Linux 2.6.26-rc8
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *              Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/fdtable.h>
43 #include <linux/namei.h>
44 #include <linux/mount.h>
45 #include <linux/ext2_fs.h>
46 #include <linux/proc_fs.h>
47 #include <linux/kd.h>
48 #include <linux/netfilter_ipv4.h>
49 #include <linux/netfilter_ipv6.h>
50 #include <linux/tty.h>
51 #include <net/icmp.h>
52 #include <net/ip.h>             /* for local_port_range[] */
53 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
54 #include <net/net_namespace.h>
55 #include <net/netlabel.h>
56 #include <asm/uaccess.h>
57 #include <asm/ioctls.h>
58 #include <asm/atomic.h>
59 #include <linux/bitops.h>
60 #include <linux/interrupt.h>
61 #include <linux/netdevice.h>    /* for network interface checks */
62 #include <linux/netlink.h>
63 #include <linux/tcp.h>
64 #include <linux/udp.h>
65 #include <linux/dccp.h>
66 #include <linux/quota.h>
67 #include <linux/un.h>           /* for Unix socket types */
68 #include <net/af_unix.h>        /* for Unix socket types */
69 #include <linux/parser.h>
70 #include <linux/nfs_mount.h>
71 #include <net/ipv6.h>
72 #include <linux/hugetlb.h>
73 #include <linux/personality.h>
74 #include <linux/sysctl.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         selinux_enforcing = simple_strtol(str, NULL, 0);
108         return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118         selinux_enabled = simple_strtol(str, NULL, 0);
119         return 1;
120 }
121 __setup("selinux=", selinux_enabled_setup);
122 #else
123 int selinux_enabled = 1;
124 #endif
125
126 /* Original (dummy) security module. */
127 static struct security_operations *original_ops;
128
129 /* Minimal support for a secondary security module,
130    just to allow the use of the dummy or capability modules.
131    The owlsm module can alternatively be used as a secondary
132    module as long as CONFIG_OWLSM_FD is not enabled. */
133 static struct security_operations *secondary_ops;
134
135 /* Lists of inode and superblock security structures initialized
136    before the policy was loaded. */
137 static LIST_HEAD(superblock_security_head);
138 static DEFINE_SPINLOCK(sb_security_lock);
139
140 static struct kmem_cache *sel_inode_cache;
141
142 /**
143  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
144  *
145  * Description:
146  * This function checks the SECMARK reference counter to see if any SECMARK
147  * targets are currently configured, if the reference counter is greater than
148  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
149  * enabled, false (0) if SECMARK is disabled.
150  *
151  */
152 static int selinux_secmark_enabled(void)
153 {
154         return (atomic_read(&selinux_secmark_refcount) > 0);
155 }
156
157 /* Allocate and free functions for each kind of security blob. */
158
159 static int task_alloc_security(struct task_struct *task)
160 {
161         struct task_security_struct *tsec;
162
163         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
164         if (!tsec)
165                 return -ENOMEM;
166
167         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
168         task->security = tsec;
169
170         return 0;
171 }
172
173 static void task_free_security(struct task_struct *task)
174 {
175         struct task_security_struct *tsec = task->security;
176         task->security = NULL;
177         kfree(tsec);
178 }
179
180 static int inode_alloc_security(struct inode *inode)
181 {
182         struct task_security_struct *tsec = current->security;
183         struct inode_security_struct *isec;
184
185         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
186         if (!isec)
187                 return -ENOMEM;
188
189         mutex_init(&isec->lock);
190         INIT_LIST_HEAD(&isec->list);
191         isec->inode = inode;
192         isec->sid = SECINITSID_UNLABELED;
193         isec->sclass = SECCLASS_FILE;
194         isec->task_sid = tsec->sid;
195         inode->i_security = isec;
196
197         return 0;
198 }
199
200 static void inode_free_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec = inode->i_security;
203         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
204
205         spin_lock(&sbsec->isec_lock);
206         if (!list_empty(&isec->list))
207                 list_del_init(&isec->list);
208         spin_unlock(&sbsec->isec_lock);
209
210         inode->i_security = NULL;
211         kmem_cache_free(sel_inode_cache, isec);
212 }
213
214 static int file_alloc_security(struct file *file)
215 {
216         struct task_security_struct *tsec = current->security;
217         struct file_security_struct *fsec;
218
219         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220         if (!fsec)
221                 return -ENOMEM;
222
223         fsec->sid = tsec->sid;
224         fsec->fown_sid = tsec->sid;
225         file->f_security = fsec;
226
227         return 0;
228 }
229
230 static void file_free_security(struct file *file)
231 {
232         struct file_security_struct *fsec = file->f_security;
233         file->f_security = NULL;
234         kfree(fsec);
235 }
236
237 static int superblock_alloc_security(struct super_block *sb)
238 {
239         struct superblock_security_struct *sbsec;
240
241         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
242         if (!sbsec)
243                 return -ENOMEM;
244
245         mutex_init(&sbsec->lock);
246         INIT_LIST_HEAD(&sbsec->list);
247         INIT_LIST_HEAD(&sbsec->isec_head);
248         spin_lock_init(&sbsec->isec_lock);
249         sbsec->sb = sb;
250         sbsec->sid = SECINITSID_UNLABELED;
251         sbsec->def_sid = SECINITSID_FILE;
252         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
253         sb->s_security = sbsec;
254
255         return 0;
256 }
257
258 static void superblock_free_security(struct super_block *sb)
259 {
260         struct superblock_security_struct *sbsec = sb->s_security;
261
262         spin_lock(&sb_security_lock);
263         if (!list_empty(&sbsec->list))
264                 list_del_init(&sbsec->list);
265         spin_unlock(&sb_security_lock);
266
267         sb->s_security = NULL;
268         kfree(sbsec);
269 }
270
271 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 {
273         struct sk_security_struct *ssec;
274
275         ssec = kzalloc(sizeof(*ssec), priority);
276         if (!ssec)
277                 return -ENOMEM;
278
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_reset(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 3,
323         Opt_rootcontext = 4,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, CONTEXT_STR "%s"},
328         {Opt_fscontext, FSCONTEXT_STR "%s"},
329         {Opt_defcontext, DEFCONTEXT_STR "%s"},
330         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int sb_finish_set_opts(struct super_block *sb)
368 {
369         struct superblock_security_struct *sbsec = sb->s_security;
370         struct dentry *root = sb->s_root;
371         struct inode *root_inode = root->d_inode;
372         int rc = 0;
373
374         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375                 /* Make sure that the xattr handler exists and that no
376                    error other than -ENODATA is returned by getxattr on
377                    the root directory.  -ENODATA is ok, as this may be
378                    the first boot of the SELinux kernel before we have
379                    assigned xattr values to the filesystem. */
380                 if (!root_inode->i_op->getxattr) {
381                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382                                "xattr support\n", sb->s_id, sb->s_type->name);
383                         rc = -EOPNOTSUPP;
384                         goto out;
385                 }
386                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387                 if (rc < 0 && rc != -ENODATA) {
388                         if (rc == -EOPNOTSUPP)
389                                 printk(KERN_WARNING "SELinux: (dev %s, type "
390                                        "%s) has no security xattr handler\n",
391                                        sb->s_id, sb->s_type->name);
392                         else
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) getxattr errno %d\n", sb->s_id,
395                                        sb->s_type->name, -rc);
396                         goto out;
397                 }
398         }
399
400         sbsec->initialized = 1;
401
402         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404                        sb->s_id, sb->s_type->name);
405         else
406                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407                        sb->s_id, sb->s_type->name,
408                        labeling_behaviors[sbsec->behavior-1]);
409
410         /* Initialize the root inode. */
411         rc = inode_doinit_with_dentry(root_inode, root);
412
413         /* Initialize any other inodes associated with the superblock, e.g.
414            inodes created prior to initial policy load or inodes created
415            during get_sb by a pseudo filesystem that directly
416            populates itself. */
417         spin_lock(&sbsec->isec_lock);
418 next_inode:
419         if (!list_empty(&sbsec->isec_head)) {
420                 struct inode_security_struct *isec =
421                                 list_entry(sbsec->isec_head.next,
422                                            struct inode_security_struct, list);
423                 struct inode *inode = isec->inode;
424                 spin_unlock(&sbsec->isec_lock);
425                 inode = igrab(inode);
426                 if (inode) {
427                         if (!IS_PRIVATE(inode))
428                                 inode_doinit(inode);
429                         iput(inode);
430                 }
431                 spin_lock(&sbsec->isec_lock);
432                 list_del_init(&isec->list);
433                 goto next_inode;
434         }
435         spin_unlock(&sbsec->isec_lock);
436 out:
437         return rc;
438 }
439
440 /*
441  * This function should allow an FS to ask what it's mount security
442  * options were so it can use those later for submounts, displaying
443  * mount options, or whatever.
444  */
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446                                 struct security_mnt_opts *opts)
447 {
448         int rc = 0, i;
449         struct superblock_security_struct *sbsec = sb->s_security;
450         char *context = NULL;
451         u32 len;
452         char tmp;
453
454         security_init_mnt_opts(opts);
455
456         if (!sbsec->initialized)
457                 return -EINVAL;
458
459         if (!ss_initialized)
460                 return -EINVAL;
461
462         /*
463          * if we ever use sbsec flags for anything other than tracking mount
464          * settings this is going to need a mask
465          */
466         tmp = sbsec->flags;
467         /* count the number of mount options for this sb */
468         for (i = 0; i < 8; i++) {
469                 if (tmp & 0x01)
470                         opts->num_mnt_opts++;
471                 tmp >>= 1;
472         }
473
474         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475         if (!opts->mnt_opts) {
476                 rc = -ENOMEM;
477                 goto out_free;
478         }
479
480         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481         if (!opts->mnt_opts_flags) {
482                 rc = -ENOMEM;
483                 goto out_free;
484         }
485
486         i = 0;
487         if (sbsec->flags & FSCONTEXT_MNT) {
488                 rc = security_sid_to_context(sbsec->sid, &context, &len);
489                 if (rc)
490                         goto out_free;
491                 opts->mnt_opts[i] = context;
492                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
493         }
494         if (sbsec->flags & CONTEXT_MNT) {
495                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496                 if (rc)
497                         goto out_free;
498                 opts->mnt_opts[i] = context;
499                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
500         }
501         if (sbsec->flags & DEFCONTEXT_MNT) {
502                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503                 if (rc)
504                         goto out_free;
505                 opts->mnt_opts[i] = context;
506                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
507         }
508         if (sbsec->flags & ROOTCONTEXT_MNT) {
509                 struct inode *root = sbsec->sb->s_root->d_inode;
510                 struct inode_security_struct *isec = root->i_security;
511
512                 rc = security_sid_to_context(isec->sid, &context, &len);
513                 if (rc)
514                         goto out_free;
515                 opts->mnt_opts[i] = context;
516                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517         }
518
519         BUG_ON(i != opts->num_mnt_opts);
520
521         return 0;
522
523 out_free:
524         security_free_mnt_opts(opts);
525         return rc;
526 }
527
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529                       u32 old_sid, u32 new_sid)
530 {
531         /* check if the old mount command had the same options */
532         if (sbsec->initialized)
533                 if (!(sbsec->flags & flag) ||
534                     (old_sid != new_sid))
535                         return 1;
536
537         /* check if we were passed the same options twice,
538          * aka someone passed context=a,context=b
539          */
540         if (!sbsec->initialized)
541                 if (sbsec->flags & flag)
542                         return 1;
543         return 0;
544 }
545
546 /*
547  * Allow filesystems with binary mount data to explicitly set mount point
548  * labeling information.
549  */
550 static int selinux_set_mnt_opts(struct super_block *sb,
551                                 struct security_mnt_opts *opts)
552 {
553         int rc = 0, i;
554         struct task_security_struct *tsec = current->security;
555         struct superblock_security_struct *sbsec = sb->s_security;
556         const char *name = sb->s_type->name;
557         struct inode *inode = sbsec->sb->s_root->d_inode;
558         struct inode_security_struct *root_isec = inode->i_security;
559         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560         u32 defcontext_sid = 0;
561         char **mount_options = opts->mnt_opts;
562         int *flags = opts->mnt_opts_flags;
563         int num_opts = opts->num_mnt_opts;
564
565         mutex_lock(&sbsec->lock);
566
567         if (!ss_initialized) {
568                 if (!num_opts) {
569                         /* Defer initialization until selinux_complete_init,
570                            after the initial policy is loaded and the security
571                            server is ready to handle calls. */
572                         spin_lock(&sb_security_lock);
573                         if (list_empty(&sbsec->list))
574                                 list_add(&sbsec->list, &superblock_security_head);
575                         spin_unlock(&sb_security_lock);
576                         goto out;
577                 }
578                 rc = -EINVAL;
579                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
580                         "before the security server is initialized\n");
581                 goto out;
582         }
583
584         /*
585          * Binary mount data FS will come through this function twice.  Once
586          * from an explicit call and once from the generic calls from the vfs.
587          * Since the generic VFS calls will not contain any security mount data
588          * we need to skip the double mount verification.
589          *
590          * This does open a hole in which we will not notice if the first
591          * mount using this sb set explict options and a second mount using
592          * this sb does not set any security options.  (The first options
593          * will be used for both mounts)
594          */
595         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596             && (num_opts == 0))
597                 goto out;
598
599         /*
600          * parse the mount options, check if they are valid sids.
601          * also check if someone is trying to mount the same sb more
602          * than once with different security options.
603          */
604         for (i = 0; i < num_opts; i++) {
605                 u32 sid;
606                 rc = security_context_to_sid(mount_options[i],
607                                              strlen(mount_options[i]), &sid);
608                 if (rc) {
609                         printk(KERN_WARNING "SELinux: security_context_to_sid"
610                                "(%s) failed for (dev %s, type %s) errno=%d\n",
611                                mount_options[i], sb->s_id, name, rc);
612                         goto out;
613                 }
614                 switch (flags[i]) {
615                 case FSCONTEXT_MNT:
616                         fscontext_sid = sid;
617
618                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619                                         fscontext_sid))
620                                 goto out_double_mount;
621
622                         sbsec->flags |= FSCONTEXT_MNT;
623                         break;
624                 case CONTEXT_MNT:
625                         context_sid = sid;
626
627                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628                                         context_sid))
629                                 goto out_double_mount;
630
631                         sbsec->flags |= CONTEXT_MNT;
632                         break;
633                 case ROOTCONTEXT_MNT:
634                         rootcontext_sid = sid;
635
636                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637                                         rootcontext_sid))
638                                 goto out_double_mount;
639
640                         sbsec->flags |= ROOTCONTEXT_MNT;
641
642                         break;
643                 case DEFCONTEXT_MNT:
644                         defcontext_sid = sid;
645
646                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647                                         defcontext_sid))
648                                 goto out_double_mount;
649
650                         sbsec->flags |= DEFCONTEXT_MNT;
651
652                         break;
653                 default:
654                         rc = -EINVAL;
655                         goto out;
656                 }
657         }
658
659         if (sbsec->initialized) {
660                 /* previously mounted with options, but not on this attempt? */
661                 if (sbsec->flags && !num_opts)
662                         goto out_double_mount;
663                 rc = 0;
664                 goto out;
665         }
666
667         if (strcmp(sb->s_type->name, "proc") == 0)
668                 sbsec->proc = 1;
669
670         /* Determine the labeling behavior to use for this filesystem type. */
671         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672         if (rc) {
673                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674                        __func__, sb->s_type->name, rc);
675                 goto out;
676         }
677
678         /* sets the context of the superblock for the fs being mounted. */
679         if (fscontext_sid) {
680
681                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682                 if (rc)
683                         goto out;
684
685                 sbsec->sid = fscontext_sid;
686         }
687
688         /*
689          * Switch to using mount point labeling behavior.
690          * sets the label used on all file below the mountpoint, and will set
691          * the superblock context if not already set.
