df30a7555d8aa4f8e4ae71f60426c6368ba6dea7
[linux-3.10.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         unsigned long enforcing;
108         if (!strict_strtoul(str, 0, &enforcing))
109                 selinux_enforcing = enforcing ? 1 : 0;
110         return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120         unsigned long enabled;
121         if (!strict_strtoul(str, 0, &enabled))
122                 selinux_enabled = enabled ? 1 : 0;
123         return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132  * Minimal support for a secondary security module,
133  * just to allow the use of the capability module.
134  */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138    before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146  *
147  * Description:
148  * This function checks the SECMARK reference counter to see if any SECMARK
149  * targets are currently configured, if the reference counter is greater than
150  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
151  * enabled, false (0) if SECMARK is disabled.
152  *
153  */
154 static int selinux_secmark_enabled(void)
155 {
156         return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160  * initialise the security for the init task
161  */
162 static void cred_init_security(void)
163 {
164         struct cred *cred = (struct cred *) current->real_cred;
165         struct task_security_struct *tsec;
166
167         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168         if (!tsec)
169                 panic("SELinux:  Failed to initialize initial task.\n");
170
171         tsec->osid = tsec->sid = SECINITSID_KERNEL;
172         cred->security = tsec;
173 }
174
175 /*
176  * get the security ID of a set of credentials
177  */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180         const struct task_security_struct *tsec;
181
182         tsec = cred->security;
183         return tsec->sid;
184 }
185
186 /*
187  * get the objective security ID of a task
188  */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191         u32 sid;
192
193         rcu_read_lock();
194         sid = cred_sid(__task_cred(task));
195         rcu_read_unlock();
196         return sid;
197 }
198
199 /*
200  * get the subjective security ID of the current task
201  */
202 static inline u32 current_sid(void)
203 {
204         const struct task_security_struct *tsec = current_cred()->security;
205
206         return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213         struct inode_security_struct *isec;
214         u32 sid = current_sid();
215
216         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217         if (!isec)
218                 return -ENOMEM;
219
220         mutex_init(&isec->lock);
221         INIT_LIST_HEAD(&isec->list);
222         isec->inode = inode;
223         isec->sid = SECINITSID_UNLABELED;
224         isec->sclass = SECCLASS_FILE;
225         isec->task_sid = sid;
226         inode->i_security = isec;
227
228         return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233         struct inode_security_struct *isec = inode->i_security;
234         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236         spin_lock(&sbsec->isec_lock);
237         if (!list_empty(&isec->list))
238                 list_del_init(&isec->list);
239         spin_unlock(&sbsec->isec_lock);
240
241         inode->i_security = NULL;
242         kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247         struct file_security_struct *fsec;
248         u32 sid = current_sid();
249
250         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251         if (!fsec)
252                 return -ENOMEM;
253
254         fsec->sid = sid;
255         fsec->fown_sid = sid;
256         file->f_security = fsec;
257
258         return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263         struct file_security_struct *fsec = file->f_security;
264         file->f_security = NULL;
265         kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270         struct superblock_security_struct *sbsec;
271
272         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273         if (!sbsec)
274                 return -ENOMEM;
275
276         mutex_init(&sbsec->lock);
277         INIT_LIST_HEAD(&sbsec->list);
278         INIT_LIST_HEAD(&sbsec->isec_head);
279         spin_lock_init(&sbsec->isec_lock);
280         sbsec->sb = sb;
281         sbsec->sid = SECINITSID_UNLABELED;
282         sbsec->def_sid = SECINITSID_FILE;
283         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284         sb->s_security = sbsec;
285
286         return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291         struct superblock_security_struct *sbsec = sb->s_security;
292
293         spin_lock(&sb_security_lock);
294         if (!list_empty(&sbsec->list))
295                 list_del_init(&sbsec->list);
296         spin_unlock(&sb_security_lock);
297
298         sb->s_security = NULL;
299         kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304         struct sk_security_struct *ssec;
305
306         ssec = kzalloc(sizeof(*ssec), priority);
307         if (!ssec)
308                 return -ENOMEM;
309
310         ssec->peer_sid = SECINITSID_UNLABELED;
311         ssec->sid = SECINITSID_UNLABELED;
312         sk->sk_security = ssec;
313
314         selinux_netlbl_sk_security_reset(ssec, family);
315
316         return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321         struct sk_security_struct *ssec = sk->sk_security;
322
323         sk->sk_security = NULL;
324         selinux_netlbl_sk_security_free(ssec);
325         kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329    any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335         "uses xattr",
336         "uses transition SIDs",
337         "uses task SIDs",
338         "uses genfs_contexts",
339         "not configured for labeling",
340         "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347         return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351         Opt_error = -1,
352         Opt_context = 1,
353         Opt_fscontext = 2,
354         Opt_defcontext = 3,
355         Opt_rootcontext = 4,
356 };
357
358 static const match_table_t tokens = {
359         {Opt_context, CONTEXT_STR "%s"},
360         {Opt_fscontext, FSCONTEXT_STR "%s"},
361         {Opt_defcontext, DEFCONTEXT_STR "%s"},
362         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363         {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369                         struct superblock_security_struct *sbsec,
370                         const struct cred *cred)
371 {
372         const struct task_security_struct *tsec = cred->security;
373         int rc;
374
375         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376                           FILESYSTEM__RELABELFROM, NULL);
377         if (rc)
378                 return rc;
379
380         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381                           FILESYSTEM__RELABELTO, NULL);
382         return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386                         struct superblock_security_struct *sbsec,
387                         const struct cred *cred)
388 {
389         const struct task_security_struct *tsec = cred->security;
390         int rc;
391         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392                           FILESYSTEM__RELABELFROM, NULL);
393         if (rc)
394                 return rc;
395
396         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397                           FILESYSTEM__ASSOCIATE, NULL);
398         return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403         struct superblock_security_struct *sbsec = sb->s_security;
404         struct dentry *root = sb->s_root;
405         struct inode *root_inode = root->d_inode;
406         int rc = 0;
407
408         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409                 /* Make sure that the xattr handler exists and that no
410                    error other than -ENODATA is returned by getxattr on
411                    the root directory.  -ENODATA is ok, as this may be
412                    the first boot of the SELinux kernel before we have
413                    assigned xattr values to the filesystem. */
414                 if (!root_inode->i_op->getxattr) {
415                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416                                "xattr support\n", sb->s_id, sb->s_type->name);
417                         rc = -EOPNOTSUPP;
418                         goto out;
419                 }
420                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421                 if (rc < 0 && rc != -ENODATA) {
422                         if (rc == -EOPNOTSUPP)
423                                 printk(KERN_WARNING "SELinux: (dev %s, type "
424                                        "%s) has no security xattr handler\n",
425                                        sb->s_id, sb->s_type->name);
426                         else
427                                 printk(KERN_WARNING "SELinux: (dev %s, type "
428                                        "%s) getxattr errno %d\n", sb->s_id,
429                                        sb->s_type->name, -rc);
430                         goto out;
431                 }
432         }
433
434         sbsec->initialized = 1;
435
436         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438                        sb->s_id, sb->s_type->name);
439         else
440                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441                        sb->s_id, sb->s_type->name,
442                        labeling_behaviors[sbsec->behavior-1]);
443
444         /* Initialize the root inode. */
445         rc = inode_doinit_with_dentry(root_inode, root);
446
447         /* Initialize any other inodes associated with the superblock, e.g.
448            inodes created prior to initial policy load or inodes created
449            during get_sb by a pseudo filesystem that directly
450            populates itself. */
451         spin_lock(&sbsec->isec_lock);
452 next_inode:
453         if (!list_empty(&sbsec->isec_head)) {
454                 struct inode_security_struct *isec =
455                                 list_entry(sbsec->isec_head.next,
456                                            struct inode_security_struct, list);
457                 struct inode *inode = isec->inode;
458                 spin_unlock(&sbsec->isec_lock);
459                 inode = igrab(inode);
460                 if (inode) {
461                         if (!IS_PRIVATE(inode))
462                                 inode_doinit(inode);
463                         iput(inode);
464                 }
465                 spin_lock(&sbsec->isec_lock);
466                 list_del_init(&isec->list);
467                 goto next_inode;
468         }
469         spin_unlock(&sbsec->isec_lock);
470 out:
471         return rc;
472 }
473
474 /*
475  * This function should allow an FS to ask what it's mount security
476  * options were so it can use those later for submounts, displaying
477  * mount options, or whatever.
478  */
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480                                 struct security_mnt_opts *opts)
481 {
482         int rc = 0, i;
483         struct superblock_security_struct *sbsec = sb->s_security;
484         char *context = NULL;
485         u32 len;
486         char tmp;
487
488         security_init_mnt_opts(opts);
489
490         if (!sbsec->initialized)
491                 return -EINVAL;
492
493         if (!ss_initialized)
494                 return -EINVAL;
495
496         /*
497          * if we ever use sbsec flags for anything other than tracking mount
498          * settings this is going to need a mask
499          */
500         tmp = sbsec->flags;
501         /* count the number of mount options for this sb */
502         for (i = 0; i < 8; i++) {
503                 if (tmp & 0x01)
504                         opts->num_mnt_opts++;
505                 tmp >>= 1;
506         }
507
508         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509         if (!opts->mnt_opts) {
510                 rc = -ENOMEM;
511                 goto out_free;
512         }
513
514         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515         if (!opts->mnt_opts_flags) {
516                 rc = -ENOMEM;
517                 goto out_free;
518         }
519
520         i = 0;
521         if (sbsec->flags & FSCONTEXT_MNT) {
522                 rc = security_sid_to_context(sbsec->sid, &context, &len);
523                 if (rc)
524                         goto out_free;
525                 opts->mnt_opts[i] = context;
526                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
527         }
528         if (sbsec->flags & CONTEXT_MNT) {
529                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530                 if (rc)
531                         goto out_free;
532                 opts->mnt_opts[i] = context;
533                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534         }
535         if (sbsec->flags & DEFCONTEXT_MNT) {
536                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537                 if (rc)
538                         goto out_free;
539                 opts->mnt_opts[i] = context;
540                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
541         }
542         if (sbsec->flags & ROOTCONTEXT_MNT) {
543                 struct inode *root = sbsec->sb->s_root->d_inode;
544                 struct inode_security_struct *isec = root->i_security;
545
546                 rc = security_sid_to_context(isec->sid, &context, &len);
547                 if (rc)
548                         goto out_free;
549                 opts->mnt_opts[i] = context;
550                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551         }
552
553         BUG_ON(i != opts->num_mnt_opts);
554
555         return 0;
556
557 out_free:
558         security_free_mnt_opts(opts);
559         return rc;
560 }
561
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563                       u32 old_sid, u32 new_sid)
564 {
565         /* check if the old mount command had the same options */
566         if (sbsec->initialized)
567                 if (!(sbsec->flags & flag) ||
568                     (old_sid != new_sid))
569                         return 1;
570
571         /* check if we were passed the same options twice,
572          * aka someone passed context=a,context=b
573          */
574         if (!sbsec->initialized)
575                 if (sbsec->flags & flag)
576                         return 1;
577         return 0;
578 }
579
580 /*
581  * Allow filesystems with binary mount data to explicitly set mount point
582  * labeling information.
583  */
584 static int selinux_set_mnt_opts(struct super_block *sb,
585                                 struct security_mnt_opts *opts)
586 {
587         const struct cred *cred = current_cred();
588         int rc = 0, i;
589         struct superblock_security_struct *sbsec = sb->s_security;
590         const char *name = sb->s_type->name;
591         struct inode *inode = sbsec->sb->s_root->d_inode;
592         struct inode_security_struct *root_isec = inode->i_security;
593         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594         u32 defcontext_sid = 0;
595         char **mount_options = opts->mnt_opts;
596         int *flags = opts->mnt_opts_flags;
597         int num_opts = opts->num_mnt_opts;
598
599         mutex_lock(&sbsec->lock);
600
601         if (!ss_initialized) {
602                 if (!num_opts) {
603                         /* Defer initialization until selinux_complete_init,
604                            after the initial policy is loaded and the security
605                            server is ready to handle calls. */
606                         spin_lock(&sb_security_lock);
607                         if (list_empty(&sbsec->list))
608                                 list_add(&sbsec->list, &superblock_security_head);
609                         spin_unlock(&sb_security_lock);
610                         goto out;
611                 }
612                 rc = -EINVAL;
613                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614                         "before the security server is initialized\n");
615                 goto out;
616         }
617
618         /*
619          * Binary mount data FS will come through this function twice.  Once
620          * from an explicit call and once from the generic calls from the vfs.
621          * Since the generic VFS calls will not contain any security mount data
622          * we need to skip the double mount verification.
623          *
624          * This does open a hole in which we will not notice if the first
625          * mount using this sb set explict options and a second mount using
626          * this sb does not set any security options.  (The first options
627          * will be used for both mounts)
628          */
629         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630             && (num_opts == 0))
631                 goto out;
632
633         /*
634          * parse the mount options, check if they are valid sids.
635          * also check if someone is trying to mount the same sb more
636          * than once with different security options.
637          */
638         for (i = 0; i < num_opts; i++) {
639                 u32 sid;
640                 rc = security_context_to_sid(mount_options[i],
641                                              strlen(mount_options[i]), &sid);
642                 if (rc) {
643                         printk(KERN_WARNING "SELinux: security_context_to_sid"
644                                "(%s) failed for (dev %s, type %s) errno=%d\n",
645                                mount_options[i], sb->s_id, name, rc);
646                         goto out;
647                 }
648                 switch (flags[i]) {
649                 case FSCONTEXT_MNT:
650                         fscontext_sid = sid;
651
652                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653                                         fscontext_sid))
654                                 goto out_double_mount;
655
656                         sbsec->flags |= FSCONTEXT_MNT;
657                         break;
658                 case CONTEXT_MNT:
659                         context_sid = sid;
660
661                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662                                         context_sid))
663                                 goto out_double_mount;
664
665                         sbsec->flags |= CONTEXT_MNT;
666                         break;
667                 case ROOTCONTEXT_MNT:
668                         rootcontext_sid = sid;
669
670                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671                                         rootcontext_sid))
672                                 goto out_double_mount;
673
674                         sbsec->flags |= ROOTCONTEXT_MNT;
675
676                         break;
677                 case DEFCONTEXT_MNT:
678                         defcontext_sid = sid;
679
680                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681                                         defcontext_sid))
682                                 goto out_double_mount;
683
684                         sbsec->flags |= DEFCONTEXT_MNT;
685
686                         break;
687                 default:
688                         rc = -EINVAL;
689                         goto out;
690                 }
691         }
692
693         if (sbsec->initialized) {
694                 /* previously mounted with options, but not on this attempt? */
695                 if (sbsec->flags && !num_opts)
696                         goto out_double_mount;
697                 rc = 0;
698                 goto out;
699         }
700
701         if (strcmp(sb->s_type->name, "proc") == 0)
702                 sbsec->proc = 1;
703
704         /* Determine the labeling behavior to use for this filesystem type. */
705         rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706         if (rc) {
707                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708                        __func__, sb->s_type->name, rc);
709                 goto out;
710         }
711
712         /* sets the context of the superblock for the fs being mounted. */
713         if (fscontext_sid) {
714                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
715                 if (rc)
716                         goto out;
717
718                 sbsec->sid = fscontext_sid;
719         }
720
721         /*
722          * Switch to using mount point labeling behavior.
723          * sets the label used on all file below the mountpoint, and will set
724          * the superblock context if not already set.
