Security: split proc ptrace checking into read vs. attach
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16  *              Paul Moore <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/fdtable.h>
43 #include <linux/namei.h>
44 #include <linux/mount.h>
45 #include <linux/ext2_fs.h>
46 #include <linux/proc_fs.h>
47 #include <linux/kd.h>
48 #include <linux/netfilter_ipv4.h>
49 #include <linux/netfilter_ipv6.h>
50 #include <linux/tty.h>
51 #include <net/icmp.h>
52 #include <net/ip.h>             /* for local_port_range[] */
53 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
54 #include <net/net_namespace.h>
55 #include <net/netlabel.h>
56 #include <linux/uaccess.h>
57 #include <asm/ioctls.h>
58 #include <asm/atomic.h>
59 #include <linux/bitops.h>
60 #include <linux/interrupt.h>
61 #include <linux/netdevice.h>    /* for network interface checks */
62 #include <linux/netlink.h>
63 #include <linux/tcp.h>
64 #include <linux/udp.h>
65 #include <linux/dccp.h>
66 #include <linux/quota.h>
67 #include <linux/un.h>           /* for Unix socket types */
68 #include <net/af_unix.h>        /* for Unix socket types */
69 #include <linux/parser.h>
70 #include <linux/nfs_mount.h>
71 #include <net/ipv6.h>
72 #include <linux/hugetlb.h>
73 #include <linux/personality.h>
74 #include <linux/sysctl.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
77 #include <linux/selinux.h>
78 #include <linux/mutex.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         unsigned long enforcing;
108         if (!strict_strtoul(str, 0, &enforcing))
109                 selinux_enforcing = enforcing ? 1 : 0;
110         return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120         unsigned long enabled;
121         if (!strict_strtoul(str, 0, &enabled))
122                 selinux_enabled = enabled ? 1 : 0;
123         return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130 /* Original (dummy) security module. */
131 static struct security_operations *original_ops;
132
133 /* Minimal support for a secondary security module,
134    just to allow the use of the dummy or capability modules.
135    The owlsm module can alternatively be used as a secondary
136    module as long as CONFIG_OWLSM_FD is not enabled. */
137 static struct security_operations *secondary_ops;
138
139 /* Lists of inode and superblock security structures initialized
140    before the policy was loaded. */
141 static LIST_HEAD(superblock_security_head);
142 static DEFINE_SPINLOCK(sb_security_lock);
143
144 static struct kmem_cache *sel_inode_cache;
145
146 /**
147  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
148  *
149  * Description:
150  * This function checks the SECMARK reference counter to see if any SECMARK
151  * targets are currently configured, if the reference counter is greater than
152  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
153  * enabled, false (0) if SECMARK is disabled.
154  *
155  */
156 static int selinux_secmark_enabled(void)
157 {
158         return (atomic_read(&selinux_secmark_refcount) > 0);
159 }
160
161 /* Allocate and free functions for each kind of security blob. */
162
163 static int task_alloc_security(struct task_struct *task)
164 {
165         struct task_security_struct *tsec;
166
167         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168         if (!tsec)
169                 return -ENOMEM;
170
171         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
172         task->security = tsec;
173
174         return 0;
175 }
176
177 static void task_free_security(struct task_struct *task)
178 {
179         struct task_security_struct *tsec = task->security;
180         task->security = NULL;
181         kfree(tsec);
182 }
183
184 static int inode_alloc_security(struct inode *inode)
185 {
186         struct task_security_struct *tsec = current->security;
187         struct inode_security_struct *isec;
188
189         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
190         if (!isec)
191                 return -ENOMEM;
192
193         mutex_init(&isec->lock);
194         INIT_LIST_HEAD(&isec->list);
195         isec->inode = inode;
196         isec->sid = SECINITSID_UNLABELED;
197         isec->sclass = SECCLASS_FILE;
198         isec->task_sid = tsec->sid;
199         inode->i_security = isec;
200
201         return 0;
202 }
203
204 static void inode_free_security(struct inode *inode)
205 {
206         struct inode_security_struct *isec = inode->i_security;
207         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
208
209         spin_lock(&sbsec->isec_lock);
210         if (!list_empty(&isec->list))
211                 list_del_init(&isec->list);
212         spin_unlock(&sbsec->isec_lock);
213
214         inode->i_security = NULL;
215         kmem_cache_free(sel_inode_cache, isec);
216 }
217
218 static int file_alloc_security(struct file *file)
219 {
220         struct task_security_struct *tsec = current->security;
221         struct file_security_struct *fsec;
222
223         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
224         if (!fsec)
225                 return -ENOMEM;
226
227         fsec->sid = tsec->sid;
228         fsec->fown_sid = tsec->sid;
229         file->f_security = fsec;
230
231         return 0;
232 }
233
234 static void file_free_security(struct file *file)
235 {
236         struct file_security_struct *fsec = file->f_security;
237         file->f_security = NULL;
238         kfree(fsec);
239 }
240
241 static int superblock_alloc_security(struct super_block *sb)
242 {
243         struct superblock_security_struct *sbsec;
244
245         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
246         if (!sbsec)
247                 return -ENOMEM;
248
249         mutex_init(&sbsec->lock);
250         INIT_LIST_HEAD(&sbsec->list);
251         INIT_LIST_HEAD(&sbsec->isec_head);
252         spin_lock_init(&sbsec->isec_lock);
253         sbsec->sb = sb;
254         sbsec->sid = SECINITSID_UNLABELED;
255         sbsec->def_sid = SECINITSID_FILE;
256         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
257         sb->s_security = sbsec;
258
259         return 0;
260 }
261
262 static void superblock_free_security(struct super_block *sb)
263 {
264         struct superblock_security_struct *sbsec = sb->s_security;
265
266         spin_lock(&sb_security_lock);
267         if (!list_empty(&sbsec->list))
268                 list_del_init(&sbsec->list);
269         spin_unlock(&sb_security_lock);
270
271         sb->s_security = NULL;
272         kfree(sbsec);
273 }
274
275 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
276 {
277         struct sk_security_struct *ssec;
278
279         ssec = kzalloc(sizeof(*ssec), priority);
280         if (!ssec)
281                 return -ENOMEM;
282
283         ssec->peer_sid = SECINITSID_UNLABELED;
284         ssec->sid = SECINITSID_UNLABELED;
285         sk->sk_security = ssec;
286
287         selinux_netlbl_sk_security_reset(ssec, family);
288
289         return 0;
290 }
291
292 static void sk_free_security(struct sock *sk)
293 {
294         struct sk_security_struct *ssec = sk->sk_security;
295
296         sk->sk_security = NULL;
297         kfree(ssec);
298 }
299
300 /* The security server must be initialized before
301    any labeling or access decisions can be provided. */
302 extern int ss_initialized;
303
304 /* The file system's label must be initialized prior to use. */
305
306 static char *labeling_behaviors[6] = {
307         "uses xattr",
308         "uses transition SIDs",
309         "uses task SIDs",
310         "uses genfs_contexts",
311         "not configured for labeling",
312         "uses mountpoint labeling",
313 };
314
315 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
316
317 static inline int inode_doinit(struct inode *inode)
318 {
319         return inode_doinit_with_dentry(inode, NULL);
320 }
321
322 enum {
323         Opt_error = -1,
324         Opt_context = 1,
325         Opt_fscontext = 2,
326         Opt_defcontext = 3,
327         Opt_rootcontext = 4,
328 };
329
330 static match_table_t tokens = {
331         {Opt_context, CONTEXT_STR "%s"},
332         {Opt_fscontext, FSCONTEXT_STR "%s"},
333         {Opt_defcontext, DEFCONTEXT_STR "%s"},
334         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
335         {Opt_error, NULL},
336 };
337
338 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
339
340 static int may_context_mount_sb_relabel(u32 sid,
341                         struct superblock_security_struct *sbsec,
342                         struct task_security_struct *tsec)
343 {
344         int rc;
345
346         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
347                           FILESYSTEM__RELABELFROM, NULL);
348         if (rc)
349                 return rc;
350
351         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
352                           FILESYSTEM__RELABELTO, NULL);
353         return rc;
354 }
355
356 static int may_context_mount_inode_relabel(u32 sid,
357                         struct superblock_security_struct *sbsec,
358                         struct task_security_struct *tsec)
359 {
360         int rc;
361         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
362                           FILESYSTEM__RELABELFROM, NULL);
363         if (rc)
364                 return rc;
365
366         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
367                           FILESYSTEM__ASSOCIATE, NULL);
368         return rc;
369 }
370
371 static int sb_finish_set_opts(struct super_block *sb)
372 {
373         struct superblock_security_struct *sbsec = sb->s_security;
374         struct dentry *root = sb->s_root;
375         struct inode *root_inode = root->d_inode;
376         int rc = 0;
377
378         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
379                 /* Make sure that the xattr handler exists and that no
380                    error other than -ENODATA is returned by getxattr on
381                    the root directory.  -ENODATA is ok, as this may be
382                    the first boot of the SELinux kernel before we have
383                    assigned xattr values to the filesystem. */
384                 if (!root_inode->i_op->getxattr) {
385                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
386                                "xattr support\n", sb->s_id, sb->s_type->name);
387                         rc = -EOPNOTSUPP;
388                         goto out;
389                 }
390                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
391                 if (rc < 0 && rc != -ENODATA) {
392                         if (rc == -EOPNOTSUPP)
393                                 printk(KERN_WARNING "SELinux: (dev %s, type "
394                                        "%s) has no security xattr handler\n",
395                                        sb->s_id, sb->s_type->name);
396                         else
397                                 printk(KERN_WARNING "SELinux: (dev %s, type "
398                                        "%s) getxattr errno %d\n", sb->s_id,
399                                        sb->s_type->name, -rc);
400                         goto out;
401                 }
402         }
403
404         sbsec->initialized = 1;
405
406         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
407                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
408                        sb->s_id, sb->s_type->name);
409         else
410                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
411                        sb->s_id, sb->s_type->name,
412                        labeling_behaviors[sbsec->behavior-1]);
413
414         /* Initialize the root inode. */
415         rc = inode_doinit_with_dentry(root_inode, root);
416
417         /* Initialize any other inodes associated with the superblock, e.g.
418            inodes created prior to initial policy load or inodes created
419            during get_sb by a pseudo filesystem that directly
420            populates itself. */
421         spin_lock(&sbsec->isec_lock);
422 next_inode:
423         if (!list_empty(&sbsec->isec_head)) {
424                 struct inode_security_struct *isec =
425                                 list_entry(sbsec->isec_head.next,
426                                            struct inode_security_struct, list);
427                 struct inode *inode = isec->inode;
428                 spin_unlock(&sbsec->isec_lock);
429                 inode = igrab(inode);
430                 if (inode) {
431                         if (!IS_PRIVATE(inode))
432                                 inode_doinit(inode);
433                         iput(inode);
434                 }
435                 spin_lock(&sbsec->isec_lock);
436                 list_del_init(&isec->list);
437                 goto next_inode;
438         }
439         spin_unlock(&sbsec->isec_lock);
440 out:
441         return rc;
442 }
443
444 /*
445  * This function should allow an FS to ask what it's mount security
446  * options were so it can use those later for submounts, displaying
447  * mount options, or whatever.
448  */
449 static int selinux_get_mnt_opts(const struct super_block *sb,
450                                 struct security_mnt_opts *opts)
451 {
452         int rc = 0, i;
453         struct superblock_security_struct *sbsec = sb->s_security;
454         char *context = NULL;
455         u32 len;
456         char tmp;
457
458         security_init_mnt_opts(opts);
459
460         if (!sbsec->initialized)
461                 return -EINVAL;
462
463         if (!ss_initialized)
464                 return -EINVAL;
465
466         /*
467          * if we ever use sbsec flags for anything other than tracking mount
468          * settings this is going to need a mask
469          */
470         tmp = sbsec->flags;
471         /* count the number of mount options for this sb */
472         for (i = 0; i < 8; i++) {
473                 if (tmp & 0x01)
474                         opts->num_mnt_opts++;
475                 tmp >>= 1;
476         }
477
478         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
479         if (!opts->mnt_opts) {
480                 rc = -ENOMEM;
481                 goto out_free;
482         }
483
484         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
485         if (!opts->mnt_opts_flags) {
486                 rc = -ENOMEM;
487                 goto out_free;
488         }
489
490         i = 0;
491         if (sbsec->flags & FSCONTEXT_MNT) {
492                 rc = security_sid_to_context(sbsec->sid, &context, &len);
493                 if (rc)
494                         goto out_free;
495                 opts->mnt_opts[i] = context;
496                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
497         }
498         if (sbsec->flags & CONTEXT_MNT) {
499                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
500                 if (rc)
501                         goto out_free;
502                 opts->mnt_opts[i] = context;
503                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
504         }
505         if (sbsec->flags & DEFCONTEXT_MNT) {
506                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
507                 if (rc)
508                         goto out_free;
509                 opts->mnt_opts[i] = context;
510                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
511         }
512         if (sbsec->flags & ROOTCONTEXT_MNT) {
513                 struct inode *root = sbsec->sb->s_root->d_inode;
514                 struct inode_security_struct *isec = root->i_security;
515
516                 rc = security_sid_to_context(isec->sid, &context, &len);
517                 if (rc)
518                         goto out_free;
519                 opts->mnt_opts[i] = context;
520                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
521         }
522
523         BUG_ON(i != opts->num_mnt_opts);
524
525         return 0;
526
527 out_free:
528         security_free_mnt_opts(opts);
529         return rc;
530 }
531
532 static int bad_option(struct superblock_security_struct *sbsec, char flag,
533                       u32 old_sid, u32 new_sid)
534 {
535         /* check if the old mount command had the same options */
536         if (sbsec->initialized)
537                 if (!(sbsec->flags & flag) ||
538                     (old_sid != new_sid))
539                         return 1;
540
541         /* check if we were passed the same options twice,
542          * aka someone passed context=a,context=b
543          */
544         if (!sbsec->initialized)
545                 if (sbsec->flags & flag)
546                         return 1;
547         return 0;
548 }
549
550 /*
551  * Allow filesystems with binary mount data to explicitly set mount point
552  * labeling information.
553  */
554 static int selinux_set_mnt_opts(struct super_block *sb,
555                                 struct security_mnt_opts *opts)
556 {
557         int rc = 0, i;
558         struct task_security_struct *tsec = current->security;
559         struct superblock_security_struct *sbsec = sb->s_security;
560         const char *name = sb->s_type->name;
561         struct inode *inode = sbsec->sb->s_root->d_inode;
562         struct inode_security_struct *root_isec = inode->i_security;
563         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564         u32 defcontext_sid = 0;
565         char **mount_options = opts->mnt_opts;
566         int *flags = opts->mnt_opts_flags;
567         int num_opts = opts->num_mnt_opts;
568
569         mutex_lock(&sbsec->lock);
570
571         if (!ss_initialized) {
572                 if (!num_opts) {
573                         /* Defer initialization until selinux_complete_init,
574                            after the initial policy is loaded and the security
575                            server is ready to handle calls. */
576                         spin_lock(&sb_security_lock);
577                         if (list_empty(&sbsec->list))
578                                 list_add(&sbsec->list, &superblock_security_head);
579                         spin_unlock(&sb_security_lock);
580                         goto out;
581                 }
582                 rc = -EINVAL;
583                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
584                         "before the security server is initialized\n");
585                 goto out;
586         }
587
588         /*
589          * Binary mount data FS will come through this function twice.  Once
590          * from an explicit call and once from the generic calls from the vfs.
591          * Since the generic VFS calls will not contain any security mount data
592          * we need to skip the double mount verification.
593          *
594          * This does open a hole in which we will not notice if the first
595          * mount using this sb set explict options and a second mount using
596          * this sb does not set any security options.  (The first options
597          * will be used for both mounts)
598          */
599         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
600             && (num_opts == 0))
601                 goto out;
602
603         /*
604          * parse the mount options, check if they are valid sids.
605          * also check if someone is trying to mount the same sb more
606          * than once with different security options.
607          */
608         for (i = 0; i < num_opts; i++) {
609                 u32 sid;
610                 rc = security_context_to_sid(mount_options[i],
611                                              strlen(mount_options[i]), &sid);
612                 if (rc) {
613                         printk(KERN_WARNING "SELinux: security_context_to_sid"
614                                "(%s) failed for (dev %s, type %s) errno=%d\n",
615                                mount_options[i], sb->s_id, name, rc);
616                         goto out;
617                 }
618                 switch (flags[i]) {
619                 case FSCONTEXT_MNT:
620                         fscontext_sid = sid;
621
622                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
623                                         fscontext_sid))
624                                 goto out_double_mount;
625
626                         sbsec->flags |= FSCONTEXT_MNT;
627                         break;
628                 case CONTEXT_MNT:
629                         context_sid = sid;
630
631                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
632                                         context_sid))
633                                 goto out_double_mount;
634
635                         sbsec->flags |= CONTEXT_MNT;
636                         break;
637                 case ROOTCONTEXT_MNT:
638                         rootcontext_sid = sid;
639
640                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
641                                         rootcontext_sid))
642                                 goto out_double_mount;
643
644                         sbsec->flags |= ROOTCONTEXT_MNT;
645
646                         break;
647                 case DEFCONTEXT_MNT:
648                         defcontext_sid = sid;
649
650                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
651                                         defcontext_sid))
652                                 goto out_double_mount;
653
654                         sbsec->flags |= DEFCONTEXT_MNT;
655
656                         break;
657                 default:
658                         rc = -EINVAL;
659                         goto out;
660                 }
661         }
662
663         if (sbsec->initialized) {
664                 /* previously mounted with options, but not on this attempt? */
665                 if (sbsec->flags && !num_opts)
666                         goto out_double_mount;
667                 rc = 0;
668                 goto out;
669         }
670
671         if (strcmp(sb->s_type->name, "proc") == 0)
672                 sbsec->proc = 1;
673
674         /* Determine the labeling behavior to use for this filesystem type. */
675         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
676         if (rc) {
677                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
678                        __func__, sb->s_type->name, rc);
679                 goto out;
680         }
681
682         /* sets the context of the superblock for the fs being mounted. */
683         if (fscontext_sid) {
684
685                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
686                 if (rc)
687                         goto out;
688
689                 sbsec->sid = fscontext_sid;
690         }
691
692         /*
693          * Switch to using mount point labeling behavior.
694          * sets the label used on all file below the mountpoint, and will set
695          * the superblock context if not already set.