692          */
693         if (context_sid) {
694                 if (!fscontext_sid) {
695                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696                         if (rc)
697                                 goto out;
698                         sbsec->sid = context_sid;
699                 } else {
700                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701                         if (rc)
702                                 goto out;
703                 }
704                 if (!rootcontext_sid)
705                         rootcontext_sid = context_sid;
706
707                 sbsec->mntpoint_sid = context_sid;
708                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709         }
710
711         if (rootcontext_sid) {
712                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713                 if (rc)
714                         goto out;
715
716                 root_isec->sid = rootcontext_sid;
717                 root_isec->initialized = 1;
718         }
719
720         if (defcontext_sid) {
721                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722                         rc = -EINVAL;
723                         printk(KERN_WARNING "SELinux: defcontext option is "
724                                "invalid for this filesystem type\n");
725                         goto out;
726                 }
727
728                 if (defcontext_sid != sbsec->def_sid) {
729                         rc = may_context_mount_inode_relabel(defcontext_sid,
730                                                              sbsec, tsec);
731                         if (rc)
732                                 goto out;
733                 }
734
735                 sbsec->def_sid = defcontext_sid;
736         }
737
738         rc = sb_finish_set_opts(sb);
739 out:
740         mutex_unlock(&sbsec->lock);
741         return rc;
742 out_double_mount:
743         rc = -EINVAL;
744         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
745                "security settings for (dev %s, type %s)\n", sb->s_id, name);
746         goto out;
747 }
748
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750                                         struct super_block *newsb)
751 {
752         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753         struct superblock_security_struct *newsbsec = newsb->s_security;
754
755         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
756         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
757         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
758
759         /*
760          * if the parent was able to be mounted it clearly had no special lsm
761          * mount options.  thus we can safely put this sb on the list and deal
762          * with it later
763          */
764         if (!ss_initialized) {
765                 spin_lock(&sb_security_lock);
766                 if (list_empty(&newsbsec->list))
767                         list_add(&newsbsec->list, &superblock_security_head);
768                 spin_unlock(&sb_security_lock);
769                 return;
770         }
771
772         /* how can we clone if the old one wasn't set up?? */
773         BUG_ON(!oldsbsec->initialized);
774
775         /* if fs is reusing a sb, just let its options stand... */
776         if (newsbsec->initialized)
777                 return;
778
779         mutex_lock(&newsbsec->lock);
780
781         newsbsec->flags = oldsbsec->flags;
782
783         newsbsec->sid = oldsbsec->sid;
784         newsbsec->def_sid = oldsbsec->def_sid;
785         newsbsec->behavior = oldsbsec->behavior;
786
787         if (set_context) {
788                 u32 sid = oldsbsec->mntpoint_sid;
789
790                 if (!set_fscontext)
791                         newsbsec->sid = sid;
792                 if (!set_rootcontext) {
793                         struct inode *newinode = newsb->s_root->d_inode;
794                         struct inode_security_struct *newisec = newinode->i_security;
795                         newisec->sid = sid;
796                 }
797                 newsbsec->mntpoint_sid = sid;
798         }
799         if (set_rootcontext) {
800                 const struct inode *oldinode = oldsb->s_root->d_inode;
801                 const struct inode_security_struct *oldisec = oldinode->i_security;
802                 struct inode *newinode = newsb->s_root->d_inode;
803                 struct inode_security_struct *newisec = newinode->i_security;
804
805                 newisec->sid = oldisec->sid;
806         }
807
808         sb_finish_set_opts(newsb);
809         mutex_unlock(&newsbsec->lock);
810 }
811
812 static int selinux_parse_opts_str(char *options,
813                                   struct security_mnt_opts *opts)
814 {
815         char *p;
816         char *context = NULL, *defcontext = NULL;
817         char *fscontext = NULL, *rootcontext = NULL;
818         int rc, num_mnt_opts = 0;
819
820         opts->num_mnt_opts = 0;
821
822         /* Standard string-based options. */
823         while ((p = strsep(&options, "|")) != NULL) {
824                 int token;
825                 substring_t args[MAX_OPT_ARGS];
826
827                 if (!*p)
828                         continue;
829
830                 token = match_token(p, tokens, args);
831
832                 switch (token) {
833                 case Opt_context:
834                         if (context || defcontext) {
835                                 rc = -EINVAL;
836                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
837                                 goto out_err;
838                         }
839                         context = match_strdup(&args[0]);
840                         if (!context) {
841                                 rc = -ENOMEM;
842                                 goto out_err;
843                         }
844                         break;
845
846                 case Opt_fscontext:
847                         if (fscontext) {
848                                 rc = -EINVAL;
849                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850                                 goto out_err;
851                         }
852                         fscontext = match_strdup(&args[0]);
853                         if (!fscontext) {
854                                 rc = -ENOMEM;
855                                 goto out_err;
856                         }
857                         break;
858
859                 case Opt_rootcontext:
860                         if (rootcontext) {
861                                 rc = -EINVAL;
862                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863                                 goto out_err;
864                         }
865                         rootcontext = match_strdup(&args[0]);
866                         if (!rootcontext) {
867                                 rc = -ENOMEM;
868                                 goto out_err;
869                         }
870                         break;
871
872                 case Opt_defcontext:
873                         if (context || defcontext) {
874                                 rc = -EINVAL;
875                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876                                 goto out_err;
877                         }
878                         defcontext = match_strdup(&args[0]);
879                         if (!defcontext) {
880                                 rc = -ENOMEM;
881                                 goto out_err;
882                         }
883                         break;
884
885                 default:
886                         rc = -EINVAL;
887                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
888                         goto out_err;
889
890                 }
891         }
892
893         rc = -ENOMEM;
894         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
895         if (!opts->mnt_opts)
896                 goto out_err;
897
898         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
899         if (!opts->mnt_opts_flags) {
900                 kfree(opts->mnt_opts);
901                 goto out_err;
902         }
903
904         if (fscontext) {
905                 opts->mnt_opts[num_mnt_opts] = fscontext;
906                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
907         }
908         if (context) {
909                 opts->mnt_opts[num_mnt_opts] = context;
910                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
911         }
912         if (rootcontext) {
913                 opts->mnt_opts[num_mnt_opts] = rootcontext;
914                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
915         }
916         if (defcontext) {
917                 opts->mnt_opts[num_mnt_opts] = defcontext;
918                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
919         }
920
921         opts->num_mnt_opts = num_mnt_opts;
922         return 0;
923
924 out_err:
925         kfree(context);
926         kfree(defcontext);
927         kfree(fscontext);
928         kfree(rootcontext);
929         return rc;
930 }
931 /*
932  * string mount options parsing and call set the sbsec
933  */
934 static int superblock_doinit(struct super_block *sb, void *data)
935 {
936         int rc = 0;
937         char *options = data;
938         struct security_mnt_opts opts;
939
940         security_init_mnt_opts(&opts);
941
942         if (!data)
943                 goto out;
944
945         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
946
947         rc = selinux_parse_opts_str(options, &opts);
948         if (rc)
949                 goto out_err;
950
951 out:
952         rc = selinux_set_mnt_opts(sb, &opts);
953
954 out_err:
955         security_free_mnt_opts(&opts);
956         return rc;
957 }
958
959 static inline u16 inode_mode_to_security_class(umode_t mode)
960 {
961         switch (mode & S_IFMT) {
962         case S_IFSOCK:
963                 return SECCLASS_SOCK_FILE;
964         case S_IFLNK:
965                 return SECCLASS_LNK_FILE;
966         case S_IFREG:
967                 return SECCLASS_FILE;
968         case S_IFBLK:
969                 return SECCLASS_BLK_FILE;
970         case S_IFDIR:
971                 return SECCLASS_DIR;
972         case S_IFCHR:
973                 return SECCLASS_CHR_FILE;
974         case S_IFIFO:
975                 return SECCLASS_FIFO_FILE;
976
977         }
978
979         return SECCLASS_FILE;
980 }
981
982 static inline int default_protocol_stream(int protocol)
983 {
984         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
985 }
986
987 static inline int default_protocol_dgram(int protocol)
988 {
989         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
990 }
991
992 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
993 {
994         switch (family) {
995         case PF_UNIX:
996                 switch (type) {
997                 case SOCK_STREAM:
998                 case SOCK_SEQPACKET:
999                         return SECCLASS_UNIX_STREAM_SOCKET;
1000                 case SOCK_DGRAM:
1001                         return SECCLASS_UNIX_DGRAM_SOCKET;
1002                 }
1003                 break;
1004         case PF_INET:
1005         case PF_INET6:
1006                 switch (type) {
1007                 case SOCK_STREAM:
1008                         if (default_protocol_stream(protocol))
1009                                 return SECCLASS_TCP_SOCKET;
1010                         else
1011                                 return SECCLASS_RAWIP_SOCKET;
1012                 case SOCK_DGRAM:
1013                         if (default_protocol_dgram(protocol))
1014                                 return SECCLASS_UDP_SOCKET;
1015                         else
1016                                 return SECCLASS_RAWIP_SOCKET;
1017                 case SOCK_DCCP:
1018                         return SECCLASS_DCCP_SOCKET;
1019                 default:
1020                         return SECCLASS_RAWIP_SOCKET;
1021                 }
1022                 break;
1023         case PF_NETLINK:
1024                 switch (protocol) {
1025                 case NETLINK_ROUTE:
1026                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1027                 case NETLINK_FIREWALL:
1028                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1029                 case NETLINK_INET_DIAG:
1030                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1031                 case NETLINK_NFLOG:
1032                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1033                 case NETLINK_XFRM:
1034                         return SECCLASS_NETLINK_XFRM_SOCKET;
1035                 case NETLINK_SELINUX:
1036                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1037                 case NETLINK_AUDIT:
1038                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1039                 case NETLINK_IP6_FW:
1040                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1041                 case NETLINK_DNRTMSG:
1042                         return SECCLASS_NETLINK_DNRT_SOCKET;
1043                 case NETLINK_KOBJECT_UEVENT:
1044                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1045                 default:
1046                         return SECCLASS_NETLINK_SOCKET;
1047                 }
1048         case PF_PACKET:
1049                 return SECCLASS_PACKET_SOCKET;
1050         case PF_KEY:
1051                 return SECCLASS_KEY_SOCKET;
1052         case PF_APPLETALK:
1053                 return SECCLASS_APPLETALK_SOCKET;
1054         }
1055
1056         return SECCLASS_SOCKET;
1057 }
1058
1059 #ifdef CONFIG_PROC_FS
1060 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1061                                 u16 tclass,
1062                                 u32 *sid)
1063 {
1064         int buflen, rc;
1065         char *buffer, *path, *end;
1066
1067         buffer = (char *)__get_free_page(GFP_KERNEL);
1068         if (!buffer)
1069                 return -ENOMEM;
1070
1071         buflen = PAGE_SIZE;
1072         end = buffer+buflen;
1073         *--end = '\0';
1074         buflen--;
1075         path = end-1;
1076         *path = '/';
1077         while (de && de != de->parent) {
1078                 buflen -= de->namelen + 1;
1079                 if (buflen < 0)
1080                         break;
1081                 end -= de->namelen;
1082                 memcpy(end, de->name, de->namelen);
1083                 *--end = '/';
1084                 path = end;
1085                 de = de->parent;
1086         }
1087         rc = security_genfs_sid("proc", path, tclass, sid);
1088         free_page((unsigned long)buffer);
1089         return rc;
1090 }
1091 #else
1092 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1093                                 u16 tclass,
1094                                 u32 *sid)
1095 {
1096         return -EINVAL;
1097 }
1098 #endif
1099
1100 /* The inode's security attributes must be initialized before first use. */
1101 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1102 {
1103         struct superblock_security_struct *sbsec = NULL;
1104         struct inode_security_struct *isec = inode->i_security;
1105         u32 sid;
1106         struct dentry *dentry;
1107 #define INITCONTEXTLEN 255
1108         char *context = NULL;
1109         unsigned len = 0;
1110         int rc = 0;
1111
1112         if (isec->initialized)
1113                 goto out;
1114
1115         mutex_lock(&isec->lock);
1116         if (isec->initialized)
1117                 goto out_unlock;
1118
1119         sbsec = inode->i_sb->s_security;
1120         if (!sbsec->initialized) {
1121                 /* Defer initialization until selinux_complete_init,
1122                    after the initial policy is loaded and the security
1123                    server is ready to handle calls. */
1124                 spin_lock(&sbsec->isec_lock);
1125                 if (list_empty(&isec->list))
1126                         list_add(&isec->list, &sbsec->isec_head);
1127                 spin_unlock(&sbsec->isec_lock);
1128                 goto out_unlock;
1129         }
1130
1131         switch (sbsec->behavior) {
1132         case SECURITY_FS_USE_XATTR:
1133                 if (!inode->i_op->getxattr) {
1134                         isec->sid = sbsec->def_sid;
1135                         break;
1136                 }
1137
1138                 /* Need a dentry, since the xattr API requires one.
1139                    Life would be simpler if we could just pass the inode. */
1140                 if (opt_dentry) {
1141                         /* Called from d_instantiate or d_splice_alias. */
1142                         dentry = dget(opt_dentry);
1143                 } else {
1144                         /* Called from selinux_complete_init, try to find a dentry. */
1145                         dentry = d_find_alias(inode);
1146                 }
1147                 if (!dentry) {
1148                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1149                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1150                                inode->i_ino);
1151                         goto out_unlock;
1152                 }
1153
1154                 len = INITCONTEXTLEN;
1155                 context = kmalloc(len, GFP_NOFS);
1156                 if (!context) {
1157                         rc = -ENOMEM;
1158                         dput(dentry);
1159                         goto out_unlock;
1160                 }
1161                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1162                                            context, len);
1163                 if (rc == -ERANGE) {
1164                         /* Need a larger buffer.  Query for the right size. */
1165                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1166                                                    NULL, 0);
1167                         if (rc < 0) {
1168                                 dput(dentry);
1169                                 goto out_unlock;
1170                         }
1171                         kfree(context);
1172                         len = rc;
1173                         context = kmalloc(len, GFP_NOFS);
1174                         if (!context) {
1175                                 rc = -ENOMEM;
1176                                 dput(dentry);
1177                                 goto out_unlock;
1178                         }
1179                         rc = inode->i_op->getxattr(dentry,
1180                                                    XATTR_NAME_SELINUX,
1181                                                    context, len);
1182                 }
1183                 dput(dentry);
1184                 if (rc < 0) {
1185                         if (rc != -ENODATA) {
1186                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1187                                        "%d for dev=%s ino=%ld\n", __func__,
1188                                        -rc, inode->i_sb->s_id, inode->i_ino);
1189                                 kfree(context);
1190                                 goto out_unlock;
1191                         }
1192                         /* Map ENODATA to the default file SID */
1193                         sid = sbsec->def_sid;
1194                         rc = 0;
1195                 } else {
1196                         rc = security_context_to_sid_default(context, rc, &sid,
1197                                                              sbsec->def_sid,
1198                                                              GFP_NOFS);
1199                         if (rc) {
1200                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1201                                        "returned %d for dev=%s ino=%ld\n",
1202                                        __func__, context, -rc,
1203                                        inode->i_sb->s_id, inode->i_ino);
1204                                 kfree(context);
1205                                 /* Leave with the unlabeled SID */
1206                                 rc = 0;
1207                                 break;
1208                         }
1209                 }
1210                 kfree(context);
1211                 isec->sid = sid;
1212                 break;
1213         case SECURITY_FS_USE_TASK:
1214                 isec->sid = isec->task_sid;
1215                 break;
1216         case SECURITY_FS_USE_TRANS:
1217                 /* Default to the fs SID. */
1218                 isec->sid = sbsec->sid;
1219
1220                 /* Try to obtain a transition SID. */
1221                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1222                 rc = security_transition_sid(isec->task_sid,
1223                                              sbsec->sid,
1224                                              isec->sclass,
1225                                              &sid);
1226                 if (rc)
1227                         goto out_unlock;
1228                 isec->sid = sid;
1229                 break;
1230         case SECURITY_FS_USE_MNTPOINT:
1231                 isec->sid = sbsec->mntpoint_sid;
1232                 break;
1233         default:
1234                 /* Default to the fs superblock SID. */
1235                 isec->sid = sbsec->sid;
1236
1237                 if (sbsec->proc) {
1238                         struct proc_inode *proci = PROC_I(inode);
1239                         if (proci->pde) {
1240                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1241                                 rc = selinux_proc_get_sid(proci->pde,
1242                                                           isec->sclass,
1243                                                           &sid);
1244                                 if (rc)
1245                                         goto out_unlock;
1246                                 isec->sid = sid;
1247                         }
1248                 }
1249                 break;
1250         }
1251
1252         isec->initialized = 1;
1253
1254 out_unlock:
1255         mutex_unlock(&isec->lock);
1256 out:
1257         if (isec->sclass == SECCLASS_FILE)
1258                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1259         return rc;
1260 }
1261
1262 /* Convert a Linux signal to an access vector. */
1263 static inline u32 signal_to_av(int sig)
1264 {
1265         u32 perm = 0;
1266
1267         switch (sig) {
1268         case SIGCHLD:
1269                 /* Commonly granted from child to parent. */
1270                 perm = PROCESS__SIGCHLD;
1271                 break;
1272         case SIGKILL:
1273                 /* Cannot be caught or ignored */
1274                 perm = PROCESS__SIGKILL;
1275                 break;
1276         case SIGSTOP:
1277                 /* Cannot be caught or ignored */
1278                 perm = PROCESS__SIGSTOP;
1279                 break;
1280         default:
1281                 /* All other signals. */
1282                 perm = PROCESS__SIGNAL;
1283                 break;
1284         }
1285
1286         return perm;
1287 }
1288
1289 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1290    fork check, ptrace check, etc. */
1291 static int task_has_perm(struct task_struct *tsk1,
1292                          struct task_struct *tsk2,
1293                          u32 perms)
1294 {
1295         struct task_security_struct *tsec1, *tsec2;
1296
1297         tsec1 = tsk1->security;
1298         tsec2 = tsk2->security;
1299         return avc_has_perm(tsec1->sid, tsec2->sid,
1300                             SECCLASS_PROCESS, perms, NULL);
1301 }
1302
1303 #if CAP_LAST_CAP > 63
1304 #error Fix SELinux to handle capabilities > 63.
1305 #endif
1306
1307 /* Check whether a task is allowed to use a capability. */
1308 static int task_has_capability(struct task_struct *tsk,
1309                                int cap)
1310 {
1311         struct task_security_struct *tsec;
1312         struct avc_audit_data ad;
1313         u16 sclass;
1314         u32 av = CAP_TO_MASK(cap);
1315
1316         tsec = tsk->security;
1317
1318         AVC_AUDIT_DATA_INIT(&ad, CAP);
1319         ad.tsk = tsk;
1320         ad.u.cap = cap;
1321
1322         switch (CAP_TO_INDEX(cap)) {
1323         case 0:
1324                 sclass = SECCLASS_CAPABILITY;
1325                 break;
1326         case 1:
1327                 sclass = SECCLASS_CAPABILITY2;
1328                 break;
1329         default:
1330                 printk(KERN_ERR
1331                        "SELinux:  out of range capability %d\n", cap);
1332                 BUG();
1333         }
1334         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1335 }
1336
1337 /* Check whether a task is allowed to use a system operation. */
1338 static int task_has_system(struct task_struct *tsk,
1339                            u32 perms)
1340 {
1341         struct task_security_struct *tsec;
1342
1343         tsec = tsk->security;
1344
1345         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1346                             SECCLASS_SYSTEM, perms, NULL);
1347 }
1348
1349 /* Check whether a task has a particular permission to an inode.
1350    The 'adp' parameter is optional and allows other audit
1351    data to be passed (e.g. the dentry). */
1352 static int inode_has_perm(struct task_struct *tsk,
1353                           struct inode *inode,
1354                           u32 perms,
1355                           struct avc_audit_data *adp)
1356 {
1357         struct task_security_struct *tsec;
1358         struct inode_security_struct *isec;
1359         struct avc_audit_data ad;
1360
1361         if (unlikely(IS_PRIVATE(inode)))
1362                 return 0;
1363
1364         tsec = tsk->security;
1365         isec = inode->i_security;
1366
1367         if (!adp) {
1368                 adp = &ad;
1369                 AVC_AUDIT_DATA_INIT(&ad, FS);
1370                 ad.u.fs.inode = inode;
1371         }
1372
1373         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1374 }
1375
1376 /* Same as inode_has_perm, but pass explicit audit data containing
1377    the dentry to help the auditing code to more easily generate the
1378    pathname if needed. */
1379 static inline int dentry_has_perm(struct task_struct *tsk,
1380                                   struct vfsmount *mnt,
1381                                   struct dentry *dentry,
1382                                   u32 av)
1383 {
1384         struct inode *inode = dentry->d_inode;
1385         struct avc_audit_data ad;
1386         AVC_AUDIT_DATA_INIT(&ad, FS);
1387         ad.u.fs.path.mnt = mnt;
1388         ad.u.fs.path.dentry = dentry;
1389         return inode_has_perm(tsk, inode, av, &ad);
1390 }
1391
1392 /* Check whether a task can use an open file descriptor to
1393    access an inode in a given way.  Check access to the
1394    descriptor itself, and then use dentry_has_perm to
1395    check a particular permission to the file.