725          */
726         if (context_sid) {
727                 if (!fscontext_sid) {
728                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
729                                                           cred);
730                         if (rc)
731                                 goto out;
732                         sbsec->sid = context_sid;
733                 } else {
734                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
735                                                              cred);
736                         if (rc)
737                                 goto out;
738                 }
739                 if (!rootcontext_sid)
740                         rootcontext_sid = context_sid;
741
742                 sbsec->mntpoint_sid = context_sid;
743                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744         }
745
746         if (rootcontext_sid) {
747                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748                                                      cred);
749                 if (rc)
750                         goto out;
751
752                 root_isec->sid = rootcontext_sid;
753                 root_isec->initialized = 1;
754         }
755
756         if (defcontext_sid) {
757                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758                         rc = -EINVAL;
759                         printk(KERN_WARNING "SELinux: defcontext option is "
760                                "invalid for this filesystem type\n");
761                         goto out;
762                 }
763
764                 if (defcontext_sid != sbsec->def_sid) {
765                         rc = may_context_mount_inode_relabel(defcontext_sid,
766                                                              sbsec, cred);
767                         if (rc)
768                                 goto out;
769                 }
770
771                 sbsec->def_sid = defcontext_sid;
772         }
773
774         rc = sb_finish_set_opts(sb);
775 out:
776         mutex_unlock(&sbsec->lock);
777         return rc;
778 out_double_mount:
779         rc = -EINVAL;
780         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
781                "security settings for (dev %s, type %s)\n", sb->s_id, name);
782         goto out;
783 }
784
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786                                         struct super_block *newsb)
787 {
788         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789         struct superblock_security_struct *newsbsec = newsb->s_security;
790
791         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
792         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
793         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795         /*
796          * if the parent was able to be mounted it clearly had no special lsm
797          * mount options.  thus we can safely put this sb on the list and deal
798          * with it later
799          */
800         if (!ss_initialized) {
801                 spin_lock(&sb_security_lock);
802                 if (list_empty(&newsbsec->list))
803                         list_add(&newsbsec->list, &superblock_security_head);
804                 spin_unlock(&sb_security_lock);
805                 return;
806         }
807
808         /* how can we clone if the old one wasn't set up?? */
809         BUG_ON(!oldsbsec->initialized);
810
811         /* if fs is reusing a sb, just let its options stand... */
812         if (newsbsec->initialized)
813                 return;
814
815         mutex_lock(&newsbsec->lock);
816
817         newsbsec->flags = oldsbsec->flags;
818
819         newsbsec->sid = oldsbsec->sid;
820         newsbsec->def_sid = oldsbsec->def_sid;
821         newsbsec->behavior = oldsbsec->behavior;
822
823         if (set_context) {
824                 u32 sid = oldsbsec->mntpoint_sid;
825
826                 if (!set_fscontext)
827                         newsbsec->sid = sid;
828                 if (!set_rootcontext) {
829                         struct inode *newinode = newsb->s_root->d_inode;
830                         struct inode_security_struct *newisec = newinode->i_security;
831                         newisec->sid = sid;
832                 }
833                 newsbsec->mntpoint_sid = sid;
834         }
835         if (set_rootcontext) {
836                 const struct inode *oldinode = oldsb->s_root->d_inode;
837                 const struct inode_security_struct *oldisec = oldinode->i_security;
838                 struct inode *newinode = newsb->s_root->d_inode;
839                 struct inode_security_struct *newisec = newinode->i_security;
840
841                 newisec->sid = oldisec->sid;
842         }
843
844         sb_finish_set_opts(newsb);
845         mutex_unlock(&newsbsec->lock);
846 }
847
848 static int selinux_parse_opts_str(char *options,
849                                   struct security_mnt_opts *opts)
850 {
851         char *p;
852         char *context = NULL, *defcontext = NULL;
853         char *fscontext = NULL, *rootcontext = NULL;
854         int rc, num_mnt_opts = 0;
855
856         opts->num_mnt_opts = 0;
857
858         /* Standard string-based options. */
859         while ((p = strsep(&options, "|")) != NULL) {
860                 int token;
861                 substring_t args[MAX_OPT_ARGS];
862
863                 if (!*p)
864                         continue;
865
866                 token = match_token(p, tokens, args);
867
868                 switch (token) {
869                 case Opt_context:
870                         if (context || defcontext) {
871                                 rc = -EINVAL;
872                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873                                 goto out_err;
874                         }
875                         context = match_strdup(&args[0]);
876                         if (!context) {
877                                 rc = -ENOMEM;
878                                 goto out_err;
879                         }
880                         break;
881
882                 case Opt_fscontext:
883                         if (fscontext) {
884                                 rc = -EINVAL;
885                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886                                 goto out_err;
887                         }
888                         fscontext = match_strdup(&args[0]);
889                         if (!fscontext) {
890                                 rc = -ENOMEM;
891                                 goto out_err;
892                         }
893                         break;
894
895                 case Opt_rootcontext:
896                         if (rootcontext) {
897                                 rc = -EINVAL;
898                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899                                 goto out_err;
900                         }
901                         rootcontext = match_strdup(&args[0]);
902                         if (!rootcontext) {
903                                 rc = -ENOMEM;
904                                 goto out_err;
905                         }
906                         break;
907
908                 case Opt_defcontext:
909                         if (context || defcontext) {
910                                 rc = -EINVAL;
911                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912                                 goto out_err;
913                         }
914                         defcontext = match_strdup(&args[0]);
915                         if (!defcontext) {
916                                 rc = -ENOMEM;
917                                 goto out_err;
918                         }
919                         break;
920
921                 default:
922                         rc = -EINVAL;
923                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
924                         goto out_err;
925
926                 }
927         }
928
929         rc = -ENOMEM;
930         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931         if (!opts->mnt_opts)
932                 goto out_err;
933
934         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935         if (!opts->mnt_opts_flags) {
936                 kfree(opts->mnt_opts);
937                 goto out_err;
938         }
939
940         if (fscontext) {
941                 opts->mnt_opts[num_mnt_opts] = fscontext;
942                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943         }
944         if (context) {
945                 opts->mnt_opts[num_mnt_opts] = context;
946                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947         }
948         if (rootcontext) {
949                 opts->mnt_opts[num_mnt_opts] = rootcontext;
950                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951         }
952         if (defcontext) {
953                 opts->mnt_opts[num_mnt_opts] = defcontext;
954                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955         }
956
957         opts->num_mnt_opts = num_mnt_opts;
958         return 0;
959
960 out_err:
961         kfree(context);
962         kfree(defcontext);
963         kfree(fscontext);
964         kfree(rootcontext);
965         return rc;
966 }
967 /*
968  * string mount options parsing and call set the sbsec
969  */
970 static int superblock_doinit(struct super_block *sb, void *data)
971 {
972         int rc = 0;
973         char *options = data;
974         struct security_mnt_opts opts;
975
976         security_init_mnt_opts(&opts);
977
978         if (!data)
979                 goto out;
980
981         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983         rc = selinux_parse_opts_str(options, &opts);
984         if (rc)
985                 goto out_err;
986
987 out:
988         rc = selinux_set_mnt_opts(sb, &opts);
989
990 out_err:
991         security_free_mnt_opts(&opts);
992         return rc;
993 }
994
995 static void selinux_write_opts(struct seq_file *m,
996                                struct security_mnt_opts *opts)
997 {
998         int i;
999         char *prefix;
1000
1001         for (i = 0; i < opts->num_mnt_opts; i++) {
1002                 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004                 switch (opts->mnt_opts_flags[i]) {
1005                 case CONTEXT_MNT:
1006                         prefix = CONTEXT_STR;
1007                         break;
1008                 case FSCONTEXT_MNT:
1009                         prefix = FSCONTEXT_STR;
1010                         break;
1011                 case ROOTCONTEXT_MNT:
1012                         prefix = ROOTCONTEXT_STR;
1013                         break;
1014                 case DEFCONTEXT_MNT:
1015                         prefix = DEFCONTEXT_STR;
1016                         break;
1017                 default:
1018                         BUG();
1019                 };
1020                 /* we need a comma before each option */
1021                 seq_putc(m, ',');
1022                 seq_puts(m, prefix);
1023                 if (has_comma)
1024                         seq_putc(m, '\"');
1025                 seq_puts(m, opts->mnt_opts[i]);
1026                 if (has_comma)
1027                         seq_putc(m, '\"');
1028         }
1029 }
1030
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032 {
1033         struct security_mnt_opts opts;
1034         int rc;
1035
1036         rc = selinux_get_mnt_opts(sb, &opts);
1037         if (rc) {
1038                 /* before policy load we may get EINVAL, don't show anything */
1039                 if (rc == -EINVAL)
1040                         rc = 0;
1041                 return rc;
1042         }
1043
1044         selinux_write_opts(m, &opts);
1045
1046         security_free_mnt_opts(&opts);
1047
1048         return rc;
1049 }
1050
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1052 {
1053         switch (mode & S_IFMT) {
1054         case S_IFSOCK:
1055                 return SECCLASS_SOCK_FILE;
1056         case S_IFLNK:
1057                 return SECCLASS_LNK_FILE;
1058         case S_IFREG:
1059                 return SECCLASS_FILE;
1060         case S_IFBLK:
1061                 return SECCLASS_BLK_FILE;
1062         case S_IFDIR:
1063                 return SECCLASS_DIR;
1064         case S_IFCHR:
1065                 return SECCLASS_CHR_FILE;
1066         case S_IFIFO:
1067                 return SECCLASS_FIFO_FILE;
1068
1069         }
1070
1071         return SECCLASS_FILE;
1072 }
1073
1074 static inline int default_protocol_stream(int protocol)
1075 {
1076         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 }
1078
1079 static inline int default_protocol_dgram(int protocol)
1080 {
1081         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 }
1083
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085 {
1086         switch (family) {
1087         case PF_UNIX:
1088                 switch (type) {
1089                 case SOCK_STREAM:
1090                 case SOCK_SEQPACKET:
1091                         return SECCLASS_UNIX_STREAM_SOCKET;
1092                 case SOCK_DGRAM:
1093                         return SECCLASS_UNIX_DGRAM_SOCKET;
1094                 }
1095                 break;
1096         case PF_INET:
1097         case PF_INET6:
1098                 switch (type) {
1099                 case SOCK_STREAM:
1100                         if (default_protocol_stream(protocol))
1101                                 return SECCLASS_TCP_SOCKET;
1102                         else
1103                                 return SECCLASS_RAWIP_SOCKET;
1104                 case SOCK_DGRAM:
1105                         if (default_protocol_dgram(protocol))
1106                                 return SECCLASS_UDP_SOCKET;
1107                         else
1108                                 return SECCLASS_RAWIP_SOCKET;
1109                 case SOCK_DCCP:
1110                         return SECCLASS_DCCP_SOCKET;
1111                 default:
1112                         return SECCLASS_RAWIP_SOCKET;
1113                 }
1114                 break;
1115         case PF_NETLINK:
1116                 switch (protocol) {
1117                 case NETLINK_ROUTE:
1118                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1119                 case NETLINK_FIREWALL:
1120                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121                 case NETLINK_INET_DIAG:
1122                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123                 case NETLINK_NFLOG:
1124                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1125                 case NETLINK_XFRM:
1126                         return SECCLASS_NETLINK_XFRM_SOCKET;
1127                 case NETLINK_SELINUX:
1128                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1129                 case NETLINK_AUDIT:
1130                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1131                 case NETLINK_IP6_FW:
1132                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1133                 case NETLINK_DNRTMSG:
1134                         return SECCLASS_NETLINK_DNRT_SOCKET;
1135                 case NETLINK_KOBJECT_UEVENT:
1136                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1137                 default:
1138                         return SECCLASS_NETLINK_SOCKET;
1139                 }
1140         case PF_PACKET:
1141                 return SECCLASS_PACKET_SOCKET;
1142         case PF_KEY:
1143                 return SECCLASS_KEY_SOCKET;
1144         case PF_APPLETALK:
1145                 return SECCLASS_APPLETALK_SOCKET;
1146         }
1147
1148         return SECCLASS_SOCKET;
1149 }
1150
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153                                 u16 tclass,
1154                                 u32 *sid)
1155 {
1156         int buflen, rc;
1157         char *buffer, *path, *end;
1158
1159         buffer = (char *)__get_free_page(GFP_KERNEL);
1160         if (!buffer)
1161                 return -ENOMEM;
1162
1163         buflen = PAGE_SIZE;
1164         end = buffer+buflen;
1165         *--end = '\0';
1166         buflen--;
1167         path = end-1;
1168         *path = '/';
1169         while (de && de != de->parent) {
1170                 buflen -= de->namelen + 1;
1171                 if (buflen < 0)
1172                         break;
1173                 end -= de->namelen;
1174                 memcpy(end, de->name, de->namelen);
1175                 *--end = '/';
1176                 path = end;
1177                 de = de->parent;
1178         }
1179         rc = security_genfs_sid("proc", path, tclass, sid);
1180         free_page((unsigned long)buffer);
1181         return rc;
1182 }
1183 #else
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185                                 u16 tclass,
1186                                 u32 *sid)
1187 {
1188         return -EINVAL;
1189 }
1190 #endif
1191
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194 {
1195         struct superblock_security_struct *sbsec = NULL;
1196         struct inode_security_struct *isec = inode->i_security;
1197         u32 sid;
1198         struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200         char *context = NULL;
1201         unsigned len = 0;
1202         int rc = 0;
1203
1204         if (isec->initialized)
1205                 goto out;
1206
1207         mutex_lock(&isec->lock);
1208         if (isec->initialized)
1209                 goto out_unlock;
1210
1211         sbsec = inode->i_sb->s_security;
1212         if (!sbsec->initialized) {
1213                 /* Defer initialization until selinux_complete_init,
1214                    after the initial policy is loaded and the security
1215                    server is ready to handle calls. */
1216                 spin_lock(&sbsec->isec_lock);
1217                 if (list_empty(&isec->list))
1218                         list_add(&isec->list, &sbsec->isec_head);
1219                 spin_unlock(&sbsec->isec_lock);
1220                 goto out_unlock;
1221         }
1222
1223         switch (sbsec->behavior) {
1224         case SECURITY_FS_USE_XATTR:
1225                 if (!inode->i_op->getxattr) {
1226                         isec->sid = sbsec->def_sid;
1227                         break;
1228                 }
1229
1230                 /* Need a dentry, since the xattr API requires one.
1231                    Life would be simpler if we could just pass the inode. */
1232                 if (opt_dentry) {
1233                         /* Called from d_instantiate or d_splice_alias. */
1234                         dentry = dget(opt_dentry);
1235                 } else {
1236                         /* Called from selinux_complete_init, try to find a dentry. */
1237                         dentry = d_find_alias(inode);
1238                 }
1239                 if (!dentry) {
1240                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1241                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1242                                inode->i_ino);
1243                         goto out_unlock;
1244                 }
1245
1246                 len = INITCONTEXTLEN;
1247                 context = kmalloc(len, GFP_NOFS);
1248                 if (!context) {
1249                         rc = -ENOMEM;
1250                         dput(dentry);
1251                         goto out_unlock;
1252                 }
1253                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254                                            context, len);
1255                 if (rc == -ERANGE) {
1256                         /* Need a larger buffer.  Query for the right size. */
1257                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258                                                    NULL, 0);
1259                         if (rc < 0) {
1260                                 dput(dentry);
1261                                 goto out_unlock;
1262                         }
1263                         kfree(context);
1264                         len = rc;
1265                         context = kmalloc(len, GFP_NOFS);
1266                         if (!context) {
1267                                 rc = -ENOMEM;
1268                                 dput(dentry);
1269                                 goto out_unlock;
1270                         }
1271                         rc = inode->i_op->getxattr(dentry,
1272                                                    XATTR_NAME_SELINUX,
1273                                                    context, len);
1274                 }
1275                 dput(dentry);
1276                 if (rc < 0) {
1277                         if (rc != -ENODATA) {
1278                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1279                                        "%d for dev=%s ino=%ld\n", __func__,
1280                                        -rc, inode->i_sb->s_id, inode->i_ino);
1281                                 kfree(context);
1282                                 goto out_unlock;
1283                         }
1284                         /* Map ENODATA to the default file SID */
1285                         sid = sbsec->def_sid;
1286                         rc = 0;
1287                 } else {
1288                         rc = security_context_to_sid_default(context, rc, &sid,
1289                                                              sbsec->def_sid,
1290                                                              GFP_NOFS);
1291                         if (rc) {
1292                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1293                                        "returned %d for dev=%s ino=%ld\n",
1294                                        __func__, context, -rc,
1295                                        inode->i_sb->s_id, inode->i_ino);
1296                                 kfree(context);
1297                                 /* Leave with the unlabeled SID */
1298                                 rc = 0;
1299                                 break;
1300                         }
1301                 }
1302                 kfree(context);
1303                 isec->sid = sid;
1304                 break;
1305         case SECURITY_FS_USE_TASK:
1306                 isec->sid = isec->task_sid;
1307                 break;
1308         case SECURITY_FS_USE_TRANS:
1309                 /* Default to the fs SID. */
1310                 isec->sid = sbsec->sid;
1311
1312                 /* Try to obtain a transition SID. */
1313                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314                 rc = security_transition_sid(isec->task_sid,
1315                                              sbsec->sid,
1316                                              isec->sclass,
1317                                              &sid);
1318                 if (rc)
1319                         goto out_unlock;
1320                 isec->sid = sid;
1321                 break;
1322         case SECURITY_FS_USE_MNTPOINT:
1323                 isec->sid = sbsec->mntpoint_sid;
1324                 break;
1325         default:
1326                 /* Default to the fs superblock SID. */
1327                 isec->sid = sbsec->sid;
1328
1329                 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330                         struct proc_inode *proci = PROC_I(inode);
1331                         if (proci->pde) {
1332                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333                                 rc = selinux_proc_get_sid(proci->pde,
1334                                                           isec->sclass,
1335                                                           &sid);
1336                                 if (rc)
1337                                         goto out_unlock;
1338                                 isec->sid = sid;
1339                         }
1340                 }
1341                 break;
1342         }
1343
1344         isec->initialized = 1;
1345
1346 out_unlock:
1347         mutex_unlock(&isec->lock);
1348 out:
1349         if (isec->sclass == SECCLASS_FILE)
1350                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351         return rc;
1352 }
1353
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1356 {
1357         u32 perm = 0;
1358
1359         switch (sig) {
1360         case SIGCHLD:
1361                 /* Commonly granted from child to parent. */
1362                 perm = PROCESS__SIGCHLD;
1363                 break;
1364         case SIGKILL:
1365                 /* Cannot be caught or ignored */
1366                 perm = PROCESS__SIGKILL;
1367                 break;
1368         case SIGSTOP:
1369                 /* Cannot be caught or ignored */
1370                 perm = PROCESS__SIGSTOP;
1371                 break;
1372         default:
1373                 /* All other signals. */
1374                 perm = PROCESS__SIGNAL;
1375                 break;
1376         }
1377
1378         return perm;
1379 }
1380
1381 /*
1382  * Check permission between a pair of credentials
1383  * fork check, ptrace check, etc.
1384  */
1385 static int cred_has_perm(const struct cred *actor,
1386                          const struct cred *target,
1387                          u32 perms)
1388 {
1389         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392 }
1393
1394 /*
1395  * Check permission between a pair of tasks, e.g. signal checks,
1396  * fork check, ptrace check, etc.
1397  * tsk1 is the actor and tsk2 is the target
1398  * - this uses the default subjective creds of tsk1
1399  */
1400 static int task_has_perm(const struct task_struct *tsk1,
1401                          const struct task_struct *tsk2,
1402                          u32 perms)
1403 {
1404         const struct task_security_struct *__tsec1, *__tsec2;
1405         u32 sid1, sid2;
1406
1407         rcu_read_lock();
1408         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1409         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1410         rcu_read_unlock();
1411         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 /*
1415  * Check permission between current and another task, e.g. signal checks,
1416  * fork check, ptrace check, etc.
1417  * current is the actor and tsk2 is the target
1418  * - this uses current's subjective creds
1419  */
1420 static int current_has_perm(const struct task_struct *tsk,
1421                             u32 perms)
1422 {
1423         u32 sid, tsid;
1424
1425         sid = current_sid();
1426         tsid = task_sid(tsk);
1427         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1428 }
1429
1430 #if CAP_LAST_CAP > 63
1431 #error Fix SELinux to handle capabilities > 63.
1432 #endif
1433
1434 /* Check whether a task is allowed to use a capability. */
1435 static int task_has_capability(struct task_struct *tsk,
1436                                int cap, int audit)
1437 {
1438         struct avc_audit_data ad;
1439         struct av_decision avd;
1440         u16 sclass;
1441         u32 sid = task_sid(tsk);
1442         u32 av = CAP_TO_MASK(cap);
1443         int rc;
1444
1445         AVC_AUDIT_DATA_INIT(&ad, CAP);
1446         ad.tsk = tsk;
1447         ad.u.cap = cap;
1448
1449         switch (CAP_TO_INDEX(cap)) {
1450         case 0:
1451                 sclass = SECCLASS_CAPABILITY;
1452                 break;
1453         case 1:
1454                 sclass = SECCLASS_CAPABILITY2;
1455                 break;
1456         default:
1457                 printk(KERN_ERR
1458                        "SELinux:  out of range capability %d\n", cap);
1459                 BUG();
1460         }
1461
1462         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1463         if (audit == SECURITY_CAP_AUDIT)
1464                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1465         return rc;
1466 }
1467
1468 /* Check whether a task is allowed to use a system operation. */
1469 static int task_has_system(struct task_struct *tsk,
1470                            u32 perms)
1471 {
1472         u32 sid = task_sid(tsk);
1473
1474         return avc_has_perm(sid, SECINITSID_KERNEL,
1475                             SECCLASS_SYSTEM, perms, NULL);
1476 }
1477
1478 /* Check whether a task has a particular permission to an inode.
1479    The 'adp' parameter is optional and allows other audit
1480    data to be passed (e.g. the dentry). */
1481 static int inode_has_perm(const struct cred *cred,
1482                           struct inode *inode,
1483                           u32 perms,
1484                           struct avc_audit_data *adp)
1485 {
1486         struct inode_security_struct *isec;
1487         struct avc_audit_data ad;
1488         u32 sid;
1489
1490         if (unlikely(IS_PRIVATE(inode)))
1491                 return 0;
1492
1493         sid = cred_sid(cred);
1494         isec = inode->i_security;
1495
1496         if (!adp) {
1497                 adp = &ad;
1498                 AVC_AUDIT_DATA_INIT(&ad, FS);
1499                 ad.u.fs.inode = inode;
1500         }
1501
1502         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1503 }
1504
1505 /* Same as inode_has_perm, but pass explicit audit data containing
1506    the dentry to help the auditing code to more easily generate the
1507    pathname if needed. */
1508 static inline int dentry_has_perm(const struct cred *cred,
1509                                   struct vfsmount *mnt,
1510                                   struct dentry *dentry,
1511                                   u32 av)
1512 {
1513         struct inode *inode = dentry->d_inode;
1514         struct avc_audit_data ad;
1515
1516         AVC_AUDIT_DATA_INIT(&ad, FS);
1517         ad.u.fs.path.mnt = mnt;
1518         ad.u.fs.path.dentry = dentry;
1519         return inode_has_perm(cred, inode, av, &ad);
1520 }
1521
1522 /* Check whether a task can use an open file descriptor to
1523    access an inode in a given way.  Check access to the
1524    descriptor itself, and then use dentry_has_perm to
1525    check a particular permission to the file.
