CRED: Make execve() take advantage of copy-on-write credentials
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         unsigned long enforcing;
108         if (!strict_strtoul(str, 0, &enforcing))
109                 selinux_enforcing = enforcing ? 1 : 0;
110         return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120         unsigned long enabled;
121         if (!strict_strtoul(str, 0, &enabled))
122                 selinux_enabled = enabled ? 1 : 0;
123         return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132  * Minimal support for a secondary security module,
133  * just to allow the use of the capability module.
134  */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138    before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146  *
147  * Description:
148  * This function checks the SECMARK reference counter to see if any SECMARK
149  * targets are currently configured, if the reference counter is greater than
150  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
151  * enabled, false (0) if SECMARK is disabled.
152  *
153  */
154 static int selinux_secmark_enabled(void)
155 {
156         return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160  * initialise the security for the init task
161  */
162 static void cred_init_security(void)
163 {
164         struct cred *cred = (struct cred *) current->cred;
165         struct task_security_struct *tsec;
166
167         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168         if (!tsec)
169                 panic("SELinux:  Failed to initialize initial task.\n");
170
171         tsec->osid = tsec->sid = SECINITSID_KERNEL;
172         cred->security = tsec;
173 }
174
175 /*
176  * get the security ID of a set of credentials
177  */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180         const struct task_security_struct *tsec;
181
182         tsec = cred->security;
183         return tsec->sid;
184 }
185
186 /*
187  * get the security ID of a task
188  */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191         u32 sid;
192
193         rcu_read_lock();
194         sid = cred_sid(__task_cred(task));
195         rcu_read_unlock();
196         return sid;
197 }
198
199 /*
200  * get the security ID of the current task
201  */
202 static inline u32 current_sid(void)
203 {
204         const struct task_security_struct *tsec = current_cred()->security;
205
206         return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213         struct inode_security_struct *isec;
214         u32 sid = current_sid();
215
216         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217         if (!isec)
218                 return -ENOMEM;
219
220         mutex_init(&isec->lock);
221         INIT_LIST_HEAD(&isec->list);
222         isec->inode = inode;
223         isec->sid = SECINITSID_UNLABELED;
224         isec->sclass = SECCLASS_FILE;
225         isec->task_sid = sid;
226         inode->i_security = isec;
227
228         return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233         struct inode_security_struct *isec = inode->i_security;
234         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236         spin_lock(&sbsec->isec_lock);
237         if (!list_empty(&isec->list))
238                 list_del_init(&isec->list);
239         spin_unlock(&sbsec->isec_lock);
240
241         inode->i_security = NULL;
242         kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247         struct file_security_struct *fsec;
248         u32 sid = current_sid();
249
250         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251         if (!fsec)
252                 return -ENOMEM;
253
254         fsec->sid = sid;
255         fsec->fown_sid = sid;
256         file->f_security = fsec;
257
258         return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263         struct file_security_struct *fsec = file->f_security;
264         file->f_security = NULL;
265         kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270         struct superblock_security_struct *sbsec;
271
272         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273         if (!sbsec)
274                 return -ENOMEM;
275
276         mutex_init(&sbsec->lock);
277         INIT_LIST_HEAD(&sbsec->list);
278         INIT_LIST_HEAD(&sbsec->isec_head);
279         spin_lock_init(&sbsec->isec_lock);
280         sbsec->sb = sb;
281         sbsec->sid = SECINITSID_UNLABELED;
282         sbsec->def_sid = SECINITSID_FILE;
283         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284         sb->s_security = sbsec;
285
286         return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291         struct superblock_security_struct *sbsec = sb->s_security;
292
293         spin_lock(&sb_security_lock);
294         if (!list_empty(&sbsec->list))
295                 list_del_init(&sbsec->list);
296         spin_unlock(&sb_security_lock);
297
298         sb->s_security = NULL;
299         kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304         struct sk_security_struct *ssec;
305
306         ssec = kzalloc(sizeof(*ssec), priority);
307         if (!ssec)
308                 return -ENOMEM;
309
310         ssec->peer_sid = SECINITSID_UNLABELED;
311         ssec->sid = SECINITSID_UNLABELED;
312         sk->sk_security = ssec;
313
314         selinux_netlbl_sk_security_reset(ssec, family);
315
316         return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321         struct sk_security_struct *ssec = sk->sk_security;
322
323         sk->sk_security = NULL;
324         selinux_netlbl_sk_security_free(ssec);
325         kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329    any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335         "uses xattr",
336         "uses transition SIDs",
337         "uses task SIDs",
338         "uses genfs_contexts",
339         "not configured for labeling",
340         "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347         return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351         Opt_error = -1,
352         Opt_context = 1,
353         Opt_fscontext = 2,
354         Opt_defcontext = 3,
355         Opt_rootcontext = 4,
356 };
357
358 static const match_table_t tokens = {
359         {Opt_context, CONTEXT_STR "%s"},
360         {Opt_fscontext, FSCONTEXT_STR "%s"},
361         {Opt_defcontext, DEFCONTEXT_STR "%s"},
362         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363         {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369                         struct superblock_security_struct *sbsec,
370                         const struct cred *cred)
371 {
372         const struct task_security_struct *tsec = cred->security;
373         int rc;
374
375         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376                           FILESYSTEM__RELABELFROM, NULL);
377         if (rc)
378                 return rc;
379
380         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381                           FILESYSTEM__RELABELTO, NULL);
382         return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386                         struct superblock_security_struct *sbsec,
387                         const struct cred *cred)
388 {
389         const struct task_security_struct *tsec = cred->security;
390         int rc;
391         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392                           FILESYSTEM__RELABELFROM, NULL);
393         if (rc)
394                 return rc;
395
396         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397                           FILESYSTEM__ASSOCIATE, NULL);
398         return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403         struct superblock_security_struct *sbsec = sb->s_security;
404         struct dentry *root = sb->s_root;
405         struct inode *root_inode = root->d_inode;
406         int rc = 0;
407
408         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409                 /* Make sure that the xattr handler exists and that no
410                    error other than -ENODATA is returned by getxattr on
411                    the root directory.  -ENODATA is ok, as this may be
412                    the first boot of the SELinux kernel before we have
413                    assigned xattr values to the filesystem. */
414                 if (!root_inode->i_op->getxattr) {
415                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416                                "xattr support\n", sb->s_id, sb->s_type->name);
417                         rc = -EOPNOTSUPP;
418                         goto out;
419                 }
420                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421                 if (rc < 0 && rc != -ENODATA) {
422                         if (rc == -EOPNOTSUPP)
423                                 printk(KERN_WARNING "SELinux: (dev %s, type "
424                                        "%s) has no security xattr handler\n",
425                                        sb->s_id, sb->s_type->name);
426                         else
427                                 printk(KERN_WARNING "SELinux: (dev %s, type "
428                                        "%s) getxattr errno %d\n", sb->s_id,
429                                        sb->s_type->name, -rc);
430                         goto out;
431                 }
432         }
433
434         sbsec->initialized = 1;
435
436         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438                        sb->s_id, sb->s_type->name);
439         else
440                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441                        sb->s_id, sb->s_type->name,
442                        labeling_behaviors[sbsec->behavior-1]);
443
444         /* Initialize the root inode. */
445         rc = inode_doinit_with_dentry(root_inode, root);
446
447         /* Initialize any other inodes associated with the superblock, e.g.
448            inodes created prior to initial policy load or inodes created
449            during get_sb by a pseudo filesystem that directly
450            populates itself. */
451         spin_lock(&sbsec->isec_lock);
452 next_inode:
453         if (!list_empty(&sbsec->isec_head)) {
454                 struct inode_security_struct *isec =
455                                 list_entry(sbsec->isec_head.next,
456                                            struct inode_security_struct, list);
457                 struct inode *inode = isec->inode;
458                 spin_unlock(&sbsec->isec_lock);
459                 inode = igrab(inode);
460                 if (inode) {
461                         if (!IS_PRIVATE(inode))
462                                 inode_doinit(inode);
463                         iput(inode);
464                 }
465                 spin_lock(&sbsec->isec_lock);
466                 list_del_init(&isec->list);
467                 goto next_inode;
468         }
469         spin_unlock(&sbsec->isec_lock);
470 out:
471         return rc;
472 }
473
474 /*
475  * This function should allow an FS to ask what it's mount security
476  * options were so it can use those later for submounts, displaying
477  * mount options, or whatever.
478  */
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480                                 struct security_mnt_opts *opts)
481 {
482         int rc = 0, i;
483         struct superblock_security_struct *sbsec = sb->s_security;
484         char *context = NULL;
485         u32 len;
486         char tmp;
487
488         security_init_mnt_opts(opts);
489
490         if (!sbsec->initialized)
491                 return -EINVAL;
492
493         if (!ss_initialized)
494                 return -EINVAL;
495
496         /*
497          * if we ever use sbsec flags for anything other than tracking mount
498          * settings this is going to need a mask
499          */
500         tmp = sbsec->flags;
501         /* count the number of mount options for this sb */
502         for (i = 0; i < 8; i++) {
503                 if (tmp & 0x01)
504                         opts->num_mnt_opts++;
505                 tmp >>= 1;
506         }
507
508         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509         if (!opts->mnt_opts) {
510                 rc = -ENOMEM;
511                 goto out_free;
512         }
513
514         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515         if (!opts->mnt_opts_flags) {
516                 rc = -ENOMEM;
517                 goto out_free;
518         }
519
520         i = 0;
521         if (sbsec->flags & FSCONTEXT_MNT) {
522                 rc = security_sid_to_context(sbsec->sid, &context, &len);
523                 if (rc)
524                         goto out_free;
525                 opts->mnt_opts[i] = context;
526                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
527         }
528         if (sbsec->flags & CONTEXT_MNT) {
529                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530                 if (rc)
531                         goto out_free;
532                 opts->mnt_opts[i] = context;
533                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534         }
535         if (sbsec->flags & DEFCONTEXT_MNT) {
536                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537                 if (rc)
538                         goto out_free;
539                 opts->mnt_opts[i] = context;
540                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
541         }
542         if (sbsec->flags & ROOTCONTEXT_MNT) {
543                 struct inode *root = sbsec->sb->s_root->d_inode;
544                 struct inode_security_struct *isec = root->i_security;
545
546                 rc = security_sid_to_context(isec->sid, &context, &len);
547                 if (rc)
548                         goto out_free;
549                 opts->mnt_opts[i] = context;
550                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551         }
552
553         BUG_ON(i != opts->num_mnt_opts);
554
555         return 0;
556
557 out_free:
558         security_free_mnt_opts(opts);
559         return rc;
560 }
561
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563                       u32 old_sid, u32 new_sid)
564 {
565         /* check if the old mount command had the same options */
566         if (sbsec->initialized)
567                 if (!(sbsec->flags & flag) ||
568                     (old_sid != new_sid))
569                         return 1;
570
571         /* check if we were passed the same options twice,
572          * aka someone passed context=a,context=b
573          */
574         if (!sbsec->initialized)
575                 if (sbsec->flags & flag)
576                         return 1;
577         return 0;
578 }
579
580 /*
581  * Allow filesystems with binary mount data to explicitly set mount point
582  * labeling information.
583  */
584 static int selinux_set_mnt_opts(struct super_block *sb,
585                                 struct security_mnt_opts *opts)
586 {
587         const struct cred *cred = current_cred();
588         int rc = 0, i;
589         struct superblock_security_struct *sbsec = sb->s_security;
590         const char *name = sb->s_type->name;
591         struct inode *inode = sbsec->sb->s_root->d_inode;
592         struct inode_security_struct *root_isec = inode->i_security;
593         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594         u32 defcontext_sid = 0;
595         char **mount_options = opts->mnt_opts;
596         int *flags = opts->mnt_opts_flags;
597         int num_opts = opts->num_mnt_opts;
598
599         mutex_lock(&sbsec->lock);
600
601         if (!ss_initialized) {
602                 if (!num_opts) {
603                         /* Defer initialization until selinux_complete_init,
604                            after the initial policy is loaded and the security
605                            server is ready to handle calls. */
606                         spin_lock(&sb_security_lock);
607                         if (list_empty(&sbsec->list))
608                                 list_add(&sbsec->list, &superblock_security_head);
609                         spin_unlock(&sb_security_lock);
610                         goto out;
611                 }
612                 rc = -EINVAL;
613                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614                         "before the security server is initialized\n");
615                 goto out;
616         }
617
618         /*
619          * Binary mount data FS will come through this function twice.  Once
620          * from an explicit call and once from the generic calls from the vfs.
621          * Since the generic VFS calls will not contain any security mount data
622          * we need to skip the double mount verification.
623          *
624          * This does open a hole in which we will not notice if the first
625          * mount using this sb set explict options and a second mount using
626          * this sb does not set any security options.  (The first options
627          * will be used for both mounts)
628          */
629         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630             && (num_opts == 0))
631                 goto out;
632
633         /*
634          * parse the mount options, check if they are valid sids.
635          * also check if someone is trying to mount the same sb more
636          * than once with different security options.
637          */
638         for (i = 0; i < num_opts; i++) {
639                 u32 sid;
640                 rc = security_context_to_sid(mount_options[i],
641                                              strlen(mount_options[i]), &sid);
642                 if (rc) {
643                         printk(KERN_WARNING "SELinux: security_context_to_sid"
644                                "(%s) failed for (dev %s, type %s) errno=%d\n",
645                                mount_options[i], sb->s_id, name, rc);
646                         goto out;
647                 }
648                 switch (flags[i]) {
649                 case FSCONTEXT_MNT:
650                         fscontext_sid = sid;
651
652                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653                                         fscontext_sid))
654                                 goto out_double_mount;
655
656                         sbsec->flags |= FSCONTEXT_MNT;
657                         break;
658                 case CONTEXT_MNT:
659                         context_sid = sid;
660
661                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662                                         context_sid))
663                                 goto out_double_mount;
664
665                         sbsec->flags |= CONTEXT_MNT;
666                         break;
667                 case ROOTCONTEXT_MNT:
668                         rootcontext_sid = sid;
669
670                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671                                         rootcontext_sid))
672                                 goto out_double_mount;
673
674                         sbsec->flags |= ROOTCONTEXT_MNT;
675
676                         break;
677                 case DEFCONTEXT_MNT:
678                         defcontext_sid = sid;
679
680                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681                                         defcontext_sid))
682                                 goto out_double_mount;
683
684                         sbsec->flags |= DEFCONTEXT_MNT;
685
686                         break;
687                 default:
688                         rc = -EINVAL;
689                         goto out;
690                 }
691         }
692
693         if (sbsec->initialized) {
694                 /* previously mounted with options, but not on this attempt? */
695                 if (sbsec->flags && !num_opts)
696                         goto out_double_mount;
697                 rc = 0;
698                 goto out;
699         }
700
701         if (strcmp(sb->s_type->name, "proc") == 0)
702                 sbsec->proc = 1;
703
704         /* Determine the labeling behavior to use for this filesystem type. */
705         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706         if (rc) {
707                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708                        __func__, sb->s_type->name, rc);
709                 goto out;
710         }
711
712         /* sets the context of the superblock for the fs being mounted. */
713         if (fscontext_sid) {
714                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
715                 if (rc)
716                         goto out;
717
718                 sbsec->sid = fscontext_sid;
719         }
720
721         /*
722          * Switch to using mount point labeling behavior.
723          * sets the label used on all file below the mountpoint, and will set
724          * the superblock context if not already set.
