Merge branch 'master' of git://eden-feed.erg.abdn.ac.uk/net-2.6
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "netport.h"
84 #include "xfrm.h"
85 #include "netlabel.h"
86 #include "audit.h"
87
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90
91 #define NUM_SEL_MNT_OPTS 4
92
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
97
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106         unsigned long enforcing;
107         if (!strict_strtoul(str, 0, &enforcing))
108                 selinux_enforcing = enforcing ? 1 : 0;
109         return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119         unsigned long enabled;
120         if (!strict_strtoul(str, 0, &enabled))
121                 selinux_enabled = enabled ? 1 : 0;
122         return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129
130 /*
131  * Minimal support for a secondary security module,
132  * just to allow the use of the capability module.
133  */
134 static struct security_operations *secondary_ops;
135
136 /* Lists of inode and superblock security structures initialized
137    before the policy was loaded. */
138 static LIST_HEAD(superblock_security_head);
139 static DEFINE_SPINLOCK(sb_security_lock);
140
141 static struct kmem_cache *sel_inode_cache;
142
143 /**
144  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
145  *
146  * Description:
147  * This function checks the SECMARK reference counter to see if any SECMARK
148  * targets are currently configured, if the reference counter is greater than
149  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
150  * enabled, false (0) if SECMARK is disabled.
151  *
152  */
153 static int selinux_secmark_enabled(void)
154 {
155         return (atomic_read(&selinux_secmark_refcount) > 0);
156 }
157
158 /* Allocate and free functions for each kind of security blob. */
159
160 static int task_alloc_security(struct task_struct *task)
161 {
162         struct task_security_struct *tsec;
163
164         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165         if (!tsec)
166                 return -ENOMEM;
167
168         tsec->osid = tsec->sid = SECINITSID_UNLABELED;
169         task->security = tsec;
170
171         return 0;
172 }
173
174 static void task_free_security(struct task_struct *task)
175 {
176         struct task_security_struct *tsec = task->security;
177         task->security = NULL;
178         kfree(tsec);
179 }
180
181 static int inode_alloc_security(struct inode *inode)
182 {
183         struct task_security_struct *tsec = current->security;
184         struct inode_security_struct *isec;
185
186         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
187         if (!isec)
188                 return -ENOMEM;
189
190         mutex_init(&isec->lock);
191         INIT_LIST_HEAD(&isec->list);
192         isec->inode = inode;
193         isec->sid = SECINITSID_UNLABELED;
194         isec->sclass = SECCLASS_FILE;
195         isec->task_sid = tsec->sid;
196         inode->i_security = isec;
197
198         return 0;
199 }
200
201 static void inode_free_security(struct inode *inode)
202 {
203         struct inode_security_struct *isec = inode->i_security;
204         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
205
206         spin_lock(&sbsec->isec_lock);
207         if (!list_empty(&isec->list))
208                 list_del_init(&isec->list);
209         spin_unlock(&sbsec->isec_lock);
210
211         inode->i_security = NULL;
212         kmem_cache_free(sel_inode_cache, isec);
213 }
214
215 static int file_alloc_security(struct file *file)
216 {
217         struct task_security_struct *tsec = current->security;
218         struct file_security_struct *fsec;
219
220         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
221         if (!fsec)
222                 return -ENOMEM;
223
224         fsec->sid = tsec->sid;
225         fsec->fown_sid = tsec->sid;
226         file->f_security = fsec;
227
228         return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233         struct file_security_struct *fsec = file->f_security;
234         file->f_security = NULL;
235         kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240         struct superblock_security_struct *sbsec;
241
242         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243         if (!sbsec)
244                 return -ENOMEM;
245
246         mutex_init(&sbsec->lock);
247         INIT_LIST_HEAD(&sbsec->list);
248         INIT_LIST_HEAD(&sbsec->isec_head);
249         spin_lock_init(&sbsec->isec_lock);
250         sbsec->sb = sb;
251         sbsec->sid = SECINITSID_UNLABELED;
252         sbsec->def_sid = SECINITSID_FILE;
253         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254         sb->s_security = sbsec;
255
256         return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261         struct superblock_security_struct *sbsec = sb->s_security;
262
263         spin_lock(&sb_security_lock);
264         if (!list_empty(&sbsec->list))
265                 list_del_init(&sbsec->list);
266         spin_unlock(&sb_security_lock);
267
268         sb->s_security = NULL;
269         kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274         struct sk_security_struct *ssec;
275
276         ssec = kzalloc(sizeof(*ssec), priority);
277         if (!ssec)
278                 return -ENOMEM;
279
280         ssec->peer_sid = SECINITSID_UNLABELED;
281         ssec->sid = SECINITSID_UNLABELED;
282         sk->sk_security = ssec;
283
284         selinux_netlbl_sk_security_reset(ssec, family);
285
286         return 0;
287 }
288
289 static void sk_free_security(struct sock *sk)
290 {
291         struct sk_security_struct *ssec = sk->sk_security;
292
293         sk->sk_security = NULL;
294         kfree(ssec);
295 }
296
297 /* The security server must be initialized before
298    any labeling or access decisions can be provided. */
299 extern int ss_initialized;
300
301 /* The file system's label must be initialized prior to use. */
302
303 static char *labeling_behaviors[6] = {
304         "uses xattr",
305         "uses transition SIDs",
306         "uses task SIDs",
307         "uses genfs_contexts",
308         "not configured for labeling",
309         "uses mountpoint labeling",
310 };
311
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313
314 static inline int inode_doinit(struct inode *inode)
315 {
316         return inode_doinit_with_dentry(inode, NULL);
317 }
318
319 enum {
320         Opt_error = -1,
321         Opt_context = 1,
322         Opt_fscontext = 2,
323         Opt_defcontext = 3,
324         Opt_rootcontext = 4,
325 };
326
327 static match_table_t tokens = {
328         {Opt_context, CONTEXT_STR "%s"},
329         {Opt_fscontext, FSCONTEXT_STR "%s"},
330         {Opt_defcontext, DEFCONTEXT_STR "%s"},
331         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332         {Opt_error, NULL},
333 };
334
335 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
336
337 static int may_context_mount_sb_relabel(u32 sid,
338                         struct superblock_security_struct *sbsec,
339                         struct task_security_struct *tsec)
340 {
341         int rc;
342
343         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
344                           FILESYSTEM__RELABELFROM, NULL);
345         if (rc)
346                 return rc;
347
348         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
349                           FILESYSTEM__RELABELTO, NULL);
350         return rc;
351 }
352
353 static int may_context_mount_inode_relabel(u32 sid,
354                         struct superblock_security_struct *sbsec,
355                         struct task_security_struct *tsec)
356 {
357         int rc;
358         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
359                           FILESYSTEM__RELABELFROM, NULL);
360         if (rc)
361                 return rc;
362
363         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
364                           FILESYSTEM__ASSOCIATE, NULL);
365         return rc;
366 }
367
368 static int sb_finish_set_opts(struct super_block *sb)
369 {
370         struct superblock_security_struct *sbsec = sb->s_security;
371         struct dentry *root = sb->s_root;
372         struct inode *root_inode = root->d_inode;
373         int rc = 0;
374
375         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
376                 /* Make sure that the xattr handler exists and that no
377                    error other than -ENODATA is returned by getxattr on
378                    the root directory.  -ENODATA is ok, as this may be
379                    the first boot of the SELinux kernel before we have
380                    assigned xattr values to the filesystem. */
381                 if (!root_inode->i_op->getxattr) {
382                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
383                                "xattr support\n", sb->s_id, sb->s_type->name);
384                         rc = -EOPNOTSUPP;
385                         goto out;
386                 }
387                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
388                 if (rc < 0 && rc != -ENODATA) {
389                         if (rc == -EOPNOTSUPP)
390                                 printk(KERN_WARNING "SELinux: (dev %s, type "
391                                        "%s) has no security xattr handler\n",
392                                        sb->s_id, sb->s_type->name);
393                         else
394                                 printk(KERN_WARNING "SELinux: (dev %s, type "
395                                        "%s) getxattr errno %d\n", sb->s_id,
396                                        sb->s_type->name, -rc);
397                         goto out;
398                 }
399         }
400
401         sbsec->initialized = 1;
402
403         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
404                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
405                        sb->s_id, sb->s_type->name);
406         else
407                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
408                        sb->s_id, sb->s_type->name,
409                        labeling_behaviors[sbsec->behavior-1]);
410
411         /* Initialize the root inode. */
412         rc = inode_doinit_with_dentry(root_inode, root);
413
414         /* Initialize any other inodes associated with the superblock, e.g.
415            inodes created prior to initial policy load or inodes created
416            during get_sb by a pseudo filesystem that directly
417            populates itself. */
418         spin_lock(&sbsec->isec_lock);
419 next_inode:
420         if (!list_empty(&sbsec->isec_head)) {
421                 struct inode_security_struct *isec =
422                                 list_entry(sbsec->isec_head.next,
423                                            struct inode_security_struct, list);
424                 struct inode *inode = isec->inode;
425                 spin_unlock(&sbsec->isec_lock);
426                 inode = igrab(inode);
427                 if (inode) {
428                         if (!IS_PRIVATE(inode))
429                                 inode_doinit(inode);
430                         iput(inode);
431                 }
432                 spin_lock(&sbsec->isec_lock);
433                 list_del_init(&isec->list);
434                 goto next_inode;
435         }
436         spin_unlock(&sbsec->isec_lock);
437 out:
438         return rc;
439 }
440
441 /*
442  * This function should allow an FS to ask what it's mount security
443  * options were so it can use those later for submounts, displaying
444  * mount options, or whatever.
445  */
446 static int selinux_get_mnt_opts(const struct super_block *sb,
447                                 struct security_mnt_opts *opts)
448 {
449         int rc = 0, i;
450         struct superblock_security_struct *sbsec = sb->s_security;
451         char *context = NULL;
452         u32 len;
453         char tmp;
454
455         security_init_mnt_opts(opts);
456
457         if (!sbsec->initialized)
458                 return -EINVAL;
459
460         if (!ss_initialized)
461                 return -EINVAL;
462
463         /*
464          * if we ever use sbsec flags for anything other than tracking mount
465          * settings this is going to need a mask
466          */
467         tmp = sbsec->flags;
468         /* count the number of mount options for this sb */
469         for (i = 0; i < 8; i++) {
470                 if (tmp & 0x01)
471                         opts->num_mnt_opts++;
472                 tmp >>= 1;
473         }
474
475         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
476         if (!opts->mnt_opts) {
477                 rc = -ENOMEM;
478                 goto out_free;
479         }
480
481         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
482         if (!opts->mnt_opts_flags) {
483                 rc = -ENOMEM;
484                 goto out_free;
485         }
486
487         i = 0;
488         if (sbsec->flags & FSCONTEXT_MNT) {
489                 rc = security_sid_to_context(sbsec->sid, &context, &len);
490                 if (rc)
491                         goto out_free;
492                 opts->mnt_opts[i] = context;
493                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
494         }
495         if (sbsec->flags & CONTEXT_MNT) {
496                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
497                 if (rc)
498                         goto out_free;
499                 opts->mnt_opts[i] = context;
500                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
501         }
502         if (sbsec->flags & DEFCONTEXT_MNT) {
503                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
504                 if (rc)
505                         goto out_free;
506                 opts->mnt_opts[i] = context;
507                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
508         }
509         if (sbsec->flags & ROOTCONTEXT_MNT) {
510                 struct inode *root = sbsec->sb->s_root->d_inode;
511                 struct inode_security_struct *isec = root->i_security;
512
513                 rc = security_sid_to_context(isec->sid, &context, &len);
514                 if (rc)
515                         goto out_free;
516                 opts->mnt_opts[i] = context;
517                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
518         }
519
520         BUG_ON(i != opts->num_mnt_opts);
521
522         return 0;
523
524 out_free:
525         security_free_mnt_opts(opts);
526         return rc;
527 }
528
529 static int bad_option(struct superblock_security_struct *sbsec, char flag,
530                       u32 old_sid, u32 new_sid)
531 {
532         /* check if the old mount command had the same options */
533         if (sbsec->initialized)
534                 if (!(sbsec->flags & flag) ||
535                     (old_sid != new_sid))
536                         return 1;
537
538         /* check if we were passed the same options twice,
539          * aka someone passed context=a,context=b
540          */
541         if (!sbsec->initialized)
542                 if (sbsec->flags & flag)
543                         return 1;
544         return 0;
545 }
546
547 /*
548  * Allow filesystems with binary mount data to explicitly set mount point
549  * labeling information.
550  */
551 static int selinux_set_mnt_opts(struct super_block *sb,
552                                 struct security_mnt_opts *opts)
553 {
554         int rc = 0, i;
555         struct task_security_struct *tsec = current->security;
556         struct superblock_security_struct *sbsec = sb->s_security;
557         const char *name = sb->s_type->name;
558         struct inode *inode = sbsec->sb->s_root->d_inode;
559         struct inode_security_struct *root_isec = inode->i_security;
560         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
561         u32 defcontext_sid = 0;
562         char **mount_options = opts->mnt_opts;
563         int *flags = opts->mnt_opts_flags;
564         int num_opts = opts->num_mnt_opts;
565
566         mutex_lock(&sbsec->lock);
567
568         if (!ss_initialized) {
569                 if (!num_opts) {
570                         /* Defer initialization until selinux_complete_init,
571                            after the initial policy is loaded and the security
572                            server is ready to handle calls. */
573                         spin_lock(&sb_security_lock);
574                         if (list_empty(&sbsec->list))
575                                 list_add(&sbsec->list, &superblock_security_head);
576                         spin_unlock(&sb_security_lock);
577                         goto out;
578                 }
579                 rc = -EINVAL;
580                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
581                         "before the security server is initialized\n");
582                 goto out;
583         }
584
585         /*
586          * Binary mount data FS will come through this function twice.  Once
587          * from an explicit call and once from the generic calls from the vfs.
588          * Since the generic VFS calls will not contain any security mount data
589          * we need to skip the double mount verification.
590          *
591          * This does open a hole in which we will not notice if the first
592          * mount using this sb set explict options and a second mount using
593          * this sb does not set any security options.  (The first options
594          * will be used for both mounts)
595          */
596         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
597             && (num_opts == 0))
598                 goto out;
599
600         /*
601          * parse the mount options, check if they are valid sids.
