CRED: Inaugurate COW credentials
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         unsigned long enforcing;
108         if (!strict_strtoul(str, 0, &enforcing))
109                 selinux_enforcing = enforcing ? 1 : 0;
110         return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120         unsigned long enabled;
121         if (!strict_strtoul(str, 0, &enabled))
122                 selinux_enabled = enabled ? 1 : 0;
123         return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132  * Minimal support for a secondary security module,
133  * just to allow the use of the capability module.
134  */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138    before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146  *
147  * Description:
148  * This function checks the SECMARK reference counter to see if any SECMARK
149  * targets are currently configured, if the reference counter is greater than
150  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
151  * enabled, false (0) if SECMARK is disabled.
152  *
153  */
154 static int selinux_secmark_enabled(void)
155 {
156         return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160  * initialise the security for the init task
161  */
162 static void cred_init_security(void)
163 {
164         struct cred *cred = (struct cred *) current->cred;
165         struct task_security_struct *tsec;
166
167         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168         if (!tsec)
169                 panic("SELinux:  Failed to initialize initial task.\n");
170
171         tsec->osid = tsec->sid = SECINITSID_KERNEL;
172         cred->security = tsec;
173 }
174
175 /*
176  * get the security ID of a set of credentials
177  */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180         const struct task_security_struct *tsec;
181
182         tsec = cred->security;
183         return tsec->sid;
184 }
185
186 /*
187  * get the security ID of a task
188  */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191         u32 sid;
192
193         rcu_read_lock();
194         sid = cred_sid(__task_cred(task));
195         rcu_read_unlock();
196         return sid;
197 }
198
199 /*
200  * get the security ID of the current task
201  */
202 static inline u32 current_sid(void)
203 {
204         const struct task_security_struct *tsec = current_cred()->security;
205
206         return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213         struct inode_security_struct *isec;
214         u32 sid = current_sid();
215
216         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217         if (!isec)
218                 return -ENOMEM;
219
220         mutex_init(&isec->lock);
221         INIT_LIST_HEAD(&isec->list);
222         isec->inode = inode;
223         isec->sid = SECINITSID_UNLABELED;
224         isec->sclass = SECCLASS_FILE;
225         isec->task_sid = sid;
226         inode->i_security = isec;
227
228         return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233         struct inode_security_struct *isec = inode->i_security;
234         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236         spin_lock(&sbsec->isec_lock);
237         if (!list_empty(&isec->list))
238                 list_del_init(&isec->list);
239         spin_unlock(&sbsec->isec_lock);
240
241         inode->i_security = NULL;
242         kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247         struct file_security_struct *fsec;
248         u32 sid = current_sid();
249
250         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251         if (!fsec)
252                 return -ENOMEM;
253
254         fsec->sid = sid;
255         fsec->fown_sid = sid;
256         file->f_security = fsec;
257
258         return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263         struct file_security_struct *fsec = file->f_security;
264         file->f_security = NULL;
265         kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270         struct superblock_security_struct *sbsec;
271
272         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273         if (!sbsec)
274                 return -ENOMEM;
275
276         mutex_init(&sbsec->lock);
277         INIT_LIST_HEAD(&sbsec->list);
278         INIT_LIST_HEAD(&sbsec->isec_head);
279         spin_lock_init(&sbsec->isec_lock);
280         sbsec->sb = sb;
281         sbsec->sid = SECINITSID_UNLABELED;
282         sbsec->def_sid = SECINITSID_FILE;
283         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284         sb->s_security = sbsec;
285
286         return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291         struct superblock_security_struct *sbsec = sb->s_security;
292
293         spin_lock(&sb_security_lock);
294         if (!list_empty(&sbsec->list))
295                 list_del_init(&sbsec->list);
296         spin_unlock(&sb_security_lock);
297
298         sb->s_security = NULL;
299         kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304         struct sk_security_struct *ssec;
305
306         ssec = kzalloc(sizeof(*ssec), priority);
307         if (!ssec)
308                 return -ENOMEM;
309
310         ssec->peer_sid = SECINITSID_UNLABELED;
311         ssec->sid = SECINITSID_UNLABELED;
312         sk->sk_security = ssec;
313
314         selinux_netlbl_sk_security_reset(ssec, family);
315
316         return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321         struct sk_security_struct *ssec = sk->sk_security;
322
323         sk->sk_security = NULL;
324         selinux_netlbl_sk_security_free(ssec);
325         kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329    any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335         "uses xattr",
336         "uses transition SIDs",
337         "uses task SIDs",
338         "uses genfs_contexts",
339         "not configured for labeling",
340         "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347         return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351         Opt_error = -1,
352         Opt_context = 1,
353         Opt_fscontext = 2,
354         Opt_defcontext = 3,
355         Opt_rootcontext = 4,
356 };
357
358 static const match_table_t tokens = {
359         {Opt_context, CONTEXT_STR "%s"},
360         {Opt_fscontext, FSCONTEXT_STR "%s"},
361         {Opt_defcontext, DEFCONTEXT_STR "%s"},
362         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363         {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369                         struct superblock_security_struct *sbsec,
370                         const struct cred *cred)
371 {
372         const struct task_security_struct *tsec = cred->security;
373         int rc;
374
375         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376                           FILESYSTEM__RELABELFROM, NULL);
377         if (rc)
378                 return rc;
379
380         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381                           FILESYSTEM__RELABELTO, NULL);
382         return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386                         struct superblock_security_struct *sbsec,
387                         const struct cred *cred)
388 {
389         const struct task_security_struct *tsec = cred->security;
390         int rc;
391         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392                           FILESYSTEM__RELABELFROM, NULL);
393         if (rc)
394                 return rc;
395
396         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397                           FILESYSTEM__ASSOCIATE, NULL);
398         return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403         struct superblock_security_struct *sbsec = sb->s_security;
404         struct dentry *root = sb->s_root;
405         struct inode *root_inode = root->d_inode;
406         int rc = 0;
407
408         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409                 /* Make sure that the xattr handler exists and that no
410                    error other than -ENODATA is returned by getxattr on
411                    the root directory.  -ENODATA is ok, as this may be
412                    the first boot of the SELinux kernel before we have
413                    assigned xattr values to the filesystem. */
414                 if (!root_inode->i_op->getxattr) {
415                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416                                "xattr support\n", sb->s_id, sb->s_type->name);
417                         rc = -EOPNOTSUPP;
418                         goto out;
419                 }
420                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421                 if (rc < 0 && rc != -ENODATA) {
422                         if (rc == -EOPNOTSUPP)
423                                 printk(KERN_WARNING "SELinux: (dev %s, type "
424                                        "%s) has no security xattr handler\n",
425                                        sb->s_id, sb->s_type->name);
426                         else
427                                 printk(KERN_WARNING "SELinux: (dev %s, type "
428                                        "%s) getxattr errno %d\n", sb->s_id,
429                                        sb->s_type->name, -rc);
430                         goto out;
431                 }
432         }
433
434         sbsec->initialized = 1;
435
436         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438                        sb->s_id, sb->s_type->name);
439         else
440                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441                        sb->s_id, sb->s_type->name,
442                        labeling_behaviors[sbsec->behavior-1]);
443
444         /* Initialize the root inode. */
445         rc = inode_doinit_with_dentry(root_inode, root);
446
447         /* Initialize any other inodes associated with the superblock, e.g.
448            inodes created prior to initial policy load or inodes created
449            during get_sb by a pseudo filesystem that directly
450            populates itself. */
451         spin_lock(&sbsec->isec_lock);
452 next_inode:
453         if (!list_empty(&sbsec->isec_head)) {
454                 struct inode_security_struct *isec =
455                                 list_entry(sbsec->isec_head.next,
456                                            struct inode_security_struct, list);
457                 struct inode *inode = isec->inode;
458                 spin_unlock(&sbsec->isec_lock);
459                 inode = igrab(inode);
460                 if (inode) {
461                         if (!IS_PRIVATE(inode))
462                                 inode_doinit(inode);
463                         iput(inode);
464                 }
465                 spin_lock(&sbsec->isec_lock);
466                 list_del_init(&isec->list);
467                 goto next_inode;
468         }
469         spin_unlock(&sbsec->isec_lock);
470 out:
471         return rc;
472 }
473
474 /*
475  * This function should allow an FS to ask what it's mount security
476  * options were so it can use those later for submounts, displaying
477  * mount options, or whatever.
478  */
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480                                 struct security_mnt_opts *opts)
481 {
482         int rc = 0, i;
483         struct superblock_security_struct *sbsec = sb->s_security;
484         char *context = NULL;
485         u32 len;
486         char tmp;
487
488         security_init_mnt_opts(opts);
489
490         if (!sbsec->initialized)
491                 return -EINVAL;
492
493         if (!ss_initialized)
494                 return -EINVAL;
495
496         /*
497          * if we ever use sbsec flags for anything other than tracking mount
498          * settings this is going to need a mask
499          */
500         tmp = sbsec->flags;
501         /* count the number of mount options for this sb */
502         for (i = 0; i < 8; i++) {
503                 if (tmp & 0x01)
504                         opts->num_mnt_opts++;
505                 tmp >>= 1;
506         }
507
508         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509         if (!opts->mnt_opts) {
510                 rc = -ENOMEM;
511                 goto out_free;
512         }
513
514         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515         if (!opts->mnt_opts_flags) {
516                 rc = -ENOMEM;
517                 goto out_free;
518         }
519
520         i = 0;
521         if (sbsec->flags & FSCONTEXT_MNT) {
522                 rc = security_sid_to_context(sbsec->sid, &context, &len);
523                 if (rc)
524                         goto out_free;
525                 opts->mnt_opts[i] = context;
526                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
527         }
528         if (sbsec->flags & CONTEXT_MNT) {
529                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530                 if (rc)
531                         goto out_free;
532                 opts->mnt_opts[i] = context;
533                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534         }
535         if (sbsec->flags & DEFCONTEXT_MNT) {
536                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537                 if (rc)
538                         goto out_free;
539                 opts->mnt_opts[i] = context;
540                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
541         }
542         if (sbsec->flags & ROOTCONTEXT_MNT) {
543                 struct inode *root = sbsec->sb->s_root->d_inode;
544                 struct inode_security_struct *isec = root->i_security;
545
546                 rc = security_sid_to_context(isec->sid, &context, &len);
547                 if (rc)
548                         goto out_free;
549                 opts->mnt_opts[i] = context;
550                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551         }
552
553         BUG_ON(i != opts->num_mnt_opts);
554
555         return 0;
556
557 out_free:
558         security_free_mnt_opts(opts);
559         return rc;
560 }
561
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563                       u32 old_sid, u32 new_sid)
564 {
565         /* check if the old mount command had the same options */
566         if (sbsec->initialized)
567                 if (!(sbsec->flags & flag) ||
568                     (old_sid != new_sid))
569                         return 1;
570
571         /* check if we were passed the same options twice,
572          * aka someone passed context=a,context=b
573          */
574         if (!sbsec->initialized)
575                 if (sbsec->flags & flag)
576                         return 1;
577         return 0;
578 }
579
580 /*
581  * Allow filesystems with binary mount data to explicitly set mount point
582  * labeling information.
583  */
584 static int selinux_set_mnt_opts(struct super_block *sb,
585                                 struct security_mnt_opts *opts)
586 {
587         const struct cred *cred = current_cred();
588         int rc = 0, i;
589         struct superblock_security_struct *sbsec = sb->s_security;
590         const char *name = sb->s_type->name;
591         struct inode *inode = sbsec->sb->s_root->d_inode;
592         struct inode_security_struct *root_isec = inode->i_security;
593         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594         u32 defcontext_sid = 0;
595         char **mount_options = opts->mnt_opts;
596         int *flags = opts->mnt_opts_flags;
597         int num_opts = opts->num_mnt_opts;
598
599         mutex_lock(&sbsec->lock);
600
601         if (!ss_initialized) {
602                 if (!num_opts) {
603                         /* Defer initialization until selinux_complete_init,
604                            after the initial policy is loaded and the security
605                            server is ready to handle calls. */
606                         spin_lock(&sb_security_lock);
607                         if (list_empty(&sbsec->list))
608                                 list_add(&sbsec->list, &superblock_security_head);
609                         spin_unlock(&sb_security_lock);
610                         goto out;
611                 }
612                 rc = -EINVAL;
613                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614                         "before the security server is initialized\n");
615                 goto out;
616         }
617
618         /*
619          * Binary mount data FS will come through this function twice.  Once
620          * from an explicit call and once from the generic calls from the vfs.
621          * Since the generic VFS calls will not contain any security mount data
622          * we need to skip the double mount verification.
623          *
624          * This does open a hole in which we will not notice if the first
625          * mount using this sb set explict options and a second mount using
626          * this sb does not set any security options.  (The first options
627          * will be used for both mounts)
628          */
629         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630             && (num_opts == 0))
631                 goto out;
632
633         /*
634          * parse the mount options, check if they are valid sids.
635          * also check if someone is trying to mount the same sb more
636          * than once with different security options.
637          */
638         for (i = 0; i < num_opts; i++) {
639                 u32 sid;
640                 rc = security_context_to_sid(mount_options[i],
641                                              strlen(mount_options[i]), &sid);
642                 if (rc) {
643                         printk(KERN_WARNING "SELinux: security_context_to_sid"
644                                "(%s) failed for (dev %s, type %s) errno=%d\n",
645                                mount_options[i], sb->s_id, name, rc);
646                         goto out;
647                 }
648                 switch (flags[i]) {
649                 case FSCONTEXT_MNT:
650                         fscontext_sid = sid;
651
652                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653                                         fscontext_sid))
654                                 goto out_double_mount;
655
656                         sbsec->flags |= FSCONTEXT_MNT;
657                         break;
658                 case CONTEXT_MNT:
659                         context_sid = sid;
660
661                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662                                         context_sid))
663                                 goto out_double_mount;
664
665                         sbsec->flags |= CONTEXT_MNT;
666                         break;
667                 case ROOTCONTEXT_MNT:
668                         rootcontext_sid = sid;
669
670                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671                                         rootcontext_sid))
672                                 goto out_double_mount;
673
674                         sbsec->flags |= ROOTCONTEXT_MNT;
675
676                         break;
677                 case DEFCONTEXT_MNT:
678                         defcontext_sid = sid;
679
680                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681                                         defcontext_sid))
682                                 goto out_double_mount;
683
684                         sbsec->flags |= DEFCONTEXT_MNT;
685
686                         break;
687                 default:
688                         rc = -EINVAL;
689                         goto out;
690                 }
691         }
692
693         if (sbsec->initialized) {
694                 /* previously mounted with options, but not on this attempt? */
695                 if (sbsec->flags && !num_opts)
696                         goto out_double_mount;
697                 rc = 0;
698                 goto out;
699         }
700
701         if (strcmp(sb->s_type->name, "proc") == 0)
702                 sbsec->proc = 1;
703
704         /* Determine the labeling behavior to use for this filesystem type. */
705         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706         if (rc) {
707                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708                        __func__, sb->s_type->name, rc);
709                 goto out;
710         }
711
712         /* sets the context of the superblock for the fs being mounted. */
713         if (fscontext_sid) {
714                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
715                 if (rc)
716                         goto out;
717
718                 sbsec->sid = fscontext_sid;
719         }
720
721         /*
722          * Switch to using mount point labeling behavior.
723          * sets the label used on all file below the mountpoint, and will set
724          * the superblock context if not already set.
