126
2127         if (iattr->ia_valid & ATTR_FORCE)
2128                 return 0;
2129
2130         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2131                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2132                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2133
2134         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2135 }
2136
2137 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2138 {
2139         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2140 }
2141
2142 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2143 {
2144         struct task_security_struct *tsec = current->security;
2145         struct inode *inode = dentry->d_inode;
2146         struct inode_security_struct *isec = inode->i_security;
2147         struct superblock_security_struct *sbsec;
2148         struct avc_audit_data ad;
2149         u32 newsid;
2150         int rc = 0;
2151
2152         if (strcmp(name, XATTR_NAME_SELINUX)) {
2153                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2154                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2155                     !capable(CAP_SYS_ADMIN)) {
2156                         /* A different attribute in the security namespace.
2157                            Restrict to administrator. */
2158                         return -EPERM;
2159                 }
2160
2161                 /* Not an attribute we recognize, so just check the
2162                    ordinary setattr permission. */
2163                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2164         }
2165
2166         sbsec = inode->i_sb->s_security;
2167         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2168                 return -EOPNOTSUPP;
2169
2170         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2171                 return -EPERM;
2172
2173         AVC_AUDIT_DATA_INIT(&ad,FS);
2174         ad.u.fs.dentry = dentry;
2175
2176         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2177                           FILE__RELABELFROM, &ad);
2178         if (rc)
2179                 return rc;
2180
2181         rc = security_context_to_sid(value, size, &newsid);
2182         if (rc)
2183                 return rc;
2184
2185         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2186                           FILE__RELABELTO, &ad);
2187         if (rc)
2188                 return rc;
2189
2190         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2191                                           isec->sclass);
2192         if (rc)
2193                 return rc;
2194
2195         return avc_has_perm(newsid,
2196                             sbsec->sid,
2197                             SECCLASS_FILESYSTEM,
2198                             FILESYSTEM__ASSOCIATE,
2199                             &ad);
2200 }
2201
2202 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2203                                         void *value, size_t size, int flags)
2204 {
2205         struct inode *inode = dentry->d_inode;
2206         struct inode_security_struct *isec = inode->i_security;
2207         u32 newsid;
2208         int rc;
2209
2210         if (strcmp(name, XATTR_NAME_SELINUX)) {
2211                 /* Not an attribute we recognize, so nothing to do. */
2212                 return;
2213         }
2214
2215         rc = security_context_to_sid(value, size, &newsid);
2216         if (rc) {
2217                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2218                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2219                 return;
2220         }
2221
2222         isec->sid = newsid;
2223         return;
2224 }
2225
2226 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2227 {
2228         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2229 }
2230
2231 static int selinux_inode_listxattr (struct dentry *dentry)
2232 {
2233         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2234 }
2235
2236 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2237 {
2238         if (strcmp(name, XATTR_NAME_SELINUX)) {
2239                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2240                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2241                     !capable(CAP_SYS_ADMIN)) {
2242                         /* A different attribute in the security namespace.
2243                            Restrict to administrator. */
2244                         return -EPERM;
2245                 }
2246
2247                 /* Not an attribute we recognize, so just check the
2248                    ordinary setattr permission. Might want a separate
2249                    permission for removexattr. */
2250                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2251         }
2252
2253         /* No one is allowed to remove a SELinux security label.
2254            You can change the label, but all data must be labeled. */
2255         return -EACCES;
2256 }
2257
2258 static const char *selinux_inode_xattr_getsuffix(void)
2259 {
2260       return XATTR_SELINUX_SUFFIX;
2261 }
2262
2263 /*
2264  * Copy the in-core inode security context value to the user.  If the
2265  * getxattr() prior to this succeeded, check to see if we need to
2266  * canonicalize the value to be finally returned to the user.
2267  *
2268  * Permission check is handled by selinux_inode_getxattr hook.
2269  */
2270 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2271 {
2272         struct inode_security_struct *isec = inode->i_security;
2273
2274         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2275                 return -EOPNOTSUPP;
2276
2277         return selinux_getsecurity(isec->sid, buffer, size);
2278 }
2279
2280 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2281                                      const void *value, size_t size, int flags)
2282 {
2283         struct inode_security_struct *isec = inode->i_security;
2284         u32 newsid;
2285         int rc;
2286
2287         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2288                 return -EOPNOTSUPP;
2289
2290         if (!value || !size)
2291                 return -EACCES;
2292
2293         rc = security_context_to_sid((void*)value, size, &newsid);
2294         if (rc)
2295                 return rc;
2296
2297         isec->sid = newsid;
2298         return 0;
2299 }
2300
2301 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2302 {
2303         const int len = sizeof(XATTR_NAME_SELINUX);
2304         if (buffer && len <= buffer_size)
2305                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2306         return len;
2307 }
2308
2309 /* file security operations */
2310
2311 static int selinux_file_permission(struct file *file, int mask)
2312 {
2313         struct inode *inode = file->f_dentry->d_inode;
2314
2315         if (!mask) {
2316                 /* No permission to check.  Existence test. */
2317                 return 0;
2318         }
2319
2320         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2321         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2322                 mask |= MAY_APPEND;
2323
2324         return file_has_perm(current, file,
2325                              file_mask_to_av(inode->i_mode, mask));
2326 }
2327
2328 static int selinux_file_alloc_security(struct file *file)
2329 {
2330         return file_alloc_security(file);
2331 }
2332
2333 static void selinux_file_free_security(struct file *file)
2334 {
2335         file_free_security(file);
2336 }
2337
2338 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2339                               unsigned long arg)
2340 {
2341         int error = 0;
2342
2343         switch (cmd) {
2344                 case FIONREAD:
2345                 /* fall through */
2346                 case FIBMAP:
2347                 /* fall through */
2348                 case FIGETBSZ:
2349                 /* fall through */
2350                 case EXT2_IOC_GETFLAGS:
2351                 /* fall through */
2352                 case EXT2_IOC_GETVERSION:
2353                         error = file_has_perm(current, file, FILE__GETATTR);
2354                         break;
2355
2356                 case EXT2_IOC_SETFLAGS:
2357                 /* fall through */
2358                 case EXT2_IOC_SETVERSION:
2359                         error = file_has_perm(current, file, FILE__SETATTR);
2360                         break;
2361
2362                 /* sys_ioctl() checks */
2363                 case FIONBIO:
2364                 /* fall through */
2365                 case FIOASYNC:
2366                         error = file_has_perm(current, file, 0);
2367                         break;
2368
2369                 case KDSKBENT:
2370                 case KDSKBSENT:
2371                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2372                         break;
2373
2374                 /* default case assumes that the command will go
2375                  * to the file's ioctl() function.
2376                  */
2377                 default:
2378                         error = file_has_perm(current, file, FILE__IOCTL);
2379
2380         }
2381         return error;
2382 }
2383
2384 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2385 {
2386 #ifndef CONFIG_PPC32
2387         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2388                 /*
2389                  * We are making executable an anonymous mapping or a
2390                  * private file mapping that will also be writable.
2391                  * This has an additional check.
2392                  */
2393                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2394                 if (rc)
2395                         return rc;
2396         }
2397 #endif
2398
2399         if (file) {
2400                 /* read access is always possible with a mapping */
2401                 u32 av = FILE__READ;
2402
2403                 /* write access only matters if the mapping is shared */
2404                 if (shared && (prot & PROT_WRITE))
2405                         av |= FILE__WRITE;
2406
2407                 if (prot & PROT_EXEC)
2408                         av |= FILE__EXECUTE;
2409
2410                 return file_has_perm(current, file, av);
2411         }
2412         return 0;
2413 }
2414
2415 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2416                              unsigned long prot, unsigned long flags)
2417 {
2418         int rc;
2419
2420         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2421         if (rc)
2422                 return rc;
2423
2424         if (selinux_checkreqprot)
2425                 prot = reqprot;
2426
2427         return file_map_prot_check(file, prot,
2428                                    (flags & MAP_TYPE) == MAP_SHARED);
2429 }
2430
2431 static int selinux_file_mprotect(struct vm_area_struct *vma,
2432                                  unsigned long reqprot,
2433                                  unsigned long prot)
2434 {
2435         int rc;
2436
2437         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2438         if (rc)
2439                 return rc;
2440
2441         if (selinux_checkreqprot)
2442                 prot = reqprot;
2443
2444 #ifndef CONFIG_PPC32
2445         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2446                 rc = 0;
2447                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2448                     vma->vm_end <= vma->vm_mm->brk) {
2449                         rc = task_has_perm(current, current,
2450                                            PROCESS__EXECHEAP);
2451                 } else if (!vma->vm_file &&
2452                            vma->vm_start <= vma->vm_mm->start_stack &&
2453                            vma->vm_end >= vma->vm_mm->start_stack) {
2454                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2455                 } else if (vma->vm_file && vma->anon_vma) {
2456                         /*
2457                          * We are making executable a file mapping that has
2458                          * had some COW done. Since pages might have been
2459                          * written, check ability to execute the possibly
2460                          * modified content.  This typically should only
2461                          * occur for text relocations.
