b85afcf3852774166aeb5b9b65200388e8ee4a72
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72 #include <linux/selinux.h>
73
74 #include "avc.h"
75 #include "objsec.h"
76 #include "netif.h"
77 #include "xfrm.h"
78
79 #define XATTR_SELINUX_SUFFIX "selinux"
80 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81
82 extern unsigned int policydb_loaded_version;
83 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
84 extern int selinux_compat_net;
85
86 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
87 int selinux_enforcing = 0;
88
89 static int __init enforcing_setup(char *str)
90 {
91         selinux_enforcing = simple_strtol(str,NULL,0);
92         return 1;
93 }
94 __setup("enforcing=", enforcing_setup);
95 #endif
96
97 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
98 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
99
100 static int __init selinux_enabled_setup(char *str)
101 {
102         selinux_enabled = simple_strtol(str, NULL, 0);
103         return 1;
104 }
105 __setup("selinux=", selinux_enabled_setup);
106 #else
107 int selinux_enabled = 1;
108 #endif
109
110 /* Original (dummy) security module. */
111 static struct security_operations *original_ops = NULL;
112
113 /* Minimal support for a secondary security module,
114    just to allow the use of the dummy or capability modules.
115    The owlsm module can alternatively be used as a secondary
116    module as long as CONFIG_OWLSM_FD is not enabled. */
117 static struct security_operations *secondary_ops = NULL;
118
119 /* Lists of inode and superblock security structures initialized
120    before the policy was loaded. */
121 static LIST_HEAD(superblock_security_head);
122 static DEFINE_SPINLOCK(sb_security_lock);
123
124 static kmem_cache_t *sel_inode_cache;
125
126 /* Return security context for a given sid or just the context 
127    length if the buffer is null or length is 0 */
128 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
129 {
130         char *context;
131         unsigned len;
132         int rc;
133
134         rc = security_sid_to_context(sid, &context, &len);
135         if (rc)
136                 return rc;
137
138         if (!buffer || !size)
139                 goto getsecurity_exit;
140
141         if (size < len) {
142                 len = -ERANGE;
143                 goto getsecurity_exit;
144         }
145         memcpy(buffer, context, len);
146
147 getsecurity_exit:
148         kfree(context);
149         return len;
150 }
151
152 /* Allocate and free functions for each kind of security blob. */
153
154 static int task_alloc_security(struct task_struct *task)
155 {
156         struct task_security_struct *tsec;
157
158         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
159         if (!tsec)
160                 return -ENOMEM;
161
162         tsec->task = task;
163         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
164         task->security = tsec;
165
166         return 0;
167 }
168
169 static void task_free_security(struct task_struct *task)
170 {
171         struct task_security_struct *tsec = task->security;
172         task->security = NULL;
173         kfree(tsec);
174 }
175
176 static int inode_alloc_security(struct inode *inode)
177 {
178         struct task_security_struct *tsec = current->security;
179         struct inode_security_struct *isec;
180
181         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
182         if (!isec)
183                 return -ENOMEM;
184
185         memset(isec, 0, sizeof(*isec));
186         init_MUTEX(&isec->sem);
187         INIT_LIST_HEAD(&isec->list);
188         isec->inode = inode;
189         isec->sid = SECINITSID_UNLABELED;
190         isec->sclass = SECCLASS_FILE;
191         isec->task_sid = tsec->sid;
192         inode->i_security = isec;
193
194         return 0;
195 }
196
197 static void inode_free_security(struct inode *inode)
198 {
199         struct inode_security_struct *isec = inode->i_security;
200         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201
202         spin_lock(&sbsec->isec_lock);
203         if (!list_empty(&isec->list))
204                 list_del_init(&isec->list);
205         spin_unlock(&sbsec->isec_lock);
206
207         inode->i_security = NULL;
208         kmem_cache_free(sel_inode_cache, isec);
209 }
210
211 static int file_alloc_security(struct file *file)
212 {
213         struct task_security_struct *tsec = current->security;
214         struct file_security_struct *fsec;
215
216         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
217         if (!fsec)
218                 return -ENOMEM;
219
220         fsec->file = file;
221         fsec->sid = tsec->sid;
222         fsec->fown_sid = tsec->sid;
223         file->f_security = fsec;
224
225         return 0;
226 }
227
228 static void file_free_security(struct file *file)
229 {
230         struct file_security_struct *fsec = file->f_security;
231         file->f_security = NULL;
232         kfree(fsec);
233 }
234
235 static int superblock_alloc_security(struct super_block *sb)
236 {
237         struct superblock_security_struct *sbsec;
238
239         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
240         if (!sbsec)
241                 return -ENOMEM;
242
243         init_MUTEX(&sbsec->sem);
244         INIT_LIST_HEAD(&sbsec->list);
245         INIT_LIST_HEAD(&sbsec->isec_head);
246         spin_lock_init(&sbsec->isec_lock);
247         sbsec->sb = sb;
248         sbsec->sid = SECINITSID_UNLABELED;
249         sbsec->def_sid = SECINITSID_FILE;
250         sb->s_security = sbsec;
251
252         return 0;
253 }
254
255 static void superblock_free_security(struct super_block *sb)
256 {
257         struct superblock_security_struct *sbsec = sb->s_security;
258
259         spin_lock(&sb_security_lock);
260         if (!list_empty(&sbsec->list))
261                 list_del_init(&sbsec->list);
262         spin_unlock(&sb_security_lock);
263
264         sb->s_security = NULL;
265         kfree(sbsec);
266 }
267
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
269 {
270         struct sk_security_struct *ssec;
271
272         if (family != PF_UNIX)
273                 return 0;
274
275         ssec = kzalloc(sizeof(*ssec), priority);
276         if (!ssec)
277                 return -ENOMEM;
278
279         ssec->sk = sk;
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         return 0;
284 }
285
286 static void sk_free_security(struct sock *sk)
287 {
288         struct sk_security_struct *ssec = sk->sk_security;
289
290         if (sk->sk_family != PF_UNIX)
291                 return;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323 };
324
325 static match_table_t tokens = {
326         {Opt_context, "context=%s"},
327         {Opt_fscontext, "fscontext=%s"},
328         {Opt_defcontext, "defcontext=%s"},
329 };
330
331 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
332
333 static int try_context_mount(struct super_block *sb, void *data)
334 {
335         char *context = NULL, *defcontext = NULL;
336         const char *name;
337         u32 sid;
338         int alloc = 0, rc = 0, seen = 0;
339         struct task_security_struct *tsec = current->security;
340         struct superblock_security_struct *sbsec = sb->s_security;
341
342         if (!data)
343                 goto out;
344
345         name = sb->s_type->name;
346
347         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348
349                 /* NFS we understand. */
350                 if (!strcmp(name, "nfs")) {
351                         struct nfs_mount_data *d = data;
352
353                         if (d->version <  NFS_MOUNT_VERSION)
354                                 goto out;
355
356                         if (d->context[0]) {
357                                 context = d->context;
358                                 seen |= Opt_context;
359                         }
360                 } else
361                         goto out;
362
363         } else {
364                 /* Standard string-based options. */
365                 char *p, *options = data;
366
367                 while ((p = strsep(&options, ",")) != NULL) {
368                         int token;
369                         substring_t args[MAX_OPT_ARGS];
370
371                         if (!*p)
372                                 continue;
373
374                         token = match_token(p, tokens, args);
375
376                         switch (token) {
377                         case Opt_context:
378                                 if (seen) {
379                                         rc = -EINVAL;
380                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
381                                         goto out_free;
382                                 }
383                                 context = match_strdup(&args[0]);
384                                 if (!context) {
385                                         rc = -ENOMEM;
386                                         goto out_free;
387                                 }
388                                 if (!alloc)
389                                         alloc = 1;
390                                 seen |= Opt_context;
391                                 break;
392
393                         case Opt_fscontext:
394                                 if (seen & (Opt_context|Opt_fscontext)) {
395                                         rc = -EINVAL;
396                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397                                         goto out_free;
398                                 }
399                                 context = match_strdup(&args[0]);
400                                 if (!context) {
401                                         rc = -ENOMEM;
402                                         goto out_free;
403                                 }
404                                 if (!alloc)
405                                         alloc = 1;
406                                 seen |= Opt_fscontext;
407                                 break;
408
409                         case Opt_defcontext:
410                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411                                         rc = -EINVAL;
412                                         printk(KERN_WARNING "SELinux:  "
413                                                "defcontext option is invalid "
414                                                "for this filesystem type\n");
415                                         goto out_free;
416                                 }
417                                 if (seen & (Opt_context|Opt_defcontext)) {
418                                         rc = -EINVAL;
419                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420                                         goto out_free;
421                                 }
422                                 defcontext = match_strdup(&args[0]);
423                                 if (!defcontext) {
424                                         rc = -ENOMEM;
425                                         goto out_free;
426                                 }
427                                 if (!alloc)
428                                         alloc = 1;
429                                 seen |= Opt_defcontext;
430                                 break;
431
432                         default:
433                                 rc = -EINVAL;
434                                 printk(KERN_WARNING "SELinux:  unknown mount "
435                                        "option\n");
436                                 goto out_free;
437
438                         }
439                 }
440         }
441
442         if (!seen)
443                 goto out;
444
445         if (context) {
446                 rc = security_context_to_sid(context, strlen(context), &sid);
447                 if (rc) {
448                         printk(KERN_WARNING "SELinux: security_context_to_sid"
449                                "(%s) failed for (dev %s, type %s) errno=%d\n",
450                                context, sb->s_id, name, rc);
451                         goto out_free;
452                 }
453
454                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELFROM, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460                                   FILESYSTEM__RELABELTO, NULL);
461                 if (rc)
462                         goto out_free;
463
464                 sbsec->sid = sid;
465
466                 if (seen & Opt_context)
467                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468         }
469
470         if (defcontext) {
471                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472                 if (rc) {
473                         printk(KERN_WARNING "SELinux: security_context_to_sid"
474                                "(%s) failed for (dev %s, type %s) errno=%d\n",
475                                defcontext, sb->s_id, name, rc);
476                         goto out_free;
477                 }
478
479                 if (sid == sbsec->def_sid)
480                         goto out_free;
481
482                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__RELABELFROM, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488                                   FILESYSTEM__ASSOCIATE, NULL);
489                 if (rc)
490                         goto out_free;
491
492                 sbsec->def_sid = sid;
493         }
494
495 out_free:
496         if (alloc) {
497                 kfree(context);
498                 kfree(defcontext);
499         }
500 out:
501         return rc;
502 }
503
504 static int superblock_doinit(struct super_block *sb, void *data)
505 {
506         struct superblock_security_struct *sbsec = sb->s_security;
507         struct dentry *root = sb->s_root;
508         struct inode *inode = root->d_inode;
509         int rc = 0;
510
511         down(&sbsec->sem);
512         if (sbsec->initialized)
513                 goto out;
514
515         if (!ss_initialized) {
516                 /* Defer initialization until selinux_complete_init,
517                    after the initial policy is loaded and the security
518                    server is ready to handle calls. */
519                 spin_lock(&sb_security_lock);
520                 if (list_empty(&sbsec->list))
521                         list_add(&sbsec->list, &superblock_security_head);
522                 spin_unlock(&sb_security_lock);
523                 goto out;
524         }
525
526         /* Determine the labeling behavior to use for this filesystem type. */
527         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528         if (rc) {
529                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
530                        __FUNCTION__, sb->s_type->name, rc);
531                 goto out;
532         }
533
534         rc = try_context_mount(sb, data);
535         if (rc)
536                 goto out;
537
538         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539                 /* Make sure that the xattr handler exists and that no
540                    error other than -ENODATA is returned by getxattr on
541                    the root directory.  -ENODATA is ok, as this may be
542                    the first boot of the SELinux kernel before we have
543                    assigned xattr values to the filesystem. */
544                 if (!inode->i_op->getxattr) {
545                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546                                "xattr support\n", sb->s_id, sb->s_type->name);
547                         rc = -EOPNOTSUPP;
548                         goto out;
549                 }
550                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551                 if (rc < 0 && rc != -ENODATA) {
552                         if (rc == -EOPNOTSUPP)
553                                 printk(KERN_WARNING "SELinux: (dev %s, type "
554                                        "%s) has no security xattr handler\n",
555                                        sb->s_id, sb->s_type->name);
556                         else
557                                 printk(KERN_WARNING "SELinux: (dev %s, type "
558                                        "%s) getxattr errno %d\n", sb->s_id,
559                                        sb->s_type->name, -rc);
560                         goto out;
561                 }
562         }
563
564         if (strcmp(sb->s_type->name, "proc") == 0)
565                 sbsec->proc = 1;
566
567         sbsec->initialized = 1;
568
569         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571                        sb->s_id, sb->s_type->name);
572         }
573         else {
574                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575                        sb->s_id, sb->s_type->name,
576                        labeling_behaviors[sbsec->behavior-1]);
577         }
578
579         /* Initialize the root inode. */
580         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581
582         /* Initialize any other inodes associated with the superblock, e.g.
583            inodes created prior to initial policy load or inodes created
584            during get_sb by a pseudo filesystem that directly
585            populates itself. */
586         spin_lock(&sbsec->isec_lock);
587 next_inode:
588         if (!list_empty(&sbsec->isec_head)) {
589                 struct inode_security_struct *isec =
590                                 list_entry(sbsec->isec_head.next,
591                                            struct inode_security_struct, list);
592                 struct inode *inode = isec->inode;
593                 spin_unlock(&sbsec->isec_lock);
594                 inode = igrab(inode);
595                 if (inode) {
596                         if (!IS_PRIVATE (inode))
597                                 inode_doinit(inode);
598                         iput(inode);
599                 }
600                 spin_lock(&sbsec->isec_lock);
601                 list_del_init(&isec->list);
602                 goto next_inode;
603         }
604         spin_unlock(&sbsec->isec_lock);
605 out:
606         up(&sbsec->sem);
607         return rc;
608 }
609
610 static inline u16 inode_mode_to_security_class(umode_t mode)
611 {
612         switch (mode & S_IFMT) {
613         case S_IFSOCK:
614                 return SECCLASS_SOCK_FILE;
615         case S_IFLNK:
616                 return SECCLASS_LNK_FILE;
617         case S_IFREG:
618                 return SECCLASS_FILE;
619         case S_IFBLK:
620                 return SECCLASS_BLK_FILE;
621         case S_IFDIR:
622                 return SECCLASS_DIR;
623         case S_IFCHR:
624                 return SECCLASS_CHR_FILE;
625         case S_IFIFO:
626                 return SECCLASS_FIFO_FILE;
627
628         }
629
630         return SECCLASS_FILE;
631 }
632
633 static inline int default_protocol_stream(int protocol)
634 {
635         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
636 }
637
638 static inline int default_protocol_dgram(int protocol)
639 {
640         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
641 }
642
643 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
644 {
645         switch (family) {
646         case PF_UNIX:
647                 switch (type) {
648                 case SOCK_STREAM:
649                 case SOCK_SEQPACKET:
650                         return SECCLASS_UNIX_STREAM_SOCKET;
651                 case SOCK_DGRAM:
652                         return SECCLASS_UNIX_DGRAM_SOCKET;
653                 }
654                 break;
655         case PF_INET:
656         case PF_INET6:
657                 switch (type) {
658                 case SOCK_STREAM:
659                         if (default_protocol_stream(protocol))
660                                 return SECCLASS_TCP_SOCKET;
661                         else
662                                 return SECCLASS_RAWIP_SOCKET;
663                 case SOCK_DGRAM:
664                         if (default_protocol_dgram(protocol))
665                                 return SECCLASS_UDP_SOCKET;
666                         else
667                                 return SECCLASS_RAWIP_SOCKET;
668                 default:
669                         return SECCLASS_RAWIP_SOCKET;
670                 }
671                 break;
672         case PF_NETLINK:
673                 switch (protocol) {
674                 case NETLINK_ROUTE:
675                         return SECCLASS_NETLINK_ROUTE_SOCKET;
676                 case NETLINK_FIREWALL:
677                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
678                 case NETLINK_INET_DIAG:
679                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
680                 case NETLINK_NFLOG:
681                         return SECCLASS_NETLINK_NFLOG_SOCKET;
682                 case NETLINK_XFRM:
683                         return SECCLASS_NETLINK_XFRM_SOCKET;
684                 case NETLINK_SELINUX:
685                         return SECCLASS_NETLINK_SELINUX_SOCKET;
686                 case NETLINK_AUDIT:
687                         return SECCLASS_NETLINK_AUDIT_SOCKET;
688                 case NETLINK_IP6_FW:
689                         return SECCLASS_NETLINK_IP6FW_SOCKET;
690                 case NETLINK_DNRTMSG:
691                         return SECCLASS_NETLINK_DNRT_SOCKET;
692                 case NETLINK_KOBJECT_UEVENT:
693                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
694                 default:
695                         return SECCLASS_NETLINK_SOCKET;
696                 }
697         case PF_PACKET:
698                 return SECCLASS_PACKET_SOCKET;
699         case PF_KEY:
700                 return SECCLASS_KEY_SOCKET;
701         case PF_APPLETALK:
702                 return SECCLASS_APPLETALK_SOCKET;
703         }
704
705         return SECCLASS_SOCKET;
706 }
707
708 #ifdef CONFIG_PROC_FS
709 static int selinux_proc_get_sid(struct proc_dir_entry *de,
710                                 u16 tclass,
711                                 u32 *sid)
712 {
713         int buflen, rc;
714         char *buffer, *path, *end;
715
716         buffer = (char*)__get_free_page(GFP_KERNEL);
717         if (!buffer)
718                 return -ENOMEM;
719
720         buflen = PAGE_SIZE;
721         end = buffer+buflen;
722         *--end = '\0';
723         buflen--;
724         path = end-1;
725         *path = '/';
726         while (de && de != de->parent) {
727                 buflen -= de->namelen + 1;
728                 if (buflen < 0)
729                         break;
730                 end -= de->namelen;
731                 memcpy(end, de->name, de->namelen);
732                 *--end = '/';
733                 path = end;
734                 de = de->parent;
735         }
736         rc = security_genfs_sid("proc", path, tclass, sid);
737         free_page((unsigned long)buffer);
738         return rc;
739 }
740 #else
741 static int selinux_proc_get_sid(struct proc_dir_entry *de,
742                                 u16 tclass,
743                                 u32 *sid)
744 {
745         return -EINVAL;
746 }
747 #endif
748
749 /* The inode's security attributes must be initialized before first use. */
750 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
751 {
752         struct superblock_security_struct *sbsec = NULL;
753         struct inode_security_struct *isec = inode->i_security;
754         u32 sid;
755         struct dentry *dentry;
756 #define INITCONTEXTLEN 255
757         char *context = NULL;
758         unsigned len = 0;
759         int rc = 0;
760         int hold_sem = 0;
761
762         if (isec->initialized)
763                 goto out;
764
765         down(&isec->sem);
766         hold_sem = 1;
767         if (isec->initialized)
768                 goto out;
769
770         sbsec = inode->i_sb->s_security;
771         if (!sbsec->initialized) {
772                 /* Defer initialization until selinux_complete_init,
773                    after the initial policy is loaded and the security
774                    server is ready to handle calls. */
775                 spin_lock(&sbsec->isec_lock);
776                 if (list_empty(&isec->list))
777                         list_add(&isec->list, &sbsec->isec_head);
778                 spin_unlock(&sbsec->isec_lock);
779                 goto out;
780         }
781
782         switch (sbsec->behavior) {
783         case SECURITY_FS_USE_XATTR:
784                 if (!inode->i_op->getxattr) {
785                         isec->sid = sbsec->def_sid;
786                         break;
787                 }
788
789                 /* Need a dentry, since the xattr API requires one.