1526    Access to the descriptor is implicitly granted if it
1527    has the same SID as the process.  If av is zero, then
1528    access to the file is not checked, e.g. for cases
1529    where only the descriptor is affected like seek. */
1530 static int file_has_perm(const struct cred *cred,
1531                          struct file *file,
1532                          u32 av)
1533 {
1534         struct file_security_struct *fsec = file->f_security;
1535         struct inode *inode = file->f_path.dentry->d_inode;
1536         struct avc_audit_data ad;
1537         u32 sid = cred_sid(cred);
1538         int rc;
1539
1540         AVC_AUDIT_DATA_INIT(&ad, FS);
1541         ad.u.fs.path = file->f_path;
1542
1543         if (sid != fsec->sid) {
1544                 rc = avc_has_perm(sid, fsec->sid,
1545                                   SECCLASS_FD,
1546                                   FD__USE,
1547                                   &ad);
1548                 if (rc)
1549                         goto out;
1550         }
1551
1552         /* av is zero if only checking access to the descriptor. */
1553         rc = 0;
1554         if (av)
1555                 rc = inode_has_perm(cred, inode, av, &ad);
1556
1557 out:
1558         return rc;
1559 }
1560
1561 /* Check whether a task can create a file. */
1562 static int may_create(struct inode *dir,
1563                       struct dentry *dentry,
1564                       u16 tclass)
1565 {
1566         const struct cred *cred = current_cred();
1567         const struct task_security_struct *tsec = cred->security;
1568         struct inode_security_struct *dsec;
1569         struct superblock_security_struct *sbsec;
1570         u32 sid, newsid;
1571         struct avc_audit_data ad;
1572         int rc;
1573
1574         dsec = dir->i_security;
1575         sbsec = dir->i_sb->s_security;
1576
1577         sid = tsec->sid;
1578         newsid = tsec->create_sid;
1579
1580         AVC_AUDIT_DATA_INIT(&ad, FS);
1581         ad.u.fs.path.dentry = dentry;
1582
1583         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1584                           DIR__ADD_NAME | DIR__SEARCH,
1585                           &ad);
1586         if (rc)
1587                 return rc;
1588
1589         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1590                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1591                 if (rc)
1592                         return rc;
1593         }
1594
1595         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1596         if (rc)
1597                 return rc;
1598
1599         return avc_has_perm(newsid, sbsec->sid,
1600                             SECCLASS_FILESYSTEM,
1601                             FILESYSTEM__ASSOCIATE, &ad);
1602 }
1603
1604 /* Check whether a task can create a key. */
1605 static int may_create_key(u32 ksid,
1606                           struct task_struct *ctx)
1607 {
1608         u32 sid = task_sid(ctx);
1609
1610         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1611 }
1612
1613 #define MAY_LINK        0
1614 #define MAY_UNLINK      1
1615 #define MAY_RMDIR       2
1616
1617 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1618 static int may_link(struct inode *dir,
1619                     struct dentry *dentry,
1620                     int kind)
1621
1622 {
1623         struct inode_security_struct *dsec, *isec;
1624         struct avc_audit_data ad;
1625         u32 sid = current_sid();
1626         u32 av;
1627         int rc;
1628
1629         dsec = dir->i_security;
1630         isec = dentry->d_inode->i_security;
1631
1632         AVC_AUDIT_DATA_INIT(&ad, FS);
1633         ad.u.fs.path.dentry = dentry;
1634
1635         av = DIR__SEARCH;
1636         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1637         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1638         if (rc)
1639                 return rc;
1640
1641         switch (kind) {
1642         case MAY_LINK:
1643                 av = FILE__LINK;
1644                 break;
1645         case MAY_UNLINK:
1646                 av = FILE__UNLINK;
1647                 break;
1648         case MAY_RMDIR:
1649                 av = DIR__RMDIR;
1650                 break;
1651         default:
1652                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1653                         __func__, kind);
1654                 return 0;
1655         }
1656
1657         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1658         return rc;
1659 }
1660
1661 static inline int may_rename(struct inode *old_dir,
1662                              struct dentry *old_dentry,
1663                              struct inode *new_dir,
1664                              struct dentry *new_dentry)
1665 {
1666         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1667         struct avc_audit_data ad;
1668         u32 sid = current_sid();
1669         u32 av;
1670         int old_is_dir, new_is_dir;
1671         int rc;
1672
1673         old_dsec = old_dir->i_security;
1674         old_isec = old_dentry->d_inode->i_security;
1675         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1676         new_dsec = new_dir->i_security;
1677
1678         AVC_AUDIT_DATA_INIT(&ad, FS);
1679
1680         ad.u.fs.path.dentry = old_dentry;
1681         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1682                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1683         if (rc)
1684                 return rc;
1685         rc = avc_has_perm(sid, old_isec->sid,
1686                           old_isec->sclass, FILE__RENAME, &ad);
1687         if (rc)
1688                 return rc;
1689         if (old_is_dir && new_dir != old_dir) {
1690                 rc = avc_has_perm(sid, old_isec->sid,
1691                                   old_isec->sclass, DIR__REPARENT, &ad);
1692                 if (rc)
1693                         return rc;
1694         }
1695
1696         ad.u.fs.path.dentry = new_dentry;
1697         av = DIR__ADD_NAME | DIR__SEARCH;
1698         if (new_dentry->d_inode)
1699                 av |= DIR__REMOVE_NAME;
1700         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1701         if (rc)
1702                 return rc;
1703         if (new_dentry->d_inode) {
1704                 new_isec = new_dentry->d_inode->i_security;
1705                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1706                 rc = avc_has_perm(sid, new_isec->sid,
1707                                   new_isec->sclass,
1708                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1709                 if (rc)
1710                         return rc;
1711         }
1712
1713         return 0;
1714 }
1715
1716 /* Check whether a task can perform a filesystem operation. */
1717 static int superblock_has_perm(const struct cred *cred,
1718                                struct super_block *sb,
1719                                u32 perms,
1720                                struct avc_audit_data *ad)
1721 {
1722         struct superblock_security_struct *sbsec;
1723         u32 sid = cred_sid(cred);
1724
1725         sbsec = sb->s_security;
1726         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1727 }
1728
1729 /* Convert a Linux mode and permission mask to an access vector. */
1730 static inline u32 file_mask_to_av(int mode, int mask)
1731 {
1732         u32 av = 0;
1733
1734         if ((mode & S_IFMT) != S_IFDIR) {
1735                 if (mask & MAY_EXEC)
1736                         av |= FILE__EXECUTE;
1737                 if (mask & MAY_READ)
1738                         av |= FILE__READ;
1739
1740                 if (mask & MAY_APPEND)
1741                         av |= FILE__APPEND;
1742                 else if (mask & MAY_WRITE)
1743                         av |= FILE__WRITE;
1744
1745         } else {
1746                 if (mask & MAY_EXEC)
1747                         av |= DIR__SEARCH;
1748                 if (mask & MAY_WRITE)
1749                         av |= DIR__WRITE;
1750                 if (mask & MAY_READ)
1751                         av |= DIR__READ;
1752         }
1753
1754         return av;
1755 }
1756
1757 /* Convert a Linux file to an access vector. */
1758 static inline u32 file_to_av(struct file *file)
1759 {
1760         u32 av = 0;
1761
1762         if (file->f_mode & FMODE_READ)
1763                 av |= FILE__READ;
1764         if (file->f_mode & FMODE_WRITE) {
1765                 if (file->f_flags & O_APPEND)
1766                         av |= FILE__APPEND;
1767                 else
1768                         av |= FILE__WRITE;
1769         }
1770         if (!av) {
1771                 /*
1772                  * Special file opened with flags 3 for ioctl-only use.
1773                  */
1774                 av = FILE__IOCTL;
1775         }
1776
1777         return av;
1778 }
1779
1780 /*
1781  * Convert a file to an access vector and include the correct open
1782  * open permission.
1783  */
1784 static inline u32 open_file_to_av(struct file *file)
1785 {
1786         u32 av = file_to_av(file);
1787
1788         if (selinux_policycap_openperm) {
1789                 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1790                 /*
1791                  * lnk files and socks do not really have an 'open'
1792                  */
1793                 if (S_ISREG(mode))
1794                         av |= FILE__OPEN;
1795                 else if (S_ISCHR(mode))
1796                         av |= CHR_FILE__OPEN;
1797                 else if (S_ISBLK(mode))
1798                         av |= BLK_FILE__OPEN;
1799                 else if (S_ISFIFO(mode))
1800                         av |= FIFO_FILE__OPEN;
1801                 else if (S_ISDIR(mode))
1802                         av |= DIR__OPEN;
1803                 else
1804                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1805                                 "unknown mode:%o\n", __func__, mode);
1806         }
1807         return av;
1808 }
1809
1810 /* Hook functions begin here. */
1811
1812 static int selinux_ptrace_may_access(struct task_struct *child,
1813                                      unsigned int mode)
1814 {
1815         int rc;
1816
1817         rc = secondary_ops->ptrace_may_access(child, mode);
1818         if (rc)
1819                 return rc;
1820
1821         if (mode == PTRACE_MODE_READ) {
1822                 u32 sid = current_sid();
1823                 u32 csid = task_sid(child);
1824                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1825         }
1826
1827         return current_has_perm(child, PROCESS__PTRACE);
1828 }
1829
1830 static int selinux_ptrace_traceme(struct task_struct *parent)
1831 {
1832         int rc;
1833
1834         rc = secondary_ops->ptrace_traceme(parent);
1835         if (rc)
1836                 return rc;
1837
1838         return task_has_perm(parent, current, PROCESS__PTRACE);
1839 }
1840
1841 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1842                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1843 {
1844         int error;
1845
1846         error = current_has_perm(target, PROCESS__GETCAP);
1847         if (error)
1848                 return error;
1849
1850         return secondary_ops->capget(target, effective, inheritable, permitted);
1851 }
1852
1853 static int selinux_capset(struct cred *new, const struct cred *old,
1854                           const kernel_cap_t *effective,
1855                           const kernel_cap_t *inheritable,
1856                           const kernel_cap_t *permitted)
1857 {
1858         int error;
1859
1860         error = secondary_ops->capset(new, old,
1861                                       effective, inheritable, permitted);
1862         if (error)
1863                 return error;
1864
1865         return cred_has_perm(old, new, PROCESS__SETCAP);
1866 }
1867
1868 static int selinux_capable(struct task_struct *tsk, int cap, int audit)
1869 {
1870         int rc;
1871
1872         rc = secondary_ops->capable(tsk, cap, audit);
1873         if (rc)
1874                 return rc;
1875
1876         return task_has_capability(tsk, cap, audit);
1877 }
1878
1879 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1880 {
1881         int buflen, rc;
1882         char *buffer, *path, *end;
1883
1884         rc = -ENOMEM;
1885         buffer = (char *)__get_free_page(GFP_KERNEL);
1886         if (!buffer)
1887                 goto out;
1888
1889         buflen = PAGE_SIZE;
1890         end = buffer+buflen;
1891         *--end = '\0';
1892         buflen--;
1893         path = end-1;
1894         *path = '/';
1895         while (table) {
1896                 const char *name = table->procname;
1897                 size_t namelen = strlen(name);
1898                 buflen -= namelen + 1;
1899                 if (buflen < 0)
1900                         goto out_free;
1901                 end -= namelen;
1902                 memcpy(end, name, namelen);
1903                 *--end = '/';
1904                 path = end;
1905                 table = table->parent;
1906         }
1907         buflen -= 4;
1908         if (buflen < 0)
1909                 goto out_free;
1910         end -= 4;
1911         memcpy(end, "/sys", 4);
1912         path = end;
1913         rc = security_genfs_sid("proc", path, tclass, sid);
1914 out_free:
1915         free_page((unsigned long)buffer);
1916 out:
1917         return rc;
1918 }
1919
1920 static int selinux_sysctl(ctl_table *table, int op)
1921 {
1922         int error = 0;
1923         u32 av;
1924         u32 tsid, sid;
1925         int rc;
1926
1927         rc = secondary_ops->sysctl(table, op);
1928         if (rc)
1929                 return rc;
1930
1931         sid = current_sid();
1932
1933         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1934                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1935         if (rc) {
1936                 /* Default to the well-defined sysctl SID. */
1937                 tsid = SECINITSID_SYSCTL;
1938         }
1939
1940         /* The op values are "defined" in sysctl.c, thereby creating
1941          * a bad coupling between this module and sysctl.c */
1942         if (op == 001) {
1943                 error = avc_has_perm(sid, tsid,
1944                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1945         } else {
1946                 av = 0;
1947                 if (op & 004)
1948                         av |= FILE__READ;
1949                 if (op & 002)
1950                         av |= FILE__WRITE;
1951                 if (av)
1952                         error = avc_has_perm(sid, tsid,
1953                                              SECCLASS_FILE, av, NULL);
1954         }
1955
1956         return error;
1957 }
1958
1959 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1960 {
1961         const struct cred *cred = current_cred();
1962         int rc = 0;
1963
1964         if (!sb)
1965                 return 0;
1966
1967         switch (cmds) {
1968         case Q_SYNC:
1969         case Q_QUOTAON:
1970         case Q_QUOTAOFF:
1971         case Q_SETINFO:
1972         case Q_SETQUOTA:
1973                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1974                 break;
1975         case Q_GETFMT:
1976         case Q_GETINFO:
1977         case Q_GETQUOTA:
1978                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1979                 break;
1980         default:
1981                 rc = 0;  /* let the kernel handle invalid cmds */
1982                 break;
1983         }
1984         return rc;
1985 }
1986
1987 static int selinux_quota_on(struct dentry *dentry)
1988 {
1989         const struct cred *cred = current_cred();
1990
1991         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
1992 }
1993
1994 static int selinux_syslog(int type)
1995 {
1996         int rc;
1997
1998         rc = secondary_ops->syslog(type);
1999         if (rc)
2000                 return rc;
2001
2002         switch (type) {
2003         case 3:         /* Read last kernel messages */
2004         case 10:        /* Return size of the log buffer */
2005                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2006                 break;
2007         case 6:         /* Disable logging to console */
2008         case 7:         /* Enable logging to console */
2009         case 8:         /* Set level of messages printed to console */
2010                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2011                 break;
2012         case 0:         /* Close log */
2013         case 1:         /* Open log */
2014         case 2:         /* Read from log */
2015         case 4:         /* Read/clear last kernel messages */
2016         case 5:         /* Clear ring buffer */
2017         default:
2018                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2019                 break;
2020         }
2021         return rc;
2022 }
2023
2024 /*
2025  * Check that a process has enough memory to allocate a new virtual
2026  * mapping. 0 means there is enough memory for the allocation to
2027  * succeed and -ENOMEM implies there is not.
2028  *
2029  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2030  * if the capability is granted, but __vm_enough_memory requires 1 if
2031  * the capability is granted.
2032  *
2033  * Do not audit the selinux permission check, as this is applied to all
2034  * processes that allocate mappings.
2035  */
2036 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2037 {
2038         int rc, cap_sys_admin = 0;
2039
2040         rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2041         if (rc == 0)
2042                 cap_sys_admin = 1;
2043
2044         return __vm_enough_memory(mm, pages, cap_sys_admin);
2045 }
2046
2047 /* binprm security operations */
2048
2049 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2050 {
2051         const struct task_security_struct *old_tsec;
2052         struct task_security_struct *new_tsec;
2053         struct inode_security_struct *isec;
2054         struct avc_audit_data ad;
2055         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2056         int rc;
2057
2058         rc = secondary_ops->bprm_set_creds(bprm);
2059         if (rc)
2060                 return rc;
2061
2062         /* SELinux context only depends on initial program or script and not
2063          * the script interpreter */
2064         if (bprm->cred_prepared)
2065                 return 0;
2066
2067         old_tsec = current_security();
2068         new_tsec = bprm->cred->security;
2069         isec = inode->i_security;
2070
2071         /* Default to the current task SID. */
2072         new_tsec->sid = old_tsec->sid;
2073         new_tsec->osid = old_tsec->sid;
2074
2075         /* Reset fs, key, and sock SIDs on execve. */
2076         new_tsec->create_sid = 0;
2077         new_tsec->keycreate_sid = 0;
2078         new_tsec->sockcreate_sid = 0;
2079
2080         if (old_tsec->exec_sid) {
2081                 new_tsec->sid = old_tsec->exec_sid;
2082                 /* Reset exec SID on execve. */
2083                 new_tsec->exec_sid = 0;
2084         } else {
2085                 /* Check for a default transition on this program. */
2086                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2087                                              SECCLASS_PROCESS, &new_tsec->sid);
2088                 if (rc)
2089                         return rc;
2090         }
2091
2092         AVC_AUDIT_DATA_INIT(&ad, FS);
2093         ad.u.fs.path = bprm->file->f_path;
2094
2095         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2096                 new_tsec->sid = old_tsec->sid;
2097
2098         if (new_tsec->sid == old_tsec->sid) {
2099                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2100                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2101                 if (rc)
2102                         return rc;
2103         } else {
2104                 /* Check permissions for the transition. */
2105                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2106                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2107                 if (rc)
2108                         return rc;
2109
2110                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2111                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2112                 if (rc)
2113                         return rc;
2114
2115                 /* Check for shared state */
2116                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2117                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2118                                           SECCLASS_PROCESS, PROCESS__SHARE,
2119                                           NULL);
2120                         if (rc)
2121                                 return -EPERM;
2122                 }
2123
2124                 /* Make sure that anyone attempting to ptrace over a task that
2125                  * changes its SID has the appropriate permit */
2126                 if (bprm->unsafe &
2127                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2128                         struct task_struct *tracer;
2129                         struct task_security_struct *sec;
2130                         u32 ptsid = 0;
2131
2132                         rcu_read_lock();
2133                         tracer = tracehook_tracer_task(current);
2134                         if (likely(tracer != NULL)) {
2135                                 sec = __task_cred(tracer)->security;
2136                                 ptsid = sec->sid;
2137                         }
2138                         rcu_read_unlock();
2139
2140                         if (ptsid != 0) {
2141                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2142                                                   SECCLASS_PROCESS,
2143                                                   PROCESS__PTRACE, NULL);
2144                                 if (rc)
2145                                         return -EPERM;
2146                         }
2147                 }
2148
2149                 /* Clear any possibly unsafe personality bits on exec: */
2150                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2151         }
2152
2153         return 0;
2154 }
2155
2156 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2157 {
2158         return secondary_ops->bprm_check_security(bprm);
2159 }
2160
2161 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2162 {
2163         const struct cred *cred = current_cred();
2164         const struct task_security_struct *tsec = cred->security;
2165         u32 sid, osid;
2166         int atsecure = 0;
2167
2168         sid = tsec->sid;
2169         osid = tsec->osid;
2170
2171         if (osid != sid) {
2172                 /* Enable secure mode for SIDs transitions unless
2173                    the noatsecure permission is granted between
2174                    the two SIDs, i.e. ahp returns 0. */
2175                 atsecure = avc_has_perm(osid, sid,
2176                                         SECCLASS_PROCESS,
2177                                         PROCESS__NOATSECURE, NULL);
2178         }
2179
2180         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2181 }
2182
2183 extern struct vfsmount *selinuxfs_mount;
2184 extern struct dentry *selinux_null;
2185
2186 /* Derived from fs/exec.c:flush_old_files. */
2187 static inline void flush_unauthorized_files(const struct cred *cred,
2188                                             struct files_struct *files)
2189 {
2190         struct avc_audit_data ad;
2191         struct file *file, *devnull = NULL;
2192         struct tty_struct *tty;
2193         struct fdtable *fdt;
2194         long j = -1;
2195         int drop_tty = 0;
2196
2197         tty = get_current_tty();
2198         if (tty) {
2199                 file_list_lock();
2200                 if (!list_empty(&tty->tty_files)) {
2201                         struct inode *inode;
2202
2203                         /* Revalidate access to controlling tty.
2204                            Use inode_has_perm on the tty inode directly rather
2205                            than using file_has_perm, as this particular open
2206                            file may belong to another process and we are only
2207                            interested in the inode-based check here. */
2208                         file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2209                         inode = file->f_path.dentry->d_inode;
2210                         if (inode_has_perm(cred, inode,
2211                                            FILE__READ | FILE__WRITE, NULL)) {
2212                                 drop_tty = 1;
2213                         }
2214                 }
2215                 file_list_unlock();
2216                 tty_kref_put(tty);
2217         }
2218         /* Reset controlling tty. */
2219         if (drop_tty)
2220                 no_tty();
2221
2222         /* Revalidate access to inherited open files. */
2223
2224         AVC_AUDIT_DATA_INIT(&ad, FS);
2225
2226         spin_lock(&files->file_lock);
2227         for (;;) {
2228                 unsigned long set, i;
2229                 int fd;
2230
2231                 j++;
2232                 i = j * __NFDBITS;
2233                 fdt = files_fdtable(files);
2234                 if (i >= fdt->max_fds)
2235                         break;
2236                 set = fdt->open_fds->fds_bits[j];
2237                 if (!set)
2238                         continue;
2239                 spin_unlock(&files->file_lock);
2240                 for ( ; set ; i++, set >>= 1) {
2241                         if (set & 1) {
2242                                 file = fget(i);
2243                                 if (!file)
2244                                         continue;
2245                                 if (file_has_perm(cred,
2246                                                   file,
2247                                                   file_to_av(file))) {
2248                                         sys_close(i);
2249                                         fd = get_unused_fd();
2250                                         if (fd != i) {
2251                                                 if (fd >= 0)
2252                                                         put_unused_fd(fd);
2253                                                 fput(file);
2254                                                 continue;
2255                                         }
2256                                         if (devnull) {
2257                                                 get_file(devnull);
2258                                         } else {
2259                                                 devnull = dentry_open(
2260                                                         dget(selinux_null),
2261                                                         mntget(selinuxfs_mount),
2262                                                         O_RDWR, cred);
2263                                                 if (IS_ERR(devnull)) {
2264                                                         devnull = NULL;
2265                                                         put_unused_fd(fd);
2266                                                         fput(file);
2267                                                         continue;
2268                                                 }
2269                                         }
2270                                         fd_install(fd, devnull);
2271                                 }
2272                                 fput(file);
2273                         }
2274                 }
2275                 spin_lock(&files->file_lock);
2276
2277         }
2278         spin_unlock(&files->file_lock);
2279 }
2280
2281 /*
2282  * Prepare a process for imminent new credential changes due to exec
2283  */
2284 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2285 {
2286         struct task_security_struct *new_tsec;
2287         struct rlimit *rlim, *initrlim;
2288         int rc, i;
2289
2290         secondary_ops->bprm_committing_creds(bprm);
2291
2292         new_tsec = bprm->cred->security;
2293         if (new_tsec->sid == new_tsec->osid)
2294                 return;
2295
2296         /* Close files for which the new task SID is not authorized. */
2297         flush_unauthorized_files(bprm->cred, current->files);
2298
2299         /* Always clear parent death signal on SID transitions. */
2300         current->pdeath_signal = 0;
2301
2302         /* Check whether the new SID can inherit resource limits from the old
2303          * SID.  If not, reset all soft limits to the lower of the current
2304          * task's hard limit and the init task's soft limit.
2305          *
2306          * Note that the setting of hard limits (even to lower them) can be
2307          * controlled by the setrlimit check.  The inclusion of the init task's
2308          * soft limit into the computation is to avoid resetting soft limits
2309          * higher than the default soft limit for cases where the default is
2310          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2311          */
2312         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2313                           PROCESS__RLIMITINH, NULL);
2314         if (rc) {
2315                 for (i = 0; i < RLIM_NLIMITS; i++) {
2316                         rlim = current->signal->rlim + i;
2317                         initrlim = init_task.signal->rlim + i;
2318                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2319                 }
2320                 update_rlimit_cpu(rlim->rlim_cur);
2321         }
2322 }
2323
2324 /*
2325  * Clean up the process immediately after the installation of new credentials
2326  * due to exec
2327  */
2328 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2329 {
2330         const struct task_security_struct *tsec = current_security();
2331         struct itimerval itimer;
2332         struct sighand_struct *psig;
2333         u32 osid, sid;
2334         int rc, i;
2335         unsigned long flags;
2336
2337         secondary_ops->bprm_committed_creds(bprm);
2338
2339         osid = tsec->osid;
2340         sid = tsec->sid;
2341
2342         if (sid == osid)
2343                 return;
2344
2345         /* Check whether the new SID can inherit signal state from the old SID.