725          */
726         if (context_sid) {
727                 if (!fscontext_sid) {
728                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
729                                                           cred);
730                         if (rc)
731                                 goto out;
732                         sbsec->sid = context_sid;
733                 } else {
734                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
735                                                              cred);
736                         if (rc)
737                                 goto out;
738                 }
739                 if (!rootcontext_sid)
740                         rootcontext_sid = context_sid;
741
742                 sbsec->mntpoint_sid = context_sid;
743                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744         }
745
746         if (rootcontext_sid) {
747                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748                                                      cred);
749                 if (rc)
750                         goto out;
751
752                 root_isec->sid = rootcontext_sid;
753                 root_isec->initialized = 1;
754         }
755
756         if (defcontext_sid) {
757                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758                         rc = -EINVAL;
759                         printk(KERN_WARNING "SELinux: defcontext option is "
760                                "invalid for this filesystem type\n");
761                         goto out;
762                 }
763
764                 if (defcontext_sid != sbsec->def_sid) {
765                         rc = may_context_mount_inode_relabel(defcontext_sid,
766                                                              sbsec, cred);
767                         if (rc)
768                                 goto out;
769                 }
770
771                 sbsec->def_sid = defcontext_sid;
772         }
773
774         rc = sb_finish_set_opts(sb);
775 out:
776         mutex_unlock(&sbsec->lock);
777         return rc;
778 out_double_mount:
779         rc = -EINVAL;
780         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
781                "security settings for (dev %s, type %s)\n", sb->s_id, name);
782         goto out;
783 }
784
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786                                         struct super_block *newsb)
787 {
788         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789         struct superblock_security_struct *newsbsec = newsb->s_security;
790
791         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
792         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
793         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795         /*
796          * if the parent was able to be mounted it clearly had no special lsm
797          * mount options.  thus we can safely put this sb on the list and deal
798          * with it later
799          */
800         if (!ss_initialized) {
801                 spin_lock(&sb_security_lock);
802                 if (list_empty(&newsbsec->list))
803                         list_add(&newsbsec->list, &superblock_security_head);
804                 spin_unlock(&sb_security_lock);
805                 return;
806         }
807
808         /* how can we clone if the old one wasn't set up?? */
809         BUG_ON(!oldsbsec->initialized);
810
811         /* if fs is reusing a sb, just let its options stand... */
812         if (newsbsec->initialized)
813                 return;
814
815         mutex_lock(&newsbsec->lock);
816
817         newsbsec->flags = oldsbsec->flags;
818
819         newsbsec->sid = oldsbsec->sid;
820         newsbsec->def_sid = oldsbsec->def_sid;
821         newsbsec->behavior = oldsbsec->behavior;
822
823         if (set_context) {
824                 u32 sid = oldsbsec->mntpoint_sid;
825
826                 if (!set_fscontext)
827                         newsbsec->sid = sid;
828                 if (!set_rootcontext) {
829                         struct inode *newinode = newsb->s_root->d_inode;
830                         struct inode_security_struct *newisec = newinode->i_security;
831                         newisec->sid = sid;
832                 }
833                 newsbsec->mntpoint_sid = sid;
834         }
835         if (set_rootcontext) {
836                 const struct inode *oldinode = oldsb->s_root->d_inode;
837                 const struct inode_security_struct *oldisec = oldinode->i_security;
838                 struct inode *newinode = newsb->s_root->d_inode;
839                 struct inode_security_struct *newisec = newinode->i_security;
840
841                 newisec->sid = oldisec->sid;
842         }
843
844         sb_finish_set_opts(newsb);
845         mutex_unlock(&newsbsec->lock);
846 }
847
848 static int selinux_parse_opts_str(char *options,
849                                   struct security_mnt_opts *opts)
850 {
851         char *p;
852         char *context = NULL, *defcontext = NULL;
853         char *fscontext = NULL, *rootcontext = NULL;
854         int rc, num_mnt_opts = 0;
855
856         opts->num_mnt_opts = 0;
857
858         /* Standard string-based options. */
859         while ((p = strsep(&options, "|")) != NULL) {
860                 int token;
861                 substring_t args[MAX_OPT_ARGS];
862
863                 if (!*p)
864                         continue;
865
866                 token = match_token(p, tokens, args);
867
868                 switch (token) {
869                 case Opt_context:
870                         if (context || defcontext) {
871                                 rc = -EINVAL;
872                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873                                 goto out_err;
874                         }
875                         context = match_strdup(&args[0]);
876                         if (!context) {
877                                 rc = -ENOMEM;
878                                 goto out_err;
879                         }
880                         break;
881
882                 case Opt_fscontext:
883                         if (fscontext) {
884                                 rc = -EINVAL;
885                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886                                 goto out_err;
887                         }
888                         fscontext = match_strdup(&args[0]);
889                         if (!fscontext) {
890                                 rc = -ENOMEM;
891                                 goto out_err;
892                         }
893                         break;
894
895                 case Opt_rootcontext:
896                         if (rootcontext) {
897                                 rc = -EINVAL;
898                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899                                 goto out_err;
900                         }
901                         rootcontext = match_strdup(&args[0]);
902                         if (!rootcontext) {
903                                 rc = -ENOMEM;
904                                 goto out_err;
905                         }
906                         break;
907
908                 case Opt_defcontext:
909                         if (context || defcontext) {
910                                 rc = -EINVAL;
911                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912                                 goto out_err;
913                         }
914                         defcontext = match_strdup(&args[0]);
915                         if (!defcontext) {
916                                 rc = -ENOMEM;
917                                 goto out_err;
918                         }
919                         break;
920
921                 default:
922                         rc = -EINVAL;
923                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
924                         goto out_err;
925
926                 }
927         }
928
929         rc = -ENOMEM;
930         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931         if (!opts->mnt_opts)
932                 goto out_err;
933
934         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935         if (!opts->mnt_opts_flags) {
936                 kfree(opts->mnt_opts);
937                 goto out_err;
938         }
939
940         if (fscontext) {
941                 opts->mnt_opts[num_mnt_opts] = fscontext;
942                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943         }
944         if (context) {
945                 opts->mnt_opts[num_mnt_opts] = context;
946                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947         }
948         if (rootcontext) {
949                 opts->mnt_opts[num_mnt_opts] = rootcontext;
950                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951         }
952         if (defcontext) {
953                 opts->mnt_opts[num_mnt_opts] = defcontext;
954                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955         }
956
957         opts->num_mnt_opts = num_mnt_opts;
958         return 0;
959
960 out_err:
961         kfree(context);
962         kfree(defcontext);
963         kfree(fscontext);
964         kfree(rootcontext);
965         return rc;
966 }
967 /*
968  * string mount options parsing and call set the sbsec
969  */
970 static int superblock_doinit(struct super_block *sb, void *data)
971 {
972         int rc = 0;
973         char *options = data;
974         struct security_mnt_opts opts;
975
976         security_init_mnt_opts(&opts);
977
978         if (!data)
979                 goto out;
980
981         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983         rc = selinux_parse_opts_str(options, &opts);
984         if (rc)
985                 goto out_err;
986
987 out:
988         rc = selinux_set_mnt_opts(sb, &opts);
989
990 out_err:
991         security_free_mnt_opts(&opts);
992         return rc;
993 }
994
995 static void selinux_write_opts(struct seq_file *m,
996                                struct security_mnt_opts *opts)
997 {
998         int i;
999         char *prefix;
1000
1001         for (i = 0; i < opts->num_mnt_opts; i++) {
1002                 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004                 switch (opts->mnt_opts_flags[i]) {
1005                 case CONTEXT_MNT:
1006                         prefix = CONTEXT_STR;
1007                         break;
1008                 case FSCONTEXT_MNT:
1009                         prefix = FSCONTEXT_STR;
1010                         break;
1011                 case ROOTCONTEXT_MNT:
1012                         prefix = ROOTCONTEXT_STR;
1013                         break;
1014                 case DEFCONTEXT_MNT:
1015                         prefix = DEFCONTEXT_STR;
1016                         break;
1017                 default:
1018                         BUG();
1019                 };
1020                 /* we need a comma before each option */
1021                 seq_putc(m, ',');
1022                 seq_puts(m, prefix);
1023                 if (has_comma)
1024                         seq_putc(m, '\"');
1025                 seq_puts(m, opts->mnt_opts[i]);
1026                 if (has_comma)
1027                         seq_putc(m, '\"');
1028         }
1029 }
1030
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032 {
1033         struct security_mnt_opts opts;
1034         int rc;
1035
1036         rc = selinux_get_mnt_opts(sb, &opts);
1037         if (rc) {
1038                 /* before policy load we may get EINVAL, don't show anything */
1039                 if (rc == -EINVAL)
1040                         rc = 0;
1041                 return rc;
1042         }
1043
1044         selinux_write_opts(m, &opts);
1045
1046         security_free_mnt_opts(&opts);
1047
1048         return rc;
1049 }
1050
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1052 {
1053         switch (mode & S_IFMT) {
1054         case S_IFSOCK:
1055                 return SECCLASS_SOCK_FILE;
1056         case S_IFLNK:
1057                 return SECCLASS_LNK_FILE;
1058         case S_IFREG:
1059                 return SECCLASS_FILE;
1060         case S_IFBLK:
1061                 return SECCLASS_BLK_FILE;
1062         case S_IFDIR:
1063                 return SECCLASS_DIR;
1064         case S_IFCHR:
1065                 return SECCLASS_CHR_FILE;
1066         case S_IFIFO:
1067                 return SECCLASS_FIFO_FILE;
1068
1069         }
1070
1071         return SECCLASS_FILE;
1072 }
1073
1074 static inline int default_protocol_stream(int protocol)
1075 {
1076         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 }
1078
1079 static inline int default_protocol_dgram(int protocol)
1080 {
1081         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 }
1083
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085 {
1086         switch (family) {
1087         case PF_UNIX:
1088                 switch (type) {
1089                 case SOCK_STREAM:
1090                 case SOCK_SEQPACKET:
1091                         return SECCLASS_UNIX_STREAM_SOCKET;
1092                 case SOCK_DGRAM:
1093                         return SECCLASS_UNIX_DGRAM_SOCKET;
1094                 }
1095                 break;
1096         case PF_INET:
1097         case PF_INET6:
1098                 switch (type) {
1099                 case SOCK_STREAM:
1100                         if (default_protocol_stream(protocol))
1101                                 return SECCLASS_TCP_SOCKET;
1102                         else
1103                                 return SECCLASS_RAWIP_SOCKET;
1104                 case SOCK_DGRAM:
1105                         if (default_protocol_dgram(protocol))
1106                                 return SECCLASS_UDP_SOCKET;
1107                         else
1108                                 return SECCLASS_RAWIP_SOCKET;
1109                 case SOCK_DCCP:
1110                         return SECCLASS_DCCP_SOCKET;
1111                 default:
1112                         return SECCLASS_RAWIP_SOCKET;
1113                 }
1114                 break;
1115         case PF_NETLINK:
1116                 switch (protocol) {
1117                 case NETLINK_ROUTE:
1118                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1119                 case NETLINK_FIREWALL:
1120                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121                 case NETLINK_INET_DIAG:
1122                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123                 case NETLINK_NFLOG:
1124                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1125                 case NETLINK_XFRM:
1126                         return SECCLASS_NETLINK_XFRM_SOCKET;
1127                 case NETLINK_SELINUX:
1128                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1129                 case NETLINK_AUDIT:
1130                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1131                 case NETLINK_IP6_FW:
1132                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1133                 case NETLINK_DNRTMSG:
1134                         return SECCLASS_NETLINK_DNRT_SOCKET;
1135                 case NETLINK_KOBJECT_UEVENT:
1136                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1137                 default:
1138                         return SECCLASS_NETLINK_SOCKET;
1139                 }
1140         case PF_PACKET:
1141                 return SECCLASS_PACKET_SOCKET;
1142         case PF_KEY:
1143                 return SECCLASS_KEY_SOCKET;
1144         case PF_APPLETALK:
1145                 return SECCLASS_APPLETALK_SOCKET;
1146         }
1147
1148         return SECCLASS_SOCKET;
1149 }
1150
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153                                 u16 tclass,
1154                                 u32 *sid)
1155 {
1156         int buflen, rc;
1157         char *buffer, *path, *end;
1158
1159         buffer = (char *)__get_free_page(GFP_KERNEL);
1160         if (!buffer)
1161                 return -ENOMEM;
1162
1163         buflen = PAGE_SIZE;
1164         end = buffer+buflen;
1165         *--end = '\0';
1166         buflen--;
1167         path = end-1;
1168         *path = '/';
1169         while (de && de != de->parent) {
1170                 buflen -= de->namelen + 1;
1171                 if (buflen < 0)
1172                         break;
1173                 end -= de->namelen;
1174                 memcpy(end, de->name, de->namelen);
1175                 *--end = '/';
1176                 path = end;
1177                 de = de->parent;
1178         }
1179         rc = security_genfs_sid("proc", path, tclass, sid);
1180         free_page((unsigned long)buffer);
1181         return rc;
1182 }
1183 #else
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185                                 u16 tclass,
1186                                 u32 *sid)
1187 {
1188         return -EINVAL;
1189 }
1190 #endif
1191
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194 {
1195         struct superblock_security_struct *sbsec = NULL;
1196         struct inode_security_struct *isec = inode->i_security;
1197         u32 sid;
1198         struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200         char *context = NULL;
1201         unsigned len = 0;
1202         int rc = 0;
1203
1204         if (isec->initialized)
1205                 goto out;
1206
1207         mutex_lock(&isec->lock);
1208         if (isec->initialized)
1209                 goto out_unlock;
1210
1211         sbsec = inode->i_sb->s_security;
1212         if (!sbsec->initialized) {
1213                 /* Defer initialization until selinux_complete_init,
1214                    after the initial policy is loaded and the security
1215                    server is ready to handle calls. */
1216                 spin_lock(&sbsec->isec_lock);
1217                 if (list_empty(&isec->list))
1218                         list_add(&isec->list, &sbsec->isec_head);
1219                 spin_unlock(&sbsec->isec_lock);
1220                 goto out_unlock;
1221         }
1222
1223         switch (sbsec->behavior) {
1224         case SECURITY_FS_USE_XATTR:
1225                 if (!inode->i_op->getxattr) {
1226                         isec->sid = sbsec->def_sid;
1227                         break;
1228                 }
1229
1230                 /* Need a dentry, since the xattr API requires one.
1231                    Life would be simpler if we could just pass the inode. */
1232                 if (opt_dentry) {
1233                         /* Called from d_instantiate or d_splice_alias. */
1234                         dentry = dget(opt_dentry);
1235                 } else {
1236                         /* Called from selinux_complete_init, try to find a dentry. */
1237                         dentry = d_find_alias(inode);
1238                 }
1239                 if (!dentry) {
1240                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1241                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1242                                inode->i_ino);
1243                         goto out_unlock;
1244                 }
1245
1246                 len = INITCONTEXTLEN;
1247                 context = kmalloc(len, GFP_NOFS);
1248                 if (!context) {
1249                         rc = -ENOMEM;
1250                         dput(dentry);
1251                         goto out_unlock;
1252                 }
1253                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254                                            context, len);
1255                 if (rc == -ERANGE) {
1256                         /* Need a larger buffer.  Query for the right size. */
1257                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258                                                    NULL, 0);
1259                         if (rc < 0) {
1260                                 dput(dentry);
1261                                 goto out_unlock;
1262                         }
1263                         kfree(context);
1264                         len = rc;
1265                         context = kmalloc(len, GFP_NOFS);
1266                         if (!context) {
1267                                 rc = -ENOMEM;
1268                                 dput(dentry);
1269                                 goto out_unlock;
1270                         }
1271                         rc = inode->i_op->getxattr(dentry,
1272                                                    XATTR_NAME_SELINUX,
1273                                                    context, len);
1274                 }
1275                 dput(dentry);
1276                 if (rc < 0) {
1277                         if (rc != -ENODATA) {
1278                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1279                                        "%d for dev=%s ino=%ld\n", __func__,
1280                                        -rc, inode->i_sb->s_id, inode->i_ino);
1281                                 kfree(context);
1282                                 goto out_unlock;
1283                         }
1284                         /* Map ENODATA to the default file SID */
1285                         sid = sbsec->def_sid;
1286                         rc = 0;
1287                 } else {
1288                         rc = security_context_to_sid_default(context, rc, &sid,
1289                                                              sbsec->def_sid,
1290                                                              GFP_NOFS);
1291                         if (rc) {
1292                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1293                                        "returned %d for dev=%s ino=%ld\n",
1294                                        __func__, context, -rc,
1295                                        inode->i_sb->s_id, inode->i_ino);
1296                                 kfree(context);
1297                                 /* Leave with the unlabeled SID */
1298                                 rc = 0;
1299                                 break;
1300                         }
1301                 }
1302                 kfree(context);
1303                 isec->sid = sid;
1304                 break;
1305         case SECURITY_FS_USE_TASK:
1306                 isec->sid = isec->task_sid;
1307                 break;
1308         case SECURITY_FS_USE_TRANS:
1309                 /* Default to the fs SID. */
1310                 isec->sid = sbsec->sid;
1311
1312                 /* Try to obtain a transition SID. */
1313                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314                 rc = security_transition_sid(isec->task_sid,
1315                                              sbsec->sid,
1316                                              isec->sclass,
1317                                              &sid);
1318                 if (rc)
1319                         goto out_unlock;
1320                 isec->sid = sid;
1321                 break;
1322         case SECURITY_FS_USE_MNTPOINT:
1323                 isec->sid = sbsec->mntpoint_sid;
1324                 break;
1325         default:
1326                 /* Default to the fs superblock SID. */
1327                 isec->sid = sbsec->sid;
1328
1329                 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330                         struct proc_inode *proci = PROC_I(inode);
1331                         if (proci->pde) {
1332                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333                                 rc = selinux_proc_get_sid(proci->pde,
1334                                                           isec->sclass,
1335                                                           &sid);
1336                                 if (rc)
1337                                         goto out_unlock;
1338                                 isec->sid = sid;
1339                         }
1340                 }
1341                 break;
1342         }
1343
1344         isec->initialized = 1;
1345
1346 out_unlock:
1347         mutex_unlock(&isec->lock);
1348 out:
1349         if (isec->sclass == SECCLASS_FILE)
1350                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351         return rc;
1352 }
1353
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1356 {
1357         u32 perm = 0;
1358
1359         switch (sig) {
1360         case SIGCHLD:
1361                 /* Commonly granted from child to parent. */
1362                 perm = PROCESS__SIGCHLD;
1363                 break;
1364         case SIGKILL:
1365                 /* Cannot be caught or ignored */
1366                 perm = PROCESS__SIGKILL;
1367                 break;
1368         case SIGSTOP:
1369                 /* Cannot be caught or ignored */
1370                 perm = PROCESS__SIGSTOP;
1371                 break;
1372         default:
1373                 /* All other signals. */
1374                 perm = PROCESS__SIGNAL;
1375                 break;
1376         }
1377
1378         return perm;
1379 }
1380
1381 /*
1382  * Check permission between a pair of credentials
1383  * fork check, ptrace check, etc.
1384  */
1385 static int cred_has_perm(const struct cred *actor,
1386                          const struct cred *target,
1387                          u32 perms)
1388 {
1389         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392 }
1393
1394 /*
1395  * Check permission between a pair of tasks, e.g. signal checks,
1396  * fork check, ptrace check, etc.
1397  * tsk1 is the actor and tsk2 is the target
1398  */
1399 static int task_has_perm(const struct task_struct *tsk1,
1400                          const struct task_struct *tsk2,
1401                          u32 perms)
1402 {
1403         const struct task_security_struct *__tsec1, *__tsec2;
1404         u32 sid1, sid2;
1405
1406         rcu_read_lock();
1407         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1408         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1409         rcu_read_unlock();
1410         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1411 }
1412
1413 #if CAP_LAST_CAP > 63
1414 #error Fix SELinux to handle capabilities > 63.
1415 #endif
1416
1417 /* Check whether a task is allowed to use a capability. */
1418 static int task_has_capability(struct task_struct *tsk,
1419                                int cap, int audit)
1420 {
1421         struct avc_audit_data ad;
1422         struct av_decision avd;
1423         u16 sclass;
1424         u32 sid = task_sid(tsk);
1425         u32 av = CAP_TO_MASK(cap);
1426         int rc;
1427
1428         AVC_AUDIT_DATA_INIT(&ad, CAP);
1429         ad.tsk = tsk;
1430         ad.u.cap = cap;
1431
1432         switch (CAP_TO_INDEX(cap)) {
1433         case 0:
1434                 sclass = SECCLASS_CAPABILITY;
1435                 break;
1436         case 1:
1437                 sclass = SECCLASS_CAPABILITY2;
1438                 break;
1439         default:
1440                 printk(KERN_ERR
1441                        "SELinux:  out of range capability %d\n", cap);
1442                 BUG();
1443         }
1444
1445         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1446         if (audit == SECURITY_CAP_AUDIT)
1447                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1448         return rc;
1449 }
1450
1451 /* Check whether a task is allowed to use a system operation. */
1452 static int task_has_system(struct task_struct *tsk,
1453                            u32 perms)
1454 {
1455         u32 sid = task_sid(tsk);
1456
1457         return avc_has_perm(sid, SECINITSID_KERNEL,
1458                             SECCLASS_SYSTEM, perms, NULL);
1459 }
1460
1461 /* Check whether a task has a particular permission to an inode.
1462    The 'adp' parameter is optional and allows other audit
1463    data to be passed (e.g. the dentry). */
1464 static int inode_has_perm(const struct cred *cred,
1465                           struct inode *inode,
1466                           u32 perms,
1467                           struct avc_audit_data *adp)
1468 {
1469         struct inode_security_struct *isec;
1470         struct avc_audit_data ad;
1471         u32 sid;
1472
1473         if (unlikely(IS_PRIVATE(inode)))
1474                 return 0;
1475
1476         sid = cred_sid(cred);
1477         isec = inode->i_security;
1478
1479         if (!adp) {
1480                 adp = &ad;
1481                 AVC_AUDIT_DATA_INIT(&ad, FS);
1482                 ad.u.fs.inode = inode;
1483         }
1484
1485         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1486 }
1487
1488 /* Same as inode_has_perm, but pass explicit audit data containing
1489    the dentry to help the auditing code to more easily generate the
1490    pathname if needed. */
1491 static inline int dentry_has_perm(const struct cred *cred,
1492                                   struct vfsmount *mnt,
1493                                   struct dentry *dentry,
1494                                   u32 av)
1495 {
1496         struct inode *inode = dentry->d_inode;
1497         struct avc_audit_data ad;
1498
1499         AVC_AUDIT_DATA_INIT(&ad, FS);
1500         ad.u.fs.path.mnt = mnt;
1501         ad.u.fs.path.dentry = dentry;
1502         return inode_has_perm(cred, inode, av, &ad);
1503 }
1504
1505 /* Check whether a task can use an open file descriptor to
1506    access an inode in a given way.  Check access to the
1507    descriptor itself, and then use dentry_has_perm to
1508    check a particular permission to the file.