602          * also check if someone is trying to mount the same sb more
603          * than once with different security options.
604          */
605         for (i = 0; i < num_opts; i++) {
606                 u32 sid;
607                 rc = security_context_to_sid(mount_options[i],
608                                              strlen(mount_options[i]), &sid);
609                 if (rc) {
610                         printk(KERN_WARNING "SELinux: security_context_to_sid"
611                                "(%s) failed for (dev %s, type %s) errno=%d\n",
612                                mount_options[i], sb->s_id, name, rc);
613                         goto out;
614                 }
615                 switch (flags[i]) {
616                 case FSCONTEXT_MNT:
617                         fscontext_sid = sid;
618
619                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
620                                         fscontext_sid))
621                                 goto out_double_mount;
622
623                         sbsec->flags |= FSCONTEXT_MNT;
624                         break;
625                 case CONTEXT_MNT:
626                         context_sid = sid;
627
628                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
629                                         context_sid))
630                                 goto out_double_mount;
631
632                         sbsec->flags |= CONTEXT_MNT;
633                         break;
634                 case ROOTCONTEXT_MNT:
635                         rootcontext_sid = sid;
636
637                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
638                                         rootcontext_sid))
639                                 goto out_double_mount;
640
641                         sbsec->flags |= ROOTCONTEXT_MNT;
642
643                         break;
644                 case DEFCONTEXT_MNT:
645                         defcontext_sid = sid;
646
647                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
648                                         defcontext_sid))
649                                 goto out_double_mount;
650
651                         sbsec->flags |= DEFCONTEXT_MNT;
652
653                         break;
654                 default:
655                         rc = -EINVAL;
656                         goto out;
657                 }
658         }
659
660         if (sbsec->initialized) {
661                 /* previously mounted with options, but not on this attempt? */
662                 if (sbsec->flags && !num_opts)
663                         goto out_double_mount;
664                 rc = 0;
665                 goto out;
666         }
667
668         if (strcmp(sb->s_type->name, "proc") == 0)
669                 sbsec->proc = 1;
670
671         /* Determine the labeling behavior to use for this filesystem type. */
672         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
673         if (rc) {
674                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
675                        __func__, sb->s_type->name, rc);
676                 goto out;
677         }
678
679         /* sets the context of the superblock for the fs being mounted. */
680         if (fscontext_sid) {
681
682                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
683                 if (rc)
684                         goto out;
685
686                 sbsec->sid = fscontext_sid;
687         }
688
689         /*
690          * Switch to using mount point labeling behavior.
691          * sets the label used on all file below the mountpoint, and will set
692          * the superblock context if not already set.
693          */
694         if (context_sid) {
695                 if (!fscontext_sid) {
696                         rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
697                         if (rc)
698                                 goto out;
699                         sbsec->sid = context_sid;
700                 } else {
701                         rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
702                         if (rc)
703                                 goto out;
704                 }
705                 if (!rootcontext_sid)
706                         rootcontext_sid = context_sid;
707
708                 sbsec->mntpoint_sid = context_sid;
709                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
710         }
711
712         if (rootcontext_sid) {
713                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
714                 if (rc)
715                         goto out;
716
717                 root_isec->sid = rootcontext_sid;
718                 root_isec->initialized = 1;
719         }
720
721         if (defcontext_sid) {
722                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
723                         rc = -EINVAL;
724                         printk(KERN_WARNING "SELinux: defcontext option is "
725                                "invalid for this filesystem type\n");
726                         goto out;
727                 }
728
729                 if (defcontext_sid != sbsec->def_sid) {
730                         rc = may_context_mount_inode_relabel(defcontext_sid,
731                                                              sbsec, tsec);
732                         if (rc)
733                                 goto out;
734                 }
735
736                 sbsec->def_sid = defcontext_sid;
737         }
738
739         rc = sb_finish_set_opts(sb);
740 out:
741         mutex_unlock(&sbsec->lock);
742         return rc;
743 out_double_mount:
744         rc = -EINVAL;
745         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
746                "security settings for (dev %s, type %s)\n", sb->s_id, name);
747         goto out;
748 }
749
750 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
751                                         struct super_block *newsb)
752 {
753         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
754         struct superblock_security_struct *newsbsec = newsb->s_security;
755
756         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
757         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
758         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
759
760         /*
761          * if the parent was able to be mounted it clearly had no special lsm
762          * mount options.  thus we can safely put this sb on the list and deal
763          * with it later
764          */
765         if (!ss_initialized) {
766                 spin_lock(&sb_security_lock);
767                 if (list_empty(&newsbsec->list))
768                         list_add(&newsbsec->list, &superblock_security_head);
769                 spin_unlock(&sb_security_lock);
770                 return;
771         }
772
773         /* how can we clone if the old one wasn't set up?? */
774         BUG_ON(!oldsbsec->initialized);
775
776         /* if fs is reusing a sb, just let its options stand... */
777         if (newsbsec->initialized)
778                 return;
779
780         mutex_lock(&newsbsec->lock);
781
782         newsbsec->flags = oldsbsec->flags;
783
784         newsbsec->sid = oldsbsec->sid;
785         newsbsec->def_sid = oldsbsec->def_sid;
786         newsbsec->behavior = oldsbsec->behavior;
787
788         if (set_context) {
789                 u32 sid = oldsbsec->mntpoint_sid;
790
791                 if (!set_fscontext)
792                         newsbsec->sid = sid;
793                 if (!set_rootcontext) {
794                         struct inode *newinode = newsb->s_root->d_inode;
795                         struct inode_security_struct *newisec = newinode->i_security;
796                         newisec->sid = sid;
797                 }
798                 newsbsec->mntpoint_sid = sid;
799         }
800         if (set_rootcontext) {
801                 const struct inode *oldinode = oldsb->s_root->d_inode;
802                 const struct inode_security_struct *oldisec = oldinode->i_security;
803                 struct inode *newinode = newsb->s_root->d_inode;
804                 struct inode_security_struct *newisec = newinode->i_security;
805
806                 newisec->sid = oldisec->sid;
807         }
808
809         sb_finish_set_opts(newsb);
810         mutex_unlock(&newsbsec->lock);
811 }
812
813 static int selinux_parse_opts_str(char *options,
814                                   struct security_mnt_opts *opts)
815 {
816         char *p;
817         char *context = NULL, *defcontext = NULL;
818         char *fscontext = NULL, *rootcontext = NULL;
819         int rc, num_mnt_opts = 0;
820
821         opts->num_mnt_opts = 0;
822
823         /* Standard string-based options. */
824         while ((p = strsep(&options, "|")) != NULL) {
825                 int token;
826                 substring_t args[MAX_OPT_ARGS];
827
828                 if (!*p)
829                         continue;
830
831                 token = match_token(p, tokens, args);
832
833                 switch (token) {
834                 case Opt_context:
835                         if (context || defcontext) {
836                                 rc = -EINVAL;
837                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
838                                 goto out_err;
839                         }
840                         context = match_strdup(&args[0]);
841                         if (!context) {
842                                 rc = -ENOMEM;
843                                 goto out_err;
844                         }
845                         break;
846
847                 case Opt_fscontext:
848                         if (fscontext) {
849                                 rc = -EINVAL;
850                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
851                                 goto out_err;
852                         }
853                         fscontext = match_strdup(&args[0]);
854                         if (!fscontext) {
855                                 rc = -ENOMEM;
856                                 goto out_err;
857                         }
858                         break;
859
860                 case Opt_rootcontext:
861                         if (rootcontext) {
862                                 rc = -EINVAL;
863                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
864                                 goto out_err;
865                         }
866                         rootcontext = match_strdup(&args[0]);
867                         if (!rootcontext) {
868                                 rc = -ENOMEM;
869                                 goto out_err;
870                         }
871                         break;
872
873                 case Opt_defcontext:
874                         if (context || defcontext) {
875                                 rc = -EINVAL;
876                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
877                                 goto out_err;
878                         }
879                         defcontext = match_strdup(&args[0]);
880                         if (!defcontext) {
881                                 rc = -ENOMEM;
882                                 goto out_err;
883                         }
884                         break;
885
886                 default:
887                         rc = -EINVAL;
888                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
889                         goto out_err;
890
891                 }
892         }
893
894         rc = -ENOMEM;
895         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
896         if (!opts->mnt_opts)
897                 goto out_err;
898
899         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
900         if (!opts->mnt_opts_flags) {
901                 kfree(opts->mnt_opts);
902                 goto out_err;
903         }
904
905         if (fscontext) {
906                 opts->mnt_opts[num_mnt_opts] = fscontext;
907                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
908         }
909         if (context) {
910                 opts->mnt_opts[num_mnt_opts] = context;
911                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
912         }
913         if (rootcontext) {
914                 opts->mnt_opts[num_mnt_opts] = rootcontext;
915                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
916         }
917         if (defcontext) {
918                 opts->mnt_opts[num_mnt_opts] = defcontext;
919                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
920         }
921
922         opts->num_mnt_opts = num_mnt_opts;
923         return 0;
924
925 out_err:
926         kfree(context);
927         kfree(defcontext);
928         kfree(fscontext);
929         kfree(rootcontext);
930         return rc;
931 }
932 /*
933  * string mount options parsing and call set the sbsec
934  */
935 static int superblock_doinit(struct super_block *sb, void *data)
936 {
937         int rc = 0;
938         char *options = data;
939         struct security_mnt_opts opts;
940
941         security_init_mnt_opts(&opts);
942
943         if (!data)
944                 goto out;
945
946         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
947
948         rc = selinux_parse_opts_str(options, &opts);
949         if (rc)
950                 goto out_err;
951
952 out:
953         rc = selinux_set_mnt_opts(sb, &opts);
954
955 out_err:
956         security_free_mnt_opts(&opts);
957         return rc;
958 }
959
960 void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
961 {
962         int i;
963         char *prefix;
964
965         for (i = 0; i < opts->num_mnt_opts; i++) {
966                 char *has_comma = strchr(opts->mnt_opts[i], ',');
967
968                 switch (opts->mnt_opts_flags[i]) {
969                 case CONTEXT_MNT:
970                         prefix = CONTEXT_STR;
971                         break;
972                 case FSCONTEXT_MNT:
973                         prefix = FSCONTEXT_STR;
974                         break;
975                 case ROOTCONTEXT_MNT:
976                         prefix = ROOTCONTEXT_STR;
977                         break;
978                 case DEFCONTEXT_MNT:
979                         prefix = DEFCONTEXT_STR;
980                         break;
981                 default:
982                         BUG();
983                 };
984                 /* we need a comma before each option */
985                 seq_putc(m, ',');
986                 seq_puts(m, prefix);
987                 if (has_comma)
988                         seq_putc(m, '\"');
989                 seq_puts(m, opts->mnt_opts[i]);
990                 if (has_comma)
991                         seq_putc(m, '\"');
992         }
993 }
994
995 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
996 {
997         struct security_mnt_opts opts;
998         int rc;
999
1000         rc = selinux_get_mnt_opts(sb, &opts);
1001         if (rc)
1002                 return rc;
1003
1004         selinux_write_opts(m, &opts);
1005
1006         security_free_mnt_opts(&opts);
1007
1008         return rc;
1009 }
1010
1011 static inline u16 inode_mode_to_security_class(umode_t mode)
1012 {
1013         switch (mode & S_IFMT) {
1014         case S_IFSOCK:
1015                 return SECCLASS_SOCK_FILE;
1016         case S_IFLNK:
1017                 return SECCLASS_LNK_FILE;
1018         case S_IFREG:
1019                 return SECCLASS_FILE;
1020         case S_IFBLK:
1021                 return SECCLASS_BLK_FILE;
1022         case S_IFDIR:
1023                 return SECCLASS_DIR;
1024         case S_IFCHR:
1025                 return SECCLASS_CHR_FILE;
1026         case S_IFIFO:
1027                 return SECCLASS_FIFO_FILE;
1028
1029         }
1030
1031         return SECCLASS_FILE;
1032 }
1033
1034 static inline int default_protocol_stream(int protocol)
1035 {
1036         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1037 }
1038
1039 static inline int default_protocol_dgram(int protocol)
1040 {
1041         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1042 }
1043
1044 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1045 {
1046         switch (family) {
1047         case PF_UNIX:
1048                 switch (type) {
1049                 case SOCK_STREAM:
1050                 case SOCK_SEQPACKET:
1051                         return SECCLASS_UNIX_STREAM_SOCKET;
1052                 case SOCK_DGRAM:
1053                         return SECCLASS_UNIX_DGRAM_SOCKET;
1054                 }
1055                 break;
1056         case PF_INET:
1057         case PF_INET6:
1058                 switch (type) {
1059                 case SOCK_STREAM:
1060                         if (default_protocol_stream(protocol))
1061                                 return SECCLASS_TCP_SOCKET;
1062                         else
1063                                 return SECCLASS_RAWIP_SOCKET;
1064                 case SOCK_DGRAM:
1065                         if (default_protocol_dgram(protocol))
1066                                 return SECCLASS_UDP_SOCKET;
1067                         else
1068                                 return SECCLASS_RAWIP_SOCKET;
1069                 case SOCK_DCCP:
1070                         return SECCLASS_DCCP_SOCKET;
1071                 default:
1072                         return SECCLASS_RAWIP_SOCKET;
1073                 }
1074                 break;
1075         case PF_NETLINK:
1076                 switch (protocol) {
1077                 case NETLINK_ROUTE:
1078                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1079                 case NETLINK_FIREWALL:
1080                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1081                 case NETLINK_INET_DIAG:
1082                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1083                 case NETLINK_NFLOG:
1084                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1085                 case NETLINK_XFRM:
1086                         return SECCLASS_NETLINK_XFRM_SOCKET;
1087                 case NETLINK_SELINUX:
1088                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1089                 case NETLINK_AUDIT:
1090                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1091                 case NETLINK_IP6_FW:
1092                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1093                 case NETLINK_DNRTMSG:
1094                         return SECCLASS_NETLINK_DNRT_SOCKET;
1095                 case NETLINK_KOBJECT_UEVENT:
1096                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1097                 default:
1098                         return SECCLASS_NETLINK_SOCKET;
1099                 }
1100         case PF_PACKET:
1101                 return SECCLASS_PACKET_SOCKET;
1102         case PF_KEY:
1103                 return SECCLASS_KEY_SOCKET;
1104         case PF_APPLETALK:
1105                 return SECCLASS_APPLETALK_SOCKET;
1106         }
1107
1108         return SECCLASS_SOCKET;
1109 }
1110
1111 #ifdef CONFIG_PROC_FS
1112 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1113                                 u16 tclass,
1114                                 u32 *sid)
1115 {
1116         int buflen, rc;
1117         char *buffer, *path, *end;
1118
1119         buffer = (char *)__get_free_page(GFP_KERNEL);
1120         if (!buffer)
1121                 return -ENOMEM;
1122
1123         buflen = PAGE_SIZE;
1124         end = buffer+buflen;
1125         *--end = '\0';
1126         buflen--;
1127         path = end-1;
1128         *path = '/';
1129         while (de && de != de->parent) {
1130                 buflen -= de->namelen + 1;
1131                 if (buflen < 0)
1132                         break;
1133                 end -= de->namelen;
1134                 memcpy(end, de->name, de->namelen);
1135                 *--end = '/';
1136                 path = end;
1137                 de = de->parent;
1138         }
1139         rc = security_genfs_sid("proc", path, tclass, sid);
1140         free_page((unsigned long)buffer);
1141         return rc;
1142 }
1143 #else
1144 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1145                                 u16 tclass,
1146                                 u32 *sid)
1147 {
1148         return -EINVAL;
1149 }
1150 #endif
1151
1152 /* The inode's security attributes must be initialized before first use. */
1153 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1154 {
1155         struct superblock_security_struct *sbsec = NULL;
1156         struct inode_security_struct *isec = inode->i_security;
1157         u32 sid;
1158         struct dentry *dentry;
1159 #define INITCONTEXTLEN 255
1160         char *context = NULL;
1161         unsigned len = 0;
1162         int rc = 0;
1163
1164         if (isec->initialized)
1165                 goto out;
1166
1167         mutex_lock(&isec->lock);
1168         if (isec->initialized)
1169                 goto out_unlock;
1170
1171         sbsec = inode->i_sb->s_security;
1172         if (!sbsec->initialized) {
1173                 /* Defer initialization until selinux_complete_init,
1174                    after the initial policy is loaded and the security
1175                    server is ready to handle calls. */
1176                 spin_lock(&sbsec->isec_lock);
1177                 if (list_empty(&isec->list))
1178                         list_add(&isec->list, &sbsec->isec_head);
1179                 spin_unlock(&sbsec->isec_lock);
1180                 goto out_unlock;
1181         }
1182
1183         switch (sbsec->behavior) {
1184         case SECURITY_FS_USE_XATTR:
1185                 if (!inode->i_op->getxattr) {
1186                         isec->sid = sbsec->def_sid;
1187                         break;
1188                 }
1189
1190                 /* Need a dentry, since the xattr API requires one.