2346          * If not, clear itimers to avoid subsequent signal generation and
2347          * flush and unblock signals.
2348          *
2349          * This must occur _after_ the task SID has been updated so that any
2350          * kill done after the flush will be checked against the new SID.
2351          */
2352         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2353         if (rc) {
2354                 memset(&itimer, 0, sizeof itimer);
2355                 for (i = 0; i < 3; i++)
2356                         do_setitimer(i, &itimer, NULL);
2357                 flush_signals(current);
2358                 spin_lock_irq(&current->sighand->siglock);
2359                 flush_signal_handlers(current, 1);
2360                 sigemptyset(&current->blocked);
2361                 recalc_sigpending();
2362                 spin_unlock_irq(&current->sighand->siglock);
2363         }
2364
2365         /* Wake up the parent if it is waiting so that it can recheck
2366          * wait permission to the new task SID. */
2367         read_lock_irq(&tasklist_lock);
2368         psig = current->parent->sighand;
2369         spin_lock_irqsave(&psig->siglock, flags);
2370         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2371         spin_unlock_irqrestore(&psig->siglock, flags);
2372         read_unlock_irq(&tasklist_lock);
2373 }
2374
2375 /* superblock security operations */
2376
2377 static int selinux_sb_alloc_security(struct super_block *sb)
2378 {
2379         return superblock_alloc_security(sb);
2380 }
2381
2382 static void selinux_sb_free_security(struct super_block *sb)
2383 {
2384         superblock_free_security(sb);
2385 }
2386
2387 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2388 {
2389         if (plen > olen)
2390                 return 0;
2391
2392         return !memcmp(prefix, option, plen);
2393 }
2394
2395 static inline int selinux_option(char *option, int len)
2396 {
2397         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2398                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2399                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2400                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2401 }
2402
2403 static inline void take_option(char **to, char *from, int *first, int len)
2404 {
2405         if (!*first) {
2406                 **to = ',';
2407                 *to += 1;
2408         } else
2409                 *first = 0;
2410         memcpy(*to, from, len);
2411         *to += len;
2412 }
2413
2414 static inline void take_selinux_option(char **to, char *from, int *first,
2415                                        int len)
2416 {
2417         int current_size = 0;
2418
2419         if (!*first) {
2420                 **to = '|';
2421                 *to += 1;
2422         } else
2423                 *first = 0;
2424
2425         while (current_size < len) {
2426                 if (*from != '"') {
2427                         **to = *from;
2428                         *to += 1;
2429                 }
2430                 from += 1;
2431                 current_size += 1;
2432         }
2433 }
2434
2435 static int selinux_sb_copy_data(char *orig, char *copy)
2436 {
2437         int fnosec, fsec, rc = 0;
2438         char *in_save, *in_curr, *in_end;
2439         char *sec_curr, *nosec_save, *nosec;
2440         int open_quote = 0;
2441
2442         in_curr = orig;
2443         sec_curr = copy;
2444
2445         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2446         if (!nosec) {
2447                 rc = -ENOMEM;
2448                 goto out;
2449         }
2450
2451         nosec_save = nosec;
2452         fnosec = fsec = 1;
2453         in_save = in_end = orig;
2454
2455         do {
2456                 if (*in_end == '"')
2457                         open_quote = !open_quote;
2458                 if ((*in_end == ',' && open_quote == 0) ||
2459                                 *in_end == '\0') {
2460                         int len = in_end - in_curr;
2461
2462                         if (selinux_option(in_curr, len))
2463                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2464                         else
2465                                 take_option(&nosec, in_curr, &fnosec, len);
2466
2467                         in_curr = in_end + 1;
2468                 }
2469         } while (*in_end++);
2470
2471         strcpy(in_save, nosec_save);
2472         free_page((unsigned long)nosec_save);
2473 out:
2474         return rc;
2475 }
2476
2477 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2478 {
2479         const struct cred *cred = current_cred();
2480         struct avc_audit_data ad;
2481         int rc;
2482
2483         rc = superblock_doinit(sb, data);
2484         if (rc)
2485                 return rc;
2486
2487         /* Allow all mounts performed by the kernel */
2488         if (flags & MS_KERNMOUNT)
2489                 return 0;
2490
2491         AVC_AUDIT_DATA_INIT(&ad, FS);
2492         ad.u.fs.path.dentry = sb->s_root;
2493         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2494 }
2495
2496 static int selinux_sb_statfs(struct dentry *dentry)
2497 {
2498         const struct cred *cred = current_cred();
2499         struct avc_audit_data ad;
2500
2501         AVC_AUDIT_DATA_INIT(&ad, FS);
2502         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2503         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2504 }
2505
2506 static int selinux_mount(char *dev_name,
2507                          struct path *path,
2508                          char *type,
2509                          unsigned long flags,
2510                          void *data)
2511 {
2512         const struct cred *cred = current_cred();
2513         int rc;
2514
2515         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2516         if (rc)
2517                 return rc;
2518
2519         if (flags & MS_REMOUNT)
2520                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2521                                            FILESYSTEM__REMOUNT, NULL);
2522         else
2523                 return dentry_has_perm(cred, path->mnt, path->dentry,
2524                                        FILE__MOUNTON);
2525 }
2526
2527 static int selinux_umount(struct vfsmount *mnt, int flags)
2528 {
2529         const struct cred *cred = current_cred();
2530         int rc;
2531
2532         rc = secondary_ops->sb_umount(mnt, flags);
2533         if (rc)
2534                 return rc;
2535
2536         return superblock_has_perm(cred, mnt->mnt_sb,
2537                                    FILESYSTEM__UNMOUNT, NULL);
2538 }
2539
2540 /* inode security operations */
2541
2542 static int selinux_inode_alloc_security(struct inode *inode)
2543 {
2544         return inode_alloc_security(inode);
2545 }
2546
2547 static void selinux_inode_free_security(struct inode *inode)
2548 {
2549         inode_free_security(inode);
2550 }
2551
2552 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2553                                        char **name, void **value,
2554                                        size_t *len)
2555 {
2556         const struct cred *cred = current_cred();
2557         const struct task_security_struct *tsec = cred->security;
2558         struct inode_security_struct *dsec;
2559         struct superblock_security_struct *sbsec;
2560         u32 sid, newsid, clen;
2561         int rc;
2562         char *namep = NULL, *context;
2563
2564         dsec = dir->i_security;
2565         sbsec = dir->i_sb->s_security;
2566
2567         sid = tsec->sid;
2568         newsid = tsec->create_sid;
2569
2570         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2571                 rc = security_transition_sid(sid, dsec->sid,
2572                                              inode_mode_to_security_class(inode->i_mode),
2573                                              &newsid);
2574                 if (rc) {
2575                         printk(KERN_WARNING "%s:  "
2576                                "security_transition_sid failed, rc=%d (dev=%s "
2577                                "ino=%ld)\n",
2578                                __func__,
2579                                -rc, inode->i_sb->s_id, inode->i_ino);
2580                         return rc;
2581                 }
2582         }
2583
2584         /* Possibly defer initialization to selinux_complete_init. */
2585         if (sbsec->initialized) {
2586                 struct inode_security_struct *isec = inode->i_security;
2587                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2588                 isec->sid = newsid;
2589                 isec->initialized = 1;
2590         }
2591
2592         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2593                 return -EOPNOTSUPP;
2594
2595         if (name) {
2596                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2597                 if (!namep)
2598                         return -ENOMEM;
2599                 *name = namep;
2600         }
2601
2602         if (value && len) {
2603                 rc = security_sid_to_context_force(newsid, &context, &clen);
2604                 if (rc) {
2605                         kfree(namep);
2606                         return rc;
2607                 }
2608                 *value = context;
2609                 *len = clen;
2610         }
2611
2612         return 0;
2613 }
2614
2615 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2616 {
2617         return may_create(dir, dentry, SECCLASS_FILE);
2618 }
2619
2620 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2621 {
2622         int rc;
2623
2624         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2625         if (rc)
2626                 return rc;
2627         return may_link(dir, old_dentry, MAY_LINK);
2628 }
2629
2630 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2631 {
2632         int rc;
2633
2634         rc = secondary_ops->inode_unlink(dir, dentry);
2635         if (rc)
2636                 return rc;
2637         return may_link(dir, dentry, MAY_UNLINK);
2638 }
2639
2640 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2641 {
2642         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2643 }
2644
2645 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2646 {
2647         return may_create(dir, dentry, SECCLASS_DIR);
2648 }
2649
2650 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2651 {
2652         return may_link(dir, dentry, MAY_RMDIR);
2653 }
2654
2655 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2656 {
2657         int rc;
2658
2659         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2660         if (rc)
2661                 return rc;
2662
2663         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2664 }
2665
2666 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2667                                 struct inode *new_inode, struct dentry *new_dentry)
2668 {
2669         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2670 }
2671
2672 static int selinux_inode_readlink(struct dentry *dentry)
2673 {
2674         const struct cred *cred = current_cred();
2675
2676         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2677 }
2678
2679 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2680 {
2681         const struct cred *cred = current_cred();
2682         int rc;
2683
2684         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2685         if (rc)
2686                 return rc;
2687         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2688 }
2689
2690 static int selinux_inode_permission(struct inode *inode, int mask)
2691 {
2692         const struct cred *cred = current_cred();
2693         int rc;
2694
2695         rc = secondary_ops->inode_permission(inode, mask);
2696         if (rc)
2697                 return rc;
2698
2699         if (!mask) {
2700                 /* No permission to check.  Existence test. */
2701                 return 0;
2702         }
2703
2704         return inode_has_perm(cred, inode,
2705                               file_mask_to_av(inode->i_mode, mask), NULL);
2706 }
2707
2708 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2709 {
2710         const struct cred *cred = current_cred();
2711         int rc;
2712
2713         rc = secondary_ops->inode_setattr(dentry, iattr);
2714         if (rc)
2715                 return rc;
2716
2717         if (iattr->ia_valid & ATTR_FORCE)
2718                 return 0;
2719
2720         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2721                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2722                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2723
2724         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2725 }
2726
2727 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2728 {
2729         const struct cred *cred = current_cred();
2730
2731         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2732 }
2733
2734 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2735 {
2736         const struct cred *cred = current_cred();
2737
2738         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2739                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2740                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2741                         if (!capable(CAP_SETFCAP))
2742                                 return -EPERM;
2743                 } else if (!capable(CAP_SYS_ADMIN)) {
2744                         /* A different attribute in the security namespace.
2745                            Restrict to administrator. */
2746                         return -EPERM;
2747                 }
2748         }
2749
2750         /* Not an attribute we recognize, so just check the
2751            ordinary setattr permission. */
2752         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2753 }
2754
2755 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2756                                   const void *value, size_t size, int flags)
2757 {
2758         struct inode *inode = dentry->d_inode;
2759         struct inode_security_struct *isec = inode->i_security;
2760         struct superblock_security_struct *sbsec;
2761         struct avc_audit_data ad;
2762         u32 newsid, sid = current_sid();
2763         int rc = 0;
2764
2765         if (strcmp(name, XATTR_NAME_SELINUX))
2766                 return selinux_inode_setotherxattr(dentry, name);
2767
2768         sbsec = inode->i_sb->s_security;
2769         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2770                 return -EOPNOTSUPP;
2771
2772         if (!is_owner_or_cap(inode))
2773                 return -EPERM;
2774
2775         AVC_AUDIT_DATA_INIT(&ad, FS);
2776         ad.u.fs.path.dentry = dentry;
2777
2778         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2779                           FILE__RELABELFROM, &ad);
2780         if (rc)
2781                 return rc;
2782
2783         rc = security_context_to_sid(value, size, &newsid);
2784         if (rc == -EINVAL) {
2785                 if (!capable(CAP_MAC_ADMIN))
2786                         return rc;
2787                 rc = security_context_to_sid_force(value, size, &newsid);
2788         }
2789         if (rc)
2790                 return rc;
2791
2792         rc = avc_has_perm(sid, newsid, isec->sclass,
2793                           FILE__RELABELTO, &ad);
2794         if (rc)
2795                 return rc;
2796
2797         rc = security_validate_transition(isec->sid, newsid, sid,
2798                                           isec->sclass);
2799         if (rc)
2800                 return rc;
2801
2802         return avc_has_perm(newsid,
2803                             sbsec->sid,
2804                             SECCLASS_FILESYSTEM,
2805                             FILESYSTEM__ASSOCIATE,
2806                             &ad);
2807 }
2808
2809 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2810                                         const void *value, size_t size,
2811                                         int flags)
2812 {
2813         struct inode *inode = dentry->d_inode;
2814         struct inode_security_struct *isec = inode->i_security;
2815         u32 newsid;
2816         int rc;
2817
2818         if (strcmp(name, XATTR_NAME_SELINUX)) {
2819                 /* Not an attribute we recognize, so nothing to do. */
2820                 return;
2821         }
2822
2823         rc = security_context_to_sid_force(value, size, &newsid);
2824         if (rc) {
2825                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2826                        "for (%s, %lu), rc=%d\n",
2827                        inode->i_sb->s_id, inode->i_ino, -rc);
2828                 return;
2829         }
2830
2831         isec->sid = newsid;
2832         return;
2833 }
2834
2835 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2836 {
2837         const struct cred *cred = current_cred();
2838
2839         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2840 }
2841
2842 static int selinux_inode_listxattr(struct dentry *dentry)
2843 {
2844         const struct cred *cred = current_cred();
2845
2846         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2847 }
2848
2849 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2850 {
2851         if (strcmp(name, XATTR_NAME_SELINUX))
2852                 return selinux_inode_setotherxattr(dentry, name);
2853
2854         /* No one is allowed to remove a SELinux security label.
2855            You can change the label, but all data must be labeled. */
2856         return -EACCES;
2857 }
2858
2859 /*
2860  * Copy the inode security context value to the user.
2861  *
2862  * Permission check is handled by selinux_inode_getxattr hook.
2863  */
2864 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2865 {
2866         u32 size;
2867         int error;
2868         char *context = NULL;
2869         struct inode_security_struct *isec = inode->i_security;
2870
2871         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2872                 return -EOPNOTSUPP;
2873
2874         /*
2875          * If the caller has CAP_MAC_ADMIN, then get the raw context
2876          * value even if it is not defined by current policy; otherwise,
2877          * use the in-core value under current policy.
2878          * Use the non-auditing forms of the permission checks since
2879          * getxattr may be called by unprivileged processes commonly
2880          * and lack of permission just means that we fall back to the
2881          * in-core context value, not a denial.
2882          */
2883         error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2884         if (!error)
2885                 error = security_sid_to_context_force(isec->sid, &context,
2886                                                       &size);
2887         else
2888                 error = security_sid_to_context(isec->sid, &context, &size);
2889         if (error)
2890                 return error;
2891         error = size;
2892         if (alloc) {
2893                 *buffer = context;
2894                 goto out_nofree;
2895         }
2896         kfree(context);
2897 out_nofree:
2898         return error;
2899 }
2900
2901 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2902                                      const void *value, size_t size, int flags)
2903 {
2904         struct inode_security_struct *isec = inode->i_security;
2905         u32 newsid;
2906         int rc;
2907
2908         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2909                 return -EOPNOTSUPP;
2910
2911         if (!value || !size)
2912                 return -EACCES;
2913
2914         rc = security_context_to_sid((void *)value, size, &newsid);
2915         if (rc)
2916                 return rc;
2917
2918         isec->sid = newsid;
2919         return 0;
2920 }
2921
2922 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2923 {
2924         const int len = sizeof(XATTR_NAME_SELINUX);
2925         if (buffer && len <= buffer_size)
2926                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2927         return len;
2928 }
2929
2930 static int selinux_inode_need_killpriv(struct dentry *dentry)
2931 {
2932         return secondary_ops->inode_need_killpriv(dentry);
2933 }
2934
2935 static int selinux_inode_killpriv(struct dentry *dentry)
2936 {
2937         return secondary_ops->inode_killpriv(dentry);
2938 }
2939
2940 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2941 {
2942         struct inode_security_struct *isec = inode->i_security;
2943         *secid = isec->sid;
2944 }
2945
2946 /* file security operations */
2947
2948 static int selinux_revalidate_file_permission(struct file *file, int mask)
2949 {
2950         const struct cred *cred = current_cred();
2951         int rc;
2952         struct inode *inode = file->f_path.dentry->d_inode;
2953
2954         if (!mask) {
2955                 /* No permission to check.  Existence test. */
2956                 return 0;
2957         }
2958
2959         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2960         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2961                 mask |= MAY_APPEND;
2962
2963         rc = file_has_perm(cred, file,
2964                            file_mask_to_av(inode->i_mode, mask));
2965         if (rc)
2966                 return rc;
2967
2968         return selinux_netlbl_inode_permission(inode, mask);
2969 }
2970
2971 static int selinux_file_permission(struct file *file, int mask)
2972 {
2973         struct inode *inode = file->f_path.dentry->d_inode;
2974         struct file_security_struct *fsec = file->f_security;
2975         struct inode_security_struct *isec = inode->i_security;
2976         u32 sid = current_sid();
2977
2978         if (!mask) {
2979                 /* No permission to check.  Existence test. */
2980                 return 0;
2981         }
2982
2983         if (sid == fsec->sid && fsec->isid == isec->sid
2984             && fsec->pseqno == avc_policy_seqno())
2985                 return selinux_netlbl_inode_permission(inode, mask);
2986
2987         return selinux_revalidate_file_permission(file, mask);
2988 }
2989
2990 static int selinux_file_alloc_security(struct file *file)
2991 {
2992         return file_alloc_security(file);
2993 }
2994
2995 static void selinux_file_free_security(struct file *file)
2996 {
2997         file_free_security(file);
2998 }
2999
3000 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3001                               unsigned long arg)
3002 {
3003         const struct cred *cred = current_cred();
3004         u32 av = 0;
3005
3006         if (_IOC_DIR(cmd) & _IOC_WRITE)
3007                 av |= FILE__WRITE;
3008         if (_IOC_DIR(cmd) & _IOC_READ)
3009                 av |= FILE__READ;
3010         if (!av)
3011                 av = FILE__IOCTL;
3012
3013         return file_has_perm(cred, file, av);
3014 }
3015
3016 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3017 {
3018         const struct cred *cred = current_cred();
3019         int rc = 0;
3020
3021 #ifndef CONFIG_PPC32
3022         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3023                 /*
3024                  * We are making executable an anonymous mapping or a
3025                  * private file mapping that will also be writable.
3026                  * This has an additional check.
3027                  */
3028                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3029                 if (rc)
3030                         goto error;
3031         }
3032 #endif
3033
3034         if (file) {
3035                 /* read access is always possible with a mapping */
3036                 u32 av = FILE__READ;
3037
3038                 /* write access only matters if the mapping is shared */
3039                 if (shared && (prot & PROT_WRITE))
3040                         av |= FILE__WRITE;
3041
3042                 if (prot & PROT_EXEC)
3043                         av |= FILE__EXECUTE;
3044
3045                 return file_has_perm(cred, file, av);
3046         }
3047
3048 error:
3049         return rc;
3050 }
3051
3052 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3053                              unsigned long prot, unsigned long flags,
3054                              unsigned long addr, unsigned long addr_only)
3055 {
3056         int rc = 0;
3057         u32 sid = current_sid();
3058
3059         if (addr < mmap_min_addr)
3060                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3061                                   MEMPROTECT__MMAP_ZERO, NULL);
3062         if (rc || addr_only)
3063                 return rc;
3064
3065         if (selinux_checkreqprot)
3066                 prot = reqprot;
3067
3068         return file_map_prot_check(file, prot,
3069                                    (flags & MAP_TYPE) == MAP_SHARED);
3070 }
3071
3072 static int selinux_file_mprotect(struct vm_area_struct *vma,
3073                                  unsigned long reqprot,
3074                                  unsigned long prot)
3075 {
3076         const struct cred *cred = current_cred();
3077         int rc;
3078
3079         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3080         if (rc)
3081                 return rc;
3082
3083         if (selinux_checkreqprot)
3084                 prot = reqprot;
3085
3086 #ifndef CONFIG_PPC32
3087         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3088                 rc = 0;
3089                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3090                     vma->vm_end <= vma->vm_mm->brk) {
3091                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3092                 } else if (!vma->vm_file &&
3093                            vma->vm_start <= vma->vm_mm->start_stack &&
3094                            vma->vm_end >= vma->vm_mm->start_stack) {
3095                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3096                 } else if (vma->vm_file && vma->anon_vma) {
3097                         /*
3098                          * We are making executable a file mapping that has
3099                          * had some COW done. Since pages might have been
3100                          * written, check ability to execute the possibly
3101                          * modified content.  This typically should only
3102                          * occur for text relocations.