790                    Life would be simpler if we could just pass the inode. */
791                 if (opt_dentry) {
792                         /* Called from d_instantiate or d_splice_alias. */
793                         dentry = dget(opt_dentry);
794                 } else {
795                         /* Called from selinux_complete_init, try to find a dentry. */
796                         dentry = d_find_alias(inode);
797                 }
798                 if (!dentry) {
799                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
800                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
801                                inode->i_ino);
802                         goto out;
803                 }
804
805                 len = INITCONTEXTLEN;
806                 context = kmalloc(len, GFP_KERNEL);
807                 if (!context) {
808                         rc = -ENOMEM;
809                         dput(dentry);
810                         goto out;
811                 }
812                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
813                                            context, len);
814                 if (rc == -ERANGE) {
815                         /* Need a larger buffer.  Query for the right size. */
816                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
817                                                    NULL, 0);
818                         if (rc < 0) {
819                                 dput(dentry);
820                                 goto out;
821                         }
822                         kfree(context);
823                         len = rc;
824                         context = kmalloc(len, GFP_KERNEL);
825                         if (!context) {
826                                 rc = -ENOMEM;
827                                 dput(dentry);
828                                 goto out;
829                         }
830                         rc = inode->i_op->getxattr(dentry,
831                                                    XATTR_NAME_SELINUX,
832                                                    context, len);
833                 }
834                 dput(dentry);
835                 if (rc < 0) {
836                         if (rc != -ENODATA) {
837                                 printk(KERN_WARNING "%s:  getxattr returned "
838                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
839                                        -rc, inode->i_sb->s_id, inode->i_ino);
840                                 kfree(context);
841                                 goto out;
842                         }
843                         /* Map ENODATA to the default file SID */
844                         sid = sbsec->def_sid;
845                         rc = 0;
846                 } else {
847                         rc = security_context_to_sid_default(context, rc, &sid,
848                                                              sbsec->def_sid);
849                         if (rc) {
850                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
851                                        "returned %d for dev=%s ino=%ld\n",
852                                        __FUNCTION__, context, -rc,
853                                        inode->i_sb->s_id, inode->i_ino);
854                                 kfree(context);
855                                 /* Leave with the unlabeled SID */
856                                 rc = 0;
857                                 break;
858                         }
859                 }
860                 kfree(context);
861                 isec->sid = sid;
862                 break;
863         case SECURITY_FS_USE_TASK:
864                 isec->sid = isec->task_sid;
865                 break;
866         case SECURITY_FS_USE_TRANS:
867                 /* Default to the fs SID. */
868                 isec->sid = sbsec->sid;
869
870                 /* Try to obtain a transition SID. */
871                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
872                 rc = security_transition_sid(isec->task_sid,
873                                              sbsec->sid,
874                                              isec->sclass,
875                                              &sid);
876                 if (rc)
877                         goto out;
878                 isec->sid = sid;
879                 break;
880         default:
881                 /* Default to the fs SID. */
882                 isec->sid = sbsec->sid;
883
884                 if (sbsec->proc) {
885                         struct proc_inode *proci = PROC_I(inode);
886                         if (proci->pde) {
887                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
888                                 rc = selinux_proc_get_sid(proci->pde,
889                                                           isec->sclass,
890                                                           &sid);
891                                 if (rc)
892                                         goto out;
893                                 isec->sid = sid;
894                         }
895                 }
896                 break;
897         }
898
899         isec->initialized = 1;
900
901 out:
902         if (isec->sclass == SECCLASS_FILE)
903                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
904
905         if (hold_sem)
906                 up(&isec->sem);
907         return rc;
908 }
909
910 /* Convert a Linux signal to an access vector. */
911 static inline u32 signal_to_av(int sig)
912 {
913         u32 perm = 0;
914
915         switch (sig) {
916         case SIGCHLD:
917                 /* Commonly granted from child to parent. */
918                 perm = PROCESS__SIGCHLD;
919                 break;
920         case SIGKILL:
921                 /* Cannot be caught or ignored */
922                 perm = PROCESS__SIGKILL;
923                 break;
924         case SIGSTOP:
925                 /* Cannot be caught or ignored */
926                 perm = PROCESS__SIGSTOP;
927                 break;
928         default:
929                 /* All other signals. */
930                 perm = PROCESS__SIGNAL;
931                 break;
932         }
933
934         return perm;
935 }
936
937 /* Check permission betweeen a pair of tasks, e.g. signal checks,
938    fork check, ptrace check, etc. */
939 static int task_has_perm(struct task_struct *tsk1,
940                          struct task_struct *tsk2,
941                          u32 perms)
942 {
943         struct task_security_struct *tsec1, *tsec2;
944
945         tsec1 = tsk1->security;
946         tsec2 = tsk2->security;
947         return avc_has_perm(tsec1->sid, tsec2->sid,
948                             SECCLASS_PROCESS, perms, NULL);
949 }
950
951 /* Check whether a task is allowed to use a capability. */
952 static int task_has_capability(struct task_struct *tsk,
953                                int cap)
954 {
955         struct task_security_struct *tsec;
956         struct avc_audit_data ad;
957
958         tsec = tsk->security;
959
960         AVC_AUDIT_DATA_INIT(&ad,CAP);
961         ad.tsk = tsk;
962         ad.u.cap = cap;
963
964         return avc_has_perm(tsec->sid, tsec->sid,
965                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
966 }
967
968 /* Check whether a task is allowed to use a system operation. */
969 static int task_has_system(struct task_struct *tsk,
970                            u32 perms)
971 {
972         struct task_security_struct *tsec;
973
974         tsec = tsk->security;
975
976         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
977                             SECCLASS_SYSTEM, perms, NULL);
978 }
979
980 /* Check whether a task has a particular permission to an inode.
981    The 'adp' parameter is optional and allows other audit
982    data to be passed (e.g. the dentry). */
983 static int inode_has_perm(struct task_struct *tsk,
984                           struct inode *inode,
985                           u32 perms,
986                           struct avc_audit_data *adp)
987 {
988         struct task_security_struct *tsec;
989         struct inode_security_struct *isec;
990         struct avc_audit_data ad;
991
992         tsec = tsk->security;
993         isec = inode->i_security;
994
995         if (!adp) {
996                 adp = &ad;
997                 AVC_AUDIT_DATA_INIT(&ad, FS);
998                 ad.u.fs.inode = inode;
999         }
1000
1001         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1002 }
1003
1004 /* Same as inode_has_perm, but pass explicit audit data containing
1005    the dentry to help the auditing code to more easily generate the
1006    pathname if needed. */
1007 static inline int dentry_has_perm(struct task_struct *tsk,
1008                                   struct vfsmount *mnt,
1009                                   struct dentry *dentry,
1010                                   u32 av)
1011 {
1012         struct inode *inode = dentry->d_inode;
1013         struct avc_audit_data ad;
1014         AVC_AUDIT_DATA_INIT(&ad,FS);
1015         ad.u.fs.mnt = mnt;
1016         ad.u.fs.dentry = dentry;
1017         return inode_has_perm(tsk, inode, av, &ad);
1018 }
1019
1020 /* Check whether a task can use an open file descriptor to
1021    access an inode in a given way.  Check access to the
1022    descriptor itself, and then use dentry_has_perm to
1023    check a particular permission to the file.
1024    Access to the descriptor is implicitly granted if it
1025    has the same SID as the process.  If av is zero, then
1026    access to the file is not checked, e.g. for cases
1027    where only the descriptor is affected like seek. */
1028 static int file_has_perm(struct task_struct *tsk,
1029                                 struct file *file,
1030                                 u32 av)
1031 {
1032         struct task_security_struct *tsec = tsk->security;
1033         struct file_security_struct *fsec = file->f_security;
1034         struct vfsmount *mnt = file->f_vfsmnt;
1035         struct dentry *dentry = file->f_dentry;
1036         struct inode *inode = dentry->d_inode;
1037         struct avc_audit_data ad;
1038         int rc;
1039
1040         AVC_AUDIT_DATA_INIT(&ad, FS);
1041         ad.u.fs.mnt = mnt;
1042         ad.u.fs.dentry = dentry;
1043
1044         if (tsec->sid != fsec->sid) {
1045                 rc = avc_has_perm(tsec->sid, fsec->sid,
1046                                   SECCLASS_FD,
1047                                   FD__USE,
1048                                   &ad);
1049                 if (rc)
1050                         return rc;
1051         }
1052
1053         /* av is zero if only checking access to the descriptor. */
1054         if (av)
1055                 return inode_has_perm(tsk, inode, av, &ad);
1056
1057         return 0;
1058 }
1059
1060 /* Check whether a task can create a file. */
1061 static int may_create(struct inode *dir,
1062                       struct dentry *dentry,
1063                       u16 tclass)
1064 {
1065         struct task_security_struct *tsec;
1066         struct inode_security_struct *dsec;
1067         struct superblock_security_struct *sbsec;
1068         u32 newsid;
1069         struct avc_audit_data ad;
1070         int rc;
1071
1072         tsec = current->security;
1073         dsec = dir->i_security;
1074         sbsec = dir->i_sb->s_security;
1075
1076         AVC_AUDIT_DATA_INIT(&ad, FS);
1077         ad.u.fs.dentry = dentry;
1078
1079         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1080                           DIR__ADD_NAME | DIR__SEARCH,
1081                           &ad);
1082         if (rc)
1083                 return rc;
1084
1085         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1086                 newsid = tsec->create_sid;
1087         } else {
1088                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1089                                              &newsid);
1090                 if (rc)
1091                         return rc;
1092         }
1093
1094         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1095         if (rc)
1096                 return rc;
1097
1098         return avc_has_perm(newsid, sbsec->sid,
1099                             SECCLASS_FILESYSTEM,
1100                             FILESYSTEM__ASSOCIATE, &ad);
1101 }
1102
1103 /* Check whether a task can create a key. */
1104 static int may_create_key(u32 ksid,
1105                           struct task_struct *ctx)
1106 {
1107         struct task_security_struct *tsec;
1108
1109         tsec = ctx->security;
1110
1111         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1112 }
1113
1114 #define MAY_LINK   0
1115 #define MAY_UNLINK 1
1116 #define MAY_RMDIR  2
1117
1118 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1119 static int may_link(struct inode *dir,
1120                     struct dentry *dentry,
1121                     int kind)
1122
1123 {
1124         struct task_security_struct *tsec;
1125         struct inode_security_struct *dsec, *isec;
1126         struct avc_audit_data ad;
1127         u32 av;
1128         int rc;
1129
1130         tsec = current->security;
1131         dsec = dir->i_security;
1132         isec = dentry->d_inode->i_security;
1133
1134         AVC_AUDIT_DATA_INIT(&ad, FS);
1135         ad.u.fs.dentry = dentry;
1136
1137         av = DIR__SEARCH;
1138         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1139         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1140         if (rc)
1141                 return rc;
1142
1143         switch (kind) {
1144         case MAY_LINK:
1145                 av = FILE__LINK;
1146                 break;
1147         case MAY_UNLINK:
1148                 av = FILE__UNLINK;
1149                 break;
1150         case MAY_RMDIR:
1151                 av = DIR__RMDIR;
1152                 break;
1153         default:
1154                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1155                 return 0;
1156         }
1157
1158         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1159         return rc;
1160 }
1161
1162 static inline int may_rename(struct inode *old_dir,
1163                              struct dentry *old_dentry,
1164                              struct inode *new_dir,
1165                              struct dentry *new_dentry)
1166 {
1167         struct task_security_struct *tsec;
1168         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1169         struct avc_audit_data ad;
1170         u32 av;
1171         int old_is_dir, new_is_dir;
1172         int rc;
1173
1174         tsec = current->security;
1175         old_dsec = old_dir->i_security;
1176         old_isec = old_dentry->d_inode->i_security;
1177         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1178         new_dsec = new_dir->i_security;
1179
1180         AVC_AUDIT_DATA_INIT(&ad, FS);
1181
1182         ad.u.fs.dentry = old_dentry;
1183         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1184                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1185         if (rc)
1186                 return rc;
1187         rc = avc_has_perm(tsec->sid, old_isec->sid,
1188                           old_isec->sclass, FILE__RENAME, &ad);
1189         if (rc)
1190                 return rc;
1191         if (old_is_dir && new_dir != old_dir) {
1192                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1193                                   old_isec->sclass, DIR__REPARENT, &ad);
1194                 if (rc)
1195                         return rc;
1196         }
1197
1198         ad.u.fs.dentry = new_dentry;
1199         av = DIR__ADD_NAME | DIR__SEARCH;
1200         if (new_dentry->d_inode)
1201                 av |= DIR__REMOVE_NAME;
1202         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1203         if (rc)
1204                 return rc;
1205         if (new_dentry->d_inode) {
1206                 new_isec = new_dentry->d_inode->i_security;
1207                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1208                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1209                                   new_isec->sclass,
1210                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1211                 if (rc)
1212                         return rc;
1213         }
1214
1215         return 0;
1216 }
1217
1218 /* Check whether a task can perform a filesystem operation. */
1219 static int superblock_has_perm(struct task_struct *tsk,
1220                                struct super_block *sb,
1221                                u32 perms,
1222                                struct avc_audit_data *ad)
1223 {
1224         struct task_security_struct *tsec;
1225         struct superblock_security_struct *sbsec;
1226
1227         tsec = tsk->security;
1228         sbsec = sb->s_security;
1229         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1230                             perms, ad);
1231 }
1232
1233 /* Convert a Linux mode and permission mask to an access vector. */
1234 static inline u32 file_mask_to_av(int mode, int mask)
1235 {
1236         u32 av = 0;
1237
1238         if ((mode & S_IFMT) != S_IFDIR) {
1239                 if (mask & MAY_EXEC)
1240                         av |= FILE__EXECUTE;
1241                 if (mask & MAY_READ)
1242                         av |= FILE__READ;
1243
1244                 if (mask & MAY_APPEND)
1245                         av |= FILE__APPEND;
1246                 else if (mask & MAY_WRITE)
1247                         av |= FILE__WRITE;
1248
1249         } else {
1250                 if (mask & MAY_EXEC)
1251                         av |= DIR__SEARCH;
1252                 if (mask & MAY_WRITE)
1253                         av |= DIR__WRITE;
1254                 if (mask & MAY_READ)
1255                         av |= DIR__READ;
1256         }
1257
1258         return av;
1259 }
1260
1261 /* Convert a Linux file to an access vector. */
1262 static inline u32 file_to_av(struct file *file)
1263 {
1264         u32 av = 0;
1265
1266         if (file->f_mode & FMODE_READ)
1267                 av |= FILE__READ;
1268         if (file->f_mode & FMODE_WRITE) {
1269                 if (file->f_flags & O_APPEND)
1270                         av |= FILE__APPEND;
1271                 else
1272                         av |= FILE__WRITE;
1273         }
1274
1275         return av;
1276 }
1277
1278 /* Set an inode's SID to a specified value. */
1279 static int inode_security_set_sid(struct inode *inode, u32 sid)
1280 {
1281         struct inode_security_struct *isec = inode->i_security;
1282         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1283
1284         if (!sbsec->initialized) {
1285                 /* Defer initialization to selinux_complete_init. */
1286                 return 0;
1287         }
1288
1289         down(&isec->sem);
1290         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1291         isec->sid = sid;
1292         isec->initialized = 1;
1293         up(&isec->sem);
1294         return 0;
1295 }
1296
1297 /* Hook functions begin here. */
1298
1299 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1300 {
1301         struct task_security_struct *psec = parent->security;
1302         struct task_security_struct *csec = child->security;
1303         int rc;
1304
1305         rc = secondary_ops->ptrace(parent,child);
1306         if (rc)
1307                 return rc;
1308
1309         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1310         /* Save the SID of the tracing process for later use in apply_creds. */