696          */
697         if (context_sid) {
698                 if (!fscontext_sid) {
699                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
700                         if (rc)
701                                 goto out;
702                         sbsec->sid = context_sid;
703                 } else {
704                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
705                         if (rc)
706                                 goto out;
707                 }
708                 if (!rootcontext_sid)
709                         rootcontext_sid = context_sid;
710
711                 sbsec->mntpoint_sid = context_sid;
712                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
713         }
714
715         if (rootcontext_sid) {
716                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
717                 if (rc)
718                         goto out;
719
720                 root_isec->sid = rootcontext_sid;
721                 root_isec->initialized = 1;
722         }
723
724         if (defcontext_sid) {
725                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
726                         rc = -EINVAL;
727                         printk(KERN_WARNING "SELinux: defcontext option is "
728                                "invalid for this filesystem type\n");
729                         goto out;
730                 }
731
732                 if (defcontext_sid != sbsec->def_sid) {
733                         rc = may_context_mount_inode_relabel(defcontext_sid,
734                                                              sbsec, tsec);
735                         if (rc)
736                                 goto out;
737                 }
738
739                 sbsec->def_sid = defcontext_sid;
740         }
741
742         rc = sb_finish_set_opts(sb);
743 out:
744         mutex_unlock(&sbsec->lock);
745         return rc;
746 out_double_mount:
747         rc = -EINVAL;
748         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
749                "security settings for (dev %s, type %s)\n", sb->s_id, name);
750         goto out;
751 }
752
753 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
754                                         struct super_block *newsb)
755 {
756         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
757         struct superblock_security_struct *newsbsec = newsb->s_security;
758
759         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
760         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
761         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
762
763         /*
764          * if the parent was able to be mounted it clearly had no special lsm
765          * mount options.  thus we can safely put this sb on the list and deal
766          * with it later
767          */
768         if (!ss_initialized) {
769                 spin_lock(&sb_security_lock);
770                 if (list_empty(&newsbsec->list))
771                         list_add(&newsbsec->list, &superblock_security_head);
772                 spin_unlock(&sb_security_lock);
773                 return;
774         }
775
776         /* how can we clone if the old one wasn't set up?? */
777         BUG_ON(!oldsbsec->initialized);
778
779         /* if fs is reusing a sb, just let its options stand... */
780         if (newsbsec->initialized)
781                 return;
782
783         mutex_lock(&newsbsec->lock);
784
785         newsbsec->flags = oldsbsec->flags;
786
787         newsbsec->sid = oldsbsec->sid;
788         newsbsec->def_sid = oldsbsec->def_sid;
789         newsbsec->behavior = oldsbsec->behavior;
790
791         if (set_context) {
792                 u32 sid = oldsbsec->mntpoint_sid;
793
794                 if (!set_fscontext)
795                         newsbsec->sid = sid;
796                 if (!set_rootcontext) {
797                         struct inode *newinode = newsb->s_root->d_inode;
798                         struct inode_security_struct *newisec = newinode->i_security;
799                         newisec->sid = sid;
800                 }
801                 newsbsec->mntpoint_sid = sid;
802         }
803         if (set_rootcontext) {
804                 const struct inode *oldinode = oldsb->s_root->d_inode;
805                 const struct inode_security_struct *oldisec = oldinode->i_security;
806                 struct inode *newinode = newsb->s_root->d_inode;
807                 struct inode_security_struct *newisec = newinode->i_security;
808
809                 newisec->sid = oldisec->sid;
810         }
811
812         sb_finish_set_opts(newsb);
813         mutex_unlock(&newsbsec->lock);
814 }
815
816 static int selinux_parse_opts_str(char *options,
817                                   struct security_mnt_opts *opts)
818 {
819         char *p;
820         char *context = NULL, *defcontext = NULL;
821         char *fscontext = NULL, *rootcontext = NULL;
822         int rc, num_mnt_opts = 0;
823
824         opts->num_mnt_opts = 0;
825
826         /* Standard string-based options. */
827         while ((p = strsep(&options, "|")) != NULL) {
828                 int token;
829                 substring_t args[MAX_OPT_ARGS];
830
831                 if (!*p)
832                         continue;
833
834                 token = match_token(p, tokens, args);
835
836                 switch (token) {
837                 case Opt_context:
838                         if (context || defcontext) {
839                                 rc = -EINVAL;
840                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841                                 goto out_err;
842                         }
843                         context = match_strdup(&args[0]);
844                         if (!context) {
845                                 rc = -ENOMEM;
846                                 goto out_err;
847                         }
848                         break;
849
850                 case Opt_fscontext:
851                         if (fscontext) {
852                                 rc = -EINVAL;
853                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854                                 goto out_err;
855                         }
856                         fscontext = match_strdup(&args[0]);
857                         if (!fscontext) {
858                                 rc = -ENOMEM;
859                                 goto out_err;
860                         }
861                         break;
862
863                 case Opt_rootcontext:
864                         if (rootcontext) {
865                                 rc = -EINVAL;
866                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867                                 goto out_err;
868                         }
869                         rootcontext = match_strdup(&args[0]);
870                         if (!rootcontext) {
871                                 rc = -ENOMEM;
872                                 goto out_err;
873                         }
874                         break;
875
876                 case Opt_defcontext:
877                         if (context || defcontext) {
878                                 rc = -EINVAL;
879                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
880                                 goto out_err;
881                         }
882                         defcontext = match_strdup(&args[0]);
883                         if (!defcontext) {
884                                 rc = -ENOMEM;
885                                 goto out_err;
886                         }
887                         break;
888
889                 default:
890                         rc = -EINVAL;
891                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
892                         goto out_err;
893
894                 }
895         }
896
897         rc = -ENOMEM;
898         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
899         if (!opts->mnt_opts)
900                 goto out_err;
901
902         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
903         if (!opts->mnt_opts_flags) {
904                 kfree(opts->mnt_opts);
905                 goto out_err;
906         }
907
908         if (fscontext) {
909                 opts->mnt_opts[num_mnt_opts] = fscontext;
910                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
911         }
912         if (context) {
913                 opts->mnt_opts[num_mnt_opts] = context;
914                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
915         }
916         if (rootcontext) {
917                 opts->mnt_opts[num_mnt_opts] = rootcontext;
918                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
919         }
920         if (defcontext) {
921                 opts->mnt_opts[num_mnt_opts] = defcontext;
922                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
923         }
924
925         opts->num_mnt_opts = num_mnt_opts;
926         return 0;
927
928 out_err:
929         kfree(context);
930         kfree(defcontext);
931         kfree(fscontext);
932         kfree(rootcontext);
933         return rc;
934 }
935 /*
936  * string mount options parsing and call set the sbsec
937  */
938 static int superblock_doinit(struct super_block *sb, void *data)
939 {
940         int rc = 0;
941         char *options = data;
942         struct security_mnt_opts opts;
943
944         security_init_mnt_opts(&opts);
945
946         if (!data)
947                 goto out;
948
949         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
950
951         rc = selinux_parse_opts_str(options, &opts);
952         if (rc)
953                 goto out_err;
954
955 out:
956         rc = selinux_set_mnt_opts(sb, &opts);
957
958 out_err:
959         security_free_mnt_opts(&opts);
960         return rc;
961 }
962
963 static inline u16 inode_mode_to_security_class(umode_t mode)
964 {
965         switch (mode & S_IFMT) {
966         case S_IFSOCK:
967                 return SECCLASS_SOCK_FILE;
968         case S_IFLNK:
969                 return SECCLASS_LNK_FILE;
970         case S_IFREG:
971                 return SECCLASS_FILE;
972         case S_IFBLK:
973                 return SECCLASS_BLK_FILE;
974         case S_IFDIR:
975                 return SECCLASS_DIR;
976         case S_IFCHR:
977                 return SECCLASS_CHR_FILE;
978         case S_IFIFO:
979                 return SECCLASS_FIFO_FILE;
980
981         }
982
983         return SECCLASS_FILE;
984 }
985
986 static inline int default_protocol_stream(int protocol)
987 {
988         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
989 }
990
991 static inline int default_protocol_dgram(int protocol)
992 {
993         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
994 }
995
996 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
997 {
998         switch (family) {
999         case PF_UNIX:
1000                 switch (type) {
1001                 case SOCK_STREAM:
1002                 case SOCK_SEQPACKET:
1003                         return SECCLASS_UNIX_STREAM_SOCKET;
1004                 case SOCK_DGRAM:
1005                         return SECCLASS_UNIX_DGRAM_SOCKET;
1006                 }
1007                 break;
1008         case PF_INET:
1009         case PF_INET6:
1010                 switch (type) {
1011                 case SOCK_STREAM:
1012                         if (default_protocol_stream(protocol))
1013                                 return SECCLASS_TCP_SOCKET;
1014                         else
1015                                 return SECCLASS_RAWIP_SOCKET;
1016                 case SOCK_DGRAM:
1017                         if (default_protocol_dgram(protocol))
1018                                 return SECCLASS_UDP_SOCKET;
1019                         else
1020                                 return SECCLASS_RAWIP_SOCKET;
1021                 case SOCK_DCCP:
1022                         return SECCLASS_DCCP_SOCKET;
1023                 default:
1024                         return SECCLASS_RAWIP_SOCKET;
1025                 }
1026                 break;
1027         case PF_NETLINK:
1028                 switch (protocol) {
1029                 case NETLINK_ROUTE:
1030                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1031                 case NETLINK_FIREWALL:
1032                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1033                 case NETLINK_INET_DIAG:
1034                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1035                 case NETLINK_NFLOG:
1036                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1037                 case NETLINK_XFRM:
1038                         return SECCLASS_NETLINK_XFRM_SOCKET;
1039                 case NETLINK_SELINUX:
1040                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1041                 case NETLINK_AUDIT:
1042                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1043                 case NETLINK_IP6_FW:
1044                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1045                 case NETLINK_DNRTMSG:
1046                         return SECCLASS_NETLINK_DNRT_SOCKET;
1047                 case NETLINK_KOBJECT_UEVENT:
1048                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1049                 default:
1050                         return SECCLASS_NETLINK_SOCKET;
1051                 }
1052         case PF_PACKET:
1053                 return SECCLASS_PACKET_SOCKET;
1054         case PF_KEY:
1055                 return SECCLASS_KEY_SOCKET;
1056         case PF_APPLETALK:
1057                 return SECCLASS_APPLETALK_SOCKET;
1058         }
1059
1060         return SECCLASS_SOCKET;
1061 }
1062
1063 #ifdef CONFIG_PROC_FS
1064 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1065                                 u16 tclass,
1066                                 u32 *sid)
1067 {
1068         int buflen, rc;
1069         char *buffer, *path, *end;
1070
1071         buffer = (char *)__get_free_page(GFP_KERNEL);
1072         if (!buffer)
1073                 return -ENOMEM;
1074
1075         buflen = PAGE_SIZE;
1076         end = buffer+buflen;
1077         *--end = '\0';
1078         buflen--;
1079         path = end-1;
1080         *path = '/';
1081         while (de && de != de->parent) {
1082                 buflen -= de->namelen + 1;
1083                 if (buflen < 0)
1084                         break;
1085                 end -= de->namelen;
1086                 memcpy(end, de->name, de->namelen);
1087                 *--end = '/';
1088                 path = end;
1089                 de = de->parent;
1090         }
1091         rc = security_genfs_sid("proc", path, tclass, sid);
1092         free_page((unsigned long)buffer);
1093         return rc;
1094 }
1095 #else
1096 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1097                                 u16 tclass,
1098                                 u32 *sid)
1099 {
1100         return -EINVAL;
1101 }
1102 #endif
1103
1104 /* The inode's security attributes must be initialized before first use. */
1105 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1106 {
1107         struct superblock_security_struct *sbsec = NULL;
1108         struct inode_security_struct *isec = inode->i_security;
1109         u32 sid;
1110         struct dentry *dentry;
1111 #define INITCONTEXTLEN 255
1112         char *context = NULL;
1113         unsigned len = 0;
1114         int rc = 0;
1115
1116         if (isec->initialized)
1117                 goto out;
1118
1119         mutex_lock(&isec->lock);
1120         if (isec->initialized)
1121                 goto out_unlock;
1122
1123         sbsec = inode->i_sb->s_security;
1124         if (!sbsec->initialized) {
1125                 /* Defer initialization until selinux_complete_init,
1126                    after the initial policy is loaded and the security
1127                    server is ready to handle calls. */
1128                 spin_lock(&sbsec->isec_lock);
1129                 if (list_empty(&isec->list))
1130                         list_add(&isec->list, &sbsec->isec_head);
1131                 spin_unlock(&sbsec->isec_lock);
1132                 goto out_unlock;
1133         }
1134
1135         switch (sbsec->behavior) {
1136         case SECURITY_FS_USE_XATTR:
1137                 if (!inode->i_op->getxattr) {
1138                         isec->sid = sbsec->def_sid;
1139                         break;
1140                 }
1141
1142                 /* Need a dentry, since the xattr API requires one.
1143                    Life would be simpler if we could just pass the inode. */
1144                 if (opt_dentry) {
1145                         /* Called from d_instantiate or d_splice_alias. */
1146                         dentry = dget(opt_dentry);
1147                 } else {
1148                         /* Called from selinux_complete_init, try to find a dentry. */
1149                         dentry = d_find_alias(inode);
1150                 }
1151                 if (!dentry) {
1152                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1153                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1154                                inode->i_ino);
1155                         goto out_unlock;
1156                 }
1157
1158                 len = INITCONTEXTLEN;
1159                 context = kmalloc(len, GFP_NOFS);
1160                 if (!context) {
1161                         rc = -ENOMEM;
1162                         dput(dentry);
1163                         goto out_unlock;
1164                 }
1165                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1166                                            context, len);
1167                 if (rc == -ERANGE) {
1168                         /* Need a larger buffer.  Query for the right size. */
1169                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1170                                                    NULL, 0);
1171                         if (rc < 0) {
1172                                 dput(dentry);
1173                                 goto out_unlock;
1174                         }
1175                         kfree(context);
1176                         len = rc;
1177                         context = kmalloc(len, GFP_NOFS);
1178                         if (!context) {
1179                                 rc = -ENOMEM;
1180                                 dput(dentry);
1181                                 goto out_unlock;
1182                         }
1183                         rc = inode->i_op->getxattr(dentry,
1184                                                    XATTR_NAME_SELINUX,
1185                                                    context, len);
1186                 }
1187                 dput(dentry);
1188                 if (rc < 0) {
1189                         if (rc != -ENODATA) {
1190                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1191                                        "%d for dev=%s ino=%ld\n", __func__,
1192                                        -rc, inode->i_sb->s_id, inode->i_ino);
1193                                 kfree(context);
1194                                 goto out_unlock;
1195                         }
1196                         /* Map ENODATA to the default file SID */
1197                         sid = sbsec->def_sid;
1198                         rc = 0;
1199                 } else {
1200                         rc = security_context_to_sid_default(context, rc, &sid,
1201                                                              sbsec->def_sid,
1202                                                              GFP_NOFS);
1203                         if (rc) {
1204                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1205                                        "returned %d for dev=%s ino=%ld\n",
1206                                        __func__, context, -rc,
1207                                        inode->i_sb->s_id, inode->i_ino);
1208                                 kfree(context);
1209                                 /* Leave with the unlabeled SID */
1210                                 rc = 0;
1211                                 break;
1212                         }
1213                 }
1214                 kfree(context);
1215                 isec->sid = sid;
1216                 break;
1217         case SECURITY_FS_USE_TASK:
1218                 isec->sid = isec->task_sid;
1219                 break;
1220         case SECURITY_FS_USE_TRANS:
1221                 /* Default to the fs SID. */
1222                 isec->sid = sbsec->sid;
1223
1224                 /* Try to obtain a transition SID. */
1225                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1226                 rc = security_transition_sid(isec->task_sid,
1227                                              sbsec->sid,
1228                                              isec->sclass,
1229                                              &sid);
1230                 if (rc)
1231                         goto out_unlock;
1232                 isec->sid = sid;
1233                 break;
1234         case SECURITY_FS_USE_MNTPOINT:
1235                 isec->sid = sbsec->mntpoint_sid;
1236                 break;
1237         default:
1238                 /* Default to the fs superblock SID. */
1239                 isec->sid = sbsec->sid;
1240
1241                 if (sbsec->proc) {
1242                         struct proc_inode *proci = PROC_I(inode);
1243                         if (proci->pde) {
1244                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1245                                 rc = selinux_proc_get_sid(proci->pde,
1246                                                           isec->sclass,
1247                                                           &sid);
1248                                 if (rc)
1249                                         goto out_unlock;
1250                                 isec->sid = sid;
1251                         }
1252                 }
1253                 break;
1254         }
1255
1256         isec->initialized = 1;
1257
1258 out_unlock:
1259         mutex_unlock(&isec->lock);
1260 out:
1261         if (isec->sclass == SECCLASS_FILE)
1262                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1263         return rc;
1264 }
1265
1266 /* Convert a Linux signal to an access vector. */
1267 static inline u32 signal_to_av(int sig)
1268 {
1269         u32 perm = 0;
1270
1271         switch (sig) {
1272         case SIGCHLD:
1273                 /* Commonly granted from child to parent. */
1274                 perm = PROCESS__SIGCHLD;
1275                 break;
1276         case SIGKILL:
1277                 /* Cannot be caught or ignored */
1278                 perm = PROCESS__SIGKILL;
1279                 break;
1280         case SIGSTOP:
1281                 /* Cannot be caught or ignored */
1282                 perm = PROCESS__SIGSTOP;
1283                 break;
1284         default:
1285                 /* All other signals. */
1286                 perm = PROCESS__SIGNAL;
1287                 break;
1288         }
1289
1290         return perm;
1291 }
1292
1293 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1294    fork check, ptrace check, etc. */
1295 static int task_has_perm(struct task_struct *tsk1,
1296                          struct task_struct *tsk2,
1297                          u32 perms)
1298 {
1299         struct task_security_struct *tsec1, *tsec2;
1300
1301         tsec1 = tsk1->security;
1302         tsec2 = tsk2->security;
1303         return avc_has_perm(tsec1->sid, tsec2->sid,
1304                             SECCLASS_PROCESS, perms, NULL);
1305 }
1306
1307 #if CAP_LAST_CAP > 63
1308 #error Fix SELinux to handle capabilities > 63.
1309 #endif
1310
1311 /* Check whether a task is allowed to use a capability. */
1312 static int task_has_capability(struct task_struct *tsk,
1313                                int cap)
1314 {
1315         struct task_security_struct *tsec;
1316         struct avc_audit_data ad;
1317         u16 sclass;
1318         u32 av = CAP_TO_MASK(cap);
1319
1320         tsec = tsk->security;
1321
1322         AVC_AUDIT_DATA_INIT(&ad, CAP);
1323         ad.tsk = tsk;
1324         ad.u.cap = cap;
1325
1326         switch (CAP_TO_INDEX(cap)) {
1327         case 0:
1328                 sclass = SECCLASS_CAPABILITY;
1329                 break;
1330         case 1:
1331                 sclass = SECCLASS_CAPABILITY2;
1332                 break;
1333         default:
1334                 printk(KERN_ERR
1335                        "SELinux:  out of range capability %d\n", cap);
1336                 BUG();
1337         }
1338         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1339 }
1340
1341 /* Check whether a task is allowed to use a system operation. */
1342 static int task_has_system(struct task_struct *tsk,
1343                            u32 perms)
1344 {
1345         struct task_security_struct *tsec;
1346
1347         tsec = tsk->security;
1348
1349         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1350                             SECCLASS_SYSTEM, perms, NULL);
1351 }
1352
1353 /* Check whether a task has a particular permission to an inode.
1354    The 'adp' parameter is optional and allows other audit
1355    data to be passed (e.g. the dentry). */
1356 static int inode_has_perm(struct task_struct *tsk,
1357                           struct inode *inode,
1358                           u32 perms,
1359                           struct avc_audit_data *adp)
1360 {
1361         struct task_security_struct *tsec;
1362         struct inode_security_struct *isec;
1363         struct avc_audit_data ad;
1364
1365         if (unlikely(IS_PRIVATE(inode)))
1366                 return 0;
1367
1368         tsec = tsk->security;
1369         isec = inode->i_security;
1370
1371         if (!adp) {
1372                 adp = &ad;
1373                 AVC_AUDIT_DATA_INIT(&ad, FS);
1374                 ad.u.fs.inode = inode;
1375         }
1376
1377         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1378 }
1379
1380 /* Same as inode_has_perm, but pass explicit audit data containing
1381    the dentry to help the auditing code to more easily generate the
1382    pathname if needed. */
1383 static inline int dentry_has_perm(struct task_struct *tsk,
1384                                   struct vfsmount *mnt,
1385                                   struct dentry *dentry,
1386                                   u32 av)
1387 {
1388         struct inode *inode = dentry->d_inode;
1389         struct avc_audit_data ad;
1390         AVC_AUDIT_DATA_INIT(&ad, FS);
1391         ad.u.fs.path.mnt = mnt;
1392         ad.u.fs.path.dentry = dentry;
1393         return inode_has_perm(tsk, inode, av, &ad);
1394 }
1395
1396 /* Check whether a task can use an open file descriptor to
1397    access an inode in a given way.  Check access to the
1398    descriptor itself, and then use dentry_has_perm to
1399    check a particular permission to the file.