3103                          */
3104                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3105                 }
3106                 if (rc)
3107                         return rc;
3108         }
3109 #endif
3110
3111         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3112 }
3113
3114 static int selinux_file_lock(struct file *file, unsigned int cmd)
3115 {
3116         const struct cred *cred = current_cred();
3117
3118         return file_has_perm(cred, file, FILE__LOCK);
3119 }
3120
3121 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3122                               unsigned long arg)
3123 {
3124         const struct cred *cred = current_cred();
3125         int err = 0;
3126
3127         switch (cmd) {
3128         case F_SETFL:
3129                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3130                         err = -EINVAL;
3131                         break;
3132                 }
3133
3134                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3135                         err = file_has_perm(cred, file, FILE__WRITE);
3136                         break;
3137                 }
3138                 /* fall through */
3139         case F_SETOWN:
3140         case F_SETSIG:
3141         case F_GETFL:
3142         case F_GETOWN:
3143         case F_GETSIG:
3144                 /* Just check FD__USE permission */
3145                 err = file_has_perm(cred, file, 0);
3146                 break;
3147         case F_GETLK:
3148         case F_SETLK:
3149         case F_SETLKW:
3150 #if BITS_PER_LONG == 32
3151         case F_GETLK64:
3152         case F_SETLK64:
3153         case F_SETLKW64:
3154 #endif
3155                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3156                         err = -EINVAL;
3157                         break;
3158                 }
3159                 err = file_has_perm(cred, file, FILE__LOCK);
3160                 break;
3161         }
3162
3163         return err;
3164 }
3165
3166 static int selinux_file_set_fowner(struct file *file)
3167 {
3168         struct file_security_struct *fsec;
3169
3170         fsec = file->f_security;
3171         fsec->fown_sid = current_sid();
3172
3173         return 0;
3174 }
3175
3176 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3177                                        struct fown_struct *fown, int signum)
3178 {
3179         struct file *file;
3180         u32 sid = current_sid();
3181         u32 perm;
3182         struct file_security_struct *fsec;
3183
3184         /* struct fown_struct is never outside the context of a struct file */
3185         file = container_of(fown, struct file, f_owner);
3186
3187         fsec = file->f_security;
3188
3189         if (!signum)
3190                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3191         else
3192                 perm = signal_to_av(signum);
3193
3194         return avc_has_perm(fsec->fown_sid, sid,
3195                             SECCLASS_PROCESS, perm, NULL);
3196 }
3197
3198 static int selinux_file_receive(struct file *file)
3199 {
3200         const struct cred *cred = current_cred();
3201
3202         return file_has_perm(cred, file, file_to_av(file));
3203 }
3204
3205 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3206 {
3207         struct file_security_struct *fsec;
3208         struct inode *inode;
3209         struct inode_security_struct *isec;
3210
3211         inode = file->f_path.dentry->d_inode;
3212         fsec = file->f_security;
3213         isec = inode->i_security;
3214         /*
3215          * Save inode label and policy sequence number
3216          * at open-time so that selinux_file_permission
3217          * can determine whether revalidation is necessary.
3218          * Task label is already saved in the file security
3219          * struct as its SID.
3220          */
3221         fsec->isid = isec->sid;
3222         fsec->pseqno = avc_policy_seqno();
3223         /*
3224          * Since the inode label or policy seqno may have changed
3225          * between the selinux_inode_permission check and the saving
3226          * of state above, recheck that access is still permitted.
3227          * Otherwise, access might never be revalidated against the
3228          * new inode label or new policy.
3229          * This check is not redundant - do not remove.
3230          */
3231         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3232 }
3233
3234 /* task security operations */
3235
3236 static int selinux_task_create(unsigned long clone_flags)
3237 {
3238         int rc;
3239
3240         rc = secondary_ops->task_create(clone_flags);
3241         if (rc)
3242                 return rc;
3243
3244         return current_has_perm(current, PROCESS__FORK);
3245 }
3246
3247 /*
3248  * detach and free the LSM part of a set of credentials
3249  */
3250 static void selinux_cred_free(struct cred *cred)
3251 {
3252         struct task_security_struct *tsec = cred->security;
3253         cred->security = NULL;
3254         kfree(tsec);
3255 }
3256
3257 /*
3258  * prepare a new set of credentials for modification
3259  */
3260 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3261                                 gfp_t gfp)
3262 {
3263         const struct task_security_struct *old_tsec;
3264         struct task_security_struct *tsec;
3265
3266         old_tsec = old->security;
3267
3268         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3269         if (!tsec)
3270                 return -ENOMEM;
3271
3272         new->security = tsec;
3273         return 0;
3274 }
3275
3276 /*
3277  * commit new credentials
3278  */
3279 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3280 {
3281         secondary_ops->cred_commit(new, old);
3282 }
3283
3284 /*
3285  * set the security data for a kernel service
3286  * - all the creation contexts are set to unlabelled
3287  */
3288 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3289 {
3290         struct task_security_struct *tsec = new->security;
3291         u32 sid = current_sid();
3292         int ret;
3293
3294         ret = avc_has_perm(sid, secid,
3295                            SECCLASS_KERNEL_SERVICE,
3296                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3297                            NULL);
3298         if (ret == 0) {
3299                 tsec->sid = secid;
3300                 tsec->create_sid = 0;
3301                 tsec->keycreate_sid = 0;
3302                 tsec->sockcreate_sid = 0;
3303         }
3304         return ret;
3305 }
3306
3307 /*
3308  * set the file creation context in a security record to the same as the
3309  * objective context of the specified inode
3310  */
3311 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3312 {
3313         struct inode_security_struct *isec = inode->i_security;
3314         struct task_security_struct *tsec = new->security;
3315         u32 sid = current_sid();
3316         int ret;
3317
3318         ret = avc_has_perm(sid, isec->sid,
3319                            SECCLASS_KERNEL_SERVICE,
3320                            KERNEL_SERVICE__CREATE_FILES_AS,
3321                            NULL);
3322
3323         if (ret == 0)
3324                 tsec->create_sid = isec->sid;
3325         return 0;
3326 }
3327
3328 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3329 {
3330         /* Since setuid only affects the current process, and
3331            since the SELinux controls are not based on the Linux
3332            identity attributes, SELinux does not need to control
3333            this operation.  However, SELinux does control the use
3334            of the CAP_SETUID and CAP_SETGID capabilities using the
3335            capable hook. */
3336         return 0;
3337 }
3338
3339 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3340                                    int flags)
3341 {
3342         return secondary_ops->task_fix_setuid(new, old, flags);
3343 }
3344
3345 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3346 {
3347         /* See the comment for setuid above. */
3348         return 0;
3349 }
3350
3351 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3352 {
3353         return current_has_perm(p, PROCESS__SETPGID);
3354 }
3355
3356 static int selinux_task_getpgid(struct task_struct *p)
3357 {
3358         return current_has_perm(p, PROCESS__GETPGID);
3359 }
3360
3361 static int selinux_task_getsid(struct task_struct *p)
3362 {
3363         return current_has_perm(p, PROCESS__GETSESSION);
3364 }
3365
3366 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3367 {
3368         *secid = task_sid(p);
3369 }
3370
3371 static int selinux_task_setgroups(struct group_info *group_info)
3372 {
3373         /* See the comment for setuid above. */
3374         return 0;
3375 }
3376
3377 static int selinux_task_setnice(struct task_struct *p, int nice)
3378 {
3379         int rc;
3380
3381         rc = secondary_ops->task_setnice(p, nice);
3382         if (rc)
3383                 return rc;
3384
3385         return current_has_perm(p, PROCESS__SETSCHED);
3386 }
3387
3388 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3389 {
3390         int rc;
3391
3392         rc = secondary_ops->task_setioprio(p, ioprio);
3393         if (rc)
3394                 return rc;
3395
3396         return current_has_perm(p, PROCESS__SETSCHED);
3397 }
3398
3399 static int selinux_task_getioprio(struct task_struct *p)
3400 {
3401         return current_has_perm(p, PROCESS__GETSCHED);
3402 }
3403
3404 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3405 {
3406         struct rlimit *old_rlim = current->signal->rlim + resource;
3407         int rc;
3408
3409         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3410         if (rc)
3411                 return rc;
3412
3413         /* Control the ability to change the hard limit (whether
3414            lowering or raising it), so that the hard limit can
3415            later be used as a safe reset point for the soft limit
3416            upon context transitions.  See selinux_bprm_committing_creds. */
3417         if (old_rlim->rlim_max != new_rlim->rlim_max)
3418                 return current_has_perm(current, PROCESS__SETRLIMIT);
3419
3420         return 0;
3421 }
3422
3423 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3424 {
3425         int rc;
3426
3427         rc = secondary_ops->task_setscheduler(p, policy, lp);
3428         if (rc)
3429                 return rc;
3430
3431         return current_has_perm(p, PROCESS__SETSCHED);
3432 }
3433
3434 static int selinux_task_getscheduler(struct task_struct *p)
3435 {
3436         return current_has_perm(p, PROCESS__GETSCHED);
3437 }
3438
3439 static int selinux_task_movememory(struct task_struct *p)
3440 {
3441         return current_has_perm(p, PROCESS__SETSCHED);
3442 }
3443
3444 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3445                                 int sig, u32 secid)
3446 {
3447         u32 perm;
3448         int rc;
3449
3450         rc = secondary_ops->task_kill(p, info, sig, secid);
3451         if (rc)
3452                 return rc;
3453
3454         if (!sig)
3455                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3456         else
3457                 perm = signal_to_av(sig);
3458         if (secid)
3459                 rc = avc_has_perm(secid, task_sid(p),
3460                                   SECCLASS_PROCESS, perm, NULL);
3461         else
3462                 rc = current_has_perm(p, perm);
3463         return rc;
3464 }
3465
3466 static int selinux_task_prctl(int option,
3467                               unsigned long arg2,
3468                               unsigned long arg3,
3469                               unsigned long arg4,
3470                               unsigned long arg5)
3471 {
3472         /* The current prctl operations do not appear to require
3473            any SELinux controls since they merely observe or modify
3474            the state of the current process. */
3475         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3476 }
3477
3478 static int selinux_task_wait(struct task_struct *p)
3479 {
3480         return task_has_perm(p, current, PROCESS__SIGCHLD);
3481 }
3482
3483 static void selinux_task_to_inode(struct task_struct *p,
3484                                   struct inode *inode)
3485 {
3486         struct inode_security_struct *isec = inode->i_security;
3487         u32 sid = task_sid(p);
3488
3489         isec->sid = sid;
3490         isec->initialized = 1;
3491 }
3492
3493 /* Returns error only if unable to parse addresses */
3494 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3495                         struct avc_audit_data *ad, u8 *proto)
3496 {
3497         int offset, ihlen, ret = -EINVAL;
3498         struct iphdr _iph, *ih;
3499
3500         offset = skb_network_offset(skb);
3501         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3502         if (ih == NULL)
3503                 goto out;
3504
3505         ihlen = ih->ihl * 4;
3506         if (ihlen < sizeof(_iph))
3507                 goto out;
3508
3509         ad->u.net.v4info.saddr = ih->saddr;
3510         ad->u.net.v4info.daddr = ih->daddr;
3511         ret = 0;
3512
3513         if (proto)
3514                 *proto = ih->protocol;
3515
3516         switch (ih->protocol) {
3517         case IPPROTO_TCP: {
3518                 struct tcphdr _tcph, *th;
3519
3520                 if (ntohs(ih->frag_off) & IP_OFFSET)
3521                         break;
3522
3523                 offset += ihlen;
3524                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3525                 if (th == NULL)
3526                         break;
3527
3528                 ad->u.net.sport = th->source;
3529                 ad->u.net.dport = th->dest;
3530                 break;
3531         }
3532
3533         case IPPROTO_UDP: {
3534                 struct udphdr _udph, *uh;
3535
3536                 if (ntohs(ih->frag_off) & IP_OFFSET)
3537                         break;
3538
3539                 offset += ihlen;
3540                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3541                 if (uh == NULL)
3542                         break;
3543
3544                 ad->u.net.sport = uh->source;
3545                 ad->u.net.dport = uh->dest;
3546                 break;
3547         }
3548
3549         case IPPROTO_DCCP: {
3550                 struct dccp_hdr _dccph, *dh;
3551
3552                 if (ntohs(ih->frag_off) & IP_OFFSET)
3553                         break;
3554
3555                 offset += ihlen;
3556                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3557                 if (dh == NULL)
3558                         break;
3559
3560                 ad->u.net.sport = dh->dccph_sport;
3561                 ad->u.net.dport = dh->dccph_dport;
3562                 break;
3563         }
3564
3565         default:
3566                 break;
3567         }
3568 out:
3569         return ret;
3570 }
3571
3572 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3573
3574 /* Returns error only if unable to parse addresses */
3575 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3576                         struct avc_audit_data *ad, u8 *proto)
3577 {
3578         u8 nexthdr;
3579         int ret = -EINVAL, offset;
3580         struct ipv6hdr _ipv6h, *ip6;
3581
3582         offset = skb_network_offset(skb);
3583         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3584         if (ip6 == NULL)
3585                 goto out;
3586
3587         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3588         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3589         ret = 0;
3590
3591         nexthdr = ip6->nexthdr;
3592         offset += sizeof(_ipv6h);
3593         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3594         if (offset < 0)
3595                 goto out;
3596
3597         if (proto)
3598                 *proto = nexthdr;
3599
3600         switch (nexthdr) {
3601         case IPPROTO_TCP: {
3602                 struct tcphdr _tcph, *th;
3603
3604                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3605                 if (th == NULL)
3606                         break;
3607
3608                 ad->u.net.sport = th->source;
3609                 ad->u.net.dport = th->dest;
3610                 break;
3611         }
3612
3613         case IPPROTO_UDP: {
3614                 struct udphdr _udph, *uh;
3615
3616                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3617                 if (uh == NULL)
3618                         break;
3619
3620                 ad->u.net.sport = uh->source;
3621                 ad->u.net.dport = uh->dest;
3622                 break;
3623         }
3624
3625         case IPPROTO_DCCP: {
3626                 struct dccp_hdr _dccph, *dh;
3627
3628                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3629                 if (dh == NULL)
3630                         break;
3631
3632                 ad->u.net.sport = dh->dccph_sport;
3633                 ad->u.net.dport = dh->dccph_dport;
3634                 break;
3635         }
3636
3637         /* includes fragments */
3638         default:
3639                 break;
3640         }
3641 out:
3642         return ret;
3643 }
3644
3645 #endif /* IPV6 */
3646
3647 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3648                              char **_addrp, int src, u8 *proto)
3649 {
3650         char *addrp;
3651         int ret;
3652
3653         switch (ad->u.net.family) {
3654         case PF_INET:
3655                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3656                 if (ret)
3657                         goto parse_error;
3658                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3659                                        &ad->u.net.v4info.daddr);
3660                 goto okay;
3661
3662 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3663         case PF_INET6:
3664                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3665                 if (ret)
3666                         goto parse_error;
3667                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3668                                        &ad->u.net.v6info.daddr);
3669                 goto okay;
3670 #endif  /* IPV6 */
3671         default:
3672                 addrp = NULL;
3673                 goto okay;
3674         }
3675
3676 parse_error:
3677         printk(KERN_WARNING
3678                "SELinux: failure in selinux_parse_skb(),"
3679                " unable to parse packet\n");
3680         return ret;
3681
3682 okay:
3683         if (_addrp)
3684                 *_addrp = addrp;
3685         return 0;
3686 }
3687
3688 /**
3689  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3690  * @skb: the packet
3691  * @family: protocol family
3692  * @sid: the packet's peer label SID
3693  *
3694  * Description:
3695  * Check the various different forms of network peer labeling and determine
3696  * the peer label/SID for the packet; most of the magic actually occurs in
3697  * the security server function security_net_peersid_cmp().  The function
3698  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3699  * or -EACCES if @sid is invalid due to inconsistencies with the different
3700  * peer labels.
3701  *
3702  */
3703 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3704 {
3705         int err;
3706         u32 xfrm_sid;
3707         u32 nlbl_sid;
3708         u32 nlbl_type;
3709
3710         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3711         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3712
3713         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3714         if (unlikely(err)) {
3715                 printk(KERN_WARNING
3716                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3717                        " unable to determine packet's peer label\n");
3718                 return -EACCES;
3719         }
3720
3721         return 0;
3722 }
3723
3724 /* socket security operations */
3725 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3726                            u32 perms)
3727 {
3728         struct inode_security_struct *isec;
3729         struct avc_audit_data ad;
3730         u32 sid;
3731         int err = 0;
3732
3733         isec = SOCK_INODE(sock)->i_security;
3734
3735         if (isec->sid == SECINITSID_KERNEL)
3736                 goto out;
3737         sid = task_sid(task);
3738
3739         AVC_AUDIT_DATA_INIT(&ad, NET);
3740         ad.u.net.sk = sock->sk;
3741         err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3742
3743 out:
3744         return err;
3745 }
3746
3747 static int selinux_socket_create(int family, int type,
3748                                  int protocol, int kern)
3749 {
3750         const struct cred *cred = current_cred();
3751         const struct task_security_struct *tsec = cred->security;
3752         u32 sid, newsid;
3753         u16 secclass;
3754         int err = 0;
3755
3756         if (kern)
3757                 goto out;
3758
3759         sid = tsec->sid;
3760         newsid = tsec->sockcreate_sid ?: sid;
3761
3762         secclass = socket_type_to_security_class(family, type, protocol);
3763         err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3764
3765 out:
3766         return err;
3767 }
3768
3769 static int selinux_socket_post_create(struct socket *sock, int family,
3770                                       int type, int protocol, int kern)
3771 {
3772         const struct cred *cred = current_cred();
3773         const struct task_security_struct *tsec = cred->security;
3774         struct inode_security_struct *isec;
3775         struct sk_security_struct *sksec;
3776         u32 sid, newsid;
3777         int err = 0;
3778
3779         sid = tsec->sid;
3780         newsid = tsec->sockcreate_sid;
3781
3782         isec = SOCK_INODE(sock)->i_security;
3783
3784         if (kern)
3785                 isec->sid = SECINITSID_KERNEL;
3786         else if (newsid)
3787                 isec->sid = newsid;
3788         else
3789                 isec->sid = sid;
3790
3791         isec->sclass = socket_type_to_security_class(family, type, protocol);
3792         isec->initialized = 1;
3793
3794         if (sock->sk) {
3795                 sksec = sock->sk->sk_security;
3796                 sksec->sid = isec->sid;
3797                 sksec->sclass = isec->sclass;
3798                 err = selinux_netlbl_socket_post_create(sock);
3799         }
3800
3801         return err;
3802 }
3803
3804 /* Range of port numbers used to automatically bind.
3805    Need to determine whether we should perform a name_bind
3806    permission check between the socket and the port number. */
3807
3808 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3809 {
3810         u16 family;
3811         int err;
3812
3813         err = socket_has_perm(current, sock, SOCKET__BIND);
3814         if (err)
3815                 goto out;
3816
3817         /*
3818          * If PF_INET or PF_INET6, check name_bind permission for the port.
3819          * Multiple address binding for SCTP is not supported yet: we just
3820          * check the first address now.
3821          */
3822         family = sock->sk->sk_family;
3823         if (family == PF_INET || family == PF_INET6) {
3824                 char *addrp;
3825                 struct inode_security_struct *isec;
3826                 struct avc_audit_data ad;
3827                 struct sockaddr_in *addr4 = NULL;
3828                 struct sockaddr_in6 *addr6 = NULL;
3829                 unsigned short snum;
3830                 struct sock *sk = sock->sk;
3831                 u32 sid, node_perm;
3832
3833                 isec = SOCK_INODE(sock)->i_security;
3834
3835                 if (family == PF_INET) {
3836                         addr4 = (struct sockaddr_in *)address;
3837                         snum = ntohs(addr4->sin_port);
3838                         addrp = (char *)&addr4->sin_addr.s_addr;
3839                 } else {
3840                         addr6 = (struct sockaddr_in6 *)address;
3841                         snum = ntohs(addr6->sin6_port);
3842                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3843                 }
3844
3845                 if (snum) {
3846                         int low, high;
3847
3848                         inet_get_local_port_range(&low, &high);
3849
3850                         if (snum < max(PROT_SOCK, low) || snum > high) {
3851                                 err = sel_netport_sid(sk->sk_protocol,
3852                                                       snum, &sid);
3853                                 if (err)
3854                                         goto out;
3855                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3856                                 ad.u.net.sport = htons(snum);
3857                                 ad.u.net.family = family;
3858                                 err = avc_has_perm(isec->sid, sid,
3859                                                    isec->sclass,
3860                                                    SOCKET__NAME_BIND, &ad);
3861                                 if (err)
3862                                         goto out;
3863                         }
3864                 }
3865
3866                 switch (isec->sclass) {
3867                 case SECCLASS_TCP_SOCKET:
3868                         node_perm = TCP_SOCKET__NODE_BIND;
3869                         break;
3870
3871                 case SECCLASS_UDP_SOCKET:
3872                         node_perm = UDP_SOCKET__NODE_BIND;
3873                         break;
3874
3875                 case SECCLASS_DCCP_SOCKET:
3876                         node_perm = DCCP_SOCKET__NODE_BIND;
3877                         break;
3878
3879                 default:
3880                         node_perm = RAWIP_SOCKET__NODE_BIND;
3881                         break;
3882                 }
3883
3884                 err = sel_netnode_sid(addrp, family, &sid);
3885                 if (err)
3886                         goto out;
3887
3888                 AVC_AUDIT_DATA_INIT(&ad, NET);
3889                 ad.u.net.sport = htons(snum);
3890                 ad.u.net.family = family;
3891
3892                 if (family == PF_INET)
3893                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3894                 else
3895                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3896
3897                 err = avc_has_perm(isec->sid, sid,
3898                                    isec->sclass, node_perm, &ad);
3899                 if (err)
3900                         goto out;
3901         }
3902 out:
3903         return err;
3904 }
3905
3906 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3907 {
3908         struct sock *sk = sock->sk;
3909         struct inode_security_struct *isec;
3910         int err;
3911
3912         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3913         if (err)
3914                 return err;
3915
3916         /*
3917          * If a TCP or DCCP socket, check name_connect permission for the port.
