[PATCH] cleanup the usage of SEND_SIG_xxx constants
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
85
86 static int __init enforcing_setup(char *str)
87 {
88         selinux_enforcing = simple_strtol(str,NULL,0);
89         return 1;
90 }
91 __setup("enforcing=", enforcing_setup);
92 #endif
93
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96
97 static int __init selinux_enabled_setup(char *str)
98 {
99         selinux_enabled = simple_strtol(str, NULL, 0);
100         return 1;
101 }
102 __setup("selinux=", selinux_enabled_setup);
103 #endif
104
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
107
108 /* Minimal support for a secondary security module,
109    just to allow the use of the dummy or capability modules.
110    The owlsm module can alternatively be used as a secondary
111    module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
113
114 /* Lists of inode and superblock security structures initialized
115    before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
118
119 /* Allocate and free functions for each kind of security blob. */
120
121 static int task_alloc_security(struct task_struct *task)
122 {
123         struct task_security_struct *tsec;
124
125         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
126         if (!tsec)
127                 return -ENOMEM;
128
129         tsec->magic = SELINUX_MAGIC;
130         tsec->task = task;
131         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132         task->security = tsec;
133
134         return 0;
135 }
136
137 static void task_free_security(struct task_struct *task)
138 {
139         struct task_security_struct *tsec = task->security;
140
141         if (!tsec || tsec->magic != SELINUX_MAGIC)
142                 return;
143
144         task->security = NULL;
145         kfree(tsec);
146 }
147
148 static int inode_alloc_security(struct inode *inode)
149 {
150         struct task_security_struct *tsec = current->security;
151         struct inode_security_struct *isec;
152
153         isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
154         if (!isec)
155                 return -ENOMEM;
156
157         init_MUTEX(&isec->sem);
158         INIT_LIST_HEAD(&isec->list);
159         isec->magic = SELINUX_MAGIC;
160         isec->inode = inode;
161         isec->sid = SECINITSID_UNLABELED;
162         isec->sclass = SECCLASS_FILE;
163         if (tsec && tsec->magic == SELINUX_MAGIC)
164                 isec->task_sid = tsec->sid;
165         else
166                 isec->task_sid = SECINITSID_UNLABELED;
167         inode->i_security = isec;
168
169         return 0;
170 }
171
172 static void inode_free_security(struct inode *inode)
173 {
174         struct inode_security_struct *isec = inode->i_security;
175         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
176
177         if (!isec || isec->magic != SELINUX_MAGIC)
178                 return;
179
180         spin_lock(&sbsec->isec_lock);
181         if (!list_empty(&isec->list))
182                 list_del_init(&isec->list);
183         spin_unlock(&sbsec->isec_lock);
184
185         inode->i_security = NULL;
186         kfree(isec);
187 }
188
189 static int file_alloc_security(struct file *file)
190 {
191         struct task_security_struct *tsec = current->security;
192         struct file_security_struct *fsec;
193
194         fsec = kzalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
195         if (!fsec)
196                 return -ENOMEM;
197
198         fsec->magic = SELINUX_MAGIC;
199         fsec->file = file;
200         if (tsec && tsec->magic == SELINUX_MAGIC) {
201                 fsec->sid = tsec->sid;
202                 fsec->fown_sid = tsec->sid;
203         } else {
204                 fsec->sid = SECINITSID_UNLABELED;
205                 fsec->fown_sid = SECINITSID_UNLABELED;
206         }
207         file->f_security = fsec;
208
209         return 0;
210 }
211
212 static void file_free_security(struct file *file)
213 {
214         struct file_security_struct *fsec = file->f_security;
215
216         if (!fsec || fsec->magic != SELINUX_MAGIC)
217                 return;
218
219         file->f_security = NULL;
220         kfree(fsec);
221 }
222
223 static int superblock_alloc_security(struct super_block *sb)
224 {
225         struct superblock_security_struct *sbsec;
226
227         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
228         if (!sbsec)
229                 return -ENOMEM;
230
231         init_MUTEX(&sbsec->sem);
232         INIT_LIST_HEAD(&sbsec->list);
233         INIT_LIST_HEAD(&sbsec->isec_head);
234         spin_lock_init(&sbsec->isec_lock);
235         sbsec->magic = SELINUX_MAGIC;
236         sbsec->sb = sb;
237         sbsec->sid = SECINITSID_UNLABELED;
238         sbsec->def_sid = SECINITSID_FILE;
239         sb->s_security = sbsec;
240
241         return 0;
242 }
243
244 static void superblock_free_security(struct super_block *sb)
245 {
246         struct superblock_security_struct *sbsec = sb->s_security;
247
248         if (!sbsec || sbsec->magic != SELINUX_MAGIC)
249                 return;
250
251         spin_lock(&sb_security_lock);
252         if (!list_empty(&sbsec->list))
253                 list_del_init(&sbsec->list);
254         spin_unlock(&sb_security_lock);
255
256         sb->s_security = NULL;
257         kfree(sbsec);
258 }
259
260 #ifdef CONFIG_SECURITY_NETWORK
261 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
262 {
263         struct sk_security_struct *ssec;
264
265         if (family != PF_UNIX)
266                 return 0;
267
268         ssec = kzalloc(sizeof(*ssec), priority);
269         if (!ssec)
270                 return -ENOMEM;
271
272         ssec->magic = SELINUX_MAGIC;
273         ssec->sk = sk;
274         ssec->peer_sid = SECINITSID_UNLABELED;
275         sk->sk_security = ssec;
276
277         return 0;
278 }
279
280 static void sk_free_security(struct sock *sk)
281 {
282         struct sk_security_struct *ssec = sk->sk_security;
283
284         if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
285                 return;
286
287         sk->sk_security = NULL;
288         kfree(ssec);
289 }
290 #endif  /* CONFIG_SECURITY_NETWORK */
291
292 /* The security server must be initialized before
293    any labeling or access decisions can be provided. */
294 extern int ss_initialized;
295
296 /* The file system's label must be initialized prior to use. */
297
298 static char *labeling_behaviors[6] = {
299         "uses xattr",
300         "uses transition SIDs",
301         "uses task SIDs",
302         "uses genfs_contexts",
303         "not configured for labeling",
304         "uses mountpoint labeling",
305 };
306
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308
309 static inline int inode_doinit(struct inode *inode)
310 {
311         return inode_doinit_with_dentry(inode, NULL);
312 }
313
314 enum {
315         Opt_context = 1,
316         Opt_fscontext = 2,
317         Opt_defcontext = 4,
318 };
319
320 static match_table_t tokens = {
321         {Opt_context, "context=%s"},
322         {Opt_fscontext, "fscontext=%s"},
323         {Opt_defcontext, "defcontext=%s"},
324 };
325
326 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
327
328 static int try_context_mount(struct super_block *sb, void *data)
329 {
330         char *context = NULL, *defcontext = NULL;
331         const char *name;
332         u32 sid;
333         int alloc = 0, rc = 0, seen = 0;
334         struct task_security_struct *tsec = current->security;
335         struct superblock_security_struct *sbsec = sb->s_security;
336
337         if (!data)
338                 goto out;
339
340         name = sb->s_type->name;
341
342         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
343
344                 /* NFS we understand. */
345                 if (!strcmp(name, "nfs")) {
346                         struct nfs_mount_data *d = data;
347
348                         if (d->version <  NFS_MOUNT_VERSION)
349                                 goto out;
350
351                         if (d->context[0]) {
352                                 context = d->context;
353                                 seen |= Opt_context;
354                         }
355                 } else
356                         goto out;
357
358         } else {
359                 /* Standard string-based options. */
360                 char *p, *options = data;
361
362                 while ((p = strsep(&options, ",")) != NULL) {
363                         int token;
364                         substring_t args[MAX_OPT_ARGS];
365
366                         if (!*p)
367                                 continue;
368
369                         token = match_token(p, tokens, args);
370
371                         switch (token) {
372                         case Opt_context:
373                                 if (seen) {
374                                         rc = -EINVAL;
375                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
376                                         goto out_free;
377                                 }
378                                 context = match_strdup(&args[0]);
379                                 if (!context) {
380                                         rc = -ENOMEM;
381                                         goto out_free;
382                                 }
383                                 if (!alloc)
384                                         alloc = 1;
385                                 seen |= Opt_context;
386                                 break;
387
388                         case Opt_fscontext:
389                                 if (seen & (Opt_context|Opt_fscontext)) {
390                                         rc = -EINVAL;
391                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
392                                         goto out_free;
393                                 }
394                                 context = match_strdup(&args[0]);
395                                 if (!context) {
396                                         rc = -ENOMEM;
397                                         goto out_free;
398                                 }
399                                 if (!alloc)
400                                         alloc = 1;
401                                 seen |= Opt_fscontext;
402                                 break;
403
404                         case Opt_defcontext:
405                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
406                                         rc = -EINVAL;
407                                         printk(KERN_WARNING "SELinux:  "
408                                                "defcontext option is invalid "
409                                                "for this filesystem type\n");
410                                         goto out_free;
411                                 }
412                                 if (seen & (Opt_context|Opt_defcontext)) {
413                                         rc = -EINVAL;
414                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
415                                         goto out_free;
416                                 }
417                                 defcontext = match_strdup(&args[0]);
418                                 if (!defcontext) {
419                                         rc = -ENOMEM;
420                                         goto out_free;
421                                 }
422                                 if (!alloc)
423                                         alloc = 1;
424                                 seen |= Opt_defcontext;
425                                 break;
426
427                         default:
428                                 rc = -EINVAL;
429                                 printk(KERN_WARNING "SELinux:  unknown mount "
430                                        "option\n");
431                                 goto out_free;
432
433                         }
434                 }
435         }
436
437         if (!seen)
438                 goto out;
439
440         if (context) {
441                 rc = security_context_to_sid(context, strlen(context), &sid);
442                 if (rc) {
443                         printk(KERN_WARNING "SELinux: security_context_to_sid"
444                                "(%s) failed for (dev %s, type %s) errno=%d\n",
445                                context, sb->s_id, name, rc);
446                         goto out_free;
447                 }
448
449                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450                                   FILESYSTEM__RELABELFROM, NULL);
451                 if (rc)
452                         goto out_free;
453
454                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455                                   FILESYSTEM__RELABELTO, NULL);
456                 if (rc)
457                         goto out_free;
458
459                 sbsec->sid = sid;
460
461                 if (seen & Opt_context)
462                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
463         }
464
465         if (defcontext) {
466                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
467                 if (rc) {
468                         printk(KERN_WARNING "SELinux: security_context_to_sid"
469                                "(%s) failed for (dev %s, type %s) errno=%d\n",
470                                defcontext, sb->s_id, name, rc);
471                         goto out_free;
472                 }
473
474                 if (sid == sbsec->def_sid)
475                         goto out_free;
476
477                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
478                                   FILESYSTEM__RELABELFROM, NULL);
479                 if (rc)
480                         goto out_free;
481
482                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
483                                   FILESYSTEM__ASSOCIATE, NULL);
484                 if (rc)
485                         goto out_free;
486
487                 sbsec->def_sid = sid;
488         }
489
490 out_free:
491         if (alloc) {
492                 kfree(context);
493                 kfree(defcontext);
494         }
495 out:
496         return rc;
497 }
498
499 static int superblock_doinit(struct super_block *sb, void *data)
500 {
501         struct superblock_security_struct *sbsec = sb->s_security;
502         struct dentry *root = sb->s_root;
503         struct inode *inode = root->d_inode;
504         int rc = 0;
505
506         down(&sbsec->sem);
507         if (sbsec->initialized)
508                 goto out;
509
510         if (!ss_initialized) {
511                 /* Defer initialization until selinux_complete_init,
512                    after the initial policy is loaded and the security
513                    server is ready to handle calls. */
514                 spin_lock(&sb_security_lock);
515                 if (list_empty(&sbsec->list))
516                         list_add(&sbsec->list, &superblock_security_head);
517                 spin_unlock(&sb_security_lock);
518                 goto out;
519         }
520
521         /* Determine the labeling behavior to use for this filesystem type. */
522         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
523         if (rc) {
524                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
525                        __FUNCTION__, sb->s_type->name, rc);
526                 goto out;
527         }
528
529         rc = try_context_mount(sb, data);
530         if (rc)
531                 goto out;
532
533         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
534                 /* Make sure that the xattr handler exists and that no
535                    error other than -ENODATA is returned by getxattr on
536                    the root directory.  -ENODATA is ok, as this may be
537                    the first boot of the SELinux kernel before we have
538                    assigned xattr values to the filesystem. */
539                 if (!inode->i_op->getxattr) {
540                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
541                                "xattr support\n", sb->s_id, sb->s_type->name);
542                         rc = -EOPNOTSUPP;
543                         goto out;
544                 }
545                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
546                 if (rc < 0 && rc != -ENODATA) {
547                         if (rc == -EOPNOTSUPP)
548                                 printk(KERN_WARNING "SELinux: (dev %s, type "
549                                        "%s) has no security xattr handler\n",
550                                        sb->s_id, sb->s_type->name);
551                         else
552                                 printk(KERN_WARNING "SELinux: (dev %s, type "
553                                        "%s) getxattr errno %d\n", sb->s_id,
554                                        sb->s_type->name, -rc);
555                         goto out;
556                 }
557         }
558
559         if (strcmp(sb->s_type->name, "proc") == 0)
560                 sbsec->proc = 1;
561
562         sbsec->initialized = 1;
563
564         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
565                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
566                        sb->s_id, sb->s_type->name);
567         }
568         else {
569                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
570                        sb->s_id, sb->s_type->name,
571                        labeling_behaviors[sbsec->behavior-1]);
572         }
573
574         /* Initialize the root inode. */
575         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
576
577         /* Initialize any other inodes associated with the superblock, e.g.