1400    Access to the descriptor is implicitly granted if it
1401    has the same SID as the process.  If av is zero, then
1402    access to the file is not checked, e.g. for cases
1403    where only the descriptor is affected like seek. */
1404 static int file_has_perm(struct task_struct *tsk,
1405                                 struct file *file,
1406                                 u32 av)
1407 {
1408         struct task_security_struct *tsec = tsk->security;
1409         struct file_security_struct *fsec = file->f_security;
1410         struct inode *inode = file->f_path.dentry->d_inode;
1411         struct avc_audit_data ad;
1412         int rc;
1413
1414         AVC_AUDIT_DATA_INIT(&ad, FS);
1415         ad.u.fs.path = file->f_path;
1416
1417         if (tsec->sid != fsec->sid) {
1418                 rc = avc_has_perm(tsec->sid, fsec->sid,
1419                                   SECCLASS_FD,
1420                                   FD__USE,
1421                                   &ad);
1422                 if (rc)
1423                         return rc;
1424         }
1425
1426         /* av is zero if only checking access to the descriptor. */
1427         if (av)
1428                 return inode_has_perm(tsk, inode, av, &ad);
1429
1430         return 0;
1431 }
1432
1433 /* Check whether a task can create a file. */
1434 static int may_create(struct inode *dir,
1435                       struct dentry *dentry,
1436                       u16 tclass)
1437 {
1438         struct task_security_struct *tsec;
1439         struct inode_security_struct *dsec;
1440         struct superblock_security_struct *sbsec;
1441         u32 newsid;
1442         struct avc_audit_data ad;
1443         int rc;
1444
1445         tsec = current->security;
1446         dsec = dir->i_security;
1447         sbsec = dir->i_sb->s_security;
1448
1449         AVC_AUDIT_DATA_INIT(&ad, FS);
1450         ad.u.fs.path.dentry = dentry;
1451
1452         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1453                           DIR__ADD_NAME | DIR__SEARCH,
1454                           &ad);
1455         if (rc)
1456                 return rc;
1457
1458         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1459                 newsid = tsec->create_sid;
1460         } else {
1461                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1462                                              &newsid);
1463                 if (rc)
1464                         return rc;
1465         }
1466
1467         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1468         if (rc)
1469                 return rc;
1470
1471         return avc_has_perm(newsid, sbsec->sid,
1472                             SECCLASS_FILESYSTEM,
1473                             FILESYSTEM__ASSOCIATE, &ad);
1474 }
1475
1476 /* Check whether a task can create a key. */
1477 static int may_create_key(u32 ksid,
1478                           struct task_struct *ctx)
1479 {
1480         struct task_security_struct *tsec;
1481
1482         tsec = ctx->security;
1483
1484         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1485 }
1486
1487 #define MAY_LINK        0
1488 #define MAY_UNLINK      1
1489 #define MAY_RMDIR       2
1490
1491 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1492 static int may_link(struct inode *dir,
1493                     struct dentry *dentry,
1494                     int kind)
1495
1496 {
1497         struct task_security_struct *tsec;
1498         struct inode_security_struct *dsec, *isec;
1499         struct avc_audit_data ad;
1500         u32 av;
1501         int rc;
1502
1503         tsec = current->security;
1504         dsec = dir->i_security;
1505         isec = dentry->d_inode->i_security;
1506
1507         AVC_AUDIT_DATA_INIT(&ad, FS);
1508         ad.u.fs.path.dentry = dentry;
1509
1510         av = DIR__SEARCH;
1511         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1512         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1513         if (rc)
1514                 return rc;
1515
1516         switch (kind) {
1517         case MAY_LINK:
1518                 av = FILE__LINK;
1519                 break;
1520         case MAY_UNLINK:
1521                 av = FILE__UNLINK;
1522                 break;
1523         case MAY_RMDIR:
1524                 av = DIR__RMDIR;
1525                 break;
1526         default:
1527                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1528                         __func__, kind);
1529                 return 0;
1530         }
1531
1532         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1533         return rc;
1534 }
1535
1536 static inline int may_rename(struct inode *old_dir,
1537                              struct dentry *old_dentry,
1538                              struct inode *new_dir,
1539                              struct dentry *new_dentry)
1540 {
1541         struct task_security_struct *tsec;
1542         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1543         struct avc_audit_data ad;
1544         u32 av;
1545         int old_is_dir, new_is_dir;
1546         int rc;
1547
1548         tsec = current->security;
1549         old_dsec = old_dir->i_security;
1550         old_isec = old_dentry->d_inode->i_security;
1551         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1552         new_dsec = new_dir->i_security;
1553
1554         AVC_AUDIT_DATA_INIT(&ad, FS);
1555
1556         ad.u.fs.path.dentry = old_dentry;
1557         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1558                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1559         if (rc)
1560                 return rc;
1561         rc = avc_has_perm(tsec->sid, old_isec->sid,
1562                           old_isec->sclass, FILE__RENAME, &ad);
1563         if (rc)
1564                 return rc;
1565         if (old_is_dir && new_dir != old_dir) {
1566                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1567                                   old_isec->sclass, DIR__REPARENT, &ad);
1568                 if (rc)
1569                         return rc;
1570         }
1571
1572         ad.u.fs.path.dentry = new_dentry;
1573         av = DIR__ADD_NAME | DIR__SEARCH;
1574         if (new_dentry->d_inode)
1575                 av |= DIR__REMOVE_NAME;
1576         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1577         if (rc)
1578                 return rc;
1579         if (new_dentry->d_inode) {
1580                 new_isec = new_dentry->d_inode->i_security;
1581                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1582                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1583                                   new_isec->sclass,
1584                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1585                 if (rc)
1586                         return rc;
1587         }
1588
1589         return 0;
1590 }
1591
1592 /* Check whether a task can perform a filesystem operation. */
1593 static int superblock_has_perm(struct task_struct *tsk,
1594                                struct super_block *sb,
1595                                u32 perms,
1596                                struct avc_audit_data *ad)
1597 {
1598         struct task_security_struct *tsec;
1599         struct superblock_security_struct *sbsec;
1600
1601         tsec = tsk->security;
1602         sbsec = sb->s_security;
1603         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1604                             perms, ad);
1605 }
1606
1607 /* Convert a Linux mode and permission mask to an access vector. */
1608 static inline u32 file_mask_to_av(int mode, int mask)
1609 {
1610         u32 av = 0;
1611
1612         if ((mode & S_IFMT) != S_IFDIR) {
1613                 if (mask & MAY_EXEC)
1614                         av |= FILE__EXECUTE;
1615                 if (mask & MAY_READ)
1616                         av |= FILE__READ;
1617
1618                 if (mask & MAY_APPEND)
1619                         av |= FILE__APPEND;
1620                 else if (mask & MAY_WRITE)
1621                         av |= FILE__WRITE;
1622
1623         } else {
1624                 if (mask & MAY_EXEC)
1625                         av |= DIR__SEARCH;
1626                 if (mask & MAY_WRITE)
1627                         av |= DIR__WRITE;
1628                 if (mask & MAY_READ)
1629                         av |= DIR__READ;
1630         }
1631
1632         return av;
1633 }
1634
1635 /*
1636  * Convert a file mask to an access vector and include the correct open
1637  * open permission.
1638  */
1639 static inline u32 open_file_mask_to_av(int mode, int mask)
1640 {
1641         u32 av = file_mask_to_av(mode, mask);
1642
1643         if (selinux_policycap_openperm) {
1644                 /*
1645                  * lnk files and socks do not really have an 'open'
1646                  */
1647                 if (S_ISREG(mode))
1648                         av |= FILE__OPEN;
1649                 else if (S_ISCHR(mode))
1650                         av |= CHR_FILE__OPEN;
1651                 else if (S_ISBLK(mode))
1652                         av |= BLK_FILE__OPEN;
1653                 else if (S_ISFIFO(mode))
1654                         av |= FIFO_FILE__OPEN;
1655                 else if (S_ISDIR(mode))
1656                         av |= DIR__OPEN;
1657                 else
1658                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1659                                 "unknown mode:%x\n", __func__, mode);
1660         }
1661         return av;
1662 }
1663
1664 /* Convert a Linux file to an access vector. */
1665 static inline u32 file_to_av(struct file *file)
1666 {
1667         u32 av = 0;
1668
1669         if (file->f_mode & FMODE_READ)
1670                 av |= FILE__READ;
1671         if (file->f_mode & FMODE_WRITE) {
1672                 if (file->f_flags & O_APPEND)
1673                         av |= FILE__APPEND;
1674                 else
1675                         av |= FILE__WRITE;
1676         }
1677         if (!av) {
1678                 /*
1679                  * Special file opened with flags 3 for ioctl-only use.
1680                  */
1681                 av = FILE__IOCTL;
1682         }
1683
1684         return av;
1685 }
1686
1687 /* Hook functions begin here. */
1688
1689 static int selinux_ptrace(struct task_struct *parent,
1690                           struct task_struct *child,
1691                           unsigned int mode)
1692 {
1693         int rc;
1694
1695         rc = secondary_ops->ptrace(parent, child, mode);
1696         if (rc)
1697                 return rc;
1698
1699         if (mode == PTRACE_MODE_READ) {
1700                 struct task_security_struct *tsec = parent->security;
1701                 struct task_security_struct *csec = child->security;
1702                 return avc_has_perm(tsec->sid, csec->sid,
1703                                     SECCLASS_FILE, FILE__READ, NULL);
1704         }
1705
1706         return task_has_perm(parent, child, PROCESS__PTRACE);
1707 }
1708
1709 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1710                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1711 {
1712         int error;
1713
1714         error = task_has_perm(current, target, PROCESS__GETCAP);
1715         if (error)
1716                 return error;
1717
1718         return secondary_ops->capget(target, effective, inheritable, permitted);
1719 }
1720
1721 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1722                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1723 {
1724         int error;
1725
1726         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1727         if (error)
1728                 return error;
1729
1730         return task_has_perm(current, target, PROCESS__SETCAP);
1731 }
1732
1733 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1734                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1735 {
1736         secondary_ops->capset_set(target, effective, inheritable, permitted);
1737 }
1738
1739 static int selinux_capable(struct task_struct *tsk, int cap)
1740 {
1741         int rc;
1742
1743         rc = secondary_ops->capable(tsk, cap);
1744         if (rc)
1745                 return rc;
1746
1747         return task_has_capability(tsk, cap);
1748 }
1749
1750 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1751 {
1752         int buflen, rc;
1753         char *buffer, *path, *end;
1754
1755         rc = -ENOMEM;
1756         buffer = (char *)__get_free_page(GFP_KERNEL);
1757         if (!buffer)
1758                 goto out;
1759
1760         buflen = PAGE_SIZE;
1761         end = buffer+buflen;
1762         *--end = '\0';
1763         buflen--;
1764         path = end-1;
1765         *path = '/';
1766         while (table) {
1767                 const char *name = table->procname;
1768                 size_t namelen = strlen(name);
1769                 buflen -= namelen + 1;
1770                 if (buflen < 0)
1771                         goto out_free;
1772                 end -= namelen;
1773                 memcpy(end, name, namelen);
1774                 *--end = '/';
1775                 path = end;
1776                 table = table->parent;
1777         }
1778         buflen -= 4;
1779         if (buflen < 0)
1780                 goto out_free;
1781         end -= 4;
1782         memcpy(end, "/sys", 4);
1783         path = end;
1784         rc = security_genfs_sid("proc", path, tclass, sid);
1785 out_free:
1786         free_page((unsigned long)buffer);
1787 out:
1788         return rc;
1789 }
1790
1791 static int selinux_sysctl(ctl_table *table, int op)
1792 {
1793         int error = 0;
1794         u32 av;
1795         struct task_security_struct *tsec;
1796         u32 tsid;
1797         int rc;
1798
1799         rc = secondary_ops->sysctl(table, op);
1800         if (rc)
1801                 return rc;
1802
1803         tsec = current->security;
1804
1805         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1806                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1807         if (rc) {
1808                 /* Default to the well-defined sysctl SID. */
1809                 tsid = SECINITSID_SYSCTL;
1810         }
1811
1812         /* The op values are "defined" in sysctl.c, thereby creating
1813          * a bad coupling between this module and sysctl.c */
1814         if (op == 001) {
1815                 error = avc_has_perm(tsec->sid, tsid,
1816                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1817         } else {
1818                 av = 0;
1819                 if (op & 004)
1820                         av |= FILE__READ;
1821                 if (op & 002)
1822                         av |= FILE__WRITE;
1823                 if (av)
1824                         error = avc_has_perm(tsec->sid, tsid,
1825                                              SECCLASS_FILE, av, NULL);
1826         }
1827
1828         return error;
1829 }
1830
1831 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1832 {
1833         int rc = 0;
1834
1835         if (!sb)
1836                 return 0;
1837
1838         switch (cmds) {
1839         case Q_SYNC:
1840         case Q_QUOTAON:
1841         case Q_QUOTAOFF:
1842         case Q_SETINFO:
1843         case Q_SETQUOTA:
1844                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1845                                          NULL);
1846                 break;
1847         case Q_GETFMT:
1848         case Q_GETINFO:
1849         case Q_GETQUOTA:
1850                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1851                                          NULL);
1852                 break;
1853         default:
1854                 rc = 0;  /* let the kernel handle invalid cmds */
1855                 break;
1856         }
1857         return rc;
1858 }
1859
1860 static int selinux_quota_on(struct dentry *dentry)
1861 {
1862         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1863 }
1864
1865 static int selinux_syslog(int type)
1866 {
1867         int rc;
1868
1869         rc = secondary_ops->syslog(type);
1870         if (rc)
1871                 return rc;
1872
1873         switch (type) {
1874         case 3:         /* Read last kernel messages */
1875         case 10:        /* Return size of the log buffer */
1876                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1877                 break;
1878         case 6:         /* Disable logging to console */
1879         case 7:         /* Enable logging to console */
1880         case 8:         /* Set level of messages printed to console */
1881                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1882                 break;
1883         case 0:         /* Close log */
1884         case 1:         /* Open log */
1885         case 2:         /* Read from log */
1886         case 4:         /* Read/clear last kernel messages */
1887         case 5:         /* Clear ring buffer */
1888         default:
1889                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1890                 break;
1891         }
1892         return rc;
1893 }
1894
1895 /*
1896  * Check that a process has enough memory to allocate a new virtual
1897  * mapping. 0 means there is enough memory for the allocation to
1898  * succeed and -ENOMEM implies there is not.
1899  *
1900  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1901  * if the capability is granted, but __vm_enough_memory requires 1 if
1902  * the capability is granted.
1903  *
1904  * Do not audit the selinux permission check, as this is applied to all
1905  * processes that allocate mappings.
1906  */
1907 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1908 {
1909         int rc, cap_sys_admin = 0;
1910         struct task_security_struct *tsec = current->security;
1911
1912         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1913         if (rc == 0)
1914                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1915                                           SECCLASS_CAPABILITY,
1916                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1917                                           0,
1918                                           NULL);
1919
1920         if (rc == 0)
1921                 cap_sys_admin = 1;
1922
1923         return __vm_enough_memory(mm, pages, cap_sys_admin);
1924 }
1925
1926 /**
1927  * task_tracer_task - return the task that is tracing the given task
1928  * @task:               task to consider
1929  *
1930  * Returns NULL if noone is tracing @task, or the &struct task_struct
1931  * pointer to its tracer.
1932  *
1933  * Must be called under rcu_read_lock().
1934  */
1935 static struct task_struct *task_tracer_task(struct task_struct *task)
1936 {
1937         if (task->ptrace & PT_PTRACED)
1938                 return rcu_dereference(task->parent);
1939         return NULL;
1940 }
1941
1942 /* binprm security operations */
1943
1944 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1945 {
1946         struct bprm_security_struct *bsec;
1947
1948         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1949         if (!bsec)
1950                 return -ENOMEM;
1951
1952         bsec->sid = SECINITSID_UNLABELED;
1953         bsec->set = 0;
1954
1955         bprm->security = bsec;
1956         return 0;
1957 }
1958
1959 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1960 {
1961         struct task_security_struct *tsec;
1962         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1963         struct inode_security_struct *isec;
1964         struct bprm_security_struct *bsec;
1965         u32 newsid;
1966         struct avc_audit_data ad;
1967         int rc;
1968
1969         rc = secondary_ops->bprm_set_security(bprm);
1970         if (rc)
1971                 return rc;
1972
1973         bsec = bprm->security;
1974
1975         if (bsec->set)
1976                 return 0;
1977
1978         tsec = current->security;
1979         isec = inode->i_security;
1980
1981         /* Default to the current task SID. */
1982         bsec->sid = tsec->sid;
1983
1984         /* Reset fs, key, and sock SIDs on execve. */
1985         tsec->create_sid = 0;
1986         tsec->keycreate_sid = 0;
1987         tsec->sockcreate_sid = 0;
1988
1989         if (tsec->exec_sid) {
1990                 newsid = tsec->exec_sid;
1991                 /* Reset exec SID on execve. */
1992                 tsec->exec_sid = 0;
1993         } else {
1994                 /* Check for a default transition on this program. */
1995                 rc = security_transition_sid(tsec->sid, isec->sid,
1996                                              SECCLASS_PROCESS, &newsid);
1997                 if (rc)
1998                         return rc;
1999         }
2000
2001         AVC_AUDIT_DATA_INIT(&ad, FS);
2002         ad.u.fs.path = bprm->file->f_path;
2003
2004         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2005                 newsid = tsec->sid;
2006
2007         if (tsec->sid == newsid) {
2008                 rc = avc_has_perm(tsec->sid, isec->sid,
2009                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2010                 if (rc)
2011                         return rc;
2012         } else {
2013                 /* Check permissions for the transition. */
2014                 rc = avc_has_perm(tsec->sid, newsid,
2015                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2016                 if (rc)
2017                         return rc;
2018
2019                 rc = avc_has_perm(newsid, isec->sid,
2020                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2021                 if (rc)
2022                         return rc;
2023
2024                 /* Clear any possibly unsafe personality bits on exec: */
2025                 current->personality &= ~PER_CLEAR_ON_SETID;
2026
2027                 /* Set the security field to the new SID. */
2028                 bsec->sid = newsid;
2029         }
2030
2031         bsec->set = 1;
2032         return 0;
2033 }
2034
2035 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2036 {
2037         return secondary_ops->bprm_check_security(bprm);
2038 }
2039
2040
2041 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2042 {
2043         struct task_security_struct *tsec = current->security;
2044         int atsecure = 0;
2045
2046         if (tsec->osid != tsec->sid) {
2047                 /* Enable secure mode for SIDs transitions unless
2048                    the noatsecure permission is granted between
2049                    the two SIDs, i.e. ahp returns 0. */
2050                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2051                                          SECCLASS_PROCESS,
2052                                          PROCESS__NOATSECURE, NULL);
2053         }
2054
2055         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2056 }
2057
2058 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2059 {
2060         kfree(bprm->security);
2061         bprm->security = NULL;
2062 }
2063
2064 extern struct vfsmount *selinuxfs_mount;
2065 extern struct dentry *selinux_null;
2066
2067 /* Derived from fs/exec.c:flush_old_files. */
2068 static inline void flush_unauthorized_files(struct files_struct *files)
2069 {
2070         struct avc_audit_data ad;
2071         struct file *file, *devnull = NULL;
2072         struct tty_struct *tty;
2073         struct fdtable *fdt;
2074         long j = -1;
2075         int drop_tty = 0;
2076
2077         mutex_lock(&tty_mutex);
2078         tty = get_current_tty();
2079         if (tty) {
2080                 file_list_lock();
2081                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2082                 if (file) {
2083                         /* Revalidate access to controlling tty.
2084                            Use inode_has_perm on the tty inode directly rather
2085                            than using file_has_perm, as this particular open
2086                            file may belong to another process and we are only
2087                            interested in the inode-based check here. */
2088                         struct inode *inode = file->f_path.dentry->d_inode;
2089                         if (inode_has_perm(current, inode,
2090                                            FILE__READ | FILE__WRITE, NULL)) {
2091                                 drop_tty = 1;
2092                         }
2093                 }
2094                 file_list_unlock();
2095         }
2096         mutex_unlock(&tty_mutex);
2097         /* Reset controlling tty. */
2098         if (drop_tty)
2099                 no_tty();
2100
2101         /* Revalidate access to inherited open files. */
2102
2103         AVC_AUDIT_DATA_INIT(&ad, FS);
2104
2105         spin_lock(&files->file_lock);
2106         for (;;) {
2107                 unsigned long set, i;
2108                 int fd;
2109
2110                 j++;
2111                 i = j * __NFDBITS;
2112                 fdt = files_fdtable(files);
2113                 if (i >= fdt->max_fds)
2114                         break;
2115                 set = fdt->open_fds->fds_bits[j];
2116                 if (!set)
2117                         continue;
2118                 spin_unlock(&files->file_lock);
2119                 for ( ; set ; i++, set >>= 1) {
2120                         if (set & 1) {
2121                                 file = fget(i);
2122                                 if (!file)
2123                                         continue;
2124                                 if (file_has_perm(current,
2125                                                   file,
2126                                                   file_to_av(file))) {
2127                                         sys_close(i);
2128                                         fd = get_unused_fd();
2129                                         if (fd != i) {
2130                                                 if (fd >= 0)
2131                                                         put_unused_fd(fd);
2132                                                 fput(file);
2133                                                 continue;
2134                                         }
2135                                         if (devnull) {
2136                                                 get_file(devnull);
2137                                         } else {
2138                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2139                                                 if (IS_ERR(devnull)) {
2140                                                         devnull = NULL;
2141                                                         put_unused_fd(fd);
2142                                                         fput(file);
2143                                                         continue;
2144                                                 }
2145                                         }
2146                                         fd_install(fd, devnull);
2147                                 }
2148                                 fput(file);
2149                         }
2150                 }
2151                 spin_lock(&files->file_lock);
2152
2153         }
2154         spin_unlock(&files->file_lock);
2155 }
2156
2157 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2158 {
2159         struct task_security_struct *tsec;
2160         struct bprm_security_struct *bsec;
2161         u32 sid;
2162         int rc;
2163
2164         secondary_ops->bprm_apply_creds(bprm, unsafe);
2165
2166         tsec = current->security;
2167
2168         bsec = bprm->security;
2169         sid = bsec->sid;
2170
2171         tsec->osid = tsec->sid;
2172         bsec->unsafe = 0;
2173         if (tsec->sid != sid) {
2174                 /* Check for shared state.  If not ok, leave SID
2175                    unchanged and kill. */
2176                 if (unsafe & LSM_UNSAFE_SHARE) {
2177                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2178                                         PROCESS__SHARE, NULL);
2179                         if (rc) {
2180                                 bsec->unsafe = 1;
2181                                 return;
2182                         }
2183                 }
2184
2185                 /* Check for ptracing, and update the task SID if ok.