1311         if (!(child->ptrace & PT_PTRACED) && !rc)
1312                 csec->ptrace_sid = psec->sid;
1313         return rc;
1314 }
1315
1316 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1317                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1318 {
1319         int error;
1320
1321         error = task_has_perm(current, target, PROCESS__GETCAP);
1322         if (error)
1323                 return error;
1324
1325         return secondary_ops->capget(target, effective, inheritable, permitted);
1326 }
1327
1328 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1329                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1330 {
1331         int error;
1332
1333         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1334         if (error)
1335                 return error;
1336
1337         return task_has_perm(current, target, PROCESS__SETCAP);
1338 }
1339
1340 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1341                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1342 {
1343         secondary_ops->capset_set(target, effective, inheritable, permitted);
1344 }
1345
1346 static int selinux_capable(struct task_struct *tsk, int cap)
1347 {
1348         int rc;
1349
1350         rc = secondary_ops->capable(tsk, cap);
1351         if (rc)
1352                 return rc;
1353
1354         return task_has_capability(tsk,cap);
1355 }
1356
1357 static int selinux_sysctl(ctl_table *table, int op)
1358 {
1359         int error = 0;
1360         u32 av;
1361         struct task_security_struct *tsec;
1362         u32 tsid;
1363         int rc;
1364
1365         rc = secondary_ops->sysctl(table, op);
1366         if (rc)
1367                 return rc;
1368
1369         tsec = current->security;
1370
1371         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1372                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1373         if (rc) {
1374                 /* Default to the well-defined sysctl SID. */
1375                 tsid = SECINITSID_SYSCTL;
1376         }
1377
1378         /* The op values are "defined" in sysctl.c, thereby creating
1379          * a bad coupling between this module and sysctl.c */
1380         if(op == 001) {
1381                 error = avc_has_perm(tsec->sid, tsid,
1382                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1383         } else {
1384                 av = 0;
1385                 if (op & 004)
1386                         av |= FILE__READ;
1387                 if (op & 002)
1388                         av |= FILE__WRITE;
1389                 if (av)
1390                         error = avc_has_perm(tsec->sid, tsid,
1391                                              SECCLASS_FILE, av, NULL);
1392         }
1393
1394         return error;
1395 }
1396
1397 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1398 {
1399         int rc = 0;
1400
1401         if (!sb)
1402                 return 0;
1403
1404         switch (cmds) {
1405                 case Q_SYNC:
1406                 case Q_QUOTAON:
1407                 case Q_QUOTAOFF:
1408                 case Q_SETINFO:
1409                 case Q_SETQUOTA:
1410                         rc = superblock_has_perm(current,
1411                                                  sb,
1412                                                  FILESYSTEM__QUOTAMOD, NULL);
1413                         break;
1414                 case Q_GETFMT:
1415                 case Q_GETINFO:
1416                 case Q_GETQUOTA:
1417                         rc = superblock_has_perm(current,
1418                                                  sb,
1419                                                  FILESYSTEM__QUOTAGET, NULL);
1420                         break;
1421                 default:
1422                         rc = 0;  /* let the kernel handle invalid cmds */
1423                         break;
1424         }
1425         return rc;
1426 }
1427
1428 static int selinux_quota_on(struct dentry *dentry)
1429 {
1430         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1431 }
1432
1433 static int selinux_syslog(int type)
1434 {
1435         int rc;
1436
1437         rc = secondary_ops->syslog(type);
1438         if (rc)
1439                 return rc;
1440
1441         switch (type) {
1442                 case 3:         /* Read last kernel messages */
1443                 case 10:        /* Return size of the log buffer */
1444                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1445                         break;
1446                 case 6:         /* Disable logging to console */
1447                 case 7:         /* Enable logging to console */
1448                 case 8:         /* Set level of messages printed to console */
1449                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1450                         break;
1451                 case 0:         /* Close log */
1452                 case 1:         /* Open log */
1453                 case 2:         /* Read from log */
1454                 case 4:         /* Read/clear last kernel messages */
1455                 case 5:         /* Clear ring buffer */
1456                 default:
1457                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1458                         break;
1459         }
1460         return rc;
1461 }
1462
1463 /*
1464  * Check that a process has enough memory to allocate a new virtual
1465  * mapping. 0 means there is enough memory for the allocation to
1466  * succeed and -ENOMEM implies there is not.
1467  *
1468  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1469  * if the capability is granted, but __vm_enough_memory requires 1 if
1470  * the capability is granted.
1471  *
1472  * Do not audit the selinux permission check, as this is applied to all
1473  * processes that allocate mappings.
1474  */
1475 static int selinux_vm_enough_memory(long pages)
1476 {
1477         int rc, cap_sys_admin = 0;
1478         struct task_security_struct *tsec = current->security;
1479
1480         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1481         if (rc == 0)
1482                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1483                                         SECCLASS_CAPABILITY,
1484                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1485                                         NULL);
1486
1487         if (rc == 0)
1488                 cap_sys_admin = 1;
1489
1490         return __vm_enough_memory(pages, cap_sys_admin);
1491 }
1492
1493 /* binprm security operations */
1494
1495 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1496 {
1497         struct bprm_security_struct *bsec;
1498
1499         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1500         if (!bsec)
1501                 return -ENOMEM;
1502
1503         bsec->bprm = bprm;
1504         bsec->sid = SECINITSID_UNLABELED;
1505         bsec->set = 0;
1506
1507         bprm->security = bsec;
1508         return 0;
1509 }
1510
1511 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1512 {
1513         struct task_security_struct *tsec;
1514         struct inode *inode = bprm->file->f_dentry->d_inode;
1515         struct inode_security_struct *isec;
1516         struct bprm_security_struct *bsec;
1517         u32 newsid;
1518         struct avc_audit_data ad;
1519         int rc;
1520
1521         rc = secondary_ops->bprm_set_security(bprm);
1522         if (rc)
1523                 return rc;
1524
1525         bsec = bprm->security;
1526
1527         if (bsec->set)
1528                 return 0;
1529
1530         tsec = current->security;
1531         isec = inode->i_security;
1532
1533         /* Default to the current task SID. */
1534         bsec->sid = tsec->sid;
1535
1536         /* Reset fs, key, and sock SIDs on execve. */
1537         tsec->create_sid = 0;
1538         tsec->keycreate_sid = 0;
1539         tsec->sockcreate_sid = 0;
1540
1541         if (tsec->exec_sid) {
1542                 newsid = tsec->exec_sid;
1543                 /* Reset exec SID on execve. */
1544                 tsec->exec_sid = 0;
1545         } else {
1546                 /* Check for a default transition on this program. */
1547                 rc = security_transition_sid(tsec->sid, isec->sid,
1548                                              SECCLASS_PROCESS, &newsid);
1549                 if (rc)
1550                         return rc;
1551         }
1552
1553         AVC_AUDIT_DATA_INIT(&ad, FS);
1554         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1555         ad.u.fs.dentry = bprm->file->f_dentry;
1556
1557         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1558                 newsid = tsec->sid;
1559
1560         if (tsec->sid == newsid) {
1561                 rc = avc_has_perm(tsec->sid, isec->sid,
1562                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1563                 if (rc)
1564                         return rc;
1565         } else {
1566                 /* Check permissions for the transition. */
1567                 rc = avc_has_perm(tsec->sid, newsid,
1568                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1569                 if (rc)
1570                         return rc;
1571
1572                 rc = avc_has_perm(newsid, isec->sid,
1573                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1574                 if (rc)
1575                         return rc;
1576
1577                 /* Clear any possibly unsafe personality bits on exec: */
1578                 current->personality &= ~PER_CLEAR_ON_SETID;
1579
1580                 /* Set the security field to the new SID. */
1581                 bsec->sid = newsid;
1582         }
1583
1584         bsec->set = 1;
1585         return 0;
1586 }
1587
1588 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1589 {
1590         return secondary_ops->bprm_check_security(bprm);
1591 }
1592
1593
1594 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1595 {
1596         struct task_security_struct *tsec = current->security;
1597         int atsecure = 0;
1598
1599         if (tsec->osid != tsec->sid) {
1600                 /* Enable secure mode for SIDs transitions unless
1601                    the noatsecure permission is granted between
1602                    the two SIDs, i.e. ahp returns 0. */
1603                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1604                                          SECCLASS_PROCESS,
1605                                          PROCESS__NOATSECURE, NULL);
1606         }
1607
1608         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1609 }
1610
1611 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1612 {
1613         kfree(bprm->security);
1614         bprm->security = NULL;
1615 }
1616
1617 extern struct vfsmount *selinuxfs_mount;
1618 extern struct dentry *selinux_null;
1619
1620 /* Derived from fs/exec.c:flush_old_files. */
1621 static inline void flush_unauthorized_files(struct files_struct * files)
1622 {
1623         struct avc_audit_data ad;
1624         struct file *file, *devnull = NULL;
1625         struct tty_struct *tty = current->signal->tty;
1626         struct fdtable *fdt;
1627         long j = -1;
1628
1629         if (tty) {
1630                 file_list_lock();
1631                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1632                 if (file) {
1633                         /* Revalidate access to controlling tty.
1634                            Use inode_has_perm on the tty inode directly rather
1635                            than using file_has_perm, as this particular open
1636                            file may belong to another process and we are only
1637                            interested in the inode-based check here. */
1638                         struct inode *inode = file->f_dentry->d_inode;
1639                         if (inode_has_perm(current, inode,
1640                                            FILE__READ | FILE__WRITE, NULL)) {
1641                                 /* Reset controlling tty. */
1642                                 current->signal->tty = NULL;
1643                                 current->signal->tty_old_pgrp = 0;
1644                         }
1645                 }
1646                 file_list_unlock();
1647         }
1648
1649         /* Revalidate access to inherited open files. */
1650
1651         AVC_AUDIT_DATA_INIT(&ad,FS);
1652
1653         spin_lock(&files->file_lock);
1654         for (;;) {
1655                 unsigned long set, i;
1656                 int fd;
1657
1658                 j++;
1659                 i = j * __NFDBITS;
1660                 fdt = files_fdtable(files);
1661                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1662                         break;
1663                 set = fdt->open_fds->fds_bits[j];
1664                 if (!set)
1665                         continue;
1666                 spin_unlock(&files->file_lock);
1667                 for ( ; set ; i++,set >>= 1) {
1668                         if (set & 1) {
1669                                 file = fget(i);
1670                                 if (!file)
1671                                         continue;
1672                                 if (file_has_perm(current,
1673                                                   file,
1674                                                   file_to_av(file))) {
1675                                         sys_close(i);
1676                                         fd = get_unused_fd();
1677                                         if (fd != i) {
1678                                                 if (fd >= 0)
1679                                                         put_unused_fd(fd);
1680                                                 fput(file);
1681                                                 continue;
1682                                         }
1683                                         if (devnull) {
1684                                                 get_file(devnull);
1685                                         } else {
1686                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1687                                                 if (!devnull) {
1688                                                         put_unused_fd(fd);
1689                                                         fput(file);
1690                                                         continue;
1691                                                 }
1692                                         }
1693                                         fd_install(fd, devnull);
1694                                 }
1695                                 fput(file);
1696                         }
1697                 }
1698                 spin_lock(&files->file_lock);
1699
1700         }
1701         spin_unlock(&files->file_lock);
1702 }
1703
1704 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1705 {
1706         struct task_security_struct *tsec;
1707         struct bprm_security_struct *bsec;
1708         u32 sid;
1709         int rc;
1710
1711         secondary_ops->bprm_apply_creds(bprm, unsafe);
1712
1713         tsec = current->security;
1714
1715         bsec = bprm->security;
1716         sid = bsec->sid;
1717
1718         tsec->osid = tsec->sid;
1719         bsec->unsafe = 0;
1720         if (tsec->sid != sid) {
1721                 /* Check for shared state.  If not ok, leave SID
1722                    unchanged and kill. */
1723                 if (unsafe & LSM_UNSAFE_SHARE) {
1724                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1725                                         PROCESS__SHARE, NULL);
1726                         if (rc) {
1727                                 bsec->unsafe = 1;
1728                                 return;
1729                         }
1730                 }
1731
1732                 /* Check for ptracing, and update the task SID if ok.
1733                    Otherwise, leave SID unchanged and kill. */
1734                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1735                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1736                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1737                                           NULL);
1738                         if (rc) {
1739                                 bsec->unsafe = 1;
1740                                 return;
1741                         }
1742                 }
1743                 tsec->sid = sid;
1744         }
1745 }
1746
1747 /*
1748  * called after apply_creds without the task lock held
1749  */
1750 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1751 {
1752         struct task_security_struct *tsec;
1753         struct rlimit *rlim, *initrlim;
1754         struct itimerval itimer;
1755         struct bprm_security_struct *bsec;
1756         int rc, i;
1757
1758         tsec = current->security;
1759         bsec = bprm->security;
1760
1761         if (bsec->unsafe) {
1762                 force_sig_specific(SIGKILL, current);
1763                 return;
1764         }
1765         if (tsec->osid == tsec->sid)
1766                 return;
1767
1768         /* Close files for which the new task SID is not authorized. */
1769         flush_unauthorized_files(current->files);
1770
1771         /* Check whether the new SID can inherit signal state
1772            from the old SID.  If not, clear itimers to avoid
1773            subsequent signal generation and flush and unblock
1774            signals. This must occur _after_ the task SID has
1775           been updated so that any kill done after the flush
1776           will be checked against the new SID. */
1777         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1778                           PROCESS__SIGINH, NULL);
1779         if (rc) {
1780                 memset(&itimer, 0, sizeof itimer);
1781                 for (i = 0; i < 3; i++)
1782                         do_setitimer(i, &itimer, NULL);
1783                 flush_signals(current);
1784                 spin_lock_irq(&current->sighand->siglock);
1785                 flush_signal_handlers(current, 1);
1786                 sigemptyset(&current->blocked);
1787                 recalc_sigpending();
1788                 spin_unlock_irq(&current->sighand->siglock);
1789         }
1790
1791         /* Check whether the new SID can inherit resource limits
1792            from the old SID.  If not, reset all soft limits to
1793            the lower of the current task's hard limit and the init
1794            task's soft limit.  Note that the setting of hard limits
1795            (even to lower them) can be controlled by the setrlimit
1796            check. The inclusion of the init task's soft limit into
1797            the computation is to avoid resetting soft limits higher
1798            than the default soft limit for cases where the default
1799            is lower than the hard limit, e.g. RLIMIT_CORE or
1800            RLIMIT_STACK.*/
1801         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1802                           PROCESS__RLIMITINH, NULL);
1803         if (rc) {
1804                 for (i = 0; i < RLIM_NLIMITS; i++) {
1805                         rlim = current->signal->rlim + i;
1806                         initrlim = init_task.signal->rlim+i;
1807                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1808                 }
1809                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1810                         /*
1811                          * This will cause RLIMIT_CPU calculations
1812                          * to be refigured.