578            inodes created prior to initial policy load or inodes created
579            during get_sb by a pseudo filesystem that directly
580            populates itself. */
581         spin_lock(&sbsec->isec_lock);
582 next_inode:
583         if (!list_empty(&sbsec->isec_head)) {
584                 struct inode_security_struct *isec =
585                                 list_entry(sbsec->isec_head.next,
586                                            struct inode_security_struct, list);
587                 struct inode *inode = isec->inode;
588                 spin_unlock(&sbsec->isec_lock);
589                 inode = igrab(inode);
590                 if (inode) {
591                         if (!IS_PRIVATE (inode))
592                                 inode_doinit(inode);
593                         iput(inode);
594                 }
595                 spin_lock(&sbsec->isec_lock);
596                 list_del_init(&isec->list);
597                 goto next_inode;
598         }
599         spin_unlock(&sbsec->isec_lock);
600 out:
601         up(&sbsec->sem);
602         return rc;
603 }
604
605 static inline u16 inode_mode_to_security_class(umode_t mode)
606 {
607         switch (mode & S_IFMT) {
608         case S_IFSOCK:
609                 return SECCLASS_SOCK_FILE;
610         case S_IFLNK:
611                 return SECCLASS_LNK_FILE;
612         case S_IFREG:
613                 return SECCLASS_FILE;
614         case S_IFBLK:
615                 return SECCLASS_BLK_FILE;
616         case S_IFDIR:
617                 return SECCLASS_DIR;
618         case S_IFCHR:
619                 return SECCLASS_CHR_FILE;
620         case S_IFIFO:
621                 return SECCLASS_FIFO_FILE;
622
623         }
624
625         return SECCLASS_FILE;
626 }
627
628 static inline int default_protocol_stream(int protocol)
629 {
630         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
631 }
632
633 static inline int default_protocol_dgram(int protocol)
634 {
635         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
636 }
637
638 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
639 {
640         switch (family) {
641         case PF_UNIX:
642                 switch (type) {
643                 case SOCK_STREAM:
644                 case SOCK_SEQPACKET:
645                         return SECCLASS_UNIX_STREAM_SOCKET;
646                 case SOCK_DGRAM:
647                         return SECCLASS_UNIX_DGRAM_SOCKET;
648                 }
649                 break;
650         case PF_INET:
651         case PF_INET6:
652                 switch (type) {
653                 case SOCK_STREAM:
654                         if (default_protocol_stream(protocol))
655                                 return SECCLASS_TCP_SOCKET;
656                         else
657                                 return SECCLASS_RAWIP_SOCKET;
658                 case SOCK_DGRAM:
659                         if (default_protocol_dgram(protocol))
660                                 return SECCLASS_UDP_SOCKET;
661                         else
662                                 return SECCLASS_RAWIP_SOCKET;
663                 default:
664                         return SECCLASS_RAWIP_SOCKET;
665                 }
666                 break;
667         case PF_NETLINK:
668                 switch (protocol) {
669                 case NETLINK_ROUTE:
670                         return SECCLASS_NETLINK_ROUTE_SOCKET;
671                 case NETLINK_FIREWALL:
672                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
673                 case NETLINK_INET_DIAG:
674                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
675                 case NETLINK_NFLOG:
676                         return SECCLASS_NETLINK_NFLOG_SOCKET;
677                 case NETLINK_XFRM:
678                         return SECCLASS_NETLINK_XFRM_SOCKET;
679                 case NETLINK_SELINUX:
680                         return SECCLASS_NETLINK_SELINUX_SOCKET;
681                 case NETLINK_AUDIT:
682                         return SECCLASS_NETLINK_AUDIT_SOCKET;
683                 case NETLINK_IP6_FW:
684                         return SECCLASS_NETLINK_IP6FW_SOCKET;
685                 case NETLINK_DNRTMSG:
686                         return SECCLASS_NETLINK_DNRT_SOCKET;
687                 case NETLINK_KOBJECT_UEVENT:
688                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
689                 default:
690                         return SECCLASS_NETLINK_SOCKET;
691                 }
692         case PF_PACKET:
693                 return SECCLASS_PACKET_SOCKET;
694         case PF_KEY:
695                 return SECCLASS_KEY_SOCKET;
696         }
697
698         return SECCLASS_SOCKET;
699 }
700
701 #ifdef CONFIG_PROC_FS
702 static int selinux_proc_get_sid(struct proc_dir_entry *de,
703                                 u16 tclass,
704                                 u32 *sid)
705 {
706         int buflen, rc;
707         char *buffer, *path, *end;
708
709         buffer = (char*)__get_free_page(GFP_KERNEL);
710         if (!buffer)
711                 return -ENOMEM;
712
713         buflen = PAGE_SIZE;
714         end = buffer+buflen;
715         *--end = '\0';
716         buflen--;
717         path = end-1;
718         *path = '/';
719         while (de && de != de->parent) {
720                 buflen -= de->namelen + 1;
721                 if (buflen < 0)
722                         break;
723                 end -= de->namelen;
724                 memcpy(end, de->name, de->namelen);
725                 *--end = '/';
726                 path = end;
727                 de = de->parent;
728         }
729         rc = security_genfs_sid("proc", path, tclass, sid);
730         free_page((unsigned long)buffer);
731         return rc;
732 }
733 #else
734 static int selinux_proc_get_sid(struct proc_dir_entry *de,
735                                 u16 tclass,
736                                 u32 *sid)
737 {
738         return -EINVAL;
739 }
740 #endif
741
742 /* The inode's security attributes must be initialized before first use. */
743 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
744 {
745         struct superblock_security_struct *sbsec = NULL;
746         struct inode_security_struct *isec = inode->i_security;
747         u32 sid;
748         struct dentry *dentry;
749 #define INITCONTEXTLEN 255
750         char *context = NULL;
751         unsigned len = 0;
752         int rc = 0;
753         int hold_sem = 0;
754
755         if (isec->initialized)
756                 goto out;
757
758         down(&isec->sem);
759         hold_sem = 1;
760         if (isec->initialized)
761                 goto out;
762
763         sbsec = inode->i_sb->s_security;
764         if (!sbsec->initialized) {
765                 /* Defer initialization until selinux_complete_init,
766                    after the initial policy is loaded and the security
767                    server is ready to handle calls. */
768                 spin_lock(&sbsec->isec_lock);
769                 if (list_empty(&isec->list))
770                         list_add(&isec->list, &sbsec->isec_head);
771                 spin_unlock(&sbsec->isec_lock);
772                 goto out;
773         }
774
775         switch (sbsec->behavior) {
776         case SECURITY_FS_USE_XATTR:
777                 if (!inode->i_op->getxattr) {
778                         isec->sid = sbsec->def_sid;
779                         break;
780                 }
781
782                 /* Need a dentry, since the xattr API requires one.
783                    Life would be simpler if we could just pass the inode. */
784                 if (opt_dentry) {
785                         /* Called from d_instantiate or d_splice_alias. */
786                         dentry = dget(opt_dentry);
787                 } else {
788                         /* Called from selinux_complete_init, try to find a dentry. */
789                         dentry = d_find_alias(inode);
790                 }
791                 if (!dentry) {
792                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
793                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
794                                inode->i_ino);
795                         goto out;
796                 }
797
798                 len = INITCONTEXTLEN;
799                 context = kmalloc(len, GFP_KERNEL);
800                 if (!context) {
801                         rc = -ENOMEM;
802                         dput(dentry);
803                         goto out;
804                 }
805                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
806                                            context, len);
807                 if (rc == -ERANGE) {
808                         /* Need a larger buffer.  Query for the right size. */
809                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
810                                                    NULL, 0);
811                         if (rc < 0) {
812                                 dput(dentry);
813                                 goto out;
814                         }
815                         kfree(context);
816                         len = rc;
817                         context = kmalloc(len, GFP_KERNEL);
818                         if (!context) {
819                                 rc = -ENOMEM;
820                                 dput(dentry);
821                                 goto out;
822                         }
823                         rc = inode->i_op->getxattr(dentry,
824                                                    XATTR_NAME_SELINUX,
825                                                    context, len);
826                 }
827                 dput(dentry);
828                 if (rc < 0) {
829                         if (rc != -ENODATA) {
830                                 printk(KERN_WARNING "%s:  getxattr returned "
831                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
832                                        -rc, inode->i_sb->s_id, inode->i_ino);
833                                 kfree(context);
834                                 goto out;
835                         }
836                         /* Map ENODATA to the default file SID */
837                         sid = sbsec->def_sid;
838                         rc = 0;
839                 } else {
840                         rc = security_context_to_sid_default(context, rc, &sid,
841                                                              sbsec->def_sid);
842                         if (rc) {
843                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
844                                        "returned %d for dev=%s ino=%ld\n",
845                                        __FUNCTION__, context, -rc,
846                                        inode->i_sb->s_id, inode->i_ino);
847                                 kfree(context);
848                                 /* Leave with the unlabeled SID */
849                                 rc = 0;
850                                 break;
851                         }
852                 }
853                 kfree(context);
854                 isec->sid = sid;
855                 break;
856         case SECURITY_FS_USE_TASK:
857                 isec->sid = isec->task_sid;
858                 break;
859         case SECURITY_FS_USE_TRANS:
860                 /* Default to the fs SID. */
861                 isec->sid = sbsec->sid;
862
863                 /* Try to obtain a transition SID. */
864                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
865                 rc = security_transition_sid(isec->task_sid,
866                                              sbsec->sid,
867                                              isec->sclass,
868                                              &sid);
869                 if (rc)
870                         goto out;
871                 isec->sid = sid;
872                 break;
873         default:
874                 /* Default to the fs SID. */
875                 isec->sid = sbsec->sid;
876
877                 if (sbsec->proc) {
878                         struct proc_inode *proci = PROC_I(inode);
879                         if (proci->pde) {
880                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
881                                 rc = selinux_proc_get_sid(proci->pde,
882                                                           isec->sclass,
883                                                           &sid);
884                                 if (rc)
885                                         goto out;
886                                 isec->sid = sid;
887                         }
888                 }
889                 break;
890         }
891
892         isec->initialized = 1;
893
894 out:
895         if (isec->sclass == SECCLASS_FILE)
896                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
897
898         if (hold_sem)
899                 up(&isec->sem);
900         return rc;
901 }
902
903 /* Convert a Linux signal to an access vector. */
904 static inline u32 signal_to_av(int sig)
905 {
906         u32 perm = 0;
907
908         switch (sig) {
909         case SIGCHLD:
910                 /* Commonly granted from child to parent. */
911                 perm = PROCESS__SIGCHLD;
912                 break;
913         case SIGKILL:
914                 /* Cannot be caught or ignored */
915                 perm = PROCESS__SIGKILL;
916                 break;
917         case SIGSTOP:
918                 /* Cannot be caught or ignored */
919                 perm = PROCESS__SIGSTOP;
920                 break;
921         default:
922                 /* All other signals. */
923                 perm = PROCESS__SIGNAL;
924                 break;
925         }
926
927         return perm;
928 }
929
930 /* Check permission betweeen a pair of tasks, e.g. signal checks,
931    fork check, ptrace check, etc. */
932 static int task_has_perm(struct task_struct *tsk1,
933                          struct task_struct *tsk2,
934                          u32 perms)
935 {
936         struct task_security_struct *tsec1, *tsec2;
937
938         tsec1 = tsk1->security;
939         tsec2 = tsk2->security;
940         return avc_has_perm(tsec1->sid, tsec2->sid,
941                             SECCLASS_PROCESS, perms, NULL);
942 }
943
944 /* Check whether a task is allowed to use a capability. */
945 static int task_has_capability(struct task_struct *tsk,
946                                int cap)
947 {
948         struct task_security_struct *tsec;
949         struct avc_audit_data ad;
950
951         tsec = tsk->security;
952
953         AVC_AUDIT_DATA_INIT(&ad,CAP);
954         ad.tsk = tsk;
955         ad.u.cap = cap;
956
957         return avc_has_perm(tsec->sid, tsec->sid,
958                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
959 }
960
961 /* Check whether a task is allowed to use a system operation. */
962 static int task_has_system(struct task_struct *tsk,
963                            u32 perms)
964 {
965         struct task_security_struct *tsec;
966
967         tsec = tsk->security;
968
969         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
970                             SECCLASS_SYSTEM, perms, NULL);
971 }
972
973 /* Check whether a task has a particular permission to an inode.
974    The 'adp' parameter is optional and allows other audit
975    data to be passed (e.g. the dentry). */
976 static int inode_has_perm(struct task_struct *tsk,
977                           struct inode *inode,
978                           u32 perms,
979                           struct avc_audit_data *adp)
980 {
981         struct task_security_struct *tsec;
982         struct inode_security_struct *isec;
983         struct avc_audit_data ad;
984
985         tsec = tsk->security;
986         isec = inode->i_security;
987
988         if (!adp) {
989                 adp = &ad;
990                 AVC_AUDIT_DATA_INIT(&ad, FS);
991                 ad.u.fs.inode = inode;
992         }
993
994         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
995 }
996
997 /* Same as inode_has_perm, but pass explicit audit data containing
998    the dentry to help the auditing code to more easily generate the
999    pathname if needed. */
1000 static inline int dentry_has_perm(struct task_struct *tsk,
1001                                   struct vfsmount *mnt,
1002                                   struct dentry *dentry,
1003                                   u32 av)
1004 {
1005         struct inode *inode = dentry->d_inode;
1006         struct avc_audit_data ad;
1007         AVC_AUDIT_DATA_INIT(&ad,FS);
1008         ad.u.fs.mnt = mnt;
1009         ad.u.fs.dentry = dentry;
1010         return inode_has_perm(tsk, inode, av, &ad);
1011 }
1012
1013 /* Check whether a task can use an open file descriptor to
1014    access an inode in a given way.  Check access to the
1015    descriptor itself, and then use dentry_has_perm to
1016    check a particular permission to the file.