1509    Access to the descriptor is implicitly granted if it
1510    has the same SID as the process.  If av is zero, then
1511    access to the file is not checked, e.g. for cases
1512    where only the descriptor is affected like seek. */
1513 static int file_has_perm(const struct cred *cred,
1514                          struct file *file,
1515                          u32 av)
1516 {
1517         struct file_security_struct *fsec = file->f_security;
1518         struct inode *inode = file->f_path.dentry->d_inode;
1519         struct avc_audit_data ad;
1520         u32 sid = cred_sid(cred);
1521         int rc;
1522
1523         AVC_AUDIT_DATA_INIT(&ad, FS);
1524         ad.u.fs.path = file->f_path;
1525
1526         if (sid != fsec->sid) {
1527                 rc = avc_has_perm(sid, fsec->sid,
1528                                   SECCLASS_FD,
1529                                   FD__USE,
1530                                   &ad);
1531                 if (rc)
1532                         goto out;
1533         }
1534
1535         /* av is zero if only checking access to the descriptor. */
1536         rc = 0;
1537         if (av)
1538                 rc = inode_has_perm(cred, inode, av, &ad);
1539
1540 out:
1541         return rc;
1542 }
1543
1544 /* Check whether a task can create a file. */
1545 static int may_create(struct inode *dir,
1546                       struct dentry *dentry,
1547                       u16 tclass)
1548 {
1549         const struct cred *cred = current_cred();
1550         const struct task_security_struct *tsec = cred->security;
1551         struct inode_security_struct *dsec;
1552         struct superblock_security_struct *sbsec;
1553         u32 sid, newsid;
1554         struct avc_audit_data ad;
1555         int rc;
1556
1557         dsec = dir->i_security;
1558         sbsec = dir->i_sb->s_security;
1559
1560         sid = tsec->sid;
1561         newsid = tsec->create_sid;
1562
1563         AVC_AUDIT_DATA_INIT(&ad, FS);
1564         ad.u.fs.path.dentry = dentry;
1565
1566         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1567                           DIR__ADD_NAME | DIR__SEARCH,
1568                           &ad);
1569         if (rc)
1570                 return rc;
1571
1572         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1573                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1574                 if (rc)
1575                         return rc;
1576         }
1577
1578         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1579         if (rc)
1580                 return rc;
1581
1582         return avc_has_perm(newsid, sbsec->sid,
1583                             SECCLASS_FILESYSTEM,
1584                             FILESYSTEM__ASSOCIATE, &ad);
1585 }
1586
1587 /* Check whether a task can create a key. */
1588 static int may_create_key(u32 ksid,
1589                           struct task_struct *ctx)
1590 {
1591         u32 sid = task_sid(ctx);
1592
1593         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1594 }
1595
1596 #define MAY_LINK        0
1597 #define MAY_UNLINK      1
1598 #define MAY_RMDIR       2
1599
1600 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1601 static int may_link(struct inode *dir,
1602                     struct dentry *dentry,
1603                     int kind)
1604
1605 {
1606         struct inode_security_struct *dsec, *isec;
1607         struct avc_audit_data ad;
1608         u32 sid = current_sid();
1609         u32 av;
1610         int rc;
1611
1612         dsec = dir->i_security;
1613         isec = dentry->d_inode->i_security;
1614
1615         AVC_AUDIT_DATA_INIT(&ad, FS);
1616         ad.u.fs.path.dentry = dentry;
1617
1618         av = DIR__SEARCH;
1619         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1620         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1621         if (rc)
1622                 return rc;
1623
1624         switch (kind) {
1625         case MAY_LINK:
1626                 av = FILE__LINK;
1627                 break;
1628         case MAY_UNLINK:
1629                 av = FILE__UNLINK;
1630                 break;
1631         case MAY_RMDIR:
1632                 av = DIR__RMDIR;
1633                 break;
1634         default:
1635                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1636                         __func__, kind);
1637                 return 0;
1638         }
1639
1640         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1641         return rc;
1642 }
1643
1644 static inline int may_rename(struct inode *old_dir,
1645                              struct dentry *old_dentry,
1646                              struct inode *new_dir,
1647                              struct dentry *new_dentry)
1648 {
1649         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1650         struct avc_audit_data ad;
1651         u32 sid = current_sid();
1652         u32 av;
1653         int old_is_dir, new_is_dir;
1654         int rc;
1655
1656         old_dsec = old_dir->i_security;
1657         old_isec = old_dentry->d_inode->i_security;
1658         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1659         new_dsec = new_dir->i_security;
1660
1661         AVC_AUDIT_DATA_INIT(&ad, FS);
1662
1663         ad.u.fs.path.dentry = old_dentry;
1664         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1665                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1666         if (rc)
1667                 return rc;
1668         rc = avc_has_perm(sid, old_isec->sid,
1669                           old_isec->sclass, FILE__RENAME, &ad);
1670         if (rc)
1671                 return rc;
1672         if (old_is_dir && new_dir != old_dir) {
1673                 rc = avc_has_perm(sid, old_isec->sid,
1674                                   old_isec->sclass, DIR__REPARENT, &ad);
1675                 if (rc)
1676                         return rc;
1677         }
1678
1679         ad.u.fs.path.dentry = new_dentry;
1680         av = DIR__ADD_NAME | DIR__SEARCH;
1681         if (new_dentry->d_inode)
1682                 av |= DIR__REMOVE_NAME;
1683         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1684         if (rc)
1685                 return rc;
1686         if (new_dentry->d_inode) {
1687                 new_isec = new_dentry->d_inode->i_security;
1688                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1689                 rc = avc_has_perm(sid, new_isec->sid,
1690                                   new_isec->sclass,
1691                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1692                 if (rc)
1693                         return rc;
1694         }
1695
1696         return 0;
1697 }
1698
1699 /* Check whether a task can perform a filesystem operation. */
1700 static int superblock_has_perm(const struct cred *cred,
1701                                struct super_block *sb,
1702                                u32 perms,
1703                                struct avc_audit_data *ad)
1704 {
1705         struct superblock_security_struct *sbsec;
1706         u32 sid = cred_sid(cred);
1707
1708         sbsec = sb->s_security;
1709         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1710 }
1711
1712 /* Convert a Linux mode and permission mask to an access vector. */
1713 static inline u32 file_mask_to_av(int mode, int mask)
1714 {
1715         u32 av = 0;
1716
1717         if ((mode & S_IFMT) != S_IFDIR) {
1718                 if (mask & MAY_EXEC)
1719                         av |= FILE__EXECUTE;
1720                 if (mask & MAY_READ)
1721                         av |= FILE__READ;
1722
1723                 if (mask & MAY_APPEND)
1724                         av |= FILE__APPEND;
1725                 else if (mask & MAY_WRITE)
1726                         av |= FILE__WRITE;
1727
1728         } else {
1729                 if (mask & MAY_EXEC)
1730                         av |= DIR__SEARCH;
1731                 if (mask & MAY_WRITE)
1732                         av |= DIR__WRITE;
1733                 if (mask & MAY_READ)
1734                         av |= DIR__READ;
1735         }
1736
1737         return av;
1738 }
1739
1740 /* Convert a Linux file to an access vector. */
1741 static inline u32 file_to_av(struct file *file)
1742 {
1743         u32 av = 0;
1744
1745         if (file->f_mode & FMODE_READ)
1746                 av |= FILE__READ;
1747         if (file->f_mode & FMODE_WRITE) {
1748                 if (file->f_flags & O_APPEND)
1749                         av |= FILE__APPEND;
1750                 else
1751                         av |= FILE__WRITE;
1752         }
1753         if (!av) {
1754                 /*
1755                  * Special file opened with flags 3 for ioctl-only use.
1756                  */
1757                 av = FILE__IOCTL;
1758         }
1759
1760         return av;
1761 }
1762
1763 /*
1764  * Convert a file to an access vector and include the correct open
1765  * open permission.
1766  */
1767 static inline u32 open_file_to_av(struct file *file)
1768 {
1769         u32 av = file_to_av(file);
1770
1771         if (selinux_policycap_openperm) {
1772                 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1773                 /*
1774                  * lnk files and socks do not really have an 'open'
1775                  */
1776                 if (S_ISREG(mode))
1777                         av |= FILE__OPEN;
1778                 else if (S_ISCHR(mode))
1779                         av |= CHR_FILE__OPEN;
1780                 else if (S_ISBLK(mode))
1781                         av |= BLK_FILE__OPEN;
1782                 else if (S_ISFIFO(mode))
1783                         av |= FIFO_FILE__OPEN;
1784                 else if (S_ISDIR(mode))
1785                         av |= DIR__OPEN;
1786                 else
1787                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1788                                 "unknown mode:%o\n", __func__, mode);
1789         }
1790         return av;
1791 }
1792
1793 /* Hook functions begin here. */
1794
1795 static int selinux_ptrace_may_access(struct task_struct *child,
1796                                      unsigned int mode)
1797 {
1798         int rc;
1799
1800         rc = secondary_ops->ptrace_may_access(child, mode);
1801         if (rc)
1802                 return rc;
1803
1804         if (mode == PTRACE_MODE_READ) {
1805                 u32 sid = current_sid();
1806                 u32 csid = task_sid(child);
1807                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1808         }
1809
1810         return task_has_perm(current, child, PROCESS__PTRACE);
1811 }
1812
1813 static int selinux_ptrace_traceme(struct task_struct *parent)
1814 {
1815         int rc;
1816
1817         rc = secondary_ops->ptrace_traceme(parent);
1818         if (rc)
1819                 return rc;
1820
1821         return task_has_perm(parent, current, PROCESS__PTRACE);
1822 }
1823
1824 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1825                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1826 {
1827         int error;
1828
1829         error = task_has_perm(current, target, PROCESS__GETCAP);
1830         if (error)
1831                 return error;
1832
1833         return secondary_ops->capget(target, effective, inheritable, permitted);
1834 }
1835
1836 static int selinux_capset(struct cred *new, const struct cred *old,
1837                           const kernel_cap_t *effective,
1838                           const kernel_cap_t *inheritable,
1839                           const kernel_cap_t *permitted)
1840 {
1841         int error;
1842
1843         error = secondary_ops->capset(new, old,
1844                                       effective, inheritable, permitted);
1845         if (error)
1846                 return error;
1847
1848         return cred_has_perm(old, new, PROCESS__SETCAP);
1849 }
1850
1851 static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1852 {
1853         int rc;
1854
1855         rc = secondary_ops->capable(tsk, cap, audit);
1856         if (rc)
1857                 return rc;
1858
1859         return task_has_capability(tsk, cap, audit);
1860 }
1861
1862 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1863 {
1864         int buflen, rc;
1865         char *buffer, *path, *end;
1866
1867         rc = -ENOMEM;
1868         buffer = (char *)__get_free_page(GFP_KERNEL);
1869         if (!buffer)
1870                 goto out;
1871
1872         buflen = PAGE_SIZE;
1873         end = buffer+buflen;
1874         *--end = '\0';
1875         buflen--;
1876         path = end-1;
1877         *path = '/';
1878         while (table) {
1879                 const char *name = table->procname;
1880                 size_t namelen = strlen(name);
1881                 buflen -= namelen + 1;
1882                 if (buflen < 0)
1883                         goto out_free;
1884                 end -= namelen;
1885                 memcpy(end, name, namelen);
1886                 *--end = '/';
1887                 path = end;
1888                 table = table->parent;
1889         }
1890         buflen -= 4;
1891         if (buflen < 0)
1892                 goto out_free;
1893         end -= 4;
1894         memcpy(end, "/sys", 4);
1895         path = end;
1896         rc = security_genfs_sid("proc", path, tclass, sid);
1897 out_free:
1898         free_page((unsigned long)buffer);
1899 out:
1900         return rc;
1901 }
1902
1903 static int selinux_sysctl(ctl_table *table, int op)
1904 {
1905         int error = 0;
1906         u32 av;
1907         u32 tsid, sid;
1908         int rc;
1909
1910         rc = secondary_ops->sysctl(table, op);
1911         if (rc)
1912                 return rc;
1913
1914         sid = current_sid();
1915
1916         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1917                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1918         if (rc) {
1919                 /* Default to the well-defined sysctl SID. */
1920                 tsid = SECINITSID_SYSCTL;
1921         }
1922
1923         /* The op values are "defined" in sysctl.c, thereby creating
1924          * a bad coupling between this module and sysctl.c */
1925         if (op == 001) {
1926                 error = avc_has_perm(sid, tsid,
1927                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1928         } else {
1929                 av = 0;
1930                 if (op & 004)
1931                         av |= FILE__READ;
1932                 if (op & 002)
1933                         av |= FILE__WRITE;
1934                 if (av)
1935                         error = avc_has_perm(sid, tsid,
1936                                              SECCLASS_FILE, av, NULL);
1937         }
1938
1939         return error;
1940 }
1941
1942 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1943 {
1944         const struct cred *cred = current_cred();
1945         int rc = 0;
1946
1947         if (!sb)
1948                 return 0;
1949
1950         switch (cmds) {
1951         case Q_SYNC:
1952         case Q_QUOTAON:
1953         case Q_QUOTAOFF:
1954         case Q_SETINFO:
1955         case Q_SETQUOTA:
1956                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1957                 break;
1958         case Q_GETFMT:
1959         case Q_GETINFO:
1960         case Q_GETQUOTA:
1961                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1962                 break;
1963         default:
1964                 rc = 0;  /* let the kernel handle invalid cmds */
1965                 break;
1966         }
1967         return rc;
1968 }
1969
1970 static int selinux_quota_on(struct dentry *dentry)
1971 {
1972         const struct cred *cred = current_cred();
1973
1974         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1975 }
1976
1977 static int selinux_syslog(int type)
1978 {
1979         int rc;
1980
1981         rc = secondary_ops->syslog(type);
1982         if (rc)
1983                 return rc;
1984
1985         switch (type) {
1986         case 3:         /* Read last kernel messages */
1987         case 10:        /* Return size of the log buffer */
1988                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1989                 break;
1990         case 6:         /* Disable logging to console */
1991         case 7:         /* Enable logging to console */
1992         case 8:         /* Set level of messages printed to console */
1993                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1994                 break;
1995         case 0:         /* Close log */
1996         case 1:         /* Open log */
1997         case 2:         /* Read from log */
1998         case 4:         /* Read/clear last kernel messages */
1999         case 5:         /* Clear ring buffer */
2000         default:
2001                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2002                 break;
2003         }
2004         return rc;
2005 }
2006
2007 /*
2008  * Check that a process has enough memory to allocate a new virtual
2009  * mapping. 0 means there is enough memory for the allocation to
2010  * succeed and -ENOMEM implies there is not.
2011  *
2012  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2013  * if the capability is granted, but __vm_enough_memory requires 1 if
2014  * the capability is granted.
2015  *
2016  * Do not audit the selinux permission check, as this is applied to all
2017  * processes that allocate mappings.
2018  */
2019 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2020 {
2021         int rc, cap_sys_admin = 0;
2022
2023         rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2024         if (rc == 0)
2025                 cap_sys_admin = 1;
2026
2027         return __vm_enough_memory(mm, pages, cap_sys_admin);
2028 }
2029
2030 /* binprm security operations */
2031
2032 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2033 {
2034         const struct task_security_struct *old_tsec;
2035         struct task_security_struct *new_tsec;
2036         struct inode_security_struct *isec;
2037         struct avc_audit_data ad;
2038         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2039         int rc;
2040
2041         rc = secondary_ops->bprm_set_creds(bprm);
2042         if (rc)
2043                 return rc;
2044
2045         /* SELinux context only depends on initial program or script and not
2046          * the script interpreter */
2047         if (bprm->cred_prepared)
2048                 return 0;
2049
2050         old_tsec = current_security();
2051         new_tsec = bprm->cred->security;
2052         isec = inode->i_security;
2053
2054         /* Default to the current task SID. */
2055         new_tsec->sid = old_tsec->sid;
2056         new_tsec->osid = old_tsec->sid;
2057
2058         /* Reset fs, key, and sock SIDs on execve. */
2059         new_tsec->create_sid = 0;
2060         new_tsec->keycreate_sid = 0;
2061         new_tsec->sockcreate_sid = 0;
2062
2063         if (old_tsec->exec_sid) {
2064                 new_tsec->sid = old_tsec->exec_sid;
2065                 /* Reset exec SID on execve. */
2066                 new_tsec->exec_sid = 0;
2067         } else {
2068                 /* Check for a default transition on this program. */
2069                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2070                                              SECCLASS_PROCESS, &new_tsec->sid);
2071                 if (rc)
2072                         return rc;
2073         }
2074
2075         AVC_AUDIT_DATA_INIT(&ad, FS);
2076         ad.u.fs.path = bprm->file->f_path;
2077
2078         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2079                 new_tsec->sid = old_tsec->sid;
2080
2081         if (new_tsec->sid == old_tsec->sid) {
2082                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2083                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2084                 if (rc)
2085                         return rc;
2086         } else {
2087                 /* Check permissions for the transition. */
2088                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2089                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2090                 if (rc)
2091                         return rc;
2092
2093                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2094                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2095                 if (rc)
2096                         return rc;
2097
2098                 /* Check for shared state */
2099                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2100                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2101                                           SECCLASS_PROCESS, PROCESS__SHARE,
2102                                           NULL);
2103                         if (rc)
2104                                 return -EPERM;
2105                 }
2106
2107                 /* Make sure that anyone attempting to ptrace over a task that
2108                  * changes its SID has the appropriate permit */
2109                 if (bprm->unsafe &
2110                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2111                         struct task_struct *tracer;
2112                         struct task_security_struct *sec;
2113                         u32 ptsid = 0;
2114
2115                         rcu_read_lock();
2116                         tracer = tracehook_tracer_task(current);
2117                         if (likely(tracer != NULL)) {
2118                                 sec = __task_cred(tracer)->security;
2119                                 ptsid = sec->sid;
2120                         }
2121                         rcu_read_unlock();
2122
2123                         if (ptsid != 0) {
2124                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2125                                                   SECCLASS_PROCESS,
2126                                                   PROCESS__PTRACE, NULL);
2127                                 if (rc)
2128                                         return -EPERM;
2129                         }
2130                 }
2131
2132                 /* Clear any possibly unsafe personality bits on exec: */
2133                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2134         }
2135
2136         return 0;
2137 }
2138
2139 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2140 {
2141         return secondary_ops->bprm_check_security(bprm);
2142 }
2143
2144 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2145 {
2146         const struct cred *cred = current_cred();
2147         const struct task_security_struct *tsec = cred->security;
2148         u32 sid, osid;
2149         int atsecure = 0;
2150
2151         sid = tsec->sid;
2152         osid = tsec->osid;
2153
2154         if (osid != sid) {
2155                 /* Enable secure mode for SIDs transitions unless
2156                    the noatsecure permission is granted between
2157                    the two SIDs, i.e. ahp returns 0. */
2158                 atsecure = avc_has_perm(osid, sid,
2159                                         SECCLASS_PROCESS,
2160                                         PROCESS__NOATSECURE, NULL);
2161         }
2162
2163         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2164 }
2165
2166 extern struct vfsmount *selinuxfs_mount;
2167 extern struct dentry *selinux_null;
2168
2169 /* Derived from fs/exec.c:flush_old_files. */
2170 static inline void flush_unauthorized_files(const struct cred *cred,
2171                                             struct files_struct *files)
2172 {
2173         struct avc_audit_data ad;
2174         struct file *file, *devnull = NULL;
2175         struct tty_struct *tty;
2176         struct fdtable *fdt;
2177         long j = -1;
2178         int drop_tty = 0;
2179
2180         tty = get_current_tty();
2181         if (tty) {
2182                 file_list_lock();
2183                 if (!list_empty(&tty->tty_files)) {
2184                         struct inode *inode;
2185
2186                         /* Revalidate access to controlling tty.
2187                            Use inode_has_perm on the tty inode directly rather
2188                            than using file_has_perm, as this particular open
2189                            file may belong to another process and we are only
2190                            interested in the inode-based check here. */
2191                         file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2192                         inode = file->f_path.dentry->d_inode;
2193                         if (inode_has_perm(cred, inode,
2194                                            FILE__READ | FILE__WRITE, NULL)) {
2195                                 drop_tty = 1;
2196                         }
2197                 }
2198                 file_list_unlock();
2199                 tty_kref_put(tty);
2200         }
2201         /* Reset controlling tty. */
2202         if (drop_tty)
2203                 no_tty();
2204
2205         /* Revalidate access to inherited open files. */
2206
2207         AVC_AUDIT_DATA_INIT(&ad, FS);
2208
2209         spin_lock(&files->file_lock);
2210         for (;;) {
2211                 unsigned long set, i;
2212                 int fd;
2213
2214                 j++;
2215                 i = j * __NFDBITS;
2216                 fdt = files_fdtable(files);
2217                 if (i >= fdt->max_fds)
2218                         break;
2219                 set = fdt->open_fds->fds_bits[j];
2220                 if (!set)
2221                         continue;
2222                 spin_unlock(&files->file_lock);
2223                 for ( ; set ; i++, set >>= 1) {
2224                         if (set & 1) {
2225                                 file = fget(i);
2226                                 if (!file)
2227                                         continue;
2228                                 if (file_has_perm(cred,
2229                                                   file,
2230                                                   file_to_av(file))) {
2231                                         sys_close(i);
2232                                         fd = get_unused_fd();
2233                                         if (fd != i) {
2234                                                 if (fd >= 0)
2235                                                         put_unused_fd(fd);
2236                                                 fput(file);
2237                                                 continue;
2238                                         }
2239                                         if (devnull) {
2240                                                 get_file(devnull);
2241                                         } else {
2242                                                 devnull = dentry_open(
2243                                                         dget(selinux_null),
2244                                                         mntget(selinuxfs_mount),
2245                                                         O_RDWR, cred);
2246                                                 if (IS_ERR(devnull)) {
2247                                                         devnull = NULL;
2248                                                         put_unused_fd(fd);
2249                                                         fput(file);
2250                                                         continue;
2251                                                 }
2252                                         }
2253                                         fd_install(fd, devnull);
2254                                 }
2255                                 fput(file);
2256                         }
2257                 }
2258                 spin_lock(&files->file_lock);
2259
2260         }
2261         spin_unlock(&files->file_lock);
2262 }
2263
2264 /*
2265  * Prepare a process for imminent new credential changes due to exec
2266  */
2267 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2268 {
2269         struct task_security_struct *new_tsec;
2270         struct rlimit *rlim, *initrlim;
2271         int rc, i;
2272
2273         secondary_ops->bprm_committing_creds(bprm);
2274
2275         new_tsec = bprm->cred->security;
2276         if (new_tsec->sid == new_tsec->osid)
2277                 return;
2278
2279         /* Close files for which the new task SID is not authorized. */
2280         flush_unauthorized_files(bprm->cred, current->files);
2281
2282         /* Always clear parent death signal on SID transitions. */
2283         current->pdeath_signal = 0;
2284
2285         /* Check whether the new SID can inherit resource limits from the old
2286          * SID.  If not, reset all soft limits to the lower of the current
2287          * task's hard limit and the init task's soft limit.