1396    Access to the descriptor is implicitly granted if it
1397    has the same SID as the process.  If av is zero, then
1398    access to the file is not checked, e.g. for cases
1399    where only the descriptor is affected like seek. */
1400 static int file_has_perm(struct task_struct *tsk,
1401                                 struct file *file,
1402                                 u32 av)
1403 {
1404         struct task_security_struct *tsec = tsk->security;
1405         struct file_security_struct *fsec = file->f_security;
1406         struct inode *inode = file->f_path.dentry->d_inode;
1407         struct avc_audit_data ad;
1408         int rc;
1409
1410         AVC_AUDIT_DATA_INIT(&ad, FS);
1411         ad.u.fs.path = file->f_path;
1412
1413         if (tsec->sid != fsec->sid) {
1414                 rc = avc_has_perm(tsec->sid, fsec->sid,
1415                                   SECCLASS_FD,
1416                                   FD__USE,
1417                                   &ad);
1418                 if (rc)
1419                         return rc;
1420         }
1421
1422         /* av is zero if only checking access to the descriptor. */
1423         if (av)
1424                 return inode_has_perm(tsk, inode, av, &ad);
1425
1426         return 0;
1427 }
1428
1429 /* Check whether a task can create a file. */
1430 static int may_create(struct inode *dir,
1431                       struct dentry *dentry,
1432                       u16 tclass)
1433 {
1434         struct task_security_struct *tsec;
1435         struct inode_security_struct *dsec;
1436         struct superblock_security_struct *sbsec;
1437         u32 newsid;
1438         struct avc_audit_data ad;
1439         int rc;
1440
1441         tsec = current->security;
1442         dsec = dir->i_security;
1443         sbsec = dir->i_sb->s_security;
1444
1445         AVC_AUDIT_DATA_INIT(&ad, FS);
1446         ad.u.fs.path.dentry = dentry;
1447
1448         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1449                           DIR__ADD_NAME | DIR__SEARCH,
1450                           &ad);
1451         if (rc)
1452                 return rc;
1453
1454         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1455                 newsid = tsec->create_sid;
1456         } else {
1457                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1458                                              &newsid);
1459                 if (rc)
1460                         return rc;
1461         }
1462
1463         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1464         if (rc)
1465                 return rc;
1466
1467         return avc_has_perm(newsid, sbsec->sid,
1468                             SECCLASS_FILESYSTEM,
1469                             FILESYSTEM__ASSOCIATE, &ad);
1470 }
1471
1472 /* Check whether a task can create a key. */
1473 static int may_create_key(u32 ksid,
1474                           struct task_struct *ctx)
1475 {
1476         struct task_security_struct *tsec;
1477
1478         tsec = ctx->security;
1479
1480         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1481 }
1482
1483 #define MAY_LINK        0
1484 #define MAY_UNLINK      1
1485 #define MAY_RMDIR       2
1486
1487 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1488 static int may_link(struct inode *dir,
1489                     struct dentry *dentry,
1490                     int kind)
1491
1492 {
1493         struct task_security_struct *tsec;
1494         struct inode_security_struct *dsec, *isec;
1495         struct avc_audit_data ad;
1496         u32 av;
1497         int rc;
1498
1499         tsec = current->security;
1500         dsec = dir->i_security;
1501         isec = dentry->d_inode->i_security;
1502
1503         AVC_AUDIT_DATA_INIT(&ad, FS);
1504         ad.u.fs.path.dentry = dentry;
1505
1506         av = DIR__SEARCH;
1507         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1508         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1509         if (rc)
1510                 return rc;
1511
1512         switch (kind) {
1513         case MAY_LINK:
1514                 av = FILE__LINK;
1515                 break;
1516         case MAY_UNLINK:
1517                 av = FILE__UNLINK;
1518                 break;
1519         case MAY_RMDIR:
1520                 av = DIR__RMDIR;
1521                 break;
1522         default:
1523                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1524                         __func__, kind);
1525                 return 0;
1526         }
1527
1528         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1529         return rc;
1530 }
1531
1532 static inline int may_rename(struct inode *old_dir,
1533                              struct dentry *old_dentry,
1534                              struct inode *new_dir,
1535                              struct dentry *new_dentry)
1536 {
1537         struct task_security_struct *tsec;
1538         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1539         struct avc_audit_data ad;
1540         u32 av;
1541         int old_is_dir, new_is_dir;
1542         int rc;
1543
1544         tsec = current->security;
1545         old_dsec = old_dir->i_security;
1546         old_isec = old_dentry->d_inode->i_security;
1547         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1548         new_dsec = new_dir->i_security;
1549
1550         AVC_AUDIT_DATA_INIT(&ad, FS);
1551
1552         ad.u.fs.path.dentry = old_dentry;
1553         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1554                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1555         if (rc)
1556                 return rc;
1557         rc = avc_has_perm(tsec->sid, old_isec->sid,
1558                           old_isec->sclass, FILE__RENAME, &ad);
1559         if (rc)
1560                 return rc;
1561         if (old_is_dir && new_dir != old_dir) {
1562                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1563                                   old_isec->sclass, DIR__REPARENT, &ad);
1564                 if (rc)
1565                         return rc;
1566         }
1567
1568         ad.u.fs.path.dentry = new_dentry;
1569         av = DIR__ADD_NAME | DIR__SEARCH;
1570         if (new_dentry->d_inode)
1571                 av |= DIR__REMOVE_NAME;
1572         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1573         if (rc)
1574                 return rc;
1575         if (new_dentry->d_inode) {
1576                 new_isec = new_dentry->d_inode->i_security;
1577                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1578                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1579                                   new_isec->sclass,
1580                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1581                 if (rc)
1582                         return rc;
1583         }
1584
1585         return 0;
1586 }
1587
1588 /* Check whether a task can perform a filesystem operation. */
1589 static int superblock_has_perm(struct task_struct *tsk,
1590                                struct super_block *sb,
1591                                u32 perms,
1592                                struct avc_audit_data *ad)
1593 {
1594         struct task_security_struct *tsec;
1595         struct superblock_security_struct *sbsec;
1596
1597         tsec = tsk->security;
1598         sbsec = sb->s_security;
1599         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1600                             perms, ad);
1601 }
1602
1603 /* Convert a Linux mode and permission mask to an access vector. */
1604 static inline u32 file_mask_to_av(int mode, int mask)
1605 {
1606         u32 av = 0;
1607
1608         if ((mode & S_IFMT) != S_IFDIR) {
1609                 if (mask & MAY_EXEC)
1610                         av |= FILE__EXECUTE;
1611                 if (mask & MAY_READ)
1612                         av |= FILE__READ;
1613
1614                 if (mask & MAY_APPEND)
1615                         av |= FILE__APPEND;
1616                 else if (mask & MAY_WRITE)
1617                         av |= FILE__WRITE;
1618
1619         } else {
1620                 if (mask & MAY_EXEC)
1621                         av |= DIR__SEARCH;
1622                 if (mask & MAY_WRITE)
1623                         av |= DIR__WRITE;
1624                 if (mask & MAY_READ)
1625                         av |= DIR__READ;
1626         }
1627
1628         return av;
1629 }
1630
1631 /*
1632  * Convert a file mask to an access vector and include the correct open
1633  * open permission.
1634  */
1635 static inline u32 open_file_mask_to_av(int mode, int mask)
1636 {
1637         u32 av = file_mask_to_av(mode, mask);
1638
1639         if (selinux_policycap_openperm) {
1640                 /*
1641                  * lnk files and socks do not really have an 'open'
1642                  */
1643                 if (S_ISREG(mode))
1644                         av |= FILE__OPEN;
1645                 else if (S_ISCHR(mode))
1646                         av |= CHR_FILE__OPEN;
1647                 else if (S_ISBLK(mode))
1648                         av |= BLK_FILE__OPEN;
1649                 else if (S_ISFIFO(mode))
1650                         av |= FIFO_FILE__OPEN;
1651                 else if (S_ISDIR(mode))
1652                         av |= DIR__OPEN;
1653                 else
1654                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1655                                 "unknown mode:%x\n", __func__, mode);
1656         }
1657         return av;
1658 }
1659
1660 /* Convert a Linux file to an access vector. */
1661 static inline u32 file_to_av(struct file *file)
1662 {
1663         u32 av = 0;
1664
1665         if (file->f_mode & FMODE_READ)
1666                 av |= FILE__READ;
1667         if (file->f_mode & FMODE_WRITE) {
1668                 if (file->f_flags & O_APPEND)
1669                         av |= FILE__APPEND;
1670                 else
1671                         av |= FILE__WRITE;
1672         }
1673         if (!av) {
1674                 /*
1675                  * Special file opened with flags 3 for ioctl-only use.
1676                  */
1677                 av = FILE__IOCTL;
1678         }
1679
1680         return av;
1681 }
1682
1683 /* Hook functions begin here. */
1684
1685 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1686 {
1687         int rc;
1688
1689         rc = secondary_ops->ptrace(parent, child);
1690         if (rc)
1691                 return rc;
1692
1693         return task_has_perm(parent, child, PROCESS__PTRACE);
1694 }
1695
1696 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1697                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1698 {
1699         int error;
1700
1701         error = task_has_perm(current, target, PROCESS__GETCAP);
1702         if (error)
1703                 return error;
1704
1705         return secondary_ops->capget(target, effective, inheritable, permitted);
1706 }
1707
1708 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1709                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1710 {
1711         int error;
1712
1713         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1714         if (error)
1715                 return error;
1716
1717         return task_has_perm(current, target, PROCESS__SETCAP);
1718 }
1719
1720 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1721                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1722 {
1723         secondary_ops->capset_set(target, effective, inheritable, permitted);
1724 }
1725
1726 static int selinux_capable(struct task_struct *tsk, int cap)
1727 {
1728         int rc;
1729
1730         rc = secondary_ops->capable(tsk, cap);
1731         if (rc)
1732                 return rc;
1733
1734         return task_has_capability(tsk, cap);
1735 }
1736
1737 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1738 {
1739         int buflen, rc;
1740         char *buffer, *path, *end;
1741
1742         rc = -ENOMEM;
1743         buffer = (char *)__get_free_page(GFP_KERNEL);
1744         if (!buffer)
1745                 goto out;
1746
1747         buflen = PAGE_SIZE;
1748         end = buffer+buflen;
1749         *--end = '\0';
1750         buflen--;
1751         path = end-1;
1752         *path = '/';
1753         while (table) {
1754                 const char *name = table->procname;
1755                 size_t namelen = strlen(name);
1756                 buflen -= namelen + 1;
1757                 if (buflen < 0)
1758                         goto out_free;
1759                 end -= namelen;
1760                 memcpy(end, name, namelen);
1761                 *--end = '/';
1762                 path = end;
1763                 table = table->parent;
1764         }
1765         buflen -= 4;
1766         if (buflen < 0)
1767                 goto out_free;
1768         end -= 4;
1769         memcpy(end, "/sys", 4);
1770         path = end;
1771         rc = security_genfs_sid("proc", path, tclass, sid);
1772 out_free:
1773         free_page((unsigned long)buffer);
1774 out:
1775         return rc;
1776 }
1777
1778 static int selinux_sysctl(ctl_table *table, int op)
1779 {
1780         int error = 0;
1781         u32 av;
1782         struct task_security_struct *tsec;
1783         u32 tsid;
1784         int rc;
1785
1786         rc = secondary_ops->sysctl(table, op);
1787         if (rc)
1788                 return rc;
1789
1790         tsec = current->security;
1791
1792         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1793                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1794         if (rc) {
1795                 /* Default to the well-defined sysctl SID. */
1796                 tsid = SECINITSID_SYSCTL;
1797         }
1798
1799         /* The op values are "defined" in sysctl.c, thereby creating
1800          * a bad coupling between this module and sysctl.c */
1801         if (op == 001) {
1802                 error = avc_has_perm(tsec->sid, tsid,
1803                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1804         } else {
1805                 av = 0;
1806                 if (op & 004)
1807                         av |= FILE__READ;
1808                 if (op & 002)
1809                         av |= FILE__WRITE;
1810                 if (av)
1811                         error = avc_has_perm(tsec->sid, tsid,
1812                                              SECCLASS_FILE, av, NULL);
1813         }
1814
1815         return error;
1816 }
1817
1818 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1819 {
1820         int rc = 0;
1821
1822         if (!sb)
1823                 return 0;
1824
1825         switch (cmds) {
1826         case Q_SYNC:
1827         case Q_QUOTAON:
1828         case Q_QUOTAOFF:
1829         case Q_SETINFO:
1830         case Q_SETQUOTA:
1831                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1832                                          NULL);
1833                 break;
1834         case Q_GETFMT:
1835         case Q_GETINFO:
1836         case Q_GETQUOTA:
1837                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1838                                          NULL);
1839                 break;
1840         default:
1841                 rc = 0;  /* let the kernel handle invalid cmds */
1842                 break;
1843         }
1844         return rc;
1845 }
1846
1847 static int selinux_quota_on(struct dentry *dentry)
1848 {
1849         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1850 }
1851
1852 static int selinux_syslog(int type)
1853 {
1854         int rc;
1855
1856         rc = secondary_ops->syslog(type);
1857         if (rc)
1858                 return rc;
1859
1860         switch (type) {
1861         case 3:         /* Read last kernel messages */
1862         case 10:        /* Return size of the log buffer */
1863                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1864                 break;
1865         case 6:         /* Disable logging to console */
1866         case 7:         /* Enable logging to console */
1867         case 8:         /* Set level of messages printed to console */
1868                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1869                 break;
1870         case 0:         /* Close log */
1871         case 1:         /* Open log */
1872         case 2:         /* Read from log */
1873         case 4:         /* Read/clear last kernel messages */
1874         case 5:         /* Clear ring buffer */
1875         default:
1876                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1877                 break;
1878         }
1879         return rc;
1880 }
1881
1882 /*
1883  * Check that a process has enough memory to allocate a new virtual
1884  * mapping. 0 means there is enough memory for the allocation to
1885  * succeed and -ENOMEM implies there is not.
1886  *
1887  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1888  * if the capability is granted, but __vm_enough_memory requires 1 if
1889  * the capability is granted.
1890  *
1891  * Do not audit the selinux permission check, as this is applied to all
1892  * processes that allocate mappings.
1893  */
1894 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1895 {
1896         int rc, cap_sys_admin = 0;
1897         struct task_security_struct *tsec = current->security;
1898
1899         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1900         if (rc == 0)
1901                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1902                                           SECCLASS_CAPABILITY,
1903                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1904                                           0,
1905                                           NULL);
1906
1907         if (rc == 0)
1908                 cap_sys_admin = 1;
1909
1910         return __vm_enough_memory(mm, pages, cap_sys_admin);
1911 }
1912
1913 /**
1914  * task_tracer_task - return the task that is tracing the given task
1915  * @task:               task to consider
1916  *
1917  * Returns NULL if noone is tracing @task, or the &struct task_struct
1918  * pointer to its tracer.
1919  *
1920  * Must be called under rcu_read_lock().
1921  */
1922 static struct task_struct *task_tracer_task(struct task_struct *task)
1923 {
1924         if (task->ptrace & PT_PTRACED)
1925                 return rcu_dereference(task->parent);
1926         return NULL;
1927 }
1928
1929 /* binprm security operations */
1930
1931 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1932 {
1933         struct bprm_security_struct *bsec;
1934
1935         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1936         if (!bsec)
1937                 return -ENOMEM;
1938
1939         bsec->sid = SECINITSID_UNLABELED;
1940         bsec->set = 0;
1941
1942         bprm->security = bsec;
1943         return 0;
1944 }
1945
1946 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1947 {
1948         struct task_security_struct *tsec;
1949         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1950         struct inode_security_struct *isec;
1951         struct bprm_security_struct *bsec;
1952         u32 newsid;
1953         struct avc_audit_data ad;
1954         int rc;
1955
1956         rc = secondary_ops->bprm_set_security(bprm);
1957         if (rc)
1958                 return rc;
1959
1960         bsec = bprm->security;
1961
1962         if (bsec->set)
1963                 return 0;
1964
1965         tsec = current->security;
1966         isec = inode->i_security;
1967
1968         /* Default to the current task SID. */
1969         bsec->sid = tsec->sid;
1970
1971         /* Reset fs, key, and sock SIDs on execve. */
1972         tsec->create_sid = 0;
1973         tsec->keycreate_sid = 0;
1974         tsec->sockcreate_sid = 0;
1975
1976         if (tsec->exec_sid) {
1977                 newsid = tsec->exec_sid;
1978                 /* Reset exec SID on execve. */
1979                 tsec->exec_sid = 0;
1980         } else {
1981                 /* Check for a default transition on this program. */
1982                 rc = security_transition_sid(tsec->sid, isec->sid,
1983                                              SECCLASS_PROCESS, &newsid);
1984                 if (rc)
1985                         return rc;
1986         }
1987
1988         AVC_AUDIT_DATA_INIT(&ad, FS);
1989         ad.u.fs.path = bprm->file->f_path;
1990
1991         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1992                 newsid = tsec->sid;
1993
1994         if (tsec->sid == newsid) {
1995                 rc = avc_has_perm(tsec->sid, isec->sid,
1996                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1997                 if (rc)
1998                         return rc;
1999         } else {
2000                 /* Check permissions for the transition. */
2001                 rc = avc_has_perm(tsec->sid, newsid,
2002                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2003                 if (rc)
2004                         return rc;
2005
2006                 rc = avc_has_perm(newsid, isec->sid,
2007                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2008                 if (rc)
2009                         return rc;
2010
2011                 /* Clear any possibly unsafe personality bits on exec: */
2012                 current->personality &= ~PER_CLEAR_ON_SETID;
2013
2014                 /* Set the security field to the new SID. */
2015                 bsec->sid = newsid;
2016         }
2017
2018         bsec->set = 1;
2019         return 0;
2020 }
2021
2022 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2023 {
2024         return secondary_ops->bprm_check_security(bprm);
2025 }
2026
2027
2028 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2029 {
2030         struct task_security_struct *tsec = current->security;
2031         int atsecure = 0;
2032
2033         if (tsec->osid != tsec->sid) {
2034                 /* Enable secure mode for SIDs transitions unless
2035                    the noatsecure permission is granted between
2036                    the two SIDs, i.e. ahp returns 0. */
2037                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2038                                          SECCLASS_PROCESS,
2039                                          PROCESS__NOATSECURE, NULL);
2040         }
2041
2042         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2043 }
2044
2045 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2046 {
2047         kfree(bprm->security);
2048         bprm->security = NULL;
2049 }
2050
2051 extern struct vfsmount *selinuxfs_mount;
2052 extern struct dentry *selinux_null;
2053
2054 /* Derived from fs/exec.c:flush_old_files. */
2055 static inline void flush_unauthorized_files(struct files_struct *files)
2056 {
2057         struct avc_audit_data ad;
2058         struct file *file, *devnull = NULL;
2059         struct tty_struct *tty;
2060         struct fdtable *fdt;
2061         long j = -1;
2062         int drop_tty = 0;
2063
2064         mutex_lock(&tty_mutex);
2065         tty = get_current_tty();
2066         if (tty) {
2067                 file_list_lock();
2068                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2069                 if (file) {
2070                         /* Revalidate access to controlling tty.
2071                            Use inode_has_perm on the tty inode directly rather
2072                            than using file_has_perm, as this particular open
2073                            file may belong to another process and we are only
2074                            interested in the inode-based check here. */
2075                         struct inode *inode = file->f_path.dentry->d_inode;
2076                         if (inode_has_perm(current, inode,
2077                                            FILE__READ | FILE__WRITE, NULL)) {
2078                                 drop_tty = 1;
2079                         }
2080                 }
2081                 file_list_unlock();
2082         }
2083         mutex_unlock(&tty_mutex);
2084         /* Reset controlling tty. */
2085         if (drop_tty)
2086                 no_tty();
2087
2088         /* Revalidate access to inherited open files. */
2089
2090         AVC_AUDIT_DATA_INIT(&ad, FS);
2091
2092         spin_lock(&files->file_lock);
2093         for (;;) {
2094                 unsigned long set, i;
2095                 int fd;
2096
2097                 j++;
2098                 i = j * __NFDBITS;
2099                 fdt = files_fdtable(files);
2100                 if (i >= fdt->max_fds)
2101                         break;
2102                 set = fdt->open_fds->fds_bits[j];
2103                 if (!set)
2104                         continue;
2105                 spin_unlock(&files->file_lock);
2106                 for ( ; set ; i++, set >>= 1) {
2107                         if (set & 1) {
2108                                 file = fget(i);
2109                                 if (!file)
2110                                         continue;
2111                                 if (file_has_perm(current,
2112                                                   file,
2113                                                   file_to_av(file))) {
2114                                         sys_close(i);
2115                                         fd = get_unused_fd();
2116                                         if (fd != i) {
2117                                                 if (fd >= 0)
2118                                                         put_unused_fd(fd);
2119                                                 fput(file);
2120                                                 continue;
2121                                         }
2122                                         if (devnull) {
2123                                                 get_file(devnull);
2124                                         } else {
2125                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2126                                                 if (IS_ERR(devnull)) {
2127                                                         devnull = NULL;
2128                                                         put_unused_fd(fd);
2129                                                         fput(file);
2130                                                         continue;
2131                                                 }
2132                                         }
2133                                         fd_install(fd, devnull);
2134                                 }
2135                                 fput(file);
2136                         }
2137                 }
2138                 spin_lock(&files->file_lock);
2139
2140         }
2141         spin_unlock(&files->file_lock);
2142 }
2143
2144 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2145 {
2146         struct task_security_struct *tsec;
2147         struct bprm_security_struct *bsec;
2148         u32 sid;
2149         int rc;
2150
2151         secondary_ops->bprm_apply_creds(bprm, unsafe);
2152
2153         tsec = current->security;
2154
2155         bsec = bprm->security;
2156         sid = bsec->sid;
2157
2158         tsec->osid = tsec->sid;
2159         bsec->unsafe = 0;
2160         if (tsec->sid != sid) {
2161                 /* Check for shared state.  If not ok, leave SID
2162                    unchanged and kill. */
2163                 if (unsafe & LSM_UNSAFE_SHARE) {
2164                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2165                                         PROCESS__SHARE, NULL);
2166                         if (rc) {
2167                                 bsec->unsafe = 1;
2168                                 return;
2169                         }
2170                 }
2171
2172                 /* Check for ptracing, and update the task SID if ok.