2462                          */
2463                         rc = file_has_perm(current, vma->vm_file,
2464                                            FILE__EXECMOD);
2465                 }
2466                 if (rc)
2467                         return rc;
2468         }
2469 #endif
2470
2471         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2472 }
2473
2474 static int selinux_file_lock(struct file *file, unsigned int cmd)
2475 {
2476         return file_has_perm(current, file, FILE__LOCK);
2477 }
2478
2479 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2480                               unsigned long arg)
2481 {
2482         int err = 0;
2483
2484         switch (cmd) {
2485                 case F_SETFL:
2486                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2487                                 err = -EINVAL;
2488                                 break;
2489                         }
2490
2491                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2492                                 err = file_has_perm(current, file,FILE__WRITE);
2493                                 break;
2494                         }
2495                         /* fall through */
2496                 case F_SETOWN:
2497                 case F_SETSIG:
2498                 case F_GETFL:
2499                 case F_GETOWN:
2500                 case F_GETSIG:
2501                         /* Just check FD__USE permission */
2502                         err = file_has_perm(current, file, 0);
2503                         break;
2504                 case F_GETLK:
2505                 case F_SETLK:
2506                 case F_SETLKW:
2507 #if BITS_PER_LONG == 32
2508                 case F_GETLK64:
2509                 case F_SETLK64:
2510                 case F_SETLKW64:
2511 #endif
2512                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2513                                 err = -EINVAL;
2514                                 break;
2515                         }
2516                         err = file_has_perm(current, file, FILE__LOCK);
2517                         break;
2518         }
2519
2520         return err;
2521 }
2522
2523 static int selinux_file_set_fowner(struct file *file)
2524 {
2525         struct task_security_struct *tsec;
2526         struct file_security_struct *fsec;
2527
2528         tsec = current->security;
2529         fsec = file->f_security;
2530         fsec->fown_sid = tsec->sid;
2531
2532         return 0;
2533 }
2534
2535 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2536                                        struct fown_struct *fown, int signum)
2537 {
2538         struct file *file;
2539         u32 perm;
2540         struct task_security_struct *tsec;
2541         struct file_security_struct *fsec;
2542
2543         /* struct fown_struct is never outside the context of a struct file */
2544         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2545
2546         tsec = tsk->security;
2547         fsec = file->f_security;
2548
2549         if (!signum)
2550                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2551         else
2552                 perm = signal_to_av(signum);
2553
2554         return avc_has_perm(fsec->fown_sid, tsec->sid,
2555                             SECCLASS_PROCESS, perm, NULL);
2556 }
2557
2558 static int selinux_file_receive(struct file *file)
2559 {
2560         return file_has_perm(current, file, file_to_av(file));
2561 }
2562
2563 /* task security operations */
2564
2565 static int selinux_task_create(unsigned long clone_flags)
2566 {
2567         int rc;
2568
2569         rc = secondary_ops->task_create(clone_flags);
2570         if (rc)
2571                 return rc;
2572
2573         return task_has_perm(current, current, PROCESS__FORK);
2574 }
2575
2576 static int selinux_task_alloc_security(struct task_struct *tsk)
2577 {
2578         struct task_security_struct *tsec1, *tsec2;
2579         int rc;
2580
2581         tsec1 = current->security;
2582
2583         rc = task_alloc_security(tsk);
2584         if (rc)
2585                 return rc;
2586         tsec2 = tsk->security;
2587
2588         tsec2->osid = tsec1->osid;
2589         tsec2->sid = tsec1->sid;
2590
2591         /* Retain the exec, fs, key, and sock SIDs across fork */
2592         tsec2->exec_sid = tsec1->exec_sid;
2593         tsec2->create_sid = tsec1->create_sid;
2594         tsec2->keycreate_sid = tsec1->keycreate_sid;
2595         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2596
2597         /* Retain ptracer SID across fork, if any.
2598            This will be reset by the ptrace hook upon any
2599            subsequent ptrace_attach operations. */
2600         tsec2->ptrace_sid = tsec1->ptrace_sid;
2601
2602         return 0;
2603 }
2604
2605 static void selinux_task_free_security(struct task_struct *tsk)
2606 {
2607         task_free_security(tsk);
2608 }
2609
2610 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2611 {
2612         /* Since setuid only affects the current process, and
2613            since the SELinux controls are not based on the Linux
2614            identity attributes, SELinux does not need to control
2615            this operation.  However, SELinux does control the use
2616            of the CAP_SETUID and CAP_SETGID capabilities using the
2617            capable hook. */
2618         return 0;
2619 }
2620
2621 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2622 {
2623         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2624 }
2625
2626 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2627 {
2628         /* See the comment for setuid above. */
2629         return 0;
2630 }
2631
2632 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2633 {
2634         return task_has_perm(current, p, PROCESS__SETPGID);
2635 }
2636
2637 static int selinux_task_getpgid(struct task_struct *p)
2638 {
2639         return task_has_perm(current, p, PROCESS__GETPGID);
2640 }
2641
2642 static int selinux_task_getsid(struct task_struct *p)
2643 {
2644         return task_has_perm(current, p, PROCESS__GETSESSION);
2645 }
2646
2647 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2648 {
2649         selinux_get_task_sid(p, secid);
2650 }
2651
2652 static int selinux_task_setgroups(struct group_info *group_info)
2653 {
2654         /* See the comment for setuid above. */
2655         return 0;
2656 }
2657
2658 static int selinux_task_setnice(struct task_struct *p, int nice)
2659 {
2660         int rc;
2661
2662         rc = secondary_ops->task_setnice(p, nice);
2663         if (rc)
2664                 return rc;
2665
2666         return task_has_perm(current,p, PROCESS__SETSCHED);
2667 }
2668
2669 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2670 {
2671         return task_has_perm(current, p, PROCESS__SETSCHED);
2672 }
2673
2674 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2675 {
2676         struct rlimit *old_rlim = current->signal->rlim + resource;
2677         int rc;
2678
2679         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2680         if (rc)
2681                 return rc;
2682
2683         /* Control the ability to change the hard limit (whether
2684            lowering or raising it), so that the hard limit can
2685            later be used as a safe reset point for the soft limit
2686            upon context transitions. See selinux_bprm_apply_creds. */
2687         if (old_rlim->rlim_max != new_rlim->rlim_max)
2688                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2689
2690         return 0;
2691 }
2692
2693 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2694 {
2695         return task_has_perm(current, p, PROCESS__SETSCHED);
2696 }
2697
2698 static int selinux_task_getscheduler(struct task_struct *p)
2699 {
2700         return task_has_perm(current, p, PROCESS__GETSCHED);
2701 }
2702
2703 static int selinux_task_movememory(struct task_struct *p)
2704 {
2705         return task_has_perm(current, p, PROCESS__SETSCHED);
2706 }
2707
2708 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2709                                 int sig, u32 secid)
2710 {
2711         u32 perm;
2712         int rc;
2713         struct task_security_struct *tsec;
2714
2715         rc = secondary_ops->task_kill(p, info, sig, secid);
2716         if (rc)
2717                 return rc;
2718
2719         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2720                 return 0;
2721
2722         if (!sig)
2723                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2724         else
2725                 perm = signal_to_av(sig);
2726         tsec = p->security;
2727         if (secid)
2728                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2729         else
2730                 rc = task_has_perm(current, p, perm);
2731         return rc;
2732 }
2733
2734 static int selinux_task_prctl(int option,
2735                               unsigned long arg2,
2736                               unsigned long arg3,
2737                               unsigned long arg4,
2738                               unsigned long arg5)
2739 {
2740         /* The current prctl operations do not appear to require
2741            any SELinux controls since they merely observe or modify
2742            the state of the current process. */
2743         return 0;
2744 }
2745
2746 static int selinux_task_wait(struct task_struct *p)
2747 {
2748         u32 perm;
2749
2750         perm = signal_to_av(p->exit_signal);
2751
2752         return task_has_perm(p, current, perm);
2753 }
2754
2755 static void selinux_task_reparent_to_init(struct task_struct *p)
2756 {
2757         struct task_security_struct *tsec;
2758
2759         secondary_ops->task_reparent_to_init(p);
2760
2761         tsec = p->security;
2762         tsec->osid = tsec->sid;
2763         tsec->sid = SECINITSID_KERNEL;
2764         return;
2765 }
2766
2767 static void selinux_task_to_inode(struct task_struct *p,
2768                                   struct inode *inode)
2769 {
2770         struct task_security_struct *tsec = p->security;
2771         struct inode_security_struct *isec = inode->i_security;
2772
2773         isec->sid = tsec->sid;
2774         isec->initialized = 1;
2775         return;
2776 }
2777
2778 /* Returns error only if unable to parse addresses */
2779 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2780 {
2781         int offset, ihlen, ret = -EINVAL;
2782         struct iphdr _iph, *ih;
2783
2784         offset = skb->nh.raw - skb->data;
2785         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2786         if (ih == NULL)
2787                 goto out;
2788
2789         ihlen = ih->ihl * 4;
2790         if (ihlen < sizeof(_iph))
2791                 goto out;
2792
2793         ad->u.net.v4info.saddr = ih->saddr;
2794         ad->u.net.v4info.daddr = ih->daddr;