1191                    Life would be simpler if we could just pass the inode. */
1192                 if (opt_dentry) {
1193                         /* Called from d_instantiate or d_splice_alias. */
1194                         dentry = dget(opt_dentry);
1195                 } else {
1196                         /* Called from selinux_complete_init, try to find a dentry. */
1197                         dentry = d_find_alias(inode);
1198                 }
1199                 if (!dentry) {
1200                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1201                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1202                                inode->i_ino);
1203                         goto out_unlock;
1204                 }
1205
1206                 len = INITCONTEXTLEN;
1207                 context = kmalloc(len, GFP_NOFS);
1208                 if (!context) {
1209                         rc = -ENOMEM;
1210                         dput(dentry);
1211                         goto out_unlock;
1212                 }
1213                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1214                                            context, len);
1215                 if (rc == -ERANGE) {
1216                         /* Need a larger buffer.  Query for the right size. */
1217                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1218                                                    NULL, 0);
1219                         if (rc < 0) {
1220                                 dput(dentry);
1221                                 goto out_unlock;
1222                         }
1223                         kfree(context);
1224                         len = rc;
1225                         context = kmalloc(len, GFP_NOFS);
1226                         if (!context) {
1227                                 rc = -ENOMEM;
1228                                 dput(dentry);
1229                                 goto out_unlock;
1230                         }
1231                         rc = inode->i_op->getxattr(dentry,
1232                                                    XATTR_NAME_SELINUX,
1233                                                    context, len);
1234                 }
1235                 dput(dentry);
1236                 if (rc < 0) {
1237                         if (rc != -ENODATA) {
1238                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1239                                        "%d for dev=%s ino=%ld\n", __func__,
1240                                        -rc, inode->i_sb->s_id, inode->i_ino);
1241                                 kfree(context);
1242                                 goto out_unlock;
1243                         }
1244                         /* Map ENODATA to the default file SID */
1245                         sid = sbsec->def_sid;
1246                         rc = 0;
1247                 } else {
1248                         rc = security_context_to_sid_default(context, rc, &sid,
1249                                                              sbsec->def_sid,
1250                                                              GFP_NOFS);
1251                         if (rc) {
1252                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1253                                        "returned %d for dev=%s ino=%ld\n",
1254                                        __func__, context, -rc,
1255                                        inode->i_sb->s_id, inode->i_ino);
1256                                 kfree(context);
1257                                 /* Leave with the unlabeled SID */
1258                                 rc = 0;
1259                                 break;
1260                         }
1261                 }
1262                 kfree(context);
1263                 isec->sid = sid;
1264                 break;
1265         case SECURITY_FS_USE_TASK:
1266                 isec->sid = isec->task_sid;
1267                 break;
1268         case SECURITY_FS_USE_TRANS:
1269                 /* Default to the fs SID. */
1270                 isec->sid = sbsec->sid;
1271
1272                 /* Try to obtain a transition SID. */
1273                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1274                 rc = security_transition_sid(isec->task_sid,
1275                                              sbsec->sid,
1276                                              isec->sclass,
1277                                              &sid);
1278                 if (rc)
1279                         goto out_unlock;
1280                 isec->sid = sid;
1281                 break;
1282         case SECURITY_FS_USE_MNTPOINT:
1283                 isec->sid = sbsec->mntpoint_sid;
1284                 break;
1285         default:
1286                 /* Default to the fs superblock SID. */
1287                 isec->sid = sbsec->sid;
1288
1289                 if (sbsec->proc) {
1290                         struct proc_inode *proci = PROC_I(inode);
1291                         if (proci->pde) {
1292                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1293                                 rc = selinux_proc_get_sid(proci->pde,
1294                                                           isec->sclass,
1295                                                           &sid);
1296                                 if (rc)
1297                                         goto out_unlock;
1298                                 isec->sid = sid;
1299                         }
1300                 }
1301                 break;
1302         }
1303
1304         isec->initialized = 1;
1305
1306 out_unlock:
1307         mutex_unlock(&isec->lock);
1308 out:
1309         if (isec->sclass == SECCLASS_FILE)
1310                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1311         return rc;
1312 }
1313
1314 /* Convert a Linux signal to an access vector. */
1315 static inline u32 signal_to_av(int sig)
1316 {
1317         u32 perm = 0;
1318
1319         switch (sig) {
1320         case SIGCHLD:
1321                 /* Commonly granted from child to parent. */
1322                 perm = PROCESS__SIGCHLD;
1323                 break;
1324         case SIGKILL:
1325                 /* Cannot be caught or ignored */
1326                 perm = PROCESS__SIGKILL;
1327                 break;
1328         case SIGSTOP:
1329                 /* Cannot be caught or ignored */
1330                 perm = PROCESS__SIGSTOP;
1331                 break;
1332         default:
1333                 /* All other signals. */
1334                 perm = PROCESS__SIGNAL;
1335                 break;
1336         }
1337
1338         return perm;
1339 }
1340
1341 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1342    fork check, ptrace check, etc. */
1343 static int task_has_perm(struct task_struct *tsk1,
1344                          struct task_struct *tsk2,
1345                          u32 perms)
1346 {
1347         struct task_security_struct *tsec1, *tsec2;
1348
1349         tsec1 = tsk1->security;
1350         tsec2 = tsk2->security;
1351         return avc_has_perm(tsec1->sid, tsec2->sid,
1352                             SECCLASS_PROCESS, perms, NULL);
1353 }
1354
1355 #if CAP_LAST_CAP > 63
1356 #error Fix SELinux to handle capabilities > 63.
1357 #endif
1358
1359 /* Check whether a task is allowed to use a capability. */
1360 static int task_has_capability(struct task_struct *tsk,
1361                                int cap)
1362 {
1363         struct task_security_struct *tsec;
1364         struct avc_audit_data ad;
1365         u16 sclass;
1366         u32 av = CAP_TO_MASK(cap);
1367
1368         tsec = tsk->security;
1369
1370         AVC_AUDIT_DATA_INIT(&ad, CAP);
1371         ad.tsk = tsk;
1372         ad.u.cap = cap;
1373
1374         switch (CAP_TO_INDEX(cap)) {
1375         case 0:
1376                 sclass = SECCLASS_CAPABILITY;
1377                 break;
1378         case 1:
1379                 sclass = SECCLASS_CAPABILITY2;
1380                 break;
1381         default:
1382                 printk(KERN_ERR
1383                        "SELinux:  out of range capability %d\n", cap);
1384                 BUG();
1385         }
1386         return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1387 }
1388
1389 /* Check whether a task is allowed to use a system operation. */
1390 static int task_has_system(struct task_struct *tsk,
1391                            u32 perms)
1392 {
1393         struct task_security_struct *tsec;
1394
1395         tsec = tsk->security;
1396
1397         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1398                             SECCLASS_SYSTEM, perms, NULL);
1399 }
1400
1401 /* Check whether a task has a particular permission to an inode.
1402    The 'adp' parameter is optional and allows other audit
1403    data to be passed (e.g. the dentry). */
1404 static int inode_has_perm(struct task_struct *tsk,
1405                           struct inode *inode,
1406                           u32 perms,
1407                           struct avc_audit_data *adp)
1408 {
1409         struct task_security_struct *tsec;
1410         struct inode_security_struct *isec;
1411         struct avc_audit_data ad;
1412
1413         if (unlikely(IS_PRIVATE(inode)))
1414                 return 0;
1415
1416         tsec = tsk->security;
1417         isec = inode->i_security;
1418
1419         if (!adp) {
1420                 adp = &ad;
1421                 AVC_AUDIT_DATA_INIT(&ad, FS);
1422                 ad.u.fs.inode = inode;
1423         }
1424
1425         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1426 }
1427
1428 /* Same as inode_has_perm, but pass explicit audit data containing
1429    the dentry to help the auditing code to more easily generate the
1430    pathname if needed. */
1431 static inline int dentry_has_perm(struct task_struct *tsk,
1432                                   struct vfsmount *mnt,
1433                                   struct dentry *dentry,
1434                                   u32 av)
1435 {
1436         struct inode *inode = dentry->d_inode;
1437         struct avc_audit_data ad;
1438         AVC_AUDIT_DATA_INIT(&ad, FS);
1439         ad.u.fs.path.mnt = mnt;
1440         ad.u.fs.path.dentry = dentry;
1441         return inode_has_perm(tsk, inode, av, &ad);
1442 }
1443
1444 /* Check whether a task can use an open file descriptor to
1445    access an inode in a given way.  Check access to the
1446    descriptor itself, and then use dentry_has_perm to
1447    check a particular permission to the file.