2173                    Otherwise, leave SID unchanged and kill. */
2174                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2175                         struct task_struct *tracer;
2176                         struct task_security_struct *sec;
2177                         u32 ptsid = 0;
2178
2179                         rcu_read_lock();
2180                         tracer = task_tracer_task(current);
2181                         if (likely(tracer != NULL)) {
2182                                 sec = tracer->security;
2183                                 ptsid = sec->sid;
2184                         }
2185                         rcu_read_unlock();
2186
2187                         if (ptsid != 0) {
2188                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2189                                                   PROCESS__PTRACE, NULL);
2190                                 if (rc) {
2191                                         bsec->unsafe = 1;
2192                                         return;
2193                                 }
2194                         }
2195                 }
2196                 tsec->sid = sid;
2197         }
2198 }
2199
2200 /*
2201  * called after apply_creds without the task lock held
2202  */
2203 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2204 {
2205         struct task_security_struct *tsec;
2206         struct rlimit *rlim, *initrlim;
2207         struct itimerval itimer;
2208         struct bprm_security_struct *bsec;
2209         int rc, i;
2210
2211         tsec = current->security;
2212         bsec = bprm->security;
2213
2214         if (bsec->unsafe) {
2215                 force_sig_specific(SIGKILL, current);
2216                 return;
2217         }
2218         if (tsec->osid == tsec->sid)
2219                 return;
2220
2221         /* Close files for which the new task SID is not authorized. */
2222         flush_unauthorized_files(current->files);
2223
2224         /* Check whether the new SID can inherit signal state
2225            from the old SID.  If not, clear itimers to avoid
2226            subsequent signal generation and flush and unblock
2227            signals. This must occur _after_ the task SID has
2228           been updated so that any kill done after the flush
2229           will be checked against the new SID. */
2230         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2231                           PROCESS__SIGINH, NULL);
2232         if (rc) {
2233                 memset(&itimer, 0, sizeof itimer);
2234                 for (i = 0; i < 3; i++)
2235                         do_setitimer(i, &itimer, NULL);
2236                 flush_signals(current);
2237                 spin_lock_irq(&current->sighand->siglock);
2238                 flush_signal_handlers(current, 1);
2239                 sigemptyset(&current->blocked);
2240                 recalc_sigpending();
2241                 spin_unlock_irq(&current->sighand->siglock);
2242         }
2243
2244         /* Always clear parent death signal on SID transitions. */
2245         current->pdeath_signal = 0;
2246
2247         /* Check whether the new SID can inherit resource limits
2248            from the old SID.  If not, reset all soft limits to
2249            the lower of the current task's hard limit and the init
2250            task's soft limit.  Note that the setting of hard limits
2251            (even to lower them) can be controlled by the setrlimit
2252            check. The inclusion of the init task's soft limit into
2253            the computation is to avoid resetting soft limits higher
2254            than the default soft limit for cases where the default
2255            is lower than the hard limit, e.g. RLIMIT_CORE or
2256            RLIMIT_STACK.*/
2257         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2258                           PROCESS__RLIMITINH, NULL);
2259         if (rc) {
2260                 for (i = 0; i < RLIM_NLIMITS; i++) {
2261                         rlim = current->signal->rlim + i;
2262                         initrlim = init_task.signal->rlim+i;
2263                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2264                 }
2265                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2266                         /*
2267                          * This will cause RLIMIT_CPU calculations
2268                          * to be refigured.
2269                          */
2270                         current->it_prof_expires = jiffies_to_cputime(1);
2271                 }
2272         }
2273
2274         /* Wake up the parent if it is waiting so that it can
2275            recheck wait permission to the new task SID. */
2276         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2277 }
2278
2279 /* superblock security operations */
2280
2281 static int selinux_sb_alloc_security(struct super_block *sb)
2282 {
2283         return superblock_alloc_security(sb);
2284 }
2285
2286 static void selinux_sb_free_security(struct super_block *sb)
2287 {
2288         superblock_free_security(sb);
2289 }
2290
2291 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2292 {
2293         if (plen > olen)
2294                 return 0;
2295
2296         return !memcmp(prefix, option, plen);
2297 }
2298
2299 static inline int selinux_option(char *option, int len)
2300 {
2301         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2302                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2303                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2304                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2305 }
2306
2307 static inline void take_option(char **to, char *from, int *first, int len)
2308 {
2309         if (!*first) {
2310                 **to = ',';
2311                 *to += 1;
2312         } else
2313                 *first = 0;
2314         memcpy(*to, from, len);
2315         *to += len;
2316 }
2317
2318 static inline void take_selinux_option(char **to, char *from, int *first,
2319                                        int len)
2320 {
2321         int current_size = 0;
2322
2323         if (!*first) {
2324                 **to = '|';
2325                 *to += 1;
2326         } else
2327                 *first = 0;
2328
2329         while (current_size < len) {
2330                 if (*from != '"') {
2331                         **to = *from;
2332                         *to += 1;
2333                 }
2334                 from += 1;
2335                 current_size += 1;
2336         }
2337 }
2338
2339 static int selinux_sb_copy_data(char *orig, char *copy)
2340 {
2341         int fnosec, fsec, rc = 0;
2342         char *in_save, *in_curr, *in_end;
2343         char *sec_curr, *nosec_save, *nosec;
2344         int open_quote = 0;
2345
2346         in_curr = orig;
2347         sec_curr = copy;
2348
2349         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2350         if (!nosec) {
2351                 rc = -ENOMEM;
2352                 goto out;
2353         }
2354
2355         nosec_save = nosec;
2356         fnosec = fsec = 1;
2357         in_save = in_end = orig;
2358
2359         do {
2360                 if (*in_end == '"')
2361                         open_quote = !open_quote;
2362                 if ((*in_end == ',' && open_quote == 0) ||
2363                                 *in_end == '\0') {
2364                         int len = in_end - in_curr;
2365
2366                         if (selinux_option(in_curr, len))
2367                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2368                         else
2369                                 take_option(&nosec, in_curr, &fnosec, len);
2370
2371                         in_curr = in_end + 1;
2372                 }
2373         } while (*in_end++);
2374
2375         strcpy(in_save, nosec_save);
2376         free_page((unsigned long)nosec_save);
2377 out:
2378         return rc;
2379 }
2380
2381 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2382 {
2383         struct avc_audit_data ad;
2384         int rc;
2385
2386         rc = superblock_doinit(sb, data);
2387         if (rc)
2388                 return rc;
2389
2390         AVC_AUDIT_DATA_INIT(&ad, FS);
2391         ad.u.fs.path.dentry = sb->s_root;
2392         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2393 }
2394
2395 static int selinux_sb_statfs(struct dentry *dentry)
2396 {
2397         struct avc_audit_data ad;
2398
2399         AVC_AUDIT_DATA_INIT(&ad, FS);
2400         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2401         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2402 }
2403
2404 static int selinux_mount(char *dev_name,
2405                          struct path *path,
2406                          char *type,
2407                          unsigned long flags,
2408                          void *data)
2409 {
2410         int rc;
2411
2412         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2413         if (rc)
2414                 return rc;
2415
2416         if (flags & MS_REMOUNT)
2417                 return superblock_has_perm(current, path->mnt->mnt_sb,
2418                                            FILESYSTEM__REMOUNT, NULL);
2419         else
2420                 return dentry_has_perm(current, path->mnt, path->dentry,
2421                                        FILE__MOUNTON);
2422 }
2423
2424 static int selinux_umount(struct vfsmount *mnt, int flags)
2425 {
2426         int rc;
2427
2428         rc = secondary_ops->sb_umount(mnt, flags);
2429         if (rc)
2430                 return rc;
2431
2432         return superblock_has_perm(current, mnt->mnt_sb,
2433                                    FILESYSTEM__UNMOUNT, NULL);
2434 }
2435
2436 /* inode security operations */
2437
2438 static int selinux_inode_alloc_security(struct inode *inode)
2439 {
2440         return inode_alloc_security(inode);
2441 }
2442
2443 static void selinux_inode_free_security(struct inode *inode)
2444 {
2445         inode_free_security(inode);
2446 }
2447
2448 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2449                                        char **name, void **value,
2450                                        size_t *len)
2451 {
2452         struct task_security_struct *tsec;
2453         struct inode_security_struct *dsec;
2454         struct superblock_security_struct *sbsec;
2455         u32 newsid, clen;
2456         int rc;
2457         char *namep = NULL, *context;
2458
2459         tsec = current->security;
2460         dsec = dir->i_security;
2461         sbsec = dir->i_sb->s_security;
2462
2463         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2464                 newsid = tsec->create_sid;
2465         } else {
2466                 rc = security_transition_sid(tsec->sid, dsec->sid,
2467                                              inode_mode_to_security_class(inode->i_mode),
2468                                              &newsid);
2469                 if (rc) {
2470                         printk(KERN_WARNING "%s:  "
2471                                "security_transition_sid failed, rc=%d (dev=%s "
2472                                "ino=%ld)\n",
2473                                __func__,
2474                                -rc, inode->i_sb->s_id, inode->i_ino);
2475                         return rc;
2476                 }
2477         }
2478
2479         /* Possibly defer initialization to selinux_complete_init. */
2480         if (sbsec->initialized) {
2481                 struct inode_security_struct *isec = inode->i_security;
2482                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2483                 isec->sid = newsid;
2484                 isec->initialized = 1;
2485         }
2486
2487         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2488                 return -EOPNOTSUPP;
2489
2490         if (name) {
2491                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2492                 if (!namep)
2493                         return -ENOMEM;
2494                 *name = namep;
2495         }
2496
2497         if (value && len) {
2498                 rc = security_sid_to_context(newsid, &context, &clen);
2499                 if (rc) {
2500                         kfree(namep);
2501                         return rc;
2502                 }
2503                 *value = context;
2504                 *len = clen;
2505         }
2506
2507         return 0;
2508 }
2509
2510 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2511 {
2512         return may_create(dir, dentry, SECCLASS_FILE);
2513 }
2514
2515 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2516 {
2517         int rc;
2518
2519         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2520         if (rc)
2521                 return rc;
2522         return may_link(dir, old_dentry, MAY_LINK);
2523 }
2524
2525 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2526 {
2527         int rc;
2528
2529         rc = secondary_ops->inode_unlink(dir, dentry);
2530         if (rc)
2531                 return rc;
2532         return may_link(dir, dentry, MAY_UNLINK);
2533 }
2534
2535 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2536 {
2537         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2538 }
2539
2540 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2541 {
2542         return may_create(dir, dentry, SECCLASS_DIR);
2543 }
2544
2545 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2546 {
2547         return may_link(dir, dentry, MAY_RMDIR);
2548 }
2549
2550 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2551 {
2552         int rc;
2553
2554         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2555         if (rc)
2556                 return rc;
2557
2558         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2559 }
2560
2561 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2562                                 struct inode *new_inode, struct dentry *new_dentry)
2563 {
2564         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2565 }
2566
2567 static int selinux_inode_readlink(struct dentry *dentry)
2568 {
2569         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2570 }
2571
2572 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2573 {
2574         int rc;
2575
2576         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2577         if (rc)
2578                 return rc;
2579         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2580 }
2581
2582 static int selinux_inode_permission(struct inode *inode, int mask,
2583                                     struct nameidata *nd)
2584 {
2585         int rc;
2586
2587         rc = secondary_ops->inode_permission(inode, mask, nd);
2588         if (rc)
2589                 return rc;
2590
2591         if (!mask) {
2592                 /* No permission to check.  Existence test. */
2593                 return 0;
2594         }
2595
2596         return inode_has_perm(current, inode,
2597                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2598 }
2599
2600 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2601 {
2602         int rc;
2603
2604         rc = secondary_ops->inode_setattr(dentry, iattr);
2605         if (rc)
2606                 return rc;
2607
2608         if (iattr->ia_valid & ATTR_FORCE)
2609                 return 0;
2610
2611         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2612                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2613                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2614
2615         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2616 }
2617
2618 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2619 {
2620         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2621 }
2622
2623 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2624 {
2625         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2626                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2627                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2628                         if (!capable(CAP_SETFCAP))
2629                                 return -EPERM;
2630                 } else if (!capable(CAP_SYS_ADMIN)) {
2631                         /* A different attribute in the security namespace.
2632                            Restrict to administrator. */
2633                         return -EPERM;
2634                 }
2635         }
2636
2637         /* Not an attribute we recognize, so just check the
2638            ordinary setattr permission. */
2639         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2640 }
2641
2642 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2643                                   const void *value, size_t size, int flags)
2644 {
2645         struct task_security_struct *tsec = current->security;
2646         struct inode *inode = dentry->d_inode;
2647         struct inode_security_struct *isec = inode->i_security;
2648         struct superblock_security_struct *sbsec;
2649         struct avc_audit_data ad;
2650         u32 newsid;
2651         int rc = 0;
2652
2653         if (strcmp(name, XATTR_NAME_SELINUX))
2654                 return selinux_inode_setotherxattr(dentry, name);
2655
2656         sbsec = inode->i_sb->s_security;
2657         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2658                 return -EOPNOTSUPP;
2659
2660         if (!is_owner_or_cap(inode))
2661                 return -EPERM;
2662
2663         AVC_AUDIT_DATA_INIT(&ad, FS);
2664         ad.u.fs.path.dentry = dentry;
2665
2666         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2667                           FILE__RELABELFROM, &ad);
2668         if (rc)
2669                 return rc;
2670
2671         rc = security_context_to_sid(value, size, &newsid);
2672         if (rc)
2673                 return rc;
2674
2675         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2676                           FILE__RELABELTO, &ad);
2677         if (rc)
2678                 return rc;
2679
2680         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2681                                           isec->sclass);
2682         if (rc)
2683                 return rc;
2684
2685         return avc_has_perm(newsid,
2686                             sbsec->sid,
2687                             SECCLASS_FILESYSTEM,
2688                             FILESYSTEM__ASSOCIATE,
2689                             &ad);
2690 }
2691
2692 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2693                                         const void *value, size_t size,
2694                                         int flags)
2695 {
2696         struct inode *inode = dentry->d_inode;
2697         struct inode_security_struct *isec = inode->i_security;
2698         u32 newsid;
2699         int rc;
2700
2701         if (strcmp(name, XATTR_NAME_SELINUX)) {
2702                 /* Not an attribute we recognize, so nothing to do. */
2703                 return;
2704         }
2705
2706         rc = security_context_to_sid(value, size, &newsid);
2707         if (rc) {
2708                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2709                        "%s, rc=%d\n", __func__, (char *)value, -rc);
2710                 return;
2711         }
2712
2713         isec->sid = newsid;
2714         return;
2715 }
2716
2717 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2718 {
2719         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2720 }
2721
2722 static int selinux_inode_listxattr(struct dentry *dentry)
2723 {
2724         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2725 }
2726
2727 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2728 {
2729         if (strcmp(name, XATTR_NAME_SELINUX))
2730                 return selinux_inode_setotherxattr(dentry, name);
2731
2732         /* No one is allowed to remove a SELinux security label.
2733            You can change the label, but all data must be labeled. */
2734         return -EACCES;
2735 }
2736
2737 /*
2738  * Copy the in-core inode security context value to the user.  If the
2739  * getxattr() prior to this succeeded, check to see if we need to
2740  * canonicalize the value to be finally returned to the user.
2741  *
2742  * Permission check is handled by selinux_inode_getxattr hook.
2743  */
2744 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2745 {
2746         u32 size;
2747         int error;
2748         char *context = NULL;
2749         struct inode_security_struct *isec = inode->i_security;
2750
2751         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2752                 return -EOPNOTSUPP;
2753
2754         error = security_sid_to_context(isec->sid, &context, &size);
2755         if (error)
2756                 return error;
2757         error = size;
2758         if (alloc) {
2759                 *buffer = context;
2760                 goto out_nofree;
2761         }
2762         kfree(context);
2763 out_nofree:
2764         return error;
2765 }
2766
2767 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2768                                      const void *value, size_t size, int flags)
2769 {
2770         struct inode_security_struct *isec = inode->i_security;
2771         u32 newsid;
2772         int rc;
2773
2774         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2775                 return -EOPNOTSUPP;
2776
2777         if (!value || !size)
2778                 return -EACCES;
2779
2780         rc = security_context_to_sid((void *)value, size, &newsid);
2781         if (rc)
2782                 return rc;
2783
2784         isec->sid = newsid;
2785         return 0;
2786 }
2787
2788 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2789 {
2790         const int len = sizeof(XATTR_NAME_SELINUX);
2791         if (buffer && len <= buffer_size)
2792                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2793         return len;
2794 }
2795
2796 static int selinux_inode_need_killpriv(struct dentry *dentry)
2797 {
2798         return secondary_ops->inode_need_killpriv(dentry);
2799 }
2800
2801 static int selinux_inode_killpriv(struct dentry *dentry)
2802 {
2803         return secondary_ops->inode_killpriv(dentry);
2804 }
2805
2806 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2807 {
2808         struct inode_security_struct *isec = inode->i_security;
2809         *secid = isec->sid;
2810 }
2811
2812 /* file security operations */
2813
2814 static int selinux_revalidate_file_permission(struct file *file, int mask)
2815 {
2816         int rc;
2817         struct inode *inode = file->f_path.dentry->d_inode;
2818
2819         if (!mask) {
2820                 /* No permission to check.  Existence test. */
2821                 return 0;
2822         }
2823
2824         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2825         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2826                 mask |= MAY_APPEND;
2827
2828         rc = file_has_perm(current, file,
2829                            file_mask_to_av(inode->i_mode, mask));
2830         if (rc)
2831                 return rc;
2832
2833         return selinux_netlbl_inode_permission(inode, mask);
2834 }
2835
2836 static int selinux_file_permission(struct file *file, int mask)
2837 {
2838         struct inode *inode = file->f_path.dentry->d_inode;
2839         struct task_security_struct *tsec = current->security;
2840         struct file_security_struct *fsec = file->f_security;
2841         struct inode_security_struct *isec = inode->i_security;
2842
2843         if (!mask) {
2844                 /* No permission to check.  Existence test. */
2845                 return 0;
2846         }
2847
2848         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2849             && fsec->pseqno == avc_policy_seqno())
2850                 return selinux_netlbl_inode_permission(inode, mask);
2851
2852         return selinux_revalidate_file_permission(file, mask);
2853 }
2854
2855 static int selinux_file_alloc_security(struct file *file)
2856 {
2857         return file_alloc_security(file);
2858 }
2859
2860 static void selinux_file_free_security(struct file *file)
2861 {
2862         file_free_security(file);
2863 }
2864
2865 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2866                               unsigned long arg)
2867 {
2868         int error = 0;
2869
2870         switch (cmd) {
2871         case FIONREAD:
2872         /* fall through */
2873         case FIBMAP:
2874         /* fall through */
2875         case FIGETBSZ:
2876         /* fall through */
2877         case EXT2_IOC_GETFLAGS:
2878         /* fall through */
2879         case EXT2_IOC_GETVERSION:
2880                 error = file_has_perm(current, file, FILE__GETATTR);
2881                 break;
2882
2883         case EXT2_IOC_SETFLAGS:
2884         /* fall through */
2885         case EXT2_IOC_SETVERSION:
2886                 error = file_has_perm(current, file, FILE__SETATTR);
2887                 break;
2888
2889         /* sys_ioctl() checks */
2890         case FIONBIO:
2891         /* fall through */
2892         case FIOASYNC:
2893                 error = file_has_perm(current, file, 0);
2894                 break;
2895
2896         case KDSKBENT:
2897         case KDSKBSENT:
2898                 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2899                 break;
2900
2901         /* default case assumes that the command will go
2902          * to the file's ioctl() function.
2903          */
2904         default:
2905                 error = file_has_perm(current, file, FILE__IOCTL);
2906         }
2907         return error;
2908 }
2909
2910 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2911 {
2912 #ifndef CONFIG_PPC32
2913         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2914                 /*
2915                  * We are making executable an anonymous mapping or a
2916                  * private file mapping that will also be writable.
2917                  * This has an additional check.
2918                  */
2919                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2920                 if (rc)
2921                         return rc;
2922         }
2923 #endif
2924
2925         if (file) {
2926                 /* read access is always possible with a mapping */
2927                 u32 av = FILE__READ;
2928
2929                 /* write access only matters if the mapping is shared */
2930                 if (shared && (prot & PROT_WRITE))
2931                         av |= FILE__WRITE;
2932
2933                 if (prot & PROT_EXEC)
2934                         av |= FILE__EXECUTE;
2935
2936                 return file_has_perm(current, file, av);
2937         }
2938         return 0;
2939 }
2940
2941 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2942                              unsigned long prot, unsigned long flags,
2943                              unsigned long addr, unsigned long addr_only)
2944 {
2945         int rc = 0;
2946         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2947
2948         if (addr < mmap_min_addr)
2949                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2950                                   MEMPROTECT__MMAP_ZERO, NULL);
2951         if (rc || addr_only)
2952                 return rc;
2953
2954         if (selinux_checkreqprot)
2955                 prot = reqprot;
2956
2957         return file_map_prot_check(file, prot,
2958                                    (flags & MAP_TYPE) == MAP_SHARED);
2959 }
2960
2961 static int selinux_file_mprotect(struct vm_area_struct *vma,
2962                                  unsigned long reqprot,
2963                                  unsigned long prot)
2964 {
2965         int rc;
2966
2967         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2968         if (rc)
2969                 return rc;
2970
2971         if (selinux_checkreqprot)
2972                 prot = reqprot;
2973
2974 #ifndef CONFIG_PPC32
2975         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2976                 rc = 0;
2977                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2978                     vma->vm_end <= vma->vm_mm->brk) {
2979                         rc = task_has_perm(current, current,
2980                                            PROCESS__EXECHEAP);
2981                 } else if (!vma->vm_file &&
2982                            vma->vm_start <= vma->vm_mm->start_stack &&
2983                            vma->vm_end >= vma->vm_mm->start_stack) {
2984                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2985                 } else if (vma->vm_file && vma->anon_vma) {
2986                         /*
2987                          * We are making executable a file mapping that has
2988                          * had some COW done. Since pages might have been
2989                          * written, check ability to execute the possibly
2990                          * modified content.  This typically should only
2991                          * occur for text relocations.