2795         ret = 0;
2796
2797         switch (ih->protocol) {
2798         case IPPROTO_TCP: {
2799                 struct tcphdr _tcph, *th;
2800
2801                 if (ntohs(ih->frag_off) & IP_OFFSET)
2802                         break;
2803
2804                 offset += ihlen;
2805                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2806                 if (th == NULL)
2807                         break;
2808
2809                 ad->u.net.sport = th->source;
2810                 ad->u.net.dport = th->dest;
2811                 break;
2812         }
2813         
2814         case IPPROTO_UDP: {
2815                 struct udphdr _udph, *uh;
2816                 
2817                 if (ntohs(ih->frag_off) & IP_OFFSET)
2818                         break;
2819                         
2820                 offset += ihlen;
2821                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2822                 if (uh == NULL)
2823                         break;  
2824
2825                 ad->u.net.sport = uh->source;
2826                 ad->u.net.dport = uh->dest;
2827                 break;
2828         }
2829
2830         default:
2831                 break;
2832         }
2833 out:
2834         return ret;
2835 }
2836
2837 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2838
2839 /* Returns error only if unable to parse addresses */
2840 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2841 {
2842         u8 nexthdr;
2843         int ret = -EINVAL, offset;
2844         struct ipv6hdr _ipv6h, *ip6;
2845
2846         offset = skb->nh.raw - skb->data;
2847         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2848         if (ip6 == NULL)
2849                 goto out;
2850
2851         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2852         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2853         ret = 0;
2854
2855         nexthdr = ip6->nexthdr;
2856         offset += sizeof(_ipv6h);
2857         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2858         if (offset < 0)
2859                 goto out;
2860
2861         switch (nexthdr) {
2862         case IPPROTO_TCP: {
2863                 struct tcphdr _tcph, *th;
2864
2865                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2866                 if (th == NULL)
2867                         break;
2868
2869                 ad->u.net.sport = th->source;
2870                 ad->u.net.dport = th->dest;
2871                 break;
2872         }
2873
2874         case IPPROTO_UDP: {
2875                 struct udphdr _udph, *uh;
2876
2877                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2878                 if (uh == NULL)
2879                         break;
2880
2881                 ad->u.net.sport = uh->source;
2882                 ad->u.net.dport = uh->dest;
2883                 break;
2884         }
2885
2886         /* includes fragments */
2887         default:
2888                 break;
2889         }
2890 out:
2891         return ret;
2892 }
2893
2894 #endif /* IPV6 */
2895
2896 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2897                              char **addrp, int *len, int src)
2898 {
2899         int ret = 0;
2900
2901         switch (ad->u.net.family) {
2902         case PF_INET:
2903                 ret = selinux_parse_skb_ipv4(skb, ad);
2904                 if (ret || !addrp)
2905                         break;
2906                 *len = 4;
2907                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2908                                         &ad->u.net.v4info.daddr);
2909                 break;
2910
2911 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2912         case PF_INET6:
2913                 ret = selinux_parse_skb_ipv6(skb, ad);
2914                 if (ret || !addrp)
2915                         break;
2916                 *len = 16;
2917                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2918                                         &ad->u.net.v6info.daddr);
2919                 break;
2920 #endif  /* IPV6 */
2921         default:
2922                 break;
2923         }
2924
2925         return ret;
2926 }
2927
2928 /* socket security operations */
2929 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2930                            u32 perms)
2931 {
2932         struct inode_security_struct *isec;
2933         struct task_security_struct *tsec;
2934         struct avc_audit_data ad;
2935         int err = 0;
2936
2937         tsec = task->security;
2938         isec = SOCK_INODE(sock)->i_security;
2939
2940         if (isec->sid == SECINITSID_KERNEL)
2941                 goto out;
2942
2943         AVC_AUDIT_DATA_INIT(&ad,NET);
2944         ad.u.net.sk = sock->sk;
2945         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2946
2947 out:
2948         return err;
2949 }
2950
2951 static int selinux_socket_create(int family, int type,
2952                                  int protocol, int kern)
2953 {
2954         int err = 0;
2955         struct task_security_struct *tsec;
2956         u32 newsid;
2957
2958         if (kern)
2959                 goto out;
2960
2961         tsec = current->security;
2962         newsid = tsec->sockcreate_sid ? : tsec->sid;
2963         err = avc_has_perm(tsec->sid, newsid,
2964                            socket_type_to_security_class(family, type,
2965                            protocol), SOCKET__CREATE, NULL);
2966
2967 out:
2968         return err;
2969 }
2970
2971 static void selinux_socket_post_create(struct socket *sock, int family,
2972                                        int type, int protocol, int kern)
2973 {
2974         struct inode_security_struct *isec;
2975         struct task_security_struct *tsec;
2976         u32 newsid;
2977
2978         isec = SOCK_INODE(sock)->i_security;
2979
2980         tsec = current->security;
2981         newsid = tsec->sockcreate_sid ? : tsec->sid;
2982         isec->sclass = socket_type_to_security_class(family, type, protocol);
2983         isec->sid = kern ? SECINITSID_KERNEL : newsid;
2984         isec->initialized = 1;
2985
2986         return;
2987 }
2988
2989 /* Range of port numbers used to automatically bind.
2990    Need to determine whether we should perform a name_bind
2991    permission check between the socket and the port number. */
2992 #define ip_local_port_range_0 sysctl_local_port_range[0]
2993 #define ip_local_port_range_1 sysctl_local_port_range[1]
2994
2995 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2996 {
2997         u16 family;
2998         int err;
2999
3000         err = socket_has_perm(current, sock, SOCKET__BIND);
3001         if (err)
3002                 goto out;
3003
3004         /*
3005          * If PF_INET or PF_INET6, check name_bind permission for the port.
3006          * Multiple address binding for SCTP is not supported yet: we just
3007          * check the first address now.
3008          */
3009         family = sock->sk->sk_family;
3010         if (family == PF_INET || family == PF_INET6) {
3011                 char *addrp;
3012                 struct inode_security_struct *isec;
3013                 struct task_security_struct *tsec;
3014                 struct avc_audit_data ad;
3015                 struct sockaddr_in *addr4 = NULL;
3016                 struct sockaddr_in6 *addr6 = NULL;
3017                 unsigned short snum;
3018                 struct sock *sk = sock->sk;
3019                 u32 sid, node_perm, addrlen;
3020
3021                 tsec = current->security;
3022                 isec = SOCK_INODE(sock)->i_security;
3023
3024                 if (family == PF_INET) {
3025                         addr4 = (struct sockaddr_in *)address;
3026                         snum = ntohs(addr4->sin_port);
3027                         addrlen = sizeof(addr4->sin_addr.s_addr);
3028                         addrp = (char *)&addr4->sin_addr.s_addr;
3029                 } else {
3030                         addr6 = (struct sockaddr_in6 *)address;
3031                         snum = ntohs(addr6->sin6_port);
3032                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3033                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3034                 }
3035
3036                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3037                            snum > ip_local_port_range_1)) {
3038                         err = security_port_sid(sk->sk_family, sk->sk_type,
3039                                                 sk->sk_protocol, snum, &sid);
3040                         if (err)
3041                                 goto out;
3042                         AVC_AUDIT_DATA_INIT(&ad,NET);
3043                         ad.u.net.sport = htons(snum);
3044                         ad.u.net.family = family;
3045                         err = avc_has_perm(isec->sid, sid,
3046                                            isec->sclass,
3047                                            SOCKET__NAME_BIND, &ad);
3048                         if (err)
3049                                 goto out;
3050                 }
3051                 
3052                 switch(isec->sclass) {
3053                 case SECCLASS_TCP_SOCKET:
3054                         node_perm = TCP_SOCKET__NODE_BIND;
3055                         break;
3056                         
3057                 case SECCLASS_UDP_SOCKET:
3058                         node_perm = UDP_SOCKET__NODE_BIND;
3059                         break;
3060                         
3061                 default:
3062                         node_perm = RAWIP_SOCKET__NODE_BIND;
3063                         break;
3064                 }
3065                 
3066                 err = security_node_sid(family, addrp, addrlen, &sid);
3067                 if (err)
3068                         goto out;
3069                 
3070                 AVC_AUDIT_DATA_INIT(&ad,NET);
3071                 ad.u.net.sport = htons(snum);
3072                 ad.u.net.family = family;
3073
3074                 if (family == PF_INET)
3075                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3076                 else
3077                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3078
3079                 err = avc_has_perm(isec->sid, sid,
3080                                    isec->sclass, node_perm, &ad);
3081                 if (err)
3082                         goto out;
3083         }
3084 out:
3085         return err;
3086 }
3087
3088 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3089 {
3090         struct inode_security_struct *isec;
3091         int err;
3092
3093         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3094         if (err)
3095                 return err;
3096
3097         /*
3098          * If a TCP socket, check name_connect permission for the port.