1448    Access to the descriptor is implicitly granted if it
1449    has the same SID as the process.  If av is zero, then
1450    access to the file is not checked, e.g. for cases
1451    where only the descriptor is affected like seek. */
1452 static int file_has_perm(struct task_struct *tsk,
1453                                 struct file *file,
1454                                 u32 av)
1455 {
1456         struct task_security_struct *tsec = tsk->security;
1457         struct file_security_struct *fsec = file->f_security;
1458         struct inode *inode = file->f_path.dentry->d_inode;
1459         struct avc_audit_data ad;
1460         int rc;
1461
1462         AVC_AUDIT_DATA_INIT(&ad, FS);
1463         ad.u.fs.path = file->f_path;
1464
1465         if (tsec->sid != fsec->sid) {
1466                 rc = avc_has_perm(tsec->sid, fsec->sid,
1467                                   SECCLASS_FD,
1468                                   FD__USE,
1469                                   &ad);
1470                 if (rc)
1471                         return rc;
1472         }
1473
1474         /* av is zero if only checking access to the descriptor. */
1475         if (av)
1476                 return inode_has_perm(tsk, inode, av, &ad);
1477
1478         return 0;
1479 }
1480
1481 /* Check whether a task can create a file. */
1482 static int may_create(struct inode *dir,
1483                       struct dentry *dentry,
1484                       u16 tclass)
1485 {
1486         struct task_security_struct *tsec;
1487         struct inode_security_struct *dsec;
1488         struct superblock_security_struct *sbsec;
1489         u32 newsid;
1490         struct avc_audit_data ad;
1491         int rc;
1492
1493         tsec = current->security;
1494         dsec = dir->i_security;
1495         sbsec = dir->i_sb->s_security;
1496
1497         AVC_AUDIT_DATA_INIT(&ad, FS);
1498         ad.u.fs.path.dentry = dentry;
1499
1500         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1501                           DIR__ADD_NAME | DIR__SEARCH,
1502                           &ad);
1503         if (rc)
1504                 return rc;
1505
1506         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1507                 newsid = tsec->create_sid;
1508         } else {
1509                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1510                                              &newsid);
1511                 if (rc)
1512                         return rc;
1513         }
1514
1515         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1516         if (rc)
1517                 return rc;
1518
1519         return avc_has_perm(newsid, sbsec->sid,
1520                             SECCLASS_FILESYSTEM,
1521                             FILESYSTEM__ASSOCIATE, &ad);
1522 }
1523
1524 /* Check whether a task can create a key. */
1525 static int may_create_key(u32 ksid,
1526                           struct task_struct *ctx)
1527 {
1528         struct task_security_struct *tsec;
1529
1530         tsec = ctx->security;
1531
1532         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1533 }
1534
1535 #define MAY_LINK        0
1536 #define MAY_UNLINK      1
1537 #define MAY_RMDIR       2
1538
1539 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1540 static int may_link(struct inode *dir,
1541                     struct dentry *dentry,
1542                     int kind)
1543
1544 {
1545         struct task_security_struct *tsec;
1546         struct inode_security_struct *dsec, *isec;
1547         struct avc_audit_data ad;
1548         u32 av;
1549         int rc;
1550
1551         tsec = current->security;
1552         dsec = dir->i_security;
1553         isec = dentry->d_inode->i_security;
1554
1555         AVC_AUDIT_DATA_INIT(&ad, FS);
1556         ad.u.fs.path.dentry = dentry;
1557
1558         av = DIR__SEARCH;
1559         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1560         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1561         if (rc)
1562                 return rc;
1563
1564         switch (kind) {
1565         case MAY_LINK:
1566                 av = FILE__LINK;
1567                 break;
1568         case MAY_UNLINK:
1569                 av = FILE__UNLINK;
1570                 break;
1571         case MAY_RMDIR:
1572                 av = DIR__RMDIR;
1573                 break;
1574         default:
1575                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1576                         __func__, kind);
1577                 return 0;
1578         }
1579
1580         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1581         return rc;
1582 }
1583
1584 static inline int may_rename(struct inode *old_dir,
1585                              struct dentry *old_dentry,
1586                              struct inode *new_dir,
1587                              struct dentry *new_dentry)
1588 {
1589         struct task_security_struct *tsec;
1590         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1591         struct avc_audit_data ad;
1592         u32 av;
1593         int old_is_dir, new_is_dir;
1594         int rc;
1595
1596         tsec = current->security;
1597         old_dsec = old_dir->i_security;
1598         old_isec = old_dentry->d_inode->i_security;
1599         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1600         new_dsec = new_dir->i_security;
1601
1602         AVC_AUDIT_DATA_INIT(&ad, FS);
1603
1604         ad.u.fs.path.dentry = old_dentry;
1605         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1606                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1607         if (rc)
1608                 return rc;
1609         rc = avc_has_perm(tsec->sid, old_isec->sid,
1610                           old_isec->sclass, FILE__RENAME, &ad);
1611         if (rc)
1612                 return rc;
1613         if (old_is_dir && new_dir != old_dir) {
1614                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1615                                   old_isec->sclass, DIR__REPARENT, &ad);
1616                 if (rc)
1617                         return rc;
1618         }
1619
1620         ad.u.fs.path.dentry = new_dentry;
1621         av = DIR__ADD_NAME | DIR__SEARCH;
1622         if (new_dentry->d_inode)
1623                 av |= DIR__REMOVE_NAME;
1624         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1625         if (rc)
1626                 return rc;
1627         if (new_dentry->d_inode) {
1628                 new_isec = new_dentry->d_inode->i_security;
1629                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1630                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1631                                   new_isec->sclass,
1632                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1633                 if (rc)
1634                         return rc;
1635         }
1636
1637         return 0;
1638 }
1639
1640 /* Check whether a task can perform a filesystem operation. */
1641 static int superblock_has_perm(struct task_struct *tsk,
1642                                struct super_block *sb,
1643                                u32 perms,
1644                                struct avc_audit_data *ad)
1645 {
1646         struct task_security_struct *tsec;
1647         struct superblock_security_struct *sbsec;
1648
1649         tsec = tsk->security;
1650         sbsec = sb->s_security;
1651         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1652                             perms, ad);
1653 }
1654
1655 /* Convert a Linux mode and permission mask to an access vector. */
1656 static inline u32 file_mask_to_av(int mode, int mask)
1657 {
1658         u32 av = 0;
1659
1660         if ((mode & S_IFMT) != S_IFDIR) {
1661                 if (mask & MAY_EXEC)
1662                         av |= FILE__EXECUTE;
1663                 if (mask & MAY_READ)
1664                         av |= FILE__READ;
1665
1666                 if (mask & MAY_APPEND)
1667                         av |= FILE__APPEND;
1668                 else if (mask & MAY_WRITE)
1669                         av |= FILE__WRITE;
1670
1671         } else {
1672                 if (mask & MAY_EXEC)
1673                         av |= DIR__SEARCH;
1674                 if (mask & MAY_WRITE)
1675                         av |= DIR__WRITE;
1676                 if (mask & MAY_READ)
1677                         av |= DIR__READ;
1678         }
1679
1680         return av;
1681 }
1682
1683 /*
1684  * Convert a file mask to an access vector and include the correct open
1685  * open permission.
1686  */
1687 static inline u32 open_file_mask_to_av(int mode, int mask)
1688 {
1689         u32 av = file_mask_to_av(mode, mask);
1690
1691         if (selinux_policycap_openperm) {
1692                 /*
1693                  * lnk files and socks do not really have an 'open'
1694                  */
1695                 if (S_ISREG(mode))
1696                         av |= FILE__OPEN;
1697                 else if (S_ISCHR(mode))
1698                         av |= CHR_FILE__OPEN;
1699                 else if (S_ISBLK(mode))
1700                         av |= BLK_FILE__OPEN;
1701                 else if (S_ISFIFO(mode))
1702                         av |= FIFO_FILE__OPEN;
1703                 else if (S_ISDIR(mode))
1704                         av |= DIR__OPEN;
1705                 else
1706                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1707                                 "unknown mode:%x\n", __func__, mode);
1708         }
1709         return av;
1710 }
1711
1712 /* Convert a Linux file to an access vector. */
1713 static inline u32 file_to_av(struct file *file)
1714 {
1715         u32 av = 0;
1716
1717         if (file->f_mode & FMODE_READ)
1718                 av |= FILE__READ;
1719         if (file->f_mode & FMODE_WRITE) {
1720                 if (file->f_flags & O_APPEND)
1721                         av |= FILE__APPEND;
1722                 else
1723                         av |= FILE__WRITE;
1724         }
1725         if (!av) {
1726                 /*
1727                  * Special file opened with flags 3 for ioctl-only use.
1728                  */
1729                 av = FILE__IOCTL;
1730         }
1731
1732         return av;
1733 }
1734
1735 /* Hook functions begin here. */
1736
1737 static int selinux_ptrace(struct task_struct *parent,
1738                           struct task_struct *child,
1739                           unsigned int mode)
1740 {
1741         int rc;
1742
1743         rc = secondary_ops->ptrace(parent, child, mode);
1744         if (rc)
1745                 return rc;
1746
1747         if (mode == PTRACE_MODE_READ) {
1748                 struct task_security_struct *tsec = parent->security;
1749                 struct task_security_struct *csec = child->security;
1750                 return avc_has_perm(tsec->sid, csec->sid,
1751                                     SECCLASS_FILE, FILE__READ, NULL);
1752         }
1753
1754         return task_has_perm(parent, child, PROCESS__PTRACE);
1755 }
1756
1757 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1758                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1759 {
1760         int error;
1761
1762         error = task_has_perm(current, target, PROCESS__GETCAP);
1763         if (error)
1764                 return error;
1765
1766         return secondary_ops->capget(target, effective, inheritable, permitted);
1767 }
1768
1769 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1770                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1771 {
1772         int error;
1773
1774         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1775         if (error)
1776                 return error;
1777
1778         return task_has_perm(current, target, PROCESS__SETCAP);
1779 }
1780
1781 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1782                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1783 {
1784         secondary_ops->capset_set(target, effective, inheritable, permitted);
1785 }
1786
1787 static int selinux_capable(struct task_struct *tsk, int cap)
1788 {
1789         int rc;
1790
1791         rc = secondary_ops->capable(tsk, cap);
1792         if (rc)
1793                 return rc;
1794
1795         return task_has_capability(tsk, cap);
1796 }
1797
1798 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1799 {
1800         int buflen, rc;
1801         char *buffer, *path, *end;
1802
1803         rc = -ENOMEM;
1804         buffer = (char *)__get_free_page(GFP_KERNEL);
1805         if (!buffer)
1806                 goto out;
1807
1808         buflen = PAGE_SIZE;
1809         end = buffer+buflen;
1810         *--end = '\0';
1811         buflen--;
1812         path = end-1;
1813         *path = '/';
1814         while (table) {
1815                 const char *name = table->procname;
1816                 size_t namelen = strlen(name);
1817                 buflen -= namelen + 1;
1818                 if (buflen < 0)
1819                         goto out_free;
1820                 end -= namelen;
1821                 memcpy(end, name, namelen);
1822                 *--end = '/';
1823                 path = end;
1824                 table = table->parent;
1825         }
1826         buflen -= 4;
1827         if (buflen < 0)
1828                 goto out_free;
1829         end -= 4;
1830         memcpy(end, "/sys", 4);
1831         path = end;
1832         rc = security_genfs_sid("proc", path, tclass, sid);
1833 out_free:
1834         free_page((unsigned long)buffer);
1835 out:
1836         return rc;
1837 }
1838
1839 static int selinux_sysctl(ctl_table *table, int op)
1840 {
1841         int error = 0;
1842         u32 av;
1843         struct task_security_struct *tsec;
1844         u32 tsid;
1845         int rc;
1846
1847         rc = secondary_ops->sysctl(table, op);
1848         if (rc)
1849                 return rc;
1850
1851         tsec = current->security;
1852
1853         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1854                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1855         if (rc) {
1856                 /* Default to the well-defined sysctl SID. */
1857                 tsid = SECINITSID_SYSCTL;
1858         }
1859
1860         /* The op values are "defined" in sysctl.c, thereby creating
1861          * a bad coupling between this module and sysctl.c */
1862         if (op == 001) {
1863                 error = avc_has_perm(tsec->sid, tsid,
1864                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1865         } else {
1866                 av = 0;
1867                 if (op & 004)
1868                         av |= FILE__READ;
1869                 if (op & 002)
1870                         av |= FILE__WRITE;
1871                 if (av)
1872                         error = avc_has_perm(tsec->sid, tsid,
1873                                              SECCLASS_FILE, av, NULL);
1874         }
1875
1876         return error;
1877 }
1878
1879 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1880 {
1881         int rc = 0;
1882
1883         if (!sb)
1884                 return 0;
1885
1886         switch (cmds) {
1887         case Q_SYNC:
1888         case Q_QUOTAON:
1889         case Q_QUOTAOFF:
1890         case Q_SETINFO:
1891         case Q_SETQUOTA:
1892                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1893                                          NULL);
1894                 break;
1895         case Q_GETFMT:
1896         case Q_GETINFO:
1897         case Q_GETQUOTA:
1898                 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1899                                          NULL);
1900                 break;
1901         default:
1902                 rc = 0;  /* let the kernel handle invalid cmds */
1903                 break;
1904         }
1905         return rc;
1906 }
1907
1908 static int selinux_quota_on(struct dentry *dentry)
1909 {
1910         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1911 }
1912
1913 static int selinux_syslog(int type)
1914 {
1915         int rc;
1916
1917         rc = secondary_ops->syslog(type);
1918         if (rc)
1919                 return rc;
1920
1921         switch (type) {
1922         case 3:         /* Read last kernel messages */
1923         case 10:        /* Return size of the log buffer */
1924                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1925                 break;
1926         case 6:         /* Disable logging to console */
1927         case 7:         /* Enable logging to console */
1928         case 8:         /* Set level of messages printed to console */
1929                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1930                 break;
1931         case 0:         /* Close log */
1932         case 1:         /* Open log */
1933         case 2:         /* Read from log */
1934         case 4:         /* Read/clear last kernel messages */
1935         case 5:         /* Clear ring buffer */
1936         default:
1937                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1938                 break;
1939         }
1940         return rc;
1941 }
1942
1943 /*
1944  * Check that a process has enough memory to allocate a new virtual
1945  * mapping. 0 means there is enough memory for the allocation to
1946  * succeed and -ENOMEM implies there is not.
1947  *
1948  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1949  * if the capability is granted, but __vm_enough_memory requires 1 if
1950  * the capability is granted.
1951  *
1952  * Do not audit the selinux permission check, as this is applied to all
1953  * processes that allocate mappings.