2288          *
2289          * Note that the setting of hard limits (even to lower them) can be
2290          * controlled by the setrlimit check.  The inclusion of the init task's
2291          * soft limit into the computation is to avoid resetting soft limits
2292          * higher than the default soft limit for cases where the default is
2293          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2294          */
2295         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2296                           PROCESS__RLIMITINH, NULL);
2297         if (rc) {
2298                 for (i = 0; i < RLIM_NLIMITS; i++) {
2299                         rlim = current->signal->rlim + i;
2300                         initrlim = init_task.signal->rlim + i;
2301                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2302                 }
2303                 update_rlimit_cpu(rlim->rlim_cur);
2304         }
2305 }
2306
2307 /*
2308  * Clean up the process immediately after the installation of new credentials
2309  * due to exec
2310  */
2311 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2312 {
2313         const struct task_security_struct *tsec = current_security();
2314         struct itimerval itimer;
2315         struct sighand_struct *psig;
2316         u32 osid, sid;
2317         int rc, i;
2318         unsigned long flags;
2319
2320         secondary_ops->bprm_committed_creds(bprm);
2321
2322         osid = tsec->osid;
2323         sid = tsec->sid;
2324
2325         if (sid == osid)
2326                 return;
2327
2328         /* Check whether the new SID can inherit signal state from the old SID.
2329          * If not, clear itimers to avoid subsequent signal generation and
2330          * flush and unblock signals.
2331          *
2332          * This must occur _after_ the task SID has been updated so that any
2333          * kill done after the flush will be checked against the new SID.
2334          */
2335         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2336         if (rc) {
2337                 memset(&itimer, 0, sizeof itimer);
2338                 for (i = 0; i < 3; i++)
2339                         do_setitimer(i, &itimer, NULL);
2340                 flush_signals(current);
2341                 spin_lock_irq(&current->sighand->siglock);
2342                 flush_signal_handlers(current, 1);
2343                 sigemptyset(&current->blocked);
2344                 recalc_sigpending();
2345                 spin_unlock_irq(&current->sighand->siglock);
2346         }
2347
2348         /* Wake up the parent if it is waiting so that it can recheck
2349          * wait permission to the new task SID. */
2350         read_lock_irq(&tasklist_lock);
2351         psig = current->parent->sighand;
2352         spin_lock_irqsave(&psig->siglock, flags);
2353         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2354         spin_unlock_irqrestore(&psig->siglock, flags);
2355         read_unlock_irq(&tasklist_lock);
2356 }
2357
2358 /* superblock security operations */
2359
2360 static int selinux_sb_alloc_security(struct super_block *sb)
2361 {
2362         return superblock_alloc_security(sb);
2363 }
2364
2365 static void selinux_sb_free_security(struct super_block *sb)
2366 {
2367         superblock_free_security(sb);
2368 }
2369
2370 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2371 {
2372         if (plen > olen)
2373                 return 0;
2374
2375         return !memcmp(prefix, option, plen);
2376 }
2377
2378 static inline int selinux_option(char *option, int len)
2379 {
2380         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2381                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2382                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2383                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2384 }
2385
2386 static inline void take_option(char **to, char *from, int *first, int len)
2387 {
2388         if (!*first) {
2389                 **to = ',';
2390                 *to += 1;
2391         } else
2392                 *first = 0;
2393         memcpy(*to, from, len);
2394         *to += len;
2395 }
2396
2397 static inline void take_selinux_option(char **to, char *from, int *first,
2398                                        int len)
2399 {
2400         int current_size = 0;
2401
2402         if (!*first) {
2403                 **to = '|';
2404                 *to += 1;
2405         } else
2406                 *first = 0;
2407
2408         while (current_size < len) {
2409                 if (*from != '"') {
2410                         **to = *from;
2411                         *to += 1;
2412                 }
2413                 from += 1;
2414                 current_size += 1;
2415         }
2416 }
2417
2418 static int selinux_sb_copy_data(char *orig, char *copy)
2419 {
2420         int fnosec, fsec, rc = 0;
2421         char *in_save, *in_curr, *in_end;
2422         char *sec_curr, *nosec_save, *nosec;
2423         int open_quote = 0;
2424
2425         in_curr = orig;
2426         sec_curr = copy;
2427
2428         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2429         if (!nosec) {
2430                 rc = -ENOMEM;
2431                 goto out;
2432         }
2433
2434         nosec_save = nosec;
2435         fnosec = fsec = 1;
2436         in_save = in_end = orig;
2437
2438         do {
2439                 if (*in_end == '"')
2440                         open_quote = !open_quote;
2441                 if ((*in_end == ',' && open_quote == 0) ||
2442                                 *in_end == '\0') {
2443                         int len = in_end - in_curr;
2444
2445                         if (selinux_option(in_curr, len))
2446                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2447                         else
2448                                 take_option(&nosec, in_curr, &fnosec, len);
2449
2450                         in_curr = in_end + 1;
2451                 }
2452         } while (*in_end++);
2453
2454         strcpy(in_save, nosec_save);
2455         free_page((unsigned long)nosec_save);
2456 out:
2457         return rc;
2458 }
2459
2460 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2461 {
2462         const struct cred *cred = current_cred();
2463         struct avc_audit_data ad;
2464         int rc;
2465
2466         rc = superblock_doinit(sb, data);
2467         if (rc)
2468                 return rc;
2469
2470         AVC_AUDIT_DATA_INIT(&ad, FS);
2471         ad.u.fs.path.dentry = sb->s_root;
2472         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2473 }
2474
2475 static int selinux_sb_statfs(struct dentry *dentry)
2476 {
2477         const struct cred *cred = current_cred();
2478         struct avc_audit_data ad;
2479
2480         AVC_AUDIT_DATA_INIT(&ad, FS);
2481         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2482         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2483 }
2484
2485 static int selinux_mount(char *dev_name,
2486                          struct path *path,
2487                          char *type,
2488                          unsigned long flags,
2489                          void *data)
2490 {
2491         const struct cred *cred = current_cred();
2492         int rc;
2493
2494         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2495         if (rc)
2496                 return rc;
2497
2498         if (flags & MS_REMOUNT)
2499                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2500                                            FILESYSTEM__REMOUNT, NULL);
2501         else
2502                 return dentry_has_perm(cred, path->mnt, path->dentry,
2503                                        FILE__MOUNTON);
2504 }
2505
2506 static int selinux_umount(struct vfsmount *mnt, int flags)
2507 {
2508         const struct cred *cred = current_cred();
2509         int rc;
2510
2511         rc = secondary_ops->sb_umount(mnt, flags);
2512         if (rc)
2513                 return rc;
2514
2515         return superblock_has_perm(cred, mnt->mnt_sb,
2516                                    FILESYSTEM__UNMOUNT, NULL);
2517 }
2518
2519 /* inode security operations */
2520
2521 static int selinux_inode_alloc_security(struct inode *inode)
2522 {
2523         return inode_alloc_security(inode);
2524 }
2525
2526 static void selinux_inode_free_security(struct inode *inode)
2527 {
2528         inode_free_security(inode);
2529 }
2530
2531 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2532                                        char **name, void **value,
2533                                        size_t *len)
2534 {
2535         const struct cred *cred = current_cred();
2536         const struct task_security_struct *tsec = cred->security;
2537         struct inode_security_struct *dsec;
2538         struct superblock_security_struct *sbsec;
2539         u32 sid, newsid, clen;
2540         int rc;
2541         char *namep = NULL, *context;
2542
2543         dsec = dir->i_security;
2544         sbsec = dir->i_sb->s_security;
2545
2546         sid = tsec->sid;
2547         newsid = tsec->create_sid;
2548
2549         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2550                 rc = security_transition_sid(sid, dsec->sid,
2551                                              inode_mode_to_security_class(inode->i_mode),
2552                                              &newsid);
2553                 if (rc) {
2554                         printk(KERN_WARNING "%s:  "
2555                                "security_transition_sid failed, rc=%d (dev=%s "
2556                                "ino=%ld)\n",
2557                                __func__,
2558                                -rc, inode->i_sb->s_id, inode->i_ino);
2559                         return rc;
2560                 }
2561         }
2562
2563         /* Possibly defer initialization to selinux_complete_init. */
2564         if (sbsec->initialized) {
2565                 struct inode_security_struct *isec = inode->i_security;
2566                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2567                 isec->sid = newsid;
2568                 isec->initialized = 1;
2569         }
2570
2571         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2572                 return -EOPNOTSUPP;
2573
2574         if (name) {
2575                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2576                 if (!namep)
2577                         return -ENOMEM;
2578                 *name = namep;
2579         }
2580
2581         if (value && len) {
2582                 rc = security_sid_to_context_force(newsid, &context, &clen);
2583                 if (rc) {
2584                         kfree(namep);
2585                         return rc;
2586                 }
2587                 *value = context;
2588                 *len = clen;
2589         }
2590
2591         return 0;
2592 }
2593
2594 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2595 {
2596         return may_create(dir, dentry, SECCLASS_FILE);
2597 }
2598
2599 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2600 {
2601         int rc;
2602
2603         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2604         if (rc)
2605                 return rc;
2606         return may_link(dir, old_dentry, MAY_LINK);
2607 }
2608
2609 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2610 {
2611         int rc;
2612
2613         rc = secondary_ops->inode_unlink(dir, dentry);
2614         if (rc)
2615                 return rc;
2616         return may_link(dir, dentry, MAY_UNLINK);
2617 }
2618
2619 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2620 {
2621         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2622 }
2623
2624 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2625 {
2626         return may_create(dir, dentry, SECCLASS_DIR);
2627 }
2628
2629 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2630 {
2631         return may_link(dir, dentry, MAY_RMDIR);
2632 }
2633
2634 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2635 {
2636         int rc;
2637
2638         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2639         if (rc)
2640                 return rc;
2641
2642         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2643 }
2644
2645 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2646                                 struct inode *new_inode, struct dentry *new_dentry)
2647 {
2648         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2649 }
2650
2651 static int selinux_inode_readlink(struct dentry *dentry)
2652 {
2653         const struct cred *cred = current_cred();
2654
2655         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2656 }
2657
2658 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2659 {
2660         const struct cred *cred = current_cred();
2661         int rc;
2662
2663         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2664         if (rc)
2665                 return rc;
2666         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2667 }
2668
2669 static int selinux_inode_permission(struct inode *inode, int mask)
2670 {
2671         const struct cred *cred = current_cred();
2672         int rc;
2673
2674         rc = secondary_ops->inode_permission(inode, mask);
2675         if (rc)
2676                 return rc;
2677
2678         if (!mask) {
2679                 /* No permission to check.  Existence test. */
2680                 return 0;
2681         }
2682
2683         return inode_has_perm(cred, inode,
2684                               file_mask_to_av(inode->i_mode, mask), NULL);
2685 }
2686
2687 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2688 {
2689         const struct cred *cred = current_cred();
2690         int rc;
2691
2692         rc = secondary_ops->inode_setattr(dentry, iattr);
2693         if (rc)
2694                 return rc;
2695
2696         if (iattr->ia_valid & ATTR_FORCE)
2697                 return 0;
2698
2699         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2700                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2701                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2702
2703         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2704 }
2705
2706 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2707 {
2708         const struct cred *cred = current_cred();
2709
2710         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2711 }
2712
2713 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2714 {
2715         const struct cred *cred = current_cred();
2716
2717         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2718                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2719                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2720                         if (!capable(CAP_SETFCAP))
2721                                 return -EPERM;
2722                 } else if (!capable(CAP_SYS_ADMIN)) {
2723                         /* A different attribute in the security namespace.
2724                            Restrict to administrator. */
2725                         return -EPERM;
2726                 }
2727         }
2728
2729         /* Not an attribute we recognize, so just check the
2730            ordinary setattr permission. */
2731         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2732 }
2733
2734 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2735                                   const void *value, size_t size, int flags)
2736 {
2737         struct inode *inode = dentry->d_inode;
2738         struct inode_security_struct *isec = inode->i_security;
2739         struct superblock_security_struct *sbsec;
2740         struct avc_audit_data ad;
2741         u32 newsid, sid = current_sid();
2742         int rc = 0;
2743
2744         if (strcmp(name, XATTR_NAME_SELINUX))
2745                 return selinux_inode_setotherxattr(dentry, name);
2746
2747         sbsec = inode->i_sb->s_security;
2748         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2749                 return -EOPNOTSUPP;
2750
2751         if (!is_owner_or_cap(inode))
2752                 return -EPERM;
2753
2754         AVC_AUDIT_DATA_INIT(&ad, FS);
2755         ad.u.fs.path.dentry = dentry;
2756
2757         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2758                           FILE__RELABELFROM, &ad);
2759         if (rc)
2760                 return rc;
2761
2762         rc = security_context_to_sid(value, size, &newsid);
2763         if (rc == -EINVAL) {
2764                 if (!capable(CAP_MAC_ADMIN))
2765                         return rc;
2766                 rc = security_context_to_sid_force(value, size, &newsid);
2767         }
2768         if (rc)
2769                 return rc;
2770
2771         rc = avc_has_perm(sid, newsid, isec->sclass,
2772                           FILE__RELABELTO, &ad);
2773         if (rc)
2774                 return rc;
2775
2776         rc = security_validate_transition(isec->sid, newsid, sid,
2777                                           isec->sclass);
2778         if (rc)
2779                 return rc;
2780
2781         return avc_has_perm(newsid,
2782                             sbsec->sid,
2783                             SECCLASS_FILESYSTEM,
2784                             FILESYSTEM__ASSOCIATE,
2785                             &ad);
2786 }
2787
2788 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2789                                         const void *value, size_t size,
2790                                         int flags)
2791 {
2792         struct inode *inode = dentry->d_inode;
2793         struct inode_security_struct *isec = inode->i_security;
2794         u32 newsid;
2795         int rc;
2796
2797         if (strcmp(name, XATTR_NAME_SELINUX)) {
2798                 /* Not an attribute we recognize, so nothing to do. */
2799                 return;
2800         }
2801
2802         rc = security_context_to_sid_force(value, size, &newsid);
2803         if (rc) {
2804                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2805                        "for (%s, %lu), rc=%d\n",
2806                        inode->i_sb->s_id, inode->i_ino, -rc);
2807                 return;
2808         }
2809
2810         isec->sid = newsid;
2811         return;
2812 }
2813
2814 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2815 {
2816         const struct cred *cred = current_cred();
2817
2818         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2819 }
2820
2821 static int selinux_inode_listxattr(struct dentry *dentry)
2822 {
2823         const struct cred *cred = current_cred();
2824
2825         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2826 }
2827
2828 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2829 {
2830         if (strcmp(name, XATTR_NAME_SELINUX))
2831                 return selinux_inode_setotherxattr(dentry, name);
2832
2833         /* No one is allowed to remove a SELinux security label.
2834            You can change the label, but all data must be labeled. */
2835         return -EACCES;
2836 }
2837
2838 /*
2839  * Copy the inode security context value to the user.
2840  *
2841  * Permission check is handled by selinux_inode_getxattr hook.
2842  */
2843 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2844 {
2845         u32 size;
2846         int error;
2847         char *context = NULL;
2848         struct inode_security_struct *isec = inode->i_security;
2849
2850         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2851                 return -EOPNOTSUPP;
2852
2853         /*
2854          * If the caller has CAP_MAC_ADMIN, then get the raw context
2855          * value even if it is not defined by current policy; otherwise,
2856          * use the in-core value under current policy.
2857          * Use the non-auditing forms of the permission checks since
2858          * getxattr may be called by unprivileged processes commonly
2859          * and lack of permission just means that we fall back to the
2860          * in-core context value, not a denial.
2861          */
2862         error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2863         if (!error)
2864                 error = security_sid_to_context_force(isec->sid, &context,
2865                                                       &size);
2866         else
2867                 error = security_sid_to_context(isec->sid, &context, &size);
2868         if (error)
2869                 return error;
2870         error = size;
2871         if (alloc) {
2872                 *buffer = context;
2873                 goto out_nofree;
2874         }
2875         kfree(context);
2876 out_nofree:
2877         return error;
2878 }
2879
2880 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2881                                      const void *value, size_t size, int flags)
2882 {
2883         struct inode_security_struct *isec = inode->i_security;
2884         u32 newsid;
2885         int rc;
2886
2887         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2888                 return -EOPNOTSUPP;
2889
2890         if (!value || !size)
2891                 return -EACCES;
2892
2893         rc = security_context_to_sid((void *)value, size, &newsid);
2894         if (rc)
2895                 return rc;
2896
2897         isec->sid = newsid;
2898         return 0;
2899 }
2900
2901 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2902 {
2903         const int len = sizeof(XATTR_NAME_SELINUX);
2904         if (buffer && len <= buffer_size)
2905                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2906         return len;
2907 }
2908
2909 static int selinux_inode_need_killpriv(struct dentry *dentry)
2910 {
2911         return secondary_ops->inode_need_killpriv(dentry);
2912 }
2913
2914 static int selinux_inode_killpriv(struct dentry *dentry)
2915 {
2916         return secondary_ops->inode_killpriv(dentry);
2917 }
2918
2919 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2920 {
2921         struct inode_security_struct *isec = inode->i_security;
2922         *secid = isec->sid;
2923 }
2924
2925 /* file security operations */
2926
2927 static int selinux_revalidate_file_permission(struct file *file, int mask)
2928 {
2929         const struct cred *cred = current_cred();
2930         int rc;
2931         struct inode *inode = file->f_path.dentry->d_inode;
2932
2933         if (!mask) {
2934                 /* No permission to check.  Existence test. */
2935                 return 0;
2936         }
2937
2938         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2939         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2940                 mask |= MAY_APPEND;
2941
2942         rc = file_has_perm(cred, file,
2943                            file_mask_to_av(inode->i_mode, mask));
2944         if (rc)
2945                 return rc;
2946
2947         return selinux_netlbl_inode_permission(inode, mask);
2948 }
2949
2950 static int selinux_file_permission(struct file *file, int mask)
2951 {
2952         struct inode *inode = file->f_path.dentry->d_inode;
2953         struct file_security_struct *fsec = file->f_security;
2954         struct inode_security_struct *isec = inode->i_security;
2955         u32 sid = current_sid();
2956
2957         if (!mask) {
2958                 /* No permission to check.  Existence test. */
2959                 return 0;
2960         }
2961
2962         if (sid == fsec->sid && fsec->isid == isec->sid
2963             && fsec->pseqno == avc_policy_seqno())
2964                 return selinux_netlbl_inode_permission(inode, mask);
2965
2966         return selinux_revalidate_file_permission(file, mask);
2967 }
2968
2969 static int selinux_file_alloc_security(struct file *file)
2970 {
2971         return file_alloc_security(file);
2972 }
2973
2974 static void selinux_file_free_security(struct file *file)
2975 {
2976         file_free_security(file);
2977 }
2978
2979 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2980                               unsigned long arg)
2981 {
2982         const struct cred *cred = current_cred();
2983         u32 av = 0;
2984
2985         if (_IOC_DIR(cmd) & _IOC_WRITE)
2986                 av |= FILE__WRITE;
2987         if (_IOC_DIR(cmd) & _IOC_READ)
2988                 av |= FILE__READ;
2989         if (!av)
2990                 av = FILE__IOCTL;
2991
2992         return file_has_perm(cred, file, av);
2993 }
2994
2995 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2996 {
2997         const struct cred *cred = current_cred();
2998         int rc = 0;
2999
3000 #ifndef CONFIG_PPC32
3001         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3002                 /*
3003                  * We are making executable an anonymous mapping or a
3004                  * private file mapping that will also be writable.
3005                  * This has an additional check.
3006                  */
3007                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3008                 if (rc)
3009                         goto error;
3010         }
3011 #endif
3012
3013         if (file) {
3014                 /* read access is always possible with a mapping */
3015                 u32 av = FILE__READ;
3016
3017                 /* write access only matters if the mapping is shared */
3018                 if (shared && (prot & PROT_WRITE))
3019                         av |= FILE__WRITE;
3020
3021                 if (prot & PROT_EXEC)
3022                         av |= FILE__EXECUTE;
3023
3024                 return file_has_perm(cred, file, av);
3025         }
3026
3027 error:
3028         return rc;
3029 }
3030
3031 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3032                              unsigned long prot, unsigned long flags,
3033                              unsigned long addr, unsigned long addr_only)
3034 {
3035         int rc = 0;
3036         u32 sid = current_sid();
3037
3038         if (addr < mmap_min_addr)
3039                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3040                                   MEMPROTECT__MMAP_ZERO, NULL);
3041         if (rc || addr_only)
3042                 return rc;
3043
3044         if (selinux_checkreqprot)
3045                 prot = reqprot;
3046
3047         return file_map_prot_check(file, prot,
3048                                    (flags & MAP_TYPE) == MAP_SHARED);
3049 }
3050
3051 static int selinux_file_mprotect(struct vm_area_struct *vma,
3052                                  unsigned long reqprot,
3053                                  unsigned long prot)
3054 {
3055         const struct cred *cred = current_cred();
3056         int rc;
3057
3058         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3059         if (rc)
3060                 return rc;
3061
3062         if (selinux_checkreqprot)
3063                 prot = reqprot;
3064
3065 #ifndef CONFIG_PPC32
3066         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3067                 rc = 0;
3068                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3069                     vma->vm_end <= vma->vm_mm->brk) {
3070                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3071                 } else if (!vma->vm_file &&
3072                            vma->vm_start <= vma->vm_mm->start_stack &&
3073                            vma->vm_end >= vma->vm_mm->start_stack) {
3074                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3075                 } else if (vma->vm_file && vma->anon_vma) {
3076                         /*
3077                          * We are making executable a file mapping that has
3078                          * had some COW done. Since pages might have been
3079                          * written, check ability to execute the possibly
3080                          * modified content.  This typically should only
3081                          * occur for text relocations.