1017    Access to the descriptor is implicitly granted if it
1018    has the same SID as the process.  If av is zero, then
1019    access to the file is not checked, e.g. for cases
1020    where only the descriptor is affected like seek. */
1021 static inline int file_has_perm(struct task_struct *tsk,
1022                                 struct file *file,
1023                                 u32 av)
1024 {
1025         struct task_security_struct *tsec = tsk->security;
1026         struct file_security_struct *fsec = file->f_security;
1027         struct vfsmount *mnt = file->f_vfsmnt;
1028         struct dentry *dentry = file->f_dentry;
1029         struct inode *inode = dentry->d_inode;
1030         struct avc_audit_data ad;
1031         int rc;
1032
1033         AVC_AUDIT_DATA_INIT(&ad, FS);
1034         ad.u.fs.mnt = mnt;
1035         ad.u.fs.dentry = dentry;
1036
1037         if (tsec->sid != fsec->sid) {
1038                 rc = avc_has_perm(tsec->sid, fsec->sid,
1039                                   SECCLASS_FD,
1040                                   FD__USE,
1041                                   &ad);
1042                 if (rc)
1043                         return rc;
1044         }
1045
1046         /* av is zero if only checking access to the descriptor. */
1047         if (av)
1048                 return inode_has_perm(tsk, inode, av, &ad);
1049
1050         return 0;
1051 }
1052
1053 /* Check whether a task can create a file. */
1054 static int may_create(struct inode *dir,
1055                       struct dentry *dentry,
1056                       u16 tclass)
1057 {
1058         struct task_security_struct *tsec;
1059         struct inode_security_struct *dsec;
1060         struct superblock_security_struct *sbsec;
1061         u32 newsid;
1062         struct avc_audit_data ad;
1063         int rc;
1064
1065         tsec = current->security;
1066         dsec = dir->i_security;
1067         sbsec = dir->i_sb->s_security;
1068
1069         AVC_AUDIT_DATA_INIT(&ad, FS);
1070         ad.u.fs.dentry = dentry;
1071
1072         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1073                           DIR__ADD_NAME | DIR__SEARCH,
1074                           &ad);
1075         if (rc)
1076                 return rc;
1077
1078         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1079                 newsid = tsec->create_sid;
1080         } else {
1081                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1082                                              &newsid);
1083                 if (rc)
1084                         return rc;
1085         }
1086
1087         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1088         if (rc)
1089                 return rc;
1090
1091         return avc_has_perm(newsid, sbsec->sid,
1092                             SECCLASS_FILESYSTEM,
1093                             FILESYSTEM__ASSOCIATE, &ad);
1094 }
1095
1096 #define MAY_LINK   0
1097 #define MAY_UNLINK 1
1098 #define MAY_RMDIR  2
1099
1100 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1101 static int may_link(struct inode *dir,
1102                     struct dentry *dentry,
1103                     int kind)
1104
1105 {
1106         struct task_security_struct *tsec;
1107         struct inode_security_struct *dsec, *isec;
1108         struct avc_audit_data ad;
1109         u32 av;
1110         int rc;
1111
1112         tsec = current->security;
1113         dsec = dir->i_security;
1114         isec = dentry->d_inode->i_security;
1115
1116         AVC_AUDIT_DATA_INIT(&ad, FS);
1117         ad.u.fs.dentry = dentry;
1118
1119         av = DIR__SEARCH;
1120         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1121         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1122         if (rc)
1123                 return rc;
1124
1125         switch (kind) {
1126         case MAY_LINK:
1127                 av = FILE__LINK;
1128                 break;
1129         case MAY_UNLINK:
1130                 av = FILE__UNLINK;
1131                 break;
1132         case MAY_RMDIR:
1133                 av = DIR__RMDIR;
1134                 break;
1135         default:
1136                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1137                 return 0;
1138         }
1139
1140         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1141         return rc;
1142 }
1143
1144 static inline int may_rename(struct inode *old_dir,
1145                              struct dentry *old_dentry,
1146                              struct inode *new_dir,
1147                              struct dentry *new_dentry)
1148 {
1149         struct task_security_struct *tsec;
1150         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1151         struct avc_audit_data ad;
1152         u32 av;
1153         int old_is_dir, new_is_dir;
1154         int rc;
1155
1156         tsec = current->security;
1157         old_dsec = old_dir->i_security;
1158         old_isec = old_dentry->d_inode->i_security;
1159         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1160         new_dsec = new_dir->i_security;
1161
1162         AVC_AUDIT_DATA_INIT(&ad, FS);
1163
1164         ad.u.fs.dentry = old_dentry;
1165         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1166                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1167         if (rc)
1168                 return rc;
1169         rc = avc_has_perm(tsec->sid, old_isec->sid,
1170                           old_isec->sclass, FILE__RENAME, &ad);
1171         if (rc)
1172                 return rc;
1173         if (old_is_dir && new_dir != old_dir) {
1174                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1175                                   old_isec->sclass, DIR__REPARENT, &ad);
1176                 if (rc)
1177                         return rc;
1178         }
1179
1180         ad.u.fs.dentry = new_dentry;
1181         av = DIR__ADD_NAME | DIR__SEARCH;
1182         if (new_dentry->d_inode)
1183                 av |= DIR__REMOVE_NAME;
1184         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1185         if (rc)
1186                 return rc;
1187         if (new_dentry->d_inode) {
1188                 new_isec = new_dentry->d_inode->i_security;
1189                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1190                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1191                                   new_isec->sclass,
1192                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1193                 if (rc)
1194                         return rc;
1195         }
1196
1197         return 0;
1198 }
1199
1200 /* Check whether a task can perform a filesystem operation. */
1201 static int superblock_has_perm(struct task_struct *tsk,
1202                                struct super_block *sb,
1203                                u32 perms,
1204                                struct avc_audit_data *ad)
1205 {
1206         struct task_security_struct *tsec;
1207         struct superblock_security_struct *sbsec;
1208
1209         tsec = tsk->security;
1210         sbsec = sb->s_security;
1211         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1212                             perms, ad);
1213 }
1214
1215 /* Convert a Linux mode and permission mask to an access vector. */
1216 static inline u32 file_mask_to_av(int mode, int mask)
1217 {
1218         u32 av = 0;
1219
1220         if ((mode & S_IFMT) != S_IFDIR) {
1221                 if (mask & MAY_EXEC)
1222                         av |= FILE__EXECUTE;
1223                 if (mask & MAY_READ)
1224                         av |= FILE__READ;
1225
1226                 if (mask & MAY_APPEND)
1227                         av |= FILE__APPEND;
1228                 else if (mask & MAY_WRITE)
1229                         av |= FILE__WRITE;
1230
1231         } else {
1232                 if (mask & MAY_EXEC)
1233                         av |= DIR__SEARCH;
1234                 if (mask & MAY_WRITE)
1235                         av |= DIR__WRITE;
1236                 if (mask & MAY_READ)
1237                         av |= DIR__READ;
1238         }
1239
1240         return av;
1241 }
1242
1243 /* Convert a Linux file to an access vector. */
1244 static inline u32 file_to_av(struct file *file)
1245 {
1246         u32 av = 0;
1247
1248         if (file->f_mode & FMODE_READ)
1249                 av |= FILE__READ;
1250         if (file->f_mode & FMODE_WRITE) {
1251                 if (file->f_flags & O_APPEND)
1252                         av |= FILE__APPEND;
1253                 else
1254                         av |= FILE__WRITE;
1255         }
1256
1257         return av;
1258 }
1259
1260 /* Set an inode's SID to a specified value. */
1261 static int inode_security_set_sid(struct inode *inode, u32 sid)
1262 {
1263         struct inode_security_struct *isec = inode->i_security;
1264         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1265
1266         if (!sbsec->initialized) {
1267                 /* Defer initialization to selinux_complete_init. */
1268                 return 0;
1269         }
1270
1271         down(&isec->sem);
1272         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1273         isec->sid = sid;
1274         isec->initialized = 1;
1275         up(&isec->sem);
1276         return 0;
1277 }
1278
1279 /* Hook functions begin here. */
1280
1281 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1282 {
1283         struct task_security_struct *psec = parent->security;
1284         struct task_security_struct *csec = child->security;
1285         int rc;
1286
1287         rc = secondary_ops->ptrace(parent,child);
1288         if (rc)
1289                 return rc;
1290
1291         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1292         /* Save the SID of the tracing process for later use in apply_creds. */
1293         if (!rc)
1294                 csec->ptrace_sid = psec->sid;
1295         return rc;
1296 }
1297
1298 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1299                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1300 {
1301         int error;
1302
1303         error = task_has_perm(current, target, PROCESS__GETCAP);
1304         if (error)
1305                 return error;
1306
1307         return secondary_ops->capget(target, effective, inheritable, permitted);
1308 }
1309
1310 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1311                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1312 {
1313         int error;
1314
1315         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1316         if (error)
1317                 return error;
1318
1319         return task_has_perm(current, target, PROCESS__SETCAP);
1320 }
1321
1322 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1323                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1324 {
1325         secondary_ops->capset_set(target, effective, inheritable, permitted);
1326 }
1327
1328 static int selinux_capable(struct task_struct *tsk, int cap)
1329 {
1330         int rc;
1331
1332         rc = secondary_ops->capable(tsk, cap);
1333         if (rc)
1334                 return rc;
1335
1336         return task_has_capability(tsk,cap);
1337 }
1338
1339 static int selinux_sysctl(ctl_table *table, int op)
1340 {
1341         int error = 0;
1342         u32 av;
1343         struct task_security_struct *tsec;
1344         u32 tsid;
1345         int rc;
1346
1347         rc = secondary_ops->sysctl(table, op);
1348         if (rc)
1349                 return rc;
1350
1351         tsec = current->security;
1352
1353         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1354                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1355         if (rc) {
1356                 /* Default to the well-defined sysctl SID. */
1357                 tsid = SECINITSID_SYSCTL;
1358         }
1359
1360         /* The op values are "defined" in sysctl.c, thereby creating
1361          * a bad coupling between this module and sysctl.c */
1362         if(op == 001) {
1363                 error = avc_has_perm(tsec->sid, tsid,
1364                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1365         } else {
1366                 av = 0;
1367                 if (op & 004)
1368                         av |= FILE__READ;
1369                 if (op & 002)
1370                         av |= FILE__WRITE;
1371                 if (av)
1372                         error = avc_has_perm(tsec->sid, tsid,
1373                                              SECCLASS_FILE, av, NULL);
1374         }
1375
1376         return error;
1377 }
1378
1379 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1380 {
1381         int rc = 0;
1382
1383         if (!sb)
1384                 return 0;
1385
1386         switch (cmds) {
1387                 case Q_SYNC:
1388                 case Q_QUOTAON:
1389                 case Q_QUOTAOFF:
1390                 case Q_SETINFO:
1391                 case Q_SETQUOTA:
1392                         rc = superblock_has_perm(current,
1393                                                  sb,
1394                                                  FILESYSTEM__QUOTAMOD, NULL);
1395                         break;
1396                 case Q_GETFMT:
1397                 case Q_GETINFO:
1398                 case Q_GETQUOTA:
1399                         rc = superblock_has_perm(current,
1400                                                  sb,
1401                                                  FILESYSTEM__QUOTAGET, NULL);
1402                         break;
1403                 default:
1404                         rc = 0;  /* let the kernel handle invalid cmds */
1405                         break;
1406         }
1407         return rc;
1408 }
1409
1410 static int selinux_quota_on(struct dentry *dentry)
1411 {
1412         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1413 }
1414
1415 static int selinux_syslog(int type)
1416 {
1417         int rc;
1418
1419         rc = secondary_ops->syslog(type);
1420         if (rc)
1421                 return rc;
1422
1423         switch (type) {
1424                 case 3:         /* Read last kernel messages */
1425                 case 10:        /* Return size of the log buffer */
1426                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1427                         break;
1428                 case 6:         /* Disable logging to console */
1429                 case 7:         /* Enable logging to console */
1430                 case 8:         /* Set level of messages printed to console */
1431                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1432                         break;
1433                 case 0:         /* Close log */
1434                 case 1:         /* Open log */
1435                 case 2:         /* Read from log */
1436                 case 4:         /* Read/clear last kernel messages */
1437                 case 5:         /* Clear ring buffer */
1438                 default:
1439                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1440                         break;
1441         }
1442         return rc;
1443 }
1444
1445 /*
1446  * Check that a process has enough memory to allocate a new virtual
1447  * mapping. 0 means there is enough memory for the allocation to
1448  * succeed and -ENOMEM implies there is not.
1449  *
1450  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1451  * if the capability is granted, but __vm_enough_memory requires 1 if
1452  * the capability is granted.
1453  *
1454  * Do not audit the selinux permission check, as this is applied to all
1455  * processes that allocate mappings.
1456  */
1457 static int selinux_vm_enough_memory(long pages)
1458 {
1459         int rc, cap_sys_admin = 0;
1460         struct task_security_struct *tsec = current->security;
1461
1462         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1463         if (rc == 0)
1464                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1465                                         SECCLASS_CAPABILITY,
1466                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1467                                         NULL);
1468
1469         if (rc == 0)
1470                 cap_sys_admin = 1;
1471
1472         return __vm_enough_memory(pages, cap_sys_admin);
1473 }
1474
1475 /* binprm security operations */
1476
1477 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1478 {
1479         struct bprm_security_struct *bsec;
1480
1481         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1482         if (!bsec)
1483                 return -ENOMEM;
1484
1485         bsec->magic = SELINUX_MAGIC;
1486         bsec->bprm = bprm;
1487         bsec->sid = SECINITSID_UNLABELED;
1488         bsec->set = 0;
1489
1490         bprm->security = bsec;
1491         return 0;
1492 }
1493
1494 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1495 {
1496         struct task_security_struct *tsec;
1497         struct inode *inode = bprm->file->f_dentry->d_inode;
1498         struct inode_security_struct *isec;
1499         struct bprm_security_struct *bsec;
1500         u32 newsid;
1501         struct avc_audit_data ad;
1502         int rc;
1503
1504         rc = secondary_ops->bprm_set_security(bprm);
1505         if (rc)
1506                 return rc;
1507
1508         bsec = bprm->security;
1509
1510         if (bsec->set)
1511                 return 0;
1512
1513         tsec = current->security;
1514         isec = inode->i_security;
1515
1516         /* Default to the current task SID. */
1517         bsec->sid = tsec->sid;
1518
1519         /* Reset create SID on execve. */
1520         tsec->create_sid = 0;
1521
1522         if (tsec->exec_sid) {
1523                 newsid = tsec->exec_sid;
1524                 /* Reset exec SID on execve. */
1525                 tsec->exec_sid = 0;
1526         } else {
1527                 /* Check for a default transition on this program. */
1528                 rc = security_transition_sid(tsec->sid, isec->sid,
1529                                              SECCLASS_PROCESS, &newsid);
1530                 if (rc)
1531                         return rc;
1532         }
1533
1534         AVC_AUDIT_DATA_INIT(&ad, FS);
1535         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1536         ad.u.fs.dentry = bprm->file->f_dentry;
1537
1538         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1539                 newsid = tsec->sid;
1540
1541         if (tsec->sid == newsid) {
1542                 rc = avc_has_perm(tsec->sid, isec->sid,
1543                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1544                 if (rc)
1545                         return rc;
1546         } else {
1547                 /* Check permissions for the transition. */
1548                 rc = avc_has_perm(tsec->sid, newsid,
1549                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1550                 if (rc)
1551                         return rc;
1552
1553                 rc = avc_has_perm(newsid, isec->sid,
1554                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1555                 if (rc)
1556                         return rc;
1557
1558                 /* Clear any possibly unsafe personality bits on exec: */
1559                 current->personality &= ~PER_CLEAR_ON_SETID;
1560
1561                 /* Set the security field to the new SID. */
1562                 bsec->sid = newsid;
1563         }
1564
1565         bsec->set = 1;
1566         return 0;
1567 }
1568
1569 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1570 {
1571         return secondary_ops->bprm_check_security(bprm);
1572 }
1573
1574
1575 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1576 {
1577         struct task_security_struct *tsec = current->security;
1578         int atsecure = 0;
1579
1580         if (tsec->osid != tsec->sid) {
1581                 /* Enable secure mode for SIDs transitions unless
1582                    the noatsecure permission is granted between
1583                    the two SIDs, i.e. ahp returns 0. */
1584                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1585                                          SECCLASS_PROCESS,
1586                                          PROCESS__NOATSECURE, NULL);
1587         }
1588
1589         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1590 }
1591
1592 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1593 {
1594         kfree(bprm->security);
1595         bprm->security = NULL;
1596 }
1597
1598 extern struct vfsmount *selinuxfs_mount;
1599 extern struct dentry *selinux_null;
1600
1601 /* Derived from fs/exec.c:flush_old_files. */
1602 static inline void flush_unauthorized_files(struct files_struct * files)
1603 {
1604         struct avc_audit_data ad;
1605         struct file *file, *devnull = NULL;
1606         struct tty_struct *tty = current->signal->tty;
1607         struct fdtable *fdt;
1608         long j = -1;
1609
1610         if (tty) {
1611                 file_list_lock();
1612                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1613                 if (file) {
1614                         /* Revalidate access to controlling tty.
1615                            Use inode_has_perm on the tty inode directly rather
1616                            than using file_has_perm, as this particular open
1617                            file may belong to another process and we are only
1618                            interested in the inode-based check here. */
1619                         struct inode *inode = file->f_dentry->d_inode;
1620                         if (inode_has_perm(current, inode,
1621                                            FILE__READ | FILE__WRITE, NULL)) {
1622                                 /* Reset controlling tty. */
1623                                 current->signal->tty = NULL;
1624                                 current->signal->tty_old_pgrp = 0;
1625                         }
1626                 }
1627                 file_list_unlock();
1628         }
1629
1630         /* Revalidate access to inherited open files. */
1631
1632         AVC_AUDIT_DATA_INIT(&ad,FS);
1633
1634         spin_lock(&files->file_lock);
1635         for (;;) {
1636                 unsigned long set, i;
1637                 int fd;
1638
1639                 j++;
1640                 i = j * __NFDBITS;
1641                 fdt = files_fdtable(files);
1642                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1643                         break;
1644                 set = fdt->open_fds->fds_bits[j];
1645                 if (!set)
1646                         continue;
1647                 spin_unlock(&files->file_lock);
1648                 for ( ; set ; i++,set >>= 1) {
1649                         if (set & 1) {
1650                                 file = fget(i);
1651                                 if (!file)
1652                                         continue;
1653                                 if (file_has_perm(current,
1654                                                   file,
1655                                                   file_to_av(file))) {
1656                                         sys_close(i);
1657                                         fd = get_unused_fd();
1658                                         if (fd != i) {
1659                                                 if (fd >= 0)
1660                                                         put_unused_fd(fd);
1661                                                 fput(file);
1662                                                 continue;
1663                                         }
1664                                         if (devnull) {
1665                                                 rcuref_inc(&devnull->f_count);
1666                                         } else {
1667                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1668                                                 if (!devnull) {
1669                                                         put_unused_fd(fd);
1670                                                         fput(file);
1671                                                         continue;
1672                                                 }
1673                                         }
1674                                         fd_install(fd, devnull);
1675                                 }
1676                                 fput(file);
1677                         }
1678                 }
1679                 spin_lock(&files->file_lock);
1680
1681         }
1682         spin_unlock(&files->file_lock);
1683 }
1684
1685 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1686 {
1687         struct task_security_struct *tsec;
1688         struct bprm_security_struct *bsec;
1689         u32 sid;
1690         int rc;
1691
1692         secondary_ops->bprm_apply_creds(bprm, unsafe);
1693
1694         tsec = current->security;
1695
1696         bsec = bprm->security;
1697         sid = bsec->sid;
1698
1699         tsec->osid = tsec->sid;
1700         bsec->unsafe = 0;
1701         if (tsec->sid != sid) {
1702                 /* Check for shared state.  If not ok, leave SID
1703                    unchanged and kill. */
1704                 if (unsafe & LSM_UNSAFE_SHARE) {
1705                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1706                                         PROCESS__SHARE, NULL);
1707                         if (rc) {
1708                                 bsec->unsafe = 1;
1709                                 return;
1710                         }
1711                 }
1712
1713                 /* Check for ptracing, and update the task SID if ok.