2992                          */
2993                         rc = file_has_perm(current, vma->vm_file,
2994                                            FILE__EXECMOD);
2995                 }
2996                 if (rc)
2997                         return rc;
2998         }
2999 #endif
3000
3001         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3002 }
3003
3004 static int selinux_file_lock(struct file *file, unsigned int cmd)
3005 {
3006         return file_has_perm(current, file, FILE__LOCK);
3007 }
3008
3009 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3010                               unsigned long arg)
3011 {
3012         int err = 0;
3013
3014         switch (cmd) {
3015         case F_SETFL:
3016                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3017                         err = -EINVAL;
3018                         break;
3019                 }
3020
3021                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3022                         err = file_has_perm(current, file, FILE__WRITE);
3023                         break;
3024                 }
3025                 /* fall through */
3026         case F_SETOWN:
3027         case F_SETSIG:
3028         case F_GETFL:
3029         case F_GETOWN:
3030         case F_GETSIG:
3031                 /* Just check FD__USE permission */
3032                 err = file_has_perm(current, file, 0);
3033                 break;
3034         case F_GETLK:
3035         case F_SETLK:
3036         case F_SETLKW:
3037 #if BITS_PER_LONG == 32
3038         case F_GETLK64:
3039         case F_SETLK64:
3040         case F_SETLKW64:
3041 #endif
3042                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3043                         err = -EINVAL;
3044                         break;
3045                 }
3046                 err = file_has_perm(current, file, FILE__LOCK);
3047                 break;
3048         }
3049
3050         return err;
3051 }
3052
3053 static int selinux_file_set_fowner(struct file *file)
3054 {
3055         struct task_security_struct *tsec;
3056         struct file_security_struct *fsec;
3057
3058         tsec = current->security;
3059         fsec = file->f_security;
3060         fsec->fown_sid = tsec->sid;
3061
3062         return 0;
3063 }
3064
3065 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3066                                        struct fown_struct *fown, int signum)
3067 {
3068         struct file *file;
3069         u32 perm;
3070         struct task_security_struct *tsec;
3071         struct file_security_struct *fsec;
3072
3073         /* struct fown_struct is never outside the context of a struct file */
3074         file = container_of(fown, struct file, f_owner);
3075
3076         tsec = tsk->security;
3077         fsec = file->f_security;
3078
3079         if (!signum)
3080                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3081         else
3082                 perm = signal_to_av(signum);
3083
3084         return avc_has_perm(fsec->fown_sid, tsec->sid,
3085                             SECCLASS_PROCESS, perm, NULL);
3086 }
3087
3088 static int selinux_file_receive(struct file *file)
3089 {
3090         return file_has_perm(current, file, file_to_av(file));
3091 }
3092
3093 static int selinux_dentry_open(struct file *file)
3094 {
3095         struct file_security_struct *fsec;
3096         struct inode *inode;
3097         struct inode_security_struct *isec;
3098         inode = file->f_path.dentry->d_inode;
3099         fsec = file->f_security;
3100         isec = inode->i_security;
3101         /*
3102          * Save inode label and policy sequence number
3103          * at open-time so that selinux_file_permission
3104          * can determine whether revalidation is necessary.
3105          * Task label is already saved in the file security
3106          * struct as its SID.
3107          */
3108         fsec->isid = isec->sid;
3109         fsec->pseqno = avc_policy_seqno();
3110         /*
3111          * Since the inode label or policy seqno may have changed
3112          * between the selinux_inode_permission check and the saving
3113          * of state above, recheck that access is still permitted.
3114          * Otherwise, access might never be revalidated against the
3115          * new inode label or new policy.
3116          * This check is not redundant - do not remove.
3117          */
3118         return inode_has_perm(current, inode, file_to_av(file), NULL);
3119 }
3120
3121 /* task security operations */
3122
3123 static int selinux_task_create(unsigned long clone_flags)
3124 {
3125         int rc;
3126
3127         rc = secondary_ops->task_create(clone_flags);
3128         if (rc)
3129                 return rc;
3130
3131         return task_has_perm(current, current, PROCESS__FORK);
3132 }
3133
3134 static int selinux_task_alloc_security(struct task_struct *tsk)
3135 {
3136         struct task_security_struct *tsec1, *tsec2;
3137         int rc;
3138
3139         tsec1 = current->security;
3140
3141         rc = task_alloc_security(tsk);
3142         if (rc)
3143                 return rc;
3144         tsec2 = tsk->security;
3145
3146         tsec2->osid = tsec1->osid;
3147         tsec2->sid = tsec1->sid;
3148
3149         /* Retain the exec, fs, key, and sock SIDs across fork */
3150         tsec2->exec_sid = tsec1->exec_sid;
3151         tsec2->create_sid = tsec1->create_sid;
3152         tsec2->keycreate_sid = tsec1->keycreate_sid;
3153         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3154
3155         return 0;
3156 }
3157
3158 static void selinux_task_free_security(struct task_struct *tsk)
3159 {
3160         task_free_security(tsk);
3161 }
3162
3163 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3164 {
3165         /* Since setuid only affects the current process, and
3166            since the SELinux controls are not based on the Linux
3167            identity attributes, SELinux does not need to control
3168            this operation.  However, SELinux does control the use
3169            of the CAP_SETUID and CAP_SETGID capabilities using the
3170            capable hook. */
3171         return 0;
3172 }
3173
3174 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3175 {
3176         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3177 }
3178
3179 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3180 {
3181         /* See the comment for setuid above. */
3182         return 0;
3183 }
3184
3185 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3186 {
3187         return task_has_perm(current, p, PROCESS__SETPGID);
3188 }
3189
3190 static int selinux_task_getpgid(struct task_struct *p)
3191 {
3192         return task_has_perm(current, p, PROCESS__GETPGID);
3193 }
3194
3195 static int selinux_task_getsid(struct task_struct *p)
3196 {
3197         return task_has_perm(current, p, PROCESS__GETSESSION);
3198 }
3199
3200 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3201 {
3202         struct task_security_struct *tsec = p->security;
3203         *secid = tsec->sid;
3204 }
3205
3206 static int selinux_task_setgroups(struct group_info *group_info)
3207 {
3208         /* See the comment for setuid above. */
3209         return 0;
3210 }
3211
3212 static int selinux_task_setnice(struct task_struct *p, int nice)
3213 {
3214         int rc;
3215
3216         rc = secondary_ops->task_setnice(p, nice);
3217         if (rc)
3218                 return rc;
3219
3220         return task_has_perm(current, p, PROCESS__SETSCHED);
3221 }
3222
3223 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3224 {
3225         int rc;
3226
3227         rc = secondary_ops->task_setioprio(p, ioprio);
3228         if (rc)
3229                 return rc;
3230
3231         return task_has_perm(current, p, PROCESS__SETSCHED);
3232 }
3233
3234 static int selinux_task_getioprio(struct task_struct *p)
3235 {
3236         return task_has_perm(current, p, PROCESS__GETSCHED);
3237 }
3238
3239 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3240 {
3241         struct rlimit *old_rlim = current->signal->rlim + resource;
3242         int rc;
3243
3244         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3245         if (rc)
3246                 return rc;
3247
3248         /* Control the ability to change the hard limit (whether
3249            lowering or raising it), so that the hard limit can
3250            later be used as a safe reset point for the soft limit
3251            upon context transitions. See selinux_bprm_apply_creds. */
3252         if (old_rlim->rlim_max != new_rlim->rlim_max)
3253                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3254
3255         return 0;
3256 }
3257
3258 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3259 {
3260         int rc;
3261
3262         rc = secondary_ops->task_setscheduler(p, policy, lp);
3263         if (rc)
3264                 return rc;
3265
3266         return task_has_perm(current, p, PROCESS__SETSCHED);
3267 }
3268
3269 static int selinux_task_getscheduler(struct task_struct *p)
3270 {
3271         return task_has_perm(current, p, PROCESS__GETSCHED);
3272 }
3273
3274 static int selinux_task_movememory(struct task_struct *p)
3275 {
3276         return task_has_perm(current, p, PROCESS__SETSCHED);
3277 }
3278
3279 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3280                                 int sig, u32 secid)
3281 {
3282         u32 perm;
3283         int rc;
3284         struct task_security_struct *tsec;
3285
3286         rc = secondary_ops->task_kill(p, info, sig, secid);
3287         if (rc)
3288                 return rc;
3289
3290         if (!sig)
3291                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3292         else
3293                 perm = signal_to_av(sig);
3294         tsec = p->security;
3295         if (secid)
3296                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3297         else
3298                 rc = task_has_perm(current, p, perm);
3299         return rc;
3300 }
3301
3302 static int selinux_task_prctl(int option,
3303                               unsigned long arg2,
3304                               unsigned long arg3,
3305                               unsigned long arg4,
3306                               unsigned long arg5,
3307                               long *rc_p)
3308 {
3309         /* The current prctl operations do not appear to require
3310            any SELinux controls since they merely observe or modify
3311            the state of the current process. */
3312         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3313 }
3314
3315 static int selinux_task_wait(struct task_struct *p)
3316 {
3317         return task_has_perm(p, current, PROCESS__SIGCHLD);
3318 }
3319
3320 static void selinux_task_reparent_to_init(struct task_struct *p)
3321 {
3322         struct task_security_struct *tsec;
3323
3324         secondary_ops->task_reparent_to_init(p);
3325
3326         tsec = p->security;
3327         tsec->osid = tsec->sid;
3328         tsec->sid = SECINITSID_KERNEL;
3329         return;
3330 }
3331
3332 static void selinux_task_to_inode(struct task_struct *p,
3333                                   struct inode *inode)
3334 {
3335         struct task_security_struct *tsec = p->security;
3336         struct inode_security_struct *isec = inode->i_security;
3337
3338         isec->sid = tsec->sid;
3339         isec->initialized = 1;
3340         return;
3341 }
3342
3343 /* Returns error only if unable to parse addresses */
3344 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3345                         struct avc_audit_data *ad, u8 *proto)
3346 {
3347         int offset, ihlen, ret = -EINVAL;
3348         struct iphdr _iph, *ih;
3349
3350         offset = skb_network_offset(skb);
3351         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3352         if (ih == NULL)
3353                 goto out;
3354
3355         ihlen = ih->ihl * 4;
3356         if (ihlen < sizeof(_iph))
3357                 goto out;
3358
3359         ad->u.net.v4info.saddr = ih->saddr;
3360         ad->u.net.v4info.daddr = ih->daddr;
3361         ret = 0;
3362
3363         if (proto)
3364                 *proto = ih->protocol;
3365
3366         switch (ih->protocol) {
3367         case IPPROTO_TCP: {
3368                 struct tcphdr _tcph, *th;
3369
3370                 if (ntohs(ih->frag_off) & IP_OFFSET)
3371                         break;
3372
3373                 offset += ihlen;
3374                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3375                 if (th == NULL)
3376                         break;
3377
3378                 ad->u.net.sport = th->source;
3379                 ad->u.net.dport = th->dest;
3380                 break;
3381         }
3382
3383         case IPPROTO_UDP: {
3384                 struct udphdr _udph, *uh;
3385
3386                 if (ntohs(ih->frag_off) & IP_OFFSET)
3387                         break;
3388
3389                 offset += ihlen;
3390                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3391                 if (uh == NULL)
3392                         break;
3393
3394                 ad->u.net.sport = uh->source;
3395                 ad->u.net.dport = uh->dest;
3396                 break;
3397         }
3398
3399         case IPPROTO_DCCP: {
3400                 struct dccp_hdr _dccph, *dh;
3401
3402                 if (ntohs(ih->frag_off) & IP_OFFSET)
3403                         break;
3404
3405                 offset += ihlen;
3406                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3407                 if (dh == NULL)
3408                         break;
3409
3410                 ad->u.net.sport = dh->dccph_sport;
3411                 ad->u.net.dport = dh->dccph_dport;
3412                 break;
3413         }
3414
3415         default:
3416                 break;
3417         }
3418 out:
3419         return ret;
3420 }
3421
3422 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3423
3424 /* Returns error only if unable to parse addresses */
3425 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3426                         struct avc_audit_data *ad, u8 *proto)
3427 {
3428         u8 nexthdr;
3429         int ret = -EINVAL, offset;
3430         struct ipv6hdr _ipv6h, *ip6;
3431
3432         offset = skb_network_offset(skb);
3433         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3434         if (ip6 == NULL)
3435                 goto out;
3436
3437         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3438         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3439         ret = 0;
3440
3441         nexthdr = ip6->nexthdr;
3442         offset += sizeof(_ipv6h);
3443         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3444         if (offset < 0)
3445                 goto out;
3446
3447         if (proto)
3448                 *proto = nexthdr;
3449
3450         switch (nexthdr) {
3451         case IPPROTO_TCP: {
3452                 struct tcphdr _tcph, *th;
3453
3454                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3455                 if (th == NULL)
3456                         break;
3457
3458                 ad->u.net.sport = th->source;
3459                 ad->u.net.dport = th->dest;
3460                 break;
3461         }
3462
3463         case IPPROTO_UDP: {
3464                 struct udphdr _udph, *uh;
3465
3466                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3467                 if (uh == NULL)
3468                         break;
3469
3470                 ad->u.net.sport = uh->source;
3471                 ad->u.net.dport = uh->dest;
3472                 break;
3473         }
3474
3475         case IPPROTO_DCCP: {
3476                 struct dccp_hdr _dccph, *dh;
3477
3478                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3479                 if (dh == NULL)
3480                         break;
3481
3482                 ad->u.net.sport = dh->dccph_sport;
3483                 ad->u.net.dport = dh->dccph_dport;
3484                 break;
3485         }
3486
3487         /* includes fragments */
3488         default:
3489                 break;
3490         }
3491 out:
3492         return ret;
3493 }
3494
3495 #endif /* IPV6 */
3496
3497 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3498                              char **addrp, int src, u8 *proto)
3499 {
3500         int ret = 0;
3501
3502         switch (ad->u.net.family) {
3503         case PF_INET:
3504                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3505                 if (ret || !addrp)
3506                         break;
3507                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3508                                         &ad->u.net.v4info.daddr);
3509                 break;
3510
3511 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3512         case PF_INET6:
3513                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3514                 if (ret || !addrp)
3515                         break;
3516                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3517                                         &ad->u.net.v6info.daddr);
3518                 break;
3519 #endif  /* IPV6 */
3520         default:
3521                 break;
3522         }
3523
3524         if (unlikely(ret))
3525                 printk(KERN_WARNING
3526                        "SELinux: failure in selinux_parse_skb(),"
3527                        " unable to parse packet\n");
3528
3529         return ret;
3530 }
3531
3532 /**
3533  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3534  * @skb: the packet
3535  * @family: protocol family
3536  * @sid: the packet's peer label SID
3537  *
3538  * Description:
3539  * Check the various different forms of network peer labeling and determine
3540  * the peer label/SID for the packet; most of the magic actually occurs in
3541  * the security server function security_net_peersid_cmp().  The function
3542  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3543  * or -EACCES if @sid is invalid due to inconsistencies with the different
3544  * peer labels.
3545  *
3546  */
3547 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3548 {
3549         int err;
3550         u32 xfrm_sid;
3551         u32 nlbl_sid;
3552         u32 nlbl_type;
3553
3554         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3555         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3556
3557         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3558         if (unlikely(err)) {
3559                 printk(KERN_WARNING
3560                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3561                        " unable to determine packet's peer label\n");
3562                 return -EACCES;
3563         }
3564
3565         return 0;
3566 }
3567
3568 /* socket security operations */
3569 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3570                            u32 perms)
3571 {
3572         struct inode_security_struct *isec;
3573         struct task_security_struct *tsec;
3574         struct avc_audit_data ad;
3575         int err = 0;
3576
3577         tsec = task->security;
3578         isec = SOCK_INODE(sock)->i_security;
3579
3580         if (isec->sid == SECINITSID_KERNEL)
3581                 goto out;
3582
3583         AVC_AUDIT_DATA_INIT(&ad, NET);
3584         ad.u.net.sk = sock->sk;
3585         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3586
3587 out:
3588         return err;
3589 }
3590
3591 static int selinux_socket_create(int family, int type,
3592                                  int protocol, int kern)
3593 {
3594         int err = 0;
3595         struct task_security_struct *tsec;
3596         u32 newsid;
3597
3598         if (kern)
3599                 goto out;
3600
3601         tsec = current->security;
3602         newsid = tsec->sockcreate_sid ? : tsec->sid;
3603         err = avc_has_perm(tsec->sid, newsid,
3604                            socket_type_to_security_class(family, type,
3605                            protocol), SOCKET__CREATE, NULL);
3606
3607 out:
3608         return err;
3609 }
3610
3611 static int selinux_socket_post_create(struct socket *sock, int family,
3612                                       int type, int protocol, int kern)
3613 {
3614         int err = 0;
3615         struct inode_security_struct *isec;
3616         struct task_security_struct *tsec;
3617         struct sk_security_struct *sksec;
3618         u32 newsid;
3619
3620         isec = SOCK_INODE(sock)->i_security;
3621
3622         tsec = current->security;
3623         newsid = tsec->sockcreate_sid ? : tsec->sid;
3624         isec->sclass = socket_type_to_security_class(family, type, protocol);
3625         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3626         isec->initialized = 1;
3627
3628         if (sock->sk) {
3629                 sksec = sock->sk->sk_security;
3630                 sksec->sid = isec->sid;
3631                 sksec->sclass = isec->sclass;
3632                 err = selinux_netlbl_socket_post_create(sock);
3633         }
3634
3635         return err;
3636 }
3637
3638 /* Range of port numbers used to automatically bind.
3639    Need to determine whether we should perform a name_bind
3640    permission check between the socket and the port number. */
3641
3642 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3643 {
3644         u16 family;
3645         int err;
3646
3647         err = socket_has_perm(current, sock, SOCKET__BIND);
3648         if (err)
3649                 goto out;
3650
3651         /*
3652          * If PF_INET or PF_INET6, check name_bind permission for the port.
3653          * Multiple address binding for SCTP is not supported yet: we just
3654          * check the first address now.
3655          */
3656         family = sock->sk->sk_family;
3657         if (family == PF_INET || family == PF_INET6) {
3658                 char *addrp;
3659                 struct inode_security_struct *isec;
3660                 struct task_security_struct *tsec;
3661                 struct avc_audit_data ad;
3662                 struct sockaddr_in *addr4 = NULL;
3663                 struct sockaddr_in6 *addr6 = NULL;
3664                 unsigned short snum;
3665                 struct sock *sk = sock->sk;
3666                 u32 sid, node_perm, addrlen;
3667
3668                 tsec = current->security;
3669                 isec = SOCK_INODE(sock)->i_security;
3670
3671                 if (family == PF_INET) {
3672                         addr4 = (struct sockaddr_in *)address;
3673                         snum = ntohs(addr4->sin_port);
3674                         addrlen = sizeof(addr4->sin_addr.s_addr);
3675                         addrp = (char *)&addr4->sin_addr.s_addr;
3676                 } else {
3677                         addr6 = (struct sockaddr_in6 *)address;
3678                         snum = ntohs(addr6->sin6_port);
3679                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3680                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3681                 }
3682
3683                 if (snum) {
3684                         int low, high;
3685
3686                         inet_get_local_port_range(&low, &high);
3687
3688                         if (snum < max(PROT_SOCK, low) || snum > high) {
3689                                 err = sel_netport_sid(sk->sk_protocol,
3690                                                       snum, &sid);
3691                                 if (err)
3692                                         goto out;
3693                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3694                                 ad.u.net.sport = htons(snum);
3695                                 ad.u.net.family = family;
3696                                 err = avc_has_perm(isec->sid, sid,
3697                                                    isec->sclass,
3698                                                    SOCKET__NAME_BIND, &ad);
3699                                 if (err)
3700                                         goto out;
3701                         }
3702                 }
3703
3704                 switch (isec->sclass) {
3705                 case SECCLASS_TCP_SOCKET:
3706                         node_perm = TCP_SOCKET__NODE_BIND;
3707                         break;
3708
3709                 case SECCLASS_UDP_SOCKET:
3710                         node_perm = UDP_SOCKET__NODE_BIND;
3711                         break;
3712
3713                 case SECCLASS_DCCP_SOCKET:
3714                         node_perm = DCCP_SOCKET__NODE_BIND;
3715                         break;
3716
3717                 default:
3718                         node_perm = RAWIP_SOCKET__NODE_BIND;
3719                         break;
3720                 }
3721
3722                 err = sel_netnode_sid(addrp, family, &sid);
3723                 if (err)
3724                         goto out;
3725
3726                 AVC_AUDIT_DATA_INIT(&ad, NET);
3727                 ad.u.net.sport = htons(snum);
3728                 ad.u.net.family = family;
3729
3730                 if (family == PF_INET)
3731                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3732                 else
3733                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3734
3735                 err = avc_has_perm(isec->sid, sid,
3736                                    isec->sclass, node_perm, &ad);
3737                 if (err)
3738                         goto out;
3739         }
3740 out:
3741         return err;
3742 }
3743
3744 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3745 {
3746         struct inode_security_struct *isec;
3747         int err;
3748
3749         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3750         if (err)
3751                 return err;
3752
3753         /*
3754          * If a TCP or DCCP socket, check name_connect permission for the port.