3918          */
3919         isec = SOCK_INODE(sock)->i_security;
3920         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3921             isec->sclass == SECCLASS_DCCP_SOCKET) {
3922                 struct avc_audit_data ad;
3923                 struct sockaddr_in *addr4 = NULL;
3924                 struct sockaddr_in6 *addr6 = NULL;
3925                 unsigned short snum;
3926                 u32 sid, perm;
3927
3928                 if (sk->sk_family == PF_INET) {
3929                         addr4 = (struct sockaddr_in *)address;
3930                         if (addrlen < sizeof(struct sockaddr_in))
3931                                 return -EINVAL;
3932                         snum = ntohs(addr4->sin_port);
3933                 } else {
3934                         addr6 = (struct sockaddr_in6 *)address;
3935                         if (addrlen < SIN6_LEN_RFC2133)
3936                                 return -EINVAL;
3937                         snum = ntohs(addr6->sin6_port);
3938                 }
3939
3940                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3941                 if (err)
3942                         goto out;
3943
3944                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3945                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3946
3947                 AVC_AUDIT_DATA_INIT(&ad, NET);
3948                 ad.u.net.dport = htons(snum);
3949                 ad.u.net.family = sk->sk_family;
3950                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3951                 if (err)
3952                         goto out;
3953         }
3954
3955         err = selinux_netlbl_socket_connect(sk, address);
3956
3957 out:
3958         return err;
3959 }
3960
3961 static int selinux_socket_listen(struct socket *sock, int backlog)
3962 {
3963         return socket_has_perm(current, sock, SOCKET__LISTEN);
3964 }
3965
3966 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3967 {
3968         int err;
3969         struct inode_security_struct *isec;
3970         struct inode_security_struct *newisec;
3971
3972         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3973         if (err)
3974                 return err;
3975
3976         newisec = SOCK_INODE(newsock)->i_security;
3977
3978         isec = SOCK_INODE(sock)->i_security;
3979         newisec->sclass = isec->sclass;
3980         newisec->sid = isec->sid;
3981         newisec->initialized = 1;
3982
3983         return 0;
3984 }
3985
3986 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3987                                   int size)
3988 {
3989         int rc;
3990
3991         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3992         if (rc)
3993                 return rc;
3994
3995         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3996 }
3997
3998 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3999                                   int size, int flags)
4000 {
4001         return socket_has_perm(current, sock, SOCKET__READ);
4002 }
4003
4004 static int selinux_socket_getsockname(struct socket *sock)
4005 {
4006         return socket_has_perm(current, sock, SOCKET__GETATTR);
4007 }
4008
4009 static int selinux_socket_getpeername(struct socket *sock)
4010 {
4011         return socket_has_perm(current, sock, SOCKET__GETATTR);
4012 }
4013
4014 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4015 {
4016         int err;
4017
4018         err = socket_has_perm(current, sock, SOCKET__SETOPT);
4019         if (err)
4020                 return err;
4021
4022         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4023 }
4024
4025 static int selinux_socket_getsockopt(struct socket *sock, int level,
4026                                      int optname)
4027 {
4028         return socket_has_perm(current, sock, SOCKET__GETOPT);
4029 }
4030
4031 static int selinux_socket_shutdown(struct socket *sock, int how)
4032 {
4033         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4034 }
4035
4036 static int selinux_socket_unix_stream_connect(struct socket *sock,
4037                                               struct socket *other,
4038                                               struct sock *newsk)
4039 {
4040         struct sk_security_struct *ssec;
4041         struct inode_security_struct *isec;
4042         struct inode_security_struct *other_isec;
4043         struct avc_audit_data ad;
4044         int err;
4045
4046         err = secondary_ops->unix_stream_connect(sock, other, newsk);
4047         if (err)
4048                 return err;
4049
4050         isec = SOCK_INODE(sock)->i_security;
4051         other_isec = SOCK_INODE(other)->i_security;
4052
4053         AVC_AUDIT_DATA_INIT(&ad, NET);
4054         ad.u.net.sk = other->sk;
4055
4056         err = avc_has_perm(isec->sid, other_isec->sid,
4057                            isec->sclass,
4058                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4059         if (err)
4060                 return err;
4061
4062         /* connecting socket */
4063         ssec = sock->sk->sk_security;
4064         ssec->peer_sid = other_isec->sid;
4065
4066         /* server child socket */
4067         ssec = newsk->sk_security;
4068         ssec->peer_sid = isec->sid;
4069         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4070
4071         return err;
4072 }
4073
4074 static int selinux_socket_unix_may_send(struct socket *sock,
4075                                         struct socket *other)
4076 {
4077         struct inode_security_struct *isec;
4078         struct inode_security_struct *other_isec;
4079         struct avc_audit_data ad;
4080         int err;
4081
4082         isec = SOCK_INODE(sock)->i_security;
4083         other_isec = SOCK_INODE(other)->i_security;
4084
4085         AVC_AUDIT_DATA_INIT(&ad, NET);
4086         ad.u.net.sk = other->sk;
4087
4088         err = avc_has_perm(isec->sid, other_isec->sid,
4089                            isec->sclass, SOCKET__SENDTO, &ad);
4090         if (err)
4091                 return err;
4092
4093         return 0;
4094 }
4095
4096 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4097                                     u32 peer_sid,
4098                                     struct avc_audit_data *ad)
4099 {
4100         int err;
4101         u32 if_sid;
4102         u32 node_sid;
4103
4104         err = sel_netif_sid(ifindex, &if_sid);
4105         if (err)
4106                 return err;
4107         err = avc_has_perm(peer_sid, if_sid,
4108                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4109         if (err)
4110                 return err;
4111
4112         err = sel_netnode_sid(addrp, family, &node_sid);
4113         if (err)
4114                 return err;
4115         return avc_has_perm(peer_sid, node_sid,
4116                             SECCLASS_NODE, NODE__RECVFROM, ad);
4117 }
4118
4119 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4120                                                 struct sk_buff *skb,
4121                                                 struct avc_audit_data *ad,
4122                                                 u16 family,
4123                                                 char *addrp)
4124 {
4125         int err;
4126         struct sk_security_struct *sksec = sk->sk_security;
4127         u16 sk_class;
4128         u32 netif_perm, node_perm, recv_perm;
4129         u32 port_sid, node_sid, if_sid, sk_sid;
4130
4131         sk_sid = sksec->sid;
4132         sk_class = sksec->sclass;
4133
4134         switch (sk_class) {
4135         case SECCLASS_UDP_SOCKET:
4136                 netif_perm = NETIF__UDP_RECV;
4137                 node_perm = NODE__UDP_RECV;
4138                 recv_perm = UDP_SOCKET__RECV_MSG;
4139                 break;
4140         case SECCLASS_TCP_SOCKET:
4141                 netif_perm = NETIF__TCP_RECV;
4142                 node_perm = NODE__TCP_RECV;
4143                 recv_perm = TCP_SOCKET__RECV_MSG;
4144                 break;
4145         case SECCLASS_DCCP_SOCKET:
4146                 netif_perm = NETIF__DCCP_RECV;
4147                 node_perm = NODE__DCCP_RECV;
4148                 recv_perm = DCCP_SOCKET__RECV_MSG;
4149                 break;
4150         default:
4151                 netif_perm = NETIF__RAWIP_RECV;
4152                 node_perm = NODE__RAWIP_RECV;
4153                 recv_perm = 0;
4154                 break;
4155         }
4156
4157         err = sel_netif_sid(skb->iif, &if_sid);
4158         if (err)
4159                 return err;
4160         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4161         if (err)
4162                 return err;
4163
4164         err = sel_netnode_sid(addrp, family, &node_sid);
4165         if (err)
4166                 return err;
4167         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4168         if (err)
4169                 return err;
4170
4171         if (!recv_perm)
4172                 return 0;
4173         err = sel_netport_sid(sk->sk_protocol,
4174                               ntohs(ad->u.net.sport), &port_sid);
4175         if (unlikely(err)) {
4176                 printk(KERN_WARNING
4177                        "SELinux: failure in"
4178                        " selinux_sock_rcv_skb_iptables_compat(),"
4179                        " network port label not found\n");
4180                 return err;
4181         }
4182         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4183 }
4184
4185 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4186                                        u16 family)
4187 {
4188         int err = 0;
4189         struct sk_security_struct *sksec = sk->sk_security;
4190         u32 peer_sid;
4191         u32 sk_sid = sksec->sid;
4192         struct avc_audit_data ad;
4193         char *addrp;
4194
4195         AVC_AUDIT_DATA_INIT(&ad, NET);
4196         ad.u.net.netif = skb->iif;
4197         ad.u.net.family = family;
4198         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4199         if (err)
4200                 return err;
4201
4202         if (selinux_compat_net)
4203                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4204                                                            family, addrp);
4205         else if (selinux_secmark_enabled())
4206                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4207                                    PACKET__RECV, &ad);
4208         if (err)
4209                 return err;
4210
4211         if (selinux_policycap_netpeer) {
4212                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4213                 if (err)
4214                         return err;
4215                 err = avc_has_perm(sk_sid, peer_sid,
4216                                    SECCLASS_PEER, PEER__RECV, &ad);
4217                 if (err)
4218                         selinux_netlbl_err(skb, err, 0);
4219         } else {
4220                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4221                 if (err)
4222                         return err;
4223                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4224         }
4225
4226         return err;
4227 }
4228
4229 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4230 {
4231         int err;
4232         struct sk_security_struct *sksec = sk->sk_security;
4233         u16 family = sk->sk_family;
4234         u32 sk_sid = sksec->sid;
4235         struct avc_audit_data ad;
4236         char *addrp;
4237         u8 secmark_active;
4238         u8 peerlbl_active;
4239
4240         if (family != PF_INET && family != PF_INET6)
4241                 return 0;
4242
4243         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4244         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4245                 family = PF_INET;
4246
4247         /* If any sort of compatibility mode is enabled then handoff processing
4248          * to the selinux_sock_rcv_skb_compat() function to deal with the
4249          * special handling.  We do this in an attempt to keep this function
4250          * as fast and as clean as possible. */
4251         if (selinux_compat_net || !selinux_policycap_netpeer)
4252                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4253
4254         secmark_active = selinux_secmark_enabled();
4255         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4256         if (!secmark_active && !peerlbl_active)
4257                 return 0;
4258
4259         AVC_AUDIT_DATA_INIT(&ad, NET);
4260         ad.u.net.netif = skb->iif;
4261         ad.u.net.family = family;
4262         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4263         if (err)
4264                 return err;
4265
4266         if (peerlbl_active) {
4267                 u32 peer_sid;
4268
4269                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4270                 if (err)
4271                         return err;
4272                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4273                                                peer_sid, &ad);
4274                 if (err) {
4275                         selinux_netlbl_err(skb, err, 0);
4276                         return err;
4277                 }
4278                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4279                                    PEER__RECV, &ad);
4280                 if (err)
4281                         selinux_netlbl_err(skb, err, 0);
4282         }
4283
4284         if (secmark_active) {
4285                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4286                                    PACKET__RECV, &ad);
4287                 if (err)
4288                         return err;
4289         }
4290
4291         return err;
4292 }
4293
4294 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4295                                             int __user *optlen, unsigned len)
4296 {
4297         int err = 0;
4298         char *scontext;
4299         u32 scontext_len;
4300         struct sk_security_struct *ssec;
4301         struct inode_security_struct *isec;
4302         u32 peer_sid = SECSID_NULL;
4303
4304         isec = SOCK_INODE(sock)->i_security;
4305
4306         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4307             isec->sclass == SECCLASS_TCP_SOCKET) {
4308                 ssec = sock->sk->sk_security;
4309                 peer_sid = ssec->peer_sid;
4310         }
4311         if (peer_sid == SECSID_NULL) {
4312                 err = -ENOPROTOOPT;
4313                 goto out;
4314         }
4315
4316         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4317
4318         if (err)
4319                 goto out;
4320
4321         if (scontext_len > len) {
4322                 err = -ERANGE;
4323                 goto out_len;
4324         }
4325
4326         if (copy_to_user(optval, scontext, scontext_len))
4327                 err = -EFAULT;
4328
4329 out_len:
4330         if (put_user(scontext_len, optlen))
4331                 err = -EFAULT;
4332
4333         kfree(scontext);
4334 out:
4335         return err;
4336 }
4337
4338 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4339 {
4340         u32 peer_secid = SECSID_NULL;
4341         u16 family;
4342
4343         if (skb && skb->protocol == htons(ETH_P_IP))
4344                 family = PF_INET;
4345         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4346                 family = PF_INET6;
4347         else if (sock)
4348                 family = sock->sk->sk_family;
4349         else
4350                 goto out;
4351
4352         if (sock && family == PF_UNIX)
4353                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4354         else if (skb)
4355                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4356
4357 out:
4358         *secid = peer_secid;
4359         if (peer_secid == SECSID_NULL)
4360                 return -EINVAL;
4361         return 0;
4362 }
4363
4364 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4365 {
4366         return sk_alloc_security(sk, family, priority);
4367 }
4368
4369 static void selinux_sk_free_security(struct sock *sk)
4370 {
4371         sk_free_security(sk);
4372 }
4373
4374 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4375 {
4376         struct sk_security_struct *ssec = sk->sk_security;
4377         struct sk_security_struct *newssec = newsk->sk_security;
4378
4379         newssec->sid = ssec->sid;
4380         newssec->peer_sid = ssec->peer_sid;
4381         newssec->sclass = ssec->sclass;
4382
4383         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4384 }
4385
4386 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4387 {
4388         if (!sk)
4389                 *secid = SECINITSID_ANY_SOCKET;
4390         else {
4391                 struct sk_security_struct *sksec = sk->sk_security;
4392
4393                 *secid = sksec->sid;
4394         }
4395 }
4396
4397 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4398 {
4399         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4400         struct sk_security_struct *sksec = sk->sk_security;
4401
4402         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4403             sk->sk_family == PF_UNIX)
4404                 isec->sid = sksec->sid;
4405         sksec->sclass = isec->sclass;
4406 }
4407
4408 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4409                                      struct request_sock *req)
4410 {
4411         struct sk_security_struct *sksec = sk->sk_security;
4412         int err;
4413         u16 family = sk->sk_family;
4414         u32 newsid;
4415         u32 peersid;
4416
4417         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4418         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4419                 family = PF_INET;
4420
4421         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4422         if (err)
4423                 return err;
4424         if (peersid == SECSID_NULL) {
4425                 req->secid = sksec->sid;
4426                 req->peer_secid = SECSID_NULL;
4427                 return 0;
4428         }
4429
4430         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4431         if (err)
4432                 return err;
4433
4434         req->secid = newsid;
4435         req->peer_secid = peersid;
4436         return 0;
4437 }
4438
4439 static void selinux_inet_csk_clone(struct sock *newsk,
4440                                    const struct request_sock *req)
4441 {
4442         struct sk_security_struct *newsksec = newsk->sk_security;
4443
4444         newsksec->sid = req->secid;
4445         newsksec->peer_sid = req->peer_secid;
4446         /* NOTE: Ideally, we should also get the isec->sid for the
4447            new socket in sync, but we don't have the isec available yet.
4448            So we will wait until sock_graft to do it, by which
4449            time it will have been created and available. */
4450
4451         /* We don't need to take any sort of lock here as we are the only
4452          * thread with access to newsksec */
4453         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4454 }
4455
4456 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4457 {
4458         u16 family = sk->sk_family;
4459         struct sk_security_struct *sksec = sk->sk_security;
4460
4461         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4462         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4463                 family = PF_INET;
4464
4465         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4466
4467         selinux_netlbl_inet_conn_established(sk, family);
4468 }
4469
4470 static void selinux_req_classify_flow(const struct request_sock *req,
4471                                       struct flowi *fl)
4472 {
4473         fl->secid = req->secid;
4474 }
4475
4476 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4477 {
4478         int err = 0;
4479         u32 perm;
4480         struct nlmsghdr *nlh;
4481         struct socket *sock = sk->sk_socket;
4482         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4483
4484         if (skb->len < NLMSG_SPACE(0)) {
4485                 err = -EINVAL;
4486                 goto out;
4487         }
4488         nlh = nlmsg_hdr(skb);
4489
4490         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4491         if (err) {
4492                 if (err == -EINVAL) {
4493                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4494                                   "SELinux:  unrecognized netlink message"
4495                                   " type=%hu for sclass=%hu\n",
4496                                   nlh->nlmsg_type, isec->sclass);
4497                         if (!selinux_enforcing || security_get_allow_unknown())
4498                                 err = 0;
4499                 }
4500
4501                 /* Ignore */
4502                 if (err == -ENOENT)
4503                         err = 0;
4504                 goto out;
4505         }
4506
4507         err = socket_has_perm(current, sock, perm);
4508 out:
4509         return err;
4510 }
4511
4512 #ifdef CONFIG_NETFILTER
4513
4514 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4515                                        u16 family)
4516 {
4517         int err;
4518         char *addrp;
4519         u32 peer_sid;
4520         struct avc_audit_data ad;
4521         u8 secmark_active;
4522         u8 netlbl_active;
4523         u8 peerlbl_active;
4524
4525         if (!selinux_policycap_netpeer)
4526                 return NF_ACCEPT;
4527
4528         secmark_active = selinux_secmark_enabled();
4529         netlbl_active = netlbl_enabled();
4530         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4531         if (!secmark_active && !peerlbl_active)
4532                 return NF_ACCEPT;
4533
4534         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4535                 return NF_DROP;
4536
4537         AVC_AUDIT_DATA_INIT(&ad, NET);
4538         ad.u.net.netif = ifindex;
4539         ad.u.net.family = family;
4540         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4541                 return NF_DROP;
4542
4543         if (peerlbl_active) {
4544                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4545                                                peer_sid, &ad);
4546                 if (err) {
4547                         selinux_netlbl_err(skb, err, 1);
4548                         return NF_DROP;
4549                 }
4550         }
4551
4552         if (secmark_active)
4553                 if (avc_has_perm(peer_sid, skb->secmark,
4554                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4555                         return NF_DROP;
4556
4557         if (netlbl_active)
4558                 /* we do this in the FORWARD path and not the POST_ROUTING
4559                  * path because we want to make sure we apply the necessary
4560                  * labeling before IPsec is applied so we can leverage AH
4561                  * protection */
4562                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4563                         return NF_DROP;
4564
4565         return NF_ACCEPT;
4566 }
4567
4568 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4569                                          struct sk_buff *skb,
4570                                          const struct net_device *in,
4571                                          const struct net_device *out,
4572                                          int (*okfn)(struct sk_buff *))
4573 {
4574         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4575 }
4576
4577 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4578 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4579                                          struct sk_buff *skb,
4580                                          const struct net_device *in,
4581                                          const struct net_device *out,
4582                                          int (*okfn)(struct sk_buff *))
4583 {
4584         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4585 }
4586 #endif  /* IPV6 */
4587
4588 static unsigned int selinux_ip_output(struct sk_buff *skb,
4589                                       u16 family)
4590 {
4591         u32 sid;
4592
4593         if (!netlbl_enabled())
4594                 return NF_ACCEPT;
4595
4596         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4597          * because we want to make sure we apply the necessary labeling
4598          * before IPsec is applied so we can leverage AH protection */
4599         if (skb->sk) {
4600                 struct sk_security_struct *sksec = skb->sk->sk_security;
4601                 sid = sksec->sid;
4602         } else
4603                 sid = SECINITSID_KERNEL;
4604         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4605                 return NF_DROP;
4606
4607         return NF_ACCEPT;
4608 }
4609
4610 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4611                                         struct sk_buff *skb,
4612                                         const struct net_device *in,
4613                                         const struct net_device *out,
4614                                         int (*okfn)(struct sk_buff *))
4615 {
4616         return selinux_ip_output(skb, PF_INET);
4617 }
4618
4619 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4620                                                 int ifindex,
4621                                                 struct avc_audit_data *ad,
4622                                                 u16 family, char *addrp)
4623 {
4624         int err;
4625         struct sk_security_struct *sksec = sk->sk_security;
4626         u16 sk_class;
4627         u32 netif_perm, node_perm, send_perm;
4628         u32 port_sid, node_sid, if_sid, sk_sid;
4629
4630         sk_sid = sksec->sid;
4631         sk_class = sksec->sclass;
4632
4633         switch (sk_class) {
4634         case SECCLASS_UDP_SOCKET:
4635                 netif_perm = NETIF__UDP_SEND;
4636                 node_perm = NODE__UDP_SEND;
4637                 send_perm = UDP_SOCKET__SEND_MSG;
4638                 break;
4639         case SECCLASS_TCP_SOCKET:
4640                 netif_perm = NETIF__TCP_SEND;
4641                 node_perm = NODE__TCP_SEND;
4642                 send_perm = TCP_SOCKET__SEND_MSG;
4643                 break;
4644         case SECCLASS_DCCP_SOCKET:
4645                 netif_perm = NETIF__DCCP_SEND;
4646                 node_perm = NODE__DCCP_SEND;
4647                 send_perm = DCCP_SOCKET__SEND_MSG;
4648                 break;
4649         default:
4650                 netif_perm = NETIF__RAWIP_SEND;
4651                 node_perm = NODE__RAWIP_SEND;
4652                 send_perm = 0;
4653                 break;
4654         }
4655
4656         err = sel_netif_sid(ifindex, &if_sid);
4657         if (err)
4658                 return err;
4659         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4660                 return err;
4661
4662         err = sel_netnode_sid(addrp, family, &node_sid);
4663         if (err)
4664                 return err;
4665         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4666         if (err)
4667                 return err;
4668
4669         if (send_perm != 0)
4670                 return 0;
4671
4672         err = sel_netport_sid(sk->sk_protocol,
4673                               ntohs(ad->u.net.dport), &port_sid);
4674         if (unlikely(err)) {
4675                 printk(KERN_WARNING
4676                        "SELinux: failure in"
4677                        " selinux_ip_postroute_iptables_compat(),"
4678                        " network port label not found\n");
4679                 return err;
4680         }
4681         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4682 }
4683
4684 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4685                                                 int ifindex,
4686                                                 u16 family)
4687 {
4688         struct sock *sk = skb->sk;
4689         struct sk_security_struct *sksec;
4690         struct avc_audit_data ad;
4691         char *addrp;
4692         u8 proto;
4693
4694         if (sk == NULL)
4695                 return NF_ACCEPT;
4696         sksec = sk->sk_security;
4697
4698         AVC_AUDIT_DATA_INIT(&ad, NET);
4699         ad.u.net.netif = ifindex;
4700         ad.u.net.family = family;
4701         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4702                 return NF_DROP;
4703
4704         if (selinux_compat_net) {
4705                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4706                                                          &ad, family, addrp))
4707                         return NF_DROP;
4708         } else if (selinux_secmark_enabled()) {
4709                 if (avc_has_perm(sksec->sid, skb->secmark,
4710                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4711                         return NF_DROP;
4712         }
4713
4714         if (selinux_policycap_netpeer)
4715                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4716                         return NF_DROP;
4717
4718         return NF_ACCEPT;
4719 }
4720
4721 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4722                                          u16 family)
4723 {
4724         u32 secmark_perm;
4725         u32 peer_sid;
4726         struct sock *sk;
4727         struct avc_audit_data ad;
4728         char *addrp;
4729         u8 secmark_active;
4730         u8 peerlbl_active;
4731
4732         /* If any sort of compatibility mode is enabled then handoff processing
4733          * to the selinux_ip_postroute_compat() function to deal with the
4734          * special handling.  We do this in an attempt to keep this function
4735          * as fast and as clean as possible. */
4736         if (selinux_compat_net || !selinux_policycap_netpeer)
4737                 return selinux_ip_postroute_compat(skb, ifindex, family);
4738 #ifdef CONFIG_XFRM
4739         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4740          * packet transformation so allow the packet to pass without any checks
4741          * since we'll have another chance to perform access control checks
4742          * when the packet is on it's final way out.