1714                    Otherwise, leave SID unchanged and kill. */
1715                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1716                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1717                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1718                                           NULL);
1719                         if (rc) {
1720                                 bsec->unsafe = 1;
1721                                 return;
1722                         }
1723                 }
1724                 tsec->sid = sid;
1725         }
1726 }
1727
1728 /*
1729  * called after apply_creds without the task lock held
1730  */
1731 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1732 {
1733         struct task_security_struct *tsec;
1734         struct rlimit *rlim, *initrlim;
1735         struct itimerval itimer;
1736         struct bprm_security_struct *bsec;
1737         int rc, i;
1738
1739         tsec = current->security;
1740         bsec = bprm->security;
1741
1742         if (bsec->unsafe) {
1743                 force_sig_specific(SIGKILL, current);
1744                 return;
1745         }
1746         if (tsec->osid == tsec->sid)
1747                 return;
1748
1749         /* Close files for which the new task SID is not authorized. */
1750         flush_unauthorized_files(current->files);
1751
1752         /* Check whether the new SID can inherit signal state
1753            from the old SID.  If not, clear itimers to avoid
1754            subsequent signal generation and flush and unblock
1755            signals. This must occur _after_ the task SID has
1756           been updated so that any kill done after the flush
1757           will be checked against the new SID. */
1758         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1759                           PROCESS__SIGINH, NULL);
1760         if (rc) {
1761                 memset(&itimer, 0, sizeof itimer);
1762                 for (i = 0; i < 3; i++)
1763                         do_setitimer(i, &itimer, NULL);
1764                 flush_signals(current);
1765                 spin_lock_irq(&current->sighand->siglock);
1766                 flush_signal_handlers(current, 1);
1767                 sigemptyset(&current->blocked);
1768                 recalc_sigpending();
1769                 spin_unlock_irq(&current->sighand->siglock);
1770         }
1771
1772         /* Check whether the new SID can inherit resource limits
1773            from the old SID.  If not, reset all soft limits to
1774            the lower of the current task's hard limit and the init
1775            task's soft limit.  Note that the setting of hard limits
1776            (even to lower them) can be controlled by the setrlimit
1777            check. The inclusion of the init task's soft limit into
1778            the computation is to avoid resetting soft limits higher
1779            than the default soft limit for cases where the default
1780            is lower than the hard limit, e.g. RLIMIT_CORE or
1781            RLIMIT_STACK.*/
1782         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1783                           PROCESS__RLIMITINH, NULL);
1784         if (rc) {
1785                 for (i = 0; i < RLIM_NLIMITS; i++) {
1786                         rlim = current->signal->rlim + i;
1787                         initrlim = init_task.signal->rlim+i;
1788                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1789                 }
1790                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1791                         /*
1792                          * This will cause RLIMIT_CPU calculations
1793                          * to be refigured.
1794                          */
1795                         current->it_prof_expires = jiffies_to_cputime(1);
1796                 }
1797         }
1798
1799         /* Wake up the parent if it is waiting so that it can
1800            recheck wait permission to the new task SID. */
1801         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1802 }
1803
1804 /* superblock security operations */
1805
1806 static int selinux_sb_alloc_security(struct super_block *sb)
1807 {
1808         return superblock_alloc_security(sb);
1809 }
1810
1811 static void selinux_sb_free_security(struct super_block *sb)
1812 {
1813         superblock_free_security(sb);
1814 }
1815
1816 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1817 {
1818         if (plen > olen)
1819                 return 0;
1820
1821         return !memcmp(prefix, option, plen);
1822 }
1823
1824 static inline int selinux_option(char *option, int len)
1825 {
1826         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1827                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1828                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1829 }
1830
1831 static inline void take_option(char **to, char *from, int *first, int len)
1832 {
1833         if (!*first) {
1834                 **to = ',';
1835                 *to += 1;
1836         }
1837         else
1838                 *first = 0;
1839         memcpy(*to, from, len);
1840         *to += len;
1841 }
1842
1843 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1844 {
1845         int fnosec, fsec, rc = 0;
1846         char *in_save, *in_curr, *in_end;
1847         char *sec_curr, *nosec_save, *nosec;
1848
1849         in_curr = orig;
1850         sec_curr = copy;
1851
1852         /* Binary mount data: just copy */
1853         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1854                 copy_page(sec_curr, in_curr);
1855                 goto out;
1856         }
1857
1858         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1859         if (!nosec) {
1860                 rc = -ENOMEM;
1861                 goto out;
1862         }
1863
1864         nosec_save = nosec;
1865         fnosec = fsec = 1;
1866         in_save = in_end = orig;
1867
1868         do {
1869                 if (*in_end == ',' || *in_end == '\0') {
1870                         int len = in_end - in_curr;
1871
1872                         if (selinux_option(in_curr, len))
1873                                 take_option(&sec_curr, in_curr, &fsec, len);
1874                         else
1875                                 take_option(&nosec, in_curr, &fnosec, len);
1876
1877                         in_curr = in_end + 1;
1878                 }
1879         } while (*in_end++);
1880
1881         strcpy(in_save, nosec_save);
1882         free_page((unsigned long)nosec_save);
1883 out:
1884         return rc;
1885 }
1886
1887 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1888 {
1889         struct avc_audit_data ad;
1890         int rc;
1891
1892         rc = superblock_doinit(sb, data);
1893         if (rc)
1894                 return rc;
1895
1896         AVC_AUDIT_DATA_INIT(&ad,FS);
1897         ad.u.fs.dentry = sb->s_root;
1898         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1899 }
1900
1901 static int selinux_sb_statfs(struct super_block *sb)
1902 {
1903         struct avc_audit_data ad;
1904
1905         AVC_AUDIT_DATA_INIT(&ad,FS);
1906         ad.u.fs.dentry = sb->s_root;
1907         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1908 }
1909
1910 static int selinux_mount(char * dev_name,
1911                          struct nameidata *nd,
1912                          char * type,
1913                          unsigned long flags,
1914                          void * data)
1915 {
1916         int rc;
1917
1918         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1919         if (rc)
1920                 return rc;
1921
1922         if (flags & MS_REMOUNT)
1923                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1924                                            FILESYSTEM__REMOUNT, NULL);
1925         else
1926                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1927                                        FILE__MOUNTON);
1928 }
1929
1930 static int selinux_umount(struct vfsmount *mnt, int flags)
1931 {
1932         int rc;
1933
1934         rc = secondary_ops->sb_umount(mnt, flags);
1935         if (rc)
1936                 return rc;
1937
1938         return superblock_has_perm(current,mnt->mnt_sb,
1939                                    FILESYSTEM__UNMOUNT,NULL);
1940 }
1941
1942 /* inode security operations */
1943
1944 static int selinux_inode_alloc_security(struct inode *inode)
1945 {
1946         return inode_alloc_security(inode);
1947 }
1948
1949 static void selinux_inode_free_security(struct inode *inode)
1950 {
1951         inode_free_security(inode);
1952 }
1953
1954 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1955                                        char **name, void **value,
1956                                        size_t *len)
1957 {
1958         struct task_security_struct *tsec;
1959         struct inode_security_struct *dsec;
1960         struct superblock_security_struct *sbsec;
1961         struct inode_security_struct *isec;
1962         u32 newsid, clen;
1963         int rc;
1964         char *namep = NULL, *context;
1965
1966         tsec = current->security;
1967         dsec = dir->i_security;
1968         sbsec = dir->i_sb->s_security;
1969         isec = inode->i_security;
1970
1971         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1972                 newsid = tsec->create_sid;
1973         } else {
1974                 rc = security_transition_sid(tsec->sid, dsec->sid,
1975                                              inode_mode_to_security_class(inode->i_mode),
1976                                              &newsid);
1977                 if (rc) {
1978                         printk(KERN_WARNING "%s:  "
1979                                "security_transition_sid failed, rc=%d (dev=%s "
1980                                "ino=%ld)\n",
1981                                __FUNCTION__,
1982                                -rc, inode->i_sb->s_id, inode->i_ino);
1983                         return rc;
1984                 }
1985         }
1986
1987         inode_security_set_sid(inode, newsid);
1988
1989         if (name) {
1990                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1991                 if (!namep)
1992                         return -ENOMEM;
1993                 *name = namep;
1994         }
1995
1996         if (value && len) {
1997                 rc = security_sid_to_context(newsid, &context, &clen);
1998                 if (rc) {
1999                         kfree(namep);
2000                         return rc;
2001                 }
2002                 *value = context;
2003                 *len = clen;
2004         }
2005
2006         return 0;
2007 }
2008
2009 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2010 {
2011         return may_create(dir, dentry, SECCLASS_FILE);
2012 }
2013
2014 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2015 {
2016         int rc;
2017
2018         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2019         if (rc)
2020                 return rc;
2021         return may_link(dir, old_dentry, MAY_LINK);
2022 }
2023
2024 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2025 {
2026         int rc;
2027
2028         rc = secondary_ops->inode_unlink(dir, dentry);
2029         if (rc)
2030                 return rc;
2031         return may_link(dir, dentry, MAY_UNLINK);
2032 }
2033
2034 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2035 {
2036         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2037 }
2038
2039 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2040 {
2041         return may_create(dir, dentry, SECCLASS_DIR);
2042 }
2043
2044 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2045 {
2046         return may_link(dir, dentry, MAY_RMDIR);
2047 }
2048
2049 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2050 {
2051         int rc;
2052
2053         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2054         if (rc)
2055                 return rc;
2056
2057         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2058 }
2059
2060 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2061                                 struct inode *new_inode, struct dentry *new_dentry)
2062 {
2063         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2064 }
2065
2066 static int selinux_inode_readlink(struct dentry *dentry)
2067 {
2068         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2069 }
2070
2071 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2072 {
2073         int rc;
2074
2075         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2076         if (rc)
2077                 return rc;
2078         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2079 }
2080
2081 static int selinux_inode_permission(struct inode *inode, int mask,
2082                                     struct nameidata *nd)
2083 {
2084         int rc;
2085
2086         rc = secondary_ops->inode_permission(inode, mask, nd);
2087         if (rc)
2088                 return rc;
2089
2090         if (!mask) {
2091                 /* No permission to check.  Existence test. */
2092                 return 0;
2093         }
2094
2095         return inode_has_perm(current, inode,
2096                                file_mask_to_av(inode->i_mode, mask), NULL);
2097 }
2098
2099 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2100 {
2101         int rc;
2102
2103         rc = secondary_ops->inode_setattr(dentry, iattr);
2104         if (rc)
2105                 return rc;
2106
2107         if (iattr->ia_valid & ATTR_FORCE)
2108                 return 0;
2109
2110         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2111                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2112                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2113
2114         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2115 }
2116
2117 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2118 {
2119         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2120 }
2121
2122 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2123 {
2124         struct task_security_struct *tsec = current->security;
2125         struct inode *inode = dentry->d_inode;
2126         struct inode_security_struct *isec = inode->i_security;
2127         struct superblock_security_struct *sbsec;
2128         struct avc_audit_data ad;
2129         u32 newsid;
2130         int rc = 0;
2131
2132         if (strcmp(name, XATTR_NAME_SELINUX)) {
2133                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2134                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2135                     !capable(CAP_SYS_ADMIN)) {
2136                         /* A different attribute in the security namespace.
2137                            Restrict to administrator. */
2138                         return -EPERM;
2139                 }
2140
2141                 /* Not an attribute we recognize, so just check the
2142                    ordinary setattr permission. */
2143                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2144         }
2145
2146         sbsec = inode->i_sb->s_security;
2147         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2148                 return -EOPNOTSUPP;
2149
2150         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2151                 return -EPERM;
2152
2153         AVC_AUDIT_DATA_INIT(&ad,FS);
2154         ad.u.fs.dentry = dentry;
2155
2156         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2157                           FILE__RELABELFROM, &ad);
2158         if (rc)
2159                 return rc;
2160
2161         rc = security_context_to_sid(value, size, &newsid);
2162         if (rc)
2163                 return rc;
2164
2165         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2166                           FILE__RELABELTO, &ad);
2167         if (rc)
2168                 return rc;
2169
2170         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2171                                           isec->sclass);
2172         if (rc)
2173                 return rc;
2174
2175         return avc_has_perm(newsid,
2176                             sbsec->sid,
2177                             SECCLASS_FILESYSTEM,
2178                             FILESYSTEM__ASSOCIATE,
2179                             &ad);
2180 }
2181
2182 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2183                                         void *value, size_t size, int flags)
2184 {
2185         struct inode *inode = dentry->d_inode;
2186         struct inode_security_struct *isec = inode->i_security;
2187         u32 newsid;
2188         int rc;
2189
2190         if (strcmp(name, XATTR_NAME_SELINUX)) {
2191                 /* Not an attribute we recognize, so nothing to do. */
2192                 return;
2193         }
2194
2195         rc = security_context_to_sid(value, size, &newsid);
2196         if (rc) {
2197                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2198                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2199                 return;
2200         }
2201
2202         isec->sid = newsid;
2203         return;
2204 }
2205
2206 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2207 {
2208         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2209 }
2210
2211 static int selinux_inode_listxattr (struct dentry *dentry)
2212 {
2213         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2214 }
2215
2216 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2217 {
2218         if (strcmp(name, XATTR_NAME_SELINUX)) {
2219                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2220                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2221                     !capable(CAP_SYS_ADMIN)) {
2222                         /* A different attribute in the security namespace.
2223                            Restrict to administrator. */
2224                         return -EPERM;
2225                 }
2226
2227                 /* Not an attribute we recognize, so just check the
2228                    ordinary setattr permission. Might want a separate
2229                    permission for removexattr. */
2230                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2231         }
2232
2233         /* No one is allowed to remove a SELinux security label.
2234            You can change the label, but all data must be labeled. */
2235         return -EACCES;
2236 }
2237
2238 /*
2239  * Copy the in-core inode security context value to the user.  If the
2240  * getxattr() prior to this succeeded, check to see if we need to
2241  * canonicalize the value to be finally returned to the user.
2242  *
2243  * Permission check is handled by selinux_inode_getxattr hook.
2244  */
2245 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2246 {
2247         struct inode_security_struct *isec = inode->i_security;
2248         char *context;
2249         unsigned len;
2250         int rc;
2251
2252         if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2253                 rc = -EOPNOTSUPP;
2254                 goto out;
2255         }
2256
2257         rc = security_sid_to_context(isec->sid, &context, &len);
2258         if (rc)
2259                 goto out;
2260
2261         /* Probe for required buffer size */
2262         if (!buffer || !size) {
2263                 rc = len;
2264                 goto out_free;
2265         }
2266
2267         if (size < len) {
2268                 rc = -ERANGE;
2269                 goto out_free;
2270         }
2271
2272         if (err > 0) {
2273                 if ((len == err) && !(memcmp(context, buffer, len))) {
2274                         /* Don't need to canonicalize value */
2275                         rc = err;
2276                         goto out_free;
2277                 }
2278                 memset(buffer, 0, size);
2279         }
2280         memcpy(buffer, context, len);
2281         rc = len;
2282 out_free:
2283         kfree(context);
2284 out:
2285         return rc;
2286 }
2287
2288 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2289                                      const void *value, size_t size, int flags)
2290 {
2291         struct inode_security_struct *isec = inode->i_security;
2292         u32 newsid;
2293         int rc;
2294
2295         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2296                 return -EOPNOTSUPP;
2297
2298         if (!value || !size)
2299                 return -EACCES;
2300
2301         rc = security_context_to_sid((void*)value, size, &newsid);
2302         if (rc)
2303                 return rc;
2304
2305         isec->sid = newsid;
2306         return 0;
2307 }
2308
2309 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2310 {
2311         const int len = sizeof(XATTR_NAME_SELINUX);
2312         if (buffer && len <= buffer_size)
2313                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2314         return len;
2315 }
2316
2317 /* file security operations */
2318
2319 static int selinux_file_permission(struct file *file, int mask)
2320 {
2321         struct inode *inode = file->f_dentry->d_inode;
2322
2323         if (!mask) {
2324                 /* No permission to check.  Existence test. */
2325                 return 0;
2326         }
2327
2328         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2329         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2330                 mask |= MAY_APPEND;
2331
2332         return file_has_perm(current, file,
2333                              file_mask_to_av(inode->i_mode, mask));
2334 }
2335
2336 static int selinux_file_alloc_security(struct file *file)
2337 {
2338         return file_alloc_security(file);
2339 }
2340
2341 static void selinux_file_free_security(struct file *file)
2342 {
2343         file_free_security(file);
2344 }
2345
2346 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2347                               unsigned long arg)
2348 {
2349         int error = 0;
2350
2351         switch (cmd) {
2352                 case FIONREAD:
2353                 /* fall through */
2354                 case FIBMAP:
2355                 /* fall through */
2356                 case FIGETBSZ:
2357                 /* fall through */
2358                 case EXT2_IOC_GETFLAGS:
2359                 /* fall through */
2360                 case EXT2_IOC_GETVERSION:
2361                         error = file_has_perm(current, file, FILE__GETATTR);
2362                         break;
2363
2364                 case EXT2_IOC_SETFLAGS:
2365                 /* fall through */
2366                 case EXT2_IOC_SETVERSION:
2367                         error = file_has_perm(current, file, FILE__SETATTR);
2368                         break;
2369
2370                 /* sys_ioctl() checks */
2371                 case FIONBIO:
2372                 /* fall through */
2373                 case FIOASYNC:
2374                         error = file_has_perm(current, file, 0);
2375                         break;
2376
2377                 case KDSKBENT:
2378                 case KDSKBSENT:
2379                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2380                         break;
2381
2382                 /* default case assumes that the command will go
2383                  * to the file's ioctl() function.