1813                          */
1814                         current->it_prof_expires = jiffies_to_cputime(1);
1815                 }
1816         }
1817
1818         /* Wake up the parent if it is waiting so that it can
1819            recheck wait permission to the new task SID. */
1820         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1821 }
1822
1823 /* superblock security operations */
1824
1825 static int selinux_sb_alloc_security(struct super_block *sb)
1826 {
1827         return superblock_alloc_security(sb);
1828 }
1829
1830 static void selinux_sb_free_security(struct super_block *sb)
1831 {
1832         superblock_free_security(sb);
1833 }
1834
1835 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1836 {
1837         if (plen > olen)
1838                 return 0;
1839
1840         return !memcmp(prefix, option, plen);
1841 }
1842
1843 static inline int selinux_option(char *option, int len)
1844 {
1845         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1846                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1847                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1848 }
1849
1850 static inline void take_option(char **to, char *from, int *first, int len)
1851 {
1852         if (!*first) {
1853                 **to = ',';
1854                 *to += 1;
1855         }
1856         else
1857                 *first = 0;
1858         memcpy(*to, from, len);
1859         *to += len;
1860 }
1861
1862 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1863 {
1864         int fnosec, fsec, rc = 0;
1865         char *in_save, *in_curr, *in_end;
1866         char *sec_curr, *nosec_save, *nosec;
1867
1868         in_curr = orig;
1869         sec_curr = copy;
1870
1871         /* Binary mount data: just copy */
1872         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1873                 copy_page(sec_curr, in_curr);
1874                 goto out;
1875         }
1876
1877         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1878         if (!nosec) {
1879                 rc = -ENOMEM;
1880                 goto out;
1881         }
1882
1883         nosec_save = nosec;
1884         fnosec = fsec = 1;
1885         in_save = in_end = orig;
1886
1887         do {
1888                 if (*in_end == ',' || *in_end == '\0') {
1889                         int len = in_end - in_curr;
1890
1891                         if (selinux_option(in_curr, len))
1892                                 take_option(&sec_curr, in_curr, &fsec, len);
1893                         else
1894                                 take_option(&nosec, in_curr, &fnosec, len);
1895
1896                         in_curr = in_end + 1;
1897                 }
1898         } while (*in_end++);
1899
1900         strcpy(in_save, nosec_save);
1901         free_page((unsigned long)nosec_save);
1902 out:
1903         return rc;
1904 }
1905
1906 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1907 {
1908         struct avc_audit_data ad;
1909         int rc;
1910
1911         rc = superblock_doinit(sb, data);
1912         if (rc)
1913                 return rc;
1914
1915         AVC_AUDIT_DATA_INIT(&ad,FS);
1916         ad.u.fs.dentry = sb->s_root;
1917         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1918 }
1919
1920 static int selinux_sb_statfs(struct dentry *dentry)
1921 {
1922         struct avc_audit_data ad;
1923
1924         AVC_AUDIT_DATA_INIT(&ad,FS);
1925         ad.u.fs.dentry = dentry->d_sb->s_root;
1926         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
1927 }
1928
1929 static int selinux_mount(char * dev_name,
1930                          struct nameidata *nd,
1931                          char * type,
1932                          unsigned long flags,
1933                          void * data)
1934 {
1935         int rc;
1936
1937         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1938         if (rc)
1939                 return rc;
1940
1941         if (flags & MS_REMOUNT)
1942                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1943                                            FILESYSTEM__REMOUNT, NULL);
1944         else
1945                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1946                                        FILE__MOUNTON);
1947 }
1948
1949 static int selinux_umount(struct vfsmount *mnt, int flags)
1950 {
1951         int rc;
1952
1953         rc = secondary_ops->sb_umount(mnt, flags);
1954         if (rc)
1955                 return rc;
1956
1957         return superblock_has_perm(current,mnt->mnt_sb,
1958                                    FILESYSTEM__UNMOUNT,NULL);
1959 }
1960
1961 /* inode security operations */
1962
1963 static int selinux_inode_alloc_security(struct inode *inode)
1964 {
1965         return inode_alloc_security(inode);
1966 }
1967
1968 static void selinux_inode_free_security(struct inode *inode)
1969 {
1970         inode_free_security(inode);
1971 }
1972
1973 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1974                                        char **name, void **value,
1975                                        size_t *len)
1976 {
1977         struct task_security_struct *tsec;
1978         struct inode_security_struct *dsec;
1979         struct superblock_security_struct *sbsec;
1980         u32 newsid, clen;
1981         int rc;
1982         char *namep = NULL, *context;
1983
1984         tsec = current->security;
1985         dsec = dir->i_security;
1986         sbsec = dir->i_sb->s_security;
1987
1988         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1989                 newsid = tsec->create_sid;
1990         } else {
1991                 rc = security_transition_sid(tsec->sid, dsec->sid,
1992                                              inode_mode_to_security_class(inode->i_mode),
1993                                              &newsid);
1994                 if (rc) {
1995                         printk(KERN_WARNING "%s:  "
1996                                "security_transition_sid failed, rc=%d (dev=%s "
1997                                "ino=%ld)\n",
1998                                __FUNCTION__,
1999                                -rc, inode->i_sb->s_id, inode->i_ino);
2000                         return rc;
2001                 }
2002         }
2003
2004         inode_security_set_sid(inode, newsid);
2005
2006         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2007                 return -EOPNOTSUPP;
2008
2009         if (name) {
2010                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2011                 if (!namep)
2012                         return -ENOMEM;
2013                 *name = namep;
2014         }
2015
2016         if (value && len) {
2017                 rc = security_sid_to_context(newsid, &context, &clen);
2018                 if (rc) {
2019                         kfree(namep);
2020                         return rc;
2021                 }
2022                 *value = context;
2023                 *len = clen;
2024         }
2025
2026         return 0;
2027 }
2028
2029 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2030 {
2031         return may_create(dir, dentry, SECCLASS_FILE);
2032 }
2033
2034 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2035 {
2036         int rc;
2037
2038         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2039         if (rc)
2040                 return rc;
2041         return may_link(dir, old_dentry, MAY_LINK);
2042 }
2043
2044 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2045 {
2046         int rc;
2047
2048         rc = secondary_ops->inode_unlink(dir, dentry);
2049         if (rc)
2050                 return rc;
2051         return may_link(dir, dentry, MAY_UNLINK);
2052 }
2053
2054 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2055 {
2056         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2057 }
2058
2059 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2060 {
2061         return may_create(dir, dentry, SECCLASS_DIR);
2062 }
2063
2064 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2065 {
2066         return may_link(dir, dentry, MAY_RMDIR);
2067 }
2068
2069 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2070 {
2071         int rc;
2072
2073         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2074         if (rc)
2075                 return rc;
2076
2077         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2078 }
2079
2080 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2081                                 struct inode *new_inode, struct dentry *new_dentry)
2082 {
2083         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2084 }
2085
2086 static int selinux_inode_readlink(struct dentry *dentry)
2087 {
2088         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2089 }
2090
2091 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2092 {
2093         int rc;
2094
2095         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2096         if (rc)
2097                 return rc;
2098         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2099 }
2100
2101 static int selinux_inode_permission(struct inode *inode, int mask,
2102                                     struct nameidata *nd)
2103 {
2104         int rc;
2105
2106         rc = secondary_ops->inode_permission(inode, mask, nd);
2107         if (rc)
2108                 return rc;
2109
2110         if (!mask) {
2111                 /* No permission to check.  Existence test. */
2112                 return 0;
2113         }
2114
2115         return inode_has_perm(current, inode,
2116                                file_mask_to_av(inode->i_mode, mask), NULL);
2117 }
2118
2119 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2120 {
2121         int rc;
2122
2123         rc = secondary_ops->inode_setattr(dentry, iattr);
2124         if (rc)
2125                 return rc;
2126
2127         if (iattr->ia_valid & ATTR_FORCE)
2128                 return 0;
2129
2130         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2131                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2132                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2133
2134         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2135 }
2136
2137 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2138 {
2139         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2140 }
2141
2142 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2143 {
2144         struct task_security_struct *tsec = current->security;
2145         struct inode *inode = dentry->d_inode;
2146         struct inode_security_struct *isec = inode->i_security;
2147         struct superblock_security_struct *sbsec;
2148         struct avc_audit_data ad;
2149         u32 newsid;
2150         int rc = 0;
2151
2152         if (strcmp(name, XATTR_NAME_SELINUX)) {
2153                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2154                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2155                     !capable(CAP_SYS_ADMIN)) {
2156                         /* A different attribute in the security namespace.
2157                            Restrict to administrator. */
2158                         return -EPERM;
2159                 }
2160
2161                 /* Not an attribute we recognize, so just check the
2162                    ordinary setattr permission. */
2163                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2164         }
2165
2166         sbsec = inode->i_sb->s_security;
2167         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2168                 return -EOPNOTSUPP;
2169
2170         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2171                 return -EPERM;
2172
2173         AVC_AUDIT_DATA_INIT(&ad,FS);
2174         ad.u.fs.dentry = dentry;
2175
2176         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2177                           FILE__RELABELFROM, &ad);
2178         if (rc)
2179                 return rc;
2180
2181         rc = security_context_to_sid(value, size, &newsid);
2182         if (rc)
2183                 return rc;
2184
2185         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2186                           FILE__RELABELTO, &ad);
2187         if (rc)
2188                 return rc;
2189
2190         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2191                                           isec->sclass);
2192         if (rc)
2193                 return rc;
2194
2195         return avc_has_perm(newsid,
2196                             sbsec->sid,
2197                             SECCLASS_FILESYSTEM,
2198                             FILESYSTEM__ASSOCIATE,
2199                             &ad);
2200 }
2201
2202 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2203                                         void *value, size_t size, int flags)
2204 {
2205         struct inode *inode = dentry->d_inode;
2206         struct inode_security_struct *isec = inode->i_security;
2207         u32 newsid;
2208         int rc;
2209
2210         if (strcmp(name, XATTR_NAME_SELINUX)) {
2211                 /* Not an attribute we recognize, so nothing to do. */
2212                 return;
2213         }
2214
2215         rc = security_context_to_sid(value, size, &newsid);
2216         if (rc) {
2217                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2218                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2219                 return;
2220         }
2221
2222         isec->sid = newsid;
2223         return;
2224 }
2225
2226 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2227 {
2228         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2229 }
2230
2231 static int selinux_inode_listxattr (struct dentry *dentry)
2232 {
2233         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2234 }
2235
2236 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2237 {
2238         if (strcmp(name, XATTR_NAME_SELINUX)) {
2239                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2240                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2241                     !capable(CAP_SYS_ADMIN)) {
2242                         /* A different attribute in the security namespace.
2243                            Restrict to administrator. */
2244                         return -EPERM;
2245                 }
2246
2247                 /* Not an attribute we recognize, so just check the
2248                    ordinary setattr permission. Might want a separate
2249                    permission for removexattr. */
2250                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2251         }
2252
2253         /* No one is allowed to remove a SELinux security label.
2254            You can change the label, but all data must be labeled. */
2255         return -EACCES;
2256 }
2257
2258 static const char *selinux_inode_xattr_getsuffix(void)
2259 {
2260       return XATTR_SELINUX_SUFFIX;
2261 }
2262
2263 /*
2264  * Copy the in-core inode security context value to the user.  If the
2265  * getxattr() prior to this succeeded, check to see if we need to
2266  * canonicalize the value to be finally returned to the user.
2267  *
2268  * Permission check is handled by selinux_inode_getxattr hook.
2269  */
2270 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2271 {
2272         struct inode_security_struct *isec = inode->i_security;
2273
2274         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2275                 return -EOPNOTSUPP;
2276
2277         return selinux_getsecurity(isec->sid, buffer, size);
2278 }
2279
2280 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2281                                      const void *value, size_t size, int flags)
2282 {
2283         struct inode_security_struct *isec = inode->i_security;
2284         u32 newsid;
2285         int rc;
2286
2287         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2288                 return -EOPNOTSUPP;
2289
2290         if (!value || !size)
2291                 return -EACCES;
2292
2293         rc = security_context_to_sid((void*)value, size, &newsid);
2294         if (rc)
2295                 return rc;
2296
2297         isec->sid = newsid;
2298         return 0;
2299 }
2300
2301 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2302 {
2303         const int len = sizeof(XATTR_NAME_SELINUX);
2304         if (buffer && len <= buffer_size)
2305                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2306         return len;
2307 }
2308
2309 /* file security operations */
2310
2311 static int selinux_file_permission(struct file *file, int mask)
2312 {
2313         struct inode *inode = file->f_dentry->d_inode;
2314
2315         if (!mask) {
2316                 /* No permission to check.  Existence test. */
2317                 return 0;
2318         }
2319
2320         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2321         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2322                 mask |= MAY_APPEND;
2323
2324         return file_has_perm(current, file,
2325                              file_mask_to_av(inode->i_mode, mask));
2326 }
2327
2328 static int selinux_file_alloc_security(struct file *file)
2329 {
2330         return file_alloc_security(file);
2331 }
2332
2333 static void selinux_file_free_security(struct file *file)
2334 {
2335         file_free_security(file);
2336 }
2337
2338 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2339                               unsigned long arg)
2340 {
2341         int error = 0;
2342
2343         switch (cmd) {
2344                 case FIONREAD:
2345                 /* fall through */
2346                 case FIBMAP:
2347                 /* fall through */
2348                 case FIGETBSZ:
2349                 /* fall through */
2350                 case EXT2_IOC_GETFLAGS:
2351                 /* fall through */
2352                 case EXT2_IOC_GETVERSION:
2353                         error = file_has_perm(current, file, FILE__GETATTR);
2354                         break;
2355
2356                 case EXT2_IOC_SETFLAGS:
2357                 /* fall through */
2358                 case EXT2_IOC_SETVERSION:
2359                         error = file_has_perm(current, file, FILE__SETATTR);
2360                         break;
2361
2362                 /* sys_ioctl() checks */
2363                 case FIONBIO:
2364                 /* fall through */
2365                 case FIOASYNC:
2366                         error = file_has_perm(current, file, 0);
2367                         break;
2368
2369                 case KDSKBENT:
2370                 case KDSKBSENT:
2371                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2372                         break;
2373
2374                 /* default case assumes that the command will go
2375                  * to the file's ioctl() function.
2376                  */
2377                 default:
2378                         error = file_has_perm(current, file, FILE__IOCTL);
2379
2380         }
2381         return error;
2382 }
2383
2384 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2385 {
2386 #ifndef CONFIG_PPC32
2387         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2388                 /*
2389                  * We are making executable an anonymous mapping or a
2390                  * private file mapping that will also be writable.
2391                  * This has an additional check.
2392                  */
2393                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2394                 if (rc)
2395                         return rc;
2396         }
2397 #endif
2398
2399         if (file) {
2400                 /* read access is always possible with a mapping */
2401                 u32 av = FILE__READ;
2402
2403                 /* write access only matters if the mapping is shared */
2404                 if (shared && (prot & PROT_WRITE))
2405                         av |= FILE__WRITE;
2406
2407                 if (prot & PROT_EXEC)
2408                         av |= FILE__EXECUTE;
2409
2410                 return file_has_perm(current, file, av);
2411         }
2412         return 0;
2413 }
2414
2415 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2416                              unsigned long prot, unsigned long flags)
2417 {
2418         int rc;
2419
2420         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2421         if (rc)
2422                 return rc;
2423
2424         if (selinux_checkreqprot)
2425                 prot = reqprot;
2426
2427         return file_map_prot_check(file, prot,
2428                                    (flags & MAP_TYPE) == MAP_SHARED);
2429 }
2430
2431 static int selinux_file_mprotect(struct vm_area_struct *vma,
2432                                  unsigned long reqprot,
2433                                  unsigned long prot)
2434 {
2435         int rc;
2436
2437         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2438         if (rc)
2439                 return rc;
2440
2441         if (selinux_checkreqprot)
2442                 prot = reqprot;
2443
2444 #ifndef CONFIG_PPC32
2445         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2446                 rc = 0;
2447                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2448                     vma->vm_end <= vma->vm_mm->brk) {
2449                         rc = task_has_perm(current, current,
2450                                            PROCESS__EXECHEAP);
2451                 } else if (!vma->vm_file &&
2452                            vma->vm_start <= vma->vm_mm->start_stack &&
2453                            vma->vm_end >= vma->vm_mm->start_stack) {
2454                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2455                 } else if (vma->vm_file && vma->anon_vma) {
2456                         /*
2457                          * We are making executable a file mapping that has
2458                          * had some COW done. Since pages might have been
2459                          * written, check ability to execute the possibly
2460                          * modified content.  This typically should only
2461                          * occur for text relocations.