3099          */
3100         isec = SOCK_INODE(sock)->i_security;
3101         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3102                 struct sock *sk = sock->sk;
3103                 struct avc_audit_data ad;
3104                 struct sockaddr_in *addr4 = NULL;
3105                 struct sockaddr_in6 *addr6 = NULL;
3106                 unsigned short snum;
3107                 u32 sid;
3108
3109                 if (sk->sk_family == PF_INET) {
3110                         addr4 = (struct sockaddr_in *)address;
3111                         if (addrlen < sizeof(struct sockaddr_in))
3112                                 return -EINVAL;
3113                         snum = ntohs(addr4->sin_port);
3114                 } else {
3115                         addr6 = (struct sockaddr_in6 *)address;
3116                         if (addrlen < SIN6_LEN_RFC2133)
3117                                 return -EINVAL;
3118                         snum = ntohs(addr6->sin6_port);
3119                 }
3120
3121                 err = security_port_sid(sk->sk_family, sk->sk_type,
3122                                         sk->sk_protocol, snum, &sid);
3123                 if (err)
3124                         goto out;
3125
3126                 AVC_AUDIT_DATA_INIT(&ad,NET);
3127                 ad.u.net.dport = htons(snum);
3128                 ad.u.net.family = sk->sk_family;
3129                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3130                                    TCP_SOCKET__NAME_CONNECT, &ad);
3131                 if (err)
3132                         goto out;
3133         }
3134
3135 out:
3136         return err;
3137 }
3138
3139 static int selinux_socket_listen(struct socket *sock, int backlog)
3140 {
3141         return socket_has_perm(current, sock, SOCKET__LISTEN);
3142 }
3143
3144 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3145 {
3146         int err;
3147         struct inode_security_struct *isec;
3148         struct inode_security_struct *newisec;
3149
3150         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3151         if (err)
3152                 return err;
3153
3154         newisec = SOCK_INODE(newsock)->i_security;
3155
3156         isec = SOCK_INODE(sock)->i_security;
3157         newisec->sclass = isec->sclass;
3158         newisec->sid = isec->sid;
3159         newisec->initialized = 1;
3160
3161         return 0;
3162 }
3163
3164 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3165                                   int size)
3166 {
3167         return socket_has_perm(current, sock, SOCKET__WRITE);
3168 }
3169
3170 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3171                                   int size, int flags)
3172 {
3173         return socket_has_perm(current, sock, SOCKET__READ);
3174 }
3175
3176 static int selinux_socket_getsockname(struct socket *sock)
3177 {
3178         return socket_has_perm(current, sock, SOCKET__GETATTR);
3179 }
3180
3181 static int selinux_socket_getpeername(struct socket *sock)
3182 {
3183         return socket_has_perm(current, sock, SOCKET__GETATTR);
3184 }
3185
3186 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3187 {
3188         return socket_has_perm(current, sock, SOCKET__SETOPT);
3189 }
3190
3191 static int selinux_socket_getsockopt(struct socket *sock, int level,
3192                                      int optname)
3193 {
3194         return socket_has_perm(current, sock, SOCKET__GETOPT);
3195 }
3196
3197 static int selinux_socket_shutdown(struct socket *sock, int how)
3198 {
3199         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3200 }
3201
3202 static int selinux_socket_unix_stream_connect(struct socket *sock,
3203                                               struct socket *other,
3204                                               struct sock *newsk)
3205 {
3206         struct sk_security_struct *ssec;
3207         struct inode_security_struct *isec;
3208         struct inode_security_struct *other_isec;
3209         struct avc_audit_data ad;
3210         int err;
3211
3212         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3213         if (err)
3214                 return err;
3215
3216         isec = SOCK_INODE(sock)->i_security;
3217         other_isec = SOCK_INODE(other)->i_security;
3218
3219         AVC_AUDIT_DATA_INIT(&ad,NET);
3220         ad.u.net.sk = other->sk;
3221
3222         err = avc_has_perm(isec->sid, other_isec->sid,
3223                            isec->sclass,
3224                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3225         if (err)
3226                 return err;
3227
3228         /* connecting socket */
3229         ssec = sock->sk->sk_security;
3230         ssec->peer_sid = other_isec->sid;
3231         
3232         /* server child socket */
3233         ssec = newsk->sk_security;
3234         ssec->peer_sid = isec->sid;
3235         
3236         return 0;
3237 }
3238
3239 static int selinux_socket_unix_may_send(struct socket *sock,
3240                                         struct socket *other)
3241 {
3242         struct inode_security_struct *isec;
3243         struct inode_security_struct *other_isec;
3244         struct avc_audit_data ad;
3245         int err;
3246
3247         isec = SOCK_INODE(sock)->i_security;
3248         other_isec = SOCK_INODE(other)->i_security;
3249
3250         AVC_AUDIT_DATA_INIT(&ad,NET);
3251         ad.u.net.sk = other->sk;
3252
3253         err = avc_has_perm(isec->sid, other_isec->sid,
3254                            isec->sclass, SOCKET__SENDTO, &ad);
3255         if (err)
3256                 return err;
3257
3258         return 0;
3259 }
3260
3261 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3262                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3263                 u16 family, char *addrp, int len)
3264 {
3265         int err = 0;
3266         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3267
3268         if (!skb->dev)
3269                 goto out;
3270
3271         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3272         if (err)
3273                 goto out;
3274
3275         switch (sock_class) {
3276         case SECCLASS_UDP_SOCKET:
3277                 netif_perm = NETIF__UDP_RECV;
3278                 node_perm = NODE__UDP_RECV;
3279                 recv_perm = UDP_SOCKET__RECV_MSG;
3280                 break;
3281         
3282         case SECCLASS_TCP_SOCKET:
3283                 netif_perm = NETIF__TCP_RECV;
3284                 node_perm = NODE__TCP_RECV;
3285                 recv_perm = TCP_SOCKET__RECV_MSG;
3286                 break;
3287         
3288         default:
3289                 netif_perm = NETIF__RAWIP_RECV;
3290                 node_perm = NODE__RAWIP_RECV;
3291                 break;
3292         }
3293
3294         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3295         if (err)
3296                 goto out;
3297         
3298         err = security_node_sid(family, addrp, len, &node_sid);
3299         if (err)
3300                 goto out;
3301         
3302         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3303         if (err)
3304                 goto out;
3305
3306         if (recv_perm) {
3307                 u32 port_sid;
3308
3309                 err = security_port_sid(sk->sk_family, sk->sk_type,
3310                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3311                                         &port_sid);
3312                 if (err)
3313                         goto out;
3314
3315                 err = avc_has_perm(sock_sid, port_sid,
3316                                    sock_class, recv_perm, ad);
3317         }
3318
3319 out:
3320         return err;
3321 }
3322
3323 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3324 {
3325         u16 family;
3326         u16 sock_class = 0;
3327         char *addrp;
3328         int len, err = 0;
3329         u32 sock_sid = 0;
3330         struct socket *sock;
3331         struct avc_audit_data ad;
3332
3333         family = sk->sk_family;
3334         if (family != PF_INET && family != PF_INET6)
3335                 goto out;
3336
3337         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3338         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3339                 family = PF_INET;
3340
3341         read_lock_bh(&sk->sk_callback_lock);
3342         sock = sk->sk_socket;
3343         if (sock) {
3344                 struct inode *inode;
3345                 inode = SOCK_INODE(sock);
3346                 if (inode) {
3347                         struct inode_security_struct *isec;
3348                         isec = inode->i_security;
3349                         sock_sid = isec->sid;
3350                         sock_class = isec->sclass;
3351                 }
3352         }
3353         read_unlock_bh(&sk->sk_callback_lock);
3354         if (!sock_sid)
3355                 goto out;
3356
3357         AVC_AUDIT_DATA_INIT(&ad, NET);
3358         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3359         ad.u.net.family = family;
3360
3361         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3362         if (err)
3363                 goto out;
3364
3365         if (selinux_compat_net)
3366                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3367                                                   sock_class, family,
3368                                                   addrp, len);
3369         else
3370                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3371                                    PACKET__RECV, &ad);
3372         if (err)
3373                 goto out;
3374
3375         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3376 out:    
3377         return err;
3378 }
3379
3380 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3381                                             int __user *optlen, unsigned len)
3382 {
3383         int err = 0;
3384         char *scontext;
3385         u32 scontext_len;
3386         struct sk_security_struct *ssec;
3387         struct inode_security_struct *isec;
3388         u32 peer_sid = 0;
3389
3390         isec = SOCK_INODE(sock)->i_security;
3391
3392         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3393         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3394                 ssec = sock->sk->sk_security;
3395                 peer_sid = ssec->peer_sid;
3396         }
3397         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3398                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3399
3400                 if (peer_sid == SECSID_NULL) {
3401                         err = -ENOPROTOOPT;
3402                         goto out;
3403                 }
3404         }
3405         else {
3406                 err = -ENOPROTOOPT;
3407                 goto out;
3408         }
3409
3410         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3411
3412         if (err)
3413                 goto out;
3414
3415         if (scontext_len > len) {
3416                 err = -ERANGE;
3417                 goto out_len;
3418         }
3419
3420         if (copy_to_user(optval, scontext, scontext_len))
3421                 err = -EFAULT;
3422
3423 out_len:
3424         if (put_user(scontext_len, optlen))
3425                 err = -EFAULT;
3426
3427         kfree(scontext);
3428 out:    
3429         return err;
3430 }
3431
3432 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3433 {
3434         int err = 0;
3435         u32 peer_sid;
3436
3437         if (skb->sk->sk_family == PF_UNIX)
3438                 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
3439                                       &peer_sid);
3440         else
3441                 peer_sid = selinux_socket_getpeer_dgram(skb);
3442
3443         if (peer_sid == SECSID_NULL)
3444                 return -EINVAL;
3445
3446         err = security_sid_to_context(peer_sid, secdata, seclen);
3447         if (err)
3448                 return err;
3449
3450         return 0;
3451 }
3452
3453 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3454 {
3455         return sk_alloc_security(sk, family, priority);
3456 }
3457
3458 static void selinux_sk_free_security(struct sock *sk)
3459 {
3460         sk_free_security(sk);
3461 }
3462
3463 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3464 {