3082                          */
3083                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3084                 }
3085                 if (rc)
3086                         return rc;
3087         }
3088 #endif
3089
3090         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3091 }
3092
3093 static int selinux_file_lock(struct file *file, unsigned int cmd)
3094 {
3095         const struct cred *cred = current_cred();
3096
3097         return file_has_perm(cred, file, FILE__LOCK);
3098 }
3099
3100 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3101                               unsigned long arg)
3102 {
3103         const struct cred *cred = current_cred();
3104         int err = 0;
3105
3106         switch (cmd) {
3107         case F_SETFL:
3108                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3109                         err = -EINVAL;
3110                         break;
3111                 }
3112
3113                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3114                         err = file_has_perm(cred, file, FILE__WRITE);
3115                         break;
3116                 }
3117                 /* fall through */
3118         case F_SETOWN:
3119         case F_SETSIG:
3120         case F_GETFL:
3121         case F_GETOWN:
3122         case F_GETSIG:
3123                 /* Just check FD__USE permission */
3124                 err = file_has_perm(cred, file, 0);
3125                 break;
3126         case F_GETLK:
3127         case F_SETLK:
3128         case F_SETLKW:
3129 #if BITS_PER_LONG == 32
3130         case F_GETLK64:
3131         case F_SETLK64:
3132         case F_SETLKW64:
3133 #endif
3134                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3135                         err = -EINVAL;
3136                         break;
3137                 }
3138                 err = file_has_perm(cred, file, FILE__LOCK);
3139                 break;
3140         }
3141
3142         return err;
3143 }
3144
3145 static int selinux_file_set_fowner(struct file *file)
3146 {
3147         struct file_security_struct *fsec;
3148
3149         fsec = file->f_security;
3150         fsec->fown_sid = current_sid();
3151
3152         return 0;
3153 }
3154
3155 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3156                                        struct fown_struct *fown, int signum)
3157 {
3158         struct file *file;
3159         u32 sid = current_sid();
3160         u32 perm;
3161         struct file_security_struct *fsec;
3162
3163         /* struct fown_struct is never outside the context of a struct file */
3164         file = container_of(fown, struct file, f_owner);
3165
3166         fsec = file->f_security;
3167
3168         if (!signum)
3169                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3170         else
3171                 perm = signal_to_av(signum);
3172
3173         return avc_has_perm(fsec->fown_sid, sid,
3174                             SECCLASS_PROCESS, perm, NULL);
3175 }
3176
3177 static int selinux_file_receive(struct file *file)
3178 {
3179         const struct cred *cred = current_cred();
3180
3181         return file_has_perm(cred, file, file_to_av(file));
3182 }
3183
3184 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3185 {
3186         struct file_security_struct *fsec;
3187         struct inode *inode;
3188         struct inode_security_struct *isec;
3189
3190         inode = file->f_path.dentry->d_inode;
3191         fsec = file->f_security;
3192         isec = inode->i_security;
3193         /*
3194          * Save inode label and policy sequence number
3195          * at open-time so that selinux_file_permission
3196          * can determine whether revalidation is necessary.
3197          * Task label is already saved in the file security
3198          * struct as its SID.
3199          */
3200         fsec->isid = isec->sid;
3201         fsec->pseqno = avc_policy_seqno();
3202         /*
3203          * Since the inode label or policy seqno may have changed
3204          * between the selinux_inode_permission check and the saving
3205          * of state above, recheck that access is still permitted.
3206          * Otherwise, access might never be revalidated against the
3207          * new inode label or new policy.
3208          * This check is not redundant - do not remove.
3209          */
3210         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3211 }
3212
3213 /* task security operations */
3214
3215 static int selinux_task_create(unsigned long clone_flags)
3216 {
3217         int rc;
3218
3219         rc = secondary_ops->task_create(clone_flags);
3220         if (rc)
3221                 return rc;
3222
3223         return task_has_perm(current, current, PROCESS__FORK);
3224 }
3225
3226 /*
3227  * detach and free the LSM part of a set of credentials
3228  */
3229 static void selinux_cred_free(struct cred *cred)
3230 {
3231         struct task_security_struct *tsec = cred->security;
3232         cred->security = NULL;
3233         kfree(tsec);
3234 }
3235
3236 /*
3237  * prepare a new set of credentials for modification
3238  */
3239 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3240                                 gfp_t gfp)
3241 {
3242         const struct task_security_struct *old_tsec;
3243         struct task_security_struct *tsec;
3244
3245         old_tsec = old->security;
3246
3247         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3248         if (!tsec)
3249                 return -ENOMEM;
3250
3251         new->security = tsec;
3252         return 0;
3253 }
3254
3255 /*
3256  * commit new credentials
3257  */
3258 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3259 {
3260         secondary_ops->cred_commit(new, old);
3261 }
3262
3263 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3264 {
3265         /* Since setuid only affects the current process, and
3266            since the SELinux controls are not based on the Linux
3267            identity attributes, SELinux does not need to control
3268            this operation.  However, SELinux does control the use
3269            of the CAP_SETUID and CAP_SETGID capabilities using the
3270            capable hook. */
3271         return 0;
3272 }
3273
3274 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3275                                    int flags)
3276 {
3277         return secondary_ops->task_fix_setuid(new, old, flags);
3278 }
3279
3280 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3281 {
3282         /* See the comment for setuid above. */
3283         return 0;
3284 }
3285
3286 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3287 {
3288         return task_has_perm(current, p, PROCESS__SETPGID);
3289 }
3290
3291 static int selinux_task_getpgid(struct task_struct *p)
3292 {
3293         return task_has_perm(current, p, PROCESS__GETPGID);
3294 }
3295
3296 static int selinux_task_getsid(struct task_struct *p)
3297 {
3298         return task_has_perm(current, p, PROCESS__GETSESSION);
3299 }
3300
3301 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3302 {
3303         *secid = task_sid(p);
3304 }
3305
3306 static int selinux_task_setgroups(struct group_info *group_info)
3307 {
3308         /* See the comment for setuid above. */
3309         return 0;
3310 }
3311
3312 static int selinux_task_setnice(struct task_struct *p, int nice)
3313 {
3314         int rc;
3315
3316         rc = secondary_ops->task_setnice(p, nice);
3317         if (rc)
3318                 return rc;
3319
3320         return task_has_perm(current, p, PROCESS__SETSCHED);
3321 }
3322
3323 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3324 {
3325         int rc;
3326
3327         rc = secondary_ops->task_setioprio(p, ioprio);
3328         if (rc)
3329                 return rc;
3330
3331         return task_has_perm(current, p, PROCESS__SETSCHED);
3332 }
3333
3334 static int selinux_task_getioprio(struct task_struct *p)
3335 {
3336         return task_has_perm(current, p, PROCESS__GETSCHED);
3337 }
3338
3339 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3340 {
3341         struct rlimit *old_rlim = current->signal->rlim + resource;
3342         int rc;
3343
3344         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3345         if (rc)
3346                 return rc;
3347
3348         /* Control the ability to change the hard limit (whether
3349            lowering or raising it), so that the hard limit can
3350            later be used as a safe reset point for the soft limit
3351            upon context transitions.  See selinux_bprm_committing_creds. */
3352         if (old_rlim->rlim_max != new_rlim->rlim_max)
3353                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3354
3355         return 0;
3356 }
3357
3358 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3359 {
3360         int rc;
3361
3362         rc = secondary_ops->task_setscheduler(p, policy, lp);
3363         if (rc)
3364                 return rc;
3365
3366         return task_has_perm(current, p, PROCESS__SETSCHED);
3367 }
3368
3369 static int selinux_task_getscheduler(struct task_struct *p)
3370 {
3371         return task_has_perm(current, p, PROCESS__GETSCHED);
3372 }
3373
3374 static int selinux_task_movememory(struct task_struct *p)
3375 {
3376         return task_has_perm(current, p, PROCESS__SETSCHED);
3377 }
3378
3379 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3380                                 int sig, u32 secid)
3381 {
3382         u32 perm;
3383         int rc;
3384
3385         rc = secondary_ops->task_kill(p, info, sig, secid);
3386         if (rc)
3387                 return rc;
3388
3389         if (!sig)
3390                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3391         else
3392                 perm = signal_to_av(sig);
3393         if (secid)
3394                 rc = avc_has_perm(secid, task_sid(p),
3395                                   SECCLASS_PROCESS, perm, NULL);
3396         else
3397                 rc = task_has_perm(current, p, perm);
3398         return rc;
3399 }
3400
3401 static int selinux_task_prctl(int option,
3402                               unsigned long arg2,
3403                               unsigned long arg3,
3404                               unsigned long arg4,
3405                               unsigned long arg5)
3406 {
3407         /* The current prctl operations do not appear to require
3408            any SELinux controls since they merely observe or modify
3409            the state of the current process. */
3410         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3411 }
3412
3413 static int selinux_task_wait(struct task_struct *p)
3414 {
3415         return task_has_perm(p, current, PROCESS__SIGCHLD);
3416 }
3417
3418 static void selinux_task_to_inode(struct task_struct *p,
3419                                   struct inode *inode)
3420 {
3421         struct inode_security_struct *isec = inode->i_security;
3422         u32 sid = task_sid(p);
3423
3424         isec->sid = sid;
3425         isec->initialized = 1;
3426 }
3427
3428 /* Returns error only if unable to parse addresses */
3429 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3430                         struct avc_audit_data *ad, u8 *proto)
3431 {
3432         int offset, ihlen, ret = -EINVAL;
3433         struct iphdr _iph, *ih;
3434
3435         offset = skb_network_offset(skb);
3436         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3437         if (ih == NULL)
3438                 goto out;
3439
3440         ihlen = ih->ihl * 4;
3441         if (ihlen < sizeof(_iph))
3442                 goto out;
3443
3444         ad->u.net.v4info.saddr = ih->saddr;
3445         ad->u.net.v4info.daddr = ih->daddr;
3446         ret = 0;
3447
3448         if (proto)
3449                 *proto = ih->protocol;
3450
3451         switch (ih->protocol) {
3452         case IPPROTO_TCP: {
3453                 struct tcphdr _tcph, *th;
3454
3455                 if (ntohs(ih->frag_off) & IP_OFFSET)
3456                         break;
3457
3458                 offset += ihlen;
3459                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3460                 if (th == NULL)
3461                         break;
3462
3463                 ad->u.net.sport = th->source;
3464                 ad->u.net.dport = th->dest;
3465                 break;
3466         }
3467
3468         case IPPROTO_UDP: {
3469                 struct udphdr _udph, *uh;
3470
3471                 if (ntohs(ih->frag_off) & IP_OFFSET)
3472                         break;
3473
3474                 offset += ihlen;
3475                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3476                 if (uh == NULL)
3477                         break;
3478
3479                 ad->u.net.sport = uh->source;
3480                 ad->u.net.dport = uh->dest;
3481                 break;
3482         }
3483
3484         case IPPROTO_DCCP: {
3485                 struct dccp_hdr _dccph, *dh;
3486
3487                 if (ntohs(ih->frag_off) & IP_OFFSET)
3488                         break;
3489
3490                 offset += ihlen;
3491                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3492                 if (dh == NULL)
3493                         break;
3494
3495                 ad->u.net.sport = dh->dccph_sport;
3496                 ad->u.net.dport = dh->dccph_dport;
3497                 break;
3498         }
3499
3500         default:
3501                 break;
3502         }
3503 out:
3504         return ret;
3505 }
3506
3507 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3508
3509 /* Returns error only if unable to parse addresses */
3510 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3511                         struct avc_audit_data *ad, u8 *proto)
3512 {
3513         u8 nexthdr;
3514         int ret = -EINVAL, offset;
3515         struct ipv6hdr _ipv6h, *ip6;
3516
3517         offset = skb_network_offset(skb);
3518         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3519         if (ip6 == NULL)
3520                 goto out;
3521
3522         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3523         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3524         ret = 0;
3525
3526         nexthdr = ip6->nexthdr;
3527         offset += sizeof(_ipv6h);
3528         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3529         if (offset < 0)
3530                 goto out;
3531
3532         if (proto)
3533                 *proto = nexthdr;
3534
3535         switch (nexthdr) {
3536         case IPPROTO_TCP: {
3537                 struct tcphdr _tcph, *th;
3538
3539                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3540                 if (th == NULL)
3541                         break;
3542
3543                 ad->u.net.sport = th->source;
3544                 ad->u.net.dport = th->dest;
3545                 break;
3546         }
3547
3548         case IPPROTO_UDP: {
3549                 struct udphdr _udph, *uh;
3550
3551                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3552                 if (uh == NULL)
3553                         break;
3554
3555                 ad->u.net.sport = uh->source;
3556                 ad->u.net.dport = uh->dest;
3557                 break;
3558         }
3559
3560         case IPPROTO_DCCP: {
3561                 struct dccp_hdr _dccph, *dh;
3562
3563                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3564                 if (dh == NULL)
3565                         break;
3566
3567                 ad->u.net.sport = dh->dccph_sport;
3568                 ad->u.net.dport = dh->dccph_dport;
3569                 break;
3570         }
3571
3572         /* includes fragments */
3573         default:
3574                 break;
3575         }
3576 out:
3577         return ret;
3578 }
3579
3580 #endif /* IPV6 */
3581
3582 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3583                              char **_addrp, int src, u8 *proto)
3584 {
3585         char *addrp;
3586         int ret;
3587
3588         switch (ad->u.net.family) {
3589         case PF_INET:
3590                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3591                 if (ret)
3592                         goto parse_error;
3593                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3594                                        &ad->u.net.v4info.daddr);
3595                 goto okay;
3596
3597 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3598         case PF_INET6:
3599                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3600                 if (ret)
3601                         goto parse_error;
3602                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3603                                        &ad->u.net.v6info.daddr);
3604                 goto okay;
3605 #endif  /* IPV6 */
3606         default:
3607                 addrp = NULL;
3608                 goto okay;
3609         }
3610
3611 parse_error:
3612         printk(KERN_WARNING
3613                "SELinux: failure in selinux_parse_skb(),"
3614                " unable to parse packet\n");
3615         return ret;
3616
3617 okay:
3618         if (_addrp)
3619                 *_addrp = addrp;
3620         return 0;
3621 }
3622
3623 /**
3624  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3625  * @skb: the packet
3626  * @family: protocol family
3627  * @sid: the packet's peer label SID
3628  *
3629  * Description:
3630  * Check the various different forms of network peer labeling and determine
3631  * the peer label/SID for the packet; most of the magic actually occurs in
3632  * the security server function security_net_peersid_cmp().  The function
3633  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3634  * or -EACCES if @sid is invalid due to inconsistencies with the different
3635  * peer labels.
3636  *
3637  */
3638 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3639 {
3640         int err;
3641         u32 xfrm_sid;
3642         u32 nlbl_sid;
3643         u32 nlbl_type;
3644
3645         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3646         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3647
3648         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3649         if (unlikely(err)) {
3650                 printk(KERN_WARNING
3651                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3652                        " unable to determine packet's peer label\n");
3653                 return -EACCES;
3654         }
3655
3656         return 0;
3657 }
3658
3659 /* socket security operations */
3660 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3661                            u32 perms)
3662 {
3663         struct inode_security_struct *isec;
3664         struct avc_audit_data ad;
3665         u32 sid;
3666         int err = 0;
3667
3668         isec = SOCK_INODE(sock)->i_security;
3669
3670         if (isec->sid == SECINITSID_KERNEL)
3671                 goto out;
3672         sid = task_sid(task);
3673
3674         AVC_AUDIT_DATA_INIT(&ad, NET);
3675         ad.u.net.sk = sock->sk;
3676         err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3677
3678 out:
3679         return err;
3680 }
3681
3682 static int selinux_socket_create(int family, int type,
3683                                  int protocol, int kern)
3684 {
3685         const struct cred *cred = current_cred();
3686         const struct task_security_struct *tsec = cred->security;
3687         u32 sid, newsid;
3688         u16 secclass;
3689         int err = 0;
3690
3691         if (kern)
3692                 goto out;
3693
3694         sid = tsec->sid;
3695         newsid = tsec->sockcreate_sid ?: sid;
3696
3697         secclass = socket_type_to_security_class(family, type, protocol);
3698         err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3699
3700 out:
3701         return err;
3702 }
3703
3704 static int selinux_socket_post_create(struct socket *sock, int family,
3705                                       int type, int protocol, int kern)
3706 {
3707         const struct cred *cred = current_cred();
3708         const struct task_security_struct *tsec = cred->security;
3709         struct inode_security_struct *isec;
3710         struct sk_security_struct *sksec;
3711         u32 sid, newsid;
3712         int err = 0;
3713
3714         sid = tsec->sid;
3715         newsid = tsec->sockcreate_sid;
3716
3717         isec = SOCK_INODE(sock)->i_security;
3718
3719         if (kern)
3720                 isec->sid = SECINITSID_KERNEL;
3721         else if (newsid)
3722                 isec->sid = newsid;
3723         else
3724                 isec->sid = sid;
3725
3726         isec->sclass = socket_type_to_security_class(family, type, protocol);
3727         isec->initialized = 1;
3728
3729         if (sock->sk) {
3730                 sksec = sock->sk->sk_security;
3731                 sksec->sid = isec->sid;
3732                 sksec->sclass = isec->sclass;
3733                 err = selinux_netlbl_socket_post_create(sock);
3734         }
3735
3736         return err;
3737 }
3738
3739 /* Range of port numbers used to automatically bind.
3740    Need to determine whether we should perform a name_bind
3741    permission check between the socket and the port number. */
3742
3743 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3744 {
3745         u16 family;
3746         int err;
3747
3748         err = socket_has_perm(current, sock, SOCKET__BIND);
3749         if (err)
3750                 goto out;
3751
3752         /*
3753          * If PF_INET or PF_INET6, check name_bind permission for the port.
3754          * Multiple address binding for SCTP is not supported yet: we just
3755          * check the first address now.
3756          */
3757         family = sock->sk->sk_family;
3758         if (family == PF_INET || family == PF_INET6) {
3759                 char *addrp;
3760                 struct inode_security_struct *isec;
3761                 struct avc_audit_data ad;
3762                 struct sockaddr_in *addr4 = NULL;
3763                 struct sockaddr_in6 *addr6 = NULL;
3764                 unsigned short snum;
3765                 struct sock *sk = sock->sk;
3766                 u32 sid, node_perm;
3767
3768                 isec = SOCK_INODE(sock)->i_security;
3769
3770                 if (family == PF_INET) {
3771                         addr4 = (struct sockaddr_in *)address;
3772                         snum = ntohs(addr4->sin_port);
3773                         addrp = (char *)&addr4->sin_addr.s_addr;
3774                 } else {
3775                         addr6 = (struct sockaddr_in6 *)address;
3776                         snum = ntohs(addr6->sin6_port);
3777                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3778                 }
3779
3780                 if (snum) {
3781                         int low, high;
3782
3783                         inet_get_local_port_range(&low, &high);
3784
3785                         if (snum < max(PROT_SOCK, low) || snum > high) {
3786                                 err = sel_netport_sid(sk->sk_protocol,
3787                                                       snum, &sid);
3788                                 if (err)
3789                                         goto out;
3790                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3791                                 ad.u.net.sport = htons(snum);
3792                                 ad.u.net.family = family;
3793                                 err = avc_has_perm(isec->sid, sid,
3794                                                    isec->sclass,
3795                                                    SOCKET__NAME_BIND, &ad);
3796                                 if (err)
3797                                         goto out;
3798                         }
3799                 }
3800
3801                 switch (isec->sclass) {
3802                 case SECCLASS_TCP_SOCKET:
3803                         node_perm = TCP_SOCKET__NODE_BIND;
3804                         break;
3805
3806                 case SECCLASS_UDP_SOCKET:
3807                         node_perm = UDP_SOCKET__NODE_BIND;
3808                         break;
3809
3810                 case SECCLASS_DCCP_SOCKET:
3811                         node_perm = DCCP_SOCKET__NODE_BIND;
3812                         break;
3813
3814                 default:
3815                         node_perm = RAWIP_SOCKET__NODE_BIND;
3816                         break;
3817                 }
3818
3819                 err = sel_netnode_sid(addrp, family, &sid);
3820                 if (err)
3821                         goto out;
3822
3823                 AVC_AUDIT_DATA_INIT(&ad, NET);
3824                 ad.u.net.sport = htons(snum);
3825                 ad.u.net.family = family;
3826
3827                 if (family == PF_INET)
3828                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3829                 else
3830                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3831
3832                 err = avc_has_perm(isec->sid, sid,
3833                                    isec->sclass, node_perm, &ad);
3834                 if (err)
3835                         goto out;
3836         }
3837 out:
3838         return err;
3839 }
3840
3841 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3842 {
3843         struct sock *sk = sock->sk;
3844         struct inode_security_struct *isec;
3845         int err;
3846
3847         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3848         if (err)
3849                 return err;
3850
3851         /*
3852          * If a TCP or DCCP socket, check name_connect permission for the port.