1954  */
1955 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1956 {
1957         int rc, cap_sys_admin = 0;
1958         struct task_security_struct *tsec = current->security;
1959
1960         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1961         if (rc == 0)
1962                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1963                                           SECCLASS_CAPABILITY,
1964                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1965                                           0,
1966                                           NULL);
1967
1968         if (rc == 0)
1969                 cap_sys_admin = 1;
1970
1971         return __vm_enough_memory(mm, pages, cap_sys_admin);
1972 }
1973
1974 /* binprm security operations */
1975
1976 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1977 {
1978         struct bprm_security_struct *bsec;
1979
1980         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1981         if (!bsec)
1982                 return -ENOMEM;
1983
1984         bsec->sid = SECINITSID_UNLABELED;
1985         bsec->set = 0;
1986
1987         bprm->security = bsec;
1988         return 0;
1989 }
1990
1991 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1992 {
1993         struct task_security_struct *tsec;
1994         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1995         struct inode_security_struct *isec;
1996         struct bprm_security_struct *bsec;
1997         u32 newsid;
1998         struct avc_audit_data ad;
1999         int rc;
2000
2001         rc = secondary_ops->bprm_set_security(bprm);
2002         if (rc)
2003                 return rc;
2004
2005         bsec = bprm->security;
2006
2007         if (bsec->set)
2008                 return 0;
2009
2010         tsec = current->security;
2011         isec = inode->i_security;
2012
2013         /* Default to the current task SID. */
2014         bsec->sid = tsec->sid;
2015
2016         /* Reset fs, key, and sock SIDs on execve. */
2017         tsec->create_sid = 0;
2018         tsec->keycreate_sid = 0;
2019         tsec->sockcreate_sid = 0;
2020
2021         if (tsec->exec_sid) {
2022                 newsid = tsec->exec_sid;
2023                 /* Reset exec SID on execve. */
2024                 tsec->exec_sid = 0;
2025         } else {
2026                 /* Check for a default transition on this program. */
2027                 rc = security_transition_sid(tsec->sid, isec->sid,
2028                                              SECCLASS_PROCESS, &newsid);
2029                 if (rc)
2030                         return rc;
2031         }
2032
2033         AVC_AUDIT_DATA_INIT(&ad, FS);
2034         ad.u.fs.path = bprm->file->f_path;
2035
2036         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2037                 newsid = tsec->sid;
2038
2039         if (tsec->sid == newsid) {
2040                 rc = avc_has_perm(tsec->sid, isec->sid,
2041                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2042                 if (rc)
2043                         return rc;
2044         } else {
2045                 /* Check permissions for the transition. */
2046                 rc = avc_has_perm(tsec->sid, newsid,
2047                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2048                 if (rc)
2049                         return rc;
2050
2051                 rc = avc_has_perm(newsid, isec->sid,
2052                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2053                 if (rc)
2054                         return rc;
2055
2056                 /* Clear any possibly unsafe personality bits on exec: */
2057                 current->personality &= ~PER_CLEAR_ON_SETID;
2058
2059                 /* Set the security field to the new SID. */
2060                 bsec->sid = newsid;
2061         }
2062
2063         bsec->set = 1;
2064         return 0;
2065 }
2066
2067 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2068 {
2069         return secondary_ops->bprm_check_security(bprm);
2070 }
2071
2072
2073 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2074 {
2075         struct task_security_struct *tsec = current->security;
2076         int atsecure = 0;
2077
2078         if (tsec->osid != tsec->sid) {
2079                 /* Enable secure mode for SIDs transitions unless
2080                    the noatsecure permission is granted between
2081                    the two SIDs, i.e. ahp returns 0. */
2082                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2083                                          SECCLASS_PROCESS,
2084                                          PROCESS__NOATSECURE, NULL);
2085         }
2086
2087         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2088 }
2089
2090 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2091 {
2092         kfree(bprm->security);
2093         bprm->security = NULL;
2094 }
2095
2096 extern struct vfsmount *selinuxfs_mount;
2097 extern struct dentry *selinux_null;
2098
2099 /* Derived from fs/exec.c:flush_old_files. */
2100 static inline void flush_unauthorized_files(struct files_struct *files)
2101 {
2102         struct avc_audit_data ad;
2103         struct file *file, *devnull = NULL;
2104         struct tty_struct *tty;
2105         struct fdtable *fdt;
2106         long j = -1;
2107         int drop_tty = 0;
2108
2109         mutex_lock(&tty_mutex);
2110         tty = get_current_tty();
2111         if (tty) {
2112                 file_list_lock();
2113                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2114                 if (file) {
2115                         /* Revalidate access to controlling tty.
2116                            Use inode_has_perm on the tty inode directly rather
2117                            than using file_has_perm, as this particular open
2118                            file may belong to another process and we are only
2119                            interested in the inode-based check here. */
2120                         struct inode *inode = file->f_path.dentry->d_inode;
2121                         if (inode_has_perm(current, inode,
2122                                            FILE__READ | FILE__WRITE, NULL)) {
2123                                 drop_tty = 1;
2124                         }
2125                 }
2126                 file_list_unlock();
2127         }
2128         mutex_unlock(&tty_mutex);
2129         /* Reset controlling tty. */
2130         if (drop_tty)
2131                 no_tty();
2132
2133         /* Revalidate access to inherited open files. */
2134
2135         AVC_AUDIT_DATA_INIT(&ad, FS);
2136
2137         spin_lock(&files->file_lock);
2138         for (;;) {
2139                 unsigned long set, i;
2140                 int fd;
2141
2142                 j++;
2143                 i = j * __NFDBITS;
2144                 fdt = files_fdtable(files);
2145                 if (i >= fdt->max_fds)
2146                         break;
2147                 set = fdt->open_fds->fds_bits[j];
2148                 if (!set)
2149                         continue;
2150                 spin_unlock(&files->file_lock);
2151                 for ( ; set ; i++, set >>= 1) {
2152                         if (set & 1) {
2153                                 file = fget(i);
2154                                 if (!file)
2155                                         continue;
2156                                 if (file_has_perm(current,
2157                                                   file,
2158                                                   file_to_av(file))) {
2159                                         sys_close(i);
2160                                         fd = get_unused_fd();
2161                                         if (fd != i) {
2162                                                 if (fd >= 0)
2163                                                         put_unused_fd(fd);
2164                                                 fput(file);
2165                                                 continue;
2166                                         }
2167                                         if (devnull) {
2168                                                 get_file(devnull);
2169                                         } else {
2170                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2171                                                 if (IS_ERR(devnull)) {
2172                                                         devnull = NULL;
2173                                                         put_unused_fd(fd);
2174                                                         fput(file);
2175                                                         continue;
2176                                                 }
2177                                         }
2178                                         fd_install(fd, devnull);
2179                                 }
2180                                 fput(file);
2181                         }
2182                 }
2183                 spin_lock(&files->file_lock);
2184
2185         }
2186         spin_unlock(&files->file_lock);
2187 }
2188
2189 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2190 {
2191         struct task_security_struct *tsec;
2192         struct bprm_security_struct *bsec;
2193         u32 sid;
2194         int rc;
2195
2196         secondary_ops->bprm_apply_creds(bprm, unsafe);
2197
2198         tsec = current->security;
2199
2200         bsec = bprm->security;
2201         sid = bsec->sid;
2202
2203         tsec->osid = tsec->sid;
2204         bsec->unsafe = 0;
2205         if (tsec->sid != sid) {
2206                 /* Check for shared state.  If not ok, leave SID
2207                    unchanged and kill. */
2208                 if (unsafe & LSM_UNSAFE_SHARE) {
2209                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2210                                         PROCESS__SHARE, NULL);
2211                         if (rc) {
2212                                 bsec->unsafe = 1;
2213                                 return;
2214                         }
2215                 }
2216
2217                 /* Check for ptracing, and update the task SID if ok.
2218                    Otherwise, leave SID unchanged and kill. */
2219                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2220                         struct task_struct *tracer;
2221                         struct task_security_struct *sec;
2222                         u32 ptsid = 0;
2223
2224                         rcu_read_lock();
2225                         tracer = tracehook_tracer_task(current);
2226                         if (likely(tracer != NULL)) {
2227                                 sec = tracer->security;
2228                                 ptsid = sec->sid;
2229                         }
2230                         rcu_read_unlock();
2231
2232                         if (ptsid != 0) {
2233                                 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2234                                                   PROCESS__PTRACE, NULL);
2235                                 if (rc) {
2236                                         bsec->unsafe = 1;
2237                                         return;
2238                                 }
2239                         }
2240                 }
2241                 tsec->sid = sid;
2242         }
2243 }
2244
2245 /*
2246  * called after apply_creds without the task lock held
2247  */
2248 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2249 {
2250         struct task_security_struct *tsec;
2251         struct rlimit *rlim, *initrlim;
2252         struct itimerval itimer;
2253         struct bprm_security_struct *bsec;
2254         int rc, i;
2255
2256         tsec = current->security;
2257         bsec = bprm->security;
2258
2259         if (bsec->unsafe) {
2260                 force_sig_specific(SIGKILL, current);
2261                 return;
2262         }
2263         if (tsec->osid == tsec->sid)
2264                 return;
2265
2266         /* Close files for which the new task SID is not authorized. */
2267         flush_unauthorized_files(current->files);
2268
2269         /* Check whether the new SID can inherit signal state
2270            from the old SID.  If not, clear itimers to avoid
2271            subsequent signal generation and flush and unblock
2272            signals. This must occur _after_ the task SID has
2273           been updated so that any kill done after the flush
2274           will be checked against the new SID. */
2275         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2276                           PROCESS__SIGINH, NULL);
2277         if (rc) {
2278                 memset(&itimer, 0, sizeof itimer);
2279                 for (i = 0; i < 3; i++)
2280                         do_setitimer(i, &itimer, NULL);
2281                 flush_signals(current);
2282                 spin_lock_irq(&current->sighand->siglock);
2283                 flush_signal_handlers(current, 1);
2284                 sigemptyset(&current->blocked);
2285                 recalc_sigpending();
2286                 spin_unlock_irq(&current->sighand->siglock);
2287         }
2288
2289         /* Always clear parent death signal on SID transitions. */
2290         current->pdeath_signal = 0;
2291
2292         /* Check whether the new SID can inherit resource limits
2293            from the old SID.  If not, reset all soft limits to
2294            the lower of the current task's hard limit and the init
2295            task's soft limit.  Note that the setting of hard limits
2296            (even to lower them) can be controlled by the setrlimit
2297            check. The inclusion of the init task's soft limit into
2298            the computation is to avoid resetting soft limits higher
2299            than the default soft limit for cases where the default
2300            is lower than the hard limit, e.g. RLIMIT_CORE or
2301            RLIMIT_STACK.*/
2302         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2303                           PROCESS__RLIMITINH, NULL);
2304         if (rc) {
2305                 for (i = 0; i < RLIM_NLIMITS; i++) {
2306                         rlim = current->signal->rlim + i;
2307                         initrlim = init_task.signal->rlim+i;
2308                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2309                 }
2310                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2311                         /*
2312                          * This will cause RLIMIT_CPU calculations
2313                          * to be refigured.
2314                          */
2315                         current->it_prof_expires = jiffies_to_cputime(1);
2316                 }
2317         }
2318
2319         /* Wake up the parent if it is waiting so that it can
2320            recheck wait permission to the new task SID. */
2321         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2322 }
2323
2324 /* superblock security operations */
2325
2326 static int selinux_sb_alloc_security(struct super_block *sb)
2327 {
2328         return superblock_alloc_security(sb);
2329 }
2330
2331 static void selinux_sb_free_security(struct super_block *sb)
2332 {
2333         superblock_free_security(sb);
2334 }
2335
2336 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2337 {
2338         if (plen > olen)
2339                 return 0;
2340
2341         return !memcmp(prefix, option, plen);
2342 }
2343
2344 static inline int selinux_option(char *option, int len)
2345 {
2346         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2347                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2348                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2349                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2350 }
2351
2352 static inline void take_option(char **to, char *from, int *first, int len)
2353 {
2354         if (!*first) {
2355                 **to = ',';
2356                 *to += 1;
2357         } else
2358                 *first = 0;
2359         memcpy(*to, from, len);
2360         *to += len;
2361 }
2362
2363 static inline void take_selinux_option(char **to, char *from, int *first,
2364                                        int len)
2365 {
2366         int current_size = 0;
2367
2368         if (!*first) {
2369                 **to = '|';
2370                 *to += 1;
2371         } else
2372                 *first = 0;
2373
2374         while (current_size < len) {
2375                 if (*from != '"') {
2376                         **to = *from;
2377                         *to += 1;
2378                 }
2379                 from += 1;
2380                 current_size += 1;
2381         }
2382 }
2383
2384 static int selinux_sb_copy_data(char *orig, char *copy)
2385 {
2386         int fnosec, fsec, rc = 0;
2387         char *in_save, *in_curr, *in_end;
2388         char *sec_curr, *nosec_save, *nosec;
2389         int open_quote = 0;
2390
2391         in_curr = orig;
2392         sec_curr = copy;
2393
2394         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2395         if (!nosec) {
2396                 rc = -ENOMEM;
2397                 goto out;
2398         }
2399
2400         nosec_save = nosec;
2401         fnosec = fsec = 1;
2402         in_save = in_end = orig;
2403
2404         do {
2405                 if (*in_end == '"')
2406                         open_quote = !open_quote;
2407                 if ((*in_end == ',' && open_quote == 0) ||
2408                                 *in_end == '\0') {
2409                         int len = in_end - in_curr;
2410
2411                         if (selinux_option(in_curr, len))
2412                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2413                         else
2414                                 take_option(&nosec, in_curr, &fnosec, len);
2415
2416                         in_curr = in_end + 1;
2417                 }
2418         } while (*in_end++);
2419
2420         strcpy(in_save, nosec_save);
2421         free_page((unsigned long)nosec_save);
2422 out:
2423         return rc;
2424 }
2425
2426 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2427 {
2428         struct avc_audit_data ad;
2429         int rc;
2430
2431         rc = superblock_doinit(sb, data);
2432         if (rc)
2433                 return rc;
2434
2435         AVC_AUDIT_DATA_INIT(&ad, FS);
2436         ad.u.fs.path.dentry = sb->s_root;
2437         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2438 }
2439
2440 static int selinux_sb_statfs(struct dentry *dentry)
2441 {
2442         struct avc_audit_data ad;
2443
2444         AVC_AUDIT_DATA_INIT(&ad, FS);
2445         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2446         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2447 }
2448
2449 static int selinux_mount(char *dev_name,
2450                          struct path *path,
2451                          char *type,
2452                          unsigned long flags,
2453                          void *data)
2454 {
2455         int rc;
2456
2457         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2458         if (rc)
2459                 return rc;
2460
2461         if (flags & MS_REMOUNT)
2462                 return superblock_has_perm(current, path->mnt->mnt_sb,
2463                                            FILESYSTEM__REMOUNT, NULL);
2464         else
2465                 return dentry_has_perm(current, path->mnt, path->dentry,
2466                                        FILE__MOUNTON);
2467 }
2468
2469 static int selinux_umount(struct vfsmount *mnt, int flags)
2470 {
2471         int rc;
2472
2473         rc = secondary_ops->sb_umount(mnt, flags);
2474         if (rc)
2475                 return rc;
2476
2477         return superblock_has_perm(current, mnt->mnt_sb,
2478                                    FILESYSTEM__UNMOUNT, NULL);
2479 }
2480
2481 /* inode security operations */
2482
2483 static int selinux_inode_alloc_security(struct inode *inode)
2484 {
2485         return inode_alloc_security(inode);
2486 }
2487
2488 static void selinux_inode_free_security(struct inode *inode)
2489 {
2490         inode_free_security(inode);
2491 }
2492
2493 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2494                                        char **name, void **value,
2495                                        size_t *len)
2496 {
2497         struct task_security_struct *tsec;
2498         struct inode_security_struct *dsec;
2499         struct superblock_security_struct *sbsec;
2500         u32 newsid, clen;
2501         int rc;
2502         char *namep = NULL, *context;
2503
2504         tsec = current->security;
2505         dsec = dir->i_security;
2506         sbsec = dir->i_sb->s_security;
2507
2508         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2509                 newsid = tsec->create_sid;
2510         } else {
2511                 rc = security_transition_sid(tsec->sid, dsec->sid,
2512                                              inode_mode_to_security_class(inode->i_mode),
2513                                              &newsid);
2514                 if (rc) {
2515                         printk(KERN_WARNING "%s:  "
2516                                "security_transition_sid failed, rc=%d (dev=%s "
2517                                "ino=%ld)\n",
2518                                __func__,
2519                                -rc, inode->i_sb->s_id, inode->i_ino);
2520                         return rc;
2521                 }
2522         }
2523
2524         /* Possibly defer initialization to selinux_complete_init. */
2525         if (sbsec->initialized) {
2526                 struct inode_security_struct *isec = inode->i_security;
2527                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2528                 isec->sid = newsid;
2529                 isec->initialized = 1;
2530         }
2531
2532         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2533                 return -EOPNOTSUPP;
2534
2535         if (name) {
2536                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2537                 if (!namep)
2538                         return -ENOMEM;
2539                 *name = namep;
2540         }
2541
2542         if (value && len) {
2543                 rc = security_sid_to_context_force(newsid, &context, &clen);
2544                 if (rc) {
2545                         kfree(namep);
2546                         return rc;
2547                 }
2548                 *value = context;
2549                 *len = clen;
2550         }
2551
2552         return 0;
2553 }
2554
2555 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2556 {
2557         return may_create(dir, dentry, SECCLASS_FILE);
2558 }
2559
2560 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2561 {
2562         int rc;
2563
2564         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2565         if (rc)
2566                 return rc;
2567         return may_link(dir, old_dentry, MAY_LINK);
2568 }
2569
2570 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2571 {
2572         int rc;
2573
2574         rc = secondary_ops->inode_unlink(dir, dentry);
2575         if (rc)
2576                 return rc;
2577         return may_link(dir, dentry, MAY_UNLINK);
2578 }
2579
2580 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2581 {
2582         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2583 }
2584
2585 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2586 {
2587         return may_create(dir, dentry, SECCLASS_DIR);
2588 }
2589
2590 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2591 {
2592         return may_link(dir, dentry, MAY_RMDIR);
2593 }
2594
2595 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2596 {
2597         int rc;
2598
2599         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2600         if (rc)
2601                 return rc;
2602
2603         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2604 }
2605
2606 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2607                                 struct inode *new_inode, struct dentry *new_dentry)
2608 {
2609         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2610 }
2611
2612 static int selinux_inode_readlink(struct dentry *dentry)
2613 {
2614         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2615 }
2616
2617 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2618 {
2619         int rc;
2620
2621         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2622         if (rc)
2623                 return rc;
2624         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2625 }
2626
2627 static int selinux_inode_permission(struct inode *inode, int mask)
2628 {
2629         int rc;
2630
2631         rc = secondary_ops->inode_permission(inode, mask);
2632         if (rc)
2633                 return rc;
2634
2635         if (!mask) {
2636                 /* No permission to check.  Existence test. */
2637                 return 0;
2638         }
2639
2640         return inode_has_perm(current, inode,
2641                                open_file_mask_to_av(inode->i_mode, mask), NULL);
2642 }
2643
2644 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2645 {
2646         int rc;
2647
2648         rc = secondary_ops->inode_setattr(dentry, iattr);
2649         if (rc)
2650                 return rc;
2651
2652         if (iattr->ia_valid & ATTR_FORCE)
2653                 return 0;
2654
2655         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2656                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2657                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2658
2659         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2660 }
2661
2662 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2663 {
2664         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2665 }
2666
2667 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2668 {
2669         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2670                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2671                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2672                         if (!capable(CAP_SETFCAP))
2673                                 return -EPERM;
2674                 } else if (!capable(CAP_SYS_ADMIN)) {
2675                         /* A different attribute in the security namespace.