2186                    Otherwise, leave SID unchanged and kill. */
2187                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2188                         struct task_struct *tracer;
2189                         struct task_security_struct *sec;
2190                         u32 ptsid = 0;
2191
2192                         rcu_read_lock();
2193                         tracer = task_tracer_task(current);
2194                         if (likely(tracer != NULL)) {
2195                                 sec = tracer->security;
2196                                 ptsid = sec->sid;
2197                         }
2198                         rcu_read_unlock();
2199
2200                         if (ptsid != 0) {
2201                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2202                                                   PROCESS__PTRACE, NULL);
2203                                 if (rc) {
2204                                         bsec->unsafe = 1;
2205                                         return;
2206                                 }
2207                         }
2208                 }
2209                 tsec->sid = sid;
2210         }
2211 }
2212
2213 /*
2214  * called after apply_creds without the task lock held
2215  */
2216 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2217 {
2218         struct task_security_struct *tsec;
2219         struct rlimit *rlim, *initrlim;
2220         struct itimerval itimer;
2221         struct bprm_security_struct *bsec;
2222         int rc, i;
2223
2224         tsec = current->security;
2225         bsec = bprm->security;
2226
2227         if (bsec->unsafe) {
2228                 force_sig_specific(SIGKILL, current);
2229                 return;
2230         }
2231         if (tsec->osid == tsec->sid)
2232                 return;
2233
2234         /* Close files for which the new task SID is not authorized. */
2235         flush_unauthorized_files(current->files);
2236
2237         /* Check whether the new SID can inherit signal state
2238            from the old SID.  If not, clear itimers to avoid
2239            subsequent signal generation and flush and unblock
2240            signals. This must occur _after_ the task SID has
2241           been updated so that any kill done after the flush
2242           will be checked against the new SID. */
2243         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2244                           PROCESS__SIGINH, NULL);
2245         if (rc) {
2246                 memset(&itimer, 0, sizeof itimer);
2247                 for (i = 0; i < 3; i++)
2248                         do_setitimer(i, &itimer, NULL);
2249                 flush_signals(current);
2250                 spin_lock_irq(&current->sighand->siglock);
2251                 flush_signal_handlers(current, 1);
2252                 sigemptyset(&current->blocked);
2253                 recalc_sigpending();
2254                 spin_unlock_irq(&current->sighand->siglock);
2255         }
2256
2257         /* Always clear parent death signal on SID transitions. */
2258         current->pdeath_signal = 0;
2259
2260         /* Check whether the new SID can inherit resource limits
2261            from the old SID.  If not, reset all soft limits to
2262            the lower of the current task's hard limit and the init
2263            task's soft limit.  Note that the setting of hard limits
2264            (even to lower them) can be controlled by the setrlimit
2265            check. The inclusion of the init task's soft limit into
2266            the computation is to avoid resetting soft limits higher
2267            than the default soft limit for cases where the default
2268            is lower than the hard limit, e.g. RLIMIT_CORE or
2269            RLIMIT_STACK.*/
2270         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2271                           PROCESS__RLIMITINH, NULL);
2272         if (rc) {
2273                 for (i = 0; i < RLIM_NLIMITS; i++) {
2274                         rlim = current->signal->rlim + i;
2275                         initrlim = init_task.signal->rlim+i;
2276                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2277                 }
2278                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2279                         /*
2280                          * This will cause RLIMIT_CPU calculations
2281                          * to be refigured.
2282                          */
2283                         current->it_prof_expires = jiffies_to_cputime(1);
2284                 }
2285         }
2286
2287         /* Wake up the parent if it is waiting so that it can
2288            recheck wait permission to the new task SID. */
2289         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2290 }
2291
2292 /* superblock security operations */
2293
2294 static int selinux_sb_alloc_security(struct super_block *sb)
2295 {
2296         return superblock_alloc_security(sb);
2297 }
2298
2299 static void selinux_sb_free_security(struct super_block *sb)
2300 {
2301         superblock_free_security(sb);
2302 }
2303
2304 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2305 {
2306         if (plen > olen)
2307                 return 0;
2308
2309         return !memcmp(prefix, option, plen);
2310 }
2311
2312 static inline int selinux_option(char *option, int len)
2313 {
2314         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2315                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2316                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2317                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2318 }
2319
2320 static inline void take_option(char **to, char *from, int *first, int len)
2321 {
2322         if (!*first) {
2323                 **to = ',';
2324                 *to += 1;
2325         } else
2326                 *first = 0;
2327         memcpy(*to, from, len);
2328         *to += len;
2329 }
2330
2331 static inline void take_selinux_option(char **to, char *from, int *first,
2332                                        int len)
2333 {
2334         int current_size = 0;
2335
2336         if (!*first) {
2337                 **to = '|';
2338                 *to += 1;
2339         } else
2340                 *first = 0;
2341
2342         while (current_size < len) {
2343                 if (*from != '"') {
2344                         **to = *from;
2345                         *to += 1;
2346                 }
2347                 from += 1;
2348                 current_size += 1;
2349         }
2350 }
2351
2352 static int selinux_sb_copy_data(char *orig, char *copy)
2353 {
2354         int fnosec, fsec, rc = 0;
2355         char *in_save, *in_curr, *in_end;
2356         char *sec_curr, *nosec_save, *nosec;
2357         int open_quote = 0;
2358
2359         in_curr = orig;
2360         sec_curr = copy;
2361
2362         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2363         if (!nosec) {
2364                 rc = -ENOMEM;
2365                 goto out;
2366         }
2367
2368         nosec_save = nosec;
2369         fnosec = fsec = 1;
2370         in_save = in_end = orig;
2371
2372         do {
2373                 if (*in_end == '"')
2374                         open_quote = !open_quote;
2375                 if ((*in_end == ',' && open_quote == 0) ||
2376                                 *in_end == '\0') {
2377                         int len = in_end - in_curr;
2378
2379                         if (selinux_option(in_curr, len))
2380                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2381                         else
2382                                 take_option(&nosec, in_curr, &fnosec, len);
2383
2384                         in_curr = in_end + 1;
2385                 }
2386         } while (*in_end++);
2387
2388         strcpy(in_save, nosec_save);
2389         free_page((unsigned long)nosec_save);
2390 out:
2391         return rc;
2392 }
2393
2394 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2395 {
2396         struct avc_audit_data ad;
2397         int rc;
2398
2399         rc = superblock_doinit(sb, data);
2400         if (rc)
2401                 return rc;
2402
2403         AVC_AUDIT_DATA_INIT(&ad, FS);
2404         ad.u.fs.path.dentry = sb->s_root;
2405         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2406 }
2407
2408 static int selinux_sb_statfs(struct dentry *dentry)
2409 {
2410         struct avc_audit_data ad;
2411
2412         AVC_AUDIT_DATA_INIT(&ad, FS);
2413         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2414         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2415 }
2416
2417 static int selinux_mount(char *dev_name,
2418                          struct path *path,
2419                          char *type,
2420                          unsigned long flags,
2421                          void *data)
2422 {
2423         int rc;
2424
2425         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2426         if (rc)
2427                 return rc;
2428
2429         if (flags & MS_REMOUNT)
2430                 return superblock_has_perm(current, path->mnt->mnt_sb,
2431                                            FILESYSTEM__REMOUNT, NULL);
2432         else
2433                 return dentry_has_perm(current, path->mnt, path->dentry,
2434                                        FILE__MOUNTON);
2435 }
2436
2437 static int selinux_umount(struct vfsmount *mnt, int flags)
2438 {
2439         int rc;
2440
2441         rc = secondary_ops->sb_umount(mnt, flags);
2442         if (rc)
2443                 return rc;
2444
2445         return superblock_has_perm(current, mnt->mnt_sb,
2446                                    FILESYSTEM__UNMOUNT, NULL);
2447 }
2448
2449 /* inode security operations */
2450
2451 static int selinux_inode_alloc_security(struct inode *inode)
2452 {
2453         return inode_alloc_security(inode);
2454 }
2455
2456 static void selinux_inode_free_security(struct inode *inode)
2457 {
2458         inode_free_security(inode);
2459 }
2460
2461 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2462                                        char **name, void **value,
2463                                        size_t *len)
2464 {
2465         struct task_security_struct *tsec;
2466         struct inode_security_struct *dsec;
2467         struct superblock_security_struct *sbsec;
2468         u32 newsid, clen;
2469         int rc;
2470         char *namep = NULL, *context;
2471
2472         tsec = current->security;
2473         dsec = dir->i_security;
2474         sbsec = dir->i_sb->s_security;
2475
2476         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2477                 newsid = tsec->create_sid;
2478         } else {
2479                 rc = security_transition_sid(tsec->sid, dsec->sid,
2480                                              inode_mode_to_security_class(inode->i_mode),
2481                                              &newsid);
2482                 if (rc) {
2483                         printk(KERN_WARNING "%s:  "
2484                                "security_transition_sid failed, rc=%d (dev=%s "
2485                                "ino=%ld)\n",
2486                                __func__,
2487                                -rc, inode->i_sb->s_id, inode->i_ino);
2488                         return rc;
2489                 }
2490         }
2491
2492         /* Possibly defer initialization to selinux_complete_init. */
2493         if (sbsec->initialized) {
2494                 struct inode_security_struct *isec = inode->i_security;
2495                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2496                 isec->sid = newsid;
2497                 isec->initialized = 1;
2498         }
2499
2500         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2501                 return -EOPNOTSUPP;
2502
2503         if (name) {
2504                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2505                 if (!namep)
2506                         return -ENOMEM;
2507                 *name = namep;
2508         }
2509
2510         if (value && len) {
2511                 rc = security_sid_to_context_force(newsid, &context, &clen);
2512                 if (rc) {
2513                         kfree(namep);
2514                         return rc;
2515                 }
2516                 *value = context;
2517                 *len = clen;
2518         }
2519
2520         return 0;
2521 }
2522
2523 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2524 {
2525         return may_create(dir, dentry, SECCLASS_FILE);
2526 }
2527
2528 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2529 {
2530         int rc;
2531
2532         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2533         if (rc)
2534                 return rc;
2535         return may_link(dir, old_dentry, MAY_LINK);
2536 }
2537
2538 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2539 {
2540         int rc;
2541
2542         rc = secondary_ops->inode_unlink(dir, dentry);
2543         if (rc)
2544                 return rc;
2545         return may_link(dir, dentry, MAY_UNLINK);
2546 }
2547
2548 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2549 {
2550         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2551 }
2552
2553 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2554 {
2555         return may_create(dir, dentry, SECCLASS_DIR);
2556 }
2557
2558 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2559 {
2560         return may_link(dir, dentry, MAY_RMDIR);
2561 }
2562
2563 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2564 {
2565         int rc;
2566
2567         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2568         if (rc)
2569                 return rc;
2570
2571         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2572 }
2573
2574 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2575                                 struct inode *new_inode, struct dentry *new_dentry)
2576 {
2577         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2578 }
2579
2580 static int selinux_inode_readlink(struct dentry *dentry)
2581 {
2582         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2583 }
2584
2585 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2586 {
2587         int rc;
2588
2589         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2590         if (rc)
2591                 return rc;
2592         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2593 }
2594
2595 static int selinux_inode_permission(struct inode *inode, int mask,
2596                                     struct nameidata *nd)
2597 {
2598         int rc;
2599
2600         rc = secondary_ops->inode_permission(inode, mask, nd);
2601         if (rc)
2602                 return rc;
2603
2604         if (!mask) {
2605                 /* No permission to check.  Existence test. */
2606                 return 0;
2607         }
2608
2609         return inode_has_perm(current, inode,
2610                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2611 }
2612
2613 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2614 {
2615         int rc;
2616
2617         rc = secondary_ops->inode_setattr(dentry, iattr);
2618         if (rc)
2619                 return rc;
2620
2621         if (iattr->ia_valid & ATTR_FORCE)
2622                 return 0;
2623
2624         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2625                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2626                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2627
2628         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2629 }
2630
2631 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2632 {
2633         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2634 }
2635
2636 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2637 {
2638         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2639                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2640                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2641                         if (!capable(CAP_SETFCAP))
2642                                 return -EPERM;
2643                 } else if (!capable(CAP_SYS_ADMIN)) {
2644                         /* A different attribute in the security namespace.
2645                            Restrict to administrator. */
2646                         return -EPERM;
2647                 }
2648         }
2649
2650         /* Not an attribute we recognize, so just check the
2651            ordinary setattr permission. */
2652         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2653 }
2654
2655 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2656                                   const void *value, size_t size, int flags)
2657 {
2658         struct task_security_struct *tsec = current->security;
2659         struct inode *inode = dentry->d_inode;
2660         struct inode_security_struct *isec = inode->i_security;
2661         struct superblock_security_struct *sbsec;
2662         struct avc_audit_data ad;
2663         u32 newsid;
2664         int rc = 0;
2665
2666         if (strcmp(name, XATTR_NAME_SELINUX))
2667                 return selinux_inode_setotherxattr(dentry, name);
2668
2669         sbsec = inode->i_sb->s_security;
2670         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2671                 return -EOPNOTSUPP;
2672
2673         if (!is_owner_or_cap(inode))
2674                 return -EPERM;
2675
2676         AVC_AUDIT_DATA_INIT(&ad, FS);
2677         ad.u.fs.path.dentry = dentry;
2678
2679         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2680                           FILE__RELABELFROM, &ad);
2681         if (rc)
2682                 return rc;
2683
2684         rc = security_context_to_sid(value, size, &newsid);
2685         if (rc == -EINVAL) {
2686                 if (!capable(CAP_MAC_ADMIN))
2687                         return rc;
2688                 rc = security_context_to_sid_force(value, size, &newsid);
2689         }
2690         if (rc)
2691                 return rc;
2692
2693         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2694                           FILE__RELABELTO, &ad);
2695         if (rc)
2696                 return rc;
2697
2698         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2699                                           isec->sclass);
2700         if (rc)
2701                 return rc;
2702
2703         return avc_has_perm(newsid,
2704                             sbsec->sid,
2705                             SECCLASS_FILESYSTEM,
2706                             FILESYSTEM__ASSOCIATE,
2707                             &ad);
2708 }
2709
2710 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2711                                         const void *value, size_t size,
2712                                         int flags)
2713 {
2714         struct inode *inode = dentry->d_inode;
2715         struct inode_security_struct *isec = inode->i_security;
2716         u32 newsid;
2717         int rc;
2718
2719         if (strcmp(name, XATTR_NAME_SELINUX)) {
2720                 /* Not an attribute we recognize, so nothing to do. */
2721                 return;
2722         }
2723
2724         rc = security_context_to_sid_force(value, size, &newsid);
2725         if (rc) {
2726                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2727                        "for (%s, %lu), rc=%d\n",
2728                        inode->i_sb->s_id, inode->i_ino, -rc);
2729                 return;
2730         }
2731
2732         isec->sid = newsid;
2733         return;
2734 }
2735
2736 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2737 {
2738         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2739 }
2740
2741 static int selinux_inode_listxattr(struct dentry *dentry)
2742 {
2743         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2744 }
2745
2746 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2747 {
2748         if (strcmp(name, XATTR_NAME_SELINUX))
2749                 return selinux_inode_setotherxattr(dentry, name);
2750
2751         /* No one is allowed to remove a SELinux security label.
2752            You can change the label, but all data must be labeled. */
2753         return -EACCES;
2754 }
2755
2756 /*
2757  * Copy the in-core inode security context value to the user.  If the
2758  * getxattr() prior to this succeeded, check to see if we need to
2759  * canonicalize the value to be finally returned to the user.
2760  *
2761  * Permission check is handled by selinux_inode_getxattr hook.
2762  */
2763 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2764 {
2765         u32 size;
2766         int error;
2767         char *context = NULL;
2768         struct inode_security_struct *isec = inode->i_security;
2769
2770         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2771                 return -EOPNOTSUPP;
2772
2773         error = security_sid_to_context(isec->sid, &context, &size);
2774         if (error)
2775                 return error;
2776         error = size;
2777         if (alloc) {
2778                 *buffer = context;
2779                 goto out_nofree;
2780         }
2781         kfree(context);
2782 out_nofree:
2783         return error;
2784 }
2785
2786 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2787                                      const void *value, size_t size, int flags)
2788 {
2789         struct inode_security_struct *isec = inode->i_security;
2790         u32 newsid;
2791         int rc;
2792
2793         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2794                 return -EOPNOTSUPP;
2795
2796         if (!value || !size)
2797                 return -EACCES;
2798
2799         rc = security_context_to_sid((void *)value, size, &newsid);
2800         if (rc)
2801                 return rc;
2802
2803         isec->sid = newsid;
2804         return 0;
2805 }
2806
2807 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2808 {
2809         const int len = sizeof(XATTR_NAME_SELINUX);
2810         if (buffer && len <= buffer_size)
2811                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2812         return len;
2813 }
2814
2815 static int selinux_inode_need_killpriv(struct dentry *dentry)
2816 {
2817         return secondary_ops->inode_need_killpriv(dentry);
2818 }
2819
2820 static int selinux_inode_killpriv(struct dentry *dentry)
2821 {
2822         return secondary_ops->inode_killpriv(dentry);
2823 }
2824
2825 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2826 {
2827         struct inode_security_struct *isec = inode->i_security;
2828         *secid = isec->sid;
2829 }
2830
2831 /* file security operations */
2832
2833 static int selinux_revalidate_file_permission(struct file *file, int mask)
2834 {
2835         int rc;
2836         struct inode *inode = file->f_path.dentry->d_inode;
2837
2838         if (!mask) {
2839                 /* No permission to check.  Existence test. */
2840                 return 0;
2841         }
2842
2843         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2844         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2845                 mask |= MAY_APPEND;
2846
2847         rc = file_has_perm(current, file,
2848                            file_mask_to_av(inode->i_mode, mask));
2849         if (rc)
2850                 return rc;
2851
2852         return selinux_netlbl_inode_permission(inode, mask);
2853 }
2854
2855 static int selinux_file_permission(struct file *file, int mask)
2856 {
2857         struct inode *inode = file->f_path.dentry->d_inode;
2858         struct task_security_struct *tsec = current->security;
2859         struct file_security_struct *fsec = file->f_security;
2860         struct inode_security_struct *isec = inode->i_security;
2861
2862         if (!mask) {
2863                 /* No permission to check.  Existence test. */
2864                 return 0;
2865         }
2866
2867         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2868             && fsec->pseqno == avc_policy_seqno())
2869                 return selinux_netlbl_inode_permission(inode, mask);
2870
2871         return selinux_revalidate_file_permission(file, mask);
2872 }
2873
2874 static int selinux_file_alloc_security(struct file *file)
2875 {
2876         return file_alloc_security(file);
2877 }
2878
2879 static void selinux_file_free_security(struct file *file)
2880 {
2881         file_free_security(file);
2882 }
2883
2884 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2885                               unsigned long arg)
2886 {
2887         int error = 0;
2888
2889         switch (cmd) {
2890         case FIONREAD:
2891         /* fall through */
2892         case FIBMAP:
2893         /* fall through */
2894         case FIGETBSZ:
2895         /* fall through */
2896         case EXT2_IOC_GETFLAGS:
2897         /* fall through */
2898         case EXT2_IOC_GETVERSION:
2899                 error = file_has_perm(current, file, FILE__GETATTR);
2900                 break;
2901
2902         case EXT2_IOC_SETFLAGS:
2903         /* fall through */
2904         case EXT2_IOC_SETVERSION:
2905                 error = file_has_perm(current, file, FILE__SETATTR);
2906                 break;
2907
2908         /* sys_ioctl() checks */
2909         case FIONBIO:
2910         /* fall through */
2911         case FIOASYNC:
2912                 error = file_has_perm(current, file, 0);
2913                 break;
2914
2915         case KDSKBENT:
2916         case KDSKBSENT:
2917                 error = task_has_capability(current, CAP_SYS_TTY_CONFIG);
2918                 break;
2919
2920         /* default case assumes that the command will go
2921          * to the file's ioctl() function.
2922          */
2923         default:
2924                 error = file_has_perm(current, file, FILE__IOCTL);
2925         }
2926         return error;
2927 }
2928
2929 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2930 {
2931 #ifndef CONFIG_PPC32
2932         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2933                 /*
2934                  * We are making executable an anonymous mapping or a
2935                  * private file mapping that will also be writable.
2936                  * This has an additional check.