3853          */
3854         isec = SOCK_INODE(sock)->i_security;
3855         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3856             isec->sclass == SECCLASS_DCCP_SOCKET) {
3857                 struct avc_audit_data ad;
3858                 struct sockaddr_in *addr4 = NULL;
3859                 struct sockaddr_in6 *addr6 = NULL;
3860                 unsigned short snum;
3861                 u32 sid, perm;
3862
3863                 if (sk->sk_family == PF_INET) {
3864                         addr4 = (struct sockaddr_in *)address;
3865                         if (addrlen < sizeof(struct sockaddr_in))
3866                                 return -EINVAL;
3867                         snum = ntohs(addr4->sin_port);
3868                 } else {
3869                         addr6 = (struct sockaddr_in6 *)address;
3870                         if (addrlen < SIN6_LEN_RFC2133)
3871                                 return -EINVAL;
3872                         snum = ntohs(addr6->sin6_port);
3873                 }
3874
3875                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3876                 if (err)
3877                         goto out;
3878
3879                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3880                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3881
3882                 AVC_AUDIT_DATA_INIT(&ad, NET);
3883                 ad.u.net.dport = htons(snum);
3884                 ad.u.net.family = sk->sk_family;
3885                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3886                 if (err)
3887                         goto out;
3888         }
3889
3890         err = selinux_netlbl_socket_connect(sk, address);
3891
3892 out:
3893         return err;
3894 }
3895
3896 static int selinux_socket_listen(struct socket *sock, int backlog)
3897 {
3898         return socket_has_perm(current, sock, SOCKET__LISTEN);
3899 }
3900
3901 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3902 {
3903         int err;
3904         struct inode_security_struct *isec;
3905         struct inode_security_struct *newisec;
3906
3907         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3908         if (err)
3909                 return err;
3910
3911         newisec = SOCK_INODE(newsock)->i_security;
3912
3913         isec = SOCK_INODE(sock)->i_security;
3914         newisec->sclass = isec->sclass;
3915         newisec->sid = isec->sid;
3916         newisec->initialized = 1;
3917
3918         return 0;
3919 }
3920
3921 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3922                                   int size)
3923 {
3924         int rc;
3925
3926         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3927         if (rc)
3928                 return rc;
3929
3930         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3931 }
3932
3933 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3934                                   int size, int flags)
3935 {
3936         return socket_has_perm(current, sock, SOCKET__READ);
3937 }
3938
3939 static int selinux_socket_getsockname(struct socket *sock)
3940 {
3941         return socket_has_perm(current, sock, SOCKET__GETATTR);
3942 }
3943
3944 static int selinux_socket_getpeername(struct socket *sock)
3945 {
3946         return socket_has_perm(current, sock, SOCKET__GETATTR);
3947 }
3948
3949 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3950 {
3951         int err;
3952
3953         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3954         if (err)
3955                 return err;
3956
3957         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3958 }
3959
3960 static int selinux_socket_getsockopt(struct socket *sock, int level,
3961                                      int optname)
3962 {
3963         return socket_has_perm(current, sock, SOCKET__GETOPT);
3964 }
3965
3966 static int selinux_socket_shutdown(struct socket *sock, int how)
3967 {
3968         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3969 }
3970
3971 static int selinux_socket_unix_stream_connect(struct socket *sock,
3972                                               struct socket *other,
3973                                               struct sock *newsk)
3974 {
3975         struct sk_security_struct *ssec;
3976         struct inode_security_struct *isec;
3977         struct inode_security_struct *other_isec;
3978         struct avc_audit_data ad;
3979         int err;
3980
3981         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3982         if (err)
3983                 return err;
3984
3985         isec = SOCK_INODE(sock)->i_security;
3986         other_isec = SOCK_INODE(other)->i_security;
3987
3988         AVC_AUDIT_DATA_INIT(&ad, NET);
3989         ad.u.net.sk = other->sk;
3990
3991         err = avc_has_perm(isec->sid, other_isec->sid,
3992                            isec->sclass,
3993                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3994         if (err)
3995                 return err;
3996
3997         /* connecting socket */
3998         ssec = sock->sk->sk_security;
3999         ssec->peer_sid = other_isec->sid;
4000
4001         /* server child socket */
4002         ssec = newsk->sk_security;
4003         ssec->peer_sid = isec->sid;
4004         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4005
4006         return err;
4007 }
4008
4009 static int selinux_socket_unix_may_send(struct socket *sock,
4010                                         struct socket *other)
4011 {
4012         struct inode_security_struct *isec;
4013         struct inode_security_struct *other_isec;
4014         struct avc_audit_data ad;
4015         int err;
4016
4017         isec = SOCK_INODE(sock)->i_security;
4018         other_isec = SOCK_INODE(other)->i_security;
4019
4020         AVC_AUDIT_DATA_INIT(&ad, NET);
4021         ad.u.net.sk = other->sk;
4022
4023         err = avc_has_perm(isec->sid, other_isec->sid,
4024                            isec->sclass, SOCKET__SENDTO, &ad);
4025         if (err)
4026                 return err;
4027
4028         return 0;
4029 }
4030
4031 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4032                                     u32 peer_sid,
4033                                     struct avc_audit_data *ad)
4034 {
4035         int err;
4036         u32 if_sid;
4037         u32 node_sid;
4038
4039         err = sel_netif_sid(ifindex, &if_sid);
4040         if (err)
4041                 return err;
4042         err = avc_has_perm(peer_sid, if_sid,
4043                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4044         if (err)
4045                 return err;
4046
4047         err = sel_netnode_sid(addrp, family, &node_sid);
4048         if (err)
4049                 return err;
4050         return avc_has_perm(peer_sid, node_sid,
4051                             SECCLASS_NODE, NODE__RECVFROM, ad);
4052 }
4053
4054 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4055                                                 struct sk_buff *skb,
4056                                                 struct avc_audit_data *ad,
4057                                                 u16 family,
4058                                                 char *addrp)
4059 {
4060         int err;
4061         struct sk_security_struct *sksec = sk->sk_security;
4062         u16 sk_class;
4063         u32 netif_perm, node_perm, recv_perm;
4064         u32 port_sid, node_sid, if_sid, sk_sid;
4065
4066         sk_sid = sksec->sid;
4067         sk_class = sksec->sclass;
4068
4069         switch (sk_class) {
4070         case SECCLASS_UDP_SOCKET:
4071                 netif_perm = NETIF__UDP_RECV;
4072                 node_perm = NODE__UDP_RECV;
4073                 recv_perm = UDP_SOCKET__RECV_MSG;
4074                 break;
4075         case SECCLASS_TCP_SOCKET:
4076                 netif_perm = NETIF__TCP_RECV;
4077                 node_perm = NODE__TCP_RECV;
4078                 recv_perm = TCP_SOCKET__RECV_MSG;
4079                 break;
4080         case SECCLASS_DCCP_SOCKET:
4081                 netif_perm = NETIF__DCCP_RECV;
4082                 node_perm = NODE__DCCP_RECV;
4083                 recv_perm = DCCP_SOCKET__RECV_MSG;
4084                 break;
4085         default:
4086                 netif_perm = NETIF__RAWIP_RECV;
4087                 node_perm = NODE__RAWIP_RECV;
4088                 recv_perm = 0;
4089                 break;
4090         }
4091
4092         err = sel_netif_sid(skb->iif, &if_sid);
4093         if (err)
4094                 return err;
4095         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4096         if (err)
4097                 return err;
4098
4099         err = sel_netnode_sid(addrp, family, &node_sid);
4100         if (err)
4101                 return err;
4102         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4103         if (err)
4104                 return err;
4105
4106         if (!recv_perm)
4107                 return 0;
4108         err = sel_netport_sid(sk->sk_protocol,
4109                               ntohs(ad->u.net.sport), &port_sid);
4110         if (unlikely(err)) {
4111                 printk(KERN_WARNING
4112                        "SELinux: failure in"
4113                        " selinux_sock_rcv_skb_iptables_compat(),"
4114                        " network port label not found\n");
4115                 return err;
4116         }
4117         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4118 }
4119
4120 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4121                                        u16 family)
4122 {
4123         int err;
4124         struct sk_security_struct *sksec = sk->sk_security;
4125         u32 peer_sid;
4126         u32 sk_sid = sksec->sid;
4127         struct avc_audit_data ad;
4128         char *addrp;
4129
4130         AVC_AUDIT_DATA_INIT(&ad, NET);
4131         ad.u.net.netif = skb->iif;
4132         ad.u.net.family = family;
4133         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4134         if (err)
4135                 return err;
4136
4137         if (selinux_compat_net)
4138                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4139                                                            family, addrp);
4140         else
4141                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4142                                    PACKET__RECV, &ad);
4143         if (err)
4144                 return err;
4145
4146         if (selinux_policycap_netpeer) {
4147                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4148                 if (err)
4149                         return err;
4150                 err = avc_has_perm(sk_sid, peer_sid,
4151                                    SECCLASS_PEER, PEER__RECV, &ad);
4152                 if (err)
4153                         selinux_netlbl_err(skb, err, 0);
4154         } else {
4155                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4156                 if (err)
4157                         return err;
4158                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4159         }
4160
4161         return err;
4162 }
4163
4164 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4165 {
4166         int err;
4167         struct sk_security_struct *sksec = sk->sk_security;
4168         u16 family = sk->sk_family;
4169         u32 sk_sid = sksec->sid;
4170         struct avc_audit_data ad;
4171         char *addrp;
4172         u8 secmark_active;
4173         u8 peerlbl_active;
4174
4175         if (family != PF_INET && family != PF_INET6)
4176                 return 0;
4177
4178         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4179         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4180                 family = PF_INET;
4181
4182         /* If any sort of compatibility mode is enabled then handoff processing
4183          * to the selinux_sock_rcv_skb_compat() function to deal with the
4184          * special handling.  We do this in an attempt to keep this function
4185          * as fast and as clean as possible. */
4186         if (selinux_compat_net || !selinux_policycap_netpeer)
4187                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4188
4189         secmark_active = selinux_secmark_enabled();
4190         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4191         if (!secmark_active && !peerlbl_active)
4192                 return 0;
4193
4194         AVC_AUDIT_DATA_INIT(&ad, NET);
4195         ad.u.net.netif = skb->iif;
4196         ad.u.net.family = family;
4197         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4198         if (err)
4199                 return err;
4200
4201         if (peerlbl_active) {
4202                 u32 peer_sid;
4203
4204                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4205                 if (err)
4206                         return err;
4207                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4208                                                peer_sid, &ad);
4209                 if (err) {
4210                         selinux_netlbl_err(skb, err, 0);
4211                         return err;
4212                 }
4213                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4214                                    PEER__RECV, &ad);
4215                 if (err)
4216                         selinux_netlbl_err(skb, err, 0);
4217         }
4218
4219         if (secmark_active) {
4220                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4221                                    PACKET__RECV, &ad);
4222                 if (err)
4223                         return err;
4224         }
4225
4226         return err;
4227 }
4228
4229 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4230                                             int __user *optlen, unsigned len)
4231 {
4232         int err = 0;
4233         char *scontext;
4234         u32 scontext_len;
4235         struct sk_security_struct *ssec;
4236         struct inode_security_struct *isec;
4237         u32 peer_sid = SECSID_NULL;
4238
4239         isec = SOCK_INODE(sock)->i_security;
4240
4241         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4242             isec->sclass == SECCLASS_TCP_SOCKET) {
4243                 ssec = sock->sk->sk_security;
4244                 peer_sid = ssec->peer_sid;
4245         }
4246         if (peer_sid == SECSID_NULL) {
4247                 err = -ENOPROTOOPT;
4248                 goto out;
4249         }
4250
4251         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4252
4253         if (err)
4254                 goto out;
4255
4256         if (scontext_len > len) {
4257                 err = -ERANGE;
4258                 goto out_len;
4259         }
4260
4261         if (copy_to_user(optval, scontext, scontext_len))
4262                 err = -EFAULT;
4263
4264 out_len:
4265         if (put_user(scontext_len, optlen))
4266                 err = -EFAULT;
4267
4268         kfree(scontext);
4269 out:
4270         return err;
4271 }
4272
4273 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4274 {
4275         u32 peer_secid = SECSID_NULL;
4276         u16 family;
4277
4278         if (skb && skb->protocol == htons(ETH_P_IP))
4279                 family = PF_INET;
4280         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4281                 family = PF_INET6;
4282         else if (sock)
4283                 family = sock->sk->sk_family;
4284         else
4285                 goto out;
4286
4287         if (sock && family == PF_UNIX)
4288                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4289         else if (skb)
4290                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4291
4292 out:
4293         *secid = peer_secid;
4294         if (peer_secid == SECSID_NULL)
4295                 return -EINVAL;
4296         return 0;
4297 }
4298
4299 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4300 {
4301         return sk_alloc_security(sk, family, priority);
4302 }
4303
4304 static void selinux_sk_free_security(struct sock *sk)
4305 {
4306         sk_free_security(sk);
4307 }
4308
4309 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4310 {
4311         struct sk_security_struct *ssec = sk->sk_security;
4312         struct sk_security_struct *newssec = newsk->sk_security;
4313
4314         newssec->sid = ssec->sid;
4315         newssec->peer_sid = ssec->peer_sid;
4316         newssec->sclass = ssec->sclass;
4317
4318         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4319 }
4320
4321 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4322 {
4323         if (!sk)
4324                 *secid = SECINITSID_ANY_SOCKET;
4325         else {
4326                 struct sk_security_struct *sksec = sk->sk_security;
4327
4328                 *secid = sksec->sid;
4329         }
4330 }
4331
4332 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4333 {
4334         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4335         struct sk_security_struct *sksec = sk->sk_security;
4336
4337         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4338             sk->sk_family == PF_UNIX)
4339                 isec->sid = sksec->sid;
4340         sksec->sclass = isec->sclass;
4341 }
4342
4343 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4344                                      struct request_sock *req)
4345 {
4346         struct sk_security_struct *sksec = sk->sk_security;
4347         int err;
4348         u16 family = sk->sk_family;
4349         u32 newsid;
4350         u32 peersid;
4351
4352         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4353         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4354                 family = PF_INET;
4355
4356         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4357         if (err)
4358                 return err;
4359         if (peersid == SECSID_NULL) {
4360                 req->secid = sksec->sid;
4361                 req->peer_secid = SECSID_NULL;
4362                 return 0;
4363         }
4364
4365         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4366         if (err)
4367                 return err;
4368
4369         req->secid = newsid;
4370         req->peer_secid = peersid;
4371         return 0;
4372 }
4373
4374 static void selinux_inet_csk_clone(struct sock *newsk,
4375                                    const struct request_sock *req)
4376 {
4377         struct sk_security_struct *newsksec = newsk->sk_security;
4378
4379         newsksec->sid = req->secid;
4380         newsksec->peer_sid = req->peer_secid;
4381         /* NOTE: Ideally, we should also get the isec->sid for the
4382            new socket in sync, but we don't have the isec available yet.
4383            So we will wait until sock_graft to do it, by which
4384            time it will have been created and available. */
4385
4386         /* We don't need to take any sort of lock here as we are the only
4387          * thread with access to newsksec */
4388         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4389 }
4390
4391 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4392 {
4393         u16 family = sk->sk_family;
4394         struct sk_security_struct *sksec = sk->sk_security;
4395
4396         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4397         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4398                 family = PF_INET;
4399
4400         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4401
4402         selinux_netlbl_inet_conn_established(sk, family);
4403 }
4404
4405 static void selinux_req_classify_flow(const struct request_sock *req,
4406                                       struct flowi *fl)
4407 {
4408         fl->secid = req->secid;
4409 }
4410
4411 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4412 {
4413         int err = 0;
4414         u32 perm;
4415         struct nlmsghdr *nlh;
4416         struct socket *sock = sk->sk_socket;
4417         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4418
4419         if (skb->len < NLMSG_SPACE(0)) {
4420                 err = -EINVAL;
4421                 goto out;
4422         }
4423         nlh = nlmsg_hdr(skb);
4424
4425         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4426         if (err) {
4427                 if (err == -EINVAL) {
4428                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4429                                   "SELinux:  unrecognized netlink message"
4430                                   " type=%hu for sclass=%hu\n",
4431                                   nlh->nlmsg_type, isec->sclass);
4432                         if (!selinux_enforcing || security_get_allow_unknown())
4433                                 err = 0;
4434                 }
4435
4436                 /* Ignore */
4437                 if (err == -ENOENT)
4438                         err = 0;
4439                 goto out;
4440         }
4441
4442         err = socket_has_perm(current, sock, perm);
4443 out:
4444         return err;
4445 }
4446
4447 #ifdef CONFIG_NETFILTER
4448
4449 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4450                                        u16 family)
4451 {
4452         int err;
4453         char *addrp;
4454         u32 peer_sid;
4455         struct avc_audit_data ad;
4456         u8 secmark_active;
4457         u8 netlbl_active;
4458         u8 peerlbl_active;
4459
4460         if (!selinux_policycap_netpeer)
4461                 return NF_ACCEPT;
4462
4463         secmark_active = selinux_secmark_enabled();
4464         netlbl_active = netlbl_enabled();
4465         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4466         if (!secmark_active && !peerlbl_active)
4467                 return NF_ACCEPT;
4468
4469         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4470                 return NF_DROP;
4471
4472         AVC_AUDIT_DATA_INIT(&ad, NET);
4473         ad.u.net.netif = ifindex;
4474         ad.u.net.family = family;
4475         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4476                 return NF_DROP;
4477
4478         if (peerlbl_active) {
4479                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4480                                                peer_sid, &ad);
4481                 if (err) {
4482                         selinux_netlbl_err(skb, err, 1);
4483                         return NF_DROP;
4484                 }
4485         }
4486
4487         if (secmark_active)
4488                 if (avc_has_perm(peer_sid, skb->secmark,
4489                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4490                         return NF_DROP;
4491
4492         if (netlbl_active)
4493                 /* we do this in the FORWARD path and not the POST_ROUTING
4494                  * path because we want to make sure we apply the necessary
4495                  * labeling before IPsec is applied so we can leverage AH
4496                  * protection */
4497                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4498                         return NF_DROP;
4499
4500         return NF_ACCEPT;
4501 }
4502
4503 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4504                                          struct sk_buff *skb,
4505                                          const struct net_device *in,
4506                                          const struct net_device *out,
4507                                          int (*okfn)(struct sk_buff *))
4508 {
4509         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4510 }
4511
4512 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4513 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4514                                          struct sk_buff *skb,
4515                                          const struct net_device *in,
4516                                          const struct net_device *out,
4517                                          int (*okfn)(struct sk_buff *))
4518 {
4519         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4520 }
4521 #endif  /* IPV6 */
4522
4523 static unsigned int selinux_ip_output(struct sk_buff *skb,
4524                                       u16 family)
4525 {
4526         u32 sid;
4527
4528         if (!netlbl_enabled())
4529                 return NF_ACCEPT;
4530
4531         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4532          * because we want to make sure we apply the necessary labeling
4533          * before IPsec is applied so we can leverage AH protection */
4534         if (skb->sk) {
4535                 struct sk_security_struct *sksec = skb->sk->sk_security;
4536                 sid = sksec->sid;
4537         } else
4538                 sid = SECINITSID_KERNEL;
4539         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4540                 return NF_DROP;
4541
4542         return NF_ACCEPT;
4543 }
4544
4545 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4546                                         struct sk_buff *skb,
4547                                         const struct net_device *in,
4548                                         const struct net_device *out,
4549                                         int (*okfn)(struct sk_buff *))
4550 {
4551         return selinux_ip_output(skb, PF_INET);
4552 }
4553
4554 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4555                                                 int ifindex,
4556                                                 struct avc_audit_data *ad,
4557                                                 u16 family, char *addrp)
4558 {
4559         int err;
4560         struct sk_security_struct *sksec = sk->sk_security;
4561         u16 sk_class;
4562         u32 netif_perm, node_perm, send_perm;
4563         u32 port_sid, node_sid, if_sid, sk_sid;
4564
4565         sk_sid = sksec->sid;
4566         sk_class = sksec->sclass;
4567
4568         switch (sk_class) {
4569         case SECCLASS_UDP_SOCKET:
4570                 netif_perm = NETIF__UDP_SEND;
4571                 node_perm = NODE__UDP_SEND;
4572                 send_perm = UDP_SOCKET__SEND_MSG;
4573                 break;
4574         case SECCLASS_TCP_SOCKET:
4575                 netif_perm = NETIF__TCP_SEND;
4576                 node_perm = NODE__TCP_SEND;
4577                 send_perm = TCP_SOCKET__SEND_MSG;
4578                 break;
4579         case SECCLASS_DCCP_SOCKET:
4580                 netif_perm = NETIF__DCCP_SEND;
4581                 node_perm = NODE__DCCP_SEND;
4582                 send_perm = DCCP_SOCKET__SEND_MSG;
4583                 break;
4584         default:
4585                 netif_perm = NETIF__RAWIP_SEND;
4586                 node_perm = NODE__RAWIP_SEND;
4587                 send_perm = 0;
4588                 break;
4589         }
4590
4591         err = sel_netif_sid(ifindex, &if_sid);
4592         if (err)
4593                 return err;
4594         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4595                 return err;
4596
4597         err = sel_netnode_sid(addrp, family, &node_sid);
4598         if (err)
4599                 return err;
4600         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4601         if (err)
4602                 return err;
4603
4604         if (send_perm != 0)
4605                 return 0;
4606
4607         err = sel_netport_sid(sk->sk_protocol,
4608                               ntohs(ad->u.net.dport), &port_sid);
4609         if (unlikely(err)) {
4610                 printk(KERN_WARNING
4611                        "SELinux: failure in"
4612                        " selinux_ip_postroute_iptables_compat(),"
4613                        " network port label not found\n");
4614                 return err;
4615         }
4616         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4617 }
4618
4619 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4620                                                 int ifindex,
4621                                                 u16 family)
4622 {
4623         struct sock *sk = skb->sk;
4624         struct sk_security_struct *sksec;
4625         struct avc_audit_data ad;
4626         char *addrp;
4627         u8 proto;
4628
4629         if (sk == NULL)
4630                 return NF_ACCEPT;
4631         sksec = sk->sk_security;
4632
4633         AVC_AUDIT_DATA_INIT(&ad, NET);
4634         ad.u.net.netif = ifindex;
4635         ad.u.net.family = family;
4636         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4637                 return NF_DROP;
4638
4639         if (selinux_compat_net) {
4640                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4641                                                          &ad, family, addrp))
4642                         return NF_DROP;
4643         } else {
4644                 if (avc_has_perm(sksec->sid, skb->secmark,
4645                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4646                         return NF_DROP;
4647         }
4648
4649         if (selinux_policycap_netpeer)
4650                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4651                         return NF_DROP;
4652
4653         return NF_ACCEPT;
4654 }
4655
4656 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4657                                          u16 family)
4658 {
4659         u32 secmark_perm;
4660         u32 peer_sid;
4661         struct sock *sk;
4662         struct avc_audit_data ad;
4663         char *addrp;
4664         u8 secmark_active;
4665         u8 peerlbl_active;
4666
4667         /* If any sort of compatibility mode is enabled then handoff processing
4668          * to the selinux_ip_postroute_compat() function to deal with the
4669          * special handling.  We do this in an attempt to keep this function
4670          * as fast and as clean as possible. */
4671         if (selinux_compat_net || !selinux_policycap_netpeer)
4672                 return selinux_ip_postroute_compat(skb, ifindex, family);
4673
4674         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4675          * packet transformation so allow the packet to pass without any checks
4676          * since we'll have another chance to perform access control checks
4677          * when the packet is on it's final way out.