3465         struct inode_security_struct *isec;
3466         u32 sock_sid = SECINITSID_ANY_SOCKET;
3467
3468         if (!sk)
3469                 return selinux_no_sk_sid(fl);
3470
3471         read_lock_bh(&sk->sk_callback_lock);
3472         isec = get_sock_isec(sk);
3473
3474         if (isec)
3475                 sock_sid = isec->sid;
3476
3477         read_unlock_bh(&sk->sk_callback_lock);
3478         return sock_sid;
3479 }
3480
3481 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3482 {
3483         int err = 0;
3484         u32 perm;
3485         struct nlmsghdr *nlh;
3486         struct socket *sock = sk->sk_socket;
3487         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3488         
3489         if (skb->len < NLMSG_SPACE(0)) {
3490                 err = -EINVAL;
3491                 goto out;
3492         }
3493         nlh = (struct nlmsghdr *)skb->data;
3494         
3495         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3496         if (err) {
3497                 if (err == -EINVAL) {
3498                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3499                                   "SELinux:  unrecognized netlink message"
3500                                   " type=%hu for sclass=%hu\n",
3501                                   nlh->nlmsg_type, isec->sclass);
3502                         if (!selinux_enforcing)
3503                                 err = 0;
3504                 }
3505
3506                 /* Ignore */
3507                 if (err == -ENOENT)
3508                         err = 0;
3509                 goto out;
3510         }
3511
3512         err = socket_has_perm(current, sock, perm);
3513 out:
3514         return err;
3515 }
3516
3517 #ifdef CONFIG_NETFILTER
3518
3519 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3520                                             struct inode_security_struct *isec,
3521                                             struct avc_audit_data *ad,
3522                                             u16 family, char *addrp, int len)
3523 {
3524         int err;
3525         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3526         
3527         err = sel_netif_sids(dev, &if_sid, NULL);
3528         if (err)
3529                 goto out;
3530
3531         switch (isec->sclass) {
3532         case SECCLASS_UDP_SOCKET:
3533                 netif_perm = NETIF__UDP_SEND;
3534                 node_perm = NODE__UDP_SEND;
3535                 send_perm = UDP_SOCKET__SEND_MSG;
3536                 break;
3537         
3538         case SECCLASS_TCP_SOCKET:
3539                 netif_perm = NETIF__TCP_SEND;
3540                 node_perm = NODE__TCP_SEND;
3541                 send_perm = TCP_SOCKET__SEND_MSG;
3542                 break;
3543         
3544         default:
3545                 netif_perm = NETIF__RAWIP_SEND;
3546                 node_perm = NODE__RAWIP_SEND;
3547                 break;
3548         }
3549
3550         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3551         if (err)
3552                 goto out;
3553                 
3554         err = security_node_sid(family, addrp, len, &node_sid);
3555         if (err)
3556                 goto out;
3557         
3558         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3559         if (err)
3560                 goto out;
3561
3562         if (send_perm) {
3563                 u32 port_sid;
3564                 
3565                 err = security_port_sid(sk->sk_family,
3566                                         sk->sk_type,
3567                                         sk->sk_protocol,
3568                                         ntohs(ad->u.net.dport),
3569                                         &port_sid);
3570                 if (err)
3571                         goto out;
3572
3573                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3574                                    send_perm, ad);
3575         }
3576 out:
3577         return err;
3578 }
3579
3580 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3581                                               struct sk_buff **pskb,
3582                                               const struct net_device *in,
3583                                               const struct net_device *out,
3584                                               int (*okfn)(struct sk_buff *),
3585                                               u16 family)
3586 {
3587         char *addrp;
3588         int len, err = 0;
3589         struct sock *sk;
3590         struct socket *sock;
3591         struct inode *inode;
3592         struct sk_buff *skb = *pskb;
3593         struct inode_security_struct *isec;
3594         struct avc_audit_data ad;
3595         struct net_device *dev = (struct net_device *)out;
3596
3597         sk = skb->sk;
3598         if (!sk)
3599                 goto out;
3600
3601         sock = sk->sk_socket;
3602         if (!sock)
3603                 goto out;
3604
3605         inode = SOCK_INODE(sock);
3606         if (!inode)
3607                 goto out;
3608
3609         isec = inode->i_security;
3610
3611         AVC_AUDIT_DATA_INIT(&ad, NET);
3612         ad.u.net.netif = dev->name;
3613         ad.u.net.family = family;
3614
3615         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3616         if (err)
3617                 goto out;
3618
3619         if (selinux_compat_net)
3620                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3621                                                        family, addrp, len);
3622         else
3623                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3624                                    PACKET__SEND, &ad);
3625
3626         if (err)
3627                 goto out;
3628
3629         err = selinux_xfrm_postroute_last(isec->sid, skb);
3630 out:
3631         return err ? NF_DROP : NF_ACCEPT;
3632 }
3633
3634 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3635                                                 struct sk_buff **pskb,
3636                                                 const struct net_device *in,
3637                                                 const struct net_device *out,
3638                                                 int (*okfn)(struct sk_buff *))
3639 {
3640         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3641 }
3642
3643 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3644
3645 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3646                                                 struct sk_buff **pskb,
3647                                                 const struct net_device *in,
3648                                                 const struct net_device *out,
3649                                                 int (*okfn)(struct sk_buff *))
3650 {
3651         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3652 }
3653
3654 #endif  /* IPV6 */
3655
3656 #endif  /* CONFIG_NETFILTER */
3657
3658 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3659 {
3660         int err;
3661
3662         err = secondary_ops->netlink_send(sk, skb);
3663         if (err)
3664                 return err;
3665
3666         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3667                 err = selinux_nlmsg_perm(sk, skb);
3668
3669         return err;
3670 }
3671
3672 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3673 {
3674         int err;
3675         struct avc_audit_data ad;
3676
3677         err = secondary_ops->netlink_recv(skb, capability);
3678         if (err)
3679                 return err;
3680
3681         AVC_AUDIT_DATA_INIT(&ad, CAP);
3682         ad.u.cap = capability;
3683
3684         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3685                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3686 }
3687
3688 static int ipc_alloc_security(struct task_struct *task,
3689                               struct kern_ipc_perm *perm,
3690                               u16 sclass)
3691 {
3692         struct task_security_struct *tsec = task->security;
3693         struct ipc_security_struct *isec;
3694
3695         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3696         if (!isec)
3697                 return -ENOMEM;
3698
3699         isec->sclass = sclass;
3700         isec->ipc_perm = perm;
3701         isec->sid = tsec->sid;
3702         perm->security = isec;
3703
3704         return 0;
3705 }
3706
3707 static void ipc_free_security(struct kern_ipc_perm *perm)
3708 {
3709         struct ipc_security_struct *isec = perm->security;
3710         perm->security = NULL;
3711         kfree(isec);
3712 }
3713
3714 static int msg_msg_alloc_security(struct msg_msg *msg)
3715 {
3716         struct msg_security_struct *msec;
3717
3718         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3719         if (!msec)
3720                 return -ENOMEM;
3721
3722         msec->msg = msg;
3723         msec->sid = SECINITSID_UNLABELED;
3724         msg->security = msec;
3725
3726         return 0;
3727 }
3728
3729 static void msg_msg_free_security(struct msg_msg *msg)
3730 {
3731         struct msg_security_struct *msec = msg->security;
3732
3733         msg->security = NULL;
3734         kfree(msec);
3735 }
3736
3737 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3738                         u32 perms)
3739 {
3740         struct task_security_struct *tsec;
3741         struct ipc_security_struct *isec;
3742         struct avc_audit_data ad;
3743
3744         tsec = current->security;
3745         isec = ipc_perms->security;
3746
3747         AVC_AUDIT_DATA_INIT(&ad, IPC);
3748         ad.u.ipc_id = ipc_perms->key;
3749
3750         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3751 }
3752
3753 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3754 {
3755         return msg_msg_alloc_security(msg);
3756 }
3757
3758 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3759 {
3760         msg_msg_free_security(msg);
3761 }
3762
3763 /* message queue security operations */
3764 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3765 {
3766         struct task_security_struct *tsec;
3767         struct ipc_security_struct *isec;
3768         struct avc_audit_data ad;
3769         int rc;
3770
3771         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3772         if (rc)
3773                 return rc;
3774
3775         tsec = current->security;
3776         isec = msq->q_perm.security;
3777
3778         AVC_AUDIT_DATA_INIT(&ad, IPC);
3779         ad.u.ipc_id = msq->q_perm.key;
3780
3781         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3782                           MSGQ__CREATE, &ad);
3783         if (rc) {
3784                 ipc_free_security(&msq->q_perm);
3785                 return rc;
3786         }
3787         return 0;
3788 }
3789
3790 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3791 {
3792         ipc_free_security(&msq->q_perm);
3793 }
3794
3795 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3796 {
3797         struct task_security_struct *tsec;
3798         struct ipc_security_struct *isec;
3799         struct avc_audit_data ad;
3800
3801         tsec = current->security;
3802         isec = msq->q_perm.security;
3803
3804         AVC_AUDIT_DATA_INIT(&ad, IPC);
3805         ad.u.ipc_id = msq->q_perm.key;
3806
3807         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3808                             MSGQ__ASSOCIATE, &ad);
3809 }
3810
3811 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3812 {
3813         int err;
3814         int perms;
3815
3816         switch(cmd) {
3817         case IPC_INFO:
3818         case MSG_INFO:
3819                 /* No specific object, just general system-wide information. */
3820                 return task_has_system(current, SYSTEM__IPC_INFO);
3821         case IPC_STAT:
3822         case MSG_STAT:
3823                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3824                 break;
3825         case IPC_SET:
3826                 perms = MSGQ__SETATTR;
3827                 break;
3828         case IPC_RMID:
3829                 perms = MSGQ__DESTROY;
3830                 break;
3831         default:
3832                 return 0;
3833         }
3834
3835         err = ipc_has_perm(&msq->q_perm, perms);
3836         return err;