2937                  */
2938                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2939                 if (rc)
2940                         return rc;
2941         }
2942 #endif
2943
2944         if (file) {
2945                 /* read access is always possible with a mapping */
2946                 u32 av = FILE__READ;
2947
2948                 /* write access only matters if the mapping is shared */
2949                 if (shared && (prot & PROT_WRITE))
2950                         av |= FILE__WRITE;
2951
2952                 if (prot & PROT_EXEC)
2953                         av |= FILE__EXECUTE;
2954
2955                 return file_has_perm(current, file, av);
2956         }
2957         return 0;
2958 }
2959
2960 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2961                              unsigned long prot, unsigned long flags,
2962                              unsigned long addr, unsigned long addr_only)
2963 {
2964         int rc = 0;
2965         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2966
2967         if (addr < mmap_min_addr)
2968                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2969                                   MEMPROTECT__MMAP_ZERO, NULL);
2970         if (rc || addr_only)
2971                 return rc;
2972
2973         if (selinux_checkreqprot)
2974                 prot = reqprot;
2975
2976         return file_map_prot_check(file, prot,
2977                                    (flags & MAP_TYPE) == MAP_SHARED);
2978 }
2979
2980 static int selinux_file_mprotect(struct vm_area_struct *vma,
2981                                  unsigned long reqprot,
2982                                  unsigned long prot)
2983 {
2984         int rc;
2985
2986         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2987         if (rc)
2988                 return rc;
2989
2990         if (selinux_checkreqprot)
2991                 prot = reqprot;
2992
2993 #ifndef CONFIG_PPC32
2994         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2995                 rc = 0;
2996                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2997                     vma->vm_end <= vma->vm_mm->brk) {
2998                         rc = task_has_perm(current, current,
2999                                            PROCESS__EXECHEAP);
3000                 } else if (!vma->vm_file &&
3001                            vma->vm_start <= vma->vm_mm->start_stack &&
3002                            vma->vm_end >= vma->vm_mm->start_stack) {
3003                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3004                 } else if (vma->vm_file && vma->anon_vma) {
3005                         /*
3006                          * We are making executable a file mapping that has
3007                          * had some COW done. Since pages might have been
3008                          * written, check ability to execute the possibly
3009                          * modified content.  This typically should only
3010                          * occur for text relocations.
3011                          */
3012                         rc = file_has_perm(current, vma->vm_file,
3013                                            FILE__EXECMOD);
3014                 }
3015                 if (rc)
3016                         return rc;
3017         }
3018 #endif
3019
3020         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3021 }
3022
3023 static int selinux_file_lock(struct file *file, unsigned int cmd)
3024 {
3025         return file_has_perm(current, file, FILE__LOCK);
3026 }
3027
3028 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3029                               unsigned long arg)
3030 {
3031         int err = 0;
3032
3033         switch (cmd) {
3034         case F_SETFL:
3035                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3036                         err = -EINVAL;
3037                         break;
3038                 }
3039
3040                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3041                         err = file_has_perm(current, file, FILE__WRITE);
3042                         break;
3043                 }
3044                 /* fall through */
3045         case F_SETOWN:
3046         case F_SETSIG:
3047         case F_GETFL:
3048         case F_GETOWN:
3049         case F_GETSIG:
3050                 /* Just check FD__USE permission */
3051                 err = file_has_perm(current, file, 0);
3052                 break;
3053         case F_GETLK:
3054         case F_SETLK:
3055         case F_SETLKW:
3056 #if BITS_PER_LONG == 32
3057         case F_GETLK64:
3058         case F_SETLK64:
3059         case F_SETLKW64:
3060 #endif
3061                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3062                         err = -EINVAL;
3063                         break;
3064                 }
3065                 err = file_has_perm(current, file, FILE__LOCK);
3066                 break;
3067         }
3068
3069         return err;
3070 }
3071
3072 static int selinux_file_set_fowner(struct file *file)
3073 {
3074         struct task_security_struct *tsec;
3075         struct file_security_struct *fsec;
3076
3077         tsec = current->security;
3078         fsec = file->f_security;
3079         fsec->fown_sid = tsec->sid;
3080
3081         return 0;
3082 }
3083
3084 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3085                                        struct fown_struct *fown, int signum)
3086 {
3087         struct file *file;
3088         u32 perm;
3089         struct task_security_struct *tsec;
3090         struct file_security_struct *fsec;
3091
3092         /* struct fown_struct is never outside the context of a struct file */
3093         file = container_of(fown, struct file, f_owner);
3094
3095         tsec = tsk->security;
3096         fsec = file->f_security;
3097
3098         if (!signum)
3099                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3100         else
3101                 perm = signal_to_av(signum);
3102
3103         return avc_has_perm(fsec->fown_sid, tsec->sid,
3104                             SECCLASS_PROCESS, perm, NULL);
3105 }
3106
3107 static int selinux_file_receive(struct file *file)
3108 {
3109         return file_has_perm(current, file, file_to_av(file));
3110 }
3111
3112 static int selinux_dentry_open(struct file *file)
3113 {
3114         struct file_security_struct *fsec;
3115         struct inode *inode;
3116         struct inode_security_struct *isec;
3117         inode = file->f_path.dentry->d_inode;
3118         fsec = file->f_security;
3119         isec = inode->i_security;
3120         /*
3121          * Save inode label and policy sequence number
3122          * at open-time so that selinux_file_permission
3123          * can determine whether revalidation is necessary.
3124          * Task label is already saved in the file security
3125          * struct as its SID.
3126          */
3127         fsec->isid = isec->sid;
3128         fsec->pseqno = avc_policy_seqno();
3129         /*
3130          * Since the inode label or policy seqno may have changed
3131          * between the selinux_inode_permission check and the saving
3132          * of state above, recheck that access is still permitted.
3133          * Otherwise, access might never be revalidated against the
3134          * new inode label or new policy.
3135          * This check is not redundant - do not remove.
3136          */
3137         return inode_has_perm(current, inode, file_to_av(file), NULL);
3138 }
3139
3140 /* task security operations */
3141
3142 static int selinux_task_create(unsigned long clone_flags)
3143 {
3144         int rc;
3145
3146         rc = secondary_ops->task_create(clone_flags);
3147         if (rc)
3148                 return rc;
3149
3150         return task_has_perm(current, current, PROCESS__FORK);
3151 }
3152
3153 static int selinux_task_alloc_security(struct task_struct *tsk)
3154 {
3155         struct task_security_struct *tsec1, *tsec2;
3156         int rc;
3157
3158         tsec1 = current->security;
3159
3160         rc = task_alloc_security(tsk);
3161         if (rc)
3162                 return rc;
3163         tsec2 = tsk->security;
3164
3165         tsec2->osid = tsec1->osid;
3166         tsec2->sid = tsec1->sid;
3167
3168         /* Retain the exec, fs, key, and sock SIDs across fork */
3169         tsec2->exec_sid = tsec1->exec_sid;
3170         tsec2->create_sid = tsec1->create_sid;
3171         tsec2->keycreate_sid = tsec1->keycreate_sid;
3172         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3173
3174         return 0;
3175 }
3176
3177 static void selinux_task_free_security(struct task_struct *tsk)
3178 {
3179         task_free_security(tsk);
3180 }
3181
3182 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3183 {
3184         /* Since setuid only affects the current process, and
3185            since the SELinux controls are not based on the Linux
3186            identity attributes, SELinux does not need to control
3187            this operation.  However, SELinux does control the use
3188            of the CAP_SETUID and CAP_SETGID capabilities using the
3189            capable hook. */
3190         return 0;
3191 }
3192
3193 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3194 {
3195         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3196 }
3197
3198 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3199 {
3200         /* See the comment for setuid above. */
3201         return 0;
3202 }
3203
3204 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3205 {
3206         return task_has_perm(current, p, PROCESS__SETPGID);
3207 }
3208
3209 static int selinux_task_getpgid(struct task_struct *p)
3210 {
3211         return task_has_perm(current, p, PROCESS__GETPGID);
3212 }
3213
3214 static int selinux_task_getsid(struct task_struct *p)
3215 {
3216         return task_has_perm(current, p, PROCESS__GETSESSION);
3217 }
3218
3219 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3220 {
3221         struct task_security_struct *tsec = p->security;
3222         *secid = tsec->sid;
3223 }
3224
3225 static int selinux_task_setgroups(struct group_info *group_info)
3226 {
3227         /* See the comment for setuid above. */
3228         return 0;
3229 }
3230
3231 static int selinux_task_setnice(struct task_struct *p, int nice)
3232 {
3233         int rc;
3234
3235         rc = secondary_ops->task_setnice(p, nice);
3236         if (rc)
3237                 return rc;
3238
3239         return task_has_perm(current, p, PROCESS__SETSCHED);
3240 }
3241
3242 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3243 {
3244         int rc;
3245
3246         rc = secondary_ops->task_setioprio(p, ioprio);
3247         if (rc)
3248                 return rc;
3249
3250         return task_has_perm(current, p, PROCESS__SETSCHED);
3251 }
3252
3253 static int selinux_task_getioprio(struct task_struct *p)
3254 {
3255         return task_has_perm(current, p, PROCESS__GETSCHED);
3256 }
3257
3258 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3259 {
3260         struct rlimit *old_rlim = current->signal->rlim + resource;
3261         int rc;
3262
3263         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3264         if (rc)
3265                 return rc;
3266
3267         /* Control the ability to change the hard limit (whether
3268            lowering or raising it), so that the hard limit can
3269            later be used as a safe reset point for the soft limit
3270            upon context transitions. See selinux_bprm_apply_creds. */
3271         if (old_rlim->rlim_max != new_rlim->rlim_max)
3272                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3273
3274         return 0;
3275 }
3276
3277 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3278 {
3279         int rc;
3280
3281         rc = secondary_ops->task_setscheduler(p, policy, lp);
3282         if (rc)
3283                 return rc;
3284
3285         return task_has_perm(current, p, PROCESS__SETSCHED);
3286 }
3287
3288 static int selinux_task_getscheduler(struct task_struct *p)
3289 {
3290         return task_has_perm(current, p, PROCESS__GETSCHED);
3291 }
3292
3293 static int selinux_task_movememory(struct task_struct *p)
3294 {
3295         return task_has_perm(current, p, PROCESS__SETSCHED);
3296 }
3297
3298 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3299                                 int sig, u32 secid)
3300 {
3301         u32 perm;
3302         int rc;
3303         struct task_security_struct *tsec;
3304
3305         rc = secondary_ops->task_kill(p, info, sig, secid);
3306         if (rc)
3307                 return rc;
3308
3309         if (!sig)
3310                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3311         else
3312                 perm = signal_to_av(sig);
3313         tsec = p->security;
3314         if (secid)
3315                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3316         else
3317                 rc = task_has_perm(current, p, perm);
3318         return rc;
3319 }
3320
3321 static int selinux_task_prctl(int option,
3322                               unsigned long arg2,
3323                               unsigned long arg3,
3324                               unsigned long arg4,
3325                               unsigned long arg5,
3326                               long *rc_p)
3327 {
3328         /* The current prctl operations do not appear to require
3329            any SELinux controls since they merely observe or modify
3330            the state of the current process. */
3331         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3332 }
3333
3334 static int selinux_task_wait(struct task_struct *p)
3335 {
3336         return task_has_perm(p, current, PROCESS__SIGCHLD);
3337 }
3338
3339 static void selinux_task_reparent_to_init(struct task_struct *p)
3340 {
3341         struct task_security_struct *tsec;
3342
3343         secondary_ops->task_reparent_to_init(p);
3344
3345         tsec = p->security;
3346         tsec->osid = tsec->sid;
3347         tsec->sid = SECINITSID_KERNEL;
3348         return;
3349 }
3350
3351 static void selinux_task_to_inode(struct task_struct *p,
3352                                   struct inode *inode)
3353 {
3354         struct task_security_struct *tsec = p->security;
3355         struct inode_security_struct *isec = inode->i_security;
3356
3357         isec->sid = tsec->sid;
3358         isec->initialized = 1;
3359         return;
3360 }
3361
3362 /* Returns error only if unable to parse addresses */
3363 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3364                         struct avc_audit_data *ad, u8 *proto)
3365 {
3366         int offset, ihlen, ret = -EINVAL;
3367         struct iphdr _iph, *ih;
3368
3369         offset = skb_network_offset(skb);
3370         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3371         if (ih == NULL)
3372                 goto out;
3373
3374         ihlen = ih->ihl * 4;
3375         if (ihlen < sizeof(_iph))
3376                 goto out;
3377
3378         ad->u.net.v4info.saddr = ih->saddr;
3379         ad->u.net.v4info.daddr = ih->daddr;
3380         ret = 0;
3381
3382         if (proto)
3383                 *proto = ih->protocol;
3384
3385         switch (ih->protocol) {
3386         case IPPROTO_TCP: {
3387                 struct tcphdr _tcph, *th;
3388
3389                 if (ntohs(ih->frag_off) & IP_OFFSET)
3390                         break;
3391
3392                 offset += ihlen;
3393                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3394                 if (th == NULL)
3395                         break;
3396
3397                 ad->u.net.sport = th->source;
3398                 ad->u.net.dport = th->dest;
3399                 break;
3400         }
3401
3402         case IPPROTO_UDP: {
3403                 struct udphdr _udph, *uh;
3404
3405                 if (ntohs(ih->frag_off) & IP_OFFSET)
3406                         break;
3407
3408                 offset += ihlen;
3409                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3410                 if (uh == NULL)
3411                         break;
3412
3413                 ad->u.net.sport = uh->source;
3414                 ad->u.net.dport = uh->dest;
3415                 break;
3416         }
3417
3418         case IPPROTO_DCCP: {
3419                 struct dccp_hdr _dccph, *dh;
3420
3421                 if (ntohs(ih->frag_off) & IP_OFFSET)
3422                         break;
3423
3424                 offset += ihlen;
3425                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3426                 if (dh == NULL)
3427                         break;
3428
3429                 ad->u.net.sport = dh->dccph_sport;
3430                 ad->u.net.dport = dh->dccph_dport;
3431                 break;
3432         }
3433
3434         default:
3435                 break;
3436         }
3437 out:
3438         return ret;
3439 }
3440
3441 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3442
3443 /* Returns error only if unable to parse addresses */
3444 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3445                         struct avc_audit_data *ad, u8 *proto)
3446 {
3447         u8 nexthdr;
3448         int ret = -EINVAL, offset;
3449         struct ipv6hdr _ipv6h, *ip6;
3450
3451         offset = skb_network_offset(skb);
3452         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3453         if (ip6 == NULL)
3454                 goto out;
3455
3456         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3457         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3458         ret = 0;
3459
3460         nexthdr = ip6->nexthdr;
3461         offset += sizeof(_ipv6h);
3462         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3463         if (offset < 0)
3464                 goto out;
3465
3466         if (proto)
3467                 *proto = nexthdr;
3468
3469         switch (nexthdr) {
3470         case IPPROTO_TCP: {
3471                 struct tcphdr _tcph, *th;
3472
3473                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3474                 if (th == NULL)
3475                         break;
3476
3477                 ad->u.net.sport = th->source;
3478                 ad->u.net.dport = th->dest;
3479                 break;
3480         }
3481
3482         case IPPROTO_UDP: {
3483                 struct udphdr _udph, *uh;
3484
3485                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3486                 if (uh == NULL)
3487                         break;
3488
3489                 ad->u.net.sport = uh->source;
3490                 ad->u.net.dport = uh->dest;
3491                 break;
3492         }
3493
3494         case IPPROTO_DCCP: {
3495                 struct dccp_hdr _dccph, *dh;
3496
3497                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3498                 if (dh == NULL)
3499                         break;
3500
3501                 ad->u.net.sport = dh->dccph_sport;
3502                 ad->u.net.dport = dh->dccph_dport;
3503                 break;
3504         }
3505
3506         /* includes fragments */
3507         default:
3508                 break;
3509         }
3510 out:
3511         return ret;
3512 }
3513
3514 #endif /* IPV6 */
3515
3516 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3517                              char **addrp, int src, u8 *proto)
3518 {
3519         int ret = 0;
3520
3521         switch (ad->u.net.family) {
3522         case PF_INET:
3523                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3524                 if (ret || !addrp)
3525                         break;
3526                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3527                                         &ad->u.net.v4info.daddr);
3528                 break;
3529
3530 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3531         case PF_INET6:
3532                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3533                 if (ret || !addrp)
3534                         break;
3535                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3536                                         &ad->u.net.v6info.daddr);
3537                 break;
3538 #endif  /* IPV6 */
3539         default:
3540                 break;
3541         }
3542
3543         if (unlikely(ret))
3544                 printk(KERN_WARNING
3545                        "SELinux: failure in selinux_parse_skb(),"
3546                        " unable to parse packet\n");
3547
3548         return ret;
3549 }
3550
3551 /**
3552  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3553  * @skb: the packet
3554  * @family: protocol family
3555  * @sid: the packet's peer label SID
3556  *
3557  * Description:
3558  * Check the various different forms of network peer labeling and determine
3559  * the peer label/SID for the packet; most of the magic actually occurs in
3560  * the security server function security_net_peersid_cmp().  The function
3561  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3562  * or -EACCES if @sid is invalid due to inconsistencies with the different
3563  * peer labels.
3564  *
3565  */
3566 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3567 {
3568         int err;
3569         u32 xfrm_sid;
3570         u32 nlbl_sid;
3571         u32 nlbl_type;
3572
3573         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3574         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3575
3576         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3577         if (unlikely(err)) {
3578                 printk(KERN_WARNING
3579                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3580                        " unable to determine packet's peer label\n");
3581                 return -EACCES;
3582         }
3583
3584         return 0;
3585 }
3586
3587 /* socket security operations */
3588 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3589                            u32 perms)
3590 {
3591         struct inode_security_struct *isec;
3592         struct task_security_struct *tsec;
3593         struct avc_audit_data ad;
3594         int err = 0;
3595
3596         tsec = task->security;
3597         isec = SOCK_INODE(sock)->i_security;
3598
3599         if (isec->sid == SECINITSID_KERNEL)
3600                 goto out;
3601
3602         AVC_AUDIT_DATA_INIT(&ad, NET);
3603         ad.u.net.sk = sock->sk;
3604         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3605
3606 out:
3607         return err;
3608 }
3609
3610 static int selinux_socket_create(int family, int type,
3611                                  int protocol, int kern)
3612 {
3613         int err = 0;
3614         struct task_security_struct *tsec;
3615         u32 newsid;
3616
3617         if (kern)
3618                 goto out;
3619
3620         tsec = current->security;
3621         newsid = tsec->sockcreate_sid ? : tsec->sid;
3622         err = avc_has_perm(tsec->sid, newsid,
3623                            socket_type_to_security_class(family, type,
3624                            protocol), SOCKET__CREATE, NULL);
3625
3626 out:
3627         return err;
3628 }
3629
3630 static int selinux_socket_post_create(struct socket *sock, int family,
3631                                       int type, int protocol, int kern)
3632 {
3633         int err = 0;
3634         struct inode_security_struct *isec;
3635         struct task_security_struct *tsec;
3636         struct sk_security_struct *sksec;
3637         u32 newsid;
3638
3639         isec = SOCK_INODE(sock)->i_security;
3640
3641         tsec = current->security;
3642         newsid = tsec->sockcreate_sid ? : tsec->sid;
3643         isec->sclass = socket_type_to_security_class(family, type, protocol);
3644         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3645         isec->initialized = 1;
3646
3647         if (sock->sk) {
3648                 sksec = sock->sk->sk_security;
3649                 sksec->sid = isec->sid;
3650                 sksec->sclass = isec->sclass;
3651                 err = selinux_netlbl_socket_post_create(sock);
3652         }
3653
3654         return err;
3655 }
3656
3657 /* Range of port numbers used to automatically bind.
3658    Need to determine whether we should perform a name_bind
3659    permission check between the socket and the port number. */
3660
3661 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3662 {
3663         u16 family;
3664         int err;
3665
3666         err = socket_has_perm(current, sock, SOCKET__BIND);
3667         if (err)
3668                 goto out;
3669
3670         /*
3671          * If PF_INET or PF_INET6, check name_bind permission for the port.
3672          * Multiple address binding for SCTP is not supported yet: we just
3673          * check the first address now.