4678          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4679          *       is NULL, in this case go ahead and apply access control. */
4680         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4681                 return NF_ACCEPT;
4682
4683         secmark_active = selinux_secmark_enabled();
4684         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4685         if (!secmark_active && !peerlbl_active)
4686                 return NF_ACCEPT;
4687
4688         /* if the packet is being forwarded then get the peer label from the
4689          * packet itself; otherwise check to see if it is from a local
4690          * application or the kernel, if from an application get the peer label
4691          * from the sending socket, otherwise use the kernel's sid */
4692         sk = skb->sk;
4693         if (sk == NULL) {
4694                 switch (family) {
4695                 case PF_INET:
4696                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4697                                 secmark_perm = PACKET__FORWARD_OUT;
4698                         else
4699                                 secmark_perm = PACKET__SEND;
4700                         break;
4701                 case PF_INET6:
4702                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4703                                 secmark_perm = PACKET__FORWARD_OUT;
4704                         else
4705                                 secmark_perm = PACKET__SEND;
4706                         break;
4707                 default:
4708                         return NF_DROP;
4709                 }
4710                 if (secmark_perm == PACKET__FORWARD_OUT) {
4711                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4712                                 return NF_DROP;
4713                 } else
4714                         peer_sid = SECINITSID_KERNEL;
4715         } else {
4716                 struct sk_security_struct *sksec = sk->sk_security;
4717                 peer_sid = sksec->sid;
4718                 secmark_perm = PACKET__SEND;
4719         }
4720
4721         AVC_AUDIT_DATA_INIT(&ad, NET);
4722         ad.u.net.netif = ifindex;
4723         ad.u.net.family = family;
4724         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4725                 return NF_DROP;
4726
4727         if (secmark_active)
4728                 if (avc_has_perm(peer_sid, skb->secmark,
4729                                  SECCLASS_PACKET, secmark_perm, &ad))
4730                         return NF_DROP;
4731
4732         if (peerlbl_active) {
4733                 u32 if_sid;
4734                 u32 node_sid;
4735
4736                 if (sel_netif_sid(ifindex, &if_sid))
4737                         return NF_DROP;
4738                 if (avc_has_perm(peer_sid, if_sid,
4739                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4740                         return NF_DROP;
4741
4742                 if (sel_netnode_sid(addrp, family, &node_sid))
4743                         return NF_DROP;
4744                 if (avc_has_perm(peer_sid, node_sid,
4745                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4746                         return NF_DROP;
4747         }
4748
4749         return NF_ACCEPT;
4750 }
4751
4752 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4753                                            struct sk_buff *skb,
4754                                            const struct net_device *in,
4755                                            const struct net_device *out,
4756                                            int (*okfn)(struct sk_buff *))
4757 {
4758         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4759 }
4760
4761 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4762 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4763                                            struct sk_buff *skb,
4764                                            const struct net_device *in,
4765                                            const struct net_device *out,
4766                                            int (*okfn)(struct sk_buff *))
4767 {
4768         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4769 }
4770 #endif  /* IPV6 */
4771
4772 #endif  /* CONFIG_NETFILTER */
4773
4774 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4775 {
4776         int err;
4777
4778         err = secondary_ops->netlink_send(sk, skb);
4779         if (err)
4780                 return err;
4781
4782         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4783                 err = selinux_nlmsg_perm(sk, skb);
4784
4785         return err;
4786 }
4787
4788 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4789 {
4790         int err;
4791         struct avc_audit_data ad;
4792
4793         err = secondary_ops->netlink_recv(skb, capability);
4794         if (err)
4795                 return err;
4796
4797         AVC_AUDIT_DATA_INIT(&ad, CAP);
4798         ad.u.cap = capability;
4799
4800         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4801                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4802 }
4803
4804 static int ipc_alloc_security(struct task_struct *task,
4805                               struct kern_ipc_perm *perm,
4806                               u16 sclass)
4807 {
4808         struct ipc_security_struct *isec;
4809         u32 sid;
4810
4811         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4812         if (!isec)
4813                 return -ENOMEM;
4814
4815         sid = task_sid(task);
4816         isec->sclass = sclass;
4817         isec->sid = sid;
4818         perm->security = isec;
4819
4820         return 0;
4821 }
4822
4823 static void ipc_free_security(struct kern_ipc_perm *perm)
4824 {
4825         struct ipc_security_struct *isec = perm->security;
4826         perm->security = NULL;
4827         kfree(isec);
4828 }
4829
4830 static int msg_msg_alloc_security(struct msg_msg *msg)
4831 {
4832         struct msg_security_struct *msec;
4833
4834         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4835         if (!msec)
4836                 return -ENOMEM;
4837
4838         msec->sid = SECINITSID_UNLABELED;
4839         msg->security = msec;
4840
4841         return 0;
4842 }
4843
4844 static void msg_msg_free_security(struct msg_msg *msg)
4845 {
4846         struct msg_security_struct *msec = msg->security;
4847
4848         msg->security = NULL;
4849         kfree(msec);
4850 }
4851
4852 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4853                         u32 perms)
4854 {
4855         struct ipc_security_struct *isec;
4856         struct avc_audit_data ad;
4857         u32 sid = current_sid();
4858
4859         isec = ipc_perms->security;
4860
4861         AVC_AUDIT_DATA_INIT(&ad, IPC);
4862         ad.u.ipc_id = ipc_perms->key;
4863
4864         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4865 }
4866
4867 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4868 {
4869         return msg_msg_alloc_security(msg);
4870 }
4871
4872 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4873 {
4874         msg_msg_free_security(msg);
4875 }
4876
4877 /* message queue security operations */
4878 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4879 {
4880         struct ipc_security_struct *isec;
4881         struct avc_audit_data ad;
4882         u32 sid = current_sid();
4883         int rc;
4884
4885         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4886         if (rc)
4887                 return rc;
4888
4889         isec = msq->q_perm.security;
4890
4891         AVC_AUDIT_DATA_INIT(&ad, IPC);
4892         ad.u.ipc_id = msq->q_perm.key;
4893
4894         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4895                           MSGQ__CREATE, &ad);
4896         if (rc) {
4897                 ipc_free_security(&msq->q_perm);
4898                 return rc;
4899         }
4900         return 0;
4901 }
4902
4903 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4904 {
4905         ipc_free_security(&msq->q_perm);
4906 }
4907
4908 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4909 {
4910         struct ipc_security_struct *isec;
4911         struct avc_audit_data ad;
4912         u32 sid = current_sid();
4913
4914         isec = msq->q_perm.security;
4915
4916         AVC_AUDIT_DATA_INIT(&ad, IPC);
4917         ad.u.ipc_id = msq->q_perm.key;
4918
4919         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4920                             MSGQ__ASSOCIATE, &ad);
4921 }
4922
4923 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4924 {
4925         int err;
4926         int perms;
4927
4928         switch (cmd) {
4929         case IPC_INFO:
4930         case MSG_INFO:
4931                 /* No specific object, just general system-wide information. */
4932                 return task_has_system(current, SYSTEM__IPC_INFO);
4933         case IPC_STAT:
4934         case MSG_STAT:
4935                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4936                 break;
4937         case IPC_SET:
4938                 perms = MSGQ__SETATTR;
4939                 break;
4940         case IPC_RMID:
4941                 perms = MSGQ__DESTROY;
4942                 break;
4943         default:
4944                 return 0;
4945         }
4946
4947         err = ipc_has_perm(&msq->q_perm, perms);
4948         return err;
4949 }
4950
4951 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4952 {
4953         struct ipc_security_struct *isec;
4954         struct msg_security_struct *msec;
4955         struct avc_audit_data ad;
4956         u32 sid = current_sid();
4957         int rc;
4958
4959         isec = msq->q_perm.security;
4960         msec = msg->security;
4961
4962         /*
4963          * First time through, need to assign label to the message
4964          */
4965         if (msec->sid == SECINITSID_UNLABELED) {
4966                 /*
4967                  * Compute new sid based on current process and
4968                  * message queue this message will be stored in
4969                  */
4970                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
4971                                              &msec->sid);
4972                 if (rc)
4973                         return rc;
4974         }
4975
4976         AVC_AUDIT_DATA_INIT(&ad, IPC);
4977         ad.u.ipc_id = msq->q_perm.key;
4978
4979         /* Can this process write to the queue? */
4980         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4981                           MSGQ__WRITE, &ad);
4982         if (!rc)
4983                 /* Can this process send the message */
4984                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
4985                                   MSG__SEND, &ad);
4986         if (!rc)
4987                 /* Can the message be put in the queue? */
4988                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
4989                                   MSGQ__ENQUEUE, &ad);
4990
4991         return rc;
4992 }
4993
4994 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4995                                     struct task_struct *target,
4996                                     long type, int mode)
4997 {
4998         struct ipc_security_struct *isec;
4999         struct msg_security_struct *msec;
5000         struct avc_audit_data ad;
5001         u32 sid = task_sid(target);
5002         int rc;
5003
5004         isec = msq->q_perm.security;
5005         msec = msg->security;
5006
5007         AVC_AUDIT_DATA_INIT(&ad, IPC);
5008         ad.u.ipc_id = msq->q_perm.key;
5009
5010         rc = avc_has_perm(sid, isec->sid,
5011                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5012         if (!rc)
5013                 rc = avc_has_perm(sid, msec->sid,
5014                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5015         return rc;
5016 }
5017
5018 /* Shared Memory security operations */
5019 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5020 {
5021         struct ipc_security_struct *isec;
5022         struct avc_audit_data ad;
5023         u32 sid = current_sid();
5024         int rc;
5025
5026         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5027         if (rc)
5028                 return rc;
5029
5030         isec = shp->shm_perm.security;
5031
5032         AVC_AUDIT_DATA_INIT(&ad, IPC);
5033         ad.u.ipc_id = shp->shm_perm.key;
5034
5035         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5036                           SHM__CREATE, &ad);
5037         if (rc) {
5038                 ipc_free_security(&shp->shm_perm);
5039                 return rc;
5040         }
5041         return 0;
5042 }
5043
5044 static void selinux_shm_free_security(struct shmid_kernel *shp)
5045 {
5046         ipc_free_security(&shp->shm_perm);
5047 }
5048
5049 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5050 {
5051         struct ipc_security_struct *isec;
5052         struct avc_audit_data ad;
5053         u32 sid = current_sid();
5054
5055         isec = shp->shm_perm.security;
5056
5057         AVC_AUDIT_DATA_INIT(&ad, IPC);
5058         ad.u.ipc_id = shp->shm_perm.key;
5059
5060         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5061                             SHM__ASSOCIATE, &ad);
5062 }
5063
5064 /* Note, at this point, shp is locked down */
5065 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5066 {
5067         int perms;
5068         int err;
5069
5070         switch (cmd) {
5071         case IPC_INFO:
5072         case SHM_INFO:
5073                 /* No specific object, just general system-wide information. */
5074                 return task_has_system(current, SYSTEM__IPC_INFO);
5075         case IPC_STAT:
5076         case SHM_STAT:
5077                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5078                 break;
5079         case IPC_SET:
5080                 perms = SHM__SETATTR;
5081                 break;
5082         case SHM_LOCK:
5083         case SHM_UNLOCK:
5084                 perms = SHM__LOCK;
5085                 break;
5086         case IPC_RMID:
5087                 perms = SHM__DESTROY;
5088                 break;
5089         default:
5090                 return 0;
5091         }
5092
5093         err = ipc_has_perm(&shp->shm_perm, perms);
5094         return err;
5095 }
5096
5097 static int selinux_shm_shmat(struct shmid_kernel *shp,
5098                              char __user *shmaddr, int shmflg)
5099 {
5100         u32 perms;
5101         int rc;
5102
5103         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5104         if (rc)
5105                 return rc;
5106
5107         if (shmflg & SHM_RDONLY)
5108                 perms = SHM__READ;
5109         else
5110                 perms = SHM__READ | SHM__WRITE;
5111
5112         return ipc_has_perm(&shp->shm_perm, perms);
5113 }
5114
5115 /* Semaphore security operations */
5116 static int selinux_sem_alloc_security(struct sem_array *sma)
5117 {
5118         struct ipc_security_struct *isec;
5119         struct avc_audit_data ad;
5120         u32 sid = current_sid();
5121         int rc;
5122
5123         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5124         if (rc)
5125                 return rc;
5126
5127         isec = sma->sem_perm.security;
5128
5129         AVC_AUDIT_DATA_INIT(&ad, IPC);
5130         ad.u.ipc_id = sma->sem_perm.key;
5131
5132         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5133                           SEM__CREATE, &ad);
5134         if (rc) {
5135                 ipc_free_security(&sma->sem_perm);
5136                 return rc;
5137         }
5138         return 0;
5139 }
5140
5141 static void selinux_sem_free_security(struct sem_array *sma)
5142 {
5143         ipc_free_security(&sma->sem_perm);
5144 }
5145
5146 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5147 {
5148         struct ipc_security_struct *isec;
5149         struct avc_audit_data ad;
5150         u32 sid = current_sid();
5151
5152         isec = sma->sem_perm.security;
5153
5154         AVC_AUDIT_DATA_INIT(&ad, IPC);
5155         ad.u.ipc_id = sma->sem_perm.key;
5156
5157         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5158                             SEM__ASSOCIATE, &ad);
5159 }
5160
5161 /* Note, at this point, sma is locked down */
5162 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5163 {
5164         int err;
5165         u32 perms;
5166
5167         switch (cmd) {
5168         case IPC_INFO:
5169         case SEM_INFO:
5170                 /* No specific object, just general system-wide information. */
5171                 return task_has_system(current, SYSTEM__IPC_INFO);
5172         case GETPID:
5173         case GETNCNT:
5174         case GETZCNT:
5175                 perms = SEM__GETATTR;
5176                 break;
5177         case GETVAL:
5178         case GETALL:
5179                 perms = SEM__READ;
5180                 break;
5181         case SETVAL:
5182         case SETALL:
5183                 perms = SEM__WRITE;
5184                 break;
5185         case IPC_RMID:
5186                 perms = SEM__DESTROY;
5187                 break;
5188         case IPC_SET:
5189                 perms = SEM__SETATTR;
5190                 break;
5191         case IPC_STAT:
5192         case SEM_STAT:
5193                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5194                 break;
5195         default:
5196                 return 0;
5197         }
5198
5199         err = ipc_has_perm(&sma->sem_perm, perms);
5200         return err;
5201 }
5202
5203 static int selinux_sem_semop(struct sem_array *sma,
5204                              struct sembuf *sops, unsigned nsops, int alter)
5205 {
5206         u32 perms;
5207
5208         if (alter)
5209                 perms = SEM__READ | SEM__WRITE;
5210         else
5211                 perms = SEM__READ;
5212
5213         return ipc_has_perm(&sma->sem_perm, perms);
5214 }
5215
5216 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5217 {
5218         u32 av = 0;
5219
5220         av = 0;
5221         if (flag & S_IRUGO)
5222                 av |= IPC__UNIX_READ;
5223         if (flag & S_IWUGO)
5224                 av |= IPC__UNIX_WRITE;
5225
5226         if (av == 0)
5227                 return 0;
5228
5229         return ipc_has_perm(ipcp, av);
5230 }
5231
5232 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5233 {
5234         struct ipc_security_struct *isec = ipcp->security;
5235         *secid = isec->sid;
5236 }
5237
5238 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5239 {
5240         if (inode)
5241                 inode_doinit_with_dentry(inode, dentry);
5242 }
5243
5244 static int selinux_getprocattr(struct task_struct *p,
5245                                char *name, char **value)
5246 {
5247         const struct task_security_struct *__tsec;
5248         u32 sid;
5249         int error;
5250         unsigned len;
5251
5252         if (current != p) {
5253                 error = task_has_perm(current, p, PROCESS__GETATTR);
5254                 if (error)
5255                         return error;
5256         }
5257
5258         rcu_read_lock();
5259         __tsec = __task_cred(p)->security;
5260
5261         if (!strcmp(name, "current"))
5262                 sid = __tsec->sid;
5263         else if (!strcmp(name, "prev"))
5264                 sid = __tsec->osid;
5265         else if (!strcmp(name, "exec"))
5266                 sid = __tsec->exec_sid;
5267         else if (!strcmp(name, "fscreate"))
5268                 sid = __tsec->create_sid;
5269         else if (!strcmp(name, "keycreate"))
5270                 sid = __tsec->keycreate_sid;
5271         else if (!strcmp(name, "sockcreate"))
5272                 sid = __tsec->sockcreate_sid;
5273         else
5274                 goto invalid;
5275         rcu_read_unlock();
5276
5277         if (!sid)
5278                 return 0;
5279
5280         error = security_sid_to_context(sid, value, &len);
5281         if (error)
5282                 return error;
5283         return len;
5284
5285 invalid:
5286         rcu_read_unlock();
5287         return -EINVAL;
5288 }
5289
5290 static int selinux_setprocattr(struct task_struct *p,
5291                                char *name, void *value, size_t size)
5292 {
5293         struct task_security_struct *tsec;
5294         struct task_struct *tracer;
5295         struct cred *new;
5296         u32 sid = 0, ptsid;
5297         int error;
5298         char *str = value;
5299
5300         if (current != p) {
5301                 /* SELinux only allows a process to change its own
5302                    security attributes. */
5303                 return -EACCES;
5304         }
5305
5306         /*
5307          * Basic control over ability to set these attributes at all.