2676                            Restrict to administrator. */
2677                         return -EPERM;
2678                 }
2679         }
2680
2681         /* Not an attribute we recognize, so just check the
2682            ordinary setattr permission. */
2683         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2684 }
2685
2686 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2687                                   const void *value, size_t size, int flags)
2688 {
2689         struct task_security_struct *tsec = current->security;
2690         struct inode *inode = dentry->d_inode;
2691         struct inode_security_struct *isec = inode->i_security;
2692         struct superblock_security_struct *sbsec;
2693         struct avc_audit_data ad;
2694         u32 newsid;
2695         int rc = 0;
2696
2697         if (strcmp(name, XATTR_NAME_SELINUX))
2698                 return selinux_inode_setotherxattr(dentry, name);
2699
2700         sbsec = inode->i_sb->s_security;
2701         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2702                 return -EOPNOTSUPP;
2703
2704         if (!is_owner_or_cap(inode))
2705                 return -EPERM;
2706
2707         AVC_AUDIT_DATA_INIT(&ad, FS);
2708         ad.u.fs.path.dentry = dentry;
2709
2710         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2711                           FILE__RELABELFROM, &ad);
2712         if (rc)
2713                 return rc;
2714
2715         rc = security_context_to_sid(value, size, &newsid);
2716         if (rc == -EINVAL) {
2717                 if (!capable(CAP_MAC_ADMIN))
2718                         return rc;
2719                 rc = security_context_to_sid_force(value, size, &newsid);
2720         }
2721         if (rc)
2722                 return rc;
2723
2724         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2725                           FILE__RELABELTO, &ad);
2726         if (rc)
2727                 return rc;
2728
2729         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2730                                           isec->sclass);
2731         if (rc)
2732                 return rc;
2733
2734         return avc_has_perm(newsid,
2735                             sbsec->sid,
2736                             SECCLASS_FILESYSTEM,
2737                             FILESYSTEM__ASSOCIATE,
2738                             &ad);
2739 }
2740
2741 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2742                                         const void *value, size_t size,
2743                                         int flags)
2744 {
2745         struct inode *inode = dentry->d_inode;
2746         struct inode_security_struct *isec = inode->i_security;
2747         u32 newsid;
2748         int rc;
2749
2750         if (strcmp(name, XATTR_NAME_SELINUX)) {
2751                 /* Not an attribute we recognize, so nothing to do. */
2752                 return;
2753         }
2754
2755         rc = security_context_to_sid_force(value, size, &newsid);
2756         if (rc) {
2757                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2758                        "for (%s, %lu), rc=%d\n",
2759                        inode->i_sb->s_id, inode->i_ino, -rc);
2760                 return;
2761         }
2762
2763         isec->sid = newsid;
2764         return;
2765 }
2766
2767 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2768 {
2769         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2770 }
2771
2772 static int selinux_inode_listxattr(struct dentry *dentry)
2773 {
2774         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2775 }
2776
2777 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2778 {
2779         if (strcmp(name, XATTR_NAME_SELINUX))
2780                 return selinux_inode_setotherxattr(dentry, name);
2781
2782         /* No one is allowed to remove a SELinux security label.
2783            You can change the label, but all data must be labeled. */
2784         return -EACCES;
2785 }
2786
2787 /*
2788  * Copy the inode security context value to the user.
2789  *
2790  * Permission check is handled by selinux_inode_getxattr hook.
2791  */
2792 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2793 {
2794         u32 size;
2795         int error;
2796         char *context = NULL;
2797         struct task_security_struct *tsec = current->security;
2798         struct inode_security_struct *isec = inode->i_security;
2799
2800         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2801                 return -EOPNOTSUPP;
2802
2803         /*
2804          * If the caller has CAP_MAC_ADMIN, then get the raw context
2805          * value even if it is not defined by current policy; otherwise,
2806          * use the in-core value under current policy.
2807          * Use the non-auditing forms of the permission checks since
2808          * getxattr may be called by unprivileged processes commonly
2809          * and lack of permission just means that we fall back to the
2810          * in-core context value, not a denial.
2811          */
2812         error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2813         if (!error)
2814                 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2815                                              SECCLASS_CAPABILITY2,
2816                                              CAPABILITY2__MAC_ADMIN,
2817                                              0,
2818                                              NULL);
2819         if (!error)
2820                 error = security_sid_to_context_force(isec->sid, &context,
2821                                                       &size);
2822         else
2823                 error = security_sid_to_context(isec->sid, &context, &size);
2824         if (error)
2825                 return error;
2826         error = size;
2827         if (alloc) {
2828                 *buffer = context;
2829                 goto out_nofree;
2830         }
2831         kfree(context);
2832 out_nofree:
2833         return error;
2834 }
2835
2836 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2837                                      const void *value, size_t size, int flags)
2838 {
2839         struct inode_security_struct *isec = inode->i_security;
2840         u32 newsid;
2841         int rc;
2842
2843         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2844                 return -EOPNOTSUPP;
2845
2846         if (!value || !size)
2847                 return -EACCES;
2848
2849         rc = security_context_to_sid((void *)value, size, &newsid);
2850         if (rc)
2851                 return rc;
2852
2853         isec->sid = newsid;
2854         return 0;
2855 }
2856
2857 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2858 {
2859         const int len = sizeof(XATTR_NAME_SELINUX);
2860         if (buffer && len <= buffer_size)
2861                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2862         return len;
2863 }
2864
2865 static int selinux_inode_need_killpriv(struct dentry *dentry)
2866 {
2867         return secondary_ops->inode_need_killpriv(dentry);
2868 }
2869
2870 static int selinux_inode_killpriv(struct dentry *dentry)
2871 {
2872         return secondary_ops->inode_killpriv(dentry);
2873 }
2874
2875 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2876 {
2877         struct inode_security_struct *isec = inode->i_security;
2878         *secid = isec->sid;
2879 }
2880
2881 /* file security operations */
2882
2883 static int selinux_revalidate_file_permission(struct file *file, int mask)
2884 {
2885         int rc;
2886         struct inode *inode = file->f_path.dentry->d_inode;
2887
2888         if (!mask) {
2889                 /* No permission to check.  Existence test. */
2890                 return 0;
2891         }
2892
2893         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2894         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2895                 mask |= MAY_APPEND;
2896
2897         rc = file_has_perm(current, file,
2898                            file_mask_to_av(inode->i_mode, mask));
2899         if (rc)
2900                 return rc;
2901
2902         return selinux_netlbl_inode_permission(inode, mask);
2903 }
2904
2905 static int selinux_file_permission(struct file *file, int mask)
2906 {
2907         struct inode *inode = file->f_path.dentry->d_inode;
2908         struct task_security_struct *tsec = current->security;
2909         struct file_security_struct *fsec = file->f_security;
2910         struct inode_security_struct *isec = inode->i_security;
2911
2912         if (!mask) {
2913                 /* No permission to check.  Existence test. */
2914                 return 0;
2915         }
2916
2917         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2918             && fsec->pseqno == avc_policy_seqno())
2919                 return selinux_netlbl_inode_permission(inode, mask);
2920
2921         return selinux_revalidate_file_permission(file, mask);
2922 }
2923
2924 static int selinux_file_alloc_security(struct file *file)
2925 {
2926         return file_alloc_security(file);
2927 }
2928
2929 static void selinux_file_free_security(struct file *file)
2930 {
2931         file_free_security(file);
2932 }
2933
2934 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2935                               unsigned long arg)
2936 {
2937         u32 av = 0;
2938
2939         if (_IOC_DIR(cmd) & _IOC_WRITE)
2940                 av |= FILE__WRITE;
2941         if (_IOC_DIR(cmd) & _IOC_READ)
2942                 av |= FILE__READ;
2943         if (!av)
2944                 av = FILE__IOCTL;
2945
2946         return file_has_perm(current, file, av);
2947 }
2948
2949 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2950 {
2951 #ifndef CONFIG_PPC32
2952         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2953                 /*
2954                  * We are making executable an anonymous mapping or a
2955                  * private file mapping that will also be writable.
2956                  * This has an additional check.
2957                  */
2958                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2959                 if (rc)
2960                         return rc;
2961         }
2962 #endif
2963
2964         if (file) {
2965                 /* read access is always possible with a mapping */
2966                 u32 av = FILE__READ;
2967
2968                 /* write access only matters if the mapping is shared */
2969                 if (shared && (prot & PROT_WRITE))
2970                         av |= FILE__WRITE;
2971
2972                 if (prot & PROT_EXEC)
2973                         av |= FILE__EXECUTE;
2974
2975                 return file_has_perm(current, file, av);
2976         }
2977         return 0;
2978 }
2979
2980 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2981                              unsigned long prot, unsigned long flags,
2982                              unsigned long addr, unsigned long addr_only)
2983 {
2984         int rc = 0;
2985         u32 sid = ((struct task_security_struct *)(current->security))->sid;
2986
2987         if (addr < mmap_min_addr)
2988                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2989                                   MEMPROTECT__MMAP_ZERO, NULL);
2990         if (rc || addr_only)
2991                 return rc;
2992
2993         if (selinux_checkreqprot)
2994                 prot = reqprot;
2995
2996         return file_map_prot_check(file, prot,
2997                                    (flags & MAP_TYPE) == MAP_SHARED);
2998 }
2999
3000 static int selinux_file_mprotect(struct vm_area_struct *vma,
3001                                  unsigned long reqprot,
3002                                  unsigned long prot)
3003 {
3004         int rc;
3005
3006         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3007         if (rc)
3008                 return rc;
3009
3010         if (selinux_checkreqprot)
3011                 prot = reqprot;
3012
3013 #ifndef CONFIG_PPC32
3014         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3015                 rc = 0;
3016                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3017                     vma->vm_end <= vma->vm_mm->brk) {
3018                         rc = task_has_perm(current, current,
3019                                            PROCESS__EXECHEAP);
3020                 } else if (!vma->vm_file &&
3021                            vma->vm_start <= vma->vm_mm->start_stack &&
3022                            vma->vm_end >= vma->vm_mm->start_stack) {
3023                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3024                 } else if (vma->vm_file && vma->anon_vma) {
3025                         /*
3026                          * We are making executable a file mapping that has
3027                          * had some COW done. Since pages might have been
3028                          * written, check ability to execute the possibly
3029                          * modified content.  This typically should only
3030                          * occur for text relocations.