2384                  */
2385                 default:
2386                         error = file_has_perm(current, file, FILE__IOCTL);
2387
2388         }
2389         return error;
2390 }
2391
2392 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2393 {
2394 #ifndef CONFIG_PPC32
2395         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2396                 /*
2397                  * We are making executable an anonymous mapping or a
2398                  * private file mapping that will also be writable.
2399                  * This has an additional check.
2400                  */
2401                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2402                 if (rc)
2403                         return rc;
2404         }
2405 #endif
2406
2407         if (file) {
2408                 /* read access is always possible with a mapping */
2409                 u32 av = FILE__READ;
2410
2411                 /* write access only matters if the mapping is shared */
2412                 if (shared && (prot & PROT_WRITE))
2413                         av |= FILE__WRITE;
2414
2415                 if (prot & PROT_EXEC)
2416                         av |= FILE__EXECUTE;
2417
2418                 return file_has_perm(current, file, av);
2419         }
2420         return 0;
2421 }
2422
2423 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2424                              unsigned long prot, unsigned long flags)
2425 {
2426         int rc;
2427
2428         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2429         if (rc)
2430                 return rc;
2431
2432         if (selinux_checkreqprot)
2433                 prot = reqprot;
2434
2435         return file_map_prot_check(file, prot,
2436                                    (flags & MAP_TYPE) == MAP_SHARED);
2437 }
2438
2439 static int selinux_file_mprotect(struct vm_area_struct *vma,
2440                                  unsigned long reqprot,
2441                                  unsigned long prot)
2442 {
2443         int rc;
2444
2445         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2446         if (rc)
2447                 return rc;
2448
2449         if (selinux_checkreqprot)
2450                 prot = reqprot;
2451
2452 #ifndef CONFIG_PPC32
2453         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2454            (vma->vm_start >= vma->vm_mm->start_brk &&
2455             vma->vm_end <= vma->vm_mm->brk)) {
2456                 /*
2457                  * We are making an executable mapping in the brk region.
2458                  * This has an additional execheap check.
2459                  */
2460                 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2461                 if (rc)
2462                         return rc;
2463         }
2464         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2465                 /*
2466                  * We are making executable a file mapping that has
2467                  * had some COW done. Since pages might have been written,
2468                  * check ability to execute the possibly modified content.
2469                  * This typically should only occur for text relocations.
2470                  */
2471                 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2472                 if (rc)
2473                         return rc;
2474         }
2475         if (!vma->vm_file && (prot & PROT_EXEC) &&
2476                 vma->vm_start <= vma->vm_mm->start_stack &&
2477                 vma->vm_end >= vma->vm_mm->start_stack) {
2478                 /* Attempt to make the process stack executable.
2479                  * This has an additional execstack check.
2480                  */
2481                 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2482                 if (rc)
2483                         return rc;
2484         }
2485 #endif
2486
2487         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2488 }
2489
2490 static int selinux_file_lock(struct file *file, unsigned int cmd)
2491 {
2492         return file_has_perm(current, file, FILE__LOCK);
2493 }
2494
2495 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2496                               unsigned long arg)
2497 {
2498         int err = 0;
2499
2500         switch (cmd) {
2501                 case F_SETFL:
2502                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2503                                 err = -EINVAL;
2504                                 break;
2505                         }
2506
2507                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2508                                 err = file_has_perm(current, file,FILE__WRITE);
2509                                 break;
2510                         }
2511                         /* fall through */
2512                 case F_SETOWN:
2513                 case F_SETSIG:
2514                 case F_GETFL:
2515                 case F_GETOWN:
2516                 case F_GETSIG:
2517                         /* Just check FD__USE permission */
2518                         err = file_has_perm(current, file, 0);
2519                         break;
2520                 case F_GETLK:
2521                 case F_SETLK:
2522                 case F_SETLKW:
2523 #if BITS_PER_LONG == 32
2524                 case F_GETLK64:
2525                 case F_SETLK64:
2526                 case F_SETLKW64:
2527 #endif
2528                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2529                                 err = -EINVAL;
2530                                 break;
2531                         }
2532                         err = file_has_perm(current, file, FILE__LOCK);
2533                         break;
2534         }
2535
2536         return err;
2537 }
2538
2539 static int selinux_file_set_fowner(struct file *file)
2540 {
2541         struct task_security_struct *tsec;
2542         struct file_security_struct *fsec;
2543
2544         tsec = current->security;
2545         fsec = file->f_security;
2546         fsec->fown_sid = tsec->sid;
2547
2548         return 0;
2549 }
2550
2551 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2552                                        struct fown_struct *fown, int signum)
2553 {
2554         struct file *file;
2555         u32 perm;
2556         struct task_security_struct *tsec;
2557         struct file_security_struct *fsec;
2558
2559         /* struct fown_struct is never outside the context of a struct file */
2560         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2561
2562         tsec = tsk->security;
2563         fsec = file->f_security;
2564
2565         if (!signum)
2566                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2567         else
2568                 perm = signal_to_av(signum);
2569
2570         return avc_has_perm(fsec->fown_sid, tsec->sid,
2571                             SECCLASS_PROCESS, perm, NULL);
2572 }
2573
2574 static int selinux_file_receive(struct file *file)
2575 {
2576         return file_has_perm(current, file, file_to_av(file));
2577 }
2578
2579 /* task security operations */
2580
2581 static int selinux_task_create(unsigned long clone_flags)
2582 {
2583         int rc;
2584
2585         rc = secondary_ops->task_create(clone_flags);
2586         if (rc)
2587                 return rc;
2588
2589         return task_has_perm(current, current, PROCESS__FORK);
2590 }
2591
2592 static int selinux_task_alloc_security(struct task_struct *tsk)
2593 {
2594         struct task_security_struct *tsec1, *tsec2;
2595         int rc;
2596
2597         tsec1 = current->security;
2598
2599         rc = task_alloc_security(tsk);
2600         if (rc)
2601                 return rc;
2602         tsec2 = tsk->security;
2603
2604         tsec2->osid = tsec1->osid;
2605         tsec2->sid = tsec1->sid;
2606
2607         /* Retain the exec and create SIDs across fork */
2608         tsec2->exec_sid = tsec1->exec_sid;
2609         tsec2->create_sid = tsec1->create_sid;
2610
2611         /* Retain ptracer SID across fork, if any.
2612            This will be reset by the ptrace hook upon any
2613            subsequent ptrace_attach operations. */
2614         tsec2->ptrace_sid = tsec1->ptrace_sid;
2615
2616         return 0;
2617 }
2618
2619 static void selinux_task_free_security(struct task_struct *tsk)
2620 {
2621         task_free_security(tsk);
2622 }
2623
2624 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2625 {
2626         /* Since setuid only affects the current process, and
2627            since the SELinux controls are not based on the Linux
2628            identity attributes, SELinux does not need to control
2629            this operation.  However, SELinux does control the use
2630            of the CAP_SETUID and CAP_SETGID capabilities using the
2631            capable hook. */
2632         return 0;
2633 }
2634
2635 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2636 {
2637         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2638 }
2639
2640 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2641 {
2642         /* See the comment for setuid above. */
2643         return 0;
2644 }
2645
2646 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2647 {
2648         return task_has_perm(current, p, PROCESS__SETPGID);
2649 }
2650
2651 static int selinux_task_getpgid(struct task_struct *p)
2652 {
2653         return task_has_perm(current, p, PROCESS__GETPGID);
2654 }
2655
2656 static int selinux_task_getsid(struct task_struct *p)
2657 {
2658         return task_has_perm(current, p, PROCESS__GETSESSION);
2659 }
2660
2661 static int selinux_task_setgroups(struct group_info *group_info)
2662 {
2663         /* See the comment for setuid above. */
2664         return 0;
2665 }
2666
2667 static int selinux_task_setnice(struct task_struct *p, int nice)
2668 {
2669         int rc;
2670
2671         rc = secondary_ops->task_setnice(p, nice);
2672         if (rc)
2673                 return rc;
2674
2675         return task_has_perm(current,p, PROCESS__SETSCHED);
2676 }
2677
2678 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2679 {
2680         struct rlimit *old_rlim = current->signal->rlim + resource;
2681         int rc;
2682
2683         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2684         if (rc)
2685                 return rc;
2686
2687         /* Control the ability to change the hard limit (whether
2688            lowering or raising it), so that the hard limit can
2689            later be used as a safe reset point for the soft limit
2690            upon context transitions. See selinux_bprm_apply_creds. */
2691         if (old_rlim->rlim_max != new_rlim->rlim_max)
2692                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2693
2694         return 0;
2695 }
2696
2697 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2698 {
2699         return task_has_perm(current, p, PROCESS__SETSCHED);
2700 }
2701
2702 static int selinux_task_getscheduler(struct task_struct *p)
2703 {
2704         return task_has_perm(current, p, PROCESS__GETSCHED);
2705 }
2706
2707 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2708 {
2709         u32 perm;
2710         int rc;
2711
2712         rc = secondary_ops->task_kill(p, info, sig);
2713         if (rc)
2714                 return rc;
2715
2716         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2717                 return 0;
2718
2719         if (!sig)
2720                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2721         else
2722                 perm = signal_to_av(sig);
2723
2724         return task_has_perm(current, p, perm);
2725 }
2726
2727 static int selinux_task_prctl(int option,
2728                               unsigned long arg2,
2729                               unsigned long arg3,
2730                               unsigned long arg4,
2731                               unsigned long arg5)
2732 {
2733         /* The current prctl operations do not appear to require
2734            any SELinux controls since they merely observe or modify
2735            the state of the current process. */
2736         return 0;
2737 }
2738
2739 static int selinux_task_wait(struct task_struct *p)
2740 {
2741         u32 perm;
2742
2743         perm = signal_to_av(p->exit_signal);
2744
2745         return task_has_perm(p, current, perm);
2746 }
2747
2748 static void selinux_task_reparent_to_init(struct task_struct *p)
2749 {
2750         struct task_security_struct *tsec;
2751
2752         secondary_ops->task_reparent_to_init(p);
2753
2754         tsec = p->security;
2755         tsec->osid = tsec->sid;
2756         tsec->sid = SECINITSID_KERNEL;
2757         return;
2758 }
2759
2760 static void selinux_task_to_inode(struct task_struct *p,
2761                                   struct inode *inode)
2762 {
2763         struct task_security_struct *tsec = p->security;
2764         struct inode_security_struct *isec = inode->i_security;
2765
2766         isec->sid = tsec->sid;
2767         isec->initialized = 1;
2768         return;
2769 }
2770
2771 #ifdef CONFIG_SECURITY_NETWORK
2772
2773 /* Returns error only if unable to parse addresses */
2774 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2775 {
2776         int offset, ihlen, ret = -EINVAL;
2777         struct iphdr _iph, *ih;
2778
2779         offset = skb->nh.raw - skb->data;
2780         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2781         if (ih == NULL)
2782                 goto out;
2783
2784         ihlen = ih->ihl * 4;
2785         if (ihlen < sizeof(_iph))
2786                 goto out;
2787
2788         ad->u.net.v4info.saddr = ih->saddr;
2789         ad->u.net.v4info.daddr = ih->daddr;
2790         ret = 0;
2791
2792         switch (ih->protocol) {
2793         case IPPROTO_TCP: {
2794                 struct tcphdr _tcph, *th;
2795
2796                 if (ntohs(ih->frag_off) & IP_OFFSET)
2797                         break;
2798
2799                 offset += ihlen;
2800                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2801                 if (th == NULL)
2802                         break;
2803
2804                 ad->u.net.sport = th->source;
2805                 ad->u.net.dport = th->dest;
2806                 break;
2807         }
2808         
2809         case IPPROTO_UDP: {
2810                 struct udphdr _udph, *uh;
2811                 
2812                 if (ntohs(ih->frag_off) & IP_OFFSET)
2813                         break;
2814                         
2815                 offset += ihlen;
2816                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2817                 if (uh == NULL)
2818                         break;  
2819
2820                 ad->u.net.sport = uh->source;
2821                 ad->u.net.dport = uh->dest;
2822                 break;
2823         }
2824
2825         default:
2826                 break;
2827         }
2828 out:
2829         return ret;
2830 }
2831
2832 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2833
2834 /* Returns error only if unable to parse addresses */
2835 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2836 {
2837         u8 nexthdr;
2838         int ret = -EINVAL, offset;
2839         struct ipv6hdr _ipv6h, *ip6;
2840
2841         offset = skb->nh.raw - skb->data;
2842         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2843         if (ip6 == NULL)
2844                 goto out;
2845
2846         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2847         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2848         ret = 0;
2849
2850         nexthdr = ip6->nexthdr;
2851         offset += sizeof(_ipv6h);
2852         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2853         if (offset < 0)
2854                 goto out;
2855
2856         switch (nexthdr) {
2857         case IPPROTO_TCP: {
2858                 struct tcphdr _tcph, *th;
2859
2860                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2861                 if (th == NULL)
2862                         break;
2863
2864                 ad->u.net.sport = th->source;
2865                 ad->u.net.dport = th->dest;
2866                 break;
2867         }
2868
2869         case IPPROTO_UDP: {
2870                 struct udphdr _udph, *uh;
2871
2872                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2873                 if (uh == NULL)
2874                         break;
2875
2876                 ad->u.net.sport = uh->source;
2877                 ad->u.net.dport = uh->dest;
2878                 break;
2879         }
2880
2881         /* includes fragments */
2882         default:
2883                 break;
2884         }
2885 out:
2886         return ret;
2887 }
2888
2889 #endif /* IPV6 */
2890
2891 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2892                              char **addrp, int *len, int src)
2893 {
2894         int ret = 0;
2895
2896         switch (ad->u.net.family) {
2897         case PF_INET:
2898                 ret = selinux_parse_skb_ipv4(skb, ad);
2899                 if (ret || !addrp)
2900                         break;
2901                 *len = 4;
2902                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2903                                         &ad->u.net.v4info.daddr);
2904                 break;
2905
2906 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2907         case PF_INET6:
2908                 ret = selinux_parse_skb_ipv6(skb, ad);
2909                 if (ret || !addrp)
2910                         break;
2911                 *len = 16;
2912                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2913                                         &ad->u.net.v6info.daddr);
2914                 break;
2915 #endif  /* IPV6 */
2916         default:
2917                 break;
2918         }
2919
2920         return ret;
2921 }
2922
2923 /* socket security operations */
2924 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2925                            u32 perms)
2926 {
2927         struct inode_security_struct *isec;
2928         struct task_security_struct *tsec;
2929         struct avc_audit_data ad;
2930         int err = 0;
2931
2932         tsec = task->security;
2933         isec = SOCK_INODE(sock)->i_security;
2934
2935         if (isec->sid == SECINITSID_KERNEL)
2936                 goto out;
2937
2938         AVC_AUDIT_DATA_INIT(&ad,NET);
2939         ad.u.net.sk = sock->sk;
2940         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2941
2942 out:
2943         return err;
2944 }
2945
2946 static int selinux_socket_create(int family, int type,
2947                                  int protocol, int kern)
2948 {
2949         int err = 0;
2950         struct task_security_struct *tsec;
2951
2952         if (kern)
2953                 goto out;
2954
2955         tsec = current->security;
2956         err = avc_has_perm(tsec->sid, tsec->sid,
2957                            socket_type_to_security_class(family, type,
2958                            protocol), SOCKET__CREATE, NULL);
2959
2960 out:
2961         return err;
2962 }
2963
2964 static void selinux_socket_post_create(struct socket *sock, int family,
2965                                        int type, int protocol, int kern)
2966 {
2967         struct inode_security_struct *isec;
2968         struct task_security_struct *tsec;
2969
2970         isec = SOCK_INODE(sock)->i_security;
2971
2972         tsec = current->security;
2973         isec->sclass = socket_type_to_security_class(family, type, protocol);
2974         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2975         isec->initialized = 1;
2976
2977         return;
2978 }
2979
2980 /* Range of port numbers used to automatically bind.