3837 }
3838
3839 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3840 {
3841         struct task_security_struct *tsec;
3842         struct ipc_security_struct *isec;
3843         struct msg_security_struct *msec;
3844         struct avc_audit_data ad;
3845         int rc;
3846
3847         tsec = current->security;
3848         isec = msq->q_perm.security;
3849         msec = msg->security;
3850
3851         /*
3852          * First time through, need to assign label to the message
3853          */
3854         if (msec->sid == SECINITSID_UNLABELED) {
3855                 /*
3856                  * Compute new sid based on current process and
3857                  * message queue this message will be stored in
3858                  */
3859                 rc = security_transition_sid(tsec->sid,
3860                                              isec->sid,
3861                                              SECCLASS_MSG,
3862                                              &msec->sid);
3863                 if (rc)
3864                         return rc;
3865         }
3866
3867         AVC_AUDIT_DATA_INIT(&ad, IPC);
3868         ad.u.ipc_id = msq->q_perm.key;
3869
3870         /* Can this process write to the queue? */
3871         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3872                           MSGQ__WRITE, &ad);
3873         if (!rc)
3874                 /* Can this process send the message */
3875                 rc = avc_has_perm(tsec->sid, msec->sid,
3876                                   SECCLASS_MSG, MSG__SEND, &ad);
3877         if (!rc)
3878                 /* Can the message be put in the queue? */
3879                 rc = avc_has_perm(msec->sid, isec->sid,
3880                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3881
3882         return rc;
3883 }
3884
3885 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3886                                     struct task_struct *target,
3887                                     long type, int mode)
3888 {
3889         struct task_security_struct *tsec;
3890         struct ipc_security_struct *isec;
3891         struct msg_security_struct *msec;
3892         struct avc_audit_data ad;
3893         int rc;
3894
3895         tsec = target->security;
3896         isec = msq->q_perm.security;
3897         msec = msg->security;
3898
3899         AVC_AUDIT_DATA_INIT(&ad, IPC);
3900         ad.u.ipc_id = msq->q_perm.key;
3901
3902         rc = avc_has_perm(tsec->sid, isec->sid,
3903                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3904         if (!rc)
3905                 rc = avc_has_perm(tsec->sid, msec->sid,
3906                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3907         return rc;
3908 }
3909
3910 /* Shared Memory security operations */
3911 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3912 {
3913         struct task_security_struct *tsec;
3914         struct ipc_security_struct *isec;
3915         struct avc_audit_data ad;
3916         int rc;
3917
3918         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3919         if (rc)
3920                 return rc;
3921
3922         tsec = current->security;
3923         isec = shp->shm_perm.security;
3924
3925         AVC_AUDIT_DATA_INIT(&ad, IPC);
3926         ad.u.ipc_id = shp->shm_perm.key;
3927
3928         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3929                           SHM__CREATE, &ad);
3930         if (rc) {
3931                 ipc_free_security(&shp->shm_perm);
3932                 return rc;
3933         }
3934         return 0;
3935 }
3936
3937 static void selinux_shm_free_security(struct shmid_kernel *shp)
3938 {
3939         ipc_free_security(&shp->shm_perm);
3940 }
3941
3942 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3943 {
3944         struct task_security_struct *tsec;
3945         struct ipc_security_struct *isec;
3946         struct avc_audit_data ad;
3947
3948         tsec = current->security;
3949         isec = shp->shm_perm.security;
3950
3951         AVC_AUDIT_DATA_INIT(&ad, IPC);
3952         ad.u.ipc_id = shp->shm_perm.key;
3953
3954         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3955                             SHM__ASSOCIATE, &ad);
3956 }
3957
3958 /* Note, at this point, shp is locked down */
3959 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3960 {
3961         int perms;
3962         int err;
3963
3964         switch(cmd) {
3965         case IPC_INFO:
3966         case SHM_INFO:
3967                 /* No specific object, just general system-wide information. */
3968                 return task_has_system(current, SYSTEM__IPC_INFO);
3969         case IPC_STAT:
3970         case SHM_STAT:
3971                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3972                 break;
3973         case IPC_SET:
3974                 perms = SHM__SETATTR;
3975                 break;
3976         case SHM_LOCK:
3977         case SHM_UNLOCK:
3978                 perms = SHM__LOCK;
3979                 break;
3980         case IPC_RMID:
3981                 perms = SHM__DESTROY;
3982                 break;
3983         default:
3984                 return 0;
3985         }
3986
3987         err = ipc_has_perm(&shp->shm_perm, perms);
3988         return err;
3989 }
3990
3991 static int selinux_shm_shmat(struct shmid_kernel *shp,
3992                              char __user *shmaddr, int shmflg)
3993 {
3994         u32 perms;
3995         int rc;
3996
3997         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3998         if (rc)
3999                 return rc;
4000
4001         if (shmflg & SHM_RDONLY)
4002                 perms = SHM__READ;
4003         else
4004                 perms = SHM__READ | SHM__WRITE;
4005
4006         return ipc_has_perm(&shp->shm_perm, perms);
4007 }
4008
4009 /* Semaphore security operations */
4010 static int selinux_sem_alloc_security(struct sem_array *sma)
4011 {
4012         struct task_security_struct *tsec;
4013         struct ipc_security_struct *isec;
4014         struct avc_audit_data ad;
4015         int rc;
4016
4017         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4018         if (rc)
4019                 return rc;
4020
4021         tsec = current->security;
4022         isec = sma->sem_perm.security;
4023
4024         AVC_AUDIT_DATA_INIT(&ad, IPC);
4025         ad.u.ipc_id = sma->sem_perm.key;
4026
4027         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4028                           SEM__CREATE, &ad);
4029         if (rc) {
4030                 ipc_free_security(&sma->sem_perm);
4031                 return rc;
4032         }
4033         return 0;
4034 }
4035
4036 static void selinux_sem_free_security(struct sem_array *sma)
4037 {
4038         ipc_free_security(&sma->sem_perm);
4039 }
4040
4041 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4042 {
4043         struct task_security_struct *tsec;
4044         struct ipc_security_struct *isec;
4045         struct avc_audit_data ad;
4046
4047         tsec = current->security;
4048         isec = sma->sem_perm.security;
4049
4050         AVC_AUDIT_DATA_INIT(&ad, IPC);
4051         ad.u.ipc_id = sma->sem_perm.key;
4052
4053         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4054                             SEM__ASSOCIATE, &ad);
4055 }
4056
4057 /* Note, at this point, sma is locked down */
4058 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4059 {
4060         int err;
4061         u32 perms;
4062
4063         switch(cmd) {
4064         case IPC_INFO:
4065         case SEM_INFO:
4066                 /* No specific object, just general system-wide information. */
4067                 return task_has_system(current, SYSTEM__IPC_INFO);
4068         case GETPID:
4069         case GETNCNT:
4070         case GETZCNT:
4071                 perms = SEM__GETATTR;
4072                 break;
4073         case GETVAL:
4074         case GETALL:
4075                 perms = SEM__READ;
4076                 break;
4077         case SETVAL:
4078         case SETALL:
4079                 perms = SEM__WRITE;
4080                 break;
4081         case IPC_RMID:
4082                 perms = SEM__DESTROY;
4083                 break;
4084         case IPC_SET:
4085                 perms = SEM__SETATTR;
4086                 break;
4087         case IPC_STAT:
4088         case SEM_STAT:
4089                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4090                 break;
4091         default:
4092                 return 0;
4093         }
4094
4095         err = ipc_has_perm(&sma->sem_perm, perms);
4096         return err;
4097 }
4098
4099 static int selinux_sem_semop(struct sem_array *sma,
4100                              struct sembuf *sops, unsigned nsops, int alter)
4101 {
4102         u32 perms;
4103
4104         if (alter)
4105                 perms = SEM__READ | SEM__WRITE;
4106         else
4107                 perms = SEM__READ;
4108
4109         return ipc_has_perm(&sma->sem_perm, perms);
4110 }
4111
4112 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4113 {
4114         u32 av = 0;
4115
4116         av = 0;
4117         if (flag & S_IRUGO)
4118                 av |= IPC__UNIX_READ;
4119         if (flag & S_IWUGO)
4120                 av |= IPC__UNIX_WRITE;
4121
4122         if (av == 0)
4123                 return 0;
4124
4125         return ipc_has_perm(ipcp, av);
4126 }
4127
4128 /* module stacking operations */
4129 static int selinux_register_security (const char *name, struct security_operations *ops)
4130 {
4131         if (secondary_ops != original_ops) {
4132                 printk(KERN_INFO "%s:  There is already a secondary security "
4133                        "module registered.\n", __FUNCTION__);
4134                 return -EINVAL;
4135         }
4136
4137         secondary_ops = ops;
4138
4139         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4140                __FUNCTION__,
4141                name);
4142
4143         return 0;
4144 }
4145
4146 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4147 {
4148         if (ops != secondary_ops) {
4149                 printk (KERN_INFO "%s:  trying to unregister a security module "
4150                         "that is not registered.\n", __FUNCTION__);
4151                 return -EINVAL;
4152         }
4153
4154         secondary_ops = original_ops;
4155
4156         return 0;
4157 }
4158
4159 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4160 {
4161         if (inode)
4162                 inode_doinit_with_dentry(inode, dentry);
4163 }
4164
4165 static int selinux_getprocattr(struct task_struct *p,
4166                                char *name, void *value, size_t size)
4167 {
4168         struct task_security_struct *tsec;
4169         u32 sid;
4170         int error;
4171
4172         if (current != p) {
4173                 error = task_has_perm(current, p, PROCESS__GETATTR);
4174                 if (error)
4175                         return error;
4176         }
4177
4178         tsec = p->security;
4179
4180         if (!strcmp(name, "current"))
4181                 sid = tsec->sid;
4182         else if (!strcmp(name, "prev"))
4183                 sid = tsec->osid;
4184         else if (!strcmp(name, "exec"))
4185                 sid = tsec->exec_sid;
4186         else if (!strcmp(name, "fscreate"))
4187                 sid = tsec->create_sid;
4188         else if (!strcmp(name, "keycreate"))
4189                 sid = tsec->keycreate_sid;
4190         else if (!strcmp(name, "sockcreate"))
4191                 sid = tsec->sockcreate_sid;
4192         else
4193                 return -EINVAL;
4194
4195         if (!sid)
4196                 return 0;
4197
4198         return selinux_getsecurity(sid, value, size);
4199 }
4200
4201 static int selinux_setprocattr(struct task_struct *p,
4202                                char *name, void *value, size_t size)
4203 {
4204         struct task_security_struct *tsec;
4205         u32 sid = 0;
4206         int error;
4207         char *str = value;
4208
4209         if (current != p) {
4210                 /* SELinux only allows a process to change its own
4211                    security attributes. */
4212                 return -EACCES;
4213         }
4214
4215         /*
4216          * Basic control over ability to set these attributes at all.