5308          * current == p, but we'll pass them separately in case the
5309          * above restriction is ever removed.
5310          */
5311         if (!strcmp(name, "exec"))
5312                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5313         else if (!strcmp(name, "fscreate"))
5314                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5315         else if (!strcmp(name, "keycreate"))
5316                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5317         else if (!strcmp(name, "sockcreate"))
5318                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5319         else if (!strcmp(name, "current"))
5320                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5321         else
5322                 error = -EINVAL;
5323         if (error)
5324                 return error;
5325
5326         /* Obtain a SID for the context, if one was specified. */
5327         if (size && str[1] && str[1] != '\n') {
5328                 if (str[size-1] == '\n') {
5329                         str[size-1] = 0;
5330                         size--;
5331                 }
5332                 error = security_context_to_sid(value, size, &sid);
5333                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5334                         if (!capable(CAP_MAC_ADMIN))
5335                                 return error;
5336                         error = security_context_to_sid_force(value, size,
5337                                                               &sid);
5338                 }
5339                 if (error)
5340                         return error;
5341         }
5342
5343         new = prepare_creds();
5344         if (!new)
5345                 return -ENOMEM;
5346
5347         /* Permission checking based on the specified context is
5348            performed during the actual operation (execve,
5349            open/mkdir/...), when we know the full context of the
5350            operation.  See selinux_bprm_set_creds for the execve
5351            checks and may_create for the file creation checks. The
5352            operation will then fail if the context is not permitted. */
5353         tsec = new->security;
5354         if (!strcmp(name, "exec")) {
5355                 tsec->exec_sid = sid;
5356         } else if (!strcmp(name, "fscreate")) {
5357                 tsec->create_sid = sid;
5358         } else if (!strcmp(name, "keycreate")) {
5359                 error = may_create_key(sid, p);
5360                 if (error)
5361                         goto abort_change;
5362                 tsec->keycreate_sid = sid;
5363         } else if (!strcmp(name, "sockcreate")) {
5364                 tsec->sockcreate_sid = sid;
5365         } else if (!strcmp(name, "current")) {
5366                 error = -EINVAL;
5367                 if (sid == 0)
5368                         goto abort_change;
5369
5370                 /* Only allow single threaded processes to change context */
5371                 error = -EPERM;
5372                 if (!is_single_threaded(p)) {
5373                         error = security_bounded_transition(tsec->sid, sid);
5374                         if (error)
5375                                 goto abort_change;
5376                 }
5377
5378                 /* Check permissions for the transition. */
5379                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5380                                      PROCESS__DYNTRANSITION, NULL);
5381                 if (error)
5382                         goto abort_change;
5383
5384                 /* Check for ptracing, and update the task SID if ok.
5385                    Otherwise, leave SID unchanged and fail. */
5386                 ptsid = 0;
5387                 task_lock(p);
5388                 tracer = tracehook_tracer_task(p);
5389                 if (tracer)
5390                         ptsid = task_sid(tracer);
5391                 task_unlock(p);
5392
5393                 if (tracer) {
5394                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5395                                              PROCESS__PTRACE, NULL);
5396                         if (error)
5397                                 goto abort_change;
5398                 }
5399
5400                 tsec->sid = sid;
5401         } else {
5402                 error = -EINVAL;
5403                 goto abort_change;
5404         }
5405
5406         commit_creds(new);
5407         return size;
5408
5409 abort_change:
5410         abort_creds(new);
5411         return error;
5412 }
5413
5414 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5415 {
5416         return security_sid_to_context(secid, secdata, seclen);
5417 }
5418
5419 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5420 {
5421         return security_context_to_sid(secdata, seclen, secid);
5422 }
5423
5424 static void selinux_release_secctx(char *secdata, u32 seclen)
5425 {
5426         kfree(secdata);
5427 }
5428
5429 #ifdef CONFIG_KEYS
5430
5431 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5432                              unsigned long flags)
5433 {
5434         const struct task_security_struct *tsec;
5435         struct key_security_struct *ksec;
5436
5437         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5438         if (!ksec)
5439                 return -ENOMEM;
5440
5441         tsec = cred->security;
5442         if (tsec->keycreate_sid)
5443                 ksec->sid = tsec->keycreate_sid;
5444         else
5445                 ksec->sid = tsec->sid;
5446
5447         k->security = ksec;
5448         return 0;
5449 }
5450
5451 static void selinux_key_free(struct key *k)
5452 {
5453         struct key_security_struct *ksec = k->security;
5454
5455         k->security = NULL;
5456         kfree(ksec);
5457 }
5458
5459 static int selinux_key_permission(key_ref_t key_ref,
5460                                   const struct cred *cred,
5461                                   key_perm_t perm)
5462 {
5463         struct key *key;
5464         struct key_security_struct *ksec;
5465         u32 sid;
5466
5467         /* if no specific permissions are requested, we skip the
5468            permission check. No serious, additional covert channels
5469            appear to be created. */
5470         if (perm == 0)
5471                 return 0;
5472
5473         sid = cred_sid(cred);
5474
5475         key = key_ref_to_ptr(key_ref);
5476         ksec = key->security;
5477
5478         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5479 }
5480
5481 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5482 {
5483         struct key_security_struct *ksec = key->security;
5484         char *context = NULL;
5485         unsigned len;
5486         int rc;
5487
5488         rc = security_sid_to_context(ksec->sid, &context, &len);
5489         if (!rc)
5490                 rc = len;
5491         *_buffer = context;
5492         return rc;
5493 }
5494
5495 #endif
5496
5497 static struct security_operations selinux_ops = {
5498         .name =                         "selinux",
5499
5500         .ptrace_may_access =            selinux_ptrace_may_access,
5501         .ptrace_traceme =               selinux_ptrace_traceme,
5502         .capget =                       selinux_capget,
5503         .capset =                       selinux_capset,
5504         .sysctl =                       selinux_sysctl,
5505         .capable =                      selinux_capable,
5506         .quotactl =                     selinux_quotactl,
5507         .quota_on =                     selinux_quota_on,
5508         .syslog =                       selinux_syslog,
5509         .vm_enough_memory =             selinux_vm_enough_memory,
5510
5511         .netlink_send =                 selinux_netlink_send,
5512         .netlink_recv =                 selinux_netlink_recv,
5513
5514         .bprm_set_creds =               selinux_bprm_set_creds,
5515         .bprm_check_security =          selinux_bprm_check_security,
5516         .bprm_committing_creds =        selinux_bprm_committing_creds,
5517         .bprm_committed_creds =         selinux_bprm_committed_creds,
5518         .bprm_secureexec =              selinux_bprm_secureexec,
5519
5520         .sb_alloc_security =            selinux_sb_alloc_security,
5521         .sb_free_security =             selinux_sb_free_security,
5522         .sb_copy_data =                 selinux_sb_copy_data,
5523         .sb_kern_mount =                selinux_sb_kern_mount,
5524         .sb_show_options =              selinux_sb_show_options,
5525         .sb_statfs =                    selinux_sb_statfs,
5526         .sb_mount =                     selinux_mount,
5527         .sb_umount =                    selinux_umount,
5528         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5529         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5530         .sb_parse_opts_str =            selinux_parse_opts_str,
5531
5532
5533         .inode_alloc_security =         selinux_inode_alloc_security,
5534         .inode_free_security =          selinux_inode_free_security,
5535         .inode_init_security =          selinux_inode_init_security,
5536         .inode_create =                 selinux_inode_create,
5537         .inode_link =                   selinux_inode_link,
5538         .inode_unlink =                 selinux_inode_unlink,
5539         .inode_symlink =                selinux_inode_symlink,
5540         .inode_mkdir =                  selinux_inode_mkdir,
5541         .inode_rmdir =                  selinux_inode_rmdir,
5542         .inode_mknod =                  selinux_inode_mknod,
5543         .inode_rename =                 selinux_inode_rename,
5544         .inode_readlink =               selinux_inode_readlink,
5545         .inode_follow_link =            selinux_inode_follow_link,
5546         .inode_permission =             selinux_inode_permission,
5547         .inode_setattr =                selinux_inode_setattr,
5548         .inode_getattr =                selinux_inode_getattr,
5549         .inode_setxattr =               selinux_inode_setxattr,
5550         .inode_post_setxattr =          selinux_inode_post_setxattr,
5551         .inode_getxattr =               selinux_inode_getxattr,
5552         .inode_listxattr =              selinux_inode_listxattr,
5553         .inode_removexattr =            selinux_inode_removexattr,
5554         .inode_getsecurity =            selinux_inode_getsecurity,
5555         .inode_setsecurity =            selinux_inode_setsecurity,
5556         .inode_listsecurity =           selinux_inode_listsecurity,
5557         .inode_need_killpriv =          selinux_inode_need_killpriv,
5558         .inode_killpriv =               selinux_inode_killpriv,
5559         .inode_getsecid =               selinux_inode_getsecid,
5560
5561         .file_permission =              selinux_file_permission,
5562         .file_alloc_security =          selinux_file_alloc_security,
5563         .file_free_security =           selinux_file_free_security,
5564         .file_ioctl =                   selinux_file_ioctl,
5565         .file_mmap =                    selinux_file_mmap,
5566         .file_mprotect =                selinux_file_mprotect,
5567         .file_lock =                    selinux_file_lock,
5568         .file_fcntl =                   selinux_file_fcntl,
5569         .file_set_fowner =              selinux_file_set_fowner,
5570         .file_send_sigiotask =          selinux_file_send_sigiotask,
5571         .file_receive =                 selinux_file_receive,
5572
5573         .dentry_open =                  selinux_dentry_open,
5574
5575         .task_create =                  selinux_task_create,
5576         .cred_free =                    selinux_cred_free,
5577         .cred_prepare =                 selinux_cred_prepare,
5578         .cred_commit =                  selinux_cred_commit,
5579         .task_setuid =                  selinux_task_setuid,
5580         .task_fix_setuid =              selinux_task_fix_setuid,
5581         .task_setgid =                  selinux_task_setgid,
5582         .task_setpgid =                 selinux_task_setpgid,
5583         .task_getpgid =                 selinux_task_getpgid,
5584         .task_getsid =                  selinux_task_getsid,
5585         .task_getsecid =                selinux_task_getsecid,
5586         .task_setgroups =               selinux_task_setgroups,
5587         .task_setnice =                 selinux_task_setnice,
5588         .task_setioprio =               selinux_task_setioprio,
5589         .task_getioprio =               selinux_task_getioprio,
5590         .task_setrlimit =               selinux_task_setrlimit,
5591         .task_setscheduler =            selinux_task_setscheduler,
5592         .task_getscheduler =            selinux_task_getscheduler,
5593         .task_movememory =              selinux_task_movememory,
5594         .task_kill =                    selinux_task_kill,
5595         .task_wait =                    selinux_task_wait,
5596         .task_prctl =                   selinux_task_prctl,
5597         .task_to_inode =                selinux_task_to_inode,
5598
5599         .ipc_permission =               selinux_ipc_permission,
5600         .ipc_getsecid =                 selinux_ipc_getsecid,
5601
5602         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5603         .msg_msg_free_security =        selinux_msg_msg_free_security,
5604
5605         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5606         .msg_queue_free_security =      selinux_msg_queue_free_security,
5607         .msg_queue_associate =          selinux_msg_queue_associate,
5608         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5609         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5610         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5611
5612         .shm_alloc_security =           selinux_shm_alloc_security,
5613         .shm_free_security =            selinux_shm_free_security,
5614         .shm_associate =                selinux_shm_associate,
5615         .shm_shmctl =                   selinux_shm_shmctl,
5616         .shm_shmat =                    selinux_shm_shmat,
5617
5618         .sem_alloc_security =           selinux_sem_alloc_security,
5619         .sem_free_security =            selinux_sem_free_security,
5620         .sem_associate =                selinux_sem_associate,
5621         .sem_semctl =                   selinux_sem_semctl,
5622         .sem_semop =                    selinux_sem_semop,
5623
5624         .d_instantiate =                selinux_d_instantiate,
5625
5626         .getprocattr =                  selinux_getprocattr,
5627         .setprocattr =                  selinux_setprocattr,
5628
5629         .secid_to_secctx =              selinux_secid_to_secctx,
5630         .secctx_to_secid =              selinux_secctx_to_secid,
5631         .release_secctx =               selinux_release_secctx,
5632
5633         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5634         .unix_may_send =                selinux_socket_unix_may_send,
5635
5636         .socket_create =                selinux_socket_create,
5637         .socket_post_create =           selinux_socket_post_create,
5638         .socket_bind =                  selinux_socket_bind,
5639         .socket_connect =               selinux_socket_connect,
5640         .socket_listen =                selinux_socket_listen,
5641         .socket_accept =                selinux_socket_accept,
5642         .socket_sendmsg =               selinux_socket_sendmsg,
5643         .socket_recvmsg =               selinux_socket_recvmsg,
5644         .socket_getsockname =           selinux_socket_getsockname,
5645         .socket_getpeername =           selinux_socket_getpeername,
5646         .socket_getsockopt =            selinux_socket_getsockopt,
5647         .socket_setsockopt =            selinux_socket_setsockopt,
5648         .socket_shutdown =              selinux_socket_shutdown,
5649         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5650         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5651         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5652         .sk_alloc_security =            selinux_sk_alloc_security,
5653         .sk_free_security =             selinux_sk_free_security,
5654         .sk_clone_security =            selinux_sk_clone_security,
5655         .sk_getsecid =                  selinux_sk_getsecid,
5656         .sock_graft =                   selinux_sock_graft,
5657         .inet_conn_request =            selinux_inet_conn_request,
5658         .inet_csk_clone =               selinux_inet_csk_clone,
5659         .inet_conn_established =        selinux_inet_conn_established,
5660         .req_classify_flow =            selinux_req_classify_flow,
5661
5662 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5663         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5664         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5665         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5666         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5667         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5668         .xfrm_state_free_security =     selinux_xfrm_state_free,
5669         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5670         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5671         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5672         .xfrm_decode_session =          selinux_xfrm_decode_session,
5673 #endif
5674
5675 #ifdef CONFIG_KEYS
5676         .key_alloc =                    selinux_key_alloc,
5677         .key_free =                     selinux_key_free,
5678         .key_permission =               selinux_key_permission,
5679         .key_getsecurity =              selinux_key_getsecurity,
5680 #endif
5681
5682 #ifdef CONFIG_AUDIT
5683         .audit_rule_init =              selinux_audit_rule_init,
5684         .audit_rule_known =             selinux_audit_rule_known,
5685         .audit_rule_match =             selinux_audit_rule_match,
5686         .audit_rule_free =              selinux_audit_rule_free,
5687 #endif
5688 };
5689
5690 static __init int selinux_init(void)
5691 {
5692         if (!security_module_enable(&selinux_ops)) {
5693                 selinux_enabled = 0;
5694                 return 0;
5695         }
5696
5697         if (!selinux_enabled) {
5698                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5699                 return 0;
5700         }
5701
5702         printk(KERN_INFO "SELinux:  Initializing.\n");
5703
5704         /* Set the security state for the initial task. */
5705         cred_init_security();
5706
5707         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5708                                             sizeof(struct inode_security_struct),
5709                                             0, SLAB_PANIC, NULL);
5710         avc_init();
5711
5712         secondary_ops = security_ops;
5713         if (!secondary_ops)
5714                 panic("SELinux: No initial security operations\n");
5715         if (register_security(&selinux_ops))
5716                 panic("SELinux: Unable to register with kernel.\n");
5717
5718         if (selinux_enforcing)
5719                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5720         else
5721                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5722
5723         return 0;
5724 }
5725
5726 void selinux_complete_init(void)
5727 {
5728         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5729
5730         /* Set up any superblocks initialized prior to the policy load. */
5731         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5732         spin_lock(&sb_lock);
5733         spin_lock(&sb_security_lock);
5734 next_sb:
5735         if (!list_empty(&superblock_security_head)) {
5736                 struct superblock_security_struct *sbsec =
5737                                 list_entry(superblock_security_head.next,
5738                                            struct superblock_security_struct,
5739                                            list);
5740                 struct super_block *sb = sbsec->sb;
5741                 sb->s_count++;
5742                 spin_unlock(&sb_security_lock);
5743                 spin_unlock(&sb_lock);
5744                 down_read(&sb->s_umount);
5745                 if (sb->s_root)
5746                         superblock_doinit(sb, NULL);
5747                 drop_super(sb);
5748                 spin_lock(&sb_lock);
5749                 spin_lock(&sb_security_lock);
5750                 list_del_init(&sbsec->list);
5751                 goto next_sb;
5752         }
5753         spin_unlock(&sb_security_lock);
5754         spin_unlock(&sb_lock);
5755 }
5756
5757 /* SELinux requires early initialization in order to label
5758    all processes and objects when they are created. */
5759 security_initcall(selinux_init);
5760
5761 #if defined(CONFIG_NETFILTER)
5762
5763 static struct nf_hook_ops selinux_ipv4_ops[] = {
5764         {
5765                 .hook =         selinux_ipv4_postroute,
5766                 .owner =        THIS_MODULE,
5767                 .pf =           PF_INET,
5768                 .hooknum =      NF_INET_POST_ROUTING,
5769                 .priority =     NF_IP_PRI_SELINUX_LAST,
5770         },
5771         {
5772                 .hook =         selinux_ipv4_forward,
5773                 .owner =        THIS_MODULE,
5774                 .pf =           PF_INET,
5775                 .hooknum =      NF_INET_FORWARD,
5776                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5777         },
5778         {
5779                 .hook =         selinux_ipv4_output,
5780                 .owner =        THIS_MODULE,
5781                 .pf =           PF_INET,
5782                 .hooknum =      NF_INET_LOCAL_OUT,
5783                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5784         }
5785 };
5786
5787 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5788
5789 static struct nf_hook_ops selinux_ipv6_ops[] = {
5790         {
5791                 .hook =         selinux_ipv6_postroute,
5792                 .owner =        THIS_MODULE,
5793                 .pf =           PF_INET6,
5794                 .hooknum =      NF_INET_POST_ROUTING,
5795                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5796         },
5797         {
5798                 .hook =         selinux_ipv6_forward,
5799                 .owner =        THIS_MODULE,
5800                 .pf =           PF_INET6,
5801                 .hooknum =      NF_INET_FORWARD,
5802                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5803         }
5804 };
5805
5806 #endif  /* IPV6 */
5807
5808 static int __init selinux_nf_ip_init(void)
5809 {
5810         int err = 0;
5811
5812         if (!selinux_enabled)
5813                 goto out;
5814
5815         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5816
5817         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5818         if (err)
5819                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5820
5821 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5822         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5823         if (err)
5824                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5825 #endif  /* IPV6 */
5826
5827 out:
5828         return err;
5829 }
5830
5831 __initcall(selinux_nf_ip_init);
5832
5833 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5834 static void selinux_nf_ip_exit(void)
5835 {
5836         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5837
5838         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5839 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5840         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5841 #endif  /* IPV6 */
5842 }
5843 #endif
5844
5845 #else /* CONFIG_NETFILTER */
5846
5847 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5848 #define selinux_nf_ip_exit()
5849 #endif
5850
5851 #endif /* CONFIG_NETFILTER */
5852
5853 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5854 static int selinux_disabled;
5855
5856 int selinux_disable(void)
5857 {
5858         extern void exit_sel_fs(void);
5859
5860         if (ss_initialized) {
5861                 /* Not permitted after initial policy load. */
5862                 return -EINVAL;
5863         }
5864
5865         if (selinux_disabled) {
5866                 /* Only do this once. */
5867                 return -EINVAL;
5868         }
5869
5870         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5871
5872         selinux_disabled = 1;
5873         selinux_enabled = 0;
5874
5875         /* Reset security_ops to the secondary module, dummy or capability. */
5876         security_ops = secondary_ops;
5877
5878         /* Unregister netfilter hooks. */
5879         selinux_nf_ip_exit();
5880
5881         /* Unregister selinuxfs. */
5882         exit_sel_fs();
5883
5884         return 0;
5885 }
5886 #endif