3674          */
3675         family = sock->sk->sk_family;
3676         if (family == PF_INET || family == PF_INET6) {
3677                 char *addrp;
3678                 struct inode_security_struct *isec;
3679                 struct task_security_struct *tsec;
3680                 struct avc_audit_data ad;
3681                 struct sockaddr_in *addr4 = NULL;
3682                 struct sockaddr_in6 *addr6 = NULL;
3683                 unsigned short snum;
3684                 struct sock *sk = sock->sk;
3685                 u32 sid, node_perm, addrlen;
3686
3687                 tsec = current->security;
3688                 isec = SOCK_INODE(sock)->i_security;
3689
3690                 if (family == PF_INET) {
3691                         addr4 = (struct sockaddr_in *)address;
3692                         snum = ntohs(addr4->sin_port);
3693                         addrlen = sizeof(addr4->sin_addr.s_addr);
3694                         addrp = (char *)&addr4->sin_addr.s_addr;
3695                 } else {
3696                         addr6 = (struct sockaddr_in6 *)address;
3697                         snum = ntohs(addr6->sin6_port);
3698                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3699                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3700                 }
3701
3702                 if (snum) {
3703                         int low, high;
3704
3705                         inet_get_local_port_range(&low, &high);
3706
3707                         if (snum < max(PROT_SOCK, low) || snum > high) {
3708                                 err = sel_netport_sid(sk->sk_protocol,
3709                                                       snum, &sid);
3710                                 if (err)
3711                                         goto out;
3712                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3713                                 ad.u.net.sport = htons(snum);
3714                                 ad.u.net.family = family;
3715                                 err = avc_has_perm(isec->sid, sid,
3716                                                    isec->sclass,
3717                                                    SOCKET__NAME_BIND, &ad);
3718                                 if (err)
3719                                         goto out;
3720                         }
3721                 }
3722
3723                 switch (isec->sclass) {
3724                 case SECCLASS_TCP_SOCKET:
3725                         node_perm = TCP_SOCKET__NODE_BIND;
3726                         break;
3727
3728                 case SECCLASS_UDP_SOCKET:
3729                         node_perm = UDP_SOCKET__NODE_BIND;
3730                         break;
3731
3732                 case SECCLASS_DCCP_SOCKET:
3733                         node_perm = DCCP_SOCKET__NODE_BIND;
3734                         break;
3735
3736                 default:
3737                         node_perm = RAWIP_SOCKET__NODE_BIND;
3738                         break;
3739                 }
3740
3741                 err = sel_netnode_sid(addrp, family, &sid);
3742                 if (err)
3743                         goto out;
3744
3745                 AVC_AUDIT_DATA_INIT(&ad, NET);
3746                 ad.u.net.sport = htons(snum);
3747                 ad.u.net.family = family;
3748
3749                 if (family == PF_INET)
3750                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3751                 else
3752                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3753
3754                 err = avc_has_perm(isec->sid, sid,
3755                                    isec->sclass, node_perm, &ad);
3756                 if (err)
3757                         goto out;
3758         }
3759 out:
3760         return err;
3761 }
3762
3763 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3764 {
3765         struct inode_security_struct *isec;
3766         int err;
3767
3768         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3769         if (err)
3770                 return err;
3771
3772         /*
3773          * If a TCP or DCCP socket, check name_connect permission for the port.
3774          */
3775         isec = SOCK_INODE(sock)->i_security;
3776         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3777             isec->sclass == SECCLASS_DCCP_SOCKET) {
3778                 struct sock *sk = sock->sk;
3779                 struct avc_audit_data ad;
3780                 struct sockaddr_in *addr4 = NULL;
3781                 struct sockaddr_in6 *addr6 = NULL;
3782                 unsigned short snum;
3783                 u32 sid, perm;
3784
3785                 if (sk->sk_family == PF_INET) {
3786                         addr4 = (struct sockaddr_in *)address;
3787                         if (addrlen < sizeof(struct sockaddr_in))
3788                                 return -EINVAL;
3789                         snum = ntohs(addr4->sin_port);
3790                 } else {
3791                         addr6 = (struct sockaddr_in6 *)address;
3792                         if (addrlen < SIN6_LEN_RFC2133)
3793                                 return -EINVAL;
3794                         snum = ntohs(addr6->sin6_port);
3795                 }
3796
3797                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3798                 if (err)
3799                         goto out;
3800
3801                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3802                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3803
3804                 AVC_AUDIT_DATA_INIT(&ad, NET);
3805                 ad.u.net.dport = htons(snum);
3806                 ad.u.net.family = sk->sk_family;
3807                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3808                 if (err)
3809                         goto out;
3810         }
3811
3812 out:
3813         return err;
3814 }
3815
3816 static int selinux_socket_listen(struct socket *sock, int backlog)
3817 {
3818         return socket_has_perm(current, sock, SOCKET__LISTEN);
3819 }
3820
3821 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3822 {
3823         int err;
3824         struct inode_security_struct *isec;
3825         struct inode_security_struct *newisec;
3826
3827         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3828         if (err)
3829                 return err;
3830
3831         newisec = SOCK_INODE(newsock)->i_security;
3832
3833         isec = SOCK_INODE(sock)->i_security;
3834         newisec->sclass = isec->sclass;
3835         newisec->sid = isec->sid;
3836         newisec->initialized = 1;
3837
3838         return 0;
3839 }
3840
3841 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3842                                   int size)
3843 {
3844         int rc;
3845
3846         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3847         if (rc)
3848                 return rc;
3849
3850         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3851 }
3852
3853 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3854                                   int size, int flags)
3855 {
3856         return socket_has_perm(current, sock, SOCKET__READ);
3857 }
3858
3859 static int selinux_socket_getsockname(struct socket *sock)
3860 {
3861         return socket_has_perm(current, sock, SOCKET__GETATTR);
3862 }
3863
3864 static int selinux_socket_getpeername(struct socket *sock)
3865 {
3866         return socket_has_perm(current, sock, SOCKET__GETATTR);
3867 }
3868
3869 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3870 {
3871         int err;
3872
3873         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3874         if (err)
3875                 return err;
3876
3877         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3878 }
3879
3880 static int selinux_socket_getsockopt(struct socket *sock, int level,
3881                                      int optname)
3882 {
3883         return socket_has_perm(current, sock, SOCKET__GETOPT);
3884 }
3885
3886 static int selinux_socket_shutdown(struct socket *sock, int how)
3887 {
3888         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3889 }
3890
3891 static int selinux_socket_unix_stream_connect(struct socket *sock,
3892                                               struct socket *other,
3893                                               struct sock *newsk)
3894 {
3895         struct sk_security_struct *ssec;
3896         struct inode_security_struct *isec;
3897         struct inode_security_struct *other_isec;
3898         struct avc_audit_data ad;
3899         int err;
3900
3901         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3902         if (err)
3903                 return err;
3904
3905         isec = SOCK_INODE(sock)->i_security;
3906         other_isec = SOCK_INODE(other)->i_security;
3907
3908         AVC_AUDIT_DATA_INIT(&ad, NET);
3909         ad.u.net.sk = other->sk;
3910
3911         err = avc_has_perm(isec->sid, other_isec->sid,
3912                            isec->sclass,
3913                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3914         if (err)
3915                 return err;
3916
3917         /* connecting socket */
3918         ssec = sock->sk->sk_security;
3919         ssec->peer_sid = other_isec->sid;
3920
3921         /* server child socket */
3922         ssec = newsk->sk_security;
3923         ssec->peer_sid = isec->sid;
3924         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3925
3926         return err;
3927 }
3928
3929 static int selinux_socket_unix_may_send(struct socket *sock,
3930                                         struct socket *other)
3931 {
3932         struct inode_security_struct *isec;
3933         struct inode_security_struct *other_isec;
3934         struct avc_audit_data ad;
3935         int err;
3936
3937         isec = SOCK_INODE(sock)->i_security;
3938         other_isec = SOCK_INODE(other)->i_security;
3939
3940         AVC_AUDIT_DATA_INIT(&ad, NET);
3941         ad.u.net.sk = other->sk;
3942
3943         err = avc_has_perm(isec->sid, other_isec->sid,
3944                            isec->sclass, SOCKET__SENDTO, &ad);
3945         if (err)
3946                 return err;
3947
3948         return 0;
3949 }
3950
3951 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3952                                     u32 peer_sid,
3953                                     struct avc_audit_data *ad)
3954 {
3955         int err;
3956         u32 if_sid;
3957         u32 node_sid;
3958
3959         err = sel_netif_sid(ifindex, &if_sid);
3960         if (err)
3961                 return err;
3962         err = avc_has_perm(peer_sid, if_sid,
3963                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3964         if (err)
3965                 return err;
3966
3967         err = sel_netnode_sid(addrp, family, &node_sid);
3968         if (err)
3969                 return err;
3970         return avc_has_perm(peer_sid, node_sid,
3971                             SECCLASS_NODE, NODE__RECVFROM, ad);
3972 }
3973
3974 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3975                                                 struct sk_buff *skb,
3976                                                 struct avc_audit_data *ad,
3977                                                 u16 family,
3978                                                 char *addrp)
3979 {
3980         int err;
3981         struct sk_security_struct *sksec = sk->sk_security;
3982         u16 sk_class;
3983         u32 netif_perm, node_perm, recv_perm;
3984         u32 port_sid, node_sid, if_sid, sk_sid;
3985
3986         sk_sid = sksec->sid;
3987         sk_class = sksec->sclass;
3988
3989         switch (sk_class) {
3990         case SECCLASS_UDP_SOCKET:
3991                 netif_perm = NETIF__UDP_RECV;
3992                 node_perm = NODE__UDP_RECV;
3993                 recv_perm = UDP_SOCKET__RECV_MSG;
3994                 break;
3995         case SECCLASS_TCP_SOCKET:
3996                 netif_perm = NETIF__TCP_RECV;
3997                 node_perm = NODE__TCP_RECV;
3998                 recv_perm = TCP_SOCKET__RECV_MSG;
3999                 break;
4000         case SECCLASS_DCCP_SOCKET:
4001                 netif_perm = NETIF__DCCP_RECV;
4002                 node_perm = NODE__DCCP_RECV;
4003                 recv_perm = DCCP_SOCKET__RECV_MSG;
4004                 break;
4005         default:
4006                 netif_perm = NETIF__RAWIP_RECV;
4007                 node_perm = NODE__RAWIP_RECV;
4008                 recv_perm = 0;
4009                 break;
4010         }
4011
4012         err = sel_netif_sid(skb->iif, &if_sid);
4013         if (err)
4014                 return err;
4015         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4016         if (err)
4017                 return err;
4018
4019         err = sel_netnode_sid(addrp, family, &node_sid);
4020         if (err)
4021                 return err;
4022         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4023         if (err)
4024                 return err;
4025
4026         if (!recv_perm)
4027                 return 0;
4028         err = sel_netport_sid(sk->sk_protocol,
4029                               ntohs(ad->u.net.sport), &port_sid);
4030         if (unlikely(err)) {
4031                 printk(KERN_WARNING
4032                        "SELinux: failure in"
4033                        " selinux_sock_rcv_skb_iptables_compat(),"
4034                        " network port label not found\n");
4035                 return err;
4036         }
4037         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4038 }
4039
4040 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4041                                        struct avc_audit_data *ad,
4042                                        u16 family, char *addrp)
4043 {
4044         int err;
4045         struct sk_security_struct *sksec = sk->sk_security;
4046         u32 peer_sid;
4047         u32 sk_sid = sksec->sid;
4048
4049         if (selinux_compat_net)
4050                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4051                                                            family, addrp);
4052         else
4053                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4054                                    PACKET__RECV, ad);
4055         if (err)
4056                 return err;
4057
4058         if (selinux_policycap_netpeer) {
4059                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4060                 if (err)
4061                         return err;
4062                 err = avc_has_perm(sk_sid, peer_sid,
4063                                    SECCLASS_PEER, PEER__RECV, ad);
4064         } else {
4065                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4066                 if (err)
4067                         return err;
4068                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4069         }
4070
4071         return err;
4072 }
4073
4074 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4075 {
4076         int err;
4077         struct sk_security_struct *sksec = sk->sk_security;
4078         u16 family = sk->sk_family;
4079         u32 sk_sid = sksec->sid;
4080         struct avc_audit_data ad;
4081         char *addrp;
4082
4083         if (family != PF_INET && family != PF_INET6)
4084                 return 0;
4085
4086         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4087         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4088                 family = PF_INET;
4089
4090         AVC_AUDIT_DATA_INIT(&ad, NET);
4091         ad.u.net.netif = skb->iif;
4092         ad.u.net.family = family;
4093         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4094         if (err)
4095                 return err;
4096
4097         /* If any sort of compatibility mode is enabled then handoff processing
4098          * to the selinux_sock_rcv_skb_compat() function to deal with the
4099          * special handling.  We do this in an attempt to keep this function
4100          * as fast and as clean as possible. */
4101         if (selinux_compat_net || !selinux_policycap_netpeer)
4102                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4103                                                    family, addrp);
4104
4105         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4106                 u32 peer_sid;
4107
4108                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4109                 if (err)
4110                         return err;
4111                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4112                                                peer_sid, &ad);
4113                 if (err)
4114                         return err;
4115                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4116                                    PEER__RECV, &ad);
4117         }
4118
4119         if (selinux_secmark_enabled()) {
4120                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4121                                    PACKET__RECV, &ad);
4122                 if (err)
4123                         return err;
4124         }
4125
4126         return err;
4127 }
4128
4129 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4130                                             int __user *optlen, unsigned len)
4131 {
4132         int err = 0;
4133         char *scontext;
4134         u32 scontext_len;
4135         struct sk_security_struct *ssec;
4136         struct inode_security_struct *isec;
4137         u32 peer_sid = SECSID_NULL;
4138
4139         isec = SOCK_INODE(sock)->i_security;
4140
4141         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4142             isec->sclass == SECCLASS_TCP_SOCKET) {
4143                 ssec = sock->sk->sk_security;
4144                 peer_sid = ssec->peer_sid;
4145         }
4146         if (peer_sid == SECSID_NULL) {
4147                 err = -ENOPROTOOPT;
4148                 goto out;
4149         }
4150
4151         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4152
4153         if (err)
4154                 goto out;
4155
4156         if (scontext_len > len) {
4157                 err = -ERANGE;
4158                 goto out_len;
4159         }
4160
4161         if (copy_to_user(optval, scontext, scontext_len))
4162                 err = -EFAULT;
4163
4164 out_len:
4165         if (put_user(scontext_len, optlen))
4166                 err = -EFAULT;
4167
4168         kfree(scontext);
4169 out:
4170         return err;
4171 }
4172
4173 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4174 {
4175         u32 peer_secid = SECSID_NULL;
4176         u16 family;
4177
4178         if (sock)
4179                 family = sock->sk->sk_family;
4180         else if (skb && skb->sk)
4181                 family = skb->sk->sk_family;
4182         else
4183                 goto out;
4184
4185         if (sock && family == PF_UNIX)
4186                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4187         else if (skb)
4188                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4189
4190 out:
4191         *secid = peer_secid;
4192         if (peer_secid == SECSID_NULL)
4193                 return -EINVAL;
4194         return 0;
4195 }
4196
4197 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4198 {
4199         return sk_alloc_security(sk, family, priority);
4200 }
4201
4202 static void selinux_sk_free_security(struct sock *sk)
4203 {
4204         sk_free_security(sk);
4205 }
4206
4207 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4208 {
4209         struct sk_security_struct *ssec = sk->sk_security;
4210         struct sk_security_struct *newssec = newsk->sk_security;
4211
4212         newssec->sid = ssec->sid;
4213         newssec->peer_sid = ssec->peer_sid;
4214         newssec->sclass = ssec->sclass;
4215
4216         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4217 }
4218
4219 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4220 {
4221         if (!sk)
4222                 *secid = SECINITSID_ANY_SOCKET;
4223         else {
4224                 struct sk_security_struct *sksec = sk->sk_security;
4225
4226                 *secid = sksec->sid;
4227         }
4228 }
4229
4230 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4231 {
4232         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4233         struct sk_security_struct *sksec = sk->sk_security;
4234
4235         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4236             sk->sk_family == PF_UNIX)
4237                 isec->sid = sksec->sid;
4238         sksec->sclass = isec->sclass;
4239
4240         selinux_netlbl_sock_graft(sk, parent);
4241 }
4242
4243 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4244                                      struct request_sock *req)
4245 {
4246         struct sk_security_struct *sksec = sk->sk_security;
4247         int err;
4248         u32 newsid;
4249         u32 peersid;
4250
4251         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4252         if (err)
4253                 return err;
4254         if (peersid == SECSID_NULL) {
4255                 req->secid = sksec->sid;
4256                 req->peer_secid = SECSID_NULL;
4257                 return 0;
4258         }
4259
4260         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4261         if (err)
4262                 return err;
4263
4264         req->secid = newsid;
4265         req->peer_secid = peersid;
4266         return 0;
4267 }
4268
4269 static void selinux_inet_csk_clone(struct sock *newsk,
4270                                    const struct request_sock *req)
4271 {
4272         struct sk_security_struct *newsksec = newsk->sk_security;
4273
4274         newsksec->sid = req->secid;
4275         newsksec->peer_sid = req->peer_secid;
4276         /* NOTE: Ideally, we should also get the isec->sid for the
4277            new socket in sync, but we don't have the isec available yet.
4278            So we will wait until sock_graft to do it, by which
4279            time it will have been created and available. */
4280
4281         /* We don't need to take any sort of lock here as we are the only
4282          * thread with access to newsksec */
4283         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4284 }
4285
4286 static void selinux_inet_conn_established(struct sock *sk,
4287                                 struct sk_buff *skb)
4288 {
4289         struct sk_security_struct *sksec = sk->sk_security;
4290
4291         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4292 }
4293
4294 static void selinux_req_classify_flow(const struct request_sock *req,
4295                                       struct flowi *fl)
4296 {
4297         fl->secid = req->secid;
4298 }
4299
4300 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4301 {
4302         int err = 0;
4303         u32 perm;
4304         struct nlmsghdr *nlh;
4305         struct socket *sock = sk->sk_socket;
4306         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4307
4308         if (skb->len < NLMSG_SPACE(0)) {
4309                 err = -EINVAL;
4310                 goto out;
4311         }
4312         nlh = nlmsg_hdr(skb);
4313
4314         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4315         if (err) {
4316                 if (err == -EINVAL) {
4317                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4318                                   "SELinux:  unrecognized netlink message"
4319                                   " type=%hu for sclass=%hu\n",
4320                                   nlh->nlmsg_type, isec->sclass);
4321                         if (!selinux_enforcing)
4322                                 err = 0;
4323                 }
4324
4325                 /* Ignore */
4326                 if (err == -ENOENT)
4327                         err = 0;
4328                 goto out;
4329         }
4330
4331         err = socket_has_perm(current, sock, perm);
4332 out:
4333         return err;
4334 }
4335
4336 #ifdef CONFIG_NETFILTER
4337
4338 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4339                                        u16 family)
4340 {
4341         char *addrp;
4342         u32 peer_sid;
4343         struct avc_audit_data ad;
4344         u8 secmark_active;
4345         u8 peerlbl_active;
4346
4347         if (!selinux_policycap_netpeer)
4348                 return NF_ACCEPT;
4349
4350         secmark_active = selinux_secmark_enabled();
4351         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4352         if (!secmark_active && !peerlbl_active)
4353                 return NF_ACCEPT;
4354
4355         AVC_AUDIT_DATA_INIT(&ad, NET);
4356         ad.u.net.netif = ifindex;
4357         ad.u.net.family = family;
4358         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4359                 return NF_DROP;
4360
4361         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4362                 return NF_DROP;
4363
4364         if (peerlbl_active)
4365                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4366                                              peer_sid, &ad) != 0)
4367                         return NF_DROP;
4368
4369         if (secmark_active)
4370                 if (avc_has_perm(peer_sid, skb->secmark,
4371                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4372                         return NF_DROP;
4373
4374         return NF_ACCEPT;
4375 }
4376
4377 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4378                                          struct sk_buff *skb,
4379                                          const struct net_device *in,
4380                                          const struct net_device *out,
4381                                          int (*okfn)(struct sk_buff *))
4382 {
4383         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4384 }
4385
4386 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4387 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4388                                          struct sk_buff *skb,
4389                                          const struct net_device *in,
4390                                          const struct net_device *out,
4391                                          int (*okfn)(struct sk_buff *))
4392 {
4393         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4394 }
4395 #endif  /* IPV6 */
4396
4397 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4398                                                 int ifindex,
4399                                                 struct avc_audit_data *ad,
4400                                                 u16 family, char *addrp)
4401 {
4402         int err;
4403         struct sk_security_struct *sksec = sk->sk_security;
4404         u16 sk_class;
4405         u32 netif_perm, node_perm, send_perm;
4406         u32 port_sid, node_sid, if_sid, sk_sid;
4407
4408         sk_sid = sksec->sid;
4409         sk_class = sksec->sclass;
4410
4411         switch (sk_class) {
4412         case SECCLASS_UDP_SOCKET:
4413                 netif_perm = NETIF__UDP_SEND;
4414                 node_perm = NODE__UDP_SEND;
4415                 send_perm = UDP_SOCKET__SEND_MSG;
4416                 break;
4417         case SECCLASS_TCP_SOCKET:
4418                 netif_perm = NETIF__TCP_SEND;
4419                 node_perm = NODE__TCP_SEND;
4420                 send_perm = TCP_SOCKET__SEND_MSG;
4421                 break;
4422         case SECCLASS_DCCP_SOCKET:
4423                 netif_perm = NETIF__DCCP_SEND;
4424                 node_perm = NODE__DCCP_SEND;
4425                 send_perm = DCCP_SOCKET__SEND_MSG;
4426                 break;
4427         default:
4428                 netif_perm = NETIF__RAWIP_SEND;
4429                 node_perm = NODE__RAWIP_SEND;
4430                 send_perm = 0;
4431                 break;
4432         }
4433
4434         err = sel_netif_sid(ifindex, &if_sid);
4435         if (err)
4436                 return err;
4437         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4438                 return err;
4439
4440         err = sel_netnode_sid(addrp, family, &node_sid);
4441         if (err)
4442                 return err;
4443         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4444         if (err)
4445                 return err;
4446
4447         if (send_perm != 0)
4448                 return 0;
4449
4450         err = sel_netport_sid(sk->sk_protocol,
4451                               ntohs(ad->u.net.dport), &port_sid);
4452         if (unlikely(err)) {
4453                 printk(KERN_WARNING
4454                        "SELinux: failure in"
4455                        " selinux_ip_postroute_iptables_compat(),"
4456                        " network port label not found\n");
4457                 return err;
4458         }
4459         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4460 }
4461
4462 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4463                                                 int ifindex,
4464                                                 struct avc_audit_data *ad,
4465                                                 u16 family,
4466                                                 char *addrp,
4467                                                 u8 proto)
4468 {
4469         struct sock *sk = skb->sk;
4470         struct sk_security_struct *sksec;
4471
4472         if (sk == NULL)
4473                 return NF_ACCEPT;
4474         sksec = sk->sk_security;
4475
4476         if (selinux_compat_net) {
4477                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4478                                                          ad, family, addrp))
4479                         return NF_DROP;
4480         } else {
4481                 if (avc_has_perm(sksec->sid, skb->secmark,
4482                                  SECCLASS_PACKET, PACKET__SEND, ad))
4483                         return NF_DROP;
4484         }
4485
4486         if (selinux_policycap_netpeer)
4487                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4488                         return NF_DROP;
4489
4490         return NF_ACCEPT;
4491 }
4492
4493 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4494                                          u16 family)
4495 {
4496         u32 secmark_perm;
4497         u32 peer_sid;
4498         struct sock *sk;
4499         struct avc_audit_data ad;
4500         char *addrp;
4501         u8 proto;
4502         u8 secmark_active;
4503         u8 peerlbl_active;
4504
4505         AVC_AUDIT_DATA_INIT(&ad, NET);
4506         ad.u.net.netif = ifindex;
4507         ad.u.net.family = family;
4508         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4509                 return NF_DROP;
4510
4511         /* If any sort of compatibility mode is enabled then handoff processing
4512          * to the selinux_ip_postroute_compat() function to deal with the
4513          * special handling.  We do this in an attempt to keep this function
4514          * as fast and as clean as possible. */
4515         if (selinux_compat_net || !selinux_policycap_netpeer)
4516                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4517                                                    family, addrp, proto);
4518
4519         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4520          * packet transformation so allow the packet to pass without any checks
4521          * since we'll have another chance to perform access control checks
4522          * when the packet is on it's final way out.