4217          * current == p, but we'll pass them separately in case the
4218          * above restriction is ever removed.
4219          */
4220         if (!strcmp(name, "exec"))
4221                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4222         else if (!strcmp(name, "fscreate"))
4223                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4224         else if (!strcmp(name, "keycreate"))
4225                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4226         else if (!strcmp(name, "sockcreate"))
4227                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4228         else if (!strcmp(name, "current"))
4229                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4230         else
4231                 error = -EINVAL;
4232         if (error)
4233                 return error;
4234
4235         /* Obtain a SID for the context, if one was specified. */
4236         if (size && str[1] && str[1] != '\n') {
4237                 if (str[size-1] == '\n') {
4238                         str[size-1] = 0;
4239                         size--;
4240                 }
4241                 error = security_context_to_sid(value, size, &sid);
4242                 if (error)
4243                         return error;
4244         }
4245
4246         /* Permission checking based on the specified context is
4247            performed during the actual operation (execve,
4248            open/mkdir/...), when we know the full context of the
4249            operation.  See selinux_bprm_set_security for the execve
4250            checks and may_create for the file creation checks. The
4251            operation will then fail if the context is not permitted. */
4252         tsec = p->security;
4253         if (!strcmp(name, "exec"))
4254                 tsec->exec_sid = sid;
4255         else if (!strcmp(name, "fscreate"))
4256                 tsec->create_sid = sid;
4257         else if (!strcmp(name, "keycreate")) {
4258                 error = may_create_key(sid, p);
4259                 if (error)
4260                         return error;
4261                 tsec->keycreate_sid = sid;
4262         } else if (!strcmp(name, "sockcreate"))
4263                 tsec->sockcreate_sid = sid;
4264         else if (!strcmp(name, "current")) {
4265                 struct av_decision avd;
4266
4267                 if (sid == 0)
4268                         return -EINVAL;
4269
4270                 /* Only allow single threaded processes to change context */
4271                 if (atomic_read(&p->mm->mm_users) != 1) {
4272                         struct task_struct *g, *t;
4273                         struct mm_struct *mm = p->mm;
4274                         read_lock(&tasklist_lock);
4275                         do_each_thread(g, t)
4276                                 if (t->mm == mm && t != p) {
4277                                         read_unlock(&tasklist_lock);
4278                                         return -EPERM;
4279                                 }
4280                         while_each_thread(g, t);
4281                         read_unlock(&tasklist_lock);
4282                 }
4283
4284                 /* Check permissions for the transition. */
4285                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4286                                      PROCESS__DYNTRANSITION, NULL);
4287                 if (error)
4288                         return error;
4289
4290                 /* Check for ptracing, and update the task SID if ok.
4291                    Otherwise, leave SID unchanged and fail. */
4292                 task_lock(p);
4293                 if (p->ptrace & PT_PTRACED) {
4294                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4295                                                      SECCLASS_PROCESS,
4296                                                      PROCESS__PTRACE, &avd);
4297                         if (!error)
4298                                 tsec->sid = sid;
4299                         task_unlock(p);
4300                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4301                                   PROCESS__PTRACE, &avd, error, NULL);
4302                         if (error)
4303                                 return error;
4304                 } else {
4305                         tsec->sid = sid;
4306                         task_unlock(p);
4307                 }
4308         }
4309         else
4310                 return -EINVAL;
4311
4312         return size;
4313 }
4314
4315 #ifdef CONFIG_KEYS
4316
4317 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4318                              unsigned long flags)
4319 {
4320         struct task_security_struct *tsec = tsk->security;
4321         struct key_security_struct *ksec;
4322
4323         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4324         if (!ksec)
4325                 return -ENOMEM;
4326
4327         ksec->obj = k;
4328         if (tsec->keycreate_sid)
4329                 ksec->sid = tsec->keycreate_sid;
4330         else
4331                 ksec->sid = tsec->sid;
4332         k->security = ksec;
4333
4334         return 0;
4335 }
4336
4337 static void selinux_key_free(struct key *k)
4338 {
4339         struct key_security_struct *ksec = k->security;
4340
4341         k->security = NULL;
4342         kfree(ksec);
4343 }
4344
4345 static int selinux_key_permission(key_ref_t key_ref,
4346                             struct task_struct *ctx,
4347                             key_perm_t perm)
4348 {
4349         struct key *key;
4350         struct task_security_struct *tsec;
4351         struct key_security_struct *ksec;
4352
4353         key = key_ref_to_ptr(key_ref);
4354
4355         tsec = ctx->security;
4356         ksec = key->security;
4357
4358         /* if no specific permissions are requested, we skip the
4359            permission check. No serious, additional covert channels
4360            appear to be created. */
4361         if (perm == 0)
4362                 return 0;
4363
4364         return avc_has_perm(tsec->sid, ksec->sid,
4365                             SECCLASS_KEY, perm, NULL);
4366 }
4367
4368 #endif
4369
4370 static struct security_operations selinux_ops = {
4371         .ptrace =                       selinux_ptrace,
4372         .capget =                       selinux_capget,
4373         .capset_check =                 selinux_capset_check,
4374         .capset_set =                   selinux_capset_set,
4375         .sysctl =                       selinux_sysctl,
4376         .capable =                      selinux_capable,
4377         .quotactl =                     selinux_quotactl,
4378         .quota_on =                     selinux_quota_on,
4379         .syslog =                       selinux_syslog,
4380         .vm_enough_memory =             selinux_vm_enough_memory,
4381
4382         .netlink_send =                 selinux_netlink_send,
4383         .netlink_recv =                 selinux_netlink_recv,
4384
4385         .bprm_alloc_security =          selinux_bprm_alloc_security,
4386         .bprm_free_security =           selinux_bprm_free_security,
4387         .bprm_apply_creds =             selinux_bprm_apply_creds,
4388         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4389         .bprm_set_security =            selinux_bprm_set_security,
4390         .bprm_check_security =          selinux_bprm_check_security,
4391         .bprm_secureexec =              selinux_bprm_secureexec,
4392
4393         .sb_alloc_security =            selinux_sb_alloc_security,
4394         .sb_free_security =             selinux_sb_free_security,
4395         .sb_copy_data =                 selinux_sb_copy_data,
4396         .sb_kern_mount =                selinux_sb_kern_mount,
4397         .sb_statfs =                    selinux_sb_statfs,
4398         .sb_mount =                     selinux_mount,
4399         .sb_umount =                    selinux_umount,
4400
4401         .inode_alloc_security =         selinux_inode_alloc_security,
4402         .inode_free_security =          selinux_inode_free_security,
4403         .inode_init_security =          selinux_inode_init_security,
4404         .inode_create =                 selinux_inode_create,
4405         .inode_link =                   selinux_inode_link,
4406         .inode_unlink =                 selinux_inode_unlink,
4407         .inode_symlink =                selinux_inode_symlink,
4408         .inode_mkdir =                  selinux_inode_mkdir,
4409         .inode_rmdir =                  selinux_inode_rmdir,
4410         .inode_mknod =                  selinux_inode_mknod,
4411         .inode_rename =                 selinux_inode_rename,
4412         .inode_readlink =               selinux_inode_readlink,
4413         .inode_follow_link =            selinux_inode_follow_link,
4414         .inode_permission =             selinux_inode_permission,
4415         .inode_setattr =                selinux_inode_setattr,
4416         .inode_getattr =                selinux_inode_getattr,
4417         .inode_setxattr =               selinux_inode_setxattr,
4418         .inode_post_setxattr =          selinux_inode_post_setxattr,
4419         .inode_getxattr =               selinux_inode_getxattr,
4420         .inode_listxattr =              selinux_inode_listxattr,
4421         .inode_removexattr =            selinux_inode_removexattr,
4422         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4423         .inode_getsecurity =            selinux_inode_getsecurity,
4424         .inode_setsecurity =            selinux_inode_setsecurity,
4425         .inode_listsecurity =           selinux_inode_listsecurity,
4426
4427         .file_permission =              selinux_file_permission,
4428         .file_alloc_security =          selinux_file_alloc_security,
4429         .file_free_security =           selinux_file_free_security,
4430         .file_ioctl =                   selinux_file_ioctl,
4431         .file_mmap =                    selinux_file_mmap,
4432         .file_mprotect =                selinux_file_mprotect,
4433         .file_lock =                    selinux_file_lock,
4434         .file_fcntl =                   selinux_file_fcntl,
4435         .file_set_fowner =              selinux_file_set_fowner,
4436         .file_send_sigiotask =          selinux_file_send_sigiotask,
4437         .file_receive =                 selinux_file_receive,
4438
4439         .task_create =                  selinux_task_create,
4440         .task_alloc_security =          selinux_task_alloc_security,
4441         .task_free_security =           selinux_task_free_security,
4442         .task_setuid =                  selinux_task_setuid,
4443         .task_post_setuid =             selinux_task_post_setuid,
4444         .task_setgid =                  selinux_task_setgid,
4445         .task_setpgid =                 selinux_task_setpgid,
4446         .task_getpgid =                 selinux_task_getpgid,
4447         .task_getsid =                  selinux_task_getsid,
4448         .task_getsecid =                selinux_task_getsecid,