2981    Need to determine whether we should perform a name_bind
2982    permission check between the socket and the port number. */
2983 #define ip_local_port_range_0 sysctl_local_port_range[0]
2984 #define ip_local_port_range_1 sysctl_local_port_range[1]
2985
2986 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2987 {
2988         u16 family;
2989         int err;
2990
2991         err = socket_has_perm(current, sock, SOCKET__BIND);
2992         if (err)
2993                 goto out;
2994
2995         /*
2996          * If PF_INET or PF_INET6, check name_bind permission for the port.
2997          * Multiple address binding for SCTP is not supported yet: we just
2998          * check the first address now.
2999          */
3000         family = sock->sk->sk_family;
3001         if (family == PF_INET || family == PF_INET6) {
3002                 char *addrp;
3003                 struct inode_security_struct *isec;
3004                 struct task_security_struct *tsec;
3005                 struct avc_audit_data ad;
3006                 struct sockaddr_in *addr4 = NULL;
3007                 struct sockaddr_in6 *addr6 = NULL;
3008                 unsigned short snum;
3009                 struct sock *sk = sock->sk;
3010                 u32 sid, node_perm, addrlen;
3011
3012                 tsec = current->security;
3013                 isec = SOCK_INODE(sock)->i_security;
3014
3015                 if (family == PF_INET) {
3016                         addr4 = (struct sockaddr_in *)address;
3017                         snum = ntohs(addr4->sin_port);
3018                         addrlen = sizeof(addr4->sin_addr.s_addr);
3019                         addrp = (char *)&addr4->sin_addr.s_addr;
3020                 } else {
3021                         addr6 = (struct sockaddr_in6 *)address;
3022                         snum = ntohs(addr6->sin6_port);
3023                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3024                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3025                 }
3026
3027                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3028                            snum > ip_local_port_range_1)) {
3029                         err = security_port_sid(sk->sk_family, sk->sk_type,
3030                                                 sk->sk_protocol, snum, &sid);
3031                         if (err)
3032                                 goto out;
3033                         AVC_AUDIT_DATA_INIT(&ad,NET);
3034                         ad.u.net.sport = htons(snum);
3035                         ad.u.net.family = family;
3036                         err = avc_has_perm(isec->sid, sid,
3037                                            isec->sclass,
3038                                            SOCKET__NAME_BIND, &ad);
3039                         if (err)
3040                                 goto out;
3041                 }
3042                 
3043                 switch(isec->sclass) {
3044                 case SECCLASS_TCP_SOCKET:
3045                         node_perm = TCP_SOCKET__NODE_BIND;
3046                         break;
3047                         
3048                 case SECCLASS_UDP_SOCKET:
3049                         node_perm = UDP_SOCKET__NODE_BIND;
3050                         break;
3051                         
3052                 default:
3053                         node_perm = RAWIP_SOCKET__NODE_BIND;
3054                         break;
3055                 }
3056                 
3057                 err = security_node_sid(family, addrp, addrlen, &sid);
3058                 if (err)
3059                         goto out;
3060                 
3061                 AVC_AUDIT_DATA_INIT(&ad,NET);
3062                 ad.u.net.sport = htons(snum);
3063                 ad.u.net.family = family;
3064
3065                 if (family == PF_INET)
3066                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3067                 else
3068                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3069
3070                 err = avc_has_perm(isec->sid, sid,
3071                                    isec->sclass, node_perm, &ad);
3072                 if (err)
3073                         goto out;
3074         }
3075 out:
3076         return err;
3077 }
3078
3079 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3080 {
3081         struct inode_security_struct *isec;
3082         int err;
3083
3084         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3085         if (err)
3086                 return err;
3087
3088         /*
3089          * If a TCP socket, check name_connect permission for the port.
3090          */
3091         isec = SOCK_INODE(sock)->i_security;
3092         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3093                 struct sock *sk = sock->sk;
3094                 struct avc_audit_data ad;
3095                 struct sockaddr_in *addr4 = NULL;
3096                 struct sockaddr_in6 *addr6 = NULL;
3097                 unsigned short snum;
3098                 u32 sid;
3099
3100                 if (sk->sk_family == PF_INET) {
3101                         addr4 = (struct sockaddr_in *)address;
3102                         if (addrlen < sizeof(struct sockaddr_in))
3103                                 return -EINVAL;
3104                         snum = ntohs(addr4->sin_port);
3105                 } else {
3106                         addr6 = (struct sockaddr_in6 *)address;
3107                         if (addrlen < SIN6_LEN_RFC2133)
3108                                 return -EINVAL;
3109                         snum = ntohs(addr6->sin6_port);
3110                 }
3111
3112                 err = security_port_sid(sk->sk_family, sk->sk_type,
3113                                         sk->sk_protocol, snum, &sid);
3114                 if (err)
3115                         goto out;
3116
3117                 AVC_AUDIT_DATA_INIT(&ad,NET);
3118                 ad.u.net.dport = htons(snum);
3119                 ad.u.net.family = sk->sk_family;
3120                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3121                                    TCP_SOCKET__NAME_CONNECT, &ad);
3122                 if (err)
3123                         goto out;
3124         }
3125
3126 out:
3127         return err;
3128 }
3129
3130 static int selinux_socket_listen(struct socket *sock, int backlog)
3131 {
3132         return socket_has_perm(current, sock, SOCKET__LISTEN);
3133 }
3134
3135 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3136 {
3137         int err;
3138         struct inode_security_struct *isec;
3139         struct inode_security_struct *newisec;
3140
3141         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3142         if (err)
3143                 return err;
3144
3145         newisec = SOCK_INODE(newsock)->i_security;
3146
3147         isec = SOCK_INODE(sock)->i_security;
3148         newisec->sclass = isec->sclass;
3149         newisec->sid = isec->sid;
3150         newisec->initialized = 1;
3151
3152         return 0;
3153 }
3154
3155 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3156                                   int size)
3157 {
3158         return socket_has_perm(current, sock, SOCKET__WRITE);
3159 }
3160
3161 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3162                                   int size, int flags)
3163 {
3164         return socket_has_perm(current, sock, SOCKET__READ);
3165 }
3166
3167 static int selinux_socket_getsockname(struct socket *sock)
3168 {
3169         return socket_has_perm(current, sock, SOCKET__GETATTR);
3170 }
3171
3172 static int selinux_socket_getpeername(struct socket *sock)
3173 {
3174         return socket_has_perm(current, sock, SOCKET__GETATTR);
3175 }
3176
3177 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3178 {
3179         return socket_has_perm(current, sock, SOCKET__SETOPT);
3180 }
3181
3182 static int selinux_socket_getsockopt(struct socket *sock, int level,
3183                                      int optname)
3184 {
3185         return socket_has_perm(current, sock, SOCKET__GETOPT);
3186 }
3187
3188 static int selinux_socket_shutdown(struct socket *sock, int how)
3189 {
3190         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3191 }
3192
3193 static int selinux_socket_unix_stream_connect(struct socket *sock,
3194                                               struct socket *other,
3195                                               struct sock *newsk)
3196 {
3197         struct sk_security_struct *ssec;
3198         struct inode_security_struct *isec;
3199         struct inode_security_struct *other_isec;
3200         struct avc_audit_data ad;
3201         int err;
3202
3203         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3204         if (err)
3205                 return err;
3206
3207         isec = SOCK_INODE(sock)->i_security;
3208         other_isec = SOCK_INODE(other)->i_security;
3209
3210         AVC_AUDIT_DATA_INIT(&ad,NET);
3211         ad.u.net.sk = other->sk;
3212
3213         err = avc_has_perm(isec->sid, other_isec->sid,
3214                            isec->sclass,
3215                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3216         if (err)
3217                 return err;
3218
3219         /* connecting socket */
3220         ssec = sock->sk->sk_security;
3221         ssec->peer_sid = other_isec->sid;
3222         
3223         /* server child socket */
3224         ssec = newsk->sk_security;
3225         ssec->peer_sid = isec->sid;
3226         
3227         return 0;
3228 }
3229
3230 static int selinux_socket_unix_may_send(struct socket *sock,
3231                                         struct socket *other)
3232 {
3233         struct inode_security_struct *isec;
3234         struct inode_security_struct *other_isec;
3235         struct avc_audit_data ad;
3236         int err;
3237
3238         isec = SOCK_INODE(sock)->i_security;
3239         other_isec = SOCK_INODE(other)->i_security;
3240
3241         AVC_AUDIT_DATA_INIT(&ad,NET);
3242         ad.u.net.sk = other->sk;
3243
3244         err = avc_has_perm(isec->sid, other_isec->sid,
3245                            isec->sclass, SOCKET__SENDTO, &ad);
3246         if (err)
3247                 return err;
3248
3249         return 0;
3250 }
3251
3252 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3253 {
3254         u16 family;
3255         char *addrp;
3256         int len, err = 0;
3257         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3258         u32 sock_sid = 0;
3259         u16 sock_class = 0;
3260         struct socket *sock;
3261         struct net_device *dev;
3262         struct avc_audit_data ad;
3263
3264         family = sk->sk_family;
3265         if (family != PF_INET && family != PF_INET6)
3266                 goto out;
3267
3268         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3269         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3270                 family = PF_INET;
3271
3272         read_lock_bh(&sk->sk_callback_lock);
3273         sock = sk->sk_socket;
3274         if (sock) {
3275                 struct inode *inode;
3276                 inode = SOCK_INODE(sock);
3277                 if (inode) {
3278                         struct inode_security_struct *isec;
3279                         isec = inode->i_security;
3280                         sock_sid = isec->sid;
3281                         sock_class = isec->sclass;
3282                 }
3283         }
3284         read_unlock_bh(&sk->sk_callback_lock);
3285         if (!sock_sid)
3286                 goto out;
3287
3288         dev = skb->dev;
3289         if (!dev)
3290                 goto out;
3291
3292         err = sel_netif_sids(dev, &if_sid, NULL);
3293         if (err)
3294                 goto out;
3295
3296         switch (sock_class) {
3297         case SECCLASS_UDP_SOCKET:
3298                 netif_perm = NETIF__UDP_RECV;
3299                 node_perm = NODE__UDP_RECV;
3300                 recv_perm = UDP_SOCKET__RECV_MSG;
3301                 break;
3302         
3303         case SECCLASS_TCP_SOCKET:
3304                 netif_perm = NETIF__TCP_RECV;
3305                 node_perm = NODE__TCP_RECV;
3306                 recv_perm = TCP_SOCKET__RECV_MSG;
3307                 break;
3308         
3309         default:
3310                 netif_perm = NETIF__RAWIP_RECV;
3311                 node_perm = NODE__RAWIP_RECV;
3312                 break;
3313         }
3314
3315         AVC_AUDIT_DATA_INIT(&ad, NET);
3316         ad.u.net.netif = dev->name;
3317         ad.u.net.family = family;
3318
3319         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3320         if (err)
3321                 goto out;
3322
3323         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3324         if (err)
3325                 goto out;
3326         
3327         /* Fixme: this lookup is inefficient */
3328         err = security_node_sid(family, addrp, len, &node_sid);
3329         if (err)
3330                 goto out;
3331         
3332         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3333         if (err)
3334                 goto out;
3335
3336         if (recv_perm) {
3337                 u32 port_sid;
3338
3339                 /* Fixme: make this more efficient */
3340                 err = security_port_sid(sk->sk_family, sk->sk_type,
3341                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3342                                         &port_sid);
3343                 if (err)
3344                         goto out;
3345
3346                 err = avc_has_perm(sock_sid, port_sid,
3347                                    sock_class, recv_perm, &ad);
3348         }
3349 out:    
3350         return err;
3351 }
3352
3353 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3354                                      int __user *optlen, unsigned len)
3355 {
3356         int err = 0;
3357         char *scontext;
3358         u32 scontext_len;
3359         struct sk_security_struct *ssec;
3360         struct inode_security_struct *isec;
3361
3362         isec = SOCK_INODE(sock)->i_security;
3363         if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3364                 err = -ENOPROTOOPT;
3365                 goto out;
3366         }
3367
3368         ssec = sock->sk->sk_security;
3369         
3370         err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3371         if (err)
3372                 goto out;
3373
3374         if (scontext_len > len) {
3375                 err = -ERANGE;
3376                 goto out_len;
3377         }
3378
3379         if (copy_to_user(optval, scontext, scontext_len))
3380                 err = -EFAULT;
3381
3382 out_len:
3383         if (put_user(scontext_len, optlen))
3384                 err = -EFAULT;
3385
3386         kfree(scontext);
3387 out:    
3388         return err;
3389 }
3390
3391 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3392 {
3393         return sk_alloc_security(sk, family, priority);
3394 }
3395
3396 static void selinux_sk_free_security(struct sock *sk)
3397 {
3398         sk_free_security(sk);
3399 }
3400
3401 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3402 {
3403         int err = 0;
3404         u32 perm;
3405         struct nlmsghdr *nlh;
3406         struct socket *sock = sk->sk_socket;
3407         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3408         
3409         if (skb->len < NLMSG_SPACE(0)) {
3410                 err = -EINVAL;
3411                 goto out;
3412         }
3413         nlh = (struct nlmsghdr *)skb->data;
3414         
3415         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3416         if (err) {
3417                 if (err == -EINVAL) {
3418                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3419                                   "SELinux:  unrecognized netlink message"
3420                                   " type=%hu for sclass=%hu\n",
3421                                   nlh->nlmsg_type, isec->sclass);
3422                         if (!selinux_enforcing)
3423                                 err = 0;
3424                 }
3425
3426                 /* Ignore */
3427                 if (err == -ENOENT)
3428                         err = 0;
3429                 goto out;
3430         }
3431
3432         err = socket_has_perm(current, sock, perm);
3433 out:
3434         return err;
3435 }
3436
3437 #ifdef CONFIG_NETFILTER
3438
3439 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3440                                               struct sk_buff **pskb,
3441                                               const struct net_device *in,
3442                                               const struct net_device *out,
3443                                               int (*okfn)(struct sk_buff *),
3444                                               u16 family)
3445 {
3446         char *addrp;
3447         int len, err = NF_ACCEPT;
3448         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3449         struct sock *sk;
3450         struct socket *sock;
3451         struct inode *inode;
3452         struct sk_buff *skb = *pskb;
3453         struct inode_security_struct *isec;
3454         struct avc_audit_data ad;
3455         struct net_device *dev = (struct net_device *)out;
3456         
3457         sk = skb->sk;
3458         if (!sk)
3459                 goto out;
3460                 
3461         sock = sk->sk_socket;
3462         if (!sock)
3463                 goto out;
3464                 
3465         inode = SOCK_INODE(sock);
3466         if (!inode)
3467                 goto out;
3468
3469         err = sel_netif_sids(dev, &if_sid, NULL);
3470         if (err)
3471                 goto out;
3472
3473         isec = inode->i_security;
3474         
3475         switch (isec->sclass) {
3476         case SECCLASS_UDP_SOCKET:
3477                 netif_perm = NETIF__UDP_SEND;
3478                 node_perm = NODE__UDP_SEND;
3479                 send_perm = UDP_SOCKET__SEND_MSG;
3480                 break;
3481         
3482         case SECCLASS_TCP_SOCKET:
3483                 netif_perm = NETIF__TCP_SEND;
3484                 node_perm = NODE__TCP_SEND;
3485                 send_perm = TCP_SOCKET__SEND_MSG;
3486                 break;
3487         
3488         default:
3489                 netif_perm = NETIF__RAWIP_SEND;
3490                 node_perm = NODE__RAWIP_SEND;
3491                 break;
3492         }
3493
3494
3495         AVC_AUDIT_DATA_INIT(&ad, NET);
3496         ad.u.net.netif = dev->name;
3497         ad.u.net.family = family;
3498
3499         err = selinux_parse_skb(skb, &ad, &addrp,
3500                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3501         if (err != NF_ACCEPT)
3502                 goto out;
3503
3504         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3505                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3506         if (err != NF_ACCEPT)
3507                 goto out;
3508                 
3509         /* Fixme: this lookup is inefficient */
3510         err = security_node_sid(family, addrp, len,
3511                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3512         if (err != NF_ACCEPT)
3513                 goto out;
3514         
3515         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3516                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3517         if (err != NF_ACCEPT)
3518                 goto out;
3519
3520         if (send_perm) {
3521                 u32 port_sid;
3522                 
3523                 /* Fixme: make this more efficient */
3524                 err = security_port_sid(sk->sk_family,
3525                                         sk->sk_type,
3526                                         sk->sk_protocol,
3527                                         ntohs(ad.u.net.dport),