4523          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4524          *       is NULL, in this case go ahead and apply access control. */
4525         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4526                 return NF_ACCEPT;
4527
4528         secmark_active = selinux_secmark_enabled();
4529         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4530         if (!secmark_active && !peerlbl_active)
4531                 return NF_ACCEPT;
4532
4533         /* if the packet is locally generated (skb->sk != NULL) then use the
4534          * socket's label as the peer label, otherwise the packet is being
4535          * forwarded through this system and we need to fetch the peer label
4536          * directly from the packet */
4537         sk = skb->sk;
4538         if (sk) {
4539                 struct sk_security_struct *sksec = sk->sk_security;
4540                 peer_sid = sksec->sid;
4541                 secmark_perm = PACKET__SEND;
4542         } else {
4543                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4544                                 return NF_DROP;
4545                 secmark_perm = PACKET__FORWARD_OUT;
4546         }
4547
4548         if (secmark_active)
4549                 if (avc_has_perm(peer_sid, skb->secmark,
4550                                  SECCLASS_PACKET, secmark_perm, &ad))
4551                         return NF_DROP;
4552
4553         if (peerlbl_active) {
4554                 u32 if_sid;
4555                 u32 node_sid;
4556
4557                 if (sel_netif_sid(ifindex, &if_sid))
4558                         return NF_DROP;
4559                 if (avc_has_perm(peer_sid, if_sid,
4560                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4561                         return NF_DROP;
4562
4563                 if (sel_netnode_sid(addrp, family, &node_sid))
4564                         return NF_DROP;
4565                 if (avc_has_perm(peer_sid, node_sid,
4566                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4567                         return NF_DROP;
4568         }
4569
4570         return NF_ACCEPT;
4571 }
4572
4573 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4574                                            struct sk_buff *skb,
4575                                            const struct net_device *in,
4576                                            const struct net_device *out,
4577                                            int (*okfn)(struct sk_buff *))
4578 {
4579         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4580 }
4581
4582 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4583 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4584                                            struct sk_buff *skb,
4585                                            const struct net_device *in,
4586                                            const struct net_device *out,
4587                                            int (*okfn)(struct sk_buff *))
4588 {
4589         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4590 }
4591 #endif  /* IPV6 */
4592
4593 #endif  /* CONFIG_NETFILTER */
4594
4595 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4596 {
4597         int err;
4598
4599         err = secondary_ops->netlink_send(sk, skb);
4600         if (err)
4601                 return err;
4602
4603         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4604                 err = selinux_nlmsg_perm(sk, skb);
4605
4606         return err;
4607 }
4608
4609 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4610 {
4611         int err;
4612         struct avc_audit_data ad;
4613
4614         err = secondary_ops->netlink_recv(skb, capability);
4615         if (err)
4616                 return err;
4617
4618         AVC_AUDIT_DATA_INIT(&ad, CAP);
4619         ad.u.cap = capability;
4620
4621         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4622                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4623 }
4624
4625 static int ipc_alloc_security(struct task_struct *task,
4626                               struct kern_ipc_perm *perm,
4627                               u16 sclass)
4628 {
4629         struct task_security_struct *tsec = task->security;
4630         struct ipc_security_struct *isec;
4631
4632         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4633         if (!isec)
4634                 return -ENOMEM;
4635
4636         isec->sclass = sclass;
4637         isec->sid = tsec->sid;
4638         perm->security = isec;
4639
4640         return 0;
4641 }
4642
4643 static void ipc_free_security(struct kern_ipc_perm *perm)
4644 {
4645         struct ipc_security_struct *isec = perm->security;
4646         perm->security = NULL;
4647         kfree(isec);
4648 }
4649
4650 static int msg_msg_alloc_security(struct msg_msg *msg)
4651 {
4652         struct msg_security_struct *msec;
4653
4654         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4655         if (!msec)
4656                 return -ENOMEM;
4657
4658         msec->sid = SECINITSID_UNLABELED;
4659         msg->security = msec;
4660
4661         return 0;
4662 }
4663
4664 static void msg_msg_free_security(struct msg_msg *msg)
4665 {
4666         struct msg_security_struct *msec = msg->security;
4667
4668         msg->security = NULL;
4669         kfree(msec);
4670 }
4671
4672 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4673                         u32 perms)
4674 {
4675         struct task_security_struct *tsec;
4676         struct ipc_security_struct *isec;
4677         struct avc_audit_data ad;
4678
4679         tsec = current->security;
4680         isec = ipc_perms->security;
4681
4682         AVC_AUDIT_DATA_INIT(&ad, IPC);
4683         ad.u.ipc_id = ipc_perms->key;
4684
4685         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4686 }
4687
4688 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4689 {
4690         return msg_msg_alloc_security(msg);
4691 }
4692
4693 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4694 {
4695         msg_msg_free_security(msg);
4696 }
4697
4698 /* message queue security operations */
4699 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4700 {
4701         struct task_security_struct *tsec;
4702         struct ipc_security_struct *isec;
4703         struct avc_audit_data ad;
4704         int rc;
4705
4706         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4707         if (rc)
4708                 return rc;
4709
4710         tsec = current->security;
4711         isec = msq->q_perm.security;
4712
4713         AVC_AUDIT_DATA_INIT(&ad, IPC);
4714         ad.u.ipc_id = msq->q_perm.key;
4715
4716         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4717                           MSGQ__CREATE, &ad);
4718         if (rc) {
4719                 ipc_free_security(&msq->q_perm);
4720                 return rc;
4721         }
4722         return 0;
4723 }
4724
4725 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4726 {
4727         ipc_free_security(&msq->q_perm);
4728 }
4729
4730 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4731 {
4732         struct task_security_struct *tsec;
4733         struct ipc_security_struct *isec;
4734         struct avc_audit_data ad;
4735
4736         tsec = current->security;
4737         isec = msq->q_perm.security;
4738
4739         AVC_AUDIT_DATA_INIT(&ad, IPC);
4740         ad.u.ipc_id = msq->q_perm.key;
4741
4742         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4743                             MSGQ__ASSOCIATE, &ad);
4744 }
4745
4746 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4747 {
4748         int err;
4749         int perms;
4750
4751         switch (cmd) {
4752         case IPC_INFO:
4753         case MSG_INFO:
4754                 /* No specific object, just general system-wide information. */
4755                 return task_has_system(current, SYSTEM__IPC_INFO);
4756         case IPC_STAT:
4757         case MSG_STAT:
4758                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4759                 break;
4760         case IPC_SET:
4761                 perms = MSGQ__SETATTR;
4762                 break;
4763         case IPC_RMID:
4764                 perms = MSGQ__DESTROY;
4765                 break;
4766         default:
4767                 return 0;
4768         }
4769
4770         err = ipc_has_perm(&msq->q_perm, perms);
4771         return err;
4772 }
4773
4774 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4775 {
4776         struct task_security_struct *tsec;
4777         struct ipc_security_struct *isec;
4778         struct msg_security_struct *msec;
4779         struct avc_audit_data ad;
4780         int rc;
4781
4782         tsec = current->security;
4783         isec = msq->q_perm.security;
4784         msec = msg->security;
4785
4786         /*
4787          * First time through, need to assign label to the message
4788          */
4789         if (msec->sid == SECINITSID_UNLABELED) {
4790                 /*
4791                  * Compute new sid based on current process and
4792                  * message queue this message will be stored in
4793                  */
4794                 rc = security_transition_sid(tsec->sid,
4795                                              isec->sid,
4796                                              SECCLASS_MSG,
4797                                              &msec->sid);
4798                 if (rc)
4799                         return rc;
4800         }
4801
4802         AVC_AUDIT_DATA_INIT(&ad, IPC);
4803         ad.u.ipc_id = msq->q_perm.key;
4804
4805         /* Can this process write to the queue? */
4806         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4807                           MSGQ__WRITE, &ad);
4808         if (!rc)
4809                 /* Can this process send the message */
4810                 rc = avc_has_perm(tsec->sid, msec->sid,
4811                                   SECCLASS_MSG, MSG__SEND, &ad);
4812         if (!rc)
4813                 /* Can the message be put in the queue? */
4814                 rc = avc_has_perm(msec->sid, isec->sid,
4815                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4816
4817         return rc;
4818 }
4819
4820 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4821                                     struct task_struct *target,
4822                                     long type, int mode)
4823 {
4824         struct task_security_struct *tsec;
4825         struct ipc_security_struct *isec;
4826         struct msg_security_struct *msec;
4827         struct avc_audit_data ad;
4828         int rc;
4829
4830         tsec = target->security;
4831         isec = msq->q_perm.security;
4832         msec = msg->security;
4833
4834         AVC_AUDIT_DATA_INIT(&ad, IPC);
4835         ad.u.ipc_id = msq->q_perm.key;
4836
4837         rc = avc_has_perm(tsec->sid, isec->sid,
4838                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4839         if (!rc)
4840                 rc = avc_has_perm(tsec->sid, msec->sid,
4841                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4842         return rc;
4843 }
4844
4845 /* Shared Memory security operations */
4846 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4847 {
4848         struct task_security_struct *tsec;
4849         struct ipc_security_struct *isec;
4850         struct avc_audit_data ad;
4851         int rc;
4852
4853         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4854         if (rc)
4855                 return rc;
4856
4857         tsec = current->security;
4858         isec = shp->shm_perm.security;
4859
4860         AVC_AUDIT_DATA_INIT(&ad, IPC);
4861         ad.u.ipc_id = shp->shm_perm.key;
4862
4863         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4864                           SHM__CREATE, &ad);
4865         if (rc) {
4866                 ipc_free_security(&shp->shm_perm);
4867                 return rc;
4868         }
4869         return 0;
4870 }
4871
4872 static void selinux_shm_free_security(struct shmid_kernel *shp)
4873 {
4874         ipc_free_security(&shp->shm_perm);
4875 }
4876
4877 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4878 {
4879         struct task_security_struct *tsec;
4880         struct ipc_security_struct *isec;
4881         struct avc_audit_data ad;
4882
4883         tsec = current->security;
4884         isec = shp->shm_perm.security;
4885
4886         AVC_AUDIT_DATA_INIT(&ad, IPC);
4887         ad.u.ipc_id = shp->shm_perm.key;
4888
4889         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4890                             SHM__ASSOCIATE, &ad);
4891 }
4892
4893 /* Note, at this point, shp is locked down */
4894 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4895 {
4896         int perms;
4897         int err;
4898
4899         switch (cmd) {
4900         case IPC_INFO:
4901         case SHM_INFO:
4902                 /* No specific object, just general system-wide information. */
4903                 return task_has_system(current, SYSTEM__IPC_INFO);
4904         case IPC_STAT:
4905         case SHM_STAT:
4906                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4907                 break;
4908         case IPC_SET:
4909                 perms = SHM__SETATTR;
4910                 break;
4911         case SHM_LOCK:
4912         case SHM_UNLOCK:
4913                 perms = SHM__LOCK;
4914                 break;
4915         case IPC_RMID:
4916                 perms = SHM__DESTROY;
4917                 break;
4918         default:
4919                 return 0;
4920         }
4921
4922         err = ipc_has_perm(&shp->shm_perm, perms);
4923         return err;
4924 }
4925
4926 static int selinux_shm_shmat(struct shmid_kernel *shp,
4927                              char __user *shmaddr, int shmflg)
4928 {
4929         u32 perms;
4930         int rc;
4931
4932         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4933         if (rc)
4934                 return rc;
4935
4936         if (shmflg & SHM_RDONLY)
4937                 perms = SHM__READ;
4938         else
4939                 perms = SHM__READ | SHM__WRITE;
4940
4941         return ipc_has_perm(&shp->shm_perm, perms);
4942 }
4943
4944 /* Semaphore security operations */
4945 static int selinux_sem_alloc_security(struct sem_array *sma)
4946 {
4947         struct task_security_struct *tsec;
4948         struct ipc_security_struct *isec;
4949         struct avc_audit_data ad;
4950         int rc;
4951
4952         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4953         if (rc)
4954                 return rc;
4955
4956         tsec = current->security;
4957         isec = sma->sem_perm.security;
4958
4959         AVC_AUDIT_DATA_INIT(&ad, IPC);
4960         ad.u.ipc_id = sma->sem_perm.key;
4961
4962         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4963                           SEM__CREATE, &ad);
4964         if (rc) {
4965                 ipc_free_security(&sma->sem_perm);
4966                 return rc;
4967         }
4968         return 0;
4969 }
4970
4971 static void selinux_sem_free_security(struct sem_array *sma)
4972 {
4973         ipc_free_security(&sma->sem_perm);
4974 }
4975
4976 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4977 {
4978         struct task_security_struct *tsec;
4979         struct ipc_security_struct *isec;
4980         struct avc_audit_data ad;
4981
4982         tsec = current->security;
4983         isec = sma->sem_perm.security;
4984
4985         AVC_AUDIT_DATA_INIT(&ad, IPC);
4986         ad.u.ipc_id = sma->sem_perm.key;
4987
4988         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4989                             SEM__ASSOCIATE, &ad);
4990 }
4991
4992 /* Note, at this point, sma is locked down */
4993 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4994 {
4995         int err;
4996         u32 perms;
4997
4998         switch (cmd) {
4999         case IPC_INFO:
5000         case SEM_INFO:
5001                 /* No specific object, just general system-wide information. */
5002                 return task_has_system(current, SYSTEM__IPC_INFO);
5003         case GETPID:
5004         case GETNCNT:
5005         case GETZCNT:
5006                 perms = SEM__GETATTR;
5007                 break;
5008         case GETVAL:
5009         case GETALL:
5010                 perms = SEM__READ;
5011                 break;
5012         case SETVAL:
5013         case SETALL:
5014                 perms = SEM__WRITE;
5015                 break;
5016         case IPC_RMID:
5017                 perms = SEM__DESTROY;
5018                 break;
5019         case IPC_SET:
5020                 perms = SEM__SETATTR;
5021                 break;
5022         case IPC_STAT:
5023         case SEM_STAT:
5024                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5025                 break;
5026         default:
5027                 return 0;
5028         }
5029
5030         err = ipc_has_perm(&sma->sem_perm, perms);
5031         return err;
5032 }
5033
5034 static int selinux_sem_semop(struct sem_array *sma,
5035                              struct sembuf *sops, unsigned nsops, int alter)
5036 {
5037         u32 perms;
5038
5039         if (alter)
5040                 perms = SEM__READ | SEM__WRITE;
5041         else
5042                 perms = SEM__READ;
5043
5044         return ipc_has_perm(&sma->sem_perm, perms);
5045 }
5046
5047 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5048 {
5049         u32 av = 0;
5050
5051         av = 0;
5052         if (flag & S_IRUGO)
5053                 av |= IPC__UNIX_READ;
5054         if (flag & S_IWUGO)
5055                 av |= IPC__UNIX_WRITE;
5056
5057         if (av == 0)
5058                 return 0;
5059
5060         return ipc_has_perm(ipcp, av);
5061 }
5062
5063 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5064 {
5065         struct ipc_security_struct *isec = ipcp->security;
5066         *secid = isec->sid;
5067 }
5068
5069 /* module stacking operations */
5070 static int selinux_register_security(const char *name, struct security_operations *ops)
5071 {
5072         if (secondary_ops != original_ops) {
5073                 printk(KERN_ERR "%s:  There is already a secondary security "
5074                        "module registered.\n", __func__);
5075                 return -EINVAL;
5076         }
5077
5078         secondary_ops = ops;
5079
5080         printk(KERN_INFO "%s:  Registering secondary module %s\n",
5081                __func__,
5082                name);
5083
5084         return 0;
5085 }
5086
5087 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5088 {
5089         if (inode)
5090                 inode_doinit_with_dentry(inode, dentry);
5091 }
5092
5093 static int selinux_getprocattr(struct task_struct *p,
5094                                char *name, char **value)
5095 {
5096         struct task_security_struct *tsec;
5097         u32 sid;
5098         int error;
5099         unsigned len;
5100
5101         if (current != p) {
5102                 error = task_has_perm(current, p, PROCESS__GETATTR);
5103                 if (error)
5104                         return error;
5105         }
5106
5107         tsec = p->security;
5108
5109         if (!strcmp(name, "current"))
5110                 sid = tsec->sid;
5111         else if (!strcmp(name, "prev"))
5112                 sid = tsec->osid;
5113         else if (!strcmp(name, "exec"))
5114                 sid = tsec->exec_sid;
5115         else if (!strcmp(name, "fscreate"))
5116                 sid = tsec->create_sid;
5117         else if (!strcmp(name, "keycreate"))
5118                 sid = tsec->keycreate_sid;
5119         else if (!strcmp(name, "sockcreate"))
5120                 sid = tsec->sockcreate_sid;
5121         else
5122                 return -EINVAL;
5123
5124         if (!sid)
5125                 return 0;
5126
5127         error = security_sid_to_context(sid, value, &len);
5128         if (error)
5129                 return error;
5130         return len;
5131 }
5132
5133 static int selinux_setprocattr(struct task_struct *p,
5134                                char *name, void *value, size_t size)
5135 {
5136         struct task_security_struct *tsec;
5137         struct task_struct *tracer;
5138         u32 sid = 0;
5139         int error;
5140         char *str = value;
5141
5142         if (current != p) {
5143                 /* SELinux only allows a process to change its own
5144                    security attributes. */
5145                 return -EACCES;
5146         }
5147
5148         /*
5149          * Basic control over ability to set these attributes at all.
5150          * current == p, but we'll pass them separately in case the
5151          * above restriction is ever removed.