725          */
726         if (context_sid) {
727                 if (!fscontext_sid) {
728                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
729                                                           cred);
730                         if (rc)
731                                 goto out;
732                         sbsec->sid = context_sid;
733                 } else {
734                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
735                                                              cred);
736                         if (rc)
737                                 goto out;
738                 }
739                 if (!rootcontext_sid)
740                         rootcontext_sid = context_sid;
741
742                 sbsec->mntpoint_sid = context_sid;
743                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744         }
745
746         if (rootcontext_sid) {
747                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748                                                      cred);
749                 if (rc)
750                         goto out;
751
752                 root_isec->sid = rootcontext_sid;
753                 root_isec->initialized = 1;
754         }
755
756         if (defcontext_sid) {
757                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758                         rc = -EINVAL;
759                         printk(KERN_WARNING "SELinux: defcontext option is "
760                                "invalid for this filesystem type\n");
761                         goto out;
762                 }
763
764                 if (defcontext_sid != sbsec->def_sid) {
765                         rc = may_context_mount_inode_relabel(defcontext_sid,
766                                                              sbsec, cred);
767                         if (rc)
768                                 goto out;
769                 }
770
771                 sbsec->def_sid = defcontext_sid;
772         }
773
774         rc = sb_finish_set_opts(sb);
775 out:
776         mutex_unlock(&sbsec->lock);
777         return rc;
778 out_double_mount:
779         rc = -EINVAL;
780         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
781                "security settings for (dev %s, type %s)\n", sb->s_id, name);
782         goto out;
783 }
784
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786                                         struct super_block *newsb)
787 {
788         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789         struct superblock_security_struct *newsbsec = newsb->s_security;
790
791         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
792         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
793         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795         /*
796          * if the parent was able to be mounted it clearly had no special lsm
797          * mount options.  thus we can safely put this sb on the list and deal
798          * with it later
799          */
800         if (!ss_initialized) {
801                 spin_lock(&sb_security_lock);
802                 if (list_empty(&newsbsec->list))
803                         list_add(&newsbsec->list, &superblock_security_head);
804                 spin_unlock(&sb_security_lock);
805                 return;
806         }
807
808         /* how can we clone if the old one wasn't set up?? */
809         BUG_ON(!oldsbsec->initialized);
810
811         /* if fs is reusing a sb, just let its options stand... */
812         if (newsbsec->initialized)
813                 return;
814
815         mutex_lock(&newsbsec->lock);
816
817         newsbsec->flags = oldsbsec->flags;
818
819         newsbsec->sid = oldsbsec->sid;
820         newsbsec->def_sid = oldsbsec->def_sid;
821         newsbsec->behavior = oldsbsec->behavior;
822
823         if (set_context) {
824                 u32 sid = oldsbsec->mntpoint_sid;
825
826                 if (!set_fscontext)
827                         newsbsec->sid = sid;
828                 if (!set_rootcontext) {
829                         struct inode *newinode = newsb->s_root->d_inode;
830                         struct inode_security_struct *newisec = newinode->i_security;
831                         newisec->sid = sid;
832                 }
833                 newsbsec->mntpoint_sid = sid;
834         }
835         if (set_rootcontext) {
836                 const struct inode *oldinode = oldsb->s_root->d_inode;
837                 const struct inode_security_struct *oldisec = oldinode->i_security;
838                 struct inode *newinode = newsb->s_root->d_inode;
839                 struct inode_security_struct *newisec = newinode->i_security;
840
841                 newisec->sid = oldisec->sid;
842         }
843
844         sb_finish_set_opts(newsb);
845         mutex_unlock(&newsbsec->lock);
846 }
847
848 static int selinux_parse_opts_str(char *options,
849                                   struct security_mnt_opts *opts)
850 {
851         char *p;
852         char *context = NULL, *defcontext = NULL;
853         char *fscontext = NULL, *rootcontext = NULL;
854         int rc, num_mnt_opts = 0;
855
856         opts->num_mnt_opts = 0;
857
858         /* Standard string-based options. */
859         while ((p = strsep(&options, "|")) != NULL) {
860                 int token;
861                 substring_t args[MAX_OPT_ARGS];
862
863                 if (!*p)
864                         continue;
865
866                 token = match_token(p, tokens, args);
867
868                 switch (token) {
869                 case Opt_context:
870                         if (context || defcontext) {
871                                 rc = -EINVAL;
872                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873                                 goto out_err;
874                         }
875                         context = match_strdup(&args[0]);
876                         if (!context) {
877                                 rc = -ENOMEM;
878                                 goto out_err;
879                         }
880                         break;
881
882                 case Opt_fscontext:
883                         if (fscontext) {
884                                 rc = -EINVAL;
885                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886                                 goto out_err;
887                         }
888                         fscontext = match_strdup(&args[0]);
889                         if (!fscontext) {
890                                 rc = -ENOMEM;
891                                 goto out_err;
892                         }
893                         break;
894
895                 case Opt_rootcontext:
896                         if (rootcontext) {
897                                 rc = -EINVAL;
898                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899                                 goto out_err;
900                         }
901                         rootcontext = match_strdup(&args[0]);
902                         if (!rootcontext) {
903                                 rc = -ENOMEM;
904                                 goto out_err;
905                         }
906                         break;
907
908                 case Opt_defcontext:
909                         if (context || defcontext) {
910                                 rc = -EINVAL;
911                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912                                 goto out_err;
913                         }
914                         defcontext = match_strdup(&args[0]);
915                         if (!defcontext) {
916                                 rc = -ENOMEM;
917                                 goto out_err;
918                         }
919                         break;
920
921                 default:
922                         rc = -EINVAL;
923                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
924                         goto out_err;
925
926                 }
927         }
928
929         rc = -ENOMEM;
930         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931         if (!opts->mnt_opts)
932                 goto out_err;
933
934         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935         if (!opts->mnt_opts_flags) {
936                 kfree(opts->mnt_opts);
937                 goto out_err;
938         }
939
940         if (fscontext) {
941                 opts->mnt_opts[num_mnt_opts] = fscontext;
942                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943         }
944         if (context) {
945                 opts->mnt_opts[num_mnt_opts] = context;
946                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947         }
948         if (rootcontext) {
949                 opts->mnt_opts[num_mnt_opts] = rootcontext;
950                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951         }
952         if (defcontext) {
953                 opts->mnt_opts[num_mnt_opts] = defcontext;
954                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955         }
956
957         opts->num_mnt_opts = num_mnt_opts;
958         return 0;
959
960 out_err:
961         kfree(context);
962         kfree(defcontext);
963         kfree(fscontext);
964         kfree(rootcontext);
965         return rc;
966 }
967 /*
968  * string mount options parsing and call set the sbsec
969  */
970 static int superblock_doinit(struct super_block *sb, void *data)
971 {
972         int rc = 0;
973         char *options = data;
974         struct security_mnt_opts opts;
975
976         security_init_mnt_opts(&opts);
977
978         if (!data)
979                 goto out;
980
981         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983         rc = selinux_parse_opts_str(options, &opts);
984         if (rc)
985                 goto out_err;
986
987 out:
988         rc = selinux_set_mnt_opts(sb, &opts);
989
990 out_err:
991         security_free_mnt_opts(&opts);
992         return rc;
993 }
994
995 static void selinux_write_opts(struct seq_file *m,
996                                struct security_mnt_opts *opts)
997 {
998         int i;
999         char *prefix;
1000
1001         for (i = 0; i < opts->num_mnt_opts; i++) {
1002                 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004                 switch (opts->mnt_opts_flags[i]) {
1005                 case CONTEXT_MNT:
1006                         prefix = CONTEXT_STR;
1007                         break;
1008                 case FSCONTEXT_MNT:
1009                         prefix = FSCONTEXT_STR;
1010                         break;
1011                 case ROOTCONTEXT_MNT:
1012                         prefix = ROOTCONTEXT_STR;
1013                         break;
1014                 case DEFCONTEXT_MNT:
1015                         prefix = DEFCONTEXT_STR;
1016                         break;
1017                 default:
1018                         BUG();
1019                 };
1020                 /* we need a comma before each option */
1021                 seq_putc(m, ',');
1022                 seq_puts(m, prefix);
1023                 if (has_comma)
1024                         seq_putc(m, '\"');
1025                 seq_puts(m, opts->mnt_opts[i]);
1026                 if (has_comma)
1027                         seq_putc(m, '\"');
1028         }
1029 }
1030
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032 {
1033         struct security_mnt_opts opts;
1034         int rc;
1035
1036         rc = selinux_get_mnt_opts(sb, &opts);
1037         if (rc) {
1038                 /* before policy load we may get EINVAL, don't show anything */
1039                 if (rc == -EINVAL)
1040                         rc = 0;
1041                 return rc;
1042         }
1043
1044         selinux_write_opts(m, &opts);
1045
1046         security_free_mnt_opts(&opts);
1047
1048         return rc;
1049 }
1050
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1052 {
1053         switch (mode & S_IFMT) {
1054         case S_IFSOCK:
1055                 return SECCLASS_SOCK_FILE;
1056         case S_IFLNK:
1057                 return SECCLASS_LNK_FILE;
1058         case S_IFREG:
1059                 return SECCLASS_FILE;
1060         case S_IFBLK:
1061                 return SECCLASS_BLK_FILE;
1062         case S_IFDIR:
1063                 return SECCLASS_DIR;
1064         case S_IFCHR:
1065                 return SECCLASS_CHR_FILE;
1066         case S_IFIFO:
1067                 return SECCLASS_FIFO_FILE;
1068
1069         }
1070
1071         return SECCLASS_FILE;
1072 }
1073
1074 static inline int default_protocol_stream(int protocol)
1075 {
1076         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 }
1078
1079 static inline int default_protocol_dgram(int protocol)
1080 {
1081         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 }
1083
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085 {
1086         switch (family) {
1087         case PF_UNIX:
1088                 switch (type) {
1089                 case SOCK_STREAM:
1090                 case SOCK_SEQPACKET:
1091                         return SECCLASS_UNIX_STREAM_SOCKET;
1092                 case SOCK_DGRAM:
1093                         return SECCLASS_UNIX_DGRAM_SOCKET;
1094                 }
1095                 break;
1096         case PF_INET:
1097         case PF_INET6:
1098                 switch (type) {
1099                 case SOCK_STREAM:
1100                         if (default_protocol_stream(protocol))
1101                                 return SECCLASS_TCP_SOCKET;
1102                         else
1103                                 return SECCLASS_RAWIP_SOCKET;
1104                 case SOCK_DGRAM:
1105                         if (default_protocol_dgram(protocol))
1106                                 return SECCLASS_UDP_SOCKET;
1107                         else
1108                                 return SECCLASS_RAWIP_SOCKET;
1109                 case SOCK_DCCP:
1110                         return SECCLASS_DCCP_SOCKET;
1111                 default:
1112                         return SECCLASS_RAWIP_SOCKET;
1113                 }
1114                 break;
1115         case PF_NETLINK:
1116                 switch (protocol) {
1117                 case NETLINK_ROUTE:
1118                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1119                 case NETLINK_FIREWALL:
1120                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121                 case NETLINK_INET_DIAG:
1122                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123                 case NETLINK_NFLOG:
1124                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1125                 case NETLINK_XFRM:
1126                         return SECCLASS_NETLINK_XFRM_SOCKET;
1127                 case NETLINK_SELINUX:
1128                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1129                 case NETLINK_AUDIT:
1130                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1131                 case NETLINK_IP6_FW:
1132                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1133                 case NETLINK_DNRTMSG:
1134                         return SECCLASS_NETLINK_DNRT_SOCKET;
1135                 case NETLINK_KOBJECT_UEVENT:
1136                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1137                 default:
1138                         return SECCLASS_NETLINK_SOCKET;
1139                 }
1140         case PF_PACKET:
1141                 return SECCLASS_PACKET_SOCKET;
1142         case PF_KEY:
1143                 return SECCLASS_KEY_SOCKET;
1144         case PF_APPLETALK:
1145                 return SECCLASS_APPLETALK_SOCKET;
1146         }
1147
1148         return SECCLASS_SOCKET;
1149 }
1150
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153                                 u16 tclass,
1154                                 u32 *sid)
1155 {
1156         int buflen, rc;
1157         char *buffer, *path, *end;
1158
1159         buffer = (char *)__get_free_page(GFP_KERNEL);
1160         if (!buffer)
1161                 return -ENOMEM;
1162
1163         buflen = PAGE_SIZE;
1164         end = buffer+buflen;
1165         *--end = '\0';
1166         buflen--;
1167         path = end-1;
1168         *path = '/';
1169         while (de && de != de->parent) {
1170                 buflen -= de->namelen + 1;
1171                 if (buflen < 0)
1172                         break;
1173                 end -= de->namelen;
1174                 memcpy(end, de->name, de->namelen);
1175                 *--end = '/';
1176                 path = end;
1177                 de = de->parent;
1178         }
1179         rc = security_genfs_sid("proc", path, tclass, sid);
1180         free_page((unsigned long)buffer);
1181         return rc;
1182 }
1183 #else
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185                                 u16 tclass,
1186                                 u32 *sid)
1187 {
1188         return -EINVAL;
1189 }
1190 #endif
1191
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194 {
1195         struct superblock_security_struct *sbsec = NULL;
1196         struct inode_security_struct *isec = inode->i_security;
1197         u32 sid;
1198         struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200         char *context = NULL;
1201         unsigned len = 0;
1202         int rc = 0;
1203
1204         if (isec->initialized)
1205                 goto out;
1206
1207         mutex_lock(&isec->lock);
1208         if (isec->initialized)
1209                 goto out_unlock;
1210
1211         sbsec = inode->i_sb->s_security;
1212         if (!sbsec->initialized) {
1213                 /* Defer initialization until selinux_complete_init,
1214                    after the initial policy is loaded and the security
1215                    server is ready to handle calls. */
1216                 spin_lock(&sbsec->isec_lock);
1217                 if (list_empty(&isec->list))
1218                         list_add(&isec->list, &sbsec->isec_head);
1219                 spin_unlock(&sbsec->isec_lock);
1220                 goto out_unlock;
1221         }
1222
1223         switch (sbsec->behavior) {
1224         case SECURITY_FS_USE_XATTR:
1225                 if (!inode->i_op->getxattr) {
1226                         isec->sid = sbsec->def_sid;
1227                         break;
1228                 }
1229
1230                 /* Need a dentry, since the xattr API requires one.
1231                    Life would be simpler if we could just pass the inode. */
1232                 if (opt_dentry) {
1233                         /* Called from d_instantiate or d_splice_alias. */
1234                         dentry = dget(opt_dentry);
1235                 } else {
1236                         /* Called from selinux_complete_init, try to find a dentry. */
1237                         dentry = d_find_alias(inode);
1238                 }
1239                 if (!dentry) {
1240                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1241                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1242                                inode->i_ino);
1243                         goto out_unlock;
1244                 }
1245
1246                 len = INITCONTEXTLEN;
1247                 context = kmalloc(len, GFP_NOFS);
1248                 if (!context) {
1249                         rc = -ENOMEM;
1250                         dput(dentry);
1251                         goto out_unlock;
1252                 }
1253                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254                                            context, len);
1255                 if (rc == -ERANGE) {
1256                         /* Need a larger buffer.  Query for the right size. */
1257                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258                                                    NULL, 0);
1259                         if (rc < 0) {
1260                                 dput(dentry);
1261                                 goto out_unlock;
1262                         }
1263                         kfree(context);
1264                         len = rc;
1265                         context = kmalloc(len, GFP_NOFS);
1266                         if (!context) {
1267                                 rc = -ENOMEM;
1268                                 dput(dentry);
1269                                 goto out_unlock;
1270                         }
1271                         rc = inode->i_op->getxattr(dentry,
1272                                                    XATTR_NAME_SELINUX,
1273                                                    context, len);
1274                 }
1275                 dput(dentry);
1276                 if (rc < 0) {
1277                         if (rc != -ENODATA) {
1278                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1279                                        "%d for dev=%s ino=%ld\n", __func__,
1280                                        -rc, inode->i_sb->s_id, inode->i_ino);
1281                                 kfree(context);
1282                                 goto out_unlock;
1283                         }
1284                         /* Map ENODATA to the default file SID */
1285                         sid = sbsec->def_sid;
1286                         rc = 0;
1287                 } else {
1288                         rc = security_context_to_sid_default(context, rc, &sid,
1289                                                              sbsec->def_sid,
1290                                                              GFP_NOFS);
1291                         if (rc) {
1292                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1293                                        "returned %d for dev=%s ino=%ld\n",
1294                                        __func__, context, -rc,
1295                                        inode->i_sb->s_id, inode->i_ino);
1296                                 kfree(context);
1297                                 /* Leave with the unlabeled SID */
1298                                 rc = 0;
1299                                 break;
1300                         }
1301                 }
1302                 kfree(context);
1303                 isec->sid = sid;
1304                 break;
1305         case SECURITY_FS_USE_TASK:
1306                 isec->sid = isec->task_sid;
1307                 break;
1308         case SECURITY_FS_USE_TRANS:
1309                 /* Default to the fs SID. */
1310                 isec->sid = sbsec->sid;
1311
1312                 /* Try to obtain a transition SID. */
1313                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314                 rc = security_transition_sid(isec->task_sid,
1315                                              sbsec->sid,
1316                                              isec->sclass,
1317                                              &sid);
1318                 if (rc)
1319                         goto out_unlock;
1320                 isec->sid = sid;
1321                 break;
1322         case SECURITY_FS_USE_MNTPOINT:
1323                 isec->sid = sbsec->mntpoint_sid;
1324                 break;
1325         default:
1326                 /* Default to the fs superblock SID. */
1327                 isec->sid = sbsec->sid;
1328
1329                 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330                         struct proc_inode *proci = PROC_I(inode);
1331                         if (proci->pde) {
1332                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333                                 rc = selinux_proc_get_sid(proci->pde,
1334                                                           isec->sclass,
1335                                                           &sid);
1336                                 if (rc)
1337                                         goto out_unlock;
1338                                 isec->sid = sid;
1339                         }
1340                 }
1341                 break;
1342         }
1343
1344         isec->initialized = 1;
1345
1346 out_unlock:
1347         mutex_unlock(&isec->lock);
1348 out:
1349         if (isec->sclass == SECCLASS_FILE)
1350                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351         return rc;
1352 }
1353
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1356 {
1357         u32 perm = 0;
1358
1359         switch (sig) {
1360         case SIGCHLD:
1361                 /* Commonly granted from child to parent. */
1362                 perm = PROCESS__SIGCHLD;
1363                 break;
1364         case SIGKILL:
1365                 /* Cannot be caught or ignored */
1366                 perm = PROCESS__SIGKILL;
1367                 break;
1368         case SIGSTOP:
1369                 /* Cannot be caught or ignored */
1370                 perm = PROCESS__SIGSTOP;
1371                 break;
1372         default:
1373                 /* All other signals. */
1374                 perm = PROCESS__SIGNAL;
1375                 break;
1376         }
1377
1378         return perm;
1379 }
1380
1381 /*
1382  * Check permission between a pair of credentials
1383  * fork check, ptrace check, etc.
1384  */
1385 static int cred_has_perm(const struct cred *actor,
1386                          const struct cred *target,
1387                          u32 perms)
1388 {
1389         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392 }
1393
1394 /*
1395  * Check permission between a pair of tasks, e.g. signal checks,
1396  * fork check, ptrace check, etc.
1397  * tsk1 is the actor and tsk2 is the target
1398  */
1399 static int task_has_perm(const struct task_struct *tsk1,
1400                          const struct task_struct *tsk2,
1401                          u32 perms)
1402 {
1403         const struct task_security_struct *__tsec1, *__tsec2;
1404         u32 sid1, sid2;
1405
1406         rcu_read_lock();
1407         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1408         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1409         rcu_read_unlock();
1410         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1411 }
1412
1413 #if CAP_LAST_CAP > 63
1414 #error Fix SELinux to handle capabilities > 63.
1415 #endif
1416
1417 /* Check whether a task is allowed to use a capability. */
1418 static int task_has_capability(struct task_struct *tsk,
1419                                int cap, int audit)
1420 {
1421         struct avc_audit_data ad;
1422         struct av_decision avd;
1423         u16 sclass;
1424         u32 sid = task_sid(tsk);
1425         u32 av = CAP_TO_MASK(cap);
1426         int rc;
1427
1428         AVC_AUDIT_DATA_INIT(&ad, CAP);
1429         ad.tsk = tsk;
1430         ad.u.cap = cap;
1431
1432         switch (CAP_TO_INDEX(cap)) {
1433         case 0:
1434                 sclass = SECCLASS_CAPABILITY;
1435                 break;
1436         case 1:
1437                 sclass = SECCLASS_CAPABILITY2;
1438                 break;
1439         default:
1440                 printk(KERN_ERR
1441                        "SELinux:  out of range capability %d\n", cap);
1442                 BUG();
1443         }
1444
1445         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1446         if (audit == SECURITY_CAP_AUDIT)
1447                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1448         return rc;
1449 }
1450
1451 /* Check whether a task is allowed to use a system operation. */
1452 static int task_has_system(struct task_struct *tsk,
1453                            u32 perms)
1454 {
1455         u32 sid = task_sid(tsk);
1456
1457         return avc_has_perm(sid, SECINITSID_KERNEL,
1458                             SECCLASS_SYSTEM, perms, NULL);
1459 }
1460
1461 /* Check whether a task has a particular permission to an inode.
1462    The 'adp' parameter is optional and allows other audit
1463    data to be passed (e.g. the dentry). */
1464 static int inode_has_perm(const struct cred *cred,
1465                           struct inode *inode,
1466                           u32 perms,
1467                           struct avc_audit_data *adp)
1468 {
1469         struct inode_security_struct *isec;
1470         struct avc_audit_data ad;
1471         u32 sid;
1472
1473         if (unlikely(IS_PRIVATE(inode)))
1474                 return 0;
1475
1476         sid = cred_sid(cred);
1477         isec = inode->i_security;
1478
1479         if (!adp) {
1480                 adp = &ad;
1481                 AVC_AUDIT_DATA_INIT(&ad, FS);
1482                 ad.u.fs.inode = inode;
1483         }
1484
1485         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1486 }
1487
1488 /* Same as inode_has_perm, but pass explicit audit data containing
1489    the dentry to help the auditing code to more easily generate the
1490    pathname if needed. */
1491 static inline int dentry_has_perm(const struct cred *cred,
1492                                   struct vfsmount *mnt,
1493                                   struct dentry *dentry,
1494                                   u32 av)
1495 {
1496         struct inode *inode = dentry->d_inode;
1497         struct avc_audit_data ad;
1498
1499         AVC_AUDIT_DATA_INIT(&ad, FS);
1500         ad.u.fs.path.mnt = mnt;
1501         ad.u.fs.path.dentry = dentry;
1502         return inode_has_perm(cred, inode, av, &ad);
1503 }
1504
1505 /* Check whether a task can use an open file descriptor to
1506    access an inode in a given way.  Check access to the
1507    descriptor itself, and then use dentry_has_perm to
1508    check a particular permission to the file.