4743          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4744          *       is NULL, in this case go ahead and apply access control. */
4745         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4746                 return NF_ACCEPT;
4747 #endif
4748         secmark_active = selinux_secmark_enabled();
4749         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4750         if (!secmark_active && !peerlbl_active)
4751                 return NF_ACCEPT;
4752
4753         /* if the packet is being forwarded then get the peer label from the
4754          * packet itself; otherwise check to see if it is from a local
4755          * application or the kernel, if from an application get the peer label
4756          * from the sending socket, otherwise use the kernel's sid */
4757         sk = skb->sk;
4758         if (sk == NULL) {
4759                 switch (family) {
4760                 case PF_INET:
4761                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4762                                 secmark_perm = PACKET__FORWARD_OUT;
4763                         else
4764                                 secmark_perm = PACKET__SEND;
4765                         break;
4766                 case PF_INET6:
4767                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4768                                 secmark_perm = PACKET__FORWARD_OUT;
4769                         else
4770                                 secmark_perm = PACKET__SEND;
4771                         break;
4772                 default:
4773                         return NF_DROP;
4774                 }
4775                 if (secmark_perm == PACKET__FORWARD_OUT) {
4776                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4777                                 return NF_DROP;
4778                 } else
4779                         peer_sid = SECINITSID_KERNEL;
4780         } else {
4781                 struct sk_security_struct *sksec = sk->sk_security;
4782                 peer_sid = sksec->sid;
4783                 secmark_perm = PACKET__SEND;
4784         }
4785
4786         AVC_AUDIT_DATA_INIT(&ad, NET);
4787         ad.u.net.netif = ifindex;
4788         ad.u.net.family = family;
4789         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4790                 return NF_DROP;
4791
4792         if (secmark_active)
4793                 if (avc_has_perm(peer_sid, skb->secmark,
4794                                  SECCLASS_PACKET, secmark_perm, &ad))
4795                         return NF_DROP;
4796
4797         if (peerlbl_active) {
4798                 u32 if_sid;
4799                 u32 node_sid;
4800
4801                 if (sel_netif_sid(ifindex, &if_sid))
4802                         return NF_DROP;
4803                 if (avc_has_perm(peer_sid, if_sid,
4804                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4805                         return NF_DROP;
4806
4807                 if (sel_netnode_sid(addrp, family, &node_sid))
4808                         return NF_DROP;
4809                 if (avc_has_perm(peer_sid, node_sid,
4810                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4811                         return NF_DROP;
4812         }
4813
4814         return NF_ACCEPT;
4815 }
4816
4817 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4818                                            struct sk_buff *skb,
4819                                            const struct net_device *in,
4820                                            const struct net_device *out,
4821                                            int (*okfn)(struct sk_buff *))
4822 {
4823         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4824 }
4825
4826 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4827 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4828                                            struct sk_buff *skb,
4829                                            const struct net_device *in,
4830                                            const struct net_device *out,
4831                                            int (*okfn)(struct sk_buff *))
4832 {
4833         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4834 }
4835 #endif  /* IPV6 */
4836
4837 #endif  /* CONFIG_NETFILTER */
4838
4839 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4840 {
4841         int err;
4842
4843         err = secondary_ops->netlink_send(sk, skb);
4844         if (err)
4845                 return err;
4846
4847         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4848                 err = selinux_nlmsg_perm(sk, skb);
4849
4850         return err;
4851 }
4852
4853 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4854 {
4855         int err;
4856         struct avc_audit_data ad;
4857
4858         err = secondary_ops->netlink_recv(skb, capability);
4859         if (err)
4860                 return err;
4861
4862         AVC_AUDIT_DATA_INIT(&ad, CAP);
4863         ad.u.cap = capability;
4864
4865         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4866                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4867 }
4868
4869 static int ipc_alloc_security(struct task_struct *task,
4870                               struct kern_ipc_perm *perm,
4871                               u16 sclass)
4872 {
4873         struct ipc_security_struct *isec;
4874         u32 sid;
4875
4876         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4877         if (!isec)
4878                 return -ENOMEM;
4879
4880         sid = task_sid(task);
4881         isec->sclass = sclass;
4882         isec->sid = sid;
4883         perm->security = isec;
4884
4885         return 0;
4886 }
4887
4888 static void ipc_free_security(struct kern_ipc_perm *perm)
4889 {
4890         struct ipc_security_struct *isec = perm->security;
4891         perm->security = NULL;
4892         kfree(isec);
4893 }
4894
4895 static int msg_msg_alloc_security(struct msg_msg *msg)
4896 {
4897         struct msg_security_struct *msec;
4898
4899         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4900         if (!msec)
4901                 return -ENOMEM;
4902
4903         msec->sid = SECINITSID_UNLABELED;
4904         msg->security = msec;
4905
4906         return 0;
4907 }
4908
4909 static void msg_msg_free_security(struct msg_msg *msg)
4910 {
4911         struct msg_security_struct *msec = msg->security;
4912
4913         msg->security = NULL;
4914         kfree(msec);
4915 }
4916
4917 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4918                         u32 perms)
4919 {
4920         struct ipc_security_struct *isec;
4921         struct avc_audit_data ad;
4922         u32 sid = current_sid();
4923
4924         isec = ipc_perms->security;
4925
4926         AVC_AUDIT_DATA_INIT(&ad, IPC);
4927         ad.u.ipc_id = ipc_perms->key;
4928
4929         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4930 }
4931
4932 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4933 {
4934         return msg_msg_alloc_security(msg);
4935 }
4936
4937 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4938 {
4939         msg_msg_free_security(msg);
4940 }
4941
4942 /* message queue security operations */
4943 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4944 {
4945         struct ipc_security_struct *isec;
4946         struct avc_audit_data ad;
4947         u32 sid = current_sid();
4948         int rc;
4949
4950         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4951         if (rc)
4952                 return rc;
4953
4954         isec = msq->q_perm.security;
4955
4956         AVC_AUDIT_DATA_INIT(&ad, IPC);
4957         ad.u.ipc_id = msq->q_perm.key;
4958
4959         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4960                           MSGQ__CREATE, &ad);
4961         if (rc) {
4962                 ipc_free_security(&msq->q_perm);
4963                 return rc;
4964         }
4965         return 0;
4966 }
4967
4968 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4969 {
4970         ipc_free_security(&msq->q_perm);
4971 }
4972
4973 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4974 {
4975         struct ipc_security_struct *isec;
4976         struct avc_audit_data ad;
4977         u32 sid = current_sid();
4978
4979         isec = msq->q_perm.security;
4980
4981         AVC_AUDIT_DATA_INIT(&ad, IPC);
4982         ad.u.ipc_id = msq->q_perm.key;
4983
4984         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4985                             MSGQ__ASSOCIATE, &ad);
4986 }
4987
4988 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4989 {
4990         int err;
4991         int perms;
4992
4993         switch (cmd) {
4994         case IPC_INFO:
4995         case MSG_INFO:
4996                 /* No specific object, just general system-wide information. */
4997                 return task_has_system(current, SYSTEM__IPC_INFO);
4998         case IPC_STAT:
4999         case MSG_STAT:
5000                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5001                 break;
5002         case IPC_SET:
5003                 perms = MSGQ__SETATTR;
5004                 break;
5005         case IPC_RMID:
5006                 perms = MSGQ__DESTROY;
5007                 break;
5008         default:
5009                 return 0;
5010         }
5011
5012         err = ipc_has_perm(&msq->q_perm, perms);
5013         return err;
5014 }
5015
5016 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5017 {
5018         struct ipc_security_struct *isec;
5019         struct msg_security_struct *msec;
5020         struct avc_audit_data ad;
5021         u32 sid = current_sid();
5022         int rc;
5023
5024         isec = msq->q_perm.security;
5025         msec = msg->security;
5026
5027         /*
5028          * First time through, need to assign label to the message
5029          */
5030         if (msec->sid == SECINITSID_UNLABELED) {
5031                 /*
5032                  * Compute new sid based on current process and
5033                  * message queue this message will be stored in
5034                  */
5035                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5036                                              &msec->sid);
5037                 if (rc)
5038                         return rc;
5039         }
5040
5041         AVC_AUDIT_DATA_INIT(&ad, IPC);
5042         ad.u.ipc_id = msq->q_perm.key;
5043
5044         /* Can this process write to the queue? */
5045         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5046                           MSGQ__WRITE, &ad);
5047         if (!rc)
5048                 /* Can this process send the message */
5049                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5050                                   MSG__SEND, &ad);
5051         if (!rc)
5052                 /* Can the message be put in the queue? */
5053                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5054                                   MSGQ__ENQUEUE, &ad);
5055
5056         return rc;
5057 }
5058
5059 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5060                                     struct task_struct *target,
5061                                     long type, int mode)
5062 {
5063         struct ipc_security_struct *isec;
5064         struct msg_security_struct *msec;
5065         struct avc_audit_data ad;
5066         u32 sid = task_sid(target);
5067         int rc;
5068
5069         isec = msq->q_perm.security;
5070         msec = msg->security;
5071
5072         AVC_AUDIT_DATA_INIT(&ad, IPC);
5073         ad.u.ipc_id = msq->q_perm.key;
5074
5075         rc = avc_has_perm(sid, isec->sid,
5076                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5077         if (!rc)
5078                 rc = avc_has_perm(sid, msec->sid,
5079                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5080         return rc;
5081 }
5082
5083 /* Shared Memory security operations */
5084 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5085 {
5086         struct ipc_security_struct *isec;
5087         struct avc_audit_data ad;
5088         u32 sid = current_sid();
5089         int rc;
5090
5091         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5092         if (rc)
5093                 return rc;
5094
5095         isec = shp->shm_perm.security;
5096
5097         AVC_AUDIT_DATA_INIT(&ad, IPC);
5098         ad.u.ipc_id = shp->shm_perm.key;
5099
5100         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5101                           SHM__CREATE, &ad);
5102         if (rc) {
5103                 ipc_free_security(&shp->shm_perm);
5104                 return rc;
5105         }
5106         return 0;
5107 }
5108
5109 static void selinux_shm_free_security(struct shmid_kernel *shp)
5110 {
5111         ipc_free_security(&shp->shm_perm);
5112 }
5113
5114 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5115 {
5116         struct ipc_security_struct *isec;
5117         struct avc_audit_data ad;
5118         u32 sid = current_sid();
5119
5120         isec = shp->shm_perm.security;
5121
5122         AVC_AUDIT_DATA_INIT(&ad, IPC);
5123         ad.u.ipc_id = shp->shm_perm.key;
5124
5125         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5126                             SHM__ASSOCIATE, &ad);
5127 }
5128
5129 /* Note, at this point, shp is locked down */
5130 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5131 {
5132         int perms;
5133         int err;
5134
5135         switch (cmd) {
5136         case IPC_INFO:
5137         case SHM_INFO:
5138                 /* No specific object, just general system-wide information. */
5139                 return task_has_system(current, SYSTEM__IPC_INFO);
5140         case IPC_STAT:
5141         case SHM_STAT:
5142                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5143                 break;
5144         case IPC_SET:
5145                 perms = SHM__SETATTR;
5146                 break;
5147         case SHM_LOCK:
5148         case SHM_UNLOCK:
5149                 perms = SHM__LOCK;
5150                 break;
5151         case IPC_RMID:
5152                 perms = SHM__DESTROY;
5153                 break;
5154         default:
5155                 return 0;
5156         }
5157
5158         err = ipc_has_perm(&shp->shm_perm, perms);
5159         return err;
5160 }
5161
5162 static int selinux_shm_shmat(struct shmid_kernel *shp,
5163                              char __user *shmaddr, int shmflg)
5164 {
5165         u32 perms;
5166         int rc;
5167
5168         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5169         if (rc)
5170                 return rc;
5171
5172         if (shmflg & SHM_RDONLY)
5173                 perms = SHM__READ;
5174         else
5175                 perms = SHM__READ | SHM__WRITE;
5176
5177         return ipc_has_perm(&shp->shm_perm, perms);
5178 }
5179
5180 /* Semaphore security operations */
5181 static int selinux_sem_alloc_security(struct sem_array *sma)
5182 {
5183         struct ipc_security_struct *isec;
5184         struct avc_audit_data ad;
5185         u32 sid = current_sid();
5186         int rc;
5187
5188         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5189         if (rc)
5190                 return rc;
5191
5192         isec = sma->sem_perm.security;
5193
5194         AVC_AUDIT_DATA_INIT(&ad, IPC);
5195         ad.u.ipc_id = sma->sem_perm.key;
5196
5197         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5198                           SEM__CREATE, &ad);
5199         if (rc) {
5200                 ipc_free_security(&sma->sem_perm);
5201                 return rc;
5202         }
5203         return 0;
5204 }
5205
5206 static void selinux_sem_free_security(struct sem_array *sma)
5207 {
5208         ipc_free_security(&sma->sem_perm);
5209 }
5210
5211 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5212 {
5213         struct ipc_security_struct *isec;
5214         struct avc_audit_data ad;
5215         u32 sid = current_sid();
5216
5217         isec = sma->sem_perm.security;
5218
5219         AVC_AUDIT_DATA_INIT(&ad, IPC);
5220         ad.u.ipc_id = sma->sem_perm.key;
5221
5222         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5223                             SEM__ASSOCIATE, &ad);
5224 }
5225
5226 /* Note, at this point, sma is locked down */
5227 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5228 {
5229         int err;
5230         u32 perms;
5231
5232         switch (cmd) {
5233         case IPC_INFO:
5234         case SEM_INFO:
5235                 /* No specific object, just general system-wide information. */
5236                 return task_has_system(current, SYSTEM__IPC_INFO);
5237         case GETPID:
5238         case GETNCNT:
5239         case GETZCNT:
5240                 perms = SEM__GETATTR;
5241                 break;
5242         case GETVAL:
5243         case GETALL:
5244                 perms = SEM__READ;
5245                 break;
5246         case SETVAL:
5247         case SETALL:
5248                 perms = SEM__WRITE;
5249                 break;
5250         case IPC_RMID:
5251                 perms = SEM__DESTROY;
5252                 break;
5253         case IPC_SET:
5254                 perms = SEM__SETATTR;
5255                 break;
5256         case IPC_STAT:
5257         case SEM_STAT:
5258                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5259                 break;
5260         default:
5261                 return 0;
5262         }
5263
5264         err = ipc_has_perm(&sma->sem_perm, perms);
5265         return err;
5266 }
5267
5268 static int selinux_sem_semop(struct sem_array *sma,
5269                              struct sembuf *sops, unsigned nsops, int alter)
5270 {
5271         u32 perms;
5272
5273         if (alter)
5274                 perms = SEM__READ | SEM__WRITE;
5275         else
5276                 perms = SEM__READ;
5277
5278         return ipc_has_perm(&sma->sem_perm, perms);
5279 }
5280
5281 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5282 {
5283         u32 av = 0;
5284
5285         av = 0;
5286         if (flag & S_IRUGO)
5287                 av |= IPC__UNIX_READ;
5288         if (flag & S_IWUGO)
5289                 av |= IPC__UNIX_WRITE;
5290
5291         if (av == 0)
5292                 return 0;
5293
5294         return ipc_has_perm(ipcp, av);
5295 }
5296
5297 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5298 {
5299         struct ipc_security_struct *isec = ipcp->security;
5300         *secid = isec->sid;
5301 }
5302
5303 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5304 {
5305         if (inode)
5306                 inode_doinit_with_dentry(inode, dentry);
5307 }
5308
5309 static int selinux_getprocattr(struct task_struct *p,
5310                                char *name, char **value)
5311 {
5312         const struct task_security_struct *__tsec;
5313         u32 sid;
5314         int error;
5315         unsigned len;
5316
5317         if (current != p) {
5318                 error = current_has_perm(p, PROCESS__GETATTR);
5319                 if (error)
5320                         return error;
5321         }
5322
5323         rcu_read_lock();
5324         __tsec = __task_cred(p)->security;
5325
5326         if (!strcmp(name, "current"))
5327                 sid = __tsec->sid;
5328         else if (!strcmp(name, "prev"))
5329                 sid = __tsec->osid;
5330         else if (!strcmp(name, "exec"))
5331                 sid = __tsec->exec_sid;
5332         else if (!strcmp(name, "fscreate"))
5333                 sid = __tsec->create_sid;
5334         else if (!strcmp(name, "keycreate"))
5335                 sid = __tsec->keycreate_sid;
5336         else if (!strcmp(name, "sockcreate"))
5337                 sid = __tsec->sockcreate_sid;
5338         else
5339                 goto invalid;
5340         rcu_read_unlock();
5341
5342         if (!sid)
5343                 return 0;
5344
5345         error = security_sid_to_context(sid, value, &len);
5346         if (error)
5347                 return error;
5348         return len;
5349
5350 invalid:
5351         rcu_read_unlock();
5352         return -EINVAL;
5353 }
5354
5355 static int selinux_setprocattr(struct task_struct *p,
5356                                char *name, void *value, size_t size)
5357 {
5358         struct task_security_struct *tsec;
5359         struct task_struct *tracer;
5360         struct cred *new;
5361         u32 sid = 0, ptsid;
5362         int error;
5363         char *str = value;
5364
5365         if (current != p) {
5366                 /* SELinux only allows a process to change its own
5367                    security attributes. */
5368                 return -EACCES;
5369         }
5370
5371         /*
5372          * Basic control over ability to set these attributes at all.