5152          */
5153         if (!strcmp(name, "exec"))
5154                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5155         else if (!strcmp(name, "fscreate"))
5156                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5157         else if (!strcmp(name, "keycreate"))
5158                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5159         else if (!strcmp(name, "sockcreate"))
5160                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5161         else if (!strcmp(name, "current"))
5162                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5163         else
5164                 error = -EINVAL;
5165         if (error)
5166                 return error;
5167
5168         /* Obtain a SID for the context, if one was specified. */
5169         if (size && str[1] && str[1] != '\n') {
5170                 if (str[size-1] == '\n') {
5171                         str[size-1] = 0;
5172                         size--;
5173                 }
5174                 error = security_context_to_sid(value, size, &sid);
5175                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5176                         if (!capable(CAP_MAC_ADMIN))
5177                                 return error;
5178                         error = security_context_to_sid_force(value, size,
5179                                                               &sid);
5180                 }
5181                 if (error)
5182                         return error;
5183         }
5184
5185         /* Permission checking based on the specified context is
5186            performed during the actual operation (execve,
5187            open/mkdir/...), when we know the full context of the
5188            operation.  See selinux_bprm_set_security for the execve
5189            checks and may_create for the file creation checks. The
5190            operation will then fail if the context is not permitted. */
5191         tsec = p->security;
5192         if (!strcmp(name, "exec"))
5193                 tsec->exec_sid = sid;
5194         else if (!strcmp(name, "fscreate"))
5195                 tsec->create_sid = sid;
5196         else if (!strcmp(name, "keycreate")) {
5197                 error = may_create_key(sid, p);
5198                 if (error)
5199                         return error;
5200                 tsec->keycreate_sid = sid;
5201         } else if (!strcmp(name, "sockcreate"))
5202                 tsec->sockcreate_sid = sid;
5203         else if (!strcmp(name, "current")) {
5204                 struct av_decision avd;
5205
5206                 if (sid == 0)
5207                         return -EINVAL;
5208
5209                 /* Only allow single threaded processes to change context */
5210                 if (atomic_read(&p->mm->mm_users) != 1) {
5211                         struct task_struct *g, *t;
5212                         struct mm_struct *mm = p->mm;
5213                         read_lock(&tasklist_lock);
5214                         do_each_thread(g, t)
5215                                 if (t->mm == mm && t != p) {
5216                                         read_unlock(&tasklist_lock);
5217                                         return -EPERM;
5218                                 }
5219                         while_each_thread(g, t);
5220                         read_unlock(&tasklist_lock);
5221                 }
5222
5223                 /* Check permissions for the transition. */
5224                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5225                                      PROCESS__DYNTRANSITION, NULL);
5226                 if (error)
5227                         return error;
5228
5229                 /* Check for ptracing, and update the task SID if ok.
5230                    Otherwise, leave SID unchanged and fail. */
5231                 task_lock(p);
5232                 rcu_read_lock();
5233                 tracer = task_tracer_task(p);
5234                 if (tracer != NULL) {
5235                         struct task_security_struct *ptsec = tracer->security;
5236                         u32 ptsid = ptsec->sid;
5237                         rcu_read_unlock();
5238                         error = avc_has_perm_noaudit(ptsid, sid,
5239                                                      SECCLASS_PROCESS,
5240                                                      PROCESS__PTRACE, 0, &avd);
5241                         if (!error)
5242                                 tsec->sid = sid;
5243                         task_unlock(p);
5244                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5245                                   PROCESS__PTRACE, &avd, error, NULL);
5246                         if (error)
5247                                 return error;
5248                 } else {
5249                         rcu_read_unlock();
5250                         tsec->sid = sid;
5251                         task_unlock(p);
5252                 }
5253         } else
5254                 return -EINVAL;
5255
5256         return size;
5257 }
5258
5259 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5260 {
5261         return security_sid_to_context(secid, secdata, seclen);
5262 }
5263
5264 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5265 {
5266         return security_context_to_sid(secdata, seclen, secid);
5267 }
5268
5269 static void selinux_release_secctx(char *secdata, u32 seclen)
5270 {
5271         kfree(secdata);
5272 }
5273
5274 #ifdef CONFIG_KEYS
5275
5276 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5277                              unsigned long flags)
5278 {
5279         struct task_security_struct *tsec = tsk->security;
5280         struct key_security_struct *ksec;
5281
5282         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5283         if (!ksec)
5284                 return -ENOMEM;
5285
5286         if (tsec->keycreate_sid)
5287                 ksec->sid = tsec->keycreate_sid;
5288         else
5289                 ksec->sid = tsec->sid;
5290         k->security = ksec;
5291
5292         return 0;
5293 }
5294
5295 static void selinux_key_free(struct key *k)
5296 {
5297         struct key_security_struct *ksec = k->security;
5298
5299         k->security = NULL;
5300         kfree(ksec);
5301 }
5302
5303 static int selinux_key_permission(key_ref_t key_ref,
5304                             struct task_struct *ctx,
5305                             key_perm_t perm)
5306 {
5307         struct key *key;
5308         struct task_security_struct *tsec;
5309         struct key_security_struct *ksec;
5310
5311         key = key_ref_to_ptr(key_ref);
5312
5313         tsec = ctx->security;
5314         ksec = key->security;
5315
5316         /* if no specific permissions are requested, we skip the
5317            permission check. No serious, additional covert channels
5318            appear to be created. */
5319         if (perm == 0)
5320                 return 0;
5321
5322         return avc_has_perm(tsec->sid, ksec->sid,
5323                             SECCLASS_KEY, perm, NULL);
5324 }
5325
5326 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5327 {
5328         struct key_security_struct *ksec = key->security;
5329         char *context = NULL;
5330         unsigned len;
5331         int rc;
5332
5333         rc = security_sid_to_context(ksec->sid, &context, &len);
5334         if (!rc)
5335                 rc = len;
5336         *_buffer = context;
5337         return rc;
5338 }
5339
5340 #endif
5341
5342 static struct security_operations selinux_ops = {
5343         .name =                         "selinux",
5344
5345         .ptrace =                       selinux_ptrace,
5346         .capget =                       selinux_capget,
5347         .capset_check =                 selinux_capset_check,
5348         .capset_set =                   selinux_capset_set,
5349         .sysctl =                       selinux_sysctl,
5350         .capable =                      selinux_capable,
5351         .quotactl =                     selinux_quotactl,
5352         .quota_on =                     selinux_quota_on,
5353         .syslog =                       selinux_syslog,
5354         .vm_enough_memory =             selinux_vm_enough_memory,
5355
5356         .netlink_send =                 selinux_netlink_send,
5357         .netlink_recv =                 selinux_netlink_recv,
5358
5359         .bprm_alloc_security =          selinux_bprm_alloc_security,
5360         .bprm_free_security =           selinux_bprm_free_security,
5361         .bprm_apply_creds =             selinux_bprm_apply_creds,
5362         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5363         .bprm_set_security =            selinux_bprm_set_security,
5364         .bprm_check_security =          selinux_bprm_check_security,
5365         .bprm_secureexec =              selinux_bprm_secureexec,
5366
5367         .sb_alloc_security =            selinux_sb_alloc_security,
5368         .sb_free_security =             selinux_sb_free_security,
5369         .sb_copy_data =                 selinux_sb_copy_data,
5370         .sb_kern_mount =                selinux_sb_kern_mount,
5371         .sb_statfs =                    selinux_sb_statfs,
5372         .sb_mount =                     selinux_mount,
5373         .sb_umount =                    selinux_umount,
5374         .sb_get_mnt_opts =              selinux_get_mnt_opts,
5375         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5376         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5377         .sb_parse_opts_str =            selinux_parse_opts_str,
5378
5379
5380         .inode_alloc_security =         selinux_inode_alloc_security,
5381         .inode_free_security =          selinux_inode_free_security,
5382         .inode_init_security =          selinux_inode_init_security,
5383         .inode_create =                 selinux_inode_create,
5384         .inode_link =                   selinux_inode_link,
5385         .inode_unlink =                 selinux_inode_unlink,
5386         .inode_symlink =                selinux_inode_symlink,
5387         .inode_mkdir =                  selinux_inode_mkdir,
5388         .inode_rmdir =                  selinux_inode_rmdir,
5389         .inode_mknod =                  selinux_inode_mknod,
5390         .inode_rename =                 selinux_inode_rename,
5391         .inode_readlink =               selinux_inode_readlink,
5392         .inode_follow_link =            selinux_inode_follow_link,
5393         .inode_permission =             selinux_inode_permission,
5394         .inode_setattr =                selinux_inode_setattr,
5395         .inode_getattr =                selinux_inode_getattr,
5396         .inode_setxattr =               selinux_inode_setxattr,
5397         .inode_post_setxattr =          selinux_inode_post_setxattr,
5398         .inode_getxattr =               selinux_inode_getxattr,
5399         .inode_listxattr =              selinux_inode_listxattr,
5400         .inode_removexattr =            selinux_inode_removexattr,
5401         .inode_getsecurity =            selinux_inode_getsecurity,
5402         .inode_setsecurity =            selinux_inode_setsecurity,
5403         .inode_listsecurity =           selinux_inode_listsecurity,
5404         .inode_need_killpriv =          selinux_inode_need_killpriv,
5405         .inode_killpriv =               selinux_inode_killpriv,
5406         .inode_getsecid =               selinux_inode_getsecid,
5407
5408         .file_permission =              selinux_file_permission,
5409         .file_alloc_security =          selinux_file_alloc_security,
5410         .file_free_security =           selinux_file_free_security,
5411         .file_ioctl =                   selinux_file_ioctl,
5412         .file_mmap =                    selinux_file_mmap,
5413         .file_mprotect =                selinux_file_mprotect,
5414         .file_lock =                    selinux_file_lock,
5415         .file_fcntl =                   selinux_file_fcntl,
5416         .file_set_fowner =              selinux_file_set_fowner,
5417         .file_send_sigiotask =          selinux_file_send_sigiotask,
5418         .file_receive =                 selinux_file_receive,
5419
5420         .dentry_open =                  selinux_dentry_open,
5421
5422         .task_create =                  selinux_task_create,
5423         .task_alloc_security =          selinux_task_alloc_security,
5424         .task_free_security =           selinux_task_free_security,
5425         .task_setuid =                  selinux_task_setuid,
5426         .task_post_setuid =             selinux_task_post_setuid,
5427         .task_setgid =                  selinux_task_setgid,
5428         .task_setpgid =                 selinux_task_setpgid,
5429         .task_getpgid =                 selinux_task_getpgid,
5430         .task_getsid =                  selinux_task_getsid,
5431         .task_getsecid =                selinux_task_getsecid,
5432         .task_setgroups =               selinux_task_setgroups,
5433         .task_setnice =                 selinux_task_setnice,
5434         .task_setioprio =               selinux_task_setioprio,
5435         .task_getioprio =               selinux_task_getioprio,
5436         .task_setrlimit =               selinux_task_setrlimit,
5437         .task_setscheduler =            selinux_task_setscheduler,
5438         .task_getscheduler =            selinux_task_getscheduler,
5439         .task_movememory =              selinux_task_movememory,
5440         .task_kill =                    selinux_task_kill,
5441         .task_wait =                    selinux_task_wait,
5442         .task_prctl =                   selinux_task_prctl,
5443         .task_reparent_to_init =        selinux_task_reparent_to_init,
5444         .task_to_inode =                selinux_task_to_inode,
5445
5446         .ipc_permission =               selinux_ipc_permission,
5447         .ipc_getsecid =                 selinux_ipc_getsecid,
5448
5449         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5450         .msg_msg_free_security =        selinux_msg_msg_free_security,
5451
5452         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5453         .msg_queue_free_security =      selinux_msg_queue_free_security,
5454         .msg_queue_associate =          selinux_msg_queue_associate,
5455         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5456         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5457         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5458
5459         .shm_alloc_security =           selinux_shm_alloc_security,
5460         .shm_free_security =            selinux_shm_free_security,
5461         .shm_associate =                selinux_shm_associate,
5462         .shm_shmctl =                   selinux_shm_shmctl,
5463         .shm_shmat =                    selinux_shm_shmat,
5464
5465         .sem_alloc_security =           selinux_sem_alloc_security,
5466         .sem_free_security =            selinux_sem_free_security,
5467         .sem_associate =                selinux_sem_associate,
5468         .sem_semctl =                   selinux_sem_semctl,
5469         .sem_semop =                    selinux_sem_semop,
5470
5471         .register_security =            selinux_register_security,
5472
5473         .d_instantiate =                selinux_d_instantiate,
5474
5475         .getprocattr =                  selinux_getprocattr,
5476         .setprocattr =                  selinux_setprocattr,
5477
5478         .secid_to_secctx =              selinux_secid_to_secctx,
5479         .secctx_to_secid =              selinux_secctx_to_secid,
5480         .release_secctx =               selinux_release_secctx,
5481
5482         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5483         .unix_may_send =                selinux_socket_unix_may_send,
5484
5485         .socket_create =                selinux_socket_create,
5486         .socket_post_create =           selinux_socket_post_create,
5487         .socket_bind =                  selinux_socket_bind,
5488         .socket_connect =               selinux_socket_connect,
5489         .socket_listen =                selinux_socket_listen,
5490         .socket_accept =                selinux_socket_accept,
5491         .socket_sendmsg =               selinux_socket_sendmsg,
5492         .socket_recvmsg =               selinux_socket_recvmsg,
5493         .socket_getsockname =           selinux_socket_getsockname,
5494         .socket_getpeername =           selinux_socket_getpeername,
5495         .socket_getsockopt =            selinux_socket_getsockopt,
5496         .socket_setsockopt =            selinux_socket_setsockopt,
5497         .socket_shutdown =              selinux_socket_shutdown,
5498         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5499         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5500         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5501         .sk_alloc_security =            selinux_sk_alloc_security,
5502         .sk_free_security =             selinux_sk_free_security,
5503         .sk_clone_security =            selinux_sk_clone_security,
5504         .sk_getsecid =                  selinux_sk_getsecid,
5505         .sock_graft =                   selinux_sock_graft,
5506         .inet_conn_request =            selinux_inet_conn_request,
5507         .inet_csk_clone =               selinux_inet_csk_clone,
5508         .inet_conn_established =        selinux_inet_conn_established,
5509         .req_classify_flow =            selinux_req_classify_flow,
5510
5511 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5512         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5513         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5514         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5515         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5516         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5517         .xfrm_state_free_security =     selinux_xfrm_state_free,
5518         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5519         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5520         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5521         .xfrm_decode_session =          selinux_xfrm_decode_session,
5522 #endif
5523
5524 #ifdef CONFIG_KEYS
5525         .key_alloc =                    selinux_key_alloc,
5526         .key_free =                     selinux_key_free,
5527         .key_permission =               selinux_key_permission,
5528         .key_getsecurity =              selinux_key_getsecurity,
5529 #endif
5530
5531 #ifdef CONFIG_AUDIT
5532         .audit_rule_init =              selinux_audit_rule_init,
5533         .audit_rule_known =             selinux_audit_rule_known,
5534         .audit_rule_match =             selinux_audit_rule_match,
5535         .audit_rule_free =              selinux_audit_rule_free,
5536 #endif
5537 };
5538
5539 static __init int selinux_init(void)
5540 {
5541         struct task_security_struct *tsec;
5542
5543         if (!security_module_enable(&selinux_ops)) {
5544                 selinux_enabled = 0;
5545                 return 0;
5546         }
5547
5548         if (!selinux_enabled) {
5549                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5550                 return 0;
5551         }
5552
5553         printk(KERN_INFO "SELinux:  Initializing.\n");
5554
5555         /* Set the security state for the initial task. */
5556         if (task_alloc_security(current))
5557                 panic("SELinux:  Failed to initialize initial task.\n");
5558         tsec = current->security;
5559         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5560
5561         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5562                                             sizeof(struct inode_security_struct),
5563                                             0, SLAB_PANIC, NULL);
5564         avc_init();
5565
5566         original_ops = secondary_ops = security_ops;
5567         if (!secondary_ops)
5568                 panic("SELinux: No initial security operations\n");
5569         if (register_security(&selinux_ops))
5570                 panic("SELinux: Unable to register with kernel.\n");
5571
5572         if (selinux_enforcing)
5573                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5574         else
5575                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5576
5577         return 0;
5578 }
5579
5580 void selinux_complete_init(void)
5581 {
5582         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5583
5584         /* Set up any superblocks initialized prior to the policy load. */
5585         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5586         spin_lock(&sb_lock);
5587         spin_lock(&sb_security_lock);
5588 next_sb:
5589         if (!list_empty(&superblock_security_head)) {
5590                 struct superblock_security_struct *sbsec =
5591                                 list_entry(superblock_security_head.next,
5592                                            struct superblock_security_struct,
5593                                            list);
5594                 struct super_block *sb = sbsec->sb;
5595                 sb->s_count++;
5596                 spin_unlock(&sb_security_lock);
5597                 spin_unlock(&sb_lock);
5598                 down_read(&sb->s_umount);
5599                 if (sb->s_root)
5600                         superblock_doinit(sb, NULL);
5601                 drop_super(sb);
5602                 spin_lock(&sb_lock);
5603                 spin_lock(&sb_security_lock);
5604                 list_del_init(&sbsec->list);
5605                 goto next_sb;
5606         }
5607         spin_unlock(&sb_security_lock);
5608         spin_unlock(&sb_lock);
5609 }
5610
5611 /* SELinux requires early initialization in order to label
5612    all processes and objects when they are created. */
5613 security_initcall(selinux_init);
5614
5615 #if defined(CONFIG_NETFILTER)
5616
5617 static struct nf_hook_ops selinux_ipv4_ops[] = {
5618         {
5619                 .hook =         selinux_ipv4_postroute,
5620                 .owner =        THIS_MODULE,
5621                 .pf =           PF_INET,
5622                 .hooknum =      NF_INET_POST_ROUTING,
5623                 .priority =     NF_IP_PRI_SELINUX_LAST,
5624         },
5625         {
5626                 .hook =         selinux_ipv4_forward,
5627                 .owner =        THIS_MODULE,
5628                 .pf =           PF_INET,
5629                 .hooknum =      NF_INET_FORWARD,
5630                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5631         }
5632 };
5633
5634 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5635
5636 static struct nf_hook_ops selinux_ipv6_ops[] = {
5637         {
5638                 .hook =         selinux_ipv6_postroute,
5639                 .owner =        THIS_MODULE,
5640                 .pf =           PF_INET6,
5641                 .hooknum =      NF_INET_POST_ROUTING,
5642                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5643         },
5644         {
5645                 .hook =         selinux_ipv6_forward,
5646                 .owner =        THIS_MODULE,
5647                 .pf =           PF_INET6,
5648                 .hooknum =      NF_INET_FORWARD,
5649                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5650         }
5651 };
5652
5653 #endif  /* IPV6 */
5654
5655 static int __init selinux_nf_ip_init(void)
5656 {
5657         int err = 0;
5658         u32 iter;
5659
5660         if (!selinux_enabled)
5661                 goto out;
5662
5663         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5664
5665         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5666                 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5667                 if (err)
5668                         panic("SELinux: nf_register_hook for IPv4: error %d\n",
5669                               err);
5670         }
5671
5672 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5673         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5674                 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5675                 if (err)
5676                         panic("SELinux: nf_register_hook for IPv6: error %d\n",
5677                               err);
5678         }
5679 #endif  /* IPV6 */
5680
5681 out:
5682         return err;
5683 }
5684
5685 __initcall(selinux_nf_ip_init);
5686
5687 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5688 static void selinux_nf_ip_exit(void)
5689 {
5690         u32 iter;
5691
5692         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5693
5694         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5695                 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5696 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5697         for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5698                 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5699 #endif  /* IPV6 */
5700 }
5701 #endif
5702
5703 #else /* CONFIG_NETFILTER */
5704
5705 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5706 #define selinux_nf_ip_exit()
5707 #endif
5708
5709 #endif /* CONFIG_NETFILTER */
5710
5711 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5712 static int selinux_disabled;
5713
5714 int selinux_disable(void)
5715 {
5716         extern void exit_sel_fs(void);
5717
5718         if (ss_initialized) {
5719                 /* Not permitted after initial policy load. */
5720                 return -EINVAL;
5721         }
5722
5723         if (selinux_disabled) {
5724                 /* Only do this once. */
5725                 return -EINVAL;
5726         }
5727
5728         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5729
5730         selinux_disabled = 1;
5731         selinux_enabled = 0;
5732
5733         /* Reset security_ops to the secondary module, dummy or capability. */
5734         security_ops = secondary_ops;
5735
5736         /* Unregister netfilter hooks. */
5737         selinux_nf_ip_exit();
5738
5739         /* Unregister selinuxfs. */
5740         exit_sel_fs();
5741
5742         return 0;
5743 }
5744 #endif