1509    Access to the descriptor is implicitly granted if it
1510    has the same SID as the process.  If av is zero, then
1511    access to the file is not checked, e.g. for cases
1512    where only the descriptor is affected like seek. */
1513 static int file_has_perm(const struct cred *cred,
1514                          struct file *file,
1515                          u32 av)
1516 {
1517         struct file_security_struct *fsec = file->f_security;
1518         struct inode *inode = file->f_path.dentry->d_inode;
1519         struct avc_audit_data ad;
1520         u32 sid = cred_sid(cred);
1521         int rc;
1522
1523         AVC_AUDIT_DATA_INIT(&ad, FS);
1524         ad.u.fs.path = file->f_path;
1525
1526         if (sid != fsec->sid) {
1527                 rc = avc_has_perm(sid, fsec->sid,
1528                                   SECCLASS_FD,
1529                                   FD__USE,
1530                                   &ad);
1531                 if (rc)
1532                         goto out;
1533         }
1534
1535         /* av is zero if only checking access to the descriptor. */
1536         rc = 0;
1537         if (av)
1538                 rc = inode_has_perm(cred, inode, av, &ad);
1539
1540 out:
1541         return rc;
1542 }
1543
1544 /* Check whether a task can create a file. */
1545 static int may_create(struct inode *dir,
1546                       struct dentry *dentry,
1547                       u16 tclass)
1548 {
1549         const struct cred *cred = current_cred();
1550         const struct task_security_struct *tsec = cred->security;
1551         struct inode_security_struct *dsec;
1552         struct superblock_security_struct *sbsec;
1553         u32 sid, newsid;
1554         struct avc_audit_data ad;
1555         int rc;
1556
1557         dsec = dir->i_security;
1558         sbsec = dir->i_sb->s_security;
1559
1560         sid = tsec->sid;
1561         newsid = tsec->create_sid;
1562
1563         AVC_AUDIT_DATA_INIT(&ad, FS);
1564         ad.u.fs.path.dentry = dentry;
1565
1566         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1567                           DIR__ADD_NAME | DIR__SEARCH,
1568                           &ad);
1569         if (rc)
1570                 return rc;
1571
1572         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1573                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1574                 if (rc)
1575                         return rc;
1576         }
1577
1578         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1579         if (rc)
1580                 return rc;
1581
1582         return avc_has_perm(newsid, sbsec->sid,
1583                             SECCLASS_FILESYSTEM,
1584                             FILESYSTEM__ASSOCIATE, &ad);
1585 }
1586
1587 /* Check whether a task can create a key. */
1588 static int may_create_key(u32 ksid,
1589                           struct task_struct *ctx)
1590 {
1591         u32 sid = task_sid(ctx);
1592
1593         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1594 }
1595
1596 #define MAY_LINK        0
1597 #define MAY_UNLINK      1
1598 #define MAY_RMDIR       2
1599
1600 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1601 static int may_link(struct inode *dir,
1602                     struct dentry *dentry,
1603                     int kind)
1604
1605 {
1606         struct inode_security_struct *dsec, *isec;
1607         struct avc_audit_data ad;
1608         u32 sid = current_sid();
1609         u32 av;
1610         int rc;
1611
1612         dsec = dir->i_security;
1613         isec = dentry->d_inode->i_security;
1614
1615         AVC_AUDIT_DATA_INIT(&ad, FS);
1616         ad.u.fs.path.dentry = dentry;
1617
1618         av = DIR__SEARCH;
1619         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1620         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1621         if (rc)
1622                 return rc;
1623
1624         switch (kind) {
1625         case MAY_LINK:
1626                 av = FILE__LINK;
1627                 break;
1628         case MAY_UNLINK:
1629                 av = FILE__UNLINK;
1630                 break;
1631         case MAY_RMDIR:
1632                 av = DIR__RMDIR;
1633                 break;
1634         default:
1635                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1636                         __func__, kind);
1637                 return 0;
1638         }
1639
1640         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1641         return rc;
1642 }
1643
1644 static inline int may_rename(struct inode *old_dir,
1645                              struct dentry *old_dentry,
1646                              struct inode *new_dir,
1647                              struct dentry *new_dentry)
1648 {
1649         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1650         struct avc_audit_data ad;
1651         u32 sid = current_sid();
1652         u32 av;
1653         int old_is_dir, new_is_dir;
1654         int rc;
1655
1656         old_dsec = old_dir->i_security;
1657         old_isec = old_dentry->d_inode->i_security;
1658         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1659         new_dsec = new_dir->i_security;
1660
1661         AVC_AUDIT_DATA_INIT(&ad, FS);
1662
1663         ad.u.fs.path.dentry = old_dentry;
1664         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1665                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1666         if (rc)
1667                 return rc;
1668         rc = avc_has_perm(sid, old_isec->sid,
1669                           old_isec->sclass, FILE__RENAME, &ad);
1670         if (rc)
1671                 return rc;
1672         if (old_is_dir && new_dir != old_dir) {
1673                 rc = avc_has_perm(sid, old_isec->sid,
1674                                   old_isec->sclass, DIR__REPARENT, &ad);
1675                 if (rc)
1676                         return rc;
1677         }
1678
1679         ad.u.fs.path.dentry = new_dentry;
1680         av = DIR__ADD_NAME | DIR__SEARCH;
1681         if (new_dentry->d_inode)
1682                 av |= DIR__REMOVE_NAME;
1683         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1684         if (rc)
1685                 return rc;
1686         if (new_dentry->d_inode) {
1687                 new_isec = new_dentry->d_inode->i_security;
1688                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1689                 rc = avc_has_perm(sid, new_isec->sid,
1690                                   new_isec->sclass,
1691                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1692                 if (rc)
1693                         return rc;
1694         }
1695
1696         return 0;
1697 }
1698
1699 /* Check whether a task can perform a filesystem operation. */
1700 static int superblock_has_perm(const struct cred *cred,
1701                                struct super_block *sb,
1702                                u32 perms,
1703                                struct avc_audit_data *ad)
1704 {
1705         struct superblock_security_struct *sbsec;
1706         u32 sid = cred_sid(cred);
1707
1708         sbsec = sb->s_security;
1709         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1710 }
1711
1712 /* Convert a Linux mode and permission mask to an access vector. */
1713 static inline u32 file_mask_to_av(int mode, int mask)
1714 {
1715         u32 av = 0;
1716
1717         if ((mode & S_IFMT) != S_IFDIR) {
1718                 if (mask & MAY_EXEC)
1719                         av |= FILE__EXECUTE;
1720                 if (mask & MAY_READ)
1721                         av |= FILE__READ;
1722
1723                 if (mask & MAY_APPEND)
1724                         av |= FILE__APPEND;
1725                 else if (mask & MAY_WRITE)
1726                         av |= FILE__WRITE;
1727
1728         } else {
1729                 if (mask & MAY_EXEC)
1730                         av |= DIR__SEARCH;
1731                 if (mask & MAY_WRITE)
1732                         av |= DIR__WRITE;
1733                 if (mask & MAY_READ)
1734                         av |= DIR__READ;
1735         }
1736
1737         return av;
1738 }
1739
1740 /* Convert a Linux file to an access vector. */
1741 static inline u32 file_to_av(struct file *file)
1742 {
1743         u32 av = 0;
1744
1745         if (file->f_mode & FMODE_READ)
1746                 av |= FILE__READ;
1747         if (file->f_mode & FMODE_WRITE) {
1748                 if (file->f_flags & O_APPEND)
1749                         av |= FILE__APPEND;
1750                 else
1751                         av |= FILE__WRITE;
1752         }
1753         if (!av) {
1754                 /*
1755                  * Special file opened with flags 3 for ioctl-only use.
1756                  */
1757                 av = FILE__IOCTL;
1758         }
1759
1760         return av;
1761 }
1762
1763 /*
1764  * Convert a file to an access vector and include the correct open
1765  * open permission.
1766  */
1767 static inline u32 open_file_to_av(struct file *file)
1768 {
1769         u32 av = file_to_av(file);
1770
1771         if (selinux_policycap_openperm) {
1772                 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1773                 /*
1774                  * lnk files and socks do not really have an 'open'
1775                  */
1776                 if (S_ISREG(mode))
1777                         av |= FILE__OPEN;
1778                 else if (S_ISCHR(mode))
1779                         av |= CHR_FILE__OPEN;
1780                 else if (S_ISBLK(mode))
1781                         av |= BLK_FILE__OPEN;
1782                 else if (S_ISFIFO(mode))
1783                         av |= FIFO_FILE__OPEN;
1784                 else if (S_ISDIR(mode))
1785                         av |= DIR__OPEN;
1786                 else
1787                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1788                                 "unknown mode:%o\n", __func__, mode);
1789         }
1790         return av;
1791 }
1792
1793 /* Hook functions begin here. */
1794
1795 static int selinux_ptrace_may_access(struct task_struct *child,
1796                                      unsigned int mode)
1797 {
1798         int rc;
1799
1800         rc = secondary_ops->ptrace_may_access(child, mode);
1801         if (rc)
1802                 return rc;
1803
1804         if (mode == PTRACE_MODE_READ) {
1805                 u32 sid = current_sid();
1806                 u32 csid = task_sid(child);
1807                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1808         }
1809
1810         return task_has_perm(current, child, PROCESS__PTRACE);
1811 }
1812
1813 static int selinux_ptrace_traceme(struct task_struct *parent)
1814 {
1815         int rc;
1816
1817         rc = secondary_ops->ptrace_traceme(parent);
1818         if (rc)
1819                 return rc;
1820
1821         return task_has_perm(parent, current, PROCESS__PTRACE);
1822 }
1823
1824 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1825                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1826 {
1827         int error;
1828
1829         error = task_has_perm(current, target, PROCESS__GETCAP);
1830         if (error)
1831                 return error;
1832
1833         return secondary_ops->capget(target, effective, inheritable, permitted);
1834 }
1835
1836 static int selinux_capset(struct cred *new, const struct cred *old,
1837                           const kernel_cap_t *effective,
1838                           const kernel_cap_t *inheritable,
1839                           const kernel_cap_t *permitted)
1840 {
1841         int error;
1842
1843         error = secondary_ops->capset(new, old,
1844                                       effective, inheritable, permitted);
1845         if (error)
1846                 return error;
1847
1848         return cred_has_perm(old, new, PROCESS__SETCAP);
1849 }
1850
1851 static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1852 {
1853         int rc;
1854
1855         rc = secondary_ops->capable(tsk, cap, audit);
1856         if (rc)
1857                 return rc;
1858
1859         return task_has_capability(tsk, cap, audit);
1860 }
1861
1862 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1863 {
1864         int buflen, rc;
1865         char *buffer, *path, *end;
1866
1867         rc = -ENOMEM;
1868         buffer = (char *)__get_free_page(GFP_KERNEL);
1869         if (!buffer)
1870                 goto out;
1871
1872         buflen = PAGE_SIZE;
1873         end = buffer+buflen;
1874         *--end = '\0';
1875         buflen--;
1876         path = end-1;
1877         *path = '/';
1878         while (table) {
1879                 const char *name = table->procname;
1880                 size_t namelen = strlen(name);
1881                 buflen -= namelen + 1;
1882                 if (buflen < 0)
1883                         goto out_free;
1884                 end -= namelen;
1885                 memcpy(end, name, namelen);
1886                 *--end = '/';
1887                 path = end;
1888                 table = table->parent;
1889         }
1890         buflen -= 4;
1891         if (buflen < 0)
1892                 goto out_free;
1893         end -= 4;
1894         memcpy(end, "/sys", 4);
1895         path = end;
1896         rc = security_genfs_sid("proc", path, tclass, sid);
1897 out_free:
1898         free_page((unsigned long)buffer);
1899 out:
1900         return rc;
1901 }
1902
1903 static int selinux_sysctl(ctl_table *table, int op)
1904 {
1905         int error = 0;
1906         u32 av;
1907         u32 tsid, sid;
1908         int rc;
1909
1910         rc = secondary_ops->sysctl(table, op);
1911         if (rc)
1912                 return rc;
1913
1914         sid = current_sid();
1915
1916         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1917                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1918         if (rc) {
1919                 /* Default to the well-defined sysctl SID. */
1920                 tsid = SECINITSID_SYSCTL;
1921         }
1922
1923         /* The op values are "defined" in sysctl.c, thereby creating
1924          * a bad coupling between this module and sysctl.c */
1925         if (op == 001) {
1926                 error = avc_has_perm(sid, tsid,
1927                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1928         } else {
1929                 av = 0;
1930                 if (op & 004)
1931                         av |= FILE__READ;
1932                 if (op & 002)
1933                         av |= FILE__WRITE;
1934                 if (av)
1935                         error = avc_has_perm(sid, tsid,
1936                                              SECCLASS_FILE, av, NULL);
1937         }
1938
1939         return error;
1940 }
1941
1942 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1943 {
1944         const struct cred *cred = current_cred();
1945         int rc = 0;
1946
1947         if (!sb)
1948                 return 0;
1949
1950         switch (cmds) {
1951         case Q_SYNC:
1952         case Q_QUOTAON:
1953         case Q_QUOTAOFF:
1954         case Q_SETINFO:
1955         case Q_SETQUOTA:
1956                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1957                 break;
1958         case Q_GETFMT:
1959         case Q_GETINFO:
1960         case Q_GETQUOTA:
1961                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1962                 break;
1963         default:
1964                 rc = 0;  /* let the kernel handle invalid cmds */
1965                 break;
1966         }
1967         return rc;
1968 }
1969
1970 static int selinux_quota_on(struct dentry *dentry)
1971 {
1972         const struct cred *cred = current_cred();
1973
1974         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1975 }
1976
1977 static int selinux_syslog(int type)
1978 {
1979         int rc;
1980
1981         rc = secondary_ops->syslog(type);
1982         if (rc)
1983                 return rc;
1984
1985         switch (type) {
1986         case 3:         /* Read last kernel messages */
1987         case 10:        /* Return size of the log buffer */
1988                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1989                 break;
1990         case 6:         /* Disable logging to console */
1991         case 7:         /* Enable logging to console */
1992         case 8:         /* Set level of messages printed to console */
1993                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1994                 break;
1995         case 0:         /* Close log */
1996         case 1:         /* Open log */
1997         case 2:         /* Read from log */
1998         case 4:         /* Read/clear last kernel messages */
1999         case 5:         /* Clear ring buffer */
2000         default:
2001                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2002                 break;
2003         }
2004         return rc;
2005 }
2006
2007 /*
2008  * Check that a process has enough memory to allocate a new virtual
2009  * mapping. 0 means there is enough memory for the allocation to
2010  * succeed and -ENOMEM implies there is not.
2011  *
2012  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2013  * if the capability is granted, but __vm_enough_memory requires 1 if
2014  * the capability is granted.
2015  *
2016  * Do not audit the selinux permission check, as this is applied to all
2017  * processes that allocate mappings.
2018  */
2019 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2020 {
2021         int rc, cap_sys_admin = 0;
2022
2023         rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2024         if (rc == 0)
2025                 cap_sys_admin = 1;
2026
2027         return __vm_enough_memory(mm, pages, cap_sys_admin);
2028 }
2029
2030 /* binprm security operations */
2031
2032 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2033 {
2034         struct bprm_security_struct *bsec;
2035
2036         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
2037         if (!bsec)
2038                 return -ENOMEM;
2039
2040         bsec->sid = SECINITSID_UNLABELED;
2041         bsec->set = 0;
2042
2043         bprm->security = bsec;
2044         return 0;
2045 }
2046
2047 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2048 {
2049         struct task_security_struct *tsec;
2050         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2051         struct inode_security_struct *isec;
2052         struct bprm_security_struct *bsec;
2053         u32 newsid;
2054         struct avc_audit_data ad;
2055         int rc;
2056
2057         rc = secondary_ops->bprm_set_security(bprm);
2058         if (rc)
2059                 return rc;
2060
2061         bsec = bprm->security;
2062
2063         if (bsec->set)
2064                 return 0;
2065
2066         tsec = current_security();
2067         isec = inode->i_security;
2068
2069         /* Default to the current task SID. */
2070         bsec->sid = tsec->sid;
2071
2072         /* Reset fs, key, and sock SIDs on execve. */
2073         tsec->create_sid = 0;
2074         tsec->keycreate_sid = 0;
2075         tsec->sockcreate_sid = 0;
2076
2077         if (tsec->exec_sid) {
2078                 newsid = tsec->exec_sid;
2079                 /* Reset exec SID on execve. */
2080                 tsec->exec_sid = 0;
2081         } else {
2082                 /* Check for a default transition on this program. */
2083                 rc = security_transition_sid(tsec->sid, isec->sid,
2084                                              SECCLASS_PROCESS, &newsid);
2085                 if (rc)
2086                         return rc;
2087         }
2088
2089         AVC_AUDIT_DATA_INIT(&ad, FS);
2090         ad.u.fs.path = bprm->file->f_path;
2091
2092         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2093                 newsid = tsec->sid;
2094
2095         if (tsec->sid == newsid) {
2096                 rc = avc_has_perm(tsec->sid, isec->sid,
2097                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2098                 if (rc)
2099                         return rc;
2100         } else {
2101                 /* Check permissions for the transition. */
2102                 rc = avc_has_perm(tsec->sid, newsid,
2103                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2104                 if (rc)
2105                         return rc;
2106
2107                 rc = avc_has_perm(newsid, isec->sid,
2108                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2109                 if (rc)
2110                         return rc;
2111
2112                 /* Clear any possibly unsafe personality bits on exec: */
2113                 current->personality &= ~PER_CLEAR_ON_SETID;
2114
2115                 /* Set the security field to the new SID. */
2116                 bsec->sid = newsid;
2117         }
2118
2119         bsec->set = 1;
2120         return 0;
2121 }
2122
2123 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2124 {
2125         return secondary_ops->bprm_check_security(bprm);
2126 }
2127
2128
2129 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2130 {
2131         const struct cred *cred = current_cred();
2132         const struct task_security_struct *tsec = cred->security;
2133         u32 sid, osid;
2134         int atsecure = 0;
2135
2136         sid = tsec->sid;
2137         osid = tsec->osid;
2138
2139         if (osid != sid) {
2140                 /* Enable secure mode for SIDs transitions unless
2141                    the noatsecure permission is granted between
2142                    the two SIDs, i.e. ahp returns 0. */
2143                 atsecure = avc_has_perm(osid, sid,
2144                                          SECCLASS_PROCESS,
2145                                          PROCESS__NOATSECURE, NULL);
2146         }
2147
2148         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2149 }
2150
2151 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2152 {
2153         kfree(bprm->security);
2154         bprm->security = NULL;
2155 }
2156
2157 extern struct vfsmount *selinuxfs_mount;
2158 extern struct dentry *selinux_null;
2159
2160 /* Derived from fs/exec.c:flush_old_files. */
2161 static inline void flush_unauthorized_files(const struct cred *cred,
2162                                             struct files_struct *files)
2163 {
2164         struct avc_audit_data ad;
2165         struct file *file, *devnull = NULL;
2166         struct tty_struct *tty;
2167         struct fdtable *fdt;
2168         long j = -1;
2169         int drop_tty = 0;
2170
2171         tty = get_current_tty();
2172         if (tty) {
2173                 file_list_lock();
2174                 if (!list_empty(&tty->tty_files)) {
2175                         struct inode *inode;
2176
2177                         /* Revalidate access to controlling tty.
2178                            Use inode_has_perm on the tty inode directly rather
2179                            than using file_has_perm, as this particular open
2180                            file may belong to another process and we are only
2181                            interested in the inode-based check here. */
2182                         file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2183                         inode = file->f_path.dentry->d_inode;
2184                         if (inode_has_perm(cred, inode,
2185                                            FILE__READ | FILE__WRITE, NULL)) {
2186                                 drop_tty = 1;
2187                         }
2188                 }
2189                 file_list_unlock();
2190                 tty_kref_put(tty);
2191         }
2192         /* Reset controlling tty. */
2193         if (drop_tty)
2194                 no_tty();
2195
2196         /* Revalidate access to inherited open files. */
2197
2198         AVC_AUDIT_DATA_INIT(&ad, FS);
2199
2200         spin_lock(&files->file_lock);
2201         for (;;) {
2202                 unsigned long set, i;
2203                 int fd;
2204
2205                 j++;
2206                 i = j * __NFDBITS;
2207                 fdt = files_fdtable(files);
2208                 if (i >= fdt->max_fds)
2209                         break;
2210                 set = fdt->open_fds->fds_bits[j];
2211                 if (!set)
2212                         continue;
2213                 spin_unlock(&files->file_lock);
2214                 for ( ; set ; i++, set >>= 1) {
2215                         if (set & 1) {
2216                                 file = fget(i);
2217                                 if (!file)
2218                                         continue;
2219                                 if (file_has_perm(cred,
2220                                                   file,
2221                                                   file_to_av(file))) {
2222                                         sys_close(i);
2223                                         fd = get_unused_fd();
2224                                         if (fd != i) {
2225                                                 if (fd >= 0)
2226                                                         put_unused_fd(fd);
2227                                                 fput(file);
2228                                                 continue;
2229                                         }
2230                                         if (devnull) {
2231                                                 get_file(devnull);
2232                                         } else {
2233                                                 devnull = dentry_open(
2234                                                         dget(selinux_null),
2235                                                         mntget(selinuxfs_mount),
2236                                                         O_RDWR, cred);
2237                                                 if (IS_ERR(devnull)) {
2238                                                         devnull = NULL;
2239                                                         put_unused_fd(fd);
2240                                                         fput(file);
2241                                                         continue;
2242                                                 }
2243                                         }
2244                                         fd_install(fd, devnull);
2245                                 }
2246                                 fput(file);
2247                         }
2248                 }
2249                 spin_lock(&files->file_lock);
2250
2251         }
2252         spin_unlock(&files->file_lock);
2253 }
2254
2255 static int selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2256 {
2257         struct task_security_struct *tsec;
2258         struct bprm_security_struct *bsec;
2259         struct cred *new;
2260         u32 sid;
2261         int rc;
2262
2263         rc = secondary_ops->bprm_apply_creds(bprm, unsafe);
2264         if (rc < 0)
2265                 return rc;
2266
2267         new = prepare_creds();
2268         if (!new)
2269                 return -ENOMEM;
2270
2271         tsec = new->security;
2272
2273         bsec = bprm->security;
2274         sid = bsec->sid;
2275
2276         tsec->osid = tsec->sid;
2277         bsec->unsafe = 0;
2278         if (tsec->sid != sid) {
2279                 /* Check for shared state.  If not ok, leave SID
2280                    unchanged and kill. */
2281                 if (unsafe & LSM_UNSAFE_SHARE) {
2282                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2283                                         PROCESS__SHARE, NULL);
2284                         if (rc) {
2285                                 bsec->unsafe = 1;
2286                                 goto out;
2287                         }
2288                 }
2289
2290                 /* Check for ptracing, and update the task SID if ok.