4449         .task_setgroups =               selinux_task_setgroups,
4450         .task_setnice =                 selinux_task_setnice,
4451         .task_setioprio =               selinux_task_setioprio,
4452         .task_setrlimit =               selinux_task_setrlimit,
4453         .task_setscheduler =            selinux_task_setscheduler,
4454         .task_getscheduler =            selinux_task_getscheduler,
4455         .task_movememory =              selinux_task_movememory,
4456         .task_kill =                    selinux_task_kill,
4457         .task_wait =                    selinux_task_wait,
4458         .task_prctl =                   selinux_task_prctl,
4459         .task_reparent_to_init =        selinux_task_reparent_to_init,
4460         .task_to_inode =                selinux_task_to_inode,
4461
4462         .ipc_permission =               selinux_ipc_permission,
4463
4464         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4465         .msg_msg_free_security =        selinux_msg_msg_free_security,
4466
4467         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4468         .msg_queue_free_security =      selinux_msg_queue_free_security,
4469         .msg_queue_associate =          selinux_msg_queue_associate,
4470         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4471         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4472         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4473
4474         .shm_alloc_security =           selinux_shm_alloc_security,
4475         .shm_free_security =            selinux_shm_free_security,
4476         .shm_associate =                selinux_shm_associate,
4477         .shm_shmctl =                   selinux_shm_shmctl,
4478         .shm_shmat =                    selinux_shm_shmat,
4479
4480         .sem_alloc_security =           selinux_sem_alloc_security,
4481         .sem_free_security =            selinux_sem_free_security,
4482         .sem_associate =                selinux_sem_associate,
4483         .sem_semctl =                   selinux_sem_semctl,
4484         .sem_semop =                    selinux_sem_semop,
4485
4486         .register_security =            selinux_register_security,
4487         .unregister_security =          selinux_unregister_security,
4488
4489         .d_instantiate =                selinux_d_instantiate,
4490
4491         .getprocattr =                  selinux_getprocattr,
4492         .setprocattr =                  selinux_setprocattr,
4493
4494         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4495         .unix_may_send =                selinux_socket_unix_may_send,
4496
4497         .socket_create =                selinux_socket_create,
4498         .socket_post_create =           selinux_socket_post_create,
4499         .socket_bind =                  selinux_socket_bind,
4500         .socket_connect =               selinux_socket_connect,
4501         .socket_listen =                selinux_socket_listen,
4502         .socket_accept =                selinux_socket_accept,
4503         .socket_sendmsg =               selinux_socket_sendmsg,
4504         .socket_recvmsg =               selinux_socket_recvmsg,
4505         .socket_getsockname =           selinux_socket_getsockname,
4506         .socket_getpeername =           selinux_socket_getpeername,
4507         .socket_getsockopt =            selinux_socket_getsockopt,
4508         .socket_setsockopt =            selinux_socket_setsockopt,
4509         .socket_shutdown =              selinux_socket_shutdown,
4510         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4511         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4512         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4513         .sk_alloc_security =            selinux_sk_alloc_security,
4514         .sk_free_security =             selinux_sk_free_security,
4515         .sk_getsid =                    selinux_sk_getsid_security,
4516
4517 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4518         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4519         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4520         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4521         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4522         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4523         .xfrm_state_free_security =     selinux_xfrm_state_free,
4524         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4525         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4526 #endif
4527
4528 #ifdef CONFIG_KEYS
4529         .key_alloc =                    selinux_key_alloc,
4530         .key_free =                     selinux_key_free,
4531         .key_permission =               selinux_key_permission,
4532 #endif
4533 };
4534
4535 static __init int selinux_init(void)
4536 {
4537         struct task_security_struct *tsec;
4538
4539         if (!selinux_enabled) {
4540                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4541                 return 0;
4542         }
4543
4544         printk(KERN_INFO "SELinux:  Initializing.\n");
4545
4546         /* Set the security state for the initial task. */
4547         if (task_alloc_security(current))
4548                 panic("SELinux:  Failed to initialize initial task.\n");
4549         tsec = current->security;
4550         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4551
4552         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4553                                             sizeof(struct inode_security_struct),
4554                                             0, SLAB_PANIC, NULL, NULL);
4555         avc_init();
4556
4557         original_ops = secondary_ops = security_ops;
4558         if (!secondary_ops)
4559                 panic ("SELinux: No initial security operations\n");
4560         if (register_security (&selinux_ops))
4561                 panic("SELinux: Unable to register with kernel.\n");
4562
4563         if (selinux_enforcing) {
4564                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4565         } else {
4566                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4567         }
4568
4569 #ifdef CONFIG_KEYS
4570         /* Add security information to initial keyrings */
4571         selinux_key_alloc(&root_user_keyring, current,
4572                           KEY_ALLOC_NOT_IN_QUOTA);
4573         selinux_key_alloc(&root_session_keyring, current,
4574                           KEY_ALLOC_NOT_IN_QUOTA);
4575 #endif
4576
4577         return 0;
4578 }
4579
4580 void selinux_complete_init(void)
4581 {
4582         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4583
4584         /* Set up any superblocks initialized prior to the policy load. */
4585         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4586         spin_lock(&sb_lock);
4587         spin_lock(&sb_security_lock);
4588 next_sb:
4589         if (!list_empty(&superblock_security_head)) {
4590                 struct superblock_security_struct *sbsec =
4591                                 list_entry(superblock_security_head.next,
4592                                            struct superblock_security_struct,
4593                                            list);
4594                 struct super_block *sb = sbsec->sb;
4595                 sb->s_count++;
4596                 spin_unlock(&sb_security_lock);
4597                 spin_unlock(&sb_lock);
4598                 down_read(&sb->s_umount);
4599                 if (sb->s_root)
4600                         superblock_doinit(sb, NULL);
4601                 drop_super(sb);
4602                 spin_lock(&sb_lock);
4603                 spin_lock(&sb_security_lock);
4604                 list_del_init(&sbsec->list);
4605                 goto next_sb;
4606         }
4607         spin_unlock(&sb_security_lock);
4608         spin_unlock(&sb_lock);
4609 }
4610
4611 /* SELinux requires early initialization in order to label
4612    all processes and objects when they are created. */
4613 security_initcall(selinux_init);
4614
4615 #if defined(CONFIG_NETFILTER)
4616
4617 static struct nf_hook_ops selinux_ipv4_op = {
4618         .hook =         selinux_ipv4_postroute_last,
4619         .owner =        THIS_MODULE,
4620         .pf =           PF_INET,
4621         .hooknum =      NF_IP_POST_ROUTING,
4622         .priority =     NF_IP_PRI_SELINUX_LAST,
4623 };
4624
4625 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4626
4627 static struct nf_hook_ops selinux_ipv6_op = {
4628         .hook =         selinux_ipv6_postroute_last,
4629         .owner =        THIS_MODULE,
4630         .pf =           PF_INET6,
4631         .hooknum =      NF_IP6_POST_ROUTING,
4632         .priority =     NF_IP6_PRI_SELINUX_LAST,
4633 };
4634
4635 #endif  /* IPV6 */
4636
4637 static int __init selinux_nf_ip_init(void)
4638 {
4639         int err = 0;
4640
4641         if (!selinux_enabled)
4642                 goto out;
4643                 
4644         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4645         
4646         err = nf_register_hook(&selinux_ipv4_op);
4647         if (err)
4648                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4649
4650 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4651
4652         err = nf_register_hook(&selinux_ipv6_op);
4653         if (err)
4654                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4655
4656 #endif  /* IPV6 */
4657
4658 out:
4659         return err;
4660 }
4661
4662 __initcall(selinux_nf_ip_init);
4663
4664 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4665 static void selinux_nf_ip_exit(void)
4666 {
4667         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4668
4669         nf_unregister_hook(&selinux_ipv4_op);
4670 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4671         nf_unregister_hook(&selinux_ipv6_op);
4672 #endif  /* IPV6 */
4673 }
4674 #endif
4675
4676 #else /* CONFIG_NETFILTER */
4677
4678 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4679 #define selinux_nf_ip_exit()
4680 #endif
4681
4682 #endif /* CONFIG_NETFILTER */
4683
4684 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4685 int selinux_disable(void)
4686 {
4687         extern void exit_sel_fs(void);
4688         static int selinux_disabled = 0;
4689
4690         if (ss_initialized) {
4691                 /* Not permitted after initial policy load. */
4692                 return -EINVAL;
4693         }
4694
4695         if (selinux_disabled) {
4696                 /* Only do this once. */
4697                 return -EINVAL;
4698         }
4699
4700         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4701
4702         selinux_disabled = 1;
4703         selinux_enabled = 0;
4704
4705         /* Reset security_ops to the secondary module, dummy or capability. */
4706         security_ops = secondary_ops;
4707
4708         /* Unregister netfilter hooks. */
4709         selinux_nf_ip_exit();
4710
4711         /* Unregister selinuxfs. */
4712         exit_sel_fs();
4713
4714         return 0;
4715 }
4716 #endif
4717
4718