3755          */
3756         isec = SOCK_INODE(sock)->i_security;
3757         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3758             isec->sclass == SECCLASS_DCCP_SOCKET) {
3759                 struct sock *sk = sock->sk;
3760                 struct avc_audit_data ad;
3761                 struct sockaddr_in *addr4 = NULL;
3762                 struct sockaddr_in6 *addr6 = NULL;
3763                 unsigned short snum;
3764                 u32 sid, perm;
3765
3766                 if (sk->sk_family == PF_INET) {
3767                         addr4 = (struct sockaddr_in *)address;
3768                         if (addrlen < sizeof(struct sockaddr_in))
3769                                 return -EINVAL;
3770                         snum = ntohs(addr4->sin_port);
3771                 } else {
3772                         addr6 = (struct sockaddr_in6 *)address;
3773                         if (addrlen < SIN6_LEN_RFC2133)
3774                                 return -EINVAL;
3775                         snum = ntohs(addr6->sin6_port);
3776                 }
3777
3778                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3779                 if (err)
3780                         goto out;
3781
3782                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3783                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3784
3785                 AVC_AUDIT_DATA_INIT(&ad, NET);
3786                 ad.u.net.dport = htons(snum);
3787                 ad.u.net.family = sk->sk_family;
3788                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3789                 if (err)
3790                         goto out;
3791         }
3792
3793 out:
3794         return err;
3795 }
3796
3797 static int selinux_socket_listen(struct socket *sock, int backlog)
3798 {
3799         return socket_has_perm(current, sock, SOCKET__LISTEN);
3800 }
3801
3802 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3803 {
3804         int err;
3805         struct inode_security_struct *isec;
3806         struct inode_security_struct *newisec;
3807
3808         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3809         if (err)
3810                 return err;
3811
3812         newisec = SOCK_INODE(newsock)->i_security;
3813
3814         isec = SOCK_INODE(sock)->i_security;
3815         newisec->sclass = isec->sclass;
3816         newisec->sid = isec->sid;
3817         newisec->initialized = 1;
3818
3819         return 0;
3820 }
3821
3822 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3823                                   int size)
3824 {
3825         int rc;
3826
3827         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3828         if (rc)
3829                 return rc;
3830
3831         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3832 }
3833
3834 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3835                                   int size, int flags)
3836 {
3837         return socket_has_perm(current, sock, SOCKET__READ);
3838 }
3839
3840 static int selinux_socket_getsockname(struct socket *sock)
3841 {
3842         return socket_has_perm(current, sock, SOCKET__GETATTR);
3843 }
3844
3845 static int selinux_socket_getpeername(struct socket *sock)
3846 {
3847         return socket_has_perm(current, sock, SOCKET__GETATTR);
3848 }
3849
3850 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3851 {
3852         int err;
3853
3854         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3855         if (err)
3856                 return err;
3857
3858         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3859 }
3860
3861 static int selinux_socket_getsockopt(struct socket *sock, int level,
3862                                      int optname)
3863 {
3864         return socket_has_perm(current, sock, SOCKET__GETOPT);
3865 }
3866
3867 static int selinux_socket_shutdown(struct socket *sock, int how)
3868 {
3869         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3870 }
3871
3872 static int selinux_socket_unix_stream_connect(struct socket *sock,
3873                                               struct socket *other,
3874                                               struct sock *newsk)
3875 {
3876         struct sk_security_struct *ssec;
3877         struct inode_security_struct *isec;
3878         struct inode_security_struct *other_isec;
3879         struct avc_audit_data ad;
3880         int err;
3881
3882         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3883         if (err)
3884                 return err;
3885
3886         isec = SOCK_INODE(sock)->i_security;
3887         other_isec = SOCK_INODE(other)->i_security;
3888
3889         AVC_AUDIT_DATA_INIT(&ad, NET);
3890         ad.u.net.sk = other->sk;
3891
3892         err = avc_has_perm(isec->sid, other_isec->sid,
3893                            isec->sclass,
3894                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3895         if (err)
3896                 return err;
3897
3898         /* connecting socket */
3899         ssec = sock->sk->sk_security;
3900         ssec->peer_sid = other_isec->sid;
3901
3902         /* server child socket */
3903         ssec = newsk->sk_security;
3904         ssec->peer_sid = isec->sid;
3905         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3906
3907         return err;
3908 }
3909
3910 static int selinux_socket_unix_may_send(struct socket *sock,
3911                                         struct socket *other)
3912 {
3913         struct inode_security_struct *isec;
3914         struct inode_security_struct *other_isec;
3915         struct avc_audit_data ad;
3916         int err;
3917
3918         isec = SOCK_INODE(sock)->i_security;
3919         other_isec = SOCK_INODE(other)->i_security;
3920
3921         AVC_AUDIT_DATA_INIT(&ad, NET);
3922         ad.u.net.sk = other->sk;
3923
3924         err = avc_has_perm(isec->sid, other_isec->sid,
3925                            isec->sclass, SOCKET__SENDTO, &ad);
3926         if (err)
3927                 return err;
3928
3929         return 0;
3930 }
3931
3932 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3933                                     u32 peer_sid,
3934                                     struct avc_audit_data *ad)
3935 {
3936         int err;
3937         u32 if_sid;
3938         u32 node_sid;
3939
3940         err = sel_netif_sid(ifindex, &if_sid);
3941         if (err)
3942                 return err;
3943         err = avc_has_perm(peer_sid, if_sid,
3944                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3945         if (err)
3946                 return err;
3947
3948         err = sel_netnode_sid(addrp, family, &node_sid);
3949         if (err)
3950                 return err;
3951         return avc_has_perm(peer_sid, node_sid,
3952                             SECCLASS_NODE, NODE__RECVFROM, ad);
3953 }
3954
3955 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3956                                                 struct sk_buff *skb,
3957                                                 struct avc_audit_data *ad,
3958                                                 u16 family,
3959                                                 char *addrp)
3960 {
3961         int err;
3962         struct sk_security_struct *sksec = sk->sk_security;
3963         u16 sk_class;
3964         u32 netif_perm, node_perm, recv_perm;
3965         u32 port_sid, node_sid, if_sid, sk_sid;
3966
3967         sk_sid = sksec->sid;
3968         sk_class = sksec->sclass;
3969
3970         switch (sk_class) {
3971         case SECCLASS_UDP_SOCKET:
3972                 netif_perm = NETIF__UDP_RECV;
3973                 node_perm = NODE__UDP_RECV;
3974                 recv_perm = UDP_SOCKET__RECV_MSG;
3975                 break;
3976         case SECCLASS_TCP_SOCKET:
3977                 netif_perm = NETIF__TCP_RECV;
3978                 node_perm = NODE__TCP_RECV;
3979                 recv_perm = TCP_SOCKET__RECV_MSG;
3980                 break;
3981         case SECCLASS_DCCP_SOCKET:
3982                 netif_perm = NETIF__DCCP_RECV;
3983                 node_perm = NODE__DCCP_RECV;
3984                 recv_perm = DCCP_SOCKET__RECV_MSG;
3985                 break;
3986         default:
3987                 netif_perm = NETIF__RAWIP_RECV;
3988                 node_perm = NODE__RAWIP_RECV;
3989                 recv_perm = 0;
3990                 break;
3991         }
3992
3993         err = sel_netif_sid(skb->iif, &if_sid);
3994         if (err)
3995                 return err;
3996         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3997         if (err)
3998                 return err;
3999
4000         err = sel_netnode_sid(addrp, family, &node_sid);
4001         if (err)
4002                 return err;
4003         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4004         if (err)
4005                 return err;
4006
4007         if (!recv_perm)
4008                 return 0;
4009         err = sel_netport_sid(sk->sk_protocol,
4010                               ntohs(ad->u.net.sport), &port_sid);
4011         if (unlikely(err)) {
4012                 printk(KERN_WARNING
4013                        "SELinux: failure in"
4014                        " selinux_sock_rcv_skb_iptables_compat(),"
4015                        " network port label not found\n");
4016                 return err;
4017         }
4018         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4019 }
4020
4021 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4022                                        struct avc_audit_data *ad,
4023                                        u16 family, char *addrp)
4024 {
4025         int err;
4026         struct sk_security_struct *sksec = sk->sk_security;
4027         u32 peer_sid;
4028         u32 sk_sid = sksec->sid;
4029
4030         if (selinux_compat_net)
4031                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4032                                                            family, addrp);
4033         else
4034                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4035                                    PACKET__RECV, ad);
4036         if (err)
4037                 return err;
4038
4039         if (selinux_policycap_netpeer) {
4040                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4041                 if (err)
4042                         return err;
4043                 err = avc_has_perm(sk_sid, peer_sid,
4044                                    SECCLASS_PEER, PEER__RECV, ad);
4045         } else {
4046                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4047                 if (err)
4048                         return err;
4049                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4050         }
4051
4052         return err;
4053 }
4054
4055 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4056 {
4057         int err;
4058         struct sk_security_struct *sksec = sk->sk_security;
4059         u16 family = sk->sk_family;
4060         u32 sk_sid = sksec->sid;
4061         struct avc_audit_data ad;
4062         char *addrp;
4063
4064         if (family != PF_INET && family != PF_INET6)
4065                 return 0;
4066
4067         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4068         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4069                 family = PF_INET;
4070
4071         AVC_AUDIT_DATA_INIT(&ad, NET);
4072         ad.u.net.netif = skb->iif;
4073         ad.u.net.family = family;
4074         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4075         if (err)
4076                 return err;
4077
4078         /* If any sort of compatibility mode is enabled then handoff processing
4079          * to the selinux_sock_rcv_skb_compat() function to deal with the
4080          * special handling.  We do this in an attempt to keep this function
4081          * as fast and as clean as possible. */
4082         if (selinux_compat_net || !selinux_policycap_netpeer)
4083                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4084                                                    family, addrp);
4085
4086         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4087                 u32 peer_sid;
4088
4089                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4090                 if (err)
4091                         return err;
4092                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4093                                                peer_sid, &ad);
4094                 if (err)
4095                         return err;
4096                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4097                                    PEER__RECV, &ad);
4098         }
4099
4100         if (selinux_secmark_enabled()) {
4101                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4102                                    PACKET__RECV, &ad);
4103                 if (err)
4104                         return err;
4105         }
4106
4107         return err;
4108 }
4109
4110 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4111                                             int __user *optlen, unsigned len)
4112 {
4113         int err = 0;
4114         char *scontext;
4115         u32 scontext_len;
4116         struct sk_security_struct *ssec;
4117         struct inode_security_struct *isec;
4118         u32 peer_sid = SECSID_NULL;
4119
4120         isec = SOCK_INODE(sock)->i_security;
4121
4122         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4123             isec->sclass == SECCLASS_TCP_SOCKET) {
4124                 ssec = sock->sk->sk_security;
4125                 peer_sid = ssec->peer_sid;
4126         }
4127         if (peer_sid == SECSID_NULL) {
4128                 err = -ENOPROTOOPT;
4129                 goto out;
4130         }
4131
4132         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4133
4134         if (err)
4135                 goto out;
4136
4137         if (scontext_len > len) {
4138                 err = -ERANGE;
4139                 goto out_len;
4140         }
4141
4142         if (copy_to_user(optval, scontext, scontext_len))
4143                 err = -EFAULT;
4144
4145 out_len:
4146         if (put_user(scontext_len, optlen))
4147                 err = -EFAULT;
4148
4149         kfree(scontext);
4150 out:
4151         return err;
4152 }
4153
4154 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4155 {
4156         u32 peer_secid = SECSID_NULL;
4157         u16 family;
4158
4159         if (sock)
4160                 family = sock->sk->sk_family;
4161         else if (skb && skb->sk)
4162                 family = skb->sk->sk_family;
4163         else
4164                 goto out;
4165
4166         if (sock && family == PF_UNIX)
4167                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4168         else if (skb)
4169                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4170
4171 out:
4172         *secid = peer_secid;
4173         if (peer_secid == SECSID_NULL)
4174                 return -EINVAL;
4175         return 0;
4176 }
4177
4178 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4179 {
4180         return sk_alloc_security(sk, family, priority);
4181 }
4182
4183 static void selinux_sk_free_security(struct sock *sk)
4184 {
4185         sk_free_security(sk);
4186 }
4187
4188 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4189 {
4190         struct sk_security_struct *ssec = sk->sk_security;
4191         struct sk_security_struct *newssec = newsk->sk_security;
4192
4193         newssec->sid = ssec->sid;
4194         newssec->peer_sid = ssec->peer_sid;
4195         newssec->sclass = ssec->sclass;
4196
4197         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4198 }
4199
4200 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4201 {
4202         if (!sk)
4203                 *secid = SECINITSID_ANY_SOCKET;
4204         else {
4205                 struct sk_security_struct *sksec = sk->sk_security;
4206
4207                 *secid = sksec->sid;
4208         }
4209 }
4210
4211 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4212 {
4213         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4214         struct sk_security_struct *sksec = sk->sk_security;
4215
4216         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4217             sk->sk_family == PF_UNIX)
4218                 isec->sid = sksec->sid;
4219         sksec->sclass = isec->sclass;
4220
4221         selinux_netlbl_sock_graft(sk, parent);
4222 }
4223
4224 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4225                                      struct request_sock *req)
4226 {
4227         struct sk_security_struct *sksec = sk->sk_security;
4228         int err;
4229         u32 newsid;
4230         u32 peersid;
4231
4232         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4233         if (err)
4234                 return err;
4235         if (peersid == SECSID_NULL) {
4236                 req->secid = sksec->sid;
4237                 req->peer_secid = SECSID_NULL;
4238                 return 0;
4239         }
4240
4241         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4242         if (err)
4243                 return err;
4244
4245         req->secid = newsid;
4246         req->peer_secid = peersid;
4247         return 0;
4248 }
4249
4250 static void selinux_inet_csk_clone(struct sock *newsk,
4251                                    const struct request_sock *req)
4252 {
4253         struct sk_security_struct *newsksec = newsk->sk_security;
4254
4255         newsksec->sid = req->secid;
4256         newsksec->peer_sid = req->peer_secid;
4257         /* NOTE: Ideally, we should also get the isec->sid for the
4258            new socket in sync, but we don't have the isec available yet.
4259            So we will wait until sock_graft to do it, by which
4260            time it will have been created and available. */
4261
4262         /* We don't need to take any sort of lock here as we are the only
4263          * thread with access to newsksec */
4264         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4265 }
4266
4267 static void selinux_inet_conn_established(struct sock *sk,
4268                                 struct sk_buff *skb)
4269 {
4270         struct sk_security_struct *sksec = sk->sk_security;
4271
4272         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4273 }
4274
4275 static void selinux_req_classify_flow(const struct request_sock *req,
4276                                       struct flowi *fl)
4277 {
4278         fl->secid = req->secid;
4279 }
4280
4281 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4282 {
4283         int err = 0;
4284         u32 perm;
4285         struct nlmsghdr *nlh;
4286         struct socket *sock = sk->sk_socket;
4287         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4288
4289         if (skb->len < NLMSG_SPACE(0)) {
4290                 err = -EINVAL;
4291                 goto out;
4292         }
4293         nlh = nlmsg_hdr(skb);
4294
4295         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4296         if (err) {
4297                 if (err == -EINVAL) {
4298                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4299                                   "SELinux:  unrecognized netlink message"
4300                                   " type=%hu for sclass=%hu\n",
4301                                   nlh->nlmsg_type, isec->sclass);
4302                         if (!selinux_enforcing)
4303                                 err = 0;
4304                 }
4305
4306                 /* Ignore */
4307                 if (err == -ENOENT)
4308                         err = 0;
4309                 goto out;
4310         }
4311
4312         err = socket_has_perm(current, sock, perm);
4313 out:
4314         return err;
4315 }
4316
4317 #ifdef CONFIG_NETFILTER
4318
4319 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4320                                        u16 family)
4321 {
4322         char *addrp;
4323         u32 peer_sid;
4324         struct avc_audit_data ad;
4325         u8 secmark_active;
4326         u8 peerlbl_active;
4327
4328         if (!selinux_policycap_netpeer)
4329                 return NF_ACCEPT;
4330
4331         secmark_active = selinux_secmark_enabled();
4332         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4333         if (!secmark_active && !peerlbl_active)
4334                 return NF_ACCEPT;
4335
4336         AVC_AUDIT_DATA_INIT(&ad, NET);
4337         ad.u.net.netif = ifindex;
4338         ad.u.net.family = family;
4339         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4340                 return NF_DROP;
4341
4342         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4343                 return NF_DROP;
4344
4345         if (peerlbl_active)
4346                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4347                                              peer_sid, &ad) != 0)
4348                         return NF_DROP;
4349
4350         if (secmark_active)
4351                 if (avc_has_perm(peer_sid, skb->secmark,
4352                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4353                         return NF_DROP;
4354
4355         return NF_ACCEPT;
4356 }
4357
4358 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4359                                          struct sk_buff *skb,
4360                                          const struct net_device *in,
4361                                          const struct net_device *out,
4362                                          int (*okfn)(struct sk_buff *))
4363 {
4364         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4365 }
4366
4367 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4368 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4369                                          struct sk_buff *skb,
4370                                          const struct net_device *in,
4371                                          const struct net_device *out,
4372                                          int (*okfn)(struct sk_buff *))
4373 {
4374         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4375 }
4376 #endif  /* IPV6 */
4377
4378 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4379                                                 int ifindex,
4380                                                 struct avc_audit_data *ad,
4381                                                 u16 family, char *addrp)
4382 {
4383         int err;
4384         struct sk_security_struct *sksec = sk->sk_security;
4385         u16 sk_class;
4386         u32 netif_perm, node_perm, send_perm;
4387         u32 port_sid, node_sid, if_sid, sk_sid;
4388
4389         sk_sid = sksec->sid;
4390         sk_class = sksec->sclass;
4391
4392         switch (sk_class) {
4393         case SECCLASS_UDP_SOCKET:
4394                 netif_perm = NETIF__UDP_SEND;
4395                 node_perm = NODE__UDP_SEND;
4396                 send_perm = UDP_SOCKET__SEND_MSG;
4397                 break;
4398         case SECCLASS_TCP_SOCKET:
4399                 netif_perm = NETIF__TCP_SEND;
4400                 node_perm = NODE__TCP_SEND;
4401                 send_perm = TCP_SOCKET__SEND_MSG;
4402                 break;
4403         case SECCLASS_DCCP_SOCKET:
4404                 netif_perm = NETIF__DCCP_SEND;
4405                 node_perm = NODE__DCCP_SEND;
4406                 send_perm = DCCP_SOCKET__SEND_MSG;
4407                 break;
4408         default:
4409                 netif_perm = NETIF__RAWIP_SEND;
4410                 node_perm = NODE__RAWIP_SEND;
4411                 send_perm = 0;
4412                 break;
4413         }
4414
4415         err = sel_netif_sid(ifindex, &if_sid);
4416         if (err)
4417                 return err;
4418         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4419                 return err;
4420
4421         err = sel_netnode_sid(addrp, family, &node_sid);
4422         if (err)
4423                 return err;
4424         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4425         if (err)
4426                 return err;
4427
4428         if (send_perm != 0)
4429                 return 0;
4430
4431         err = sel_netport_sid(sk->sk_protocol,
4432                               ntohs(ad->u.net.dport), &port_sid);
4433         if (unlikely(err)) {
4434                 printk(KERN_WARNING
4435                        "SELinux: failure in"
4436                        " selinux_ip_postroute_iptables_compat(),"
4437                        " network port label not found\n");
4438                 return err;
4439         }
4440         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4441 }
4442
4443 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4444                                                 int ifindex,
4445                                                 struct avc_audit_data *ad,
4446                                                 u16 family,
4447                                                 char *addrp,
4448                                                 u8 proto)
4449 {
4450         struct sock *sk = skb->sk;
4451         struct sk_security_struct *sksec;
4452
4453         if (sk == NULL)
4454                 return NF_ACCEPT;
4455         sksec = sk->sk_security;
4456
4457         if (selinux_compat_net) {
4458                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4459                                                          ad, family, addrp))
4460                         return NF_DROP;
4461         } else {
4462                 if (avc_has_perm(sksec->sid, skb->secmark,
4463                                  SECCLASS_PACKET, PACKET__SEND, ad))
4464                         return NF_DROP;
4465         }
4466
4467         if (selinux_policycap_netpeer)
4468                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4469                         return NF_DROP;
4470
4471         return NF_ACCEPT;
4472 }
4473
4474 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4475                                          u16 family)
4476 {
4477         u32 secmark_perm;
4478         u32 peer_sid;
4479         struct sock *sk;
4480         struct avc_audit_data ad;
4481         char *addrp;
4482         u8 proto;
4483         u8 secmark_active;
4484         u8 peerlbl_active;
4485
4486         AVC_AUDIT_DATA_INIT(&ad, NET);
4487         ad.u.net.netif = ifindex;
4488         ad.u.net.family = family;
4489         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4490                 return NF_DROP;
4491
4492         /* If any sort of compatibility mode is enabled then handoff processing
4493          * to the selinux_ip_postroute_compat() function to deal with the
4494          * special handling.  We do this in an attempt to keep this function
4495          * as fast and as clean as possible. */
4496         if (selinux_compat_net || !selinux_policycap_netpeer)
4497                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4498                                                    family, addrp, proto);
4499
4500         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4501          * packet transformation so allow the packet to pass without any checks
4502          * since we'll have another chance to perform access control checks
4503          * when the packet is on it's final way out.