2291                    Otherwise, leave SID unchanged and kill. */
2292                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2293                         struct task_struct *tracer;
2294                         struct task_security_struct *sec;
2295                         u32 ptsid = 0;
2296
2297                         rcu_read_lock();
2298                         tracer = tracehook_tracer_task(current);
2299                         if (likely(tracer != NULL)) {
2300                                 sec = __task_cred(tracer)->security;
2301                                 ptsid = sec->sid;
2302                         }
2303                         rcu_read_unlock();
2304
2305                         if (ptsid != 0) {
2306                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2307                                                   PROCESS__PTRACE, NULL);
2308                                 if (rc) {
2309                                         bsec->unsafe = 1;
2310                                         goto out;
2311                                 }
2312                         }
2313                 }
2314                 tsec->sid = sid;
2315         }
2316
2317 out:
2318         commit_creds(new);
2319         return 0;
2320 }
2321
2322 /*
2323  * called after apply_creds without the task lock held
2324  */
2325 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2326 {
2327         const struct cred *cred = current_cred();
2328         struct task_security_struct *tsec;
2329         struct rlimit *rlim, *initrlim;
2330         struct itimerval itimer;
2331         struct bprm_security_struct *bsec;
2332         struct sighand_struct *psig;
2333         int rc, i;
2334         unsigned long flags;
2335
2336         tsec = current_security();
2337         bsec = bprm->security;
2338
2339         if (bsec->unsafe) {
2340                 force_sig_specific(SIGKILL, current);
2341                 return;
2342         }
2343         if (tsec->osid == tsec->sid)
2344                 return;
2345
2346         /* Close files for which the new task SID is not authorized. */
2347         flush_unauthorized_files(cred, current->files);
2348
2349         /* Check whether the new SID can inherit signal state
2350            from the old SID.  If not, clear itimers to avoid
2351            subsequent signal generation and flush and unblock
2352            signals. This must occur _after_ the task SID has
2353           been updated so that any kill done after the flush
2354           will be checked against the new SID. */
2355         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2356                           PROCESS__SIGINH, NULL);
2357         if (rc) {
2358                 memset(&itimer, 0, sizeof itimer);
2359                 for (i = 0; i < 3; i++)
2360                         do_setitimer(i, &itimer, NULL);
2361                 flush_signals(current);
2362                 spin_lock_irq(&current->sighand->siglock);
2363                 flush_signal_handlers(current, 1);
2364                 sigemptyset(&current->blocked);
2365                 recalc_sigpending();
2366                 spin_unlock_irq(&current->sighand->siglock);
2367         }
2368
2369         /* Always clear parent death signal on SID transitions. */
2370         current->pdeath_signal = 0;
2371
2372         /* Check whether the new SID can inherit resource limits
2373            from the old SID.  If not, reset all soft limits to
2374            the lower of the current task's hard limit and the init
2375            task's soft limit.  Note that the setting of hard limits
2376            (even to lower them) can be controlled by the setrlimit
2377            check. The inclusion of the init task's soft limit into
2378            the computation is to avoid resetting soft limits higher
2379            than the default soft limit for cases where the default
2380            is lower than the hard limit, e.g. RLIMIT_CORE or
2381            RLIMIT_STACK.*/
2382         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2383                           PROCESS__RLIMITINH, NULL);
2384         if (rc) {
2385                 for (i = 0; i < RLIM_NLIMITS; i++) {
2386                         rlim = current->signal->rlim + i;
2387                         initrlim = init_task.signal->rlim+i;
2388                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2389                 }
2390                 update_rlimit_cpu(rlim->rlim_cur);
2391         }
2392
2393         /* Wake up the parent if it is waiting so that it can
2394            recheck wait permission to the new task SID. */
2395         read_lock_irq(&tasklist_lock);
2396         psig = current->parent->sighand;
2397         spin_lock_irqsave(&psig->siglock, flags);
2398         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2399         spin_unlock_irqrestore(&psig->siglock, flags);
2400         read_unlock_irq(&tasklist_lock);
2401 }
2402
2403 /* superblock security operations */
2404
2405 static int selinux_sb_alloc_security(struct super_block *sb)
2406 {
2407         return superblock_alloc_security(sb);
2408 }
2409
2410 static void selinux_sb_free_security(struct super_block *sb)
2411 {
2412         superblock_free_security(sb);
2413 }
2414
2415 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2416 {
2417         if (plen > olen)
2418                 return 0;
2419
2420         return !memcmp(prefix, option, plen);
2421 }
2422
2423 static inline int selinux_option(char *option, int len)
2424 {
2425         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2426                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2427                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2428                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2429 }
2430
2431 static inline void take_option(char **to, char *from, int *first, int len)
2432 {
2433         if (!*first) {
2434                 **to = ',';
2435                 *to += 1;
2436         } else
2437                 *first = 0;
2438         memcpy(*to, from, len);
2439         *to += len;
2440 }
2441
2442 static inline void take_selinux_option(char **to, char *from, int *first,
2443                                        int len)
2444 {
2445         int current_size = 0;
2446
2447         if (!*first) {
2448                 **to = '|';
2449                 *to += 1;
2450         } else
2451                 *first = 0;
2452
2453         while (current_size < len) {
2454                 if (*from != '"') {
2455                         **to = *from;
2456                         *to += 1;
2457                 }
2458                 from += 1;
2459                 current_size += 1;
2460         }
2461 }
2462
2463 static int selinux_sb_copy_data(char *orig, char *copy)
2464 {
2465         int fnosec, fsec, rc = 0;
2466         char *in_save, *in_curr, *in_end;
2467         char *sec_curr, *nosec_save, *nosec;
2468         int open_quote = 0;
2469
2470         in_curr = orig;
2471         sec_curr = copy;
2472
2473         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2474         if (!nosec) {
2475                 rc = -ENOMEM;
2476                 goto out;
2477         }
2478
2479         nosec_save = nosec;
2480         fnosec = fsec = 1;
2481         in_save = in_end = orig;
2482
2483         do {
2484                 if (*in_end == '"')
2485                         open_quote = !open_quote;
2486                 if ((*in_end == ',' && open_quote == 0) ||
2487                                 *in_end == '\0') {
2488                         int len = in_end - in_curr;
2489
2490                         if (selinux_option(in_curr, len))
2491                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2492                         else
2493                                 take_option(&nosec, in_curr, &fnosec, len);
2494
2495                         in_curr = in_end + 1;
2496                 }
2497         } while (*in_end++);
2498
2499         strcpy(in_save, nosec_save);
2500         free_page((unsigned long)nosec_save);
2501 out:
2502         return rc;
2503 }
2504
2505 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2506 {
2507         const struct cred *cred = current_cred();
2508         struct avc_audit_data ad;
2509         int rc;
2510
2511         rc = superblock_doinit(sb, data);
2512         if (rc)
2513                 return rc;
2514
2515         AVC_AUDIT_DATA_INIT(&ad, FS);
2516         ad.u.fs.path.dentry = sb->s_root;
2517         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2518 }
2519
2520 static int selinux_sb_statfs(struct dentry *dentry)
2521 {
2522         const struct cred *cred = current_cred();
2523         struct avc_audit_data ad;
2524
2525         AVC_AUDIT_DATA_INIT(&ad, FS);
2526         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2527         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2528 }
2529
2530 static int selinux_mount(char *dev_name,
2531                          struct path *path,
2532                          char *type,
2533                          unsigned long flags,
2534                          void *data)
2535 {
2536         const struct cred *cred = current_cred();
2537         int rc;
2538
2539         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2540         if (rc)
2541                 return rc;
2542
2543         if (flags & MS_REMOUNT)
2544                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2545                                            FILESYSTEM__REMOUNT, NULL);
2546         else
2547                 return dentry_has_perm(cred, path->mnt, path->dentry,
2548                                        FILE__MOUNTON);
2549 }
2550
2551 static int selinux_umount(struct vfsmount *mnt, int flags)
2552 {
2553         const struct cred *cred = current_cred();
2554         int rc;
2555
2556         rc = secondary_ops->sb_umount(mnt, flags);
2557         if (rc)
2558                 return rc;
2559
2560         return superblock_has_perm(cred, mnt->mnt_sb,
2561                                    FILESYSTEM__UNMOUNT, NULL);
2562 }
2563
2564 /* inode security operations */
2565
2566 static int selinux_inode_alloc_security(struct inode *inode)
2567 {
2568         return inode_alloc_security(inode);
2569 }
2570
2571 static void selinux_inode_free_security(struct inode *inode)
2572 {
2573         inode_free_security(inode);
2574 }
2575
2576 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2577                                        char **name, void **value,
2578                                        size_t *len)
2579 {
2580         const struct cred *cred = current_cred();
2581         const struct task_security_struct *tsec = cred->security;
2582         struct inode_security_struct *dsec;
2583         struct superblock_security_struct *sbsec;
2584         u32 sid, newsid, clen;
2585         int rc;
2586         char *namep = NULL, *context;
2587
2588         dsec = dir->i_security;
2589         sbsec = dir->i_sb->s_security;
2590
2591         sid = tsec->sid;
2592         newsid = tsec->create_sid;
2593
2594         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2595                 rc = security_transition_sid(sid, dsec->sid,
2596                                              inode_mode_to_security_class(inode->i_mode),
2597                                              &newsid);
2598                 if (rc) {
2599                         printk(KERN_WARNING "%s:  "
2600                                "security_transition_sid failed, rc=%d (dev=%s "
2601                                "ino=%ld)\n",
2602                                __func__,
2603                                -rc, inode->i_sb->s_id, inode->i_ino);
2604                         return rc;
2605                 }
2606         }
2607
2608         /* Possibly defer initialization to selinux_complete_init. */
2609         if (sbsec->initialized) {
2610                 struct inode_security_struct *isec = inode->i_security;
2611                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2612                 isec->sid = newsid;
2613                 isec->initialized = 1;
2614         }
2615
2616         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2617                 return -EOPNOTSUPP;
2618
2619         if (name) {
2620                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2621                 if (!namep)
2622                         return -ENOMEM;
2623                 *name = namep;
2624         }
2625
2626         if (value && len) {
2627                 rc = security_sid_to_context_force(newsid, &context, &clen);
2628                 if (rc) {
2629                         kfree(namep);
2630                         return rc;
2631                 }
2632                 *value = context;
2633                 *len = clen;
2634         }
2635
2636         return 0;
2637 }
2638
2639 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2640 {
2641         return may_create(dir, dentry, SECCLASS_FILE);
2642 }
2643
2644 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2645 {
2646         int rc;
2647
2648         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2649         if (rc)
2650                 return rc;
2651         return may_link(dir, old_dentry, MAY_LINK);
2652 }
2653
2654 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2655 {
2656         int rc;
2657
2658         rc = secondary_ops->inode_unlink(dir, dentry);
2659         if (rc)
2660                 return rc;
2661         return may_link(dir, dentry, MAY_UNLINK);
2662 }
2663
2664 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2665 {
2666         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2667 }
2668
2669 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2670 {
2671         return may_create(dir, dentry, SECCLASS_DIR);
2672 }
2673
2674 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2675 {
2676         return may_link(dir, dentry, MAY_RMDIR);
2677 }
2678
2679 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2680 {
2681         int rc;
2682
2683         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2684         if (rc)
2685                 return rc;
2686
2687         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2688 }
2689
2690 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2691                                 struct inode *new_inode, struct dentry *new_dentry)
2692 {
2693         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2694 }
2695
2696 static int selinux_inode_readlink(struct dentry *dentry)
2697 {
2698         const struct cred *cred = current_cred();
2699
2700         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2701 }
2702
2703 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2704 {
2705         const struct cred *cred = current_cred();
2706         int rc;
2707
2708         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2709         if (rc)
2710                 return rc;
2711         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2712 }
2713
2714 static int selinux_inode_permission(struct inode *inode, int mask)
2715 {
2716         const struct cred *cred = current_cred();
2717         int rc;
2718
2719         rc = secondary_ops->inode_permission(inode, mask);
2720         if (rc)
2721                 return rc;
2722
2723         if (!mask) {
2724                 /* No permission to check.  Existence test. */
2725                 return 0;
2726         }
2727
2728         return inode_has_perm(cred, inode,
2729                               file_mask_to_av(inode->i_mode, mask), NULL);
2730 }
2731
2732 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2733 {
2734         const struct cred *cred = current_cred();
2735         int rc;
2736
2737         rc = secondary_ops->inode_setattr(dentry, iattr);
2738         if (rc)
2739                 return rc;
2740
2741         if (iattr->ia_valid & ATTR_FORCE)
2742                 return 0;
2743
2744         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2745                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2746                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2747
2748         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2749 }
2750
2751 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2752 {
2753         const struct cred *cred = current_cred();
2754
2755         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2756 }
2757
2758 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2759 {
2760         const struct cred *cred = current_cred();
2761
2762         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2763                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2764                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2765                         if (!capable(CAP_SETFCAP))
2766                                 return -EPERM;
2767                 } else if (!capable(CAP_SYS_ADMIN)) {
2768                         /* A different attribute in the security namespace.
2769                            Restrict to administrator. */
2770                         return -EPERM;
2771                 }
2772         }
2773
2774         /* Not an attribute we recognize, so just check the
2775            ordinary setattr permission. */
2776         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2777 }
2778
2779 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2780                                   const void *value, size_t size, int flags)
2781 {
2782         struct inode *inode = dentry->d_inode;
2783         struct inode_security_struct *isec = inode->i_security;
2784         struct superblock_security_struct *sbsec;
2785         struct avc_audit_data ad;
2786         u32 newsid, sid = current_sid();
2787         int rc = 0;
2788
2789         if (strcmp(name, XATTR_NAME_SELINUX))
2790                 return selinux_inode_setotherxattr(dentry, name);
2791
2792         sbsec = inode->i_sb->s_security;
2793         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2794                 return -EOPNOTSUPP;
2795
2796         if (!is_owner_or_cap(inode))
2797                 return -EPERM;
2798
2799         AVC_AUDIT_DATA_INIT(&ad, FS);
2800         ad.u.fs.path.dentry = dentry;
2801
2802         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2803                           FILE__RELABELFROM, &ad);
2804         if (rc)
2805                 return rc;
2806
2807         rc = security_context_to_sid(value, size, &newsid);
2808         if (rc == -EINVAL) {
2809                 if (!capable(CAP_MAC_ADMIN))
2810                         return rc;
2811                 rc = security_context_to_sid_force(value, size, &newsid);
2812         }
2813         if (rc)
2814                 return rc;
2815
2816         rc = avc_has_perm(sid, newsid, isec->sclass,
2817                           FILE__RELABELTO, &ad);
2818         if (rc)
2819                 return rc;
2820
2821         rc = security_validate_transition(isec->sid, newsid, sid,
2822                                           isec->sclass);
2823         if (rc)
2824                 return rc;
2825
2826         return avc_has_perm(newsid,
2827                             sbsec->sid,
2828                             SECCLASS_FILESYSTEM,
2829                             FILESYSTEM__ASSOCIATE,
2830                             &ad);
2831 }
2832
2833 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2834                                         const void *value, size_t size,
2835                                         int flags)
2836 {
2837         struct inode *inode = dentry->d_inode;
2838         struct inode_security_struct *isec = inode->i_security;
2839         u32 newsid;
2840         int rc;
2841
2842         if (strcmp(name, XATTR_NAME_SELINUX)) {
2843                 /* Not an attribute we recognize, so nothing to do. */
2844                 return;
2845         }
2846
2847         rc = security_context_to_sid_force(value, size, &newsid);
2848         if (rc) {
2849                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2850                        "for (%s, %lu), rc=%d\n",
2851                        inode->i_sb->s_id, inode->i_ino, -rc);
2852                 return;
2853         }
2854
2855         isec->sid = newsid;
2856         return;
2857 }
2858
2859 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2860 {
2861         const struct cred *cred = current_cred();
2862
2863         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2864 }
2865
2866 static int selinux_inode_listxattr(struct dentry *dentry)
2867 {
2868         const struct cred *cred = current_cred();
2869
2870         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2871 }
2872
2873 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2874 {
2875         if (strcmp(name, XATTR_NAME_SELINUX))
2876                 return selinux_inode_setotherxattr(dentry, name);
2877
2878         /* No one is allowed to remove a SELinux security label.
2879            You can change the label, but all data must be labeled. */
2880         return -EACCES;
2881 }
2882
2883 /*
2884  * Copy the inode security context value to the user.
2885  *
2886  * Permission check is handled by selinux_inode_getxattr hook.
2887  */
2888 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2889 {
2890         u32 size;
2891         int error;
2892         char *context = NULL;
2893         struct inode_security_struct *isec = inode->i_security;
2894
2895         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2896                 return -EOPNOTSUPP;
2897
2898         /*
2899          * If the caller has CAP_MAC_ADMIN, then get the raw context
2900          * value even if it is not defined by current policy; otherwise,
2901          * use the in-core value under current policy.
2902          * Use the non-auditing forms of the permission checks since
2903          * getxattr may be called by unprivileged processes commonly
2904          * and lack of permission just means that we fall back to the
2905          * in-core context value, not a denial.
2906          */
2907         error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2908         if (!error)
2909                 error = security_sid_to_context_force(isec->sid, &context,
2910                                                       &size);
2911         else
2912                 error = security_sid_to_context(isec->sid, &context, &size);
2913         if (error)
2914                 return error;
2915         error = size;
2916         if (alloc) {
2917                 *buffer = context;
2918                 goto out_nofree;
2919         }
2920         kfree(context);
2921 out_nofree:
2922         return error;
2923 }
2924
2925 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2926                                      const void *value, size_t size, int flags)
2927 {
2928         struct inode_security_struct *isec = inode->i_security;
2929         u32 newsid;
2930         int rc;
2931
2932         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2933                 return -EOPNOTSUPP;
2934
2935         if (!value || !size)
2936                 return -EACCES;
2937
2938         rc = security_context_to_sid((void *)value, size, &newsid);
2939         if (rc)
2940                 return rc;
2941
2942         isec->sid = newsid;
2943         return 0;
2944 }
2945
2946 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2947 {
2948         const int len = sizeof(XATTR_NAME_SELINUX);
2949         if (buffer && len <= buffer_size)
2950                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2951         return len;
2952 }
2953
2954 static int selinux_inode_need_killpriv(struct dentry *dentry)
2955 {
2956         return secondary_ops->inode_need_killpriv(dentry);
2957 }
2958
2959 static int selinux_inode_killpriv(struct dentry *dentry)
2960 {
2961         return secondary_ops->inode_killpriv(dentry);
2962 }
2963
2964 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2965 {
2966         struct inode_security_struct *isec = inode->i_security;
2967         *secid = isec->sid;
2968 }
2969
2970 /* file security operations */
2971
2972 static int selinux_revalidate_file_permission(struct file *file, int mask)
2973 {
2974         const struct cred *cred = current_cred();
2975         int rc;
2976         struct inode *inode = file->f_path.dentry->d_inode;
2977
2978         if (!mask) {
2979                 /* No permission to check.  Existence test. */
2980                 return 0;
2981         }
2982
2983         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2984         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2985                 mask |= MAY_APPEND;
2986
2987         rc = file_has_perm(cred, file,
2988                            file_mask_to_av(inode->i_mode, mask));
2989         if (rc)
2990                 return rc;
2991
2992         return selinux_netlbl_inode_permission(inode, mask);
2993 }
2994
2995 static int selinux_file_permission(struct file *file, int mask)
2996 {
2997         struct inode *inode = file->f_path.dentry->d_inode;
2998         struct file_security_struct *fsec = file->f_security;
2999         struct inode_security_struct *isec = inode->i_security;
3000         u32 sid = current_sid();
3001
3002         if (!mask) {
3003                 /* No permission to check.  Existence test. */
3004                 return 0;
3005         }
3006
3007         if (sid == fsec->sid && fsec->isid == isec->sid
3008             && fsec->pseqno == avc_policy_seqno())
3009                 return selinux_netlbl_inode_permission(inode, mask);
3010
3011         return selinux_revalidate_file_permission(file, mask);
3012 }
3013
3014 static int selinux_file_alloc_security(struct file *file)
3015 {
3016         return file_alloc_security(file);
3017 }
3018
3019 static void selinux_file_free_security(struct file *file)
3020 {
3021         file_free_security(file);
3022 }
3023
3024 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3025                               unsigned long arg)
3026 {
3027         const struct cred *cred = current_cred();
3028         u32 av = 0;
3029
3030         if (_IOC_DIR(cmd) & _IOC_WRITE)
3031                 av |= FILE__WRITE;
3032         if (_IOC_DIR(cmd) & _IOC_READ)
3033                 av |= FILE__READ;
3034         if (!av)
3035                 av = FILE__IOCTL;
3036
3037         return file_has_perm(cred, file, av);
3038 }
3039
3040 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3041 {
3042         const struct cred *cred = current_cred();
3043         int rc = 0;
3044
3045 #ifndef CONFIG_PPC32
3046         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3047                 /*
3048                  * We are making executable an anonymous mapping or a
3049                  * private file mapping that will also be writable.
3050                  * This has an additional check.