5373          * current == p, but we'll pass them separately in case the
5374          * above restriction is ever removed.
5375          */
5376         if (!strcmp(name, "exec"))
5377                 error = current_has_perm(p, PROCESS__SETEXEC);
5378         else if (!strcmp(name, "fscreate"))
5379                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5380         else if (!strcmp(name, "keycreate"))
5381                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5382         else if (!strcmp(name, "sockcreate"))
5383                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5384         else if (!strcmp(name, "current"))
5385                 error = current_has_perm(p, PROCESS__SETCURRENT);
5386         else
5387                 error = -EINVAL;
5388         if (error)
5389                 return error;
5390
5391         /* Obtain a SID for the context, if one was specified. */
5392         if (size && str[1] && str[1] != '\n') {
5393                 if (str[size-1] == '\n') {
5394                         str[size-1] = 0;
5395                         size--;
5396                 }
5397                 error = security_context_to_sid(value, size, &sid);
5398                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5399                         if (!capable(CAP_MAC_ADMIN))
5400                                 return error;
5401                         error = security_context_to_sid_force(value, size,
5402                                                               &sid);
5403                 }
5404                 if (error)
5405                         return error;
5406         }
5407
5408         new = prepare_creds();
5409         if (!new)
5410                 return -ENOMEM;
5411
5412         /* Permission checking based on the specified context is
5413            performed during the actual operation (execve,
5414            open/mkdir/...), when we know the full context of the
5415            operation.  See selinux_bprm_set_creds for the execve
5416            checks and may_create for the file creation checks. The
5417            operation will then fail if the context is not permitted. */
5418         tsec = new->security;
5419         if (!strcmp(name, "exec")) {
5420                 tsec->exec_sid = sid;
5421         } else if (!strcmp(name, "fscreate")) {
5422                 tsec->create_sid = sid;
5423         } else if (!strcmp(name, "keycreate")) {
5424                 error = may_create_key(sid, p);
5425                 if (error)
5426                         goto abort_change;
5427                 tsec->keycreate_sid = sid;
5428         } else if (!strcmp(name, "sockcreate")) {
5429                 tsec->sockcreate_sid = sid;
5430         } else if (!strcmp(name, "current")) {
5431                 error = -EINVAL;
5432                 if (sid == 0)
5433                         goto abort_change;
5434
5435                 /* Only allow single threaded processes to change context */
5436                 error = -EPERM;
5437                 if (!is_single_threaded(p)) {
5438                         error = security_bounded_transition(tsec->sid, sid);
5439                         if (error)
5440                                 goto abort_change;
5441                 }
5442
5443                 /* Check permissions for the transition. */
5444                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5445                                      PROCESS__DYNTRANSITION, NULL);
5446                 if (error)
5447                         goto abort_change;
5448
5449                 /* Check for ptracing, and update the task SID if ok.
5450                    Otherwise, leave SID unchanged and fail. */
5451                 ptsid = 0;
5452                 task_lock(p);
5453                 tracer = tracehook_tracer_task(p);
5454                 if (tracer)
5455                         ptsid = task_sid(tracer);
5456                 task_unlock(p);
5457
5458                 if (tracer) {
5459                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5460                                              PROCESS__PTRACE, NULL);
5461                         if (error)
5462                                 goto abort_change;
5463                 }
5464
5465                 tsec->sid = sid;
5466         } else {
5467                 error = -EINVAL;
5468                 goto abort_change;
5469         }
5470
5471         commit_creds(new);
5472         return size;
5473
5474 abort_change:
5475         abort_creds(new);
5476         return error;
5477 }
5478
5479 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5480 {
5481         return security_sid_to_context(secid, secdata, seclen);
5482 }
5483
5484 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5485 {
5486         return security_context_to_sid(secdata, seclen, secid);
5487 }
5488
5489 static void selinux_release_secctx(char *secdata, u32 seclen)
5490 {
5491         kfree(secdata);
5492 }
5493
5494 #ifdef CONFIG_KEYS
5495
5496 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5497                              unsigned long flags)
5498 {
5499         const struct task_security_struct *tsec;
5500         struct key_security_struct *ksec;
5501
5502         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5503         if (!ksec)
5504                 return -ENOMEM;
5505
5506         tsec = cred->security;
5507         if (tsec->keycreate_sid)
5508                 ksec->sid = tsec->keycreate_sid;
5509         else
5510                 ksec->sid = tsec->sid;
5511
5512         k->security = ksec;
5513         return 0;
5514 }
5515
5516 static void selinux_key_free(struct key *k)
5517 {
5518         struct key_security_struct *ksec = k->security;
5519
5520         k->security = NULL;
5521         kfree(ksec);
5522 }
5523
5524 static int selinux_key_permission(key_ref_t key_ref,
5525                                   const struct cred *cred,
5526                                   key_perm_t perm)
5527 {
5528         struct key *key;
5529         struct key_security_struct *ksec;
5530         u32 sid;
5531
5532         /* if no specific permissions are requested, we skip the
5533            permission check. No serious, additional covert channels
5534            appear to be created. */
5535         if (perm == 0)
5536                 return 0;
5537
5538         sid = cred_sid(cred);
5539
5540         key = key_ref_to_ptr(key_ref);
5541         ksec = key->security;
5542
5543         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5544 }
5545
5546 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5547 {
5548         struct key_security_struct *ksec = key->security;
5549         char *context = NULL;
5550         unsigned len;
5551         int rc;
5552
5553         rc = security_sid_to_context(ksec->sid, &context, &len);
5554         if (!rc)
5555                 rc = len;
5556         *_buffer = context;
5557         return rc;
5558 }
5559
5560 #endif
5561
5562 static struct security_operations selinux_ops = {
5563         .name =                         "selinux",
5564
5565         .ptrace_may_access =            selinux_ptrace_may_access,
5566         .ptrace_traceme =               selinux_ptrace_traceme,
5567         .capget =                       selinux_capget,
5568         .capset =                       selinux_capset,
5569         .sysctl =                       selinux_sysctl,
5570         .capable =                      selinux_capable,
5571         .quotactl =                     selinux_quotactl,
5572         .quota_on =                     selinux_quota_on,
5573         .syslog =                       selinux_syslog,
5574         .vm_enough_memory =             selinux_vm_enough_memory,
5575
5576         .netlink_send =                 selinux_netlink_send,
5577         .netlink_recv =                 selinux_netlink_recv,
5578
5579         .bprm_set_creds =               selinux_bprm_set_creds,
5580         .bprm_check_security =          selinux_bprm_check_security,
5581         .bprm_committing_creds =        selinux_bprm_committing_creds,
5582         .bprm_committed_creds =         selinux_bprm_committed_creds,
5583         .bprm_secureexec =              selinux_bprm_secureexec,
5584
5585         .sb_alloc_security =            selinux_sb_alloc_security,
5586         .sb_free_security =             selinux_sb_free_security,
5587         .sb_copy_data =                 selinux_sb_copy_data,
5588         .sb_kern_mount =                selinux_sb_kern_mount,
5589         .sb_show_options =              selinux_sb_show_options,
5590         .sb_statfs =                    selinux_sb_statfs,
5591         .sb_mount =                     selinux_mount,
5592         .sb_umount =                    selinux_umount,
5593         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5594         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5595         .sb_parse_opts_str =            selinux_parse_opts_str,
5596
5597
5598         .inode_alloc_security =         selinux_inode_alloc_security,
5599         .inode_free_security =          selinux_inode_free_security,
5600         .inode_init_security =          selinux_inode_init_security,
5601         .inode_create =                 selinux_inode_create,
5602         .inode_link =                   selinux_inode_link,
5603         .inode_unlink =                 selinux_inode_unlink,
5604         .inode_symlink =                selinux_inode_symlink,
5605         .inode_mkdir =                  selinux_inode_mkdir,
5606         .inode_rmdir =                  selinux_inode_rmdir,
5607         .inode_mknod =                  selinux_inode_mknod,
5608         .inode_rename =                 selinux_inode_rename,
5609         .inode_readlink =               selinux_inode_readlink,
5610         .inode_follow_link =            selinux_inode_follow_link,
5611         .inode_permission =             selinux_inode_permission,
5612         .inode_setattr =                selinux_inode_setattr,
5613         .inode_getattr =                selinux_inode_getattr,
5614         .inode_setxattr =               selinux_inode_setxattr,
5615         .inode_post_setxattr =          selinux_inode_post_setxattr,
5616         .inode_getxattr =               selinux_inode_getxattr,
5617         .inode_listxattr =              selinux_inode_listxattr,
5618         .inode_removexattr =            selinux_inode_removexattr,
5619         .inode_getsecurity =            selinux_inode_getsecurity,
5620         .inode_setsecurity =            selinux_inode_setsecurity,
5621         .inode_listsecurity =           selinux_inode_listsecurity,
5622         .inode_need_killpriv =          selinux_inode_need_killpriv,
5623         .inode_killpriv =               selinux_inode_killpriv,
5624         .inode_getsecid =               selinux_inode_getsecid,
5625
5626         .file_permission =              selinux_file_permission,
5627         .file_alloc_security =          selinux_file_alloc_security,
5628         .file_free_security =           selinux_file_free_security,
5629         .file_ioctl =                   selinux_file_ioctl,
5630         .file_mmap =                    selinux_file_mmap,
5631         .file_mprotect =                selinux_file_mprotect,
5632         .file_lock =                    selinux_file_lock,
5633         .file_fcntl =                   selinux_file_fcntl,
5634         .file_set_fowner =              selinux_file_set_fowner,
5635         .file_send_sigiotask =          selinux_file_send_sigiotask,
5636         .file_receive =                 selinux_file_receive,
5637
5638         .dentry_open =                  selinux_dentry_open,
5639
5640         .task_create =                  selinux_task_create,
5641         .cred_free =                    selinux_cred_free,
5642         .cred_prepare =                 selinux_cred_prepare,
5643         .cred_commit =                  selinux_cred_commit,
5644         .kernel_act_as =                selinux_kernel_act_as,
5645         .kernel_create_files_as =       selinux_kernel_create_files_as,
5646         .task_setuid =                  selinux_task_setuid,
5647         .task_fix_setuid =              selinux_task_fix_setuid,
5648         .task_setgid =                  selinux_task_setgid,
5649         .task_setpgid =                 selinux_task_setpgid,
5650         .task_getpgid =                 selinux_task_getpgid,
5651         .task_getsid =                  selinux_task_getsid,
5652         .task_getsecid =                selinux_task_getsecid,
5653         .task_setgroups =               selinux_task_setgroups,
5654         .task_setnice =                 selinux_task_setnice,
5655         .task_setioprio =               selinux_task_setioprio,
5656         .task_getioprio =               selinux_task_getioprio,
5657         .task_setrlimit =               selinux_task_setrlimit,
5658         .task_setscheduler =            selinux_task_setscheduler,
5659         .task_getscheduler =            selinux_task_getscheduler,
5660         .task_movememory =              selinux_task_movememory,
5661         .task_kill =                    selinux_task_kill,
5662         .task_wait =                    selinux_task_wait,
5663         .task_prctl =                   selinux_task_prctl,
5664         .task_to_inode =                selinux_task_to_inode,
5665
5666         .ipc_permission =               selinux_ipc_permission,
5667         .ipc_getsecid =                 selinux_ipc_getsecid,
5668
5669         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5670         .msg_msg_free_security =        selinux_msg_msg_free_security,
5671
5672         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5673         .msg_queue_free_security =      selinux_msg_queue_free_security,
5674         .msg_queue_associate =          selinux_msg_queue_associate,
5675         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5676         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5677         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5678
5679         .shm_alloc_security =           selinux_shm_alloc_security,
5680         .shm_free_security =            selinux_shm_free_security,
5681         .shm_associate =                selinux_shm_associate,
5682         .shm_shmctl =                   selinux_shm_shmctl,
5683         .shm_shmat =                    selinux_shm_shmat,
5684
5685         .sem_alloc_security =           selinux_sem_alloc_security,
5686         .sem_free_security =            selinux_sem_free_security,
5687         .sem_associate =                selinux_sem_associate,
5688         .sem_semctl =                   selinux_sem_semctl,
5689         .sem_semop =                    selinux_sem_semop,
5690
5691         .d_instantiate =                selinux_d_instantiate,
5692
5693         .getprocattr =                  selinux_getprocattr,
5694         .setprocattr =                  selinux_setprocattr,
5695
5696         .secid_to_secctx =              selinux_secid_to_secctx,
5697         .secctx_to_secid =              selinux_secctx_to_secid,
5698         .release_secctx =               selinux_release_secctx,
5699
5700         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5701         .unix_may_send =                selinux_socket_unix_may_send,
5702
5703         .socket_create =                selinux_socket_create,
5704         .socket_post_create =           selinux_socket_post_create,
5705         .socket_bind =                  selinux_socket_bind,
5706         .socket_connect =               selinux_socket_connect,
5707         .socket_listen =                selinux_socket_listen,
5708         .socket_accept =                selinux_socket_accept,
5709         .socket_sendmsg =               selinux_socket_sendmsg,
5710         .socket_recvmsg =               selinux_socket_recvmsg,
5711         .socket_getsockname =           selinux_socket_getsockname,
5712         .socket_getpeername =           selinux_socket_getpeername,
5713         .socket_getsockopt =            selinux_socket_getsockopt,
5714         .socket_setsockopt =            selinux_socket_setsockopt,
5715         .socket_shutdown =              selinux_socket_shutdown,
5716         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5717         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5718         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5719         .sk_alloc_security =            selinux_sk_alloc_security,
5720         .sk_free_security =             selinux_sk_free_security,
5721         .sk_clone_security =            selinux_sk_clone_security,
5722         .sk_getsecid =                  selinux_sk_getsecid,
5723         .sock_graft =                   selinux_sock_graft,
5724         .inet_conn_request =            selinux_inet_conn_request,
5725         .inet_csk_clone =               selinux_inet_csk_clone,
5726         .inet_conn_established =        selinux_inet_conn_established,
5727         .req_classify_flow =            selinux_req_classify_flow,
5728
5729 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5730         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5731         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5732         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5733         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5734         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5735         .xfrm_state_free_security =     selinux_xfrm_state_free,
5736         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5737         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5738         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5739         .xfrm_decode_session =          selinux_xfrm_decode_session,
5740 #endif
5741
5742 #ifdef CONFIG_KEYS
5743         .key_alloc =                    selinux_key_alloc,
5744         .key_free =                     selinux_key_free,
5745         .key_permission =               selinux_key_permission,
5746         .key_getsecurity =              selinux_key_getsecurity,
5747 #endif
5748
5749 #ifdef CONFIG_AUDIT
5750         .audit_rule_init =              selinux_audit_rule_init,
5751         .audit_rule_known =             selinux_audit_rule_known,
5752         .audit_rule_match =             selinux_audit_rule_match,
5753         .audit_rule_free =              selinux_audit_rule_free,
5754 #endif
5755 };
5756
5757 static __init int selinux_init(void)
5758 {
5759         if (!security_module_enable(&selinux_ops)) {
5760                 selinux_enabled = 0;
5761                 return 0;
5762         }
5763
5764         if (!selinux_enabled) {
5765                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5766                 return 0;
5767         }
5768
5769         printk(KERN_INFO "SELinux:  Initializing.\n");
5770
5771         /* Set the security state for the initial task. */
5772         cred_init_security();
5773
5774         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5775                                             sizeof(struct inode_security_struct),
5776                                             0, SLAB_PANIC, NULL);
5777         avc_init();
5778
5779         secondary_ops = security_ops;
5780         if (!secondary_ops)
5781                 panic("SELinux: No initial security operations\n");
5782         if (register_security(&selinux_ops))
5783                 panic("SELinux: Unable to register with kernel.\n");
5784
5785         if (selinux_enforcing)
5786                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5787         else
5788                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5789
5790         return 0;
5791 }
5792
5793 void selinux_complete_init(void)
5794 {
5795         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5796
5797         /* Set up any superblocks initialized prior to the policy load. */
5798         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5799         spin_lock(&sb_lock);
5800         spin_lock(&sb_security_lock);
5801 next_sb:
5802         if (!list_empty(&superblock_security_head)) {
5803                 struct superblock_security_struct *sbsec =
5804                                 list_entry(superblock_security_head.next,
5805                                            struct superblock_security_struct,
5806                                            list);
5807                 struct super_block *sb = sbsec->sb;
5808                 sb->s_count++;
5809                 spin_unlock(&sb_security_lock);
5810                 spin_unlock(&sb_lock);
5811                 down_read(&sb->s_umount);
5812                 if (sb->s_root)
5813                         superblock_doinit(sb, NULL);
5814                 drop_super(sb);
5815                 spin_lock(&sb_lock);
5816                 spin_lock(&sb_security_lock);
5817                 list_del_init(&sbsec->list);
5818                 goto next_sb;
5819         }
5820         spin_unlock(&sb_security_lock);
5821         spin_unlock(&sb_lock);
5822 }
5823
5824 /* SELinux requires early initialization in order to label
5825    all processes and objects when they are created. */
5826 security_initcall(selinux_init);
5827
5828 #if defined(CONFIG_NETFILTER)
5829
5830 static struct nf_hook_ops selinux_ipv4_ops[] = {
5831         {
5832                 .hook =         selinux_ipv4_postroute,
5833                 .owner =        THIS_MODULE,
5834                 .pf =           PF_INET,
5835                 .hooknum =      NF_INET_POST_ROUTING,
5836                 .priority =     NF_IP_PRI_SELINUX_LAST,
5837         },
5838         {
5839                 .hook =         selinux_ipv4_forward,
5840                 .owner =        THIS_MODULE,
5841                 .pf =           PF_INET,
5842                 .hooknum =      NF_INET_FORWARD,
5843                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5844         },
5845         {
5846                 .hook =         selinux_ipv4_output,
5847                 .owner =        THIS_MODULE,
5848                 .pf =           PF_INET,
5849                 .hooknum =      NF_INET_LOCAL_OUT,
5850                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5851         }
5852 };
5853
5854 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5855
5856 static struct nf_hook_ops selinux_ipv6_ops[] = {
5857         {
5858                 .hook =         selinux_ipv6_postroute,
5859                 .owner =        THIS_MODULE,
5860                 .pf =           PF_INET6,
5861                 .hooknum =      NF_INET_POST_ROUTING,
5862                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5863         },
5864         {
5865                 .hook =         selinux_ipv6_forward,
5866                 .owner =        THIS_MODULE,
5867                 .pf =           PF_INET6,
5868                 .hooknum =      NF_INET_FORWARD,
5869                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5870         }
5871 };
5872
5873 #endif  /* IPV6 */
5874
5875 static int __init selinux_nf_ip_init(void)
5876 {
5877         int err = 0;
5878
5879         if (!selinux_enabled)
5880                 goto out;
5881
5882         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5883
5884         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5885         if (err)
5886                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5887
5888 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5889         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5890         if (err)
5891                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5892 #endif  /* IPV6 */
5893
5894 out:
5895         return err;
5896 }
5897
5898 __initcall(selinux_nf_ip_init);
5899
5900 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5901 static void selinux_nf_ip_exit(void)
5902 {
5903         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5904
5905         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5906 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5907         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5908 #endif  /* IPV6 */
5909 }
5910 #endif
5911
5912 #else /* CONFIG_NETFILTER */
5913
5914 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5915 #define selinux_nf_ip_exit()
5916 #endif
5917
5918 #endif /* CONFIG_NETFILTER */
5919
5920 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5921 static int selinux_disabled;
5922
5923 int selinux_disable(void)
5924 {
5925         extern void exit_sel_fs(void);
5926
5927         if (ss_initialized) {
5928                 /* Not permitted after initial policy load. */
5929                 return -EINVAL;
5930         }
5931
5932         if (selinux_disabled) {
5933                 /* Only do this once. */
5934                 return -EINVAL;
5935         }
5936
5937         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5938
5939         selinux_disabled = 1;
5940         selinux_enabled = 0;
5941
5942         /* Reset security_ops to the secondary module, dummy or capability. */
5943         security_ops = secondary_ops;
5944
5945         /* Unregister netfilter hooks. */
5946         selinux_nf_ip_exit();
5947
5948         /* Unregister selinuxfs. */
5949         exit_sel_fs();
5950
5951         return 0;
5952 }
5953 #endif