4504          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4505          *       is NULL, in this case go ahead and apply access control. */
4506         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4507                 return NF_ACCEPT;
4508
4509         secmark_active = selinux_secmark_enabled();
4510         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4511         if (!secmark_active && !peerlbl_active)
4512                 return NF_ACCEPT;
4513
4514         /* if the packet is locally generated (skb->sk != NULL) then use the
4515          * socket's label as the peer label, otherwise the packet is being
4516          * forwarded through this system and we need to fetch the peer label
4517          * directly from the packet */
4518         sk = skb->sk;
4519         if (sk) {
4520                 struct sk_security_struct *sksec = sk->sk_security;
4521                 peer_sid = sksec->sid;
4522                 secmark_perm = PACKET__SEND;
4523         } else {
4524                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4525                                 return NF_DROP;
4526                 secmark_perm = PACKET__FORWARD_OUT;
4527         }
4528
4529         if (secmark_active)
4530                 if (avc_has_perm(peer_sid, skb->secmark,
4531                                  SECCLASS_PACKET, secmark_perm, &ad))
4532                         return NF_DROP;
4533
4534         if (peerlbl_active) {
4535                 u32 if_sid;
4536                 u32 node_sid;
4537
4538                 if (sel_netif_sid(ifindex, &if_sid))
4539                         return NF_DROP;
4540                 if (avc_has_perm(peer_sid, if_sid,
4541                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4542                         return NF_DROP;
4543
4544                 if (sel_netnode_sid(addrp, family, &node_sid))
4545                         return NF_DROP;
4546                 if (avc_has_perm(peer_sid, node_sid,
4547                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4548                         return NF_DROP;
4549         }
4550
4551         return NF_ACCEPT;
4552 }
4553
4554 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4555                                            struct sk_buff *skb,
4556                                            const struct net_device *in,
4557                                            const struct net_device *out,
4558                                            int (*okfn)(struct sk_buff *))
4559 {
4560         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4561 }
4562
4563 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4564 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4565                                            struct sk_buff *skb,
4566                                            const struct net_device *in,
4567                                            const struct net_device *out,
4568                                            int (*okfn)(struct sk_buff *))
4569 {
4570         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4571 }
4572 #endif  /* IPV6 */
4573
4574 #endif  /* CONFIG_NETFILTER */
4575
4576 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4577 {
4578         int err;
4579
4580         err = secondary_ops->netlink_send(sk, skb);
4581         if (err)
4582                 return err;
4583
4584         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4585                 err = selinux_nlmsg_perm(sk, skb);
4586
4587         return err;
4588 }
4589
4590 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4591 {
4592         int err;
4593         struct avc_audit_data ad;
4594
4595         err = secondary_ops->netlink_recv(skb, capability);
4596         if (err)
4597                 return err;
4598
4599         AVC_AUDIT_DATA_INIT(&ad, CAP);
4600         ad.u.cap = capability;
4601
4602         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4603                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4604 }
4605
4606 static int ipc_alloc_security(struct task_struct *task,
4607                               struct kern_ipc_perm *perm,
4608                               u16 sclass)
4609 {
4610         struct task_security_struct *tsec = task->security;
4611         struct ipc_security_struct *isec;
4612
4613         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4614         if (!isec)
4615                 return -ENOMEM;
4616
4617         isec->sclass = sclass;
4618         isec->sid = tsec->sid;
4619         perm->security = isec;
4620
4621         return 0;
4622 }
4623
4624 static void ipc_free_security(struct kern_ipc_perm *perm)
4625 {
4626         struct ipc_security_struct *isec = perm->security;
4627         perm->security = NULL;
4628         kfree(isec);
4629 }
4630
4631 static int msg_msg_alloc_security(struct msg_msg *msg)
4632 {
4633         struct msg_security_struct *msec;
4634
4635         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4636         if (!msec)
4637                 return -ENOMEM;
4638
4639         msec->sid = SECINITSID_UNLABELED;
4640         msg->security = msec;
4641
4642         return 0;
4643 }
4644
4645 static void msg_msg_free_security(struct msg_msg *msg)
4646 {
4647         struct msg_security_struct *msec = msg->security;
4648
4649         msg->security = NULL;
4650         kfree(msec);
4651 }
4652
4653 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4654                         u32 perms)
4655 {
4656         struct task_security_struct *tsec;
4657         struct ipc_security_struct *isec;
4658         struct avc_audit_data ad;
4659
4660         tsec = current->security;
4661         isec = ipc_perms->security;
4662
4663         AVC_AUDIT_DATA_INIT(&ad, IPC);
4664         ad.u.ipc_id = ipc_perms->key;
4665
4666         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4667 }
4668
4669 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4670 {
4671         return msg_msg_alloc_security(msg);
4672 }
4673
4674 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4675 {
4676         msg_msg_free_security(msg);
4677 }
4678
4679 /* message queue security operations */
4680 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4681 {
4682         struct task_security_struct *tsec;
4683         struct ipc_security_struct *isec;
4684         struct avc_audit_data ad;
4685         int rc;
4686
4687         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4688         if (rc)
4689                 return rc;
4690
4691         tsec = current->security;
4692         isec = msq->q_perm.security;
4693
4694         AVC_AUDIT_DATA_INIT(&ad, IPC);
4695         ad.u.ipc_id = msq->q_perm.key;
4696
4697         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4698                           MSGQ__CREATE, &ad);
4699         if (rc) {
4700                 ipc_free_security(&msq->q_perm);
4701                 return rc;
4702         }
4703         return 0;
4704 }
4705
4706 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4707 {
4708         ipc_free_security(&msq->q_perm);
4709 }
4710
4711 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4712 {
4713         struct task_security_struct *tsec;
4714         struct ipc_security_struct *isec;
4715         struct avc_audit_data ad;
4716
4717         tsec = current->security;
4718         isec = msq->q_perm.security;
4719
4720         AVC_AUDIT_DATA_INIT(&ad, IPC);
4721         ad.u.ipc_id = msq->q_perm.key;
4722
4723         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4724                             MSGQ__ASSOCIATE, &ad);
4725 }
4726
4727 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4728 {
4729         int err;
4730         int perms;
4731
4732         switch (cmd) {
4733         case IPC_INFO:
4734         case MSG_INFO:
4735                 /* No specific object, just general system-wide information. */
4736                 return task_has_system(current, SYSTEM__IPC_INFO);
4737         case IPC_STAT:
4738         case MSG_STAT:
4739                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4740                 break;
4741         case IPC_SET:
4742                 perms = MSGQ__SETATTR;
4743                 break;
4744         case IPC_RMID:
4745                 perms = MSGQ__DESTROY;
4746                 break;
4747         default:
4748                 return 0;
4749         }
4750
4751         err = ipc_has_perm(&msq->q_perm, perms);
4752         return err;
4753 }
4754
4755 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4756 {
4757         struct task_security_struct *tsec;
4758         struct ipc_security_struct *isec;
4759         struct msg_security_struct *msec;
4760         struct avc_audit_data ad;
4761         int rc;
4762
4763         tsec = current->security;
4764         isec = msq->q_perm.security;
4765         msec = msg->security;
4766
4767         /*
4768          * First time through, need to assign label to the message
4769          */
4770         if (msec->sid == SECINITSID_UNLABELED) {
4771                 /*
4772                  * Compute new sid based on current process and
4773                  * message queue this message will be stored in
4774                  */
4775                 rc = security_transition_sid(tsec->sid,
4776                                              isec->sid,
4777                                              SECCLASS_MSG,
4778                                              &msec->sid);
4779                 if (rc)
4780                         return rc;
4781         }
4782
4783         AVC_AUDIT_DATA_INIT(&ad, IPC);
4784         ad.u.ipc_id = msq->q_perm.key;
4785
4786         /* Can this process write to the queue? */
4787         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4788                           MSGQ__WRITE, &ad);
4789         if (!rc)
4790                 /* Can this process send the message */
4791                 rc = avc_has_perm(tsec->sid, msec->sid,
4792                                   SECCLASS_MSG, MSG__SEND, &ad);
4793         if (!rc)
4794                 /* Can the message be put in the queue? */
4795                 rc = avc_has_perm(msec->sid, isec->sid,
4796                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4797
4798         return rc;
4799 }
4800
4801 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4802                                     struct task_struct *target,
4803                                     long type, int mode)
4804 {
4805         struct task_security_struct *tsec;
4806         struct ipc_security_struct *isec;
4807         struct msg_security_struct *msec;
4808         struct avc_audit_data ad;
4809         int rc;
4810
4811         tsec = target->security;
4812         isec = msq->q_perm.security;
4813         msec = msg->security;
4814
4815         AVC_AUDIT_DATA_INIT(&ad, IPC);
4816         ad.u.ipc_id = msq->q_perm.key;
4817
4818         rc = avc_has_perm(tsec->sid, isec->sid,
4819                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4820         if (!rc)
4821                 rc = avc_has_perm(tsec->sid, msec->sid,
4822                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4823         return rc;
4824 }
4825
4826 /* Shared Memory security operations */
4827 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4828 {
4829         struct task_security_struct *tsec;
4830         struct ipc_security_struct *isec;
4831         struct avc_audit_data ad;
4832         int rc;
4833
4834         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4835         if (rc)
4836                 return rc;
4837
4838         tsec = current->security;
4839         isec = shp->shm_perm.security;
4840
4841         AVC_AUDIT_DATA_INIT(&ad, IPC);
4842         ad.u.ipc_id = shp->shm_perm.key;
4843
4844         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4845                           SHM__CREATE, &ad);
4846         if (rc) {
4847                 ipc_free_security(&shp->shm_perm);
4848                 return rc;
4849         }
4850         return 0;
4851 }
4852
4853 static void selinux_shm_free_security(struct shmid_kernel *shp)
4854 {
4855         ipc_free_security(&shp->shm_perm);
4856 }
4857
4858 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4859 {
4860         struct task_security_struct *tsec;
4861         struct ipc_security_struct *isec;
4862         struct avc_audit_data ad;
4863
4864         tsec = current->security;
4865         isec = shp->shm_perm.security;
4866
4867         AVC_AUDIT_DATA_INIT(&ad, IPC);
4868         ad.u.ipc_id = shp->shm_perm.key;
4869
4870         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4871                             SHM__ASSOCIATE, &ad);
4872 }
4873
4874 /* Note, at this point, shp is locked down */
4875 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4876 {
4877         int perms;
4878         int err;
4879
4880         switch (cmd) {
4881         case IPC_INFO:
4882         case SHM_INFO:
4883                 /* No specific object, just general system-wide information. */
4884                 return task_has_system(current, SYSTEM__IPC_INFO);
4885         case IPC_STAT:
4886         case SHM_STAT:
4887                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4888                 break;
4889         case IPC_SET:
4890                 perms = SHM__SETATTR;
4891                 break;
4892         case SHM_LOCK:
4893         case SHM_UNLOCK:
4894                 perms = SHM__LOCK;
4895                 break;
4896         case IPC_RMID:
4897                 perms = SHM__DESTROY;
4898                 break;
4899         default:
4900                 return 0;
4901         }
4902
4903         err = ipc_has_perm(&shp->shm_perm, perms);
4904         return err;
4905 }
4906
4907 static int selinux_shm_shmat(struct shmid_kernel *shp,
4908                              char __user *shmaddr, int shmflg)
4909 {
4910         u32 perms;
4911         int rc;
4912
4913         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4914         if (rc)
4915                 return rc;
4916
4917         if (shmflg & SHM_RDONLY)
4918                 perms = SHM__READ;
4919         else
4920                 perms = SHM__READ | SHM__WRITE;
4921
4922         return ipc_has_perm(&shp->shm_perm, perms);
4923 }
4924
4925 /* Semaphore security operations */
4926 static int selinux_sem_alloc_security(struct sem_array *sma)
4927 {
4928         struct task_security_struct *tsec;
4929         struct ipc_security_struct *isec;
4930         struct avc_audit_data ad;
4931         int rc;
4932
4933         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4934         if (rc)
4935                 return rc;
4936
4937         tsec = current->security;
4938         isec = sma->sem_perm.security;
4939
4940         AVC_AUDIT_DATA_INIT(&ad, IPC);
4941         ad.u.ipc_id = sma->sem_perm.key;
4942
4943         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4944                           SEM__CREATE, &ad);
4945         if (rc) {
4946                 ipc_free_security(&sma->sem_perm);
4947                 return rc;
4948         }
4949         return 0;
4950 }
4951
4952 static void selinux_sem_free_security(struct sem_array *sma)
4953 {
4954         ipc_free_security(&sma->sem_perm);
4955 }
4956
4957 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4958 {
4959         struct task_security_struct *tsec;
4960         struct ipc_security_struct *isec;
4961         struct avc_audit_data ad;
4962
4963         tsec = current->security;
4964         isec = sma->sem_perm.security;
4965
4966         AVC_AUDIT_DATA_INIT(&ad, IPC);
4967         ad.u.ipc_id = sma->sem_perm.key;
4968
4969         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4970                             SEM__ASSOCIATE, &ad);
4971 }
4972
4973 /* Note, at this point, sma is locked down */
4974 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4975 {
4976         int err;
4977         u32 perms;
4978
4979         switch (cmd) {
4980         case IPC_INFO:
4981         case SEM_INFO:
4982                 /* No specific object, just general system-wide information. */
4983                 return task_has_system(current, SYSTEM__IPC_INFO);
4984         case GETPID:
4985         case GETNCNT:
4986         case GETZCNT:
4987                 perms = SEM__GETATTR;
4988                 break;
4989         case GETVAL:
4990         case GETALL:
4991                 perms = SEM__READ;
4992                 break;
4993         case SETVAL:
4994         case SETALL:
4995                 perms = SEM__WRITE;
4996                 break;
4997         case IPC_RMID:
4998                 perms = SEM__DESTROY;
4999                 break;
5000         case IPC_SET:
5001                 perms = SEM__SETATTR;
5002                 break;
5003         case IPC_STAT:
5004         case SEM_STAT:
5005                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5006                 break;
5007         default:
5008                 return 0;
5009         }
5010
5011         err = ipc_has_perm(&sma->sem_perm, perms);
5012         return err;
5013 }
5014
5015 static int selinux_sem_semop(struct sem_array *sma,
5016                              struct sembuf *sops, unsigned nsops, int alter)
5017 {
5018         u32 perms;
5019
5020         if (alter)
5021                 perms = SEM__READ | SEM__WRITE;
5022         else
5023                 perms = SEM__READ;
5024
5025         return ipc_has_perm(&sma->sem_perm, perms);
5026 }
5027
5028 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5029 {
5030         u32 av = 0;
5031
5032         av = 0;
5033         if (flag & S_IRUGO)
5034                 av |= IPC__UNIX_READ;
5035         if (flag & S_IWUGO)
5036                 av |= IPC__UNIX_WRITE;
5037
5038         if (av == 0)
5039                 return 0;
5040
5041         return ipc_has_perm(ipcp, av);
5042 }
5043
5044 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5045 {
5046         struct ipc_security_struct *isec = ipcp->security;
5047         *secid = isec->sid;
5048 }
5049
5050 /* module stacking operations */
5051 static int selinux_register_security(const char *name, struct security_operations *ops)
5052 {
5053         if (secondary_ops != original_ops) {
5054                 printk(KERN_ERR "%s:  There is already a secondary security "
5055                        "module registered.\n", __func__);
5056                 return -EINVAL;
5057         }
5058
5059         secondary_ops = ops;
5060
5061         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5062                __func__,
5063                name);
5064
5065         return 0;
5066 }
5067
5068 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5069 {
5070         if (inode)
5071                 inode_doinit_with_dentry(inode, dentry);
5072 }
5073
5074 static int selinux_getprocattr(struct task_struct *p,
5075                                char *name, char **value)
5076 {
5077         struct task_security_struct *tsec;
5078         u32 sid;
5079         int error;
5080         unsigned len;
5081
5082         if (current != p) {
5083                 error = task_has_perm(current, p, PROCESS__GETATTR);
5084                 if (error)
5085                         return error;
5086         }
5087
5088         tsec = p->security;
5089
5090         if (!strcmp(name, "current"))
5091                 sid = tsec->sid;
5092         else if (!strcmp(name, "prev"))
5093                 sid = tsec->osid;
5094         else if (!strcmp(name, "exec"))
5095                 sid = tsec->exec_sid;
5096         else if (!strcmp(name, "fscreate"))
5097                 sid = tsec->create_sid;
5098         else if (!strcmp(name, "keycreate"))
5099                 sid = tsec->keycreate_sid;
5100         else if (!strcmp(name, "sockcreate"))
5101                 sid = tsec->sockcreate_sid;
5102         else
5103                 return -EINVAL;
5104
5105         if (!sid)
5106                 return 0;
5107
5108         error = security_sid_to_context(sid, value, &len);
5109         if (error)
5110                 return error;
5111         return len;
5112 }
5113
5114 static int selinux_setprocattr(struct task_struct *p,
5115                                char *name, void *value, size_t size)
5116 {
5117         struct task_security_struct *tsec;
5118         struct task_struct *tracer;
5119         u32 sid = 0;
5120         int error;
5121         char *str = value;
5122
5123         if (current != p) {
5124                 /* SELinux only allows a process to change its own
5125                    security attributes. */
5126                 return -EACCES;
5127         }
5128
5129         /*
5130          * Basic control over ability to set these attributes at all.
5131          * current == p, but we'll pass them separately in case the
5132          * above restriction is ever removed.