3051                  */
3052                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3053                 if (rc)
3054                         goto error;
3055         }
3056 #endif
3057
3058         if (file) {
3059                 /* read access is always possible with a mapping */
3060                 u32 av = FILE__READ;
3061
3062                 /* write access only matters if the mapping is shared */
3063                 if (shared && (prot & PROT_WRITE))
3064                         av |= FILE__WRITE;
3065
3066                 if (prot & PROT_EXEC)
3067                         av |= FILE__EXECUTE;
3068
3069                 return file_has_perm(cred, file, av);
3070         }
3071
3072 error:
3073         return rc;
3074 }
3075
3076 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3077                              unsigned long prot, unsigned long flags,
3078                              unsigned long addr, unsigned long addr_only)
3079 {
3080         int rc = 0;
3081         u32 sid = current_sid();
3082
3083         if (addr < mmap_min_addr)
3084                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3085                                   MEMPROTECT__MMAP_ZERO, NULL);
3086         if (rc || addr_only)
3087                 return rc;
3088
3089         if (selinux_checkreqprot)
3090                 prot = reqprot;
3091
3092         return file_map_prot_check(file, prot,
3093                                    (flags & MAP_TYPE) == MAP_SHARED);
3094 }
3095
3096 static int selinux_file_mprotect(struct vm_area_struct *vma,
3097                                  unsigned long reqprot,
3098                                  unsigned long prot)
3099 {
3100         const struct cred *cred = current_cred();
3101         int rc;
3102
3103         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3104         if (rc)
3105                 return rc;
3106
3107         if (selinux_checkreqprot)
3108                 prot = reqprot;
3109
3110 #ifndef CONFIG_PPC32
3111         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3112                 rc = 0;
3113                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3114                     vma->vm_end <= vma->vm_mm->brk) {
3115                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3116                 } else if (!vma->vm_file &&
3117                            vma->vm_start <= vma->vm_mm->start_stack &&
3118                            vma->vm_end >= vma->vm_mm->start_stack) {
3119                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3120                 } else if (vma->vm_file && vma->anon_vma) {
3121                         /*
3122                          * We are making executable a file mapping that has
3123                          * had some COW done. Since pages might have been
3124                          * written, check ability to execute the possibly
3125                          * modified content.  This typically should only
3126                          * occur for text relocations.
3127                          */
3128                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3129                 }
3130                 if (rc)
3131                         return rc;
3132         }
3133 #endif
3134
3135         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3136 }
3137
3138 static int selinux_file_lock(struct file *file, unsigned int cmd)
3139 {
3140         const struct cred *cred = current_cred();
3141
3142         return file_has_perm(cred, file, FILE__LOCK);
3143 }
3144
3145 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3146                               unsigned long arg)
3147 {
3148         const struct cred *cred = current_cred();
3149         int err = 0;
3150
3151         switch (cmd) {
3152         case F_SETFL:
3153                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3154                         err = -EINVAL;
3155                         break;
3156                 }
3157
3158                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3159                         err = file_has_perm(cred, file, FILE__WRITE);
3160                         break;
3161                 }
3162                 /* fall through */
3163         case F_SETOWN:
3164         case F_SETSIG:
3165         case F_GETFL:
3166         case F_GETOWN:
3167         case F_GETSIG:
3168                 /* Just check FD__USE permission */
3169                 err = file_has_perm(cred, file, 0);
3170                 break;
3171         case F_GETLK:
3172         case F_SETLK:
3173         case F_SETLKW:
3174 #if BITS_PER_LONG == 32
3175         case F_GETLK64:
3176         case F_SETLK64:
3177         case F_SETLKW64:
3178 #endif
3179                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3180                         err = -EINVAL;
3181                         break;
3182                 }
3183                 err = file_has_perm(cred, file, FILE__LOCK);
3184                 break;
3185         }
3186
3187         return err;
3188 }
3189
3190 static int selinux_file_set_fowner(struct file *file)
3191 {
3192         struct file_security_struct *fsec;
3193
3194         fsec = file->f_security;
3195         fsec->fown_sid = current_sid();
3196
3197         return 0;
3198 }
3199
3200 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3201                                        struct fown_struct *fown, int signum)
3202 {
3203         struct file *file;
3204         u32 sid = current_sid();
3205         u32 perm;
3206         struct file_security_struct *fsec;
3207
3208         /* struct fown_struct is never outside the context of a struct file */
3209         file = container_of(fown, struct file, f_owner);
3210
3211         fsec = file->f_security;
3212
3213         if (!signum)
3214                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3215         else
3216                 perm = signal_to_av(signum);
3217
3218         return avc_has_perm(fsec->fown_sid, sid,
3219                             SECCLASS_PROCESS, perm, NULL);
3220 }
3221
3222 static int selinux_file_receive(struct file *file)
3223 {
3224         const struct cred *cred = current_cred();
3225
3226         return file_has_perm(cred, file, file_to_av(file));
3227 }
3228
3229 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3230 {
3231         struct file_security_struct *fsec;
3232         struct inode *inode;
3233         struct inode_security_struct *isec;
3234
3235         inode = file->f_path.dentry->d_inode;
3236         fsec = file->f_security;
3237         isec = inode->i_security;
3238         /*
3239          * Save inode label and policy sequence number
3240          * at open-time so that selinux_file_permission
3241          * can determine whether revalidation is necessary.
3242          * Task label is already saved in the file security
3243          * struct as its SID.
3244          */
3245         fsec->isid = isec->sid;
3246         fsec->pseqno = avc_policy_seqno();
3247         /*
3248          * Since the inode label or policy seqno may have changed
3249          * between the selinux_inode_permission check and the saving
3250          * of state above, recheck that access is still permitted.
3251          * Otherwise, access might never be revalidated against the
3252          * new inode label or new policy.
3253          * This check is not redundant - do not remove.
3254          */
3255         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3256 }
3257
3258 /* task security operations */
3259
3260 static int selinux_task_create(unsigned long clone_flags)
3261 {
3262         int rc;
3263
3264         rc = secondary_ops->task_create(clone_flags);
3265         if (rc)
3266                 return rc;
3267
3268         return task_has_perm(current, current, PROCESS__FORK);
3269 }
3270
3271 /*
3272  * detach and free the LSM part of a set of credentials
3273  */
3274 static void selinux_cred_free(struct cred *cred)
3275 {
3276         struct task_security_struct *tsec = cred->security;
3277         cred->security = NULL;
3278         kfree(tsec);
3279 }
3280
3281 /*
3282  * prepare a new set of credentials for modification
3283  */
3284 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3285                                 gfp_t gfp)
3286 {
3287         const struct task_security_struct *old_tsec;
3288         struct task_security_struct *tsec;
3289
3290         old_tsec = old->security;
3291
3292         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3293         if (!tsec)
3294                 return -ENOMEM;
3295
3296         new->security = tsec;
3297         return 0;
3298 }
3299
3300 /*
3301  * commit new credentials
3302  */
3303 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3304 {
3305         secondary_ops->cred_commit(new, old);
3306 }
3307
3308 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3309 {
3310         /* Since setuid only affects the current process, and
3311            since the SELinux controls are not based on the Linux
3312            identity attributes, SELinux does not need to control
3313            this operation.  However, SELinux does control the use
3314            of the CAP_SETUID and CAP_SETGID capabilities using the
3315            capable hook. */
3316         return 0;
3317 }
3318
3319 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3320                                    int flags)
3321 {
3322         return secondary_ops->task_fix_setuid(new, old, flags);
3323 }
3324
3325 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3326 {
3327         /* See the comment for setuid above. */
3328         return 0;
3329 }
3330
3331 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3332 {
3333         return task_has_perm(current, p, PROCESS__SETPGID);
3334 }
3335
3336 static int selinux_task_getpgid(struct task_struct *p)
3337 {
3338         return task_has_perm(current, p, PROCESS__GETPGID);
3339 }
3340
3341 static int selinux_task_getsid(struct task_struct *p)
3342 {
3343         return task_has_perm(current, p, PROCESS__GETSESSION);
3344 }
3345
3346 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3347 {
3348         *secid = task_sid(p);
3349 }
3350
3351 static int selinux_task_setgroups(struct group_info *group_info)
3352 {
3353         /* See the comment for setuid above. */
3354         return 0;
3355 }
3356
3357 static int selinux_task_setnice(struct task_struct *p, int nice)
3358 {
3359         int rc;
3360
3361         rc = secondary_ops->task_setnice(p, nice);
3362         if (rc)
3363                 return rc;
3364
3365         return task_has_perm(current, p, PROCESS__SETSCHED);
3366 }
3367
3368 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3369 {
3370         int rc;
3371
3372         rc = secondary_ops->task_setioprio(p, ioprio);
3373         if (rc)
3374                 return rc;
3375
3376         return task_has_perm(current, p, PROCESS__SETSCHED);
3377 }
3378
3379 static int selinux_task_getioprio(struct task_struct *p)
3380 {
3381         return task_has_perm(current, p, PROCESS__GETSCHED);
3382 }
3383
3384 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3385 {
3386         struct rlimit *old_rlim = current->signal->rlim + resource;
3387         int rc;
3388
3389         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3390         if (rc)
3391                 return rc;
3392
3393         /* Control the ability to change the hard limit (whether
3394            lowering or raising it), so that the hard limit can
3395            later be used as a safe reset point for the soft limit
3396            upon context transitions.  See selinux_bprm_committing_creds. */
3397         if (old_rlim->rlim_max != new_rlim->rlim_max)
3398                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3399
3400         return 0;
3401 }
3402
3403 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3404 {
3405         int rc;
3406
3407         rc = secondary_ops->task_setscheduler(p, policy, lp);
3408         if (rc)
3409                 return rc;
3410
3411         return task_has_perm(current, p, PROCESS__SETSCHED);
3412 }
3413
3414 static int selinux_task_getscheduler(struct task_struct *p)
3415 {
3416         return task_has_perm(current, p, PROCESS__GETSCHED);
3417 }
3418
3419 static int selinux_task_movememory(struct task_struct *p)
3420 {
3421         return task_has_perm(current, p, PROCESS__SETSCHED);
3422 }
3423
3424 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3425                                 int sig, u32 secid)
3426 {
3427         u32 perm;
3428         int rc;
3429
3430         rc = secondary_ops->task_kill(p, info, sig, secid);
3431         if (rc)
3432                 return rc;
3433
3434         if (!sig)
3435                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3436         else
3437                 perm = signal_to_av(sig);
3438         if (secid)
3439                 rc = avc_has_perm(secid, task_sid(p),
3440                                   SECCLASS_PROCESS, perm, NULL);
3441         else
3442                 rc = task_has_perm(current, p, perm);
3443         return rc;
3444 }
3445
3446 static int selinux_task_prctl(int option,
3447                               unsigned long arg2,
3448                               unsigned long arg3,
3449                               unsigned long arg4,
3450                               unsigned long arg5)
3451 {
3452         /* The current prctl operations do not appear to require
3453            any SELinux controls since they merely observe or modify
3454            the state of the current process. */
3455         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3456 }
3457
3458 static int selinux_task_wait(struct task_struct *p)
3459 {
3460         return task_has_perm(p, current, PROCESS__SIGCHLD);
3461 }
3462
3463 static void selinux_task_to_inode(struct task_struct *p,
3464                                   struct inode *inode)
3465 {
3466         struct inode_security_struct *isec = inode->i_security;
3467         u32 sid = task_sid(p);
3468
3469         isec->sid = sid;
3470         isec->initialized = 1;
3471 }
3472
3473 /* Returns error only if unable to parse addresses */
3474 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3475                         struct avc_audit_data *ad, u8 *proto)
3476 {
3477         int offset, ihlen, ret = -EINVAL;
3478         struct iphdr _iph, *ih;
3479
3480         offset = skb_network_offset(skb);
3481         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3482         if (ih == NULL)
3483                 goto out;
3484
3485         ihlen = ih->ihl * 4;
3486         if (ihlen < sizeof(_iph))
3487                 goto out;
3488
3489         ad->u.net.v4info.saddr = ih->saddr;
3490         ad->u.net.v4info.daddr = ih->daddr;
3491         ret = 0;
3492
3493         if (proto)
3494                 *proto = ih->protocol;
3495
3496         switch (ih->protocol) {
3497         case IPPROTO_TCP: {
3498                 struct tcphdr _tcph, *th;
3499
3500                 if (ntohs(ih->frag_off) & IP_OFFSET)
3501                         break;
3502
3503                 offset += ihlen;
3504                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3505                 if (th == NULL)
3506                         break;
3507
3508                 ad->u.net.sport = th->source;
3509                 ad->u.net.dport = th->dest;
3510                 break;
3511         }
3512
3513         case IPPROTO_UDP: {
3514                 struct udphdr _udph, *uh;
3515
3516                 if (ntohs(ih->frag_off) & IP_OFFSET)
3517                         break;
3518
3519                 offset += ihlen;
3520                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3521                 if (uh == NULL)
3522                         break;
3523
3524                 ad->u.net.sport = uh->source;
3525                 ad->u.net.dport = uh->dest;
3526                 break;
3527         }
3528
3529         case IPPROTO_DCCP: {
3530                 struct dccp_hdr _dccph, *dh;
3531
3532                 if (ntohs(ih->frag_off) & IP_OFFSET)
3533                         break;
3534
3535                 offset += ihlen;
3536                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3537                 if (dh == NULL)
3538                         break;
3539
3540                 ad->u.net.sport = dh->dccph_sport;
3541                 ad->u.net.dport = dh->dccph_dport;
3542                 break;
3543         }
3544
3545         default:
3546                 break;
3547         }
3548 out:
3549         return ret;
3550 }
3551
3552 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3553
3554 /* Returns error only if unable to parse addresses */
3555 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3556                         struct avc_audit_data *ad, u8 *proto)
3557 {
3558         u8 nexthdr;
3559         int ret = -EINVAL, offset;
3560         struct ipv6hdr _ipv6h, *ip6;
3561
3562         offset = skb_network_offset(skb);
3563         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3564         if (ip6 == NULL)
3565                 goto out;
3566
3567         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3568         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3569         ret = 0;
3570
3571         nexthdr = ip6->nexthdr;
3572         offset += sizeof(_ipv6h);
3573         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3574         if (offset < 0)
3575                 goto out;
3576
3577         if (proto)
3578                 *proto = nexthdr;
3579
3580         switch (nexthdr) {
3581         case IPPROTO_TCP: {
3582                 struct tcphdr _tcph, *th;
3583
3584                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3585                 if (th == NULL)
3586                         break;
3587
3588                 ad->u.net.sport = th->source;
3589                 ad->u.net.dport = th->dest;
3590                 break;
3591         }
3592
3593         case IPPROTO_UDP: {
3594                 struct udphdr _udph, *uh;
3595
3596                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3597                 if (uh == NULL)
3598                         break;
3599
3600                 ad->u.net.sport = uh->source;
3601                 ad->u.net.dport = uh->dest;
3602                 break;
3603         }
3604
3605         case IPPROTO_DCCP: {
3606                 struct dccp_hdr _dccph, *dh;
3607
3608                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3609                 if (dh == NULL)
3610                         break;
3611
3612                 ad->u.net.sport = dh->dccph_sport;
3613                 ad->u.net.dport = dh->dccph_dport;
3614                 break;
3615         }
3616
3617         /* includes fragments */
3618         default:
3619                 break;
3620         }
3621 out:
3622         return ret;
3623 }
3624
3625 #endif /* IPV6 */
3626
3627 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3628                              char **_addrp, int src, u8 *proto)
3629 {
3630         char *addrp;
3631         int ret;
3632
3633         switch (ad->u.net.family) {
3634         case PF_INET:
3635                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3636                 if (ret)
3637                         goto parse_error;
3638                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3639                                        &ad->u.net.v4info.daddr);
3640                 goto okay;
3641
3642 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3643         case PF_INET6:
3644                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3645                 if (ret)
3646                         goto parse_error;
3647                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3648                                        &ad->u.net.v6info.daddr);
3649                 goto okay;
3650 #endif  /* IPV6 */
3651         default:
3652                 addrp = NULL;
3653                 goto okay;
3654         }
3655
3656 parse_error:
3657         printk(KERN_WARNING
3658                "SELinux: failure in selinux_parse_skb(),"
3659                " unable to parse packet\n");
3660         return ret;
3661
3662 okay:
3663         if (_addrp)
3664                 *_addrp = addrp;
3665         return 0;
3666 }
3667
3668 /**
3669  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3670  * @skb: the packet
3671  * @family: protocol family
3672  * @sid: the packet's peer label SID
3673  *
3674  * Description:
3675  * Check the various different forms of network peer labeling and determine
3676  * the peer label/SID for the packet; most of the magic actually occurs in
3677  * the security server function security_net_peersid_cmp().  The function
3678  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3679  * or -EACCES if @sid is invalid due to inconsistencies with the different
3680  * peer labels.
3681  *
3682  */
3683 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3684 {
3685         int err;
3686         u32 xfrm_sid;
3687         u32 nlbl_sid;
3688         u32 nlbl_type;
3689
3690         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3691         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3692
3693         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3694         if (unlikely(err)) {
3695                 printk(KERN_WARNING
3696                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3697                        " unable to determine packet's peer label\n");
3698                 return -EACCES;
3699         }
3700
3701         return 0;
3702 }
3703
3704 /* socket security operations */
3705 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3706                            u32 perms)
3707 {
3708         struct inode_security_struct *isec;
3709         struct avc_audit_data ad;
3710         u32 sid;
3711         int err = 0;
3712
3713         isec = SOCK_INODE(sock)->i_security;
3714
3715         if (isec->sid == SECINITSID_KERNEL)
3716                 goto out;
3717         sid = task_sid(task);
3718
3719         AVC_AUDIT_DATA_INIT(&ad, NET);
3720         ad.u.net.sk = sock->sk;
3721         err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3722
3723 out:
3724         return err;
3725 }
3726
3727 static int selinux_socket_create(int family, int type,
3728                                  int protocol, int kern)
3729 {
3730         const struct cred *cred = current_cred();
3731         const struct task_security_struct *tsec = cred->security;
3732         u32 sid, newsid;
3733         u16 secclass;
3734         int err = 0;
3735
3736         if (kern)
3737                 goto out;
3738
3739         sid = tsec->sid;
3740         newsid = tsec->sockcreate_sid ?: sid;
3741
3742         secclass = socket_type_to_security_class(family, type, protocol);
3743         err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3744
3745 out:
3746         return err;
3747 }
3748
3749 static int selinux_socket_post_create(struct socket *sock, int family,
3750                                       int type, int protocol, int kern)
3751 {
3752         const struct cred *cred = current_cred();
3753         const struct task_security_struct *tsec = cred->security;
3754         struct inode_security_struct *isec;
3755         struct sk_security_struct *sksec;
3756         u32 sid, newsid;
3757         int err = 0;
3758
3759         sid = tsec->sid;
3760         newsid = tsec->sockcreate_sid;
3761
3762         isec = SOCK_INODE(sock)->i_security;
3763
3764         if (kern)
3765                 isec->sid = SECINITSID_KERNEL;
3766         else if (newsid)
3767                 isec->sid = newsid;
3768         else
3769                 isec->sid = sid;
3770
3771         isec->sclass = socket_type_to_security_class(family, type, protocol);
3772         isec->initialized = 1;
3773
3774         if (sock->sk) {
3775                 sksec = sock->sk->sk_security;
3776                 sksec->sid = isec->sid;
3777                 sksec->sclass = isec->sclass;
3778                 err = selinux_netlbl_socket_post_create(sock);
3779         }
3780
3781         return err;
3782 }
3783
3784 /* Range of port numbers used to automatically bind.
3785    Need to determine whether we should perform a name_bind
3786    permission check between the socket and the port number. */
3787
3788 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3789 {
3790         u16 family;
3791         int err;
3792
3793         err = socket_has_perm(current, sock, SOCKET__BIND);
3794         if (err)
3795                 goto out;
3796
3797         /*
3798          * If PF_INET or PF_INET6, check name_bind permission for the port.
3799          * Multiple address binding for SCTP is not supported yet: we just
3800          * check the first address now.
3801          */
3802         family = sock->sk->sk_family;
3803         if (family == PF_INET || family == PF_INET6) {
3804                 char *addrp;
3805                 struct inode_security_struct *isec;
3806                 struct avc_audit_data ad;
3807                 struct sockaddr_in *addr4 = NULL;
3808                 struct sockaddr_in6 *addr6 = NULL;
3809                 unsigned short snum;
3810                 struct sock *sk = sock->sk;
3811                 u32 sid, node_perm;
3812
3813                 isec = SOCK_INODE(sock)->i_security;
3814
3815                 if (family == PF_INET) {
3816                         addr4 = (struct sockaddr_in *)address;
3817                         snum = ntohs(addr4->sin_port);
3818                         addrp = (char *)&addr4->sin_addr.s_addr;
3819                 } else {
3820                         addr6 = (struct sockaddr_in6 *)address;
3821                         snum = ntohs(addr6->sin6_port);
3822                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3823                 }
3824
3825                 if (snum) {
3826                         int low, high;
3827
3828                         inet_get_local_port_range(&low, &high);
3829
3830                         if (snum < max(PROT_SOCK, low) || snum > high) {
3831                                 err = sel_netport_sid(sk->sk_protocol,
3832                                                       snum, &sid);
3833                                 if (err)
3834                                         goto out;
3835                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3836                                 ad.u.net.sport = htons(snum);
3837                                 ad.u.net.family = family;
3838                                 err = avc_has_perm(isec->sid, sid,
3839                                                    isec->sclass,
3840                                                    SOCKET__NAME_BIND, &ad);
3841                                 if (err)
3842                                         goto out;
3843                         }
3844                 }
3845
3846                 switch (isec->sclass) {
3847                 case SECCLASS_TCP_SOCKET:
3848                         node_perm = TCP_SOCKET__NODE_BIND;
3849                         break;
3850
3851                 case SECCLASS_UDP_SOCKET:
3852                         node_perm = UDP_SOCKET__NODE_BIND;
3853                         break;
3854
3855                 case SECCLASS_DCCP_SOCKET:
3856                         node_perm = DCCP_SOCKET__NODE_BIND;
3857                         break;
3858
3859                 default:
3860                         node_perm = RAWIP_SOCKET__NODE_BIND;
3861                         break;
3862                 }
3863
3864                 err = sel_netnode_sid(addrp, family, &sid);
3865                 if (err)
3866                         goto out;
3867
3868                 AVC_AUDIT_DATA_INIT(&ad, NET);
3869                 ad.u.net.sport = htons(snum);
3870                 ad.u.net.family = family;
3871
3872                 if (family == PF_INET)
3873                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3874                 else
3875                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3876
3877                 err = avc_has_perm(isec->sid, sid,
3878                                    isec->sclass, node_perm, &ad);
3879                 if (err)
3880                         goto out;
3881         }
3882 out:
3883         return err;
3884 }
3885
3886 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3887 {
3888         struct sock *sk = sock->sk;
3889         struct inode_security_struct *isec;
3890         int err;
3891
3892         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3893         if (err)
3894                 return err;
3895
3896         /*
3897          * If a TCP or DCCP socket, check name_connect permission for the port.