3031                          */
3032                         rc = file_has_perm(current, vma->vm_file,
3033                                            FILE__EXECMOD);
3034                 }
3035                 if (rc)
3036                         return rc;
3037         }
3038 #endif
3039
3040         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3041 }
3042
3043 static int selinux_file_lock(struct file *file, unsigned int cmd)
3044 {
3045         return file_has_perm(current, file, FILE__LOCK);
3046 }
3047
3048 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3049                               unsigned long arg)
3050 {
3051         int err = 0;
3052
3053         switch (cmd) {
3054         case F_SETFL:
3055                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3056                         err = -EINVAL;
3057                         break;
3058                 }
3059
3060                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3061                         err = file_has_perm(current, file, FILE__WRITE);
3062                         break;
3063                 }
3064                 /* fall through */
3065         case F_SETOWN:
3066         case F_SETSIG:
3067         case F_GETFL:
3068         case F_GETOWN:
3069         case F_GETSIG:
3070                 /* Just check FD__USE permission */
3071                 err = file_has_perm(current, file, 0);
3072                 break;
3073         case F_GETLK:
3074         case F_SETLK:
3075         case F_SETLKW:
3076 #if BITS_PER_LONG == 32
3077         case F_GETLK64:
3078         case F_SETLK64:
3079         case F_SETLKW64:
3080 #endif
3081                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3082                         err = -EINVAL;
3083                         break;
3084                 }
3085                 err = file_has_perm(current, file, FILE__LOCK);
3086                 break;
3087         }
3088
3089         return err;
3090 }
3091
3092 static int selinux_file_set_fowner(struct file *file)
3093 {
3094         struct task_security_struct *tsec;
3095         struct file_security_struct *fsec;
3096
3097         tsec = current->security;
3098         fsec = file->f_security;
3099         fsec->fown_sid = tsec->sid;
3100
3101         return 0;
3102 }
3103
3104 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3105                                        struct fown_struct *fown, int signum)
3106 {
3107         struct file *file;
3108         u32 perm;
3109         struct task_security_struct *tsec;
3110         struct file_security_struct *fsec;
3111
3112         /* struct fown_struct is never outside the context of a struct file */
3113         file = container_of(fown, struct file, f_owner);
3114
3115         tsec = tsk->security;
3116         fsec = file->f_security;
3117
3118         if (!signum)
3119                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3120         else
3121                 perm = signal_to_av(signum);
3122
3123         return avc_has_perm(fsec->fown_sid, tsec->sid,
3124                             SECCLASS_PROCESS, perm, NULL);
3125 }
3126
3127 static int selinux_file_receive(struct file *file)
3128 {
3129         return file_has_perm(current, file, file_to_av(file));
3130 }
3131
3132 static int selinux_dentry_open(struct file *file)
3133 {
3134         struct file_security_struct *fsec;
3135         struct inode *inode;
3136         struct inode_security_struct *isec;
3137         inode = file->f_path.dentry->d_inode;
3138         fsec = file->f_security;
3139         isec = inode->i_security;
3140         /*
3141          * Save inode label and policy sequence number
3142          * at open-time so that selinux_file_permission
3143          * can determine whether revalidation is necessary.
3144          * Task label is already saved in the file security
3145          * struct as its SID.
3146          */
3147         fsec->isid = isec->sid;
3148         fsec->pseqno = avc_policy_seqno();
3149         /*
3150          * Since the inode label or policy seqno may have changed
3151          * between the selinux_inode_permission check and the saving
3152          * of state above, recheck that access is still permitted.
3153          * Otherwise, access might never be revalidated against the
3154          * new inode label or new policy.
3155          * This check is not redundant - do not remove.
3156          */
3157         return inode_has_perm(current, inode, file_to_av(file), NULL);
3158 }
3159
3160 /* task security operations */
3161
3162 static int selinux_task_create(unsigned long clone_flags)
3163 {
3164         int rc;
3165
3166         rc = secondary_ops->task_create(clone_flags);
3167         if (rc)
3168                 return rc;
3169
3170         return task_has_perm(current, current, PROCESS__FORK);
3171 }
3172
3173 static int selinux_task_alloc_security(struct task_struct *tsk)
3174 {
3175         struct task_security_struct *tsec1, *tsec2;
3176         int rc;
3177
3178         tsec1 = current->security;
3179
3180         rc = task_alloc_security(tsk);
3181         if (rc)
3182                 return rc;
3183         tsec2 = tsk->security;
3184
3185         tsec2->osid = tsec1->osid;
3186         tsec2->sid = tsec1->sid;
3187
3188         /* Retain the exec, fs, key, and sock SIDs across fork */
3189         tsec2->exec_sid = tsec1->exec_sid;
3190         tsec2->create_sid = tsec1->create_sid;
3191         tsec2->keycreate_sid = tsec1->keycreate_sid;
3192         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3193
3194         return 0;
3195 }
3196
3197 static void selinux_task_free_security(struct task_struct *tsk)
3198 {
3199         task_free_security(tsk);
3200 }
3201
3202 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3203 {
3204         /* Since setuid only affects the current process, and
3205            since the SELinux controls are not based on the Linux
3206            identity attributes, SELinux does not need to control
3207            this operation.  However, SELinux does control the use
3208            of the CAP_SETUID and CAP_SETGID capabilities using the
3209            capable hook. */
3210         return 0;
3211 }
3212
3213 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3214 {
3215         return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3216 }
3217
3218 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3219 {
3220         /* See the comment for setuid above. */
3221         return 0;
3222 }
3223
3224 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3225 {
3226         return task_has_perm(current, p, PROCESS__SETPGID);
3227 }
3228
3229 static int selinux_task_getpgid(struct task_struct *p)
3230 {
3231         return task_has_perm(current, p, PROCESS__GETPGID);
3232 }
3233
3234 static int selinux_task_getsid(struct task_struct *p)
3235 {
3236         return task_has_perm(current, p, PROCESS__GETSESSION);
3237 }
3238
3239 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3240 {
3241         struct task_security_struct *tsec = p->security;
3242         *secid = tsec->sid;
3243 }
3244
3245 static int selinux_task_setgroups(struct group_info *group_info)
3246 {
3247         /* See the comment for setuid above. */
3248         return 0;
3249 }
3250
3251 static int selinux_task_setnice(struct task_struct *p, int nice)
3252 {
3253         int rc;
3254
3255         rc = secondary_ops->task_setnice(p, nice);
3256         if (rc)
3257                 return rc;
3258
3259         return task_has_perm(current, p, PROCESS__SETSCHED);
3260 }
3261
3262 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3263 {
3264         int rc;
3265
3266         rc = secondary_ops->task_setioprio(p, ioprio);
3267         if (rc)
3268                 return rc;
3269
3270         return task_has_perm(current, p, PROCESS__SETSCHED);
3271 }
3272
3273 static int selinux_task_getioprio(struct task_struct *p)
3274 {
3275         return task_has_perm(current, p, PROCESS__GETSCHED);
3276 }
3277
3278 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3279 {
3280         struct rlimit *old_rlim = current->signal->rlim + resource;
3281         int rc;
3282
3283         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3284         if (rc)
3285                 return rc;
3286
3287         /* Control the ability to change the hard limit (whether
3288            lowering or raising it), so that the hard limit can
3289            later be used as a safe reset point for the soft limit
3290            upon context transitions. See selinux_bprm_apply_creds. */
3291         if (old_rlim->rlim_max != new_rlim->rlim_max)
3292                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3293
3294         return 0;
3295 }
3296
3297 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3298 {
3299         int rc;
3300
3301         rc = secondary_ops->task_setscheduler(p, policy, lp);
3302         if (rc)
3303                 return rc;
3304
3305         return task_has_perm(current, p, PROCESS__SETSCHED);
3306 }
3307
3308 static int selinux_task_getscheduler(struct task_struct *p)
3309 {
3310         return task_has_perm(current, p, PROCESS__GETSCHED);
3311 }
3312
3313 static int selinux_task_movememory(struct task_struct *p)
3314 {
3315         return task_has_perm(current, p, PROCESS__SETSCHED);
3316 }
3317
3318 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3319                                 int sig, u32 secid)
3320 {
3321         u32 perm;
3322         int rc;
3323         struct task_security_struct *tsec;
3324
3325         rc = secondary_ops->task_kill(p, info, sig, secid);
3326         if (rc)
3327                 return rc;
3328
3329         if (!sig)
3330                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3331         else
3332                 perm = signal_to_av(sig);
3333         tsec = p->security;
3334         if (secid)
3335                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3336         else
3337                 rc = task_has_perm(current, p, perm);
3338         return rc;
3339 }
3340
3341 static int selinux_task_prctl(int option,
3342                               unsigned long arg2,
3343                               unsigned long arg3,
3344                               unsigned long arg4,
3345                               unsigned long arg5,
3346                               long *rc_p)
3347 {
3348         /* The current prctl operations do not appear to require
3349            any SELinux controls since they merely observe or modify
3350            the state of the current process. */
3351         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3352 }
3353
3354 static int selinux_task_wait(struct task_struct *p)
3355 {
3356         return task_has_perm(p, current, PROCESS__SIGCHLD);
3357 }
3358
3359 static void selinux_task_reparent_to_init(struct task_struct *p)
3360 {
3361         struct task_security_struct *tsec;
3362
3363         secondary_ops->task_reparent_to_init(p);
3364
3365         tsec = p->security;
3366         tsec->osid = tsec->sid;
3367         tsec->sid = SECINITSID_KERNEL;
3368         return;
3369 }
3370
3371 static void selinux_task_to_inode(struct task_struct *p,
3372                                   struct inode *inode)
3373 {
3374         struct task_security_struct *tsec = p->security;
3375         struct inode_security_struct *isec = inode->i_security;
3376
3377         isec->sid = tsec->sid;
3378         isec->initialized = 1;
3379         return;
3380 }
3381
3382 /* Returns error only if unable to parse addresses */
3383 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3384                         struct avc_audit_data *ad, u8 *proto)
3385 {
3386         int offset, ihlen, ret = -EINVAL;
3387         struct iphdr _iph, *ih;
3388
3389         offset = skb_network_offset(skb);
3390         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3391         if (ih == NULL)
3392                 goto out;
3393
3394         ihlen = ih->ihl * 4;
3395         if (ihlen < sizeof(_iph))
3396                 goto out;
3397
3398         ad->u.net.v4info.saddr = ih->saddr;
3399         ad->u.net.v4info.daddr = ih->daddr;
3400         ret = 0;
3401
3402         if (proto)
3403                 *proto = ih->protocol;
3404
3405         switch (ih->protocol) {
3406         case IPPROTO_TCP: {
3407                 struct tcphdr _tcph, *th;
3408
3409                 if (ntohs(ih->frag_off) & IP_OFFSET)
3410                         break;
3411
3412                 offset += ihlen;
3413                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3414                 if (th == NULL)
3415                         break;
3416
3417                 ad->u.net.sport = th->source;
3418                 ad->u.net.dport = th->dest;
3419                 break;
3420         }
3421
3422         case IPPROTO_UDP: {
3423                 struct udphdr _udph, *uh;
3424
3425                 if (ntohs(ih->frag_off) & IP_OFFSET)
3426                         break;
3427
3428                 offset += ihlen;
3429                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3430                 if (uh == NULL)
3431                         break;
3432
3433                 ad->u.net.sport = uh->source;
3434                 ad->u.net.dport = uh->dest;
3435                 break;
3436         }
3437
3438         case IPPROTO_DCCP: {
3439                 struct dccp_hdr _dccph, *dh;
3440
3441                 if (ntohs(ih->frag_off) & IP_OFFSET)
3442                         break;
3443
3444                 offset += ihlen;
3445                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3446                 if (dh == NULL)
3447                         break;
3448
3449                 ad->u.net.sport = dh->dccph_sport;
3450                 ad->u.net.dport = dh->dccph_dport;
3451                 break;
3452         }
3453
3454         default:
3455                 break;
3456         }
3457 out:
3458         return ret;
3459 }
3460
3461 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3462
3463 /* Returns error only if unable to parse addresses */
3464 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3465                         struct avc_audit_data *ad, u8 *proto)
3466 {
3467         u8 nexthdr;
3468         int ret = -EINVAL, offset;
3469         struct ipv6hdr _ipv6h, *ip6;
3470
3471         offset = skb_network_offset(skb);
3472         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3473         if (ip6 == NULL)
3474                 goto out;
3475
3476         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3477         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3478         ret = 0;
3479
3480         nexthdr = ip6->nexthdr;
3481         offset += sizeof(_ipv6h);
3482         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3483         if (offset < 0)
3484                 goto out;
3485
3486         if (proto)
3487                 *proto = nexthdr;
3488
3489         switch (nexthdr) {
3490         case IPPROTO_TCP: {
3491                 struct tcphdr _tcph, *th;
3492
3493                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3494                 if (th == NULL)
3495                         break;
3496
3497                 ad->u.net.sport = th->source;
3498                 ad->u.net.dport = th->dest;
3499                 break;
3500         }
3501
3502         case IPPROTO_UDP: {
3503                 struct udphdr _udph, *uh;
3504
3505                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3506                 if (uh == NULL)
3507                         break;
3508
3509                 ad->u.net.sport = uh->source;
3510                 ad->u.net.dport = uh->dest;
3511                 break;
3512         }
3513
3514         case IPPROTO_DCCP: {
3515                 struct dccp_hdr _dccph, *dh;
3516
3517                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3518                 if (dh == NULL)
3519                         break;
3520
3521                 ad->u.net.sport = dh->dccph_sport;
3522                 ad->u.net.dport = dh->dccph_dport;
3523                 break;
3524         }
3525
3526         /* includes fragments */
3527         default:
3528                 break;
3529         }
3530 out:
3531         return ret;
3532 }
3533
3534 #endif /* IPV6 */
3535
3536 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3537                              char **addrp, int src, u8 *proto)
3538 {
3539         int ret = 0;
3540
3541         switch (ad->u.net.family) {
3542         case PF_INET:
3543                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3544                 if (ret || !addrp)
3545                         break;
3546                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3547                                         &ad->u.net.v4info.daddr);
3548                 break;
3549
3550 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3551         case PF_INET6:
3552                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3553                 if (ret || !addrp)
3554                         break;
3555                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3556                                         &ad->u.net.v6info.daddr);
3557                 break;
3558 #endif  /* IPV6 */
3559         default:
3560                 break;
3561         }
3562
3563         if (unlikely(ret))
3564                 printk(KERN_WARNING
3565                        "SELinux: failure in selinux_parse_skb(),"
3566                        " unable to parse packet\n");
3567
3568         return ret;
3569 }
3570
3571 /**
3572  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3573  * @skb: the packet
3574  * @family: protocol family
3575  * @sid: the packet's peer label SID
3576  *
3577  * Description:
3578  * Check the various different forms of network peer labeling and determine
3579  * the peer label/SID for the packet; most of the magic actually occurs in
3580  * the security server function security_net_peersid_cmp().  The function
3581  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3582  * or -EACCES if @sid is invalid due to inconsistencies with the different
3583  * peer labels.