5133          */
5134         if (!strcmp(name, "exec"))
5135                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5136         else if (!strcmp(name, "fscreate"))
5137                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5138         else if (!strcmp(name, "keycreate"))
5139                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5140         else if (!strcmp(name, "sockcreate"))
5141                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5142         else if (!strcmp(name, "current"))
5143                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5144         else
5145                 error = -EINVAL;
5146         if (error)
5147                 return error;
5148
5149         /* Obtain a SID for the context, if one was specified. */
5150         if (size && str[1] && str[1] != '\n') {
5151                 if (str[size-1] == '\n') {
5152                         str[size-1] = 0;
5153                         size--;
5154                 }
5155                 error = security_context_to_sid(value, size, &sid);
5156                 if (error)
5157                         return error;
5158         }
5159
5160         /* Permission checking based on the specified context is
5161            performed during the actual operation (execve,
5162            open/mkdir/...), when we know the full context of the
5163            operation.  See selinux_bprm_set_security for the execve
5164            checks and may_create for the file creation checks. The
5165            operation will then fail if the context is not permitted. */
5166         tsec = p->security;
5167         if (!strcmp(name, "exec"))
5168                 tsec->exec_sid = sid;
5169         else if (!strcmp(name, "fscreate"))
5170                 tsec->create_sid = sid;
5171         else if (!strcmp(name, "keycreate")) {
5172                 error = may_create_key(sid, p);
5173                 if (error)
5174                         return error;
5175                 tsec->keycreate_sid = sid;
5176         } else if (!strcmp(name, "sockcreate"))
5177                 tsec->sockcreate_sid = sid;
5178         else if (!strcmp(name, "current")) {
5179                 struct av_decision avd;
5180
5181                 if (sid == 0)
5182                         return -EINVAL;
5183
5184                 /* Only allow single threaded processes to change context */
5185                 if (atomic_read(&p->mm->mm_users) != 1) {
5186                         struct task_struct *g, *t;
5187                         struct mm_struct *mm = p->mm;
5188                         read_lock(&tasklist_lock);
5189                         do_each_thread(g, t)
5190                                 if (t->mm == mm && t != p) {
5191                                         read_unlock(&tasklist_lock);
5192                                         return -EPERM;
5193                                 }
5194                         while_each_thread(g, t);
5195                         read_unlock(&tasklist_lock);
5196                 }
5197
5198                 /* Check permissions for the transition. */
5199                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5200                                      PROCESS__DYNTRANSITION, NULL);
5201                 if (error)
5202                         return error;
5203
5204                 /* Check for ptracing, and update the task SID if ok.
5205                    Otherwise, leave SID unchanged and fail. */
5206                 task_lock(p);
5207                 rcu_read_lock();
5208                 tracer = task_tracer_task(p);
5209                 if (tracer != NULL) {
5210                         struct task_security_struct *ptsec = tracer->security;
5211                         u32 ptsid = ptsec->sid;
5212                         rcu_read_unlock();
5213                         error = avc_has_perm_noaudit(ptsid, sid,
5214                                                      SECCLASS_PROCESS,
5215                                                      PROCESS__PTRACE, 0, &avd);
5216                         if (!error)
5217                                 tsec->sid = sid;
5218                         task_unlock(p);
5219                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5220                                   PROCESS__PTRACE, &avd, error, NULL);
5221                         if (error)
5222                                 return error;
5223                 } else {
5224                         rcu_read_unlock();
5225                         tsec->sid = sid;
5226                         task_unlock(p);
5227                 }
5228         } else
5229                 return -EINVAL;
5230
5231         return size;
5232 }
5233
5234 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5235 {
5236         return security_sid_to_context(secid, secdata, seclen);
5237 }
5238
5239 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5240 {
5241         return security_context_to_sid(secdata, seclen, secid);
5242 }
5243
5244 static void selinux_release_secctx(char *secdata, u32 seclen)
5245 {
5246         kfree(secdata);
5247 }
5248
5249 #ifdef CONFIG_KEYS
5250
5251 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5252                              unsigned long flags)
5253 {
5254         struct task_security_struct *tsec = tsk->security;
5255         struct key_security_struct *ksec;
5256
5257         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5258         if (!ksec)
5259                 return -ENOMEM;
5260
5261         if (tsec->keycreate_sid)
5262                 ksec->sid = tsec->keycreate_sid;
5263         else
5264                 ksec->sid = tsec->sid;
5265         k->security = ksec;
5266
5267         return 0;
5268 }
5269
5270 static void selinux_key_free(struct key *k)
5271 {
5272         struct key_security_struct *ksec = k->security;
5273
5274         k->security = NULL;
5275         kfree(ksec);
5276 }
5277
5278 static int selinux_key_permission(key_ref_t key_ref,
5279                             struct task_struct *ctx,
5280                             key_perm_t perm)
5281 {
5282         struct key *key;
5283         struct task_security_struct *tsec;
5284         struct key_security_struct *ksec;
5285
5286         key = key_ref_to_ptr(key_ref);
5287
5288         tsec = ctx->security;
5289         ksec = key->security;
5290
5291         /* if no specific permissions are requested, we skip the
5292            permission check. No serious, additional covert channels
5293            appear to be created. */
5294         if (perm == 0)
5295                 return 0;
5296
5297         return avc_has_perm(tsec->sid, ksec->sid,
5298                             SECCLASS_KEY, perm, NULL);
5299 }
5300
5301 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5302 {
5303         struct key_security_struct *ksec = key->security;
5304         char *context = NULL;
5305         unsigned len;
5306         int rc;
5307
5308         rc = security_sid_to_context(ksec->sid, &context, &len);
5309         if (!rc)
5310                 rc = len;
5311         *_buffer = context;
5312         return rc;
5313 }
5314
5315 #endif
5316
5317 static struct security_operations selinux_ops = {
5318         .name =                         "selinux",
5319
5320         .ptrace =                       selinux_ptrace,
5321         .capget =                       selinux_capget,
5322         .capset_check =                 selinux_capset_check,
5323         .capset_set =                   selinux_capset_set,
5324         .sysctl =                       selinux_sysctl,
5325         .capable =                      selinux_capable,
5326         .quotactl =                     selinux_quotactl,
5327         .quota_on =                     selinux_quota_on,
5328         .syslog =                       selinux_syslog,
5329         .vm_enough_memory =             selinux_vm_enough_memory,
5330
5331         .netlink_send =                 selinux_netlink_send,
5332         .netlink_recv =                 selinux_netlink_recv,
5333
5334         .bprm_alloc_security =          selinux_bprm_alloc_security,
5335         .bprm_free_security =           selinux_bprm_free_security,
5336         .bprm_apply_creds =             selinux_bprm_apply_creds,
5337         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5338         .bprm_set_security =            selinux_bprm_set_security,
5339         .bprm_check_security =          selinux_bprm_check_security,
5340         .bprm_secureexec =              selinux_bprm_secureexec,
5341
5342         .sb_alloc_security =            selinux_sb_alloc_security,
5343         .sb_free_security =             selinux_sb_free_security,
5344         .sb_copy_data =                 selinux_sb_copy_data,
5345         .sb_kern_mount =                selinux_sb_kern_mount,
5346         .sb_statfs =                    selinux_sb_statfs,
5347         .sb_mount =                     selinux_mount,
5348         .sb_umount =                    selinux_umount,
5349         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5350         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5351         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5352         .sb_parse_opts_str =            selinux_parse_opts_str,
5353
5354
5355         .inode_alloc_security =         selinux_inode_alloc_security,
5356         .inode_free_security =          selinux_inode_free_security,
5357         .inode_init_security =          selinux_inode_init_security,
5358         .inode_create =                 selinux_inode_create,
5359         .inode_link =                   selinux_inode_link,
5360         .inode_unlink =                 selinux_inode_unlink,
5361         .inode_symlink =                selinux_inode_symlink,
5362         .inode_mkdir =                  selinux_inode_mkdir,
5363         .inode_rmdir =                  selinux_inode_rmdir,
5364         .inode_mknod =                  selinux_inode_mknod,
5365         .inode_rename =                 selinux_inode_rename,
5366         .inode_readlink =               selinux_inode_readlink,
5367         .inode_follow_link =            selinux_inode_follow_link,
5368         .inode_permission =             selinux_inode_permission,
5369         .inode_setattr =                selinux_inode_setattr,
5370         .inode_getattr =                selinux_inode_getattr,
5371         .inode_setxattr =               selinux_inode_setxattr,
5372         .inode_post_setxattr =          selinux_inode_post_setxattr,
5373         .inode_getxattr =               selinux_inode_getxattr,
5374         .inode_listxattr =              selinux_inode_listxattr,
5375         .inode_removexattr =            selinux_inode_removexattr,
5376         .inode_getsecurity =            selinux_inode_getsecurity,
5377         .inode_setsecurity =            selinux_inode_setsecurity,
5378         .inode_listsecurity =           selinux_inode_listsecurity,
5379         .inode_need_killpriv =          selinux_inode_need_killpriv,
5380         .inode_killpriv =               selinux_inode_killpriv,
5381         .inode_getsecid =               selinux_inode_getsecid,
5382
5383         .file_permission =              selinux_file_permission,
5384         .file_alloc_security =          selinux_file_alloc_security,
5385         .file_free_security =           selinux_file_free_security,
5386         .file_ioctl =                   selinux_file_ioctl,
5387         .file_mmap =                    selinux_file_mmap,
5388         .file_mprotect =                selinux_file_mprotect,
5389         .file_lock =                    selinux_file_lock,
5390         .file_fcntl =                   selinux_file_fcntl,
5391         .file_set_fowner =              selinux_file_set_fowner,
5392         .file_send_sigiotask =          selinux_file_send_sigiotask,
5393         .file_receive =                 selinux_file_receive,
5394
5395         .dentry_open =                  selinux_dentry_open,
5396
5397         .task_create =                  selinux_task_create,
5398         .task_alloc_security =          selinux_task_alloc_security,
5399         .task_free_security =           selinux_task_free_security,
5400         .task_setuid =                  selinux_task_setuid,
5401         .task_post_setuid =             selinux_task_post_setuid,
5402         .task_setgid =                  selinux_task_setgid,
5403         .task_setpgid =                 selinux_task_setpgid,
5404         .task_getpgid =                 selinux_task_getpgid,
5405         .task_getsid =                  selinux_task_getsid,
5406         .task_getsecid =                selinux_task_getsecid,
5407         .task_setgroups =               selinux_task_setgroups,
5408         .task_setnice =                 selinux_task_setnice,
5409         .task_setioprio =               selinux_task_setioprio,
5410         .task_getioprio =               selinux_task_getioprio,
5411         .task_setrlimit =               selinux_task_setrlimit,
5412         .task_setscheduler =            selinux_task_setscheduler,
5413         .task_getscheduler =            selinux_task_getscheduler,
5414         .task_movememory =              selinux_task_movememory,
5415         .task_kill =                    selinux_task_kill,
5416         .task_wait =                    selinux_task_wait,
5417         .task_prctl =                   selinux_task_prctl,
5418         .task_reparent_to_init =        selinux_task_reparent_to_init,
5419         .task_to_inode =                selinux_task_to_inode,
5420
5421         .ipc_permission =               selinux_ipc_permission,
5422         .ipc_getsecid =                 selinux_ipc_getsecid,
5423
5424         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5425         .msg_msg_free_security =        selinux_msg_msg_free_security,
5426
5427         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5428         .msg_queue_free_security =      selinux_msg_queue_free_security,
5429         .msg_queue_associate =          selinux_msg_queue_associate,
5430         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5431         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5432         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5433
5434         .shm_alloc_security =           selinux_shm_alloc_security,
5435         .shm_free_security =            selinux_shm_free_security,
5436         .shm_associate =                selinux_shm_associate,
5437         .shm_shmctl =                   selinux_shm_shmctl,
5438         .shm_shmat =                    selinux_shm_shmat,
5439
5440         .sem_alloc_security =           selinux_sem_alloc_security,
5441         .sem_free_security =            selinux_sem_free_security,
5442         .sem_associate =                selinux_sem_associate,
5443         .sem_semctl =                   selinux_sem_semctl,
5444         .sem_semop =                    selinux_sem_semop,
5445
5446         .register_security =            selinux_register_security,
5447
5448         .d_instantiate =                selinux_d_instantiate,
5449
5450         .getprocattr =                  selinux_getprocattr,
5451         .setprocattr =                  selinux_setprocattr,
5452
5453         .secid_to_secctx =              selinux_secid_to_secctx,
5454         .secctx_to_secid =              selinux_secctx_to_secid,
5455         .release_secctx =               selinux_release_secctx,
5456
5457         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5458         .unix_may_send =                selinux_socket_unix_may_send,
5459
5460         .socket_create =                selinux_socket_create,
5461         .socket_post_create =           selinux_socket_post_create,
5462         .socket_bind =                  selinux_socket_bind,
5463         .socket_connect =               selinux_socket_connect,
5464         .socket_listen =                selinux_socket_listen,
5465         .socket_accept =                selinux_socket_accept,
5466         .socket_sendmsg =               selinux_socket_sendmsg,
5467         .socket_recvmsg =               selinux_socket_recvmsg,
5468         .socket_getsockname =           selinux_socket_getsockname,
5469         .socket_getpeername =           selinux_socket_getpeername,
5470         .socket_getsockopt =            selinux_socket_getsockopt,
5471         .socket_setsockopt =            selinux_socket_setsockopt,
5472         .socket_shutdown =              selinux_socket_shutdown,
5473         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5474         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5475         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5476         .sk_alloc_security =            selinux_sk_alloc_security,
5477         .sk_free_security =             selinux_sk_free_security,
5478         .sk_clone_security =            selinux_sk_clone_security,
5479         .sk_getsecid =                  selinux_sk_getsecid,
5480         .sock_graft =                   selinux_sock_graft,
5481         .inet_conn_request =            selinux_inet_conn_request,
5482         .inet_csk_clone =               selinux_inet_csk_clone,
5483         .inet_conn_established =        selinux_inet_conn_established,
5484         .req_classify_flow =            selinux_req_classify_flow,
5485
5486 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5487         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5488         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5489         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5490         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5491         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5492         .xfrm_state_free_security =     selinux_xfrm_state_free,
5493         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5494         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5495         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5496         .xfrm_decode_session =          selinux_xfrm_decode_session,
5497 #endif
5498
5499 #ifdef CONFIG_KEYS
5500         .key_alloc =                    selinux_key_alloc,
5501         .key_free =                     selinux_key_free,
5502         .key_permission =               selinux_key_permission,
5503         .key_getsecurity =              selinux_key_getsecurity,
5504 #endif
5505
5506 #ifdef CONFIG_AUDIT
5507         .audit_rule_init =              selinux_audit_rule_init,
5508         .audit_rule_known =             selinux_audit_rule_known,
5509         .audit_rule_match =             selinux_audit_rule_match,
5510         .audit_rule_free =              selinux_audit_rule_free,
5511 #endif
5512 };
5513
5514 static __init int selinux_init(void)
5515 {
5516         struct task_security_struct *tsec;
5517
5518         if (!security_module_enable(&selinux_ops)) {
5519                 selinux_enabled = 0;
5520                 return 0;
5521         }
5522
5523         if (!selinux_enabled) {
5524                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5525                 return 0;
5526         }
5527
5528         printk(KERN_INFO "SELinux:  Initializing.\n");
5529
5530         /* Set the security state for the initial task. */
5531         if (task_alloc_security(current))
5532                 panic("SELinux:  Failed to initialize initial task.\n");
5533         tsec = current->security;
5534         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5535
5536         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5537                                             sizeof(struct inode_security_struct),
5538                                             0, SLAB_PANIC, NULL);
5539         avc_init();
5540
5541         original_ops = secondary_ops = security_ops;
5542         if (!secondary_ops)
5543                 panic("SELinux: No initial security operations\n");
5544         if (register_security(&selinux_ops))
5545                 panic("SELinux: Unable to register with kernel.\n");
5546
5547         if (selinux_enforcing)
5548                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5549         else
5550                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5551
5552         return 0;
5553 }
5554
5555 void selinux_complete_init(void)
5556 {
5557         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5558
5559         /* Set up any superblocks initialized prior to the policy load. */
5560         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5561         spin_lock(&sb_lock);
5562         spin_lock(&sb_security_lock);
5563 next_sb:
5564         if (!list_empty(&superblock_security_head)) {
5565                 struct superblock_security_struct *sbsec =
5566                                 list_entry(superblock_security_head.next,
5567                                            struct superblock_security_struct,
5568                                            list);
5569                 struct super_block *sb = sbsec->sb;
5570                 sb->s_count++;
5571                 spin_unlock(&sb_security_lock);
5572                 spin_unlock(&sb_lock);
5573                 down_read(&sb->s_umount);
5574                 if (sb->s_root)
5575                         superblock_doinit(sb, NULL);
5576                 drop_super(sb);
5577                 spin_lock(&sb_lock);
5578                 spin_lock(&sb_security_lock);
5579                 list_del_init(&sbsec->list);
5580                 goto next_sb;
5581         }
5582         spin_unlock(&sb_security_lock);
5583         spin_unlock(&sb_lock);
5584 }
5585
5586 /* SELinux requires early initialization in order to label
5587    all processes and objects when they are created. */
5588 security_initcall(selinux_init);
5589
5590 #if defined(CONFIG_NETFILTER)
5591
5592 static struct nf_hook_ops selinux_ipv4_ops[] = {
5593         {
5594                 .hook =         selinux_ipv4_postroute,
5595                 .owner =        THIS_MODULE,
5596                 .pf =           PF_INET,
5597                 .hooknum =      NF_INET_POST_ROUTING,
5598                 .priority =     NF_IP_PRI_SELINUX_LAST,
5599         },
5600         {
5601                 .hook =         selinux_ipv4_forward,
5602                 .owner =        THIS_MODULE,
5603                 .pf =           PF_INET,
5604                 .hooknum =      NF_INET_FORWARD,
5605                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5606         }
5607 };
5608
5609 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5610
5611 static struct nf_hook_ops selinux_ipv6_ops[] = {
5612         {
5613                 .hook =         selinux_ipv6_postroute,
5614                 .owner =        THIS_MODULE,
5615                 .pf =           PF_INET6,
5616                 .hooknum =      NF_INET_POST_ROUTING,
5617                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5618         },
5619         {
5620                 .hook =         selinux_ipv6_forward,
5621                 .owner =        THIS_MODULE,
5622                 .pf =           PF_INET6,
5623                 .hooknum =      NF_INET_FORWARD,
5624                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5625         }
5626 };
5627
5628 #endif  /* IPV6 */
5629
5630 static int __init selinux_nf_ip_init(void)
5631 {
5632         int err = 0;
5633         u32 iter;
5634
5635         if (!selinux_enabled)
5636                 goto out;
5637
5638         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5639
5640         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5641                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5642                 if (err)
5643                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5644                               err);
5645         }
5646
5647 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5648         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5649                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5650                 if (err)
5651                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5652                               err);
5653         }
5654 #endif  /* IPV6 */
5655
5656 out:
5657         return err;
5658 }
5659
5660 __initcall(selinux_nf_ip_init);
5661
5662 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5663 static void selinux_nf_ip_exit(void)
5664 {
5665         u32 iter;
5666
5667         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5668
5669         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5670                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5671 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5672         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5673                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5674 #endif  /* IPV6 */
5675 }
5676 #endif
5677
5678 #else /* CONFIG_NETFILTER */
5679
5680 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5681 #define selinux_nf_ip_exit()
5682 #endif
5683
5684 #endif /* CONFIG_NETFILTER */
5685
5686 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5687 static int selinux_disabled;
5688
5689 int selinux_disable(void)
5690 {
5691         extern void exit_sel_fs(void);
5692
5693         if (ss_initialized) {
5694                 /* Not permitted after initial policy load. */
5695                 return -EINVAL;
5696         }
5697
5698         if (selinux_disabled) {
5699                 /* Only do this once. */
5700                 return -EINVAL;
5701         }
5702
5703         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5704
5705         selinux_disabled = 1;
5706         selinux_enabled = 0;
5707
5708         /* Reset security_ops to the secondary module, dummy or capability. */
5709         security_ops = secondary_ops;
5710
5711         /* Unregister netfilter hooks. */
5712         selinux_nf_ip_exit();
5713
5714         /* Unregister selinuxfs. */
5715         exit_sel_fs();
5716
5717         return 0;
5718 }
5719 #endif