3898          */
3899         isec = SOCK_INODE(sock)->i_security;
3900         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3901             isec->sclass == SECCLASS_DCCP_SOCKET) {
3902                 struct avc_audit_data ad;
3903                 struct sockaddr_in *addr4 = NULL;
3904                 struct sockaddr_in6 *addr6 = NULL;
3905                 unsigned short snum;
3906                 u32 sid, perm;
3907
3908                 if (sk->sk_family == PF_INET) {
3909                         addr4 = (struct sockaddr_in *)address;
3910                         if (addrlen < sizeof(struct sockaddr_in))
3911                                 return -EINVAL;
3912                         snum = ntohs(addr4->sin_port);
3913                 } else {
3914                         addr6 = (struct sockaddr_in6 *)address;
3915                         if (addrlen < SIN6_LEN_RFC2133)
3916                                 return -EINVAL;
3917                         snum = ntohs(addr6->sin6_port);
3918                 }
3919
3920                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3921                 if (err)
3922                         goto out;
3923
3924                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3925                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3926
3927                 AVC_AUDIT_DATA_INIT(&ad, NET);
3928                 ad.u.net.dport = htons(snum);
3929                 ad.u.net.family = sk->sk_family;
3930                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3931                 if (err)
3932                         goto out;
3933         }
3934
3935         err = selinux_netlbl_socket_connect(sk, address);
3936
3937 out:
3938         return err;
3939 }
3940
3941 static int selinux_socket_listen(struct socket *sock, int backlog)
3942 {
3943         return socket_has_perm(current, sock, SOCKET__LISTEN);
3944 }
3945
3946 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3947 {
3948         int err;
3949         struct inode_security_struct *isec;
3950         struct inode_security_struct *newisec;
3951
3952         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3953         if (err)
3954                 return err;
3955
3956         newisec = SOCK_INODE(newsock)->i_security;
3957
3958         isec = SOCK_INODE(sock)->i_security;
3959         newisec->sclass = isec->sclass;
3960         newisec->sid = isec->sid;
3961         newisec->initialized = 1;
3962
3963         return 0;
3964 }
3965
3966 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3967                                   int size)
3968 {
3969         int rc;
3970
3971         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3972         if (rc)
3973                 return rc;
3974
3975         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3976 }
3977
3978 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3979                                   int size, int flags)
3980 {
3981         return socket_has_perm(current, sock, SOCKET__READ);
3982 }
3983
3984 static int selinux_socket_getsockname(struct socket *sock)
3985 {
3986         return socket_has_perm(current, sock, SOCKET__GETATTR);
3987 }
3988
3989 static int selinux_socket_getpeername(struct socket *sock)
3990 {
3991         return socket_has_perm(current, sock, SOCKET__GETATTR);
3992 }
3993
3994 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3995 {
3996         int err;
3997
3998         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3999         if (err)
4000                 return err;
4001
4002         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4003 }
4004
4005 static int selinux_socket_getsockopt(struct socket *sock, int level,
4006                                      int optname)
4007 {
4008         return socket_has_perm(current, sock, SOCKET__GETOPT);
4009 }
4010
4011 static int selinux_socket_shutdown(struct socket *sock, int how)
4012 {
4013         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4014 }
4015
4016 static int selinux_socket_unix_stream_connect(struct socket *sock,
4017                                               struct socket *other,
4018                                               struct sock *newsk)
4019 {
4020         struct sk_security_struct *ssec;
4021         struct inode_security_struct *isec;
4022         struct inode_security_struct *other_isec;
4023         struct avc_audit_data ad;
4024         int err;
4025
4026         err = secondary_ops->unix_stream_connect(sock, other, newsk);
4027         if (err)
4028                 return err;
4029
4030         isec = SOCK_INODE(sock)->i_security;
4031         other_isec = SOCK_INODE(other)->i_security;
4032
4033         AVC_AUDIT_DATA_INIT(&ad, NET);
4034         ad.u.net.sk = other->sk;
4035
4036         err = avc_has_perm(isec->sid, other_isec->sid,
4037                            isec->sclass,
4038                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4039         if (err)
4040                 return err;
4041
4042         /* connecting socket */
4043         ssec = sock->sk->sk_security;
4044         ssec->peer_sid = other_isec->sid;
4045
4046         /* server child socket */
4047         ssec = newsk->sk_security;
4048         ssec->peer_sid = isec->sid;
4049         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4050
4051         return err;
4052 }
4053
4054 static int selinux_socket_unix_may_send(struct socket *sock,
4055                                         struct socket *other)
4056 {
4057         struct inode_security_struct *isec;
4058         struct inode_security_struct *other_isec;
4059         struct avc_audit_data ad;
4060         int err;
4061
4062         isec = SOCK_INODE(sock)->i_security;
4063         other_isec = SOCK_INODE(other)->i_security;
4064
4065         AVC_AUDIT_DATA_INIT(&ad, NET);
4066         ad.u.net.sk = other->sk;
4067
4068         err = avc_has_perm(isec->sid, other_isec->sid,
4069                            isec->sclass, SOCKET__SENDTO, &ad);
4070         if (err)
4071                 return err;
4072
4073         return 0;
4074 }
4075
4076 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4077                                     u32 peer_sid,
4078                                     struct avc_audit_data *ad)
4079 {
4080         int err;
4081         u32 if_sid;
4082         u32 node_sid;
4083
4084         err = sel_netif_sid(ifindex, &if_sid);
4085         if (err)
4086                 return err;
4087         err = avc_has_perm(peer_sid, if_sid,
4088                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4089         if (err)
4090                 return err;
4091
4092         err = sel_netnode_sid(addrp, family, &node_sid);
4093         if (err)
4094                 return err;
4095         return avc_has_perm(peer_sid, node_sid,
4096                             SECCLASS_NODE, NODE__RECVFROM, ad);
4097 }
4098
4099 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4100                                                 struct sk_buff *skb,
4101                                                 struct avc_audit_data *ad,
4102                                                 u16 family,
4103                                                 char *addrp)
4104 {
4105         int err;
4106         struct sk_security_struct *sksec = sk->sk_security;
4107         u16 sk_class;
4108         u32 netif_perm, node_perm, recv_perm;
4109         u32 port_sid, node_sid, if_sid, sk_sid;
4110
4111         sk_sid = sksec->sid;
4112         sk_class = sksec->sclass;
4113
4114         switch (sk_class) {
4115         case SECCLASS_UDP_SOCKET:
4116                 netif_perm = NETIF__UDP_RECV;
4117                 node_perm = NODE__UDP_RECV;
4118                 recv_perm = UDP_SOCKET__RECV_MSG;
4119                 break;
4120         case SECCLASS_TCP_SOCKET:
4121                 netif_perm = NETIF__TCP_RECV;
4122                 node_perm = NODE__TCP_RECV;
4123                 recv_perm = TCP_SOCKET__RECV_MSG;
4124                 break;
4125         case SECCLASS_DCCP_SOCKET:
4126                 netif_perm = NETIF__DCCP_RECV;
4127                 node_perm = NODE__DCCP_RECV;
4128                 recv_perm = DCCP_SOCKET__RECV_MSG;
4129                 break;
4130         default:
4131                 netif_perm = NETIF__RAWIP_RECV;
4132                 node_perm = NODE__RAWIP_RECV;
4133                 recv_perm = 0;
4134                 break;
4135         }
4136
4137         err = sel_netif_sid(skb->iif, &if_sid);
4138         if (err)
4139                 return err;
4140         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4141         if (err)
4142                 return err;
4143
4144         err = sel_netnode_sid(addrp, family, &node_sid);
4145         if (err)
4146                 return err;
4147         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4148         if (err)
4149                 return err;
4150
4151         if (!recv_perm)
4152                 return 0;
4153         err = sel_netport_sid(sk->sk_protocol,
4154                               ntohs(ad->u.net.sport), &port_sid);
4155         if (unlikely(err)) {
4156                 printk(KERN_WARNING
4157                        "SELinux: failure in"
4158                        " selinux_sock_rcv_skb_iptables_compat(),"
4159                        " network port label not found\n");
4160                 return err;
4161         }
4162         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4163 }
4164
4165 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4166                                        u16 family)
4167 {
4168         int err;
4169         struct sk_security_struct *sksec = sk->sk_security;
4170         u32 peer_sid;
4171         u32 sk_sid = sksec->sid;
4172         struct avc_audit_data ad;
4173         char *addrp;
4174
4175         AVC_AUDIT_DATA_INIT(&ad, NET);
4176         ad.u.net.netif = skb->iif;
4177         ad.u.net.family = family;
4178         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4179         if (err)
4180                 return err;
4181
4182         if (selinux_compat_net)
4183                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4184                                                            family, addrp);
4185         else
4186                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4187                                    PACKET__RECV, &ad);
4188         if (err)
4189                 return err;
4190
4191         if (selinux_policycap_netpeer) {
4192                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4193                 if (err)
4194                         return err;
4195                 err = avc_has_perm(sk_sid, peer_sid,
4196                                    SECCLASS_PEER, PEER__RECV, &ad);
4197                 if (err)
4198                         selinux_netlbl_err(skb, err, 0);
4199         } else {
4200                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4201                 if (err)
4202                         return err;
4203                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4204         }
4205
4206         return err;
4207 }
4208
4209 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4210 {
4211         int err;
4212         struct sk_security_struct *sksec = sk->sk_security;
4213         u16 family = sk->sk_family;
4214         u32 sk_sid = sksec->sid;
4215         struct avc_audit_data ad;
4216         char *addrp;
4217         u8 secmark_active;
4218         u8 peerlbl_active;
4219
4220         if (family != PF_INET && family != PF_INET6)
4221                 return 0;
4222
4223         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4224         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4225                 family = PF_INET;
4226
4227         /* If any sort of compatibility mode is enabled then handoff processing
4228          * to the selinux_sock_rcv_skb_compat() function to deal with the
4229          * special handling.  We do this in an attempt to keep this function
4230          * as fast and as clean as possible. */
4231         if (selinux_compat_net || !selinux_policycap_netpeer)
4232                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4233
4234         secmark_active = selinux_secmark_enabled();
4235         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4236         if (!secmark_active && !peerlbl_active)
4237                 return 0;
4238
4239         AVC_AUDIT_DATA_INIT(&ad, NET);
4240         ad.u.net.netif = skb->iif;
4241         ad.u.net.family = family;
4242         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4243         if (err)
4244                 return err;
4245
4246         if (peerlbl_active) {
4247                 u32 peer_sid;
4248
4249                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4250                 if (err)
4251                         return err;
4252                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4253                                                peer_sid, &ad);
4254                 if (err) {
4255                         selinux_netlbl_err(skb, err, 0);
4256                         return err;
4257                 }
4258                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4259                                    PEER__RECV, &ad);
4260                 if (err)
4261                         selinux_netlbl_err(skb, err, 0);
4262         }
4263
4264         if (secmark_active) {
4265                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4266                                    PACKET__RECV, &ad);
4267                 if (err)
4268                         return err;
4269         }
4270
4271         return err;
4272 }
4273
4274 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4275                                             int __user *optlen, unsigned len)
4276 {
4277         int err = 0;
4278         char *scontext;
4279         u32 scontext_len;
4280         struct sk_security_struct *ssec;
4281         struct inode_security_struct *isec;
4282         u32 peer_sid = SECSID_NULL;
4283
4284         isec = SOCK_INODE(sock)->i_security;
4285
4286         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4287             isec->sclass == SECCLASS_TCP_SOCKET) {
4288                 ssec = sock->sk->sk_security;
4289                 peer_sid = ssec->peer_sid;
4290         }
4291         if (peer_sid == SECSID_NULL) {
4292                 err = -ENOPROTOOPT;
4293                 goto out;
4294         }
4295
4296         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4297
4298         if (err)
4299                 goto out;
4300
4301         if (scontext_len > len) {
4302                 err = -ERANGE;
4303                 goto out_len;
4304         }
4305
4306         if (copy_to_user(optval, scontext, scontext_len))
4307                 err = -EFAULT;
4308
4309 out_len:
4310         if (put_user(scontext_len, optlen))
4311                 err = -EFAULT;
4312
4313         kfree(scontext);
4314 out:
4315         return err;
4316 }
4317
4318 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4319 {
4320         u32 peer_secid = SECSID_NULL;
4321         u16 family;
4322
4323         if (skb && skb->protocol == htons(ETH_P_IP))
4324                 family = PF_INET;
4325         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4326                 family = PF_INET6;
4327         else if (sock)
4328                 family = sock->sk->sk_family;
4329         else
4330                 goto out;
4331
4332         if (sock && family == PF_UNIX)
4333                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4334         else if (skb)
4335                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4336
4337 out:
4338         *secid = peer_secid;
4339         if (peer_secid == SECSID_NULL)
4340                 return -EINVAL;
4341         return 0;
4342 }
4343
4344 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4345 {
4346         return sk_alloc_security(sk, family, priority);
4347 }
4348
4349 static void selinux_sk_free_security(struct sock *sk)
4350 {
4351         sk_free_security(sk);
4352 }
4353
4354 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4355 {
4356         struct sk_security_struct *ssec = sk->sk_security;
4357         struct sk_security_struct *newssec = newsk->sk_security;
4358
4359         newssec->sid = ssec->sid;
4360         newssec->peer_sid = ssec->peer_sid;
4361         newssec->sclass = ssec->sclass;
4362
4363         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4364 }
4365
4366 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4367 {
4368         if (!sk)
4369                 *secid = SECINITSID_ANY_SOCKET;
4370         else {
4371                 struct sk_security_struct *sksec = sk->sk_security;
4372
4373                 *secid = sksec->sid;
4374         }
4375 }
4376
4377 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4378 {
4379         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4380         struct sk_security_struct *sksec = sk->sk_security;
4381
4382         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4383             sk->sk_family == PF_UNIX)
4384                 isec->sid = sksec->sid;
4385         sksec->sclass = isec->sclass;
4386 }
4387
4388 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4389                                      struct request_sock *req)
4390 {
4391         struct sk_security_struct *sksec = sk->sk_security;
4392         int err;
4393         u16 family = sk->sk_family;
4394         u32 newsid;
4395         u32 peersid;
4396
4397         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4398         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4399                 family = PF_INET;
4400
4401         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4402         if (err)
4403                 return err;
4404         if (peersid == SECSID_NULL) {
4405                 req->secid = sksec->sid;
4406                 req->peer_secid = SECSID_NULL;
4407                 return 0;
4408         }
4409
4410         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4411         if (err)
4412                 return err;
4413
4414         req->secid = newsid;
4415         req->peer_secid = peersid;
4416         return 0;
4417 }
4418
4419 static void selinux_inet_csk_clone(struct sock *newsk,
4420                                    const struct request_sock *req)
4421 {
4422         struct sk_security_struct *newsksec = newsk->sk_security;
4423
4424         newsksec->sid = req->secid;
4425         newsksec->peer_sid = req->peer_secid;
4426         /* NOTE: Ideally, we should also get the isec->sid for the
4427            new socket in sync, but we don't have the isec available yet.
4428            So we will wait until sock_graft to do it, by which
4429            time it will have been created and available. */
4430
4431         /* We don't need to take any sort of lock here as we are the only
4432          * thread with access to newsksec */
4433         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4434 }
4435
4436 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4437 {
4438         u16 family = sk->sk_family;
4439         struct sk_security_struct *sksec = sk->sk_security;
4440
4441         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4442         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4443                 family = PF_INET;
4444
4445         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4446
4447         selinux_netlbl_inet_conn_established(sk, family);
4448 }
4449
4450 static void selinux_req_classify_flow(const struct request_sock *req,
4451                                       struct flowi *fl)
4452 {
4453         fl->secid = req->secid;
4454 }
4455
4456 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4457 {
4458         int err = 0;
4459         u32 perm;
4460         struct nlmsghdr *nlh;
4461         struct socket *sock = sk->sk_socket;
4462         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4463
4464         if (skb->len < NLMSG_SPACE(0)) {
4465                 err = -EINVAL;
4466                 goto out;
4467         }
4468         nlh = nlmsg_hdr(skb);
4469
4470         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4471         if (err) {
4472                 if (err == -EINVAL) {
4473                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4474                                   "SELinux:  unrecognized netlink message"
4475                                   " type=%hu for sclass=%hu\n",
4476                                   nlh->nlmsg_type, isec->sclass);
4477                         if (!selinux_enforcing || security_get_allow_unknown())
4478                                 err = 0;
4479                 }
4480
4481                 /* Ignore */
4482                 if (err == -ENOENT)
4483                         err = 0;
4484                 goto out;
4485         }
4486
4487         err = socket_has_perm(current, sock, perm);
4488 out:
4489         return err;
4490 }
4491
4492 #ifdef CONFIG_NETFILTER
4493
4494 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4495                                        u16 family)
4496 {
4497         int err;
4498         char *addrp;
4499         u32 peer_sid;
4500         struct avc_audit_data ad;
4501         u8 secmark_active;
4502         u8 netlbl_active;
4503         u8 peerlbl_active;
4504
4505         if (!selinux_policycap_netpeer)
4506                 return NF_ACCEPT;
4507
4508         secmark_active = selinux_secmark_enabled();
4509         netlbl_active = netlbl_enabled();
4510         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4511         if (!secmark_active && !peerlbl_active)
4512                 return NF_ACCEPT;
4513
4514         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4515                 return NF_DROP;
4516
4517         AVC_AUDIT_DATA_INIT(&ad, NET);
4518         ad.u.net.netif = ifindex;
4519         ad.u.net.family = family;
4520         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4521                 return NF_DROP;
4522
4523         if (peerlbl_active) {
4524                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4525                                                peer_sid, &ad);
4526                 if (err) {
4527                         selinux_netlbl_err(skb, err, 1);
4528                         return NF_DROP;
4529                 }
4530         }
4531
4532         if (secmark_active)
4533                 if (avc_has_perm(peer_sid, skb->secmark,
4534                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4535                         return NF_DROP;
4536
4537         if (netlbl_active)
4538                 /* we do this in the FORWARD path and not the POST_ROUTING
4539                  * path because we want to make sure we apply the necessary
4540                  * labeling before IPsec is applied so we can leverage AH
4541                  * protection */
4542                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4543                         return NF_DROP;
4544
4545         return NF_ACCEPT;
4546 }
4547
4548 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4549                                          struct sk_buff *skb,
4550                                          const struct net_device *in,
4551                                          const struct net_device *out,
4552                                          int (*okfn)(struct sk_buff *))
4553 {
4554         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4555 }
4556
4557 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4558 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4559                                          struct sk_buff *skb,
4560                                          const struct net_device *in,
4561                                          const struct net_device *out,
4562                                          int (*okfn)(struct sk_buff *))
4563 {
4564         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4565 }
4566 #endif  /* IPV6 */
4567
4568 static unsigned int selinux_ip_output(struct sk_buff *skb,
4569                                       u16 family)
4570 {
4571         u32 sid;
4572
4573         if (!netlbl_enabled())
4574                 return NF_ACCEPT;
4575
4576         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4577          * because we want to make sure we apply the necessary labeling
4578          * before IPsec is applied so we can leverage AH protection */
4579         if (skb->sk) {
4580                 struct sk_security_struct *sksec = skb->sk->sk_security;
4581                 sid = sksec->sid;
4582         } else
4583                 sid = SECINITSID_KERNEL;
4584         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4585                 return NF_DROP;
4586
4587         return NF_ACCEPT;
4588 }
4589
4590 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4591                                         struct sk_buff *skb,
4592                                         const struct net_device *in,
4593                                         const struct net_device *out,
4594                                         int (*okfn)(struct sk_buff *))
4595 {
4596         return selinux_ip_output(skb, PF_INET);
4597 }
4598
4599 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4600                                                 int ifindex,
4601                                                 struct avc_audit_data *ad,
4602                                                 u16 family, char *addrp)
4603 {
4604         int err;
4605         struct sk_security_struct *sksec = sk->sk_security;
4606         u16 sk_class;
4607         u32 netif_perm, node_perm, send_perm;
4608         u32 port_sid, node_sid, if_sid, sk_sid;
4609
4610         sk_sid = sksec->sid;
4611         sk_class = sksec->sclass;
4612
4613         switch (sk_class) {
4614         case SECCLASS_UDP_SOCKET:
4615                 netif_perm = NETIF__UDP_SEND;
4616                 node_perm = NODE__UDP_SEND;
4617                 send_perm = UDP_SOCKET__SEND_MSG;
4618                 break;
4619         case SECCLASS_TCP_SOCKET:
4620                 netif_perm = NETIF__TCP_SEND;
4621                 node_perm = NODE__TCP_SEND;
4622                 send_perm = TCP_SOCKET__SEND_MSG;
4623                 break;
4624         case SECCLASS_DCCP_SOCKET:
4625                 netif_perm = NETIF__DCCP_SEND;
4626                 node_perm = NODE__DCCP_SEND;
4627                 send_perm = DCCP_SOCKET__SEND_MSG;
4628                 break;
4629         default:
4630                 netif_perm = NETIF__RAWIP_SEND;
4631                 node_perm = NODE__RAWIP_SEND;
4632                 send_perm = 0;
4633                 break;
4634         }
4635
4636         err = sel_netif_sid(ifindex, &if_sid);
4637         if (err)
4638                 return err;
4639         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4640                 return err;
4641
4642         err = sel_netnode_sid(addrp, family, &node_sid);
4643         if (err)
4644                 return err;
4645         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4646         if (err)
4647                 return err;
4648
4649         if (send_perm != 0)
4650                 return 0;
4651
4652         err = sel_netport_sid(sk->sk_protocol,
4653                               ntohs(ad->u.net.dport), &port_sid);
4654         if (unlikely(err)) {
4655                 printk(KERN_WARNING
4656                        "SELinux: failure in"
4657                        " selinux_ip_postroute_iptables_compat(),"
4658                        " network port label not found\n");
4659                 return err;
4660         }
4661         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4662 }
4663
4664 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4665                                                 int ifindex,
4666                                                 u16 family)
4667 {
4668         struct sock *sk = skb->sk;
4669         struct sk_security_struct *sksec;
4670         struct avc_audit_data ad;
4671         char *addrp;
4672         u8 proto;
4673
4674         if (sk == NULL)
4675                 return NF_ACCEPT;
4676         sksec = sk->sk_security;
4677
4678         AVC_AUDIT_DATA_INIT(&ad, NET);
4679         ad.u.net.netif = ifindex;
4680         ad.u.net.family = family;
4681         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4682                 return NF_DROP;
4683
4684         if (selinux_compat_net) {
4685                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4686                                                          &ad, family, addrp))
4687                         return NF_DROP;
4688         } else {
4689                 if (avc_has_perm(sksec->sid, skb->secmark,
4690                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4691                         return NF_DROP;
4692         }
4693
4694         if (selinux_policycap_netpeer)
4695                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4696                         return NF_DROP;
4697
4698         return NF_ACCEPT;
4699 }
4700
4701 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4702                                          u16 family)
4703 {
4704         u32 secmark_perm;
4705         u32 peer_sid;
4706         struct sock *sk;
4707         struct avc_audit_data ad;
4708         char *addrp;
4709         u8 secmark_active;
4710         u8 peerlbl_active;
4711
4712         /* If any sort of compatibility mode is enabled then handoff processing
4713          * to the selinux_ip_postroute_compat() function to deal with the
4714          * special handling.  We do this in an attempt to keep this function
4715          * as fast and as clean as possible. */
4716         if (selinux_compat_net || !selinux_policycap_netpeer)
4717                 return selinux_ip_postroute_compat(skb, ifindex, family);
4718
4719         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4720          * packet transformation so allow the packet to pass without any checks
4721          * since we'll have another chance to perform access control checks
4722          * when the packet is on it's final way out.