3528                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3529                 if (err != NF_ACCEPT)
3530                         goto out;
3531
3532                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3533                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3534         }
3535
3536 out:
3537         return err;
3538 }
3539
3540 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3541                                                 struct sk_buff **pskb,
3542                                                 const struct net_device *in,
3543                                                 const struct net_device *out,
3544                                                 int (*okfn)(struct sk_buff *))
3545 {
3546         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3547 }
3548
3549 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3550
3551 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3552                                                 struct sk_buff **pskb,
3553                                                 const struct net_device *in,
3554                                                 const struct net_device *out,
3555                                                 int (*okfn)(struct sk_buff *))
3556 {
3557         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3558 }
3559
3560 #endif  /* IPV6 */
3561
3562 #endif  /* CONFIG_NETFILTER */
3563
3564 #else
3565
3566 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3567 {
3568         return 0;
3569 }
3570
3571 #endif  /* CONFIG_SECURITY_NETWORK */
3572
3573 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3574 {
3575         struct task_security_struct *tsec;
3576         struct av_decision avd;
3577         int err;
3578
3579         err = secondary_ops->netlink_send(sk, skb);
3580         if (err)
3581                 return err;
3582
3583         tsec = current->security;
3584
3585         avd.allowed = 0;
3586         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3587                                 SECCLASS_CAPABILITY, ~0, &avd);
3588         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3589
3590         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3591                 err = selinux_nlmsg_perm(sk, skb);
3592
3593         return err;
3594 }
3595
3596 static int selinux_netlink_recv(struct sk_buff *skb)
3597 {
3598         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3599                 return -EPERM;
3600         return 0;
3601 }
3602
3603 static int ipc_alloc_security(struct task_struct *task,
3604                               struct kern_ipc_perm *perm,
3605                               u16 sclass)
3606 {
3607         struct task_security_struct *tsec = task->security;
3608         struct ipc_security_struct *isec;
3609
3610         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3611         if (!isec)
3612                 return -ENOMEM;
3613
3614         isec->magic = SELINUX_MAGIC;
3615         isec->sclass = sclass;
3616         isec->ipc_perm = perm;
3617         if (tsec) {
3618                 isec->sid = tsec->sid;
3619         } else {
3620                 isec->sid = SECINITSID_UNLABELED;
3621         }
3622         perm->security = isec;
3623
3624         return 0;
3625 }
3626
3627 static void ipc_free_security(struct kern_ipc_perm *perm)
3628 {
3629         struct ipc_security_struct *isec = perm->security;
3630         if (!isec || isec->magic != SELINUX_MAGIC)
3631                 return;
3632
3633         perm->security = NULL;
3634         kfree(isec);
3635 }
3636
3637 static int msg_msg_alloc_security(struct msg_msg *msg)
3638 {
3639         struct msg_security_struct *msec;
3640
3641         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3642         if (!msec)
3643                 return -ENOMEM;
3644
3645         msec->magic = SELINUX_MAGIC;
3646         msec->msg = msg;
3647         msec->sid = SECINITSID_UNLABELED;
3648         msg->security = msec;
3649
3650         return 0;
3651 }
3652
3653 static void msg_msg_free_security(struct msg_msg *msg)
3654 {
3655         struct msg_security_struct *msec = msg->security;
3656         if (!msec || msec->magic != SELINUX_MAGIC)
3657                 return;
3658
3659         msg->security = NULL;
3660         kfree(msec);
3661 }
3662
3663 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3664                         u32 perms)
3665 {
3666         struct task_security_struct *tsec;
3667         struct ipc_security_struct *isec;
3668         struct avc_audit_data ad;
3669
3670         tsec = current->security;
3671         isec = ipc_perms->security;
3672
3673         AVC_AUDIT_DATA_INIT(&ad, IPC);
3674         ad.u.ipc_id = ipc_perms->key;
3675
3676         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3677 }
3678
3679 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3680 {
3681         return msg_msg_alloc_security(msg);
3682 }
3683
3684 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3685 {
3686         msg_msg_free_security(msg);
3687 }
3688
3689 /* message queue security operations */
3690 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3691 {
3692         struct task_security_struct *tsec;
3693         struct ipc_security_struct *isec;
3694         struct avc_audit_data ad;
3695         int rc;
3696
3697         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3698         if (rc)
3699                 return rc;
3700
3701         tsec = current->security;
3702         isec = msq->q_perm.security;
3703
3704         AVC_AUDIT_DATA_INIT(&ad, IPC);
3705         ad.u.ipc_id = msq->q_perm.key;
3706
3707         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3708                           MSGQ__CREATE, &ad);
3709         if (rc) {
3710                 ipc_free_security(&msq->q_perm);
3711                 return rc;
3712         }
3713         return 0;
3714 }
3715
3716 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3717 {
3718         ipc_free_security(&msq->q_perm);
3719 }
3720
3721 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3722 {
3723         struct task_security_struct *tsec;
3724         struct ipc_security_struct *isec;
3725         struct avc_audit_data ad;
3726
3727         tsec = current->security;
3728         isec = msq->q_perm.security;
3729
3730         AVC_AUDIT_DATA_INIT(&ad, IPC);
3731         ad.u.ipc_id = msq->q_perm.key;
3732
3733         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3734                             MSGQ__ASSOCIATE, &ad);
3735 }
3736
3737 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3738 {
3739         int err;
3740         int perms;
3741
3742         switch(cmd) {
3743         case IPC_INFO:
3744         case MSG_INFO:
3745                 /* No specific object, just general system-wide information. */
3746                 return task_has_system(current, SYSTEM__IPC_INFO);
3747         case IPC_STAT:
3748         case MSG_STAT:
3749                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3750                 break;
3751         case IPC_SET:
3752                 perms = MSGQ__SETATTR;
3753                 break;
3754         case IPC_RMID:
3755                 perms = MSGQ__DESTROY;
3756                 break;
3757         default:
3758                 return 0;
3759         }
3760
3761         err = ipc_has_perm(&msq->q_perm, perms);
3762         return err;
3763 }
3764
3765 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3766 {
3767         struct task_security_struct *tsec;
3768         struct ipc_security_struct *isec;
3769         struct msg_security_struct *msec;
3770         struct avc_audit_data ad;
3771         int rc;
3772
3773         tsec = current->security;
3774         isec = msq->q_perm.security;
3775         msec = msg->security;
3776
3777         /*
3778          * First time through, need to assign label to the message
3779          */
3780         if (msec->sid == SECINITSID_UNLABELED) {
3781                 /*
3782                  * Compute new sid based on current process and
3783                  * message queue this message will be stored in
3784                  */
3785                 rc = security_transition_sid(tsec->sid,
3786                                              isec->sid,
3787                                              SECCLASS_MSG,
3788                                              &msec->sid);
3789                 if (rc)
3790                         return rc;
3791         }
3792
3793         AVC_AUDIT_DATA_INIT(&ad, IPC);
3794         ad.u.ipc_id = msq->q_perm.key;
3795
3796         /* Can this process write to the queue? */
3797         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3798                           MSGQ__WRITE, &ad);
3799         if (!rc)
3800                 /* Can this process send the message */
3801                 rc = avc_has_perm(tsec->sid, msec->sid,
3802                                   SECCLASS_MSG, MSG__SEND, &ad);
3803         if (!rc)
3804                 /* Can the message be put in the queue? */
3805                 rc = avc_has_perm(msec->sid, isec->sid,
3806                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3807
3808         return rc;
3809 }
3810
3811 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3812                                     struct task_struct *target,
3813                                     long type, int mode)
3814 {
3815         struct task_security_struct *tsec;
3816         struct ipc_security_struct *isec;
3817         struct msg_security_struct *msec;
3818         struct avc_audit_data ad;
3819         int rc;
3820
3821         tsec = target->security;
3822         isec = msq->q_perm.security;
3823         msec = msg->security;
3824
3825         AVC_AUDIT_DATA_INIT(&ad, IPC);
3826         ad.u.ipc_id = msq->q_perm.key;
3827
3828         rc = avc_has_perm(tsec->sid, isec->sid,
3829                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3830         if (!rc)
3831                 rc = avc_has_perm(tsec->sid, msec->sid,
3832                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3833         return rc;
3834 }
3835
3836 /* Shared Memory security operations */
3837 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3838 {
3839         struct task_security_struct *tsec;
3840         struct ipc_security_struct *isec;
3841         struct avc_audit_data ad;
3842         int rc;
3843
3844         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3845         if (rc)
3846                 return rc;
3847
3848         tsec = current->security;
3849         isec = shp->shm_perm.security;
3850
3851         AVC_AUDIT_DATA_INIT(&ad, IPC);
3852         ad.u.ipc_id = shp->shm_perm.key;
3853
3854         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3855                           SHM__CREATE, &ad);
3856         if (rc) {
3857                 ipc_free_security(&shp->shm_perm);
3858                 return rc;
3859         }
3860         return 0;
3861 }
3862
3863 static void selinux_shm_free_security(struct shmid_kernel *shp)
3864 {
3865         ipc_free_security(&shp->shm_perm);
3866 }
3867
3868 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3869 {
3870         struct task_security_struct *tsec;
3871         struct ipc_security_struct *isec;
3872         struct avc_audit_data ad;
3873
3874         tsec = current->security;
3875         isec = shp->shm_perm.security;
3876
3877         AVC_AUDIT_DATA_INIT(&ad, IPC);
3878         ad.u.ipc_id = shp->shm_perm.key;
3879
3880         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3881                             SHM__ASSOCIATE, &ad);
3882 }
3883
3884 /* Note, at this point, shp is locked down */
3885 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3886 {
3887         int perms;
3888         int err;
3889
3890         switch(cmd) {
3891         case IPC_INFO:
3892         case SHM_INFO:
3893                 /* No specific object, just general system-wide information. */
3894                 return task_has_system(current, SYSTEM__IPC_INFO);
3895         case IPC_STAT:
3896         case SHM_STAT:
3897                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3898                 break;
3899         case IPC_SET:
3900                 perms = SHM__SETATTR;
3901                 break;
3902         case SHM_LOCK:
3903         case SHM_UNLOCK:
3904                 perms = SHM__LOCK;
3905                 break;
3906         case IPC_RMID:
3907                 perms = SHM__DESTROY;
3908                 break;
3909         default:
3910                 return 0;
3911         }
3912
3913         err = ipc_has_perm(&shp->shm_perm, perms);
3914         return err;
3915 }
3916
3917 static int selinux_shm_shmat(struct shmid_kernel *shp,
3918                              char __user *shmaddr, int shmflg)
3919 {
3920         u32 perms;
3921         int rc;
3922
3923         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3924         if (rc)
3925                 return rc;
3926
3927         if (shmflg & SHM_RDONLY)
3928                 perms = SHM__READ;
3929         else
3930                 perms = SHM__READ | SHM__WRITE;
3931
3932         return ipc_has_perm(&shp->shm_perm, perms);
3933 }
3934
3935 /* Semaphore security operations */
3936 static int selinux_sem_alloc_security(struct sem_array *sma)
3937 {
3938         struct task_security_struct *tsec;
3939         struct ipc_security_struct *isec;
3940         struct avc_audit_data ad;
3941         int rc;
3942
3943         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3944         if (rc)
3945                 return rc;
3946
3947         tsec = current->security;
3948         isec = sma->sem_perm.security;
3949
3950         AVC_AUDIT_DATA_INIT(&ad, IPC);
3951         ad.u.ipc_id = sma->sem_perm.key;
3952
3953         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3954                           SEM__CREATE, &ad);
3955         if (rc) {
3956                 ipc_free_security(&sma->sem_perm);
3957                 return rc;
3958         }
3959         return 0;
3960 }
3961
3962 static void selinux_sem_free_security(struct sem_array *sma)
3963 {
3964         ipc_free_security(&sma->sem_perm);
3965 }
3966
3967 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3968 {
3969         struct task_security_struct *tsec;
3970         struct ipc_security_struct *isec;
3971         struct avc_audit_data ad;
3972
3973         tsec = current->security;
3974         isec = sma->sem_perm.security;
3975
3976         AVC_AUDIT_DATA_INIT(&ad, IPC);
3977         ad.u.ipc_id = sma->sem_perm.key;
3978
3979         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3980                             SEM__ASSOCIATE, &ad);
3981 }
3982
3983 /* Note, at this point, sma is locked down */
3984 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3985 {
3986         int err;
3987         u32 perms;
3988
3989         switch(cmd) {
3990         case IPC_INFO:
3991         case SEM_INFO:
3992                 /* No specific object, just general system-wide information. */
3993                 return task_has_system(current, SYSTEM__IPC_INFO);
3994         case GETPID:
3995         case GETNCNT:
3996         case GETZCNT:
3997                 perms = SEM__GETATTR;
3998                 break;
3999         case GETVAL:
4000         case GETALL:
4001                 perms = SEM__READ;
4002                 break;
4003         case SETVAL:
4004         case SETALL:
4005                 perms = SEM__WRITE;
4006                 break;
4007         case IPC_RMID:
4008                 perms = SEM__DESTROY;
4009                 break;
4010         case IPC_SET:
4011                 perms = SEM__SETATTR;
4012                 break;
4013         case IPC_STAT:
4014         case SEM_STAT:
4015                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4016                 break;
4017         default:
4018                 return 0;
4019         }
4020
4021         err = ipc_has_perm(&sma->sem_perm, perms);
4022         return err;
4023 }
4024
4025 static int selinux_sem_semop(struct sem_array *sma,
4026                              struct sembuf *sops, unsigned nsops, int alter)
4027 {
4028         u32 perms;
4029
4030         if (alter)
4031                 perms = SEM__READ | SEM__WRITE;
4032         else
4033                 perms = SEM__READ;
4034
4035         return ipc_has_perm(&sma->sem_perm, perms);
4036 }
4037
4038 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4039 {
4040         u32 av = 0;
4041
4042         av = 0;
4043         if (flag & S_IRUGO)
4044                 av |= IPC__UNIX_READ;
4045         if (flag & S_IWUGO)
4046                 av |= IPC__UNIX_WRITE;
4047
4048         if (av == 0)
4049                 return 0;
4050
4051         return ipc_has_perm(ipcp, av);
4052 }
4053
4054 /* module stacking operations */
4055 static int selinux_register_security (const char *name, struct security_operations *ops)
4056 {
4057         if (secondary_ops != original_ops) {
4058                 printk(KERN_INFO "%s:  There is already a secondary security "
4059                        "module registered.\n", __FUNCTION__);
4060                 return -EINVAL;
4061         }
4062
4063         secondary_ops = ops;
4064
4065         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4066                __FUNCTION__,
4067                name);
4068
4069         return 0;
4070 }
4071
4072 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4073 {
4074         if (ops != secondary_ops) {
4075                 printk (KERN_INFO "%s:  trying to unregister a security module "
4076                         "that is not registered.\n", __FUNCTION__);
4077                 return -EINVAL;
4078         }
4079
4080         secondary_ops = original_ops;
4081
4082         return 0;
4083 }
4084
4085 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4086 {
4087         if (inode)
4088                 inode_doinit_with_dentry(inode, dentry);
4089 }
4090
4091 static int selinux_getprocattr(struct task_struct *p,
4092                                char *name, void *value, size_t size)
4093 {
4094         struct task_security_struct *tsec;
4095         u32 sid, len;
4096         char *context;
4097         int error;
4098
4099         if (current != p) {
4100                 error = task_has_perm(current, p, PROCESS__GETATTR);
4101                 if (error)
4102                         return error;
4103         }
4104
4105         if (!size)
4106                 return -ERANGE;
4107
4108         tsec = p->security;
4109
4110         if (!strcmp(name, "current"))
4111                 sid = tsec->sid;
4112         else if (!strcmp(name, "prev"))
4113                 sid = tsec->osid;
4114         else if (!strcmp(name, "exec"))
4115                 sid = tsec->exec_sid;
4116         else if (!strcmp(name, "fscreate"))
4117                 sid = tsec->create_sid;
4118         else
4119                 return -EINVAL;
4120
4121         if (!sid)
4122                 return 0;
4123
4124         error = security_sid_to_context(sid, &context, &len);
4125         if (error)
4126                 return error;
4127         if (len > size) {
4128                 kfree(context);
4129                 return -ERANGE;
4130         }
4131         memcpy(value, context, len);
4132         kfree(context);
4133         return len;
4134 }
4135
4136 static int selinux_setprocattr(struct task_struct *p,
4137                                char *name, void *value, size_t size)
4138 {
4139         struct task_security_struct *tsec;
4140         u32 sid = 0;
4141         int error;
4142         char *str = value;
4143
4144         if (current != p) {
4145                 /* SELinux only allows a process to change its own
4146                    security attributes. */
4147                 return -EACCES;
4148         }
4149
4150         /*
4151          * Basic control over ability to set these attributes at all.