2462                          */
2463                         rc = file_has_perm(current, vma->vm_file,
2464                                            FILE__EXECMOD);
2465                 }
2466                 if (rc)
2467                         return rc;
2468         }
2469 #endif
2470
2471         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2472 }
2473
2474 static int selinux_file_lock(struct file *file, unsigned int cmd)
2475 {
2476         return file_has_perm(current, file, FILE__LOCK);
2477 }
2478
2479 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2480                               unsigned long arg)
2481 {
2482         int err = 0;
2483
2484         switch (cmd) {
2485                 case F_SETFL:
2486                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2487                                 err = -EINVAL;
2488                                 break;
2489                         }
2490
2491                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2492                                 err = file_has_perm(current, file,FILE__WRITE);
2493                                 break;
2494                         }
2495                         /* fall through */
2496                 case F_SETOWN:
2497                 case F_SETSIG:
2498                 case F_GETFL:
2499                 case F_GETOWN:
2500                 case F_GETSIG:
2501                         /* Just check FD__USE permission */
2502                         err = file_has_perm(current, file, 0);
2503                         break;
2504                 case F_GETLK:
2505                 case F_SETLK:
2506                 case F_SETLKW:
2507 #if BITS_PER_LONG == 32
2508                 case F_GETLK64:
2509                 case F_SETLK64:
2510                 case F_SETLKW64:
2511 #endif
2512                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2513                                 err = -EINVAL;
2514                                 break;
2515                         }
2516                         err = file_has_perm(current, file, FILE__LOCK);
2517                         break;
2518         }
2519
2520         return err;
2521 }
2522
2523 static int selinux_file_set_fowner(struct file *file)
2524 {
2525         struct task_security_struct *tsec;
2526         struct file_security_struct *fsec;
2527
2528         tsec = current->security;
2529         fsec = file->f_security;
2530         fsec->fown_sid = tsec->sid;
2531
2532         return 0;
2533 }
2534
2535 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2536                                        struct fown_struct *fown, int signum)
2537 {
2538         struct file *file;
2539         u32 perm;
2540         struct task_security_struct *tsec;
2541         struct file_security_struct *fsec;
2542
2543         /* struct fown_struct is never outside the context of a struct file */
2544         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2545
2546         tsec = tsk->security;
2547         fsec = file->f_security;
2548
2549         if (!signum)
2550                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2551         else
2552                 perm = signal_to_av(signum);
2553
2554         return avc_has_perm(fsec->fown_sid, tsec->sid,
2555                             SECCLASS_PROCESS, perm, NULL);
2556 }
2557
2558 static int selinux_file_receive(struct file *file)
2559 {
2560         return file_has_perm(current, file, file_to_av(file));
2561 }
2562
2563 /* task security operations */
2564
2565 static int selinux_task_create(unsigned long clone_flags)
2566 {
2567         int rc;
2568
2569         rc = secondary_ops->task_create(clone_flags);
2570         if (rc)
2571                 return rc;
2572
2573         return task_has_perm(current, current, PROCESS__FORK);
2574 }
2575
2576 static int selinux_task_alloc_security(struct task_struct *tsk)
2577 {
2578         struct task_security_struct *tsec1, *tsec2;
2579         int rc;
2580
2581         tsec1 = current->security;
2582
2583         rc = task_alloc_security(tsk);
2584         if (rc)
2585                 return rc;
2586         tsec2 = tsk->security;
2587
2588         tsec2->osid = tsec1->osid;
2589         tsec2->sid = tsec1->sid;
2590
2591         /* Retain the exec, fs, key, and sock SIDs across fork */
2592         tsec2->exec_sid = tsec1->exec_sid;
2593         tsec2->create_sid = tsec1->create_sid;
2594         tsec2->keycreate_sid = tsec1->keycreate_sid;
2595         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2596
2597         /* Retain ptracer SID across fork, if any.
2598            This will be reset by the ptrace hook upon any
2599            subsequent ptrace_attach operations. */
2600         tsec2->ptrace_sid = tsec1->ptrace_sid;
2601
2602         return 0;
2603 }
2604
2605 static void selinux_task_free_security(struct task_struct *tsk)
2606 {
2607         task_free_security(tsk);
2608 }
2609
2610 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2611 {
2612         /* Since setuid only affects the current process, and
2613            since the SELinux controls are not based on the Linux
2614            identity attributes, SELinux does not need to control
2615            this operation.  However, SELinux does control the use
2616            of the CAP_SETUID and CAP_SETGID capabilities using the
2617            capable hook. */
2618         return 0;
2619 }
2620
2621 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2622 {
2623         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2624 }
2625
2626 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2627 {
2628         /* See the comment for setuid above. */
2629         return 0;
2630 }
2631
2632 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2633 {
2634         return task_has_perm(current, p, PROCESS__SETPGID);
2635 }
2636
2637 static int selinux_task_getpgid(struct task_struct *p)
2638 {
2639         return task_has_perm(current, p, PROCESS__GETPGID);
2640 }
2641
2642 static int selinux_task_getsid(struct task_struct *p)
2643 {
2644         return task_has_perm(current, p, PROCESS__GETSESSION);
2645 }
2646
2647 static int selinux_task_setgroups(struct group_info *group_info)
2648 {
2649         /* See the comment for setuid above. */
2650         return 0;
2651 }
2652
2653 static int selinux_task_setnice(struct task_struct *p, int nice)
2654 {
2655         int rc;
2656
2657         rc = secondary_ops->task_setnice(p, nice);
2658         if (rc)
2659                 return rc;
2660
2661         return task_has_perm(current,p, PROCESS__SETSCHED);
2662 }
2663
2664 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2665 {
2666         return task_has_perm(current, p, PROCESS__SETSCHED);
2667 }
2668
2669 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2670 {
2671         struct rlimit *old_rlim = current->signal->rlim + resource;
2672         int rc;
2673
2674         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2675         if (rc)
2676                 return rc;
2677
2678         /* Control the ability to change the hard limit (whether
2679            lowering or raising it), so that the hard limit can
2680            later be used as a safe reset point for the soft limit
2681            upon context transitions. See selinux_bprm_apply_creds. */
2682         if (old_rlim->rlim_max != new_rlim->rlim_max)
2683                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2684
2685         return 0;
2686 }
2687
2688 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2689 {
2690         return task_has_perm(current, p, PROCESS__SETSCHED);
2691 }
2692
2693 static int selinux_task_getscheduler(struct task_struct *p)
2694 {
2695         return task_has_perm(current, p, PROCESS__GETSCHED);
2696 }
2697
2698 static int selinux_task_movememory(struct task_struct *p)
2699 {
2700         return task_has_perm(current, p, PROCESS__SETSCHED);
2701 }
2702
2703 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2704 {
2705         u32 perm;
2706         int rc;
2707
2708         rc = secondary_ops->task_kill(p, info, sig);
2709         if (rc)
2710                 return rc;
2711
2712         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2713                 return 0;
2714
2715         if (!sig)
2716                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2717         else
2718                 perm = signal_to_av(sig);
2719
2720         return task_has_perm(current, p, perm);
2721 }
2722
2723 static int selinux_task_prctl(int option,
2724                               unsigned long arg2,
2725                               unsigned long arg3,
2726                               unsigned long arg4,
2727                               unsigned long arg5)
2728 {
2729         /* The current prctl operations do not appear to require
2730            any SELinux controls since they merely observe or modify
2731            the state of the current process. */
2732         return 0;
2733 }
2734
2735 static int selinux_task_wait(struct task_struct *p)
2736 {
2737         u32 perm;
2738
2739         perm = signal_to_av(p->exit_signal);
2740
2741         return task_has_perm(p, current, perm);
2742 }
2743
2744 static void selinux_task_reparent_to_init(struct task_struct *p)
2745 {
2746         struct task_security_struct *tsec;
2747
2748         secondary_ops->task_reparent_to_init(p);
2749
2750         tsec = p->security;
2751         tsec->osid = tsec->sid;
2752         tsec->sid = SECINITSID_KERNEL;
2753         return;
2754 }
2755
2756 static void selinux_task_to_inode(struct task_struct *p,
2757                                   struct inode *inode)
2758 {
2759         struct task_security_struct *tsec = p->security;
2760         struct inode_security_struct *isec = inode->i_security;
2761
2762         isec->sid = tsec->sid;
2763         isec->initialized = 1;
2764         return;
2765 }
2766
2767 /* Returns error only if unable to parse addresses */
2768 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2769 {
2770         int offset, ihlen, ret = -EINVAL;
2771         struct iphdr _iph, *ih;
2772
2773         offset = skb->nh.raw - skb->data;
2774         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2775         if (ih == NULL)
2776                 goto out;
2777
2778         ihlen = ih->ihl * 4;
2779         if (ihlen < sizeof(_iph))
2780                 goto out;
2781
2782         ad->u.net.v4info.saddr = ih->saddr;
2783         ad->u.net.v4info.daddr = ih->daddr;
2784         ret = 0;
2785
2786         switch (ih->protocol) {
2787         case IPPROTO_TCP: {
2788                 struct tcphdr _tcph, *th;
2789
2790                 if (ntohs(ih->frag_off) & IP_OFFSET)
2791                         break;
2792
2793                 offset += ihlen;
2794                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2795                 if (th == NULL)
2796                         break;
2797
2798                 ad->u.net.sport = th->source;
2799                 ad->u.net.dport = th->dest;
2800                 break;
2801         }
2802         
2803         case IPPROTO_UDP: {
2804                 struct udphdr _udph, *uh;
2805                 
2806                 if (ntohs(ih->frag_off) & IP_OFFSET)
2807                         break;
2808                         
2809                 offset += ihlen;
2810                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2811                 if (uh == NULL)
2812                         break;  
2813
2814                 ad->u.net.sport = uh->source;
2815                 ad->u.net.dport = uh->dest;
2816                 break;
2817         }
2818
2819         default:
2820                 break;
2821         }
2822 out:
2823         return ret;
2824 }
2825
2826 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2827
2828 /* Returns error only if unable to parse addresses */
2829 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2830 {
2831         u8 nexthdr;
2832         int ret = -EINVAL, offset;
2833         struct ipv6hdr _ipv6h, *ip6;
2834
2835         offset = skb->nh.raw - skb->data;
2836         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2837         if (ip6 == NULL)
2838                 goto out;
2839
2840         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2841         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2842         ret = 0;
2843
2844         nexthdr = ip6->nexthdr;
2845         offset += sizeof(_ipv6h);
2846         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2847         if (offset < 0)
2848                 goto out;
2849
2850         switch (nexthdr) {
2851         case IPPROTO_TCP: {
2852                 struct tcphdr _tcph, *th;
2853
2854                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2855                 if (th == NULL)
2856                         break;
2857
2858                 ad->u.net.sport = th->source;
2859                 ad->u.net.dport = th->dest;
2860                 break;
2861         }
2862
2863         case IPPROTO_UDP: {
2864                 struct udphdr _udph, *uh;
2865
2866                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2867                 if (uh == NULL)
2868                         break;
2869
2870                 ad->u.net.sport = uh->source;
2871                 ad->u.net.dport = uh->dest;
2872                 break;
2873         }
2874
2875         /* includes fragments */
2876         default:
2877                 break;
2878         }
2879 out:
2880         return ret;
2881 }
2882
2883 #endif /* IPV6 */
2884
2885 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2886                              char **addrp, int *len, int src)
2887 {
2888         int ret = 0;
2889
2890         switch (ad->u.net.family) {
2891         case PF_INET:
2892                 ret = selinux_parse_skb_ipv4(skb, ad);
2893                 if (ret || !addrp)
2894                         break;
2895                 *len = 4;
2896                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2897                                         &ad->u.net.v4info.daddr);
2898                 break;
2899
2900 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2901         case PF_INET6:
2902                 ret = selinux_parse_skb_ipv6(skb, ad);
2903                 if (ret || !addrp)
2904                         break;
2905                 *len = 16;
2906                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2907                                         &ad->u.net.v6info.daddr);
2908                 break;
2909 #endif  /* IPV6 */
2910         default:
2911                 break;
2912         }
2913
2914         return ret;
2915 }
2916
2917 /* socket security operations */
2918 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2919                            u32 perms)
2920 {
2921         struct inode_security_struct *isec;
2922         struct task_security_struct *tsec;
2923         struct avc_audit_data ad;
2924         int err = 0;
2925
2926         tsec = task->security;
2927         isec = SOCK_INODE(sock)->i_security;
2928
2929         if (isec->sid == SECINITSID_KERNEL)
2930                 goto out;
2931
2932         AVC_AUDIT_DATA_INIT(&ad,NET);
2933         ad.u.net.sk = sock->sk;
2934         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2935
2936 out:
2937         return err;
2938 }
2939
2940 static int selinux_socket_create(int family, int type,
2941                                  int protocol, int kern)
2942 {
2943         int err = 0;
2944         struct task_security_struct *tsec;
2945         u32 newsid;
2946
2947         if (kern)
2948                 goto out;
2949
2950         tsec = current->security;
2951         newsid = tsec->sockcreate_sid ? : tsec->sid;
2952         err = avc_has_perm(tsec->sid, newsid,
2953                            socket_type_to_security_class(family, type,
2954                            protocol), SOCKET__CREATE, NULL);
2955
2956 out:
2957         return err;
2958 }
2959
2960 static void selinux_socket_post_create(struct socket *sock, int family,
2961                                        int type, int protocol, int kern)
2962 {
2963         struct inode_security_struct *isec;
2964         struct task_security_struct *tsec;
2965         u32 newsid;
2966
2967         isec = SOCK_INODE(sock)->i_security;
2968
2969         tsec = current->security;
2970         newsid = tsec->sockcreate_sid ? : tsec->sid;
2971         isec->sclass = socket_type_to_security_class(family, type, protocol);
2972         isec->sid = kern ? SECINITSID_KERNEL : newsid;
2973         isec->initialized = 1;
2974
2975         return;
2976 }
2977
2978 /* Range of port numbers used to automatically bind.
2979    Need to determine whether we should perform a name_bind
2980    permission check between the socket and the port number. */
2981 #define ip_local_port_range_0 sysctl_local_port_range[0]
2982 #define ip_local_port_range_1 sysctl_local_port_range[1]
2983
2984 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2985 {
2986         u16 family;
2987         int err;
2988
2989         err = socket_has_perm(current, sock, SOCKET__BIND);
2990         if (err)
2991                 goto out;
2992
2993         /*
2994          * If PF_INET or PF_INET6, check name_bind permission for the port.
2995          * Multiple address binding for SCTP is not supported yet: we just
2996          * check the first address now.
2997          */
2998         family = sock->sk->sk_family;
2999         if (family == PF_INET || family == PF_INET6) {
3000                 char *addrp;
3001                 struct inode_security_struct *isec;
3002                 struct task_security_struct *tsec;
3003                 struct avc_audit_data ad;
3004                 struct sockaddr_in *addr4 = NULL;
3005                 struct sockaddr_in6 *addr6 = NULL;
3006                 unsigned short snum;
3007                 struct sock *sk = sock->sk;
3008                 u32 sid, node_perm, addrlen;
3009
3010                 tsec = current->security;
3011                 isec = SOCK_INODE(sock)->i_security;
3012
3013                 if (family == PF_INET) {
3014                         addr4 = (struct sockaddr_in *)address;
3015                         snum = ntohs(addr4->sin_port);
3016                         addrlen = sizeof(addr4->sin_addr.s_addr);
3017                         addrp = (char *)&addr4->sin_addr.s_addr;
3018                 } else {
3019                         addr6 = (struct sockaddr_in6 *)address;
3020                         snum = ntohs(addr6->sin6_port);
3021                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3022                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3023                 }
3024
3025                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3026                            snum > ip_local_port_range_1)) {
3027                         err = security_port_sid(sk->sk_family, sk->sk_type,
3028                                                 sk->sk_protocol, snum, &sid);
3029                         if (err)
3030                                 goto out;
3031                         AVC_AUDIT_DATA_INIT(&ad,NET);
3032                         ad.u.net.sport = htons(snum);
3033                         ad.u.net.family = family;
3034                         err = avc_has_perm(isec->sid, sid,
3035                                            isec->sclass,
3036                                            SOCKET__NAME_BIND, &ad);
3037                         if (err)
3038                                 goto out;
3039                 }
3040                 
3041                 switch(isec->sclass) {
3042                 case SECCLASS_TCP_SOCKET:
3043                         node_perm = TCP_SOCKET__NODE_BIND;
3044                         break;
3045                         
3046                 case SECCLASS_UDP_SOCKET:
3047                         node_perm = UDP_SOCKET__NODE_BIND;
3048                         break;
3049                         
3050                 default:
3051                         node_perm = RAWIP_SOCKET__NODE_BIND;
3052                         break;
3053                 }
3054                 
3055                 err = security_node_sid(family, addrp, addrlen, &sid);
3056                 if (err)
3057                         goto out;
3058                 
3059                 AVC_AUDIT_DATA_INIT(&ad,NET);
3060                 ad.u.net.sport = htons(snum);
3061                 ad.u.net.family = family;
3062
3063                 if (family == PF_INET)
3064                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3065                 else
3066                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3067
3068                 err = avc_has_perm(isec->sid, sid,
3069                                    isec->sclass, node_perm, &ad);
3070                 if (err)
3071                         goto out;
3072         }
3073 out:
3074         return err;
3075 }
3076
3077 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3078 {
3079         struct inode_security_struct *isec;
3080         int err;
3081
3082         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3083         if (err)
3084                 return err;
3085
3086         /*
3087          * If a TCP socket, check name_connect permission for the port.