4723          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4724          *       is NULL, in this case go ahead and apply access control. */
4725         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4726                 return NF_ACCEPT;
4727
4728         secmark_active = selinux_secmark_enabled();
4729         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4730         if (!secmark_active && !peerlbl_active)
4731                 return NF_ACCEPT;
4732
4733         /* if the packet is being forwarded then get the peer label from the
4734          * packet itself; otherwise check to see if it is from a local
4735          * application or the kernel, if from an application get the peer label
4736          * from the sending socket, otherwise use the kernel's sid */
4737         sk = skb->sk;
4738         if (sk == NULL) {
4739                 switch (family) {
4740                 case PF_INET:
4741                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4742                                 secmark_perm = PACKET__FORWARD_OUT;
4743                         else
4744                                 secmark_perm = PACKET__SEND;
4745                         break;
4746                 case PF_INET6:
4747                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4748                                 secmark_perm = PACKET__FORWARD_OUT;
4749                         else
4750                                 secmark_perm = PACKET__SEND;
4751                         break;
4752                 default:
4753                         return NF_DROP;
4754                 }
4755                 if (secmark_perm == PACKET__FORWARD_OUT) {
4756                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4757                                 return NF_DROP;
4758                 } else
4759                         peer_sid = SECINITSID_KERNEL;
4760         } else {
4761                 struct sk_security_struct *sksec = sk->sk_security;
4762                 peer_sid = sksec->sid;
4763                 secmark_perm = PACKET__SEND;
4764         }
4765
4766         AVC_AUDIT_DATA_INIT(&ad, NET);
4767         ad.u.net.netif = ifindex;
4768         ad.u.net.family = family;
4769         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4770                 return NF_DROP;
4771
4772         if (secmark_active)
4773                 if (avc_has_perm(peer_sid, skb->secmark,
4774                                  SECCLASS_PACKET, secmark_perm, &ad))
4775                         return NF_DROP;
4776
4777         if (peerlbl_active) {
4778                 u32 if_sid;
4779                 u32 node_sid;
4780
4781                 if (sel_netif_sid(ifindex, &if_sid))
4782                         return NF_DROP;
4783                 if (avc_has_perm(peer_sid, if_sid,
4784                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4785                         return NF_DROP;
4786
4787                 if (sel_netnode_sid(addrp, family, &node_sid))
4788                         return NF_DROP;
4789                 if (avc_has_perm(peer_sid, node_sid,
4790                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4791                         return NF_DROP;
4792         }
4793
4794         return NF_ACCEPT;
4795 }
4796
4797 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4798                                            struct sk_buff *skb,
4799                                            const struct net_device *in,
4800                                            const struct net_device *out,
4801                                            int (*okfn)(struct sk_buff *))
4802 {
4803         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4804 }
4805
4806 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4807 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4808                                            struct sk_buff *skb,
4809                                            const struct net_device *in,
4810                                            const struct net_device *out,
4811                                            int (*okfn)(struct sk_buff *))
4812 {
4813         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4814 }
4815 #endif  /* IPV6 */
4816
4817 #endif  /* CONFIG_NETFILTER */
4818
4819 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4820 {
4821         int err;
4822
4823         err = secondary_ops->netlink_send(sk, skb);
4824         if (err)
4825                 return err;
4826
4827         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4828                 err = selinux_nlmsg_perm(sk, skb);
4829
4830         return err;
4831 }
4832
4833 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4834 {
4835         int err;
4836         struct avc_audit_data ad;
4837
4838         err = secondary_ops->netlink_recv(skb, capability);
4839         if (err)
4840                 return err;
4841
4842         AVC_AUDIT_DATA_INIT(&ad, CAP);
4843         ad.u.cap = capability;
4844
4845         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4846                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4847 }
4848
4849 static int ipc_alloc_security(struct task_struct *task,
4850                               struct kern_ipc_perm *perm,
4851                               u16 sclass)
4852 {
4853         struct ipc_security_struct *isec;
4854         u32 sid;
4855
4856         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4857         if (!isec)
4858                 return -ENOMEM;
4859
4860         sid = task_sid(task);
4861         isec->sclass = sclass;
4862         isec->sid = sid;
4863         perm->security = isec;
4864
4865         return 0;
4866 }
4867
4868 static void ipc_free_security(struct kern_ipc_perm *perm)
4869 {
4870         struct ipc_security_struct *isec = perm->security;
4871         perm->security = NULL;
4872         kfree(isec);
4873 }
4874
4875 static int msg_msg_alloc_security(struct msg_msg *msg)
4876 {
4877         struct msg_security_struct *msec;
4878
4879         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4880         if (!msec)
4881                 return -ENOMEM;
4882
4883         msec->sid = SECINITSID_UNLABELED;
4884         msg->security = msec;
4885
4886         return 0;
4887 }
4888
4889 static void msg_msg_free_security(struct msg_msg *msg)
4890 {
4891         struct msg_security_struct *msec = msg->security;
4892
4893         msg->security = NULL;
4894         kfree(msec);
4895 }
4896
4897 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4898                         u32 perms)
4899 {
4900         struct ipc_security_struct *isec;
4901         struct avc_audit_data ad;
4902         u32 sid = current_sid();
4903
4904         isec = ipc_perms->security;
4905
4906         AVC_AUDIT_DATA_INIT(&ad, IPC);
4907         ad.u.ipc_id = ipc_perms->key;
4908
4909         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4910 }
4911
4912 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4913 {
4914         return msg_msg_alloc_security(msg);
4915 }
4916
4917 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4918 {
4919         msg_msg_free_security(msg);
4920 }
4921
4922 /* message queue security operations */
4923 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4924 {
4925         struct ipc_security_struct *isec;
4926         struct avc_audit_data ad;
4927         u32 sid = current_sid();
4928         int rc;
4929
4930         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4931         if (rc)
4932                 return rc;
4933
4934         isec = msq->q_perm.security;
4935
4936         AVC_AUDIT_DATA_INIT(&ad, IPC);
4937         ad.u.ipc_id = msq->q_perm.key;
4938
4939         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4940                           MSGQ__CREATE, &ad);
4941         if (rc) {
4942                 ipc_free_security(&msq->q_perm);
4943                 return rc;
4944         }
4945         return 0;
4946 }
4947
4948 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4949 {
4950         ipc_free_security(&msq->q_perm);
4951 }
4952
4953 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4954 {
4955         struct ipc_security_struct *isec;
4956         struct avc_audit_data ad;
4957         u32 sid = current_sid();
4958
4959         isec = msq->q_perm.security;
4960
4961         AVC_AUDIT_DATA_INIT(&ad, IPC);
4962         ad.u.ipc_id = msq->q_perm.key;
4963
4964         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4965                             MSGQ__ASSOCIATE, &ad);
4966 }
4967
4968 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4969 {
4970         int err;
4971         int perms;
4972
4973         switch (cmd) {
4974         case IPC_INFO:
4975         case MSG_INFO:
4976                 /* No specific object, just general system-wide information. */
4977                 return task_has_system(current, SYSTEM__IPC_INFO);
4978         case IPC_STAT:
4979         case MSG_STAT:
4980                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4981                 break;
4982         case IPC_SET:
4983                 perms = MSGQ__SETATTR;
4984                 break;
4985         case IPC_RMID:
4986                 perms = MSGQ__DESTROY;
4987                 break;
4988         default:
4989                 return 0;
4990         }
4991
4992         err = ipc_has_perm(&msq->q_perm, perms);
4993         return err;
4994 }
4995
4996 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4997 {
4998         struct ipc_security_struct *isec;
4999         struct msg_security_struct *msec;
5000         struct avc_audit_data ad;
5001         u32 sid = current_sid();
5002         int rc;
5003
5004         isec = msq->q_perm.security;
5005         msec = msg->security;
5006
5007         /*
5008          * First time through, need to assign label to the message
5009          */
5010         if (msec->sid == SECINITSID_UNLABELED) {
5011                 /*
5012                  * Compute new sid based on current process and
5013                  * message queue this message will be stored in
5014                  */
5015                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5016                                              &msec->sid);
5017                 if (rc)
5018                         return rc;
5019         }
5020
5021         AVC_AUDIT_DATA_INIT(&ad, IPC);
5022         ad.u.ipc_id = msq->q_perm.key;
5023
5024         /* Can this process write to the queue? */
5025         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5026                           MSGQ__WRITE, &ad);
5027         if (!rc)
5028                 /* Can this process send the message */
5029                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5030                                   MSG__SEND, &ad);
5031         if (!rc)
5032                 /* Can the message be put in the queue? */
5033                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5034                                   MSGQ__ENQUEUE, &ad);
5035
5036         return rc;
5037 }
5038
5039 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5040                                     struct task_struct *target,
5041                                     long type, int mode)
5042 {
5043         struct ipc_security_struct *isec;
5044         struct msg_security_struct *msec;
5045         struct avc_audit_data ad;
5046         u32 sid = task_sid(target);
5047         int rc;
5048
5049         isec = msq->q_perm.security;
5050         msec = msg->security;
5051
5052         AVC_AUDIT_DATA_INIT(&ad, IPC);
5053         ad.u.ipc_id = msq->q_perm.key;
5054
5055         rc = avc_has_perm(sid, isec->sid,
5056                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5057         if (!rc)
5058                 rc = avc_has_perm(sid, msec->sid,
5059                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5060         return rc;
5061 }
5062
5063 /* Shared Memory security operations */
5064 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5065 {
5066         struct ipc_security_struct *isec;
5067         struct avc_audit_data ad;
5068         u32 sid = current_sid();
5069         int rc;
5070
5071         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5072         if (rc)
5073                 return rc;
5074
5075         isec = shp->shm_perm.security;
5076
5077         AVC_AUDIT_DATA_INIT(&ad, IPC);
5078         ad.u.ipc_id = shp->shm_perm.key;
5079
5080         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5081                           SHM__CREATE, &ad);
5082         if (rc) {
5083                 ipc_free_security(&shp->shm_perm);
5084                 return rc;
5085         }
5086         return 0;
5087 }
5088
5089 static void selinux_shm_free_security(struct shmid_kernel *shp)
5090 {
5091         ipc_free_security(&shp->shm_perm);
5092 }
5093
5094 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5095 {
5096         struct ipc_security_struct *isec;
5097         struct avc_audit_data ad;
5098         u32 sid = current_sid();
5099
5100         isec = shp->shm_perm.security;
5101
5102         AVC_AUDIT_DATA_INIT(&ad, IPC);
5103         ad.u.ipc_id = shp->shm_perm.key;
5104
5105         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5106                             SHM__ASSOCIATE, &ad);
5107 }
5108
5109 /* Note, at this point, shp is locked down */
5110 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5111 {
5112         int perms;
5113         int err;
5114
5115         switch (cmd) {
5116         case IPC_INFO:
5117         case SHM_INFO:
5118                 /* No specific object, just general system-wide information. */
5119                 return task_has_system(current, SYSTEM__IPC_INFO);
5120         case IPC_STAT:
5121         case SHM_STAT:
5122                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5123                 break;
5124         case IPC_SET:
5125                 perms = SHM__SETATTR;
5126                 break;
5127         case SHM_LOCK:
5128         case SHM_UNLOCK:
5129                 perms = SHM__LOCK;
5130                 break;
5131         case IPC_RMID:
5132                 perms = SHM__DESTROY;
5133                 break;
5134         default:
5135                 return 0;
5136         }
5137
5138         err = ipc_has_perm(&shp->shm_perm, perms);
5139         return err;
5140 }
5141
5142 static int selinux_shm_shmat(struct shmid_kernel *shp,
5143                              char __user *shmaddr, int shmflg)
5144 {
5145         u32 perms;
5146         int rc;
5147
5148         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5149         if (rc)
5150                 return rc;
5151
5152         if (shmflg & SHM_RDONLY)
5153                 perms = SHM__READ;
5154         else
5155                 perms = SHM__READ | SHM__WRITE;
5156
5157         return ipc_has_perm(&shp->shm_perm, perms);
5158 }
5159
5160 /* Semaphore security operations */
5161 static int selinux_sem_alloc_security(struct sem_array *sma)
5162 {
5163         struct ipc_security_struct *isec;
5164         struct avc_audit_data ad;
5165         u32 sid = current_sid();
5166         int rc;
5167
5168         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5169         if (rc)
5170                 return rc;
5171
5172         isec = sma->sem_perm.security;
5173
5174         AVC_AUDIT_DATA_INIT(&ad, IPC);
5175         ad.u.ipc_id = sma->sem_perm.key;
5176
5177         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5178                           SEM__CREATE, &ad);
5179         if (rc) {
5180                 ipc_free_security(&sma->sem_perm);
5181                 return rc;
5182         }
5183         return 0;
5184 }
5185
5186 static void selinux_sem_free_security(struct sem_array *sma)
5187 {
5188         ipc_free_security(&sma->sem_perm);
5189 }
5190
5191 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5192 {
5193         struct ipc_security_struct *isec;
5194         struct avc_audit_data ad;
5195         u32 sid = current_sid();
5196
5197         isec = sma->sem_perm.security;
5198
5199         AVC_AUDIT_DATA_INIT(&ad, IPC);
5200         ad.u.ipc_id = sma->sem_perm.key;
5201
5202         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5203                             SEM__ASSOCIATE, &ad);
5204 }
5205
5206 /* Note, at this point, sma is locked down */
5207 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5208 {
5209         int err;
5210         u32 perms;
5211
5212         switch (cmd) {
5213         case IPC_INFO:
5214         case SEM_INFO:
5215                 /* No specific object, just general system-wide information. */
5216                 return task_has_system(current, SYSTEM__IPC_INFO);
5217         case GETPID:
5218         case GETNCNT:
5219         case GETZCNT:
5220                 perms = SEM__GETATTR;
5221                 break;
5222         case GETVAL:
5223         case GETALL:
5224                 perms = SEM__READ;
5225                 break;
5226         case SETVAL:
5227         case SETALL:
5228                 perms = SEM__WRITE;
5229                 break;
5230         case IPC_RMID:
5231                 perms = SEM__DESTROY;
5232                 break;
5233         case IPC_SET:
5234                 perms = SEM__SETATTR;
5235                 break;
5236         case IPC_STAT:
5237         case SEM_STAT:
5238                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5239                 break;
5240         default:
5241                 return 0;
5242         }
5243
5244         err = ipc_has_perm(&sma->sem_perm, perms);
5245         return err;
5246 }
5247
5248 static int selinux_sem_semop(struct sem_array *sma,
5249                              struct sembuf *sops, unsigned nsops, int alter)
5250 {
5251         u32 perms;
5252
5253         if (alter)
5254                 perms = SEM__READ | SEM__WRITE;
5255         else
5256                 perms = SEM__READ;
5257
5258         return ipc_has_perm(&sma->sem_perm, perms);
5259 }
5260
5261 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5262 {
5263         u32 av = 0;
5264
5265         av = 0;
5266         if (flag & S_IRUGO)
5267                 av |= IPC__UNIX_READ;
5268         if (flag & S_IWUGO)
5269                 av |= IPC__UNIX_WRITE;
5270
5271         if (av == 0)
5272                 return 0;
5273
5274         return ipc_has_perm(ipcp, av);
5275 }
5276
5277 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5278 {
5279         struct ipc_security_struct *isec = ipcp->security;
5280         *secid = isec->sid;
5281 }
5282
5283 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5284 {
5285         if (inode)
5286                 inode_doinit_with_dentry(inode, dentry);
5287 }
5288
5289 static int selinux_getprocattr(struct task_struct *p,
5290                                char *name, char **value)
5291 {
5292         const struct task_security_struct *__tsec;
5293         u32 sid;
5294         int error;
5295         unsigned len;
5296
5297         if (current != p) {
5298                 error = task_has_perm(current, p, PROCESS__GETATTR);
5299                 if (error)
5300                         return error;
5301         }
5302
5303         rcu_read_lock();
5304         __tsec = __task_cred(p)->security;
5305
5306         if (!strcmp(name, "current"))
5307                 sid = __tsec->sid;
5308         else if (!strcmp(name, "prev"))
5309                 sid = __tsec->osid;
5310         else if (!strcmp(name, "exec"))
5311                 sid = __tsec->exec_sid;
5312         else if (!strcmp(name, "fscreate"))
5313                 sid = __tsec->create_sid;
5314         else if (!strcmp(name, "keycreate"))
5315                 sid = __tsec->keycreate_sid;
5316         else if (!strcmp(name, "sockcreate"))
5317                 sid = __tsec->sockcreate_sid;
5318         else
5319                 goto invalid;
5320         rcu_read_unlock();
5321
5322         if (!sid)
5323                 return 0;
5324
5325         error = security_sid_to_context(sid, value, &len);
5326         if (error)
5327                 return error;
5328         return len;
5329
5330 invalid:
5331         rcu_read_unlock();
5332         return -EINVAL;
5333 }
5334
5335 static int selinux_setprocattr(struct task_struct *p,
5336                                char *name, void *value, size_t size)
5337 {
5338         struct task_security_struct *tsec;
5339         struct task_struct *tracer;
5340         struct cred *new;
5341         u32 sid = 0, ptsid;
5342         int error;
5343         char *str = value;
5344
5345         if (current != p) {
5346                 /* SELinux only allows a process to change its own
5347                    security attributes. */
5348                 return -EACCES;
5349         }
5350
5351         /*
5352          * Basic control over ability to set these attributes at all.