4152          * current == p, but we'll pass them separately in case the
4153          * above restriction is ever removed.
4154          */
4155         if (!strcmp(name, "exec"))
4156                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4157         else if (!strcmp(name, "fscreate"))
4158                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4159         else if (!strcmp(name, "current"))
4160                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4161         else
4162                 error = -EINVAL;
4163         if (error)
4164                 return error;
4165
4166         /* Obtain a SID for the context, if one was specified. */
4167         if (size && str[1] && str[1] != '\n') {
4168                 if (str[size-1] == '\n') {
4169                         str[size-1] = 0;
4170                         size--;
4171                 }
4172                 error = security_context_to_sid(value, size, &sid);
4173                 if (error)
4174                         return error;
4175         }
4176
4177         /* Permission checking based on the specified context is
4178            performed during the actual operation (execve,
4179            open/mkdir/...), when we know the full context of the
4180            operation.  See selinux_bprm_set_security for the execve
4181            checks and may_create for the file creation checks. The
4182            operation will then fail if the context is not permitted. */
4183         tsec = p->security;
4184         if (!strcmp(name, "exec"))
4185                 tsec->exec_sid = sid;
4186         else if (!strcmp(name, "fscreate"))
4187                 tsec->create_sid = sid;
4188         else if (!strcmp(name, "current")) {
4189                 struct av_decision avd;
4190
4191                 if (sid == 0)
4192                         return -EINVAL;
4193
4194                 /* Only allow single threaded processes to change context */
4195                 if (atomic_read(&p->mm->mm_users) != 1) {
4196                         struct task_struct *g, *t;
4197                         struct mm_struct *mm = p->mm;
4198                         read_lock(&tasklist_lock);
4199                         do_each_thread(g, t)
4200                                 if (t->mm == mm && t != p) {
4201                                         read_unlock(&tasklist_lock);
4202                                         return -EPERM;
4203                                 }
4204                         while_each_thread(g, t);
4205                         read_unlock(&tasklist_lock);
4206                 }
4207
4208                 /* Check permissions for the transition. */
4209                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4210                                      PROCESS__DYNTRANSITION, NULL);
4211                 if (error)
4212                         return error;
4213
4214                 /* Check for ptracing, and update the task SID if ok.
4215                    Otherwise, leave SID unchanged and fail. */
4216                 task_lock(p);
4217                 if (p->ptrace & PT_PTRACED) {
4218                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4219                                                      SECCLASS_PROCESS,
4220                                                      PROCESS__PTRACE, &avd);
4221                         if (!error)
4222                                 tsec->sid = sid;
4223                         task_unlock(p);
4224                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4225                                   PROCESS__PTRACE, &avd, error, NULL);
4226                         if (error)
4227                                 return error;
4228                 } else {
4229                         tsec->sid = sid;
4230                         task_unlock(p);
4231                 }
4232         }
4233         else
4234                 return -EINVAL;
4235
4236         return size;
4237 }
4238
4239 static struct security_operations selinux_ops = {
4240         .ptrace =                       selinux_ptrace,
4241         .capget =                       selinux_capget,
4242         .capset_check =                 selinux_capset_check,
4243         .capset_set =                   selinux_capset_set,
4244         .sysctl =                       selinux_sysctl,
4245         .capable =                      selinux_capable,
4246         .quotactl =                     selinux_quotactl,
4247         .quota_on =                     selinux_quota_on,
4248         .syslog =                       selinux_syslog,
4249         .vm_enough_memory =             selinux_vm_enough_memory,
4250
4251         .netlink_send =                 selinux_netlink_send,
4252         .netlink_recv =                 selinux_netlink_recv,
4253
4254         .bprm_alloc_security =          selinux_bprm_alloc_security,
4255         .bprm_free_security =           selinux_bprm_free_security,
4256         .bprm_apply_creds =             selinux_bprm_apply_creds,
4257         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4258         .bprm_set_security =            selinux_bprm_set_security,
4259         .bprm_check_security =          selinux_bprm_check_security,
4260         .bprm_secureexec =              selinux_bprm_secureexec,
4261
4262         .sb_alloc_security =            selinux_sb_alloc_security,
4263         .sb_free_security =             selinux_sb_free_security,
4264         .sb_copy_data =                 selinux_sb_copy_data,
4265         .sb_kern_mount =                selinux_sb_kern_mount,
4266         .sb_statfs =                    selinux_sb_statfs,
4267         .sb_mount =                     selinux_mount,
4268         .sb_umount =                    selinux_umount,
4269
4270         .inode_alloc_security =         selinux_inode_alloc_security,
4271         .inode_free_security =          selinux_inode_free_security,
4272         .inode_init_security =          selinux_inode_init_security,
4273         .inode_create =                 selinux_inode_create,
4274         .inode_link =                   selinux_inode_link,
4275         .inode_unlink =                 selinux_inode_unlink,
4276         .inode_symlink =                selinux_inode_symlink,
4277         .inode_mkdir =                  selinux_inode_mkdir,
4278         .inode_rmdir =                  selinux_inode_rmdir,
4279         .inode_mknod =                  selinux_inode_mknod,
4280         .inode_rename =                 selinux_inode_rename,
4281         .inode_readlink =               selinux_inode_readlink,
4282         .inode_follow_link =            selinux_inode_follow_link,
4283         .inode_permission =             selinux_inode_permission,
4284         .inode_setattr =                selinux_inode_setattr,
4285         .inode_getattr =                selinux_inode_getattr,
4286         .inode_setxattr =               selinux_inode_setxattr,
4287         .inode_post_setxattr =          selinux_inode_post_setxattr,
4288         .inode_getxattr =               selinux_inode_getxattr,
4289         .inode_listxattr =              selinux_inode_listxattr,
4290         .inode_removexattr =            selinux_inode_removexattr,
4291         .inode_getsecurity =            selinux_inode_getsecurity,
4292         .inode_setsecurity =            selinux_inode_setsecurity,
4293         .inode_listsecurity =           selinux_inode_listsecurity,
4294
4295         .file_permission =              selinux_file_permission,
4296         .file_alloc_security =          selinux_file_alloc_security,
4297         .file_free_security =           selinux_file_free_security,
4298         .file_ioctl =                   selinux_file_ioctl,
4299         .file_mmap =                    selinux_file_mmap,
4300         .file_mprotect =                selinux_file_mprotect,
4301         .file_lock =                    selinux_file_lock,
4302         .file_fcntl =                   selinux_file_fcntl,
4303         .file_set_fowner =              selinux_file_set_fowner,
4304         .file_send_sigiotask =          selinux_file_send_sigiotask,
4305         .file_receive =                 selinux_file_receive,
4306
4307         .task_create =                  selinux_task_create,
4308         .task_alloc_security =          selinux_task_alloc_security,
4309         .task_free_security =           selinux_task_free_security,
4310         .task_setuid =                  selinux_task_setuid,
4311         .task_post_setuid =             selinux_task_post_setuid,
4312         .task_setgid =                  selinux_task_setgid,
4313         .task_setpgid =                 selinux_task_setpgid,
4314         .task_getpgid =                 selinux_task_getpgid,
4315         .task_getsid =                  selinux_task_getsid,
4316         .task_setgroups =               selinux_task_setgroups,
4317         .task_setnice =                 selinux_task_setnice,
4318         .task_setrlimit =               selinux_task_setrlimit,
4319         .task_setscheduler =            selinux_task_setscheduler,
4320         .task_getscheduler =            selinux_task_getscheduler,
4321         .task_kill =                    selinux_task_kill,
4322         .task_wait =                    selinux_task_wait,
4323         .task_prctl =                   selinux_task_prctl,
4324         .task_reparent_to_init =        selinux_task_reparent_to_init,
4325         .task_to_inode =                selinux_task_to_inode,
4326
4327         .ipc_permission =               selinux_ipc_permission,
4328
4329         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4330         .msg_msg_free_security =        selinux_msg_msg_free_security,
4331
4332         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4333         .msg_queue_free_security =      selinux_msg_queue_free_security,
4334         .msg_queue_associate =          selinux_msg_queue_associate,
4335         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4336         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4337         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4338
4339         .shm_alloc_security =           selinux_shm_alloc_security,
4340         .shm_free_security =            selinux_shm_free_security,
4341         .shm_associate =                selinux_shm_associate,
4342         .shm_shmctl =                   selinux_shm_shmctl,
4343         .shm_shmat =                    selinux_shm_shmat,
4344
4345         .sem_alloc_security =           selinux_sem_alloc_security,
4346         .sem_free_security =            selinux_sem_free_security,
4347         .sem_associate =                selinux_sem_associate,
4348         .sem_semctl =                   selinux_sem_semctl,
4349         .sem_semop =                    selinux_sem_semop,
4350
4351         .register_security =            selinux_register_security,
4352         .unregister_security =          selinux_unregister_security,
4353
4354         .d_instantiate =                selinux_d_instantiate,
4355
4356         .getprocattr =                  selinux_getprocattr,
4357         .setprocattr =                  selinux_setprocattr,
4358
4359 #ifdef CONFIG_SECURITY_NETWORK
4360         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4361         .unix_may_send =                selinux_socket_unix_may_send,
4362
4363         .socket_create =                selinux_socket_create,
4364         .socket_post_create =           selinux_socket_post_create,
4365         .socket_bind =                  selinux_socket_bind,
4366         .socket_connect =               selinux_socket_connect,
4367         .socket_listen =                selinux_socket_listen,
4368         .socket_accept =                selinux_socket_accept,
4369         .socket_sendmsg =               selinux_socket_sendmsg,
4370         .socket_recvmsg =               selinux_socket_recvmsg,
4371         .socket_getsockname =           selinux_socket_getsockname,
4372         .socket_getpeername =           selinux_socket_getpeername,
4373         .socket_getsockopt =            selinux_socket_getsockopt,
4374         .socket_setsockopt =            selinux_socket_setsockopt,
4375         .socket_shutdown =              selinux_socket_shutdown,
4376         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4377         .socket_getpeersec =            selinux_socket_getpeersec,
4378         .sk_alloc_security =            selinux_sk_alloc_security,
4379         .sk_free_security =             selinux_sk_free_security,
4380 #endif
4381 };
4382
4383 static __init int selinux_init(void)
4384 {
4385         struct task_security_struct *tsec;
4386
4387         if (!selinux_enabled) {
4388                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4389                 return 0;
4390         }
4391
4392         printk(KERN_INFO "SELinux:  Initializing.\n");
4393
4394         /* Set the security state for the initial task. */
4395         if (task_alloc_security(current))
4396                 panic("SELinux:  Failed to initialize initial task.\n");
4397         tsec = current->security;
4398         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4399
4400         avc_init();
4401
4402         original_ops = secondary_ops = security_ops;
4403         if (!secondary_ops)
4404                 panic ("SELinux: No initial security operations\n");
4405         if (register_security (&selinux_ops))
4406                 panic("SELinux: Unable to register with kernel.\n");
4407
4408         if (selinux_enforcing) {
4409                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4410         } else {
4411                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4412         }
4413         return 0;
4414 }
4415
4416 void selinux_complete_init(void)
4417 {
4418         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4419
4420         /* Set up any superblocks initialized prior to the policy load. */
4421         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4422         spin_lock(&sb_security_lock);
4423 next_sb:
4424         if (!list_empty(&superblock_security_head)) {
4425                 struct superblock_security_struct *sbsec =
4426                                 list_entry(superblock_security_head.next,
4427                                            struct superblock_security_struct,
4428                                            list);
4429                 struct super_block *sb = sbsec->sb;
4430                 spin_lock(&sb_lock);
4431                 sb->s_count++;
4432                 spin_unlock(&sb_lock);
4433                 spin_unlock(&sb_security_lock);
4434                 down_read(&sb->s_umount);
4435                 if (sb->s_root)
4436                         superblock_doinit(sb, NULL);
4437                 drop_super(sb);
4438                 spin_lock(&sb_security_lock);
4439                 list_del_init(&sbsec->list);
4440                 goto next_sb;
4441         }
4442         spin_unlock(&sb_security_lock);
4443 }
4444
4445 /* SELinux requires early initialization in order to label
4446    all processes and objects when they are created. */
4447 security_initcall(selinux_init);
4448
4449 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4450
4451 static struct nf_hook_ops selinux_ipv4_op = {
4452         .hook =         selinux_ipv4_postroute_last,
4453         .owner =        THIS_MODULE,
4454         .pf =           PF_INET,
4455         .hooknum =      NF_IP_POST_ROUTING,
4456         .priority =     NF_IP_PRI_SELINUX_LAST,
4457 };
4458
4459 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4460
4461 static struct nf_hook_ops selinux_ipv6_op = {
4462         .hook =         selinux_ipv6_postroute_last,
4463         .owner =        THIS_MODULE,
4464         .pf =           PF_INET6,
4465         .hooknum =      NF_IP6_POST_ROUTING,
4466         .priority =     NF_IP6_PRI_SELINUX_LAST,
4467 };
4468
4469 #endif  /* IPV6 */
4470
4471 static int __init selinux_nf_ip_init(void)
4472 {
4473         int err = 0;
4474
4475         if (!selinux_enabled)
4476                 goto out;
4477                 
4478         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4479         
4480         err = nf_register_hook(&selinux_ipv4_op);
4481         if (err)
4482                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4483
4484 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4485
4486         err = nf_register_hook(&selinux_ipv6_op);
4487         if (err)
4488                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4489
4490 #endif  /* IPV6 */
4491 out:
4492         return err;
4493 }
4494
4495 __initcall(selinux_nf_ip_init);
4496
4497 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4498 static void selinux_nf_ip_exit(void)
4499 {
4500         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4501
4502         nf_unregister_hook(&selinux_ipv4_op);
4503 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4504         nf_unregister_hook(&selinux_ipv6_op);
4505 #endif  /* IPV6 */
4506 }
4507 #endif
4508
4509 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4510
4511 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4512 #define selinux_nf_ip_exit()
4513 #endif
4514
4515 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4516
4517 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4518 int selinux_disable(void)
4519 {
4520         extern void exit_sel_fs(void);
4521         static int selinux_disabled = 0;
4522
4523         if (ss_initialized) {
4524                 /* Not permitted after initial policy load. */
4525                 return -EINVAL;
4526         }
4527
4528         if (selinux_disabled) {
4529                 /* Only do this once. */
4530                 return -EINVAL;
4531         }
4532
4533         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4534
4535         selinux_disabled = 1;
4536
4537         /* Reset security_ops to the secondary module, dummy or capability. */
4538         security_ops = secondary_ops;
4539
4540         /* Unregister netfilter hooks. */
4541         selinux_nf_ip_exit();
4542
4543         /* Unregister selinuxfs. */
4544         exit_sel_fs();
4545
4546         return 0;
4547 }
4548 #endif
4549
4550