3088          */
3089         isec = SOCK_INODE(sock)->i_security;
3090         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3091                 struct sock *sk = sock->sk;
3092                 struct avc_audit_data ad;
3093                 struct sockaddr_in *addr4 = NULL;
3094                 struct sockaddr_in6 *addr6 = NULL;
3095                 unsigned short snum;
3096                 u32 sid;
3097
3098                 if (sk->sk_family == PF_INET) {
3099                         addr4 = (struct sockaddr_in *)address;
3100                         if (addrlen < sizeof(struct sockaddr_in))
3101                                 return -EINVAL;
3102                         snum = ntohs(addr4->sin_port);
3103                 } else {
3104                         addr6 = (struct sockaddr_in6 *)address;
3105                         if (addrlen < SIN6_LEN_RFC2133)
3106                                 return -EINVAL;
3107                         snum = ntohs(addr6->sin6_port);
3108                 }
3109
3110                 err = security_port_sid(sk->sk_family, sk->sk_type,
3111                                         sk->sk_protocol, snum, &sid);
3112                 if (err)
3113                         goto out;
3114
3115                 AVC_AUDIT_DATA_INIT(&ad,NET);
3116                 ad.u.net.dport = htons(snum);
3117                 ad.u.net.family = sk->sk_family;
3118                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3119                                    TCP_SOCKET__NAME_CONNECT, &ad);
3120                 if (err)
3121                         goto out;
3122         }
3123
3124 out:
3125         return err;
3126 }
3127
3128 static int selinux_socket_listen(struct socket *sock, int backlog)
3129 {
3130         return socket_has_perm(current, sock, SOCKET__LISTEN);
3131 }
3132
3133 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3134 {
3135         int err;
3136         struct inode_security_struct *isec;
3137         struct inode_security_struct *newisec;
3138
3139         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3140         if (err)
3141                 return err;
3142
3143         newisec = SOCK_INODE(newsock)->i_security;
3144
3145         isec = SOCK_INODE(sock)->i_security;
3146         newisec->sclass = isec->sclass;
3147         newisec->sid = isec->sid;
3148         newisec->initialized = 1;
3149
3150         return 0;
3151 }
3152
3153 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3154                                   int size)
3155 {
3156         return socket_has_perm(current, sock, SOCKET__WRITE);
3157 }
3158
3159 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3160                                   int size, int flags)
3161 {
3162         return socket_has_perm(current, sock, SOCKET__READ);
3163 }
3164
3165 static int selinux_socket_getsockname(struct socket *sock)
3166 {
3167         return socket_has_perm(current, sock, SOCKET__GETATTR);
3168 }
3169
3170 static int selinux_socket_getpeername(struct socket *sock)
3171 {
3172         return socket_has_perm(current, sock, SOCKET__GETATTR);
3173 }
3174
3175 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3176 {
3177         return socket_has_perm(current, sock, SOCKET__SETOPT);
3178 }
3179
3180 static int selinux_socket_getsockopt(struct socket *sock, int level,
3181                                      int optname)
3182 {
3183         return socket_has_perm(current, sock, SOCKET__GETOPT);
3184 }
3185
3186 static int selinux_socket_shutdown(struct socket *sock, int how)
3187 {
3188         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3189 }
3190
3191 static int selinux_socket_unix_stream_connect(struct socket *sock,
3192                                               struct socket *other,
3193                                               struct sock *newsk)
3194 {
3195         struct sk_security_struct *ssec;
3196         struct inode_security_struct *isec;
3197         struct inode_security_struct *other_isec;
3198         struct avc_audit_data ad;
3199         int err;
3200
3201         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3202         if (err)
3203                 return err;
3204
3205         isec = SOCK_INODE(sock)->i_security;
3206         other_isec = SOCK_INODE(other)->i_security;
3207
3208         AVC_AUDIT_DATA_INIT(&ad,NET);
3209         ad.u.net.sk = other->sk;
3210
3211         err = avc_has_perm(isec->sid, other_isec->sid,
3212                            isec->sclass,
3213                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3214         if (err)
3215                 return err;
3216
3217         /* connecting socket */
3218         ssec = sock->sk->sk_security;
3219         ssec->peer_sid = other_isec->sid;
3220         
3221         /* server child socket */
3222         ssec = newsk->sk_security;
3223         ssec->peer_sid = isec->sid;
3224         
3225         return 0;
3226 }
3227
3228 static int selinux_socket_unix_may_send(struct socket *sock,
3229                                         struct socket *other)
3230 {
3231         struct inode_security_struct *isec;
3232         struct inode_security_struct *other_isec;
3233         struct avc_audit_data ad;
3234         int err;
3235
3236         isec = SOCK_INODE(sock)->i_security;
3237         other_isec = SOCK_INODE(other)->i_security;
3238
3239         AVC_AUDIT_DATA_INIT(&ad,NET);
3240         ad.u.net.sk = other->sk;
3241
3242         err = avc_has_perm(isec->sid, other_isec->sid,
3243                            isec->sclass, SOCKET__SENDTO, &ad);
3244         if (err)
3245                 return err;
3246
3247         return 0;
3248 }
3249
3250 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3251                 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3252                 u16 family, char *addrp, int len)
3253 {
3254         int err = 0;
3255         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3256
3257         if (!skb->dev)
3258                 goto out;
3259
3260         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3261         if (err)
3262                 goto out;
3263
3264         switch (sock_class) {
3265         case SECCLASS_UDP_SOCKET:
3266                 netif_perm = NETIF__UDP_RECV;
3267                 node_perm = NODE__UDP_RECV;
3268                 recv_perm = UDP_SOCKET__RECV_MSG;
3269                 break;
3270         
3271         case SECCLASS_TCP_SOCKET:
3272                 netif_perm = NETIF__TCP_RECV;
3273                 node_perm = NODE__TCP_RECV;
3274                 recv_perm = TCP_SOCKET__RECV_MSG;
3275                 break;
3276         
3277         default:
3278                 netif_perm = NETIF__RAWIP_RECV;
3279                 node_perm = NODE__RAWIP_RECV;
3280                 break;
3281         }
3282
3283         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3284         if (err)
3285                 goto out;
3286         
3287         err = security_node_sid(family, addrp, len, &node_sid);
3288         if (err)
3289                 goto out;
3290         
3291         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3292         if (err)
3293                 goto out;
3294
3295         if (recv_perm) {
3296                 u32 port_sid;
3297
3298                 err = security_port_sid(sk->sk_family, sk->sk_type,
3299                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3300                                         &port_sid);
3301                 if (err)
3302                         goto out;
3303
3304                 err = avc_has_perm(sock_sid, port_sid,
3305                                    sock_class, recv_perm, ad);
3306         }
3307
3308 out:
3309         return err;
3310 }
3311
3312 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3313 {
3314         u16 family;
3315         u16 sock_class = 0;
3316         char *addrp;
3317         int len, err = 0;
3318         u32 sock_sid = 0;
3319         struct socket *sock;
3320         struct avc_audit_data ad;
3321
3322         family = sk->sk_family;
3323         if (family != PF_INET && family != PF_INET6)
3324                 goto out;
3325
3326         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3327         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3328                 family = PF_INET;
3329
3330         read_lock_bh(&sk->sk_callback_lock);
3331         sock = sk->sk_socket;
3332         if (sock) {
3333                 struct inode *inode;
3334                 inode = SOCK_INODE(sock);
3335                 if (inode) {
3336                         struct inode_security_struct *isec;
3337                         isec = inode->i_security;
3338                         sock_sid = isec->sid;
3339                         sock_class = isec->sclass;
3340                 }
3341         }
3342         read_unlock_bh(&sk->sk_callback_lock);
3343         if (!sock_sid)
3344                 goto out;
3345
3346         AVC_AUDIT_DATA_INIT(&ad, NET);
3347         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3348         ad.u.net.family = family;
3349
3350         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3351         if (err)
3352                 goto out;
3353
3354         if (selinux_compat_net)
3355                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3356                                                   sock_class, family,
3357                                                   addrp, len);
3358         else
3359                 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3360                                    PACKET__RECV, &ad);
3361         if (err)
3362                 goto out;
3363
3364         err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3365 out:    
3366         return err;
3367 }
3368
3369 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3370                                             int __user *optlen, unsigned len)
3371 {
3372         int err = 0;
3373         char *scontext;
3374         u32 scontext_len;
3375         struct sk_security_struct *ssec;
3376         struct inode_security_struct *isec;
3377         u32 peer_sid = 0;
3378
3379         isec = SOCK_INODE(sock)->i_security;
3380
3381         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3382         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3383                 ssec = sock->sk->sk_security;
3384                 peer_sid = ssec->peer_sid;
3385         }
3386         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3387                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3388
3389                 if (peer_sid == SECSID_NULL) {
3390                         err = -ENOPROTOOPT;
3391                         goto out;
3392                 }
3393         }
3394         else {
3395                 err = -ENOPROTOOPT;
3396                 goto out;
3397         }
3398
3399         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3400
3401         if (err)
3402                 goto out;
3403
3404         if (scontext_len > len) {
3405                 err = -ERANGE;
3406                 goto out_len;
3407         }
3408
3409         if (copy_to_user(optval, scontext, scontext_len))
3410                 err = -EFAULT;
3411
3412 out_len:
3413         if (put_user(scontext_len, optlen))
3414                 err = -EFAULT;
3415
3416         kfree(scontext);
3417 out:    
3418         return err;
3419 }
3420
3421 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3422 {
3423         int err = 0;
3424         u32 peer_sid;
3425
3426         if (skb->sk->sk_family == PF_UNIX)
3427                 selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
3428                                       &peer_sid);
3429         else
3430                 peer_sid = selinux_socket_getpeer_dgram(skb);
3431
3432         if (peer_sid == SECSID_NULL)
3433                 return -EINVAL;
3434
3435         err = security_sid_to_context(peer_sid, secdata, seclen);
3436         if (err)
3437                 return err;
3438
3439         return 0;
3440 }
3441
3442 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3443 {
3444         return sk_alloc_security(sk, family, priority);
3445 }
3446
3447 static void selinux_sk_free_security(struct sock *sk)
3448 {
3449         sk_free_security(sk);
3450 }
3451
3452 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3453 {
3454         struct inode_security_struct *isec;
3455         u32 sock_sid = SECINITSID_ANY_SOCKET;
3456
3457         if (!sk)
3458                 return selinux_no_sk_sid(fl);
3459
3460         read_lock_bh(&sk->sk_callback_lock);
3461         isec = get_sock_isec(sk);
3462
3463         if (isec)
3464                 sock_sid = isec->sid;
3465
3466         read_unlock_bh(&sk->sk_callback_lock);
3467         return sock_sid;
3468 }
3469
3470 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3471 {
3472         int err = 0;
3473         u32 perm;
3474         struct nlmsghdr *nlh;
3475         struct socket *sock = sk->sk_socket;
3476         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3477         
3478         if (skb->len < NLMSG_SPACE(0)) {
3479                 err = -EINVAL;
3480                 goto out;
3481         }
3482         nlh = (struct nlmsghdr *)skb->data;
3483         
3484         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3485         if (err) {
3486                 if (err == -EINVAL) {
3487                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3488                                   "SELinux:  unrecognized netlink message"
3489                                   " type=%hu for sclass=%hu\n",
3490                                   nlh->nlmsg_type, isec->sclass);
3491                         if (!selinux_enforcing)
3492                                 err = 0;
3493                 }
3494
3495                 /* Ignore */
3496                 if (err == -ENOENT)
3497                         err = 0;
3498                 goto out;
3499         }
3500
3501         err = socket_has_perm(current, sock, perm);
3502 out:
3503         return err;
3504 }
3505
3506 #ifdef CONFIG_NETFILTER
3507
3508 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3509                                             struct inode_security_struct *isec,
3510                                             struct avc_audit_data *ad,
3511                                             u16 family, char *addrp, int len)
3512 {
3513         int err;
3514         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3515         
3516         err = sel_netif_sids(dev, &if_sid, NULL);
3517         if (err)
3518                 goto out;
3519
3520         switch (isec->sclass) {
3521         case SECCLASS_UDP_SOCKET:
3522                 netif_perm = NETIF__UDP_SEND;
3523                 node_perm = NODE__UDP_SEND;
3524                 send_perm = UDP_SOCKET__SEND_MSG;
3525                 break;
3526         
3527         case SECCLASS_TCP_SOCKET:
3528                 netif_perm = NETIF__TCP_SEND;
3529                 node_perm = NODE__TCP_SEND;
3530                 send_perm = TCP_SOCKET__SEND_MSG;
3531                 break;
3532         
3533         default:
3534                 netif_perm = NETIF__RAWIP_SEND;
3535                 node_perm = NODE__RAWIP_SEND;
3536                 break;
3537         }
3538
3539         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3540         if (err)
3541                 goto out;
3542                 
3543         err = security_node_sid(family, addrp, len, &node_sid);
3544         if (err)
3545                 goto out;
3546         
3547         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3548         if (err)
3549                 goto out;
3550
3551         if (send_perm) {
3552                 u32 port_sid;
3553                 
3554                 err = security_port_sid(sk->sk_family,
3555                                         sk->sk_type,
3556                                         sk->sk_protocol,
3557                                         ntohs(ad->u.net.dport),
3558                                         &port_sid);
3559                 if (err)
3560                         goto out;
3561
3562                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3563                                    send_perm, ad);
3564         }
3565 out:
3566         return err;
3567 }
3568
3569 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3570                                               struct sk_buff **pskb,
3571                                               const struct net_device *in,
3572                                               const struct net_device *out,
3573                                               int (*okfn)(struct sk_buff *),
3574                                               u16 family)
3575 {
3576         char *addrp;
3577         int len, err = 0;
3578         struct sock *sk;
3579         struct socket *sock;
3580         struct inode *inode;
3581         struct sk_buff *skb = *pskb;
3582         struct inode_security_struct *isec;
3583         struct avc_audit_data ad;
3584         struct net_device *dev = (struct net_device *)out;
3585
3586         sk = skb->sk;
3587         if (!sk)
3588                 goto out;
3589
3590         sock = sk->sk_socket;
3591         if (!sock)
3592                 goto out;
3593
3594         inode = SOCK_INODE(sock);
3595         if (!inode)
3596                 goto out;
3597
3598         isec = inode->i_security;
3599
3600         AVC_AUDIT_DATA_INIT(&ad, NET);
3601         ad.u.net.netif = dev->name;
3602         ad.u.net.family = family;
3603
3604         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3605         if (err)
3606                 goto out;
3607
3608         if (selinux_compat_net)
3609                 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3610                                                        family, addrp, len);
3611         else
3612                 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3613                                    PACKET__SEND, &ad);
3614
3615         if (err)
3616                 goto out;
3617
3618         err = selinux_xfrm_postroute_last(isec->sid, skb);
3619 out:
3620         return err ? NF_DROP : NF_ACCEPT;
3621 }
3622
3623 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3624                                                 struct sk_buff **pskb,
3625                                                 const struct net_device *in,
3626                                                 const struct net_device *out,