5353          * current == p, but we'll pass them separately in case the
5354          * above restriction is ever removed.
5355          */
5356         if (!strcmp(name, "exec"))
5357                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5358         else if (!strcmp(name, "fscreate"))
5359                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5360         else if (!strcmp(name, "keycreate"))
5361                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5362         else if (!strcmp(name, "sockcreate"))
5363                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5364         else if (!strcmp(name, "current"))
5365                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5366         else
5367                 error = -EINVAL;
5368         if (error)
5369                 return error;
5370
5371         /* Obtain a SID for the context, if one was specified. */
5372         if (size && str[1] && str[1] != '\n') {
5373                 if (str[size-1] == '\n') {
5374                         str[size-1] = 0;
5375                         size--;
5376                 }
5377                 error = security_context_to_sid(value, size, &sid);
5378                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5379                         if (!capable(CAP_MAC_ADMIN))
5380                                 return error;
5381                         error = security_context_to_sid_force(value, size,
5382                                                               &sid);
5383                 }
5384                 if (error)
5385                         return error;
5386         }
5387
5388         new = prepare_creds();
5389         if (!new)
5390                 return -ENOMEM;
5391
5392         /* Permission checking based on the specified context is
5393            performed during the actual operation (execve,
5394            open/mkdir/...), when we know the full context of the
5395            operation.  See selinux_bprm_set_creds for the execve
5396            checks and may_create for the file creation checks. The
5397            operation will then fail if the context is not permitted. */
5398         tsec = new->security;
5399         if (!strcmp(name, "exec")) {
5400                 tsec->exec_sid = sid;
5401         } else if (!strcmp(name, "fscreate")) {
5402                 tsec->create_sid = sid;
5403         } else if (!strcmp(name, "keycreate")) {
5404                 error = may_create_key(sid, p);
5405                 if (error)
5406                         goto abort_change;
5407                 tsec->keycreate_sid = sid;
5408         } else if (!strcmp(name, "sockcreate")) {
5409                 tsec->sockcreate_sid = sid;
5410         } else if (!strcmp(name, "current")) {
5411                 error = -EINVAL;
5412                 if (sid == 0)
5413                         goto abort_change;
5414
5415                 /* Only allow single threaded processes to change context */
5416                 error = -EPERM;
5417                 if (!is_single_threaded(p)) {
5418                         error = security_bounded_transition(tsec->sid, sid);
5419                         if (error)
5420                                 goto abort_change;
5421                 }
5422
5423                 /* Check permissions for the transition. */
5424                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5425                                      PROCESS__DYNTRANSITION, NULL);
5426                 if (error)
5427                         goto abort_change;
5428
5429                 /* Check for ptracing, and update the task SID if ok.
5430                    Otherwise, leave SID unchanged and fail. */
5431                 ptsid = 0;
5432                 task_lock(p);
5433                 tracer = tracehook_tracer_task(p);
5434                 if (tracer)
5435                         ptsid = task_sid(tracer);
5436                 task_unlock(p);
5437
5438                 if (tracer) {
5439                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5440                                              PROCESS__PTRACE, NULL);
5441                         if (error)
5442                                 goto abort_change;
5443                 }
5444
5445                 tsec->sid = sid;
5446         } else {
5447                 error = -EINVAL;
5448                 goto abort_change;
5449         }
5450
5451         commit_creds(new);
5452         return size;
5453
5454 abort_change:
5455         abort_creds(new);
5456         return error;
5457 }
5458
5459 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5460 {
5461         return security_sid_to_context(secid, secdata, seclen);
5462 }
5463
5464 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5465 {
5466         return security_context_to_sid(secdata, seclen, secid);
5467 }
5468
5469 static void selinux_release_secctx(char *secdata, u32 seclen)
5470 {
5471         kfree(secdata);
5472 }
5473
5474 #ifdef CONFIG_KEYS
5475
5476 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5477                              unsigned long flags)
5478 {
5479         const struct task_security_struct *tsec;
5480         struct key_security_struct *ksec;
5481
5482         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5483         if (!ksec)
5484                 return -ENOMEM;
5485
5486         tsec = cred->security;
5487         if (tsec->keycreate_sid)
5488                 ksec->sid = tsec->keycreate_sid;
5489         else
5490                 ksec->sid = tsec->sid;
5491
5492         k->security = ksec;
5493         return 0;
5494 }
5495
5496 static void selinux_key_free(struct key *k)
5497 {
5498         struct key_security_struct *ksec = k->security;
5499
5500         k->security = NULL;
5501         kfree(ksec);
5502 }
5503
5504 static int selinux_key_permission(key_ref_t key_ref,
5505                                   const struct cred *cred,
5506                                   key_perm_t perm)
5507 {
5508         struct key *key;
5509         struct key_security_struct *ksec;
5510         u32 sid;
5511
5512         /* if no specific permissions are requested, we skip the
5513            permission check. No serious, additional covert channels
5514            appear to be created. */
5515         if (perm == 0)
5516                 return 0;
5517
5518         sid = cred_sid(cred);
5519
5520         key = key_ref_to_ptr(key_ref);
5521         ksec = key->security;
5522
5523         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5524 }
5525
5526 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5527 {
5528         struct key_security_struct *ksec = key->security;
5529         char *context = NULL;
5530         unsigned len;
5531         int rc;
5532
5533         rc = security_sid_to_context(ksec->sid, &context, &len);
5534         if (!rc)
5535                 rc = len;
5536         *_buffer = context;
5537         return rc;
5538 }
5539
5540 #endif
5541
5542 static struct security_operations selinux_ops = {
5543         .name =                         "selinux",
5544
5545         .ptrace_may_access =            selinux_ptrace_may_access,
5546         .ptrace_traceme =               selinux_ptrace_traceme,
5547         .capget =                       selinux_capget,
5548         .capset =                       selinux_capset,
5549         .sysctl =                       selinux_sysctl,
5550         .capable =                      selinux_capable,
5551         .quotactl =                     selinux_quotactl,
5552         .quota_on =                     selinux_quota_on,
5553         .syslog =                       selinux_syslog,
5554         .vm_enough_memory =             selinux_vm_enough_memory,
5555
5556         .netlink_send =                 selinux_netlink_send,
5557         .netlink_recv =                 selinux_netlink_recv,
5558
5559         .bprm_alloc_security =          selinux_bprm_alloc_security,
5560         .bprm_free_security =           selinux_bprm_free_security,
5561         .bprm_apply_creds =             selinux_bprm_apply_creds,
5562         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5563         .bprm_set_security =            selinux_bprm_set_security,
5564         .bprm_check_security =          selinux_bprm_check_security,
5565         .bprm_secureexec =              selinux_bprm_secureexec,
5566
5567         .sb_alloc_security =            selinux_sb_alloc_security,
5568         .sb_free_security =             selinux_sb_free_security,
5569         .sb_copy_data =                 selinux_sb_copy_data,
5570         .sb_kern_mount =                selinux_sb_kern_mount,
5571         .sb_show_options =              selinux_sb_show_options,
5572         .sb_statfs =                    selinux_sb_statfs,
5573         .sb_mount =                     selinux_mount,
5574         .sb_umount =                    selinux_umount,
5575         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5576         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5577         .sb_parse_opts_str =            selinux_parse_opts_str,
5578
5579
5580         .inode_alloc_security =         selinux_inode_alloc_security,
5581         .inode_free_security =          selinux_inode_free_security,
5582         .inode_init_security =          selinux_inode_init_security,
5583         .inode_create =                 selinux_inode_create,
5584         .inode_link =                   selinux_inode_link,
5585         .inode_unlink =                 selinux_inode_unlink,
5586         .inode_symlink =                selinux_inode_symlink,
5587         .inode_mkdir =                  selinux_inode_mkdir,
5588         .inode_rmdir =                  selinux_inode_rmdir,
5589         .inode_mknod =                  selinux_inode_mknod,
5590         .inode_rename =                 selinux_inode_rename,
5591         .inode_readlink =               selinux_inode_readlink,
5592         .inode_follow_link =            selinux_inode_follow_link,
5593         .inode_permission =             selinux_inode_permission,
5594         .inode_setattr =                selinux_inode_setattr,
5595         .inode_getattr =                selinux_inode_getattr,
5596         .inode_setxattr =               selinux_inode_setxattr,
5597         .inode_post_setxattr =          selinux_inode_post_setxattr,
5598         .inode_getxattr =               selinux_inode_getxattr,
5599         .inode_listxattr =              selinux_inode_listxattr,
5600         .inode_removexattr =            selinux_inode_removexattr,
5601         .inode_getsecurity =            selinux_inode_getsecurity,
5602         .inode_setsecurity =            selinux_inode_setsecurity,
5603         .inode_listsecurity =           selinux_inode_listsecurity,
5604         .inode_need_killpriv =          selinux_inode_need_killpriv,
5605         .inode_killpriv =               selinux_inode_killpriv,
5606         .inode_getsecid =               selinux_inode_getsecid,
5607
5608         .file_permission =              selinux_file_permission,
5609         .file_alloc_security =          selinux_file_alloc_security,
5610         .file_free_security =           selinux_file_free_security,
5611         .file_ioctl =                   selinux_file_ioctl,
5612         .file_mmap =                    selinux_file_mmap,
5613         .file_mprotect =                selinux_file_mprotect,
5614         .file_lock =                    selinux_file_lock,
5615         .file_fcntl =                   selinux_file_fcntl,
5616         .file_set_fowner =              selinux_file_set_fowner,
5617         .file_send_sigiotask =          selinux_file_send_sigiotask,
5618         .file_receive =                 selinux_file_receive,
5619
5620         .dentry_open =                  selinux_dentry_open,
5621
5622         .task_create =                  selinux_task_create,
5623         .cred_free =                    selinux_cred_free,
5624         .cred_prepare =                 selinux_cred_prepare,
5625         .cred_commit =                  selinux_cred_commit,
5626         .task_setuid =                  selinux_task_setuid,
5627         .task_fix_setuid =              selinux_task_fix_setuid,
5628         .task_setgid =                  selinux_task_setgid,
5629         .task_setpgid =                 selinux_task_setpgid,
5630         .task_getpgid =                 selinux_task_getpgid,
5631         .task_getsid =                  selinux_task_getsid,
5632         .task_getsecid =                selinux_task_getsecid,
5633         .task_setgroups =               selinux_task_setgroups,
5634         .task_setnice =                 selinux_task_setnice,
5635         .task_setioprio =               selinux_task_setioprio,
5636         .task_getioprio =               selinux_task_getioprio,
5637         .task_setrlimit =               selinux_task_setrlimit,
5638         .task_setscheduler =            selinux_task_setscheduler,
5639         .task_getscheduler =            selinux_task_getscheduler,
5640         .task_movememory =              selinux_task_movememory,
5641         .task_kill =                    selinux_task_kill,
5642         .task_wait =                    selinux_task_wait,
5643         .task_prctl =                   selinux_task_prctl,
5644         .task_to_inode =                selinux_task_to_inode,
5645
5646         .ipc_permission =               selinux_ipc_permission,
5647         .ipc_getsecid =                 selinux_ipc_getsecid,
5648
5649         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5650         .msg_msg_free_security =        selinux_msg_msg_free_security,
5651
5652         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5653         .msg_queue_free_security =      selinux_msg_queue_free_security,
5654         .msg_queue_associate =          selinux_msg_queue_associate,
5655         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5656         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5657         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5658
5659         .shm_alloc_security =           selinux_shm_alloc_security,
5660         .shm_free_security =            selinux_shm_free_security,
5661         .shm_associate =                selinux_shm_associate,
5662         .shm_shmctl =                   selinux_shm_shmctl,
5663         .shm_shmat =                    selinux_shm_shmat,
5664
5665         .sem_alloc_security =           selinux_sem_alloc_security,
5666         .sem_free_security =            selinux_sem_free_security,
5667         .sem_associate =                selinux_sem_associate,
5668         .sem_semctl =                   selinux_sem_semctl,
5669         .sem_semop =                    selinux_sem_semop,
5670
5671         .d_instantiate =                selinux_d_instantiate,
5672
5673         .getprocattr =                  selinux_getprocattr,
5674         .setprocattr =                  selinux_setprocattr,
5675
5676         .secid_to_secctx =              selinux_secid_to_secctx,
5677         .secctx_to_secid =              selinux_secctx_to_secid,
5678         .release_secctx =               selinux_release_secctx,
5679
5680         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5681         .unix_may_send =                selinux_socket_unix_may_send,
5682
5683         .socket_create =                selinux_socket_create,
5684         .socket_post_create =           selinux_socket_post_create,
5685         .socket_bind =                  selinux_socket_bind,
5686         .socket_connect =               selinux_socket_connect,
5687         .socket_listen =                selinux_socket_listen,
5688         .socket_accept =                selinux_socket_accept,
5689         .socket_sendmsg =               selinux_socket_sendmsg,
5690         .socket_recvmsg =               selinux_socket_recvmsg,
5691         .socket_getsockname =           selinux_socket_getsockname,
5692         .socket_getpeername =           selinux_socket_getpeername,
5693         .socket_getsockopt =            selinux_socket_getsockopt,
5694         .socket_setsockopt =            selinux_socket_setsockopt,
5695         .socket_shutdown =              selinux_socket_shutdown,
5696         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5697         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5698         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5699         .sk_alloc_security =            selinux_sk_alloc_security,
5700         .sk_free_security =             selinux_sk_free_security,
5701         .sk_clone_security =            selinux_sk_clone_security,
5702         .sk_getsecid =                  selinux_sk_getsecid,
5703         .sock_graft =                   selinux_sock_graft,
5704         .inet_conn_request =            selinux_inet_conn_request,
5705         .inet_csk_clone =               selinux_inet_csk_clone,
5706         .inet_conn_established =        selinux_inet_conn_established,
5707         .req_classify_flow =            selinux_req_classify_flow,
5708
5709 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5710         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5711         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5712         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5713         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5714         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5715         .xfrm_state_free_security =     selinux_xfrm_state_free,
5716         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5717         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5718         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5719         .xfrm_decode_session =          selinux_xfrm_decode_session,
5720 #endif
5721
5722 #ifdef CONFIG_KEYS
5723         .key_alloc =                    selinux_key_alloc,
5724         .key_free =                     selinux_key_free,
5725         .key_permission =               selinux_key_permission,
5726         .key_getsecurity =              selinux_key_getsecurity,
5727 #endif
5728
5729 #ifdef CONFIG_AUDIT
5730         .audit_rule_init =              selinux_audit_rule_init,
5731         .audit_rule_known =             selinux_audit_rule_known,
5732         .audit_rule_match =             selinux_audit_rule_match,
5733         .audit_rule_free =              selinux_audit_rule_free,
5734 #endif
5735 };
5736
5737 static __init int selinux_init(void)
5738 {
5739         if (!security_module_enable(&selinux_ops)) {
5740                 selinux_enabled = 0;
5741                 return 0;
5742         }
5743
5744         if (!selinux_enabled) {
5745                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5746                 return 0;
5747         }
5748
5749         printk(KERN_INFO "SELinux:  Initializing.\n");
5750
5751         /* Set the security state for the initial task. */
5752         cred_init_security();
5753
5754         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5755                                             sizeof(struct inode_security_struct),
5756                                             0, SLAB_PANIC, NULL);
5757         avc_init();
5758
5759         secondary_ops = security_ops;
5760         if (!secondary_ops)
5761                 panic("SELinux: No initial security operations\n");
5762         if (register_security(&selinux_ops))
5763                 panic("SELinux: Unable to register with kernel.\n");
5764
5765         if (selinux_enforcing)
5766                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5767         else
5768                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5769
5770         return 0;
5771 }
5772
5773 void selinux_complete_init(void)
5774 {
5775         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5776
5777         /* Set up any superblocks initialized prior to the policy load. */
5778         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5779         spin_lock(&sb_lock);
5780         spin_lock(&sb_security_lock);
5781 next_sb:
5782         if (!list_empty(&superblock_security_head)) {
5783                 struct superblock_security_struct *sbsec =
5784                                 list_entry(superblock_security_head.next,
5785                                            struct superblock_security_struct,
5786                                            list);
5787                 struct super_block *sb = sbsec->sb;
5788                 sb->s_count++;
5789                 spin_unlock(&sb_security_lock);
5790                 spin_unlock(&sb_lock);
5791                 down_read(&sb->s_umount);
5792                 if (sb->s_root)
5793                         superblock_doinit(sb, NULL);
5794                 drop_super(sb);
5795                 spin_lock(&sb_lock);
5796                 spin_lock(&sb_security_lock);
5797                 list_del_init(&sbsec->list);
5798                 goto next_sb;
5799         }
5800         spin_unlock(&sb_security_lock);
5801         spin_unlock(&sb_lock);
5802 }
5803
5804 /* SELinux requires early initialization in order to label
5805    all processes and objects when they are created. */
5806 security_initcall(selinux_init);
5807
5808 #if defined(CONFIG_NETFILTER)
5809
5810 static struct nf_hook_ops selinux_ipv4_ops[] = {
5811         {
5812                 .hook =         selinux_ipv4_postroute,
5813                 .owner =        THIS_MODULE,
5814                 .pf =           PF_INET,
5815                 .hooknum =      NF_INET_POST_ROUTING,
5816                 .priority =     NF_IP_PRI_SELINUX_LAST,
5817         },
5818         {
5819                 .hook =         selinux_ipv4_forward,
5820                 .owner =        THIS_MODULE,
5821                 .pf =           PF_INET,
5822                 .hooknum =      NF_INET_FORWARD,
5823                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5824         },
5825         {
5826                 .hook =         selinux_ipv4_output,
5827                 .owner =        THIS_MODULE,
5828                 .pf =           PF_INET,
5829                 .hooknum =      NF_INET_LOCAL_OUT,
5830                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5831         }
5832 };
5833
5834 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5835
5836 static struct nf_hook_ops selinux_ipv6_ops[] = {
5837         {
5838                 .hook =         selinux_ipv6_postroute,
5839                 .owner =        THIS_MODULE,
5840                 .pf =           PF_INET6,
5841                 .hooknum =      NF_INET_POST_ROUTING,
5842                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5843         },
5844         {
5845                 .hook =         selinux_ipv6_forward,
5846                 .owner =        THIS_MODULE,
5847                 .pf =           PF_INET6,
5848                 .hooknum =      NF_INET_FORWARD,
5849                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5850         }
5851 };
5852
5853 #endif  /* IPV6 */
5854
5855 static int __init selinux_nf_ip_init(void)
5856 {
5857         int err = 0;
5858
5859         if (!selinux_enabled)
5860                 goto out;
5861
5862         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5863
5864         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5865         if (err)
5866                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5867
5868 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5869         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5870         if (err)
5871                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5872 #endif  /* IPV6 */
5873
5874 out:
5875         return err;
5876 }
5877
5878 __initcall(selinux_nf_ip_init);
5879
5880 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5881 static void selinux_nf_ip_exit(void)
5882 {
5883         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5884
5885         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5886 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5887         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5888 #endif  /* IPV6 */
5889 }
5890 #endif
5891
5892 #else /* CONFIG_NETFILTER */
5893
5894 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5895 #define selinux_nf_ip_exit()
5896 #endif
5897
5898 #endif /* CONFIG_NETFILTER */
5899
5900 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5901 static int selinux_disabled;
5902
5903 int selinux_disable(void)
5904 {
5905         extern void exit_sel_fs(void);
5906
5907         if (ss_initialized) {
5908                 /* Not permitted after initial policy load. */
5909                 return -EINVAL;
5910         }
5911
5912         if (selinux_disabled) {
5913                 /* Only do this once. */
5914                 return -EINVAL;
5915         }
5916
5917         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5918
5919         selinux_disabled = 1;
5920         selinux_enabled = 0;
5921
5922         /* Reset security_ops to the secondary module, dummy or capability. */
5923         security_ops = secondary_ops;
5924
5925         /* Unregister netfilter hooks. */
5926         selinux_nf_ip_exit();
5927
5928         /* Unregister selinuxfs. */
5929         exit_sel_fs();
5930
5931         return 0;
5932 }
5933 #endif