3627                                                 int (*okfn)(struct sk_buff *))
3628 {
3629         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3630 }
3631
3632 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3633
3634 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3635                                                 struct sk_buff **pskb,
3636                                                 const struct net_device *in,
3637                                                 const struct net_device *out,
3638                                                 int (*okfn)(struct sk_buff *))
3639 {
3640         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3641 }
3642
3643 #endif  /* IPV6 */
3644
3645 #endif  /* CONFIG_NETFILTER */
3646
3647 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3648 {
3649         int err;
3650
3651         err = secondary_ops->netlink_send(sk, skb);
3652         if (err)
3653                 return err;
3654
3655         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3656                 err = selinux_nlmsg_perm(sk, skb);
3657
3658         return err;
3659 }
3660
3661 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3662 {
3663         int err;
3664         struct avc_audit_data ad;
3665
3666         err = secondary_ops->netlink_recv(skb, capability);
3667         if (err)
3668                 return err;
3669
3670         AVC_AUDIT_DATA_INIT(&ad, CAP);
3671         ad.u.cap = capability;
3672
3673         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3674                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3675 }
3676
3677 static int ipc_alloc_security(struct task_struct *task,
3678                               struct kern_ipc_perm *perm,
3679                               u16 sclass)
3680 {
3681         struct task_security_struct *tsec = task->security;
3682         struct ipc_security_struct *isec;
3683
3684         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3685         if (!isec)
3686                 return -ENOMEM;
3687
3688         isec->sclass = sclass;
3689         isec->ipc_perm = perm;
3690         isec->sid = tsec->sid;
3691         perm->security = isec;
3692
3693         return 0;
3694 }
3695
3696 static void ipc_free_security(struct kern_ipc_perm *perm)
3697 {
3698         struct ipc_security_struct *isec = perm->security;
3699         perm->security = NULL;
3700         kfree(isec);
3701 }
3702
3703 static int msg_msg_alloc_security(struct msg_msg *msg)
3704 {
3705         struct msg_security_struct *msec;
3706
3707         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3708         if (!msec)
3709                 return -ENOMEM;
3710
3711         msec->msg = msg;
3712         msec->sid = SECINITSID_UNLABELED;
3713         msg->security = msec;
3714
3715         return 0;
3716 }
3717
3718 static void msg_msg_free_security(struct msg_msg *msg)
3719 {
3720         struct msg_security_struct *msec = msg->security;
3721
3722         msg->security = NULL;
3723         kfree(msec);
3724 }
3725
3726 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3727                         u32 perms)
3728 {
3729         struct task_security_struct *tsec;
3730         struct ipc_security_struct *isec;
3731         struct avc_audit_data ad;
3732
3733         tsec = current->security;
3734         isec = ipc_perms->security;
3735
3736         AVC_AUDIT_DATA_INIT(&ad, IPC);
3737         ad.u.ipc_id = ipc_perms->key;
3738
3739         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3740 }
3741
3742 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3743 {
3744         return msg_msg_alloc_security(msg);
3745 }
3746
3747 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3748 {
3749         msg_msg_free_security(msg);
3750 }
3751
3752 /* message queue security operations */
3753 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3754 {
3755         struct task_security_struct *tsec;
3756         struct ipc_security_struct *isec;
3757         struct avc_audit_data ad;
3758         int rc;
3759
3760         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3761         if (rc)
3762                 return rc;
3763
3764         tsec = current->security;
3765         isec = msq->q_perm.security;
3766
3767         AVC_AUDIT_DATA_INIT(&ad, IPC);
3768         ad.u.ipc_id = msq->q_perm.key;
3769
3770         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3771                           MSGQ__CREATE, &ad);
3772         if (rc) {
3773                 ipc_free_security(&msq->q_perm);
3774                 return rc;
3775         }
3776         return 0;
3777 }
3778
3779 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3780 {
3781         ipc_free_security(&msq->q_perm);
3782 }
3783
3784 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3785 {
3786         struct task_security_struct *tsec;
3787         struct ipc_security_struct *isec;
3788         struct avc_audit_data ad;
3789
3790         tsec = current->security;
3791         isec = msq->q_perm.security;
3792
3793         AVC_AUDIT_DATA_INIT(&ad, IPC);
3794         ad.u.ipc_id = msq->q_perm.key;
3795
3796         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3797                             MSGQ__ASSOCIATE, &ad);
3798 }
3799
3800 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3801 {
3802         int err;
3803         int perms;
3804
3805         switch(cmd) {
3806         case IPC_INFO:
3807         case MSG_INFO:
3808                 /* No specific object, just general system-wide information. */
3809                 return task_has_system(current, SYSTEM__IPC_INFO);
3810         case IPC_STAT:
3811         case MSG_STAT:
3812                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3813                 break;
3814         case IPC_SET:
3815                 perms = MSGQ__SETATTR;
3816                 break;
3817         case IPC_RMID:
3818                 perms = MSGQ__DESTROY;
3819                 break;
3820         default:
3821                 return 0;
3822         }
3823
3824         err = ipc_has_perm(&msq->q_perm, perms);
3825         return err;
3826 }
3827
3828 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3829 {
3830         struct task_security_struct *tsec;
3831         struct ipc_security_struct *isec;
3832         struct msg_security_struct *msec;
3833         struct avc_audit_data ad;
3834         int rc;
3835
3836         tsec = current->security;
3837         isec = msq->q_perm.security;
3838         msec = msg->security;
3839
3840         /*
3841          * First time through, need to assign label to the message
3842          */
3843         if (msec->sid == SECINITSID_UNLABELED) {
3844                 /*
3845                  * Compute new sid based on current process and
3846                  * message queue this message will be stored in
3847                  */
3848                 rc = security_transition_sid(tsec->sid,
3849                                              isec->sid,
3850                                              SECCLASS_MSG,
3851                                              &msec->sid);
3852                 if (rc)
3853                         return rc;
3854         }
3855
3856         AVC_AUDIT_DATA_INIT(&ad, IPC);
3857         ad.u.ipc_id = msq->q_perm.key;
3858
3859         /* Can this process write to the queue? */
3860         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3861                           MSGQ__WRITE, &ad);
3862         if (!rc)
3863                 /* Can this process send the message */
3864                 rc = avc_has_perm(tsec->sid, msec->sid,
3865                                   SECCLASS_MSG, MSG__SEND, &ad);
3866         if (!rc)
3867                 /* Can the message be put in the queue? */
3868                 rc = avc_has_perm(msec->sid, isec->sid,
3869                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3870
3871         return rc;
3872 }
3873
3874 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3875                                     struct task_struct *target,
3876                                     long type, int mode)
3877 {
3878         struct task_security_struct *tsec;
3879         struct ipc_security_struct *isec;
3880         struct msg_security_struct *msec;
3881         struct avc_audit_data ad;
3882         int rc;
3883
3884         tsec = target->security;
3885         isec = msq->q_perm.security;
3886         msec = msg->security;
3887
3888         AVC_AUDIT_DATA_INIT(&ad, IPC);
3889         ad.u.ipc_id = msq->q_perm.key;
3890
3891         rc = avc_has_perm(tsec->sid, isec->sid,
3892                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3893         if (!rc)
3894                 rc = avc_has_perm(tsec->sid, msec->sid,
3895                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3896         return rc;
3897 }
3898
3899 /* Shared Memory security operations */
3900 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3901 {
3902         struct task_security_struct *tsec;
3903         struct ipc_security_struct *isec;
3904         struct avc_audit_data ad;
3905         int rc;
3906
3907         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3908         if (rc)
3909                 return rc;
3910
3911         tsec = current->security;
3912         isec = shp->shm_perm.security;
3913
3914         AVC_AUDIT_DATA_INIT(&ad, IPC);
3915         ad.u.ipc_id = shp->shm_perm.key;
3916
3917         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3918                           SHM__CREATE, &ad);
3919         if (rc) {
3920                 ipc_free_security(&shp->shm_perm);
3921                 return rc;
3922         }
3923         return 0;
3924 }
3925
3926 static void selinux_shm_free_security(struct shmid_kernel *shp)
3927 {
3928         ipc_free_security(&shp->shm_perm);
3929 }
3930
3931 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3932 {
3933         struct task_security_struct *tsec;
3934         struct ipc_security_struct *isec;
3935         struct avc_audit_data ad;
3936
3937         tsec = current->security;
3938         isec = shp->shm_perm.security;
3939
3940         AVC_AUDIT_DATA_INIT(&ad, IPC);
3941         ad.u.ipc_id = shp->shm_perm.key;
3942
3943         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3944                             SHM__ASSOCIATE, &ad);
3945 }
3946
3947 /* Note, at this point, shp is locked down */
3948 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3949 {
3950         int perms;
3951         int err;
3952
3953         switch(cmd) {
3954         case IPC_INFO:
3955         case SHM_INFO:
3956                 /* No specific object, just general system-wide information. */
3957                 return task_has_system(current, SYSTEM__IPC_INFO);
3958         case IPC_STAT:
3959         case SHM_STAT:
3960                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3961                 break;
3962         case IPC_SET:
3963                 perms = SHM__SETATTR;
3964                 break;
3965         case SHM_LOCK:
3966         case SHM_UNLOCK:
3967                 perms = SHM__LOCK;
3968                 break;
3969         case IPC_RMID:
3970                 perms = SHM__DESTROY;
3971                 break;
3972         default:
3973                 return 0;
3974         }
3975
3976         err = ipc_has_perm(&shp->shm_perm, perms);
3977         return err;
3978 }
3979
3980 static int selinux_shm_shmat(struct shmid_kernel *shp,
3981                              char __user *shmaddr, int shmflg)
3982 {
3983         u32 perms;
3984         int rc;
3985
3986         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3987         if (rc)
3988                 return rc;
3989
3990         if (shmflg & SHM_RDONLY)
3991                 perms = SHM__READ;
3992         else
3993                 perms = SHM__READ | SHM__WRITE;
3994
3995         return ipc_has_perm(&shp->shm_perm, perms);
3996 }
3997
3998 /* Semaphore security operations */
3999 static int selinux_sem_alloc_security(struct sem_array *sma)
4000 {
4001         struct task_security_struct *tsec;
4002         struct ipc_security_struct *isec;
4003         struct avc_audit_data ad;
4004         int rc;
4005
4006         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4007         if (rc)
4008                 return rc;
4009
4010         tsec = current->security;
4011         isec = sma->sem_perm.security;
4012
4013         AVC_AUDIT_DATA_INIT(&ad, IPC);
4014         ad.u.ipc_id = sma->sem_perm.key;
4015
4016         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4017                           SEM__CREATE, &ad);
4018         if (rc) {
4019                 ipc_free_security(&sma->sem_perm);
4020                 return rc;
4021         }
4022         return 0;
4023 }
4024
4025 static void selinux_sem_free_security(struct sem_array *sma)
4026 {
4027         ipc_free_security(&sma->sem_perm);
4028 }
4029
4030 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4031 {
4032         struct task_security_struct *tsec;
4033         struct ipc_security_struct *isec;
4034         struct avc_audit_data ad;
4035
4036         tsec = current->security;
4037         isec = sma->sem_perm.security;
4038
4039         AVC_AUDIT_DATA_INIT(&ad, IPC);
4040         ad.u.ipc_id = sma->sem_perm.key;
4041
4042         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4043                             SEM__ASSOCIATE, &ad);
4044 }
4045
4046 /* Note, at this point, sma is locked down */
4047 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4048 {
4049         int err;
4050         u32 perms;
4051
4052         switch(cmd) {
4053         case IPC_INFO:
4054         case SEM_INFO:
4055                 /* No specific object, just general system-wide information. */
4056                 return task_has_system(current, SYSTEM__IPC_INFO);
4057         case GETPID:
4058         case GETNCNT:
4059         case GETZCNT:
4060                 perms = SEM__GETATTR;
4061                 break;
4062         case GETVAL:
4063         case GETALL:
4064                 perms = SEM__READ;
4065                 break;
4066         case SETVAL:
4067         case SETALL:
4068                 perms = SEM__WRITE;
4069                 break;
4070         case IPC_RMID:
4071                 perms = SEM__DESTROY;
4072                 break;
4073         case IPC_SET:
4074                 perms = SEM__SETATTR;
4075                 break;
4076         case IPC_STAT:
4077         case SEM_STAT:
4078                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4079                 break;
4080         default:
4081                 return 0;
4082         }
4083
4084         err = ipc_has_perm(&sma->sem_perm, perms);
4085         return err;
4086 }
4087
4088 static int selinux_sem_semop(struct sem_array *sma,
4089                              struct sembuf *sops, unsigned nsops, int alter)
4090 {
4091         u32 perms;
4092
4093         if (alter)
4094                 perms = SEM__READ | SEM__WRITE;
4095         else
4096                 perms = SEM__READ;
4097
4098         return ipc_has_perm(&sma->sem_perm, perms);
4099 }
4100
4101 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4102 {
4103         u32 av = 0;
4104
4105         av = 0;
4106         if (flag & S_IRUGO)
4107                 av |= IPC__UNIX_READ;
4108         if (flag & S_IWUGO)
4109                 av |= IPC__UNIX_WRITE;
4110
4111         if (av == 0)
4112                 return 0;
4113
4114         return ipc_has_perm(ipcp, av);
4115 }
4116
4117 /* module stacking operations */
4118 static int selinux_register_security (const char *name, struct security_operations *ops)
4119 {
4120         if (secondary_ops != original_ops) {
4121                 printk(KERN_INFO "%s:  There is already a secondary security "
4122                        "module registered.\n", __FUNCTION__);
4123                 return -EINVAL;
4124         }
4125
4126         secondary_ops = ops;
4127
4128         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4129                __FUNCTION__,
4130                name);
4131
4132         return 0;
4133 }
4134
4135 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4136 {
4137         if (ops != secondary_ops) {
4138                 printk (KERN_INFO "%s:  trying to unregister a security module "
4139                         "that is not registered.\n", __FUNCTION__);
4140                 return -EINVAL;
4141         }
4142
4143         secondary_ops = original_ops;
4144
4145         return 0;
4146 }
4147
4148 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4149 {
4150         if (inode)
4151                 inode_doinit_with_dentry(inode, dentry);
4152 }
4153
4154 static int selinux_getprocattr(struct task_struct *p,
4155                                char *name, void *value, size_t size)
4156 {
4157         struct task_security_struct *tsec;
4158         u32 sid;
4159         int error;
4160
4161         if (current != p) {
4162                 error = task_has_perm(current, p, PROCESS__GETATTR);
4163                 if (error)
4164                         return error;
4165         }
4166
4167         tsec = p->security;
4168
4169         if (!strcmp(name, "current"))
4170                 sid = tsec->sid;
4171         else if (!strcmp(name, "prev"))
4172                 sid = tsec->osid;
4173         else if (!strcmp(name, "exec"))
4174                 sid = tsec->exec_sid;
4175         else if (!strcmp(name, "fscreate"))
4176                 sid = tsec->create_sid;
4177         else if (!strcmp(name, "keycreate"))
4178                 sid = tsec->keycreate_sid;
4179         else if (!strcmp(name, "sockcreate"))
4180                 sid = tsec->sockcreate_sid;
4181         else
4182                 return -EINVAL;
4183
4184         if (!sid)
4185                 return 0;
4186
4187         return selinux_getsecurity(sid, value, size);
4188 }
4189
4190 static int selinux_setprocattr(struct task_struct *p,
4191                                char *name, void *value, size_t size)
4192 {
4193         struct task_security_struct *tsec;
4194         u32 sid = 0;
4195         int error;
4196         char *str = value;
4197
4198         if (current != p) {
4199                 /* SELinux only allows a process to change its own
4200                    security attributes. */
4201                 return -EACCES;
4202         }
4203
4204         /*
4205          * Basic control over ability to set these attributes at all.
4206          * current == p, but we'll pass them separately in case the
4207          * above restriction is ever removed.
4208          */
4209         if (!strcmp(name, "exec"))
4210                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4211         else if (!strcmp(name, "fscreate"))
4212                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4213         else if (!strcmp(name, "keycreate"))
4214                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4215         else if (!strcmp(name, "sockcreate"))
4216                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4217         else if (!strcmp(name, "current"))
4218                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4219         else
4220                 error = -EINVAL;
4221         if (error)
4222                 return error;
4223
4224         /* Obtain a SID for the context, if one was specified. */
4225         if (size && str[1] && str[1] != '\n') {
4226                 if (str[size-1] == '\n') {
4227                         str[size-1] = 0;
4228                         size--;
4229                 }
4230                 error = security_context_to_sid(value, size, &sid);
4231                 if (error)
4232                         return error;
4233         }
4234
4235         /* Permission checking based on the specified context is
4236            performed during the actual operation (execve,
4237            open/mkdir/...), when we know the full context of the
4238            operation.  See selinux_bprm_set_security for the execve
4239            checks and may_create for the file creation checks. The
4240            operation will then fail if the context is not permitted. */
4241         tsec = p->security;
4242         if (!strcmp(name, "exec"))
4243                 tsec->exec_sid = sid;
4244         else if (!strcmp(name, "fscreate"))
4245                 tsec->create_sid = sid;
4246         else if (!strcmp(name, "keycreate")) {
4247                 error = may_create_key(sid, p);
4248                 if (error)
4249                         return error;
4250                 tsec->keycreate_sid = sid;
4251         } else if (!strcmp(name, "sockcreate"))
4252                 tsec->sockcreate_sid = sid;
4253         else if (!strcmp(name, "current")) {
4254                 struct av_decision avd;
4255
4256                 if (sid == 0)
4257                         return -EINVAL;
4258
4259                 /* Only allow single threaded processes to change context */
4260                 if (atomic_read(&p->mm->mm_users) != 1) {
4261                         struct task_struct *g, *t;
4262                         struct mm_struct *mm = p->mm;
4263                         read_lock(&tasklist_lock);
4264                         do_each_thread(g, t)
4265                                 if (t->mm == mm && t != p) {
4266                                         read_unlock(&tasklist_lock);
4267                                         return -EPERM;
4268                                 }
4269                         while_each_thread(g, t);
4270                         read_unlock(&tasklist_lock);
4271                 }
4272
4273                 /* Check permissions for the transition. */
4274                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4275                                      PROCESS__DYNTRANSITION, NULL);
4276                 if (error)
4277                         return error;
4278
4279                 /* Check for ptracing, and update the task SID if ok.
4280                    Otherwise, leave SID unchanged and fail. */
4281                 task_lock(p);
4282                 if (p->ptrace & PT_PTRACED) {
4283                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4284                                                      SECCLASS_PROCESS,
4285                                                      PROCESS__PTRACE, &avd);
4286                         if (!error)
4287                                 tsec->sid = sid;
4288                         task_unlock(p);
4289                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4290                                   PROCESS__PTRACE, &avd, error, NULL);
4291                         if (error)
4292                                 return error;
4293                 } else {
4294                         tsec->sid = sid;
4295                         task_unlock(p);
4296                 }
4297         }
4298         else
4299                 return -EINVAL;
4300
4301         return size;
4302 }
4303
4304 #ifdef CONFIG_KEYS
4305
4306 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4307                              unsigned long flags)
4308 {
4309         struct task_security_struct *tsec = tsk->security;
4310         struct key_security_struct *ksec;
4311
4312         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4313         if (!ksec)
4314                 return -ENOMEM;
4315
4316         ksec->obj = k;
4317         if (tsec->keycreate_sid)
4318                 ksec->sid = tsec->keycreate_sid;
4319         else
4320                 ksec->sid = tsec->sid;
4321         k->security = ksec;
4322
4323         return 0;
4324 }
4325
4326 static void selinux_key_free(struct key *k)
4327 {
4328         struct key_security_struct *ksec = k->security;
4329
4330         k->security = NULL;
4331         kfree(ksec);
4332 }
4333
4334 static int selinux_key_permission(key_ref_t key_ref,
4335                             struct task_struct *ctx,
4336                             key_perm_t perm)
4337 {
4338         struct key *key;
4339         struct task_security_struct *tsec;
4340         struct key_security_struct *ksec;
4341
4342         key = key_ref_to_ptr(key_ref);
4343
4344         tsec = ctx->security;
4345         ksec = key->security;
4346
4347         /* if no specific permissions are requested, we skip the
4348            permission check. No serious, additional covert channels
4349            appear to be created. */
4350         if (perm == 0)
4351                 return 0;
4352
4353         return avc_has_perm(tsec->sid, ksec->sid,
4354                             SECCLASS_KEY, perm, NULL);
4355 }
4356
4357 #endif
4358
4359 static struct security_operations selinux_ops = {
4360         .ptrace =                       selinux_ptrace,
4361         .capget =                       selinux_capget,
4362         .capset_check =                 selinux_capset_check,
4363         .capset_set =                   selinux_capset_set,
4364         .sysctl =                       selinux_sysctl,
4365         .capable =                      selinux_capable,
4366         .quotactl =                     selinux_quotactl,
4367         .quota_on =                     selinux_quota_on,
4368         .syslog =                       selinux_syslog,
4369         .vm_enough_memory =             selinux_vm_enough_memory,
4370
4371         .netlink_send =                 selinux_netlink_send,
4372         .netlink_recv =                 selinux_netlink_recv,
4373
4374         .bprm_alloc_security =          selinux_bprm_alloc_security,
4375         .bprm_free_security =           selinux_bprm_free_security,
4376         .bprm_apply_creds =             selinux_bprm_apply_creds,
4377         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4378         .bprm_set_security =            selinux_bprm_set_security,
4379         .bprm_check_security =          selinux_bprm_check_security,
4380         .bprm_secureexec =              selinux_bprm_secureexec,
4381
4382         .sb_alloc_security =            selinux_sb_alloc_security,
4383         .sb_free_security =             selinux_sb_free_security,
4384         .sb_copy_data =                 selinux_sb_copy_data,
4385         .sb_kern_mount =                selinux_sb_kern_mount,
4386         .sb_statfs =                    selinux_sb_statfs,
4387         .sb_mount =                     selinux_mount,
4388         .sb_umount =                    selinux_umount,
4389
4390         .inode_alloc_security =         selinux_inode_alloc_security,
4391         .inode_free_security =          selinux_inode_free_security,
4392         .inode_init_security =          selinux_inode_init_security,
4393         .inode_create =                 selinux_inode_create,
4394         .inode_link =                   selinux_inode_link,
4395         .inode_unlink =                 selinux_inode_unlink,
4396         .inode_symlink =                selinux_inode_symlink,
4397         .inode_mkdir =                  selinux_inode_mkdir,
4398         .inode_rmdir =                  selinux_inode_rmdir,
4399         .inode_mknod =                  selinux_inode_mknod,
4400         .inode_rename =                 selinux_inode_rename,
4401         .inode_readlink =               selinux_inode_readlink,
4402         .inode_follow_link =            selinux_inode_follow_link,
4403         .inode_permission =             selinux_inode_permission,
4404         .inode_setattr =                selinux_inode_setattr,
4405         .inode_getattr =                selinux_inode_getattr,
4406         .inode_setxattr =               selinux_inode_setxattr,
4407         .inode_post_setxattr =          selinux_inode_post_setxattr,
4408         .inode_getxattr =               selinux_inode_getxattr,
4409         .inode_listxattr =              selinux_inode_listxattr,
4410         .inode_removexattr =            selinux_inode_removexattr,
4411         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4412         .inode_getsecurity =            selinux_inode_getsecurity,
4413         .inode_setsecurity =            selinux_inode_setsecurity,
4414         .inode_listsecurity =           selinux_inode_listsecurity,
4415
4416         .file_permission =              selinux_file_permission,
4417         .file_alloc_security =          selinux_file_alloc_security,
4418         .file_free_security =           selinux_file_free_security,
4419         .file_ioctl =                   selinux_file_ioctl,
4420         .file_mmap =                    selinux_file_mmap,
4421         .file_mprotect =                selinux_file_mprotect,
4422         .file_lock =                    selinux_file_lock,
4423         .file_fcntl =                   selinux_file_fcntl,
4424         .file_set_fowner =              selinux_file_set_fowner,
4425         .file_send_sigiotask =          selinux_file_send_sigiotask,
4426         .file_receive =                 selinux_file_receive,
4427
4428         .task_create =                  selinux_task_create,
4429         .task_alloc_security =          selinux_task_alloc_security,
4430         .task_free_security =           selinux_task_free_security,
4431         .task_setuid =                  selinux_task_setuid,
4432         .task_post_setuid =             selinux_task_post_setuid,
4433         .task_setgid =                  selinux_task_setgid,
4434         .task_setpgid =                 selinux_task_setpgid,
4435         .task_getpgid =                 selinux_task_getpgid,
4436         .task_getsid =                  selinux_task_getsid,
4437         .task_setgroups =               selinux_task_setgroups,
4438         .task_setnice =                 selinux_task_setnice,
4439         .task_setioprio =               selinux_task_setioprio,
4440         .task_setrlimit =               selinux_task_setrlimit,
4441         .task_setscheduler =            selinux_task_setscheduler,
4442         .task_getscheduler =            selinux_task_getscheduler,
4443         .task_movememory =              selinux_task_movememory,
4444         .task_kill =                    selinux_task_kill,
4445         .task_wait =                    selinux_task_wait,
4446         .task_prctl =                   selinux_task_prctl,
4447         .task_reparent_to_init =        selinux_task_reparent_to_init,
4448         .task_to_inode =                selinux_task_to_inode,
4449
4450         .ipc_permission =               selinux_ipc_permission,
4451
4452         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4453         .msg_msg_free_security =        selinux_msg_msg_free_security,
4454
4455         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4456         .msg_queue_free_security =      selinux_msg_queue_free_security,
4457         .msg_queue_associate =          selinux_msg_queue_associate,
4458         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4459         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4460         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4461
4462         .shm_alloc_security =           selinux_shm_alloc_security,
4463         .shm_free_security =            selinux_shm_free_security,
4464         .shm_associate =                selinux_shm_associate,
4465         .shm_shmctl =                   selinux_shm_shmctl,
4466         .shm_shmat =                    selinux_shm_shmat,
4467
4468         .sem_alloc_security =           selinux_sem_alloc_security,
4469         .sem_free_security =            selinux_sem_free_security,
4470         .sem_associate =                selinux_sem_associate,
4471         .sem_semctl =                   selinux_sem_semctl,
4472         .sem_semop =                    selinux_sem_semop,
4473
4474         .register_security =            selinux_register_security,
4475         .unregister_security =          selinux_unregister_security,
4476
4477         .d_instantiate =                selinux_d_instantiate,
4478
4479         .getprocattr =                  selinux_getprocattr,
4480         .setprocattr =                  selinux_setprocattr,
4481
4482         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4483         .unix_may_send =                selinux_socket_unix_may_send,
4484
4485         .socket_create =                selinux_socket_create,
4486         .socket_post_create =           selinux_socket_post_create,
4487         .socket_bind =                  selinux_socket_bind,
4488         .socket_connect =               selinux_socket_connect,
4489         .socket_listen =                selinux_socket_listen,
4490         .socket_accept =                selinux_socket_accept,
4491         .socket_sendmsg =               selinux_socket_sendmsg,
4492         .socket_recvmsg =               selinux_socket_recvmsg,
4493         .socket_getsockname =           selinux_socket_getsockname,
4494         .socket_getpeername =           selinux_socket_getpeername,
4495         .socket_getsockopt =            selinux_socket_getsockopt,
4496         .socket_setsockopt =            selinux_socket_setsockopt,
4497         .socket_shutdown =              selinux_socket_shutdown,
4498         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4499         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4500         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4501         .sk_alloc_security =            selinux_sk_alloc_security,
4502         .sk_free_security =             selinux_sk_free_security,
4503         .sk_getsid =                    selinux_sk_getsid_security,
4504
4505 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4506         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4507         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4508         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4509         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4510         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4511         .xfrm_state_free_security =     selinux_xfrm_state_free,
4512         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4513         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4514 #endif
4515
4516 #ifdef CONFIG_KEYS
4517         .key_alloc =                    selinux_key_alloc,
4518         .key_free =                     selinux_key_free,
4519         .key_permission =               selinux_key_permission,
4520 #endif
4521 };
4522
4523 static __init int selinux_init(void)
4524 {
4525         struct task_security_struct *tsec;
4526
4527         if (!selinux_enabled) {
4528                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4529                 return 0;
4530         }
4531
4532         printk(KERN_INFO "SELinux:  Initializing.\n");
4533
4534         /* Set the security state for the initial task. */
4535         if (task_alloc_security(current))
4536                 panic("SELinux:  Failed to initialize initial task.\n");
4537         tsec = current->security;
4538         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4539
4540         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4541                                             sizeof(struct inode_security_struct),
4542                                             0, SLAB_PANIC, NULL, NULL);
4543         avc_init();
4544
4545         original_ops = secondary_ops = security_ops;
4546         if (!secondary_ops)
4547                 panic ("SELinux: No initial security operations\n");
4548         if (register_security (&selinux_ops))
4549                 panic("SELinux: Unable to register with kernel.\n");
4550
4551         if (selinux_enforcing) {
4552                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4553         } else {
4554                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4555         }
4556
4557 #ifdef CONFIG_KEYS
4558         /* Add security information to initial keyrings */
4559         selinux_key_alloc(&root_user_keyring, current,
4560                           KEY_ALLOC_NOT_IN_QUOTA);
4561         selinux_key_alloc(&root_session_keyring, current,
4562                           KEY_ALLOC_NOT_IN_QUOTA);
4563 #endif
4564
4565         return 0;
4566 }
4567
4568 void selinux_complete_init(void)
4569 {
4570         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4571
4572         /* Set up any superblocks initialized prior to the policy load. */
4573         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4574         spin_lock(&sb_lock);
4575         spin_lock(&sb_security_lock);
4576 next_sb:
4577         if (!list_empty(&superblock_security_head)) {
4578                 struct superblock_security_struct *sbsec =
4579                                 list_entry(superblock_security_head.next,
4580                                            struct superblock_security_struct,
4581                                            list);
4582                 struct super_block *sb = sbsec->sb;
4583                 sb->s_count++;
4584                 spin_unlock(&sb_security_lock);
4585                 spin_unlock(&sb_lock);
4586                 down_read(&sb->s_umount);
4587                 if (sb->s_root)
4588                         superblock_doinit(sb, NULL);
4589                 drop_super(sb);
4590                 spin_lock(&sb_lock);
4591                 spin_lock(&sb_security_lock);
4592                 list_del_init(&sbsec->list);
4593                 goto next_sb;
4594         }
4595         spin_unlock(&sb_security_lock);
4596         spin_unlock(&sb_lock);
4597 }
4598
4599 /* SELinux requires early initialization in order to label
4600    all processes and objects when they are created. */
4601 security_initcall(selinux_init);
4602
4603 #if defined(CONFIG_NETFILTER)
4604
4605 static struct nf_hook_ops selinux_ipv4_op = {
4606         .hook =         selinux_ipv4_postroute_last,
4607         .owner =        THIS_MODULE,
4608         .pf =           PF_INET,
4609         .hooknum =      NF_IP_POST_ROUTING,
4610         .priority =     NF_IP_PRI_SELINUX_LAST,
4611 };
4612
4613 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4614
4615 static struct nf_hook_ops selinux_ipv6_op = {
4616         .hook =         selinux_ipv6_postroute_last,
4617         .owner =        THIS_MODULE,
4618         .pf =           PF_INET6,
4619         .hooknum =      NF_IP6_POST_ROUTING,
4620         .priority =     NF_IP6_PRI_SELINUX_LAST,
4621 };
4622
4623 #endif  /* IPV6 */
4624
4625 static int __init selinux_nf_ip_init(void)
4626 {
4627         int err = 0;
4628
4629         if (!selinux_enabled)
4630                 goto out;
4631                 
4632         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4633         
4634         err = nf_register_hook(&selinux_ipv4_op);
4635         if (err)
4636                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4637
4638 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4639
4640         err = nf_register_hook(&selinux_ipv6_op);
4641         if (err)
4642                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4643
4644 #endif  /* IPV6 */
4645
4646 out:
4647         return err;
4648 }
4649
4650 __initcall(selinux_nf_ip_init);
4651
4652 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4653 static void selinux_nf_ip_exit(void)
4654 {
4655         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4656
4657         nf_unregister_hook(&selinux_ipv4_op);
4658 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4659         nf_unregister_hook(&selinux_ipv6_op);
4660 #endif  /* IPV6 */
4661 }
4662 #endif
4663
4664 #else /* CONFIG_NETFILTER */
4665
4666 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4667 #define selinux_nf_ip_exit()
4668 #endif
4669
4670 #endif /* CONFIG_NETFILTER */
4671
4672 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4673 int selinux_disable(void)
4674 {
4675         extern void exit_sel_fs(void);
4676         static int selinux_disabled = 0;
4677
4678         if (ss_initialized) {
4679                 /* Not permitted after initial policy load. */
4680                 return -EINVAL;
4681         }
4682
4683         if (selinux_disabled) {
4684                 /* Only do this once. */
4685                 return -EINVAL;
4686         }
4687
4688         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4689
4690         selinux_disabled = 1;
4691         selinux_enabled = 0;
4692
4693         /* Reset security_ops to the secondary module, dummy or capability. */
4694         security_ops = secondary_ops;
4695
4696         /* Unregister netfilter hooks. */
4697         selinux_nf_ip_exit();
4698
4699         /* Unregister selinuxfs. */
4700         exit_sel_fs();
4701
4702         return 0;
4703 }
4704 #endif
4705
4706