3584  *
3585  */
3586 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3587 {
3588         int err;
3589         u32 xfrm_sid;
3590         u32 nlbl_sid;
3591         u32 nlbl_type;
3592
3593         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3594         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3595
3596         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3597         if (unlikely(err)) {
3598                 printk(KERN_WARNING
3599                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3600                        " unable to determine packet's peer label\n");
3601                 return -EACCES;
3602         }
3603
3604         return 0;
3605 }
3606
3607 /* socket security operations */
3608 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3609                            u32 perms)
3610 {
3611         struct inode_security_struct *isec;
3612         struct task_security_struct *tsec;
3613         struct avc_audit_data ad;
3614         int err = 0;
3615
3616         tsec = task->security;
3617         isec = SOCK_INODE(sock)->i_security;
3618
3619         if (isec->sid == SECINITSID_KERNEL)
3620                 goto out;
3621
3622         AVC_AUDIT_DATA_INIT(&ad, NET);
3623         ad.u.net.sk = sock->sk;
3624         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3625
3626 out:
3627         return err;
3628 }
3629
3630 static int selinux_socket_create(int family, int type,
3631                                  int protocol, int kern)
3632 {
3633         int err = 0;
3634         struct task_security_struct *tsec;
3635         u32 newsid;
3636
3637         if (kern)
3638                 goto out;
3639
3640         tsec = current->security;
3641         newsid = tsec->sockcreate_sid ? : tsec->sid;
3642         err = avc_has_perm(tsec->sid, newsid,
3643                            socket_type_to_security_class(family, type,
3644                            protocol), SOCKET__CREATE, NULL);
3645
3646 out:
3647         return err;
3648 }
3649
3650 static int selinux_socket_post_create(struct socket *sock, int family,
3651                                       int type, int protocol, int kern)
3652 {
3653         int err = 0;
3654         struct inode_security_struct *isec;
3655         struct task_security_struct *tsec;
3656         struct sk_security_struct *sksec;
3657         u32 newsid;
3658
3659         isec = SOCK_INODE(sock)->i_security;
3660
3661         tsec = current->security;
3662         newsid = tsec->sockcreate_sid ? : tsec->sid;
3663         isec->sclass = socket_type_to_security_class(family, type, protocol);
3664         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3665         isec->initialized = 1;
3666
3667         if (sock->sk) {
3668                 sksec = sock->sk->sk_security;
3669                 sksec->sid = isec->sid;
3670                 sksec->sclass = isec->sclass;
3671                 err = selinux_netlbl_socket_post_create(sock);
3672         }
3673
3674         return err;
3675 }
3676
3677 /* Range of port numbers used to automatically bind.
3678    Need to determine whether we should perform a name_bind
3679    permission check between the socket and the port number. */
3680
3681 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3682 {
3683         u16 family;
3684         int err;
3685
3686         err = socket_has_perm(current, sock, SOCKET__BIND);
3687         if (err)
3688                 goto out;
3689
3690         /*
3691          * If PF_INET or PF_INET6, check name_bind permission for the port.
3692          * Multiple address binding for SCTP is not supported yet: we just
3693          * check the first address now.
3694          */
3695         family = sock->sk->sk_family;
3696         if (family == PF_INET || family == PF_INET6) {
3697                 char *addrp;
3698                 struct inode_security_struct *isec;
3699                 struct task_security_struct *tsec;
3700                 struct avc_audit_data ad;
3701                 struct sockaddr_in *addr4 = NULL;
3702                 struct sockaddr_in6 *addr6 = NULL;
3703                 unsigned short snum;
3704                 struct sock *sk = sock->sk;
3705                 u32 sid, node_perm;
3706
3707                 tsec = current->security;
3708                 isec = SOCK_INODE(sock)->i_security;
3709
3710                 if (family == PF_INET) {
3711                         addr4 = (struct sockaddr_in *)address;
3712                         snum = ntohs(addr4->sin_port);
3713                         addrp = (char *)&addr4->sin_addr.s_addr;
3714                 } else {
3715                         addr6 = (struct sockaddr_in6 *)address;
3716                         snum = ntohs(addr6->sin6_port);
3717                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3718                 }
3719
3720                 if (snum) {
3721                         int low, high;
3722
3723                         inet_get_local_port_range(&low, &high);
3724
3725                         if (snum < max(PROT_SOCK, low) || snum > high) {
3726                                 err = sel_netport_sid(sk->sk_protocol,
3727                                                       snum, &sid);
3728                                 if (err)
3729                                         goto out;
3730                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3731                                 ad.u.net.sport = htons(snum);
3732                                 ad.u.net.family = family;
3733                                 err = avc_has_perm(isec->sid, sid,
3734                                                    isec->sclass,
3735                                                    SOCKET__NAME_BIND, &ad);
3736                                 if (err)
3737                                         goto out;
3738                         }
3739                 }
3740
3741                 switch (isec->sclass) {
3742                 case SECCLASS_TCP_SOCKET:
3743                         node_perm = TCP_SOCKET__NODE_BIND;
3744                         break;
3745
3746                 case SECCLASS_UDP_SOCKET:
3747                         node_perm = UDP_SOCKET__NODE_BIND;
3748                         break;
3749
3750                 case SECCLASS_DCCP_SOCKET:
3751                         node_perm = DCCP_SOCKET__NODE_BIND;
3752                         break;
3753
3754                 default:
3755                         node_perm = RAWIP_SOCKET__NODE_BIND;
3756                         break;
3757                 }
3758
3759                 err = sel_netnode_sid(addrp, family, &sid);
3760                 if (err)
3761                         goto out;
3762
3763                 AVC_AUDIT_DATA_INIT(&ad, NET);
3764                 ad.u.net.sport = htons(snum);
3765                 ad.u.net.family = family;
3766
3767                 if (family == PF_INET)
3768                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3769                 else
3770                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3771
3772                 err = avc_has_perm(isec->sid, sid,
3773                                    isec->sclass, node_perm, &ad);
3774                 if (err)
3775                         goto out;
3776         }
3777 out:
3778         return err;
3779 }
3780
3781 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3782 {
3783         struct inode_security_struct *isec;
3784         int err;
3785
3786         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3787         if (err)
3788                 return err;
3789
3790         /*
3791          * If a TCP or DCCP socket, check name_connect permission for the port.
3792          */
3793         isec = SOCK_INODE(sock)->i_security;
3794         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3795             isec->sclass == SECCLASS_DCCP_SOCKET) {
3796                 struct sock *sk = sock->sk;
3797                 struct avc_audit_data ad;
3798                 struct sockaddr_in *addr4 = NULL;
3799                 struct sockaddr_in6 *addr6 = NULL;
3800                 unsigned short snum;
3801                 u32 sid, perm;
3802
3803                 if (sk->sk_family == PF_INET) {
3804                         addr4 = (struct sockaddr_in *)address;
3805                         if (addrlen < sizeof(struct sockaddr_in))
3806                                 return -EINVAL;
3807                         snum = ntohs(addr4->sin_port);
3808                 } else {
3809                         addr6 = (struct sockaddr_in6 *)address;
3810                         if (addrlen < SIN6_LEN_RFC2133)
3811                                 return -EINVAL;
3812                         snum = ntohs(addr6->sin6_port);
3813                 }
3814
3815                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3816                 if (err)
3817                         goto out;
3818
3819                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3820                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3821
3822                 AVC_AUDIT_DATA_INIT(&ad, NET);
3823                 ad.u.net.dport = htons(snum);
3824                 ad.u.net.family = sk->sk_family;
3825                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3826                 if (err)
3827                         goto out;
3828         }
3829
3830 out:
3831         return err;
3832 }
3833
3834 static int selinux_socket_listen(struct socket *sock, int backlog)
3835 {
3836         return socket_has_perm(current, sock, SOCKET__LISTEN);
3837 }
3838
3839 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3840 {
3841         int err;
3842         struct inode_security_struct *isec;
3843         struct inode_security_struct *newisec;
3844
3845         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3846         if (err)
3847                 return err;
3848
3849         newisec = SOCK_INODE(newsock)->i_security;
3850
3851         isec = SOCK_INODE(sock)->i_security;
3852         newisec->sclass = isec->sclass;
3853         newisec->sid = isec->sid;
3854         newisec->initialized = 1;
3855
3856         return 0;
3857 }
3858
3859 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3860                                   int size)
3861 {
3862         int rc;
3863
3864         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3865         if (rc)
3866                 return rc;
3867
3868         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3869 }
3870
3871 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3872                                   int size, int flags)
3873 {
3874         return socket_has_perm(current, sock, SOCKET__READ);
3875 }
3876
3877 static int selinux_socket_getsockname(struct socket *sock)
3878 {
3879         return socket_has_perm(current, sock, SOCKET__GETATTR);
3880 }
3881
3882 static int selinux_socket_getpeername(struct socket *sock)
3883 {
3884         return socket_has_perm(current, sock, SOCKET__GETATTR);
3885 }
3886
3887 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3888 {
3889         int err;
3890
3891         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3892         if (err)
3893                 return err;
3894
3895         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3896 }
3897
3898 static int selinux_socket_getsockopt(struct socket *sock, int level,
3899                                      int optname)
3900 {
3901         return socket_has_perm(current, sock, SOCKET__GETOPT);
3902 }
3903
3904 static int selinux_socket_shutdown(struct socket *sock, int how)
3905 {
3906         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3907 }
3908
3909 static int selinux_socket_unix_stream_connect(struct socket *sock,
3910                                               struct socket *other,
3911                                               struct sock *newsk)
3912 {
3913         struct sk_security_struct *ssec;
3914         struct inode_security_struct *isec;
3915         struct inode_security_struct *other_isec;
3916         struct avc_audit_data ad;
3917         int err;
3918
3919         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3920         if (err)
3921                 return err;
3922
3923         isec = SOCK_INODE(sock)->i_security;
3924         other_isec = SOCK_INODE(other)->i_security;
3925
3926         AVC_AUDIT_DATA_INIT(&ad, NET);
3927         ad.u.net.sk = other->sk;
3928
3929         err = avc_has_perm(isec->sid, other_isec->sid,
3930                            isec->sclass,
3931                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3932         if (err)
3933                 return err;
3934
3935         /* connecting socket */
3936         ssec = sock->sk->sk_security;
3937         ssec->peer_sid = other_isec->sid;
3938
3939         /* server child socket */
3940         ssec = newsk->sk_security;
3941         ssec->peer_sid = isec->sid;
3942         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3943
3944         return err;
3945 }
3946
3947 static int selinux_socket_unix_may_send(struct socket *sock,
3948                                         struct socket *other)
3949 {
3950         struct inode_security_struct *isec;
3951         struct inode_security_struct *other_isec;
3952         struct avc_audit_data ad;
3953         int err;
3954
3955         isec = SOCK_INODE(sock)->i_security;
3956         other_isec = SOCK_INODE(other)->i_security;
3957
3958         AVC_AUDIT_DATA_INIT(&ad, NET);
3959         ad.u.net.sk = other->sk;
3960
3961         err = avc_has_perm(isec->sid, other_isec->sid,
3962                            isec->sclass, SOCKET__SENDTO, &ad);
3963         if (err)
3964                 return err;
3965
3966         return 0;
3967 }
3968
3969 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3970                                     u32 peer_sid,
3971                                     struct avc_audit_data *ad)
3972 {
3973         int err;
3974         u32 if_sid;
3975         u32 node_sid;
3976
3977         err = sel_netif_sid(ifindex, &if_sid);
3978         if (err)
3979                 return err;
3980         err = avc_has_perm(peer_sid, if_sid,
3981                            SECCLASS_NETIF, NETIF__INGRESS, ad);
3982         if (err)
3983                 return err;
3984
3985         err = sel_netnode_sid(addrp, family, &node_sid);
3986         if (err)
3987                 return err;
3988         return avc_has_perm(peer_sid, node_sid,
3989                             SECCLASS_NODE, NODE__RECVFROM, ad);
3990 }
3991
3992 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3993                                                 struct sk_buff *skb,
3994                                                 struct avc_audit_data *ad,
3995                                                 u16 family,
3996                                                 char *addrp)
3997 {
3998         int err;
3999         struct sk_security_struct *sksec = sk->sk_security;
4000         u16 sk_class;
4001         u32 netif_perm, node_perm, recv_perm;
4002         u32 port_sid, node_sid, if_sid, sk_sid;
4003
4004         sk_sid = sksec->sid;
4005         sk_class = sksec->sclass;
4006
4007         switch (sk_class) {
4008         case SECCLASS_UDP_SOCKET:
4009                 netif_perm = NETIF__UDP_RECV;
4010                 node_perm = NODE__UDP_RECV;
4011                 recv_perm = UDP_SOCKET__RECV_MSG;
4012                 break;
4013         case SECCLASS_TCP_SOCKET:
4014                 netif_perm = NETIF__TCP_RECV;
4015                 node_perm = NODE__TCP_RECV;
4016                 recv_perm = TCP_SOCKET__RECV_MSG;
4017                 break;
4018         case SECCLASS_DCCP_SOCKET:
4019                 netif_perm = NETIF__DCCP_RECV;
4020                 node_perm = NODE__DCCP_RECV;
4021                 recv_perm = DCCP_SOCKET__RECV_MSG;
4022                 break;
4023         default:
4024                 netif_perm = NETIF__RAWIP_RECV;
4025                 node_perm = NODE__RAWIP_RECV;
4026                 recv_perm = 0;
4027                 break;
4028         }
4029
4030         err = sel_netif_sid(skb->iif, &if_sid);
4031         if (err)
4032                 return err;
4033         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4034         if (err)
4035                 return err;
4036
4037         err = sel_netnode_sid(addrp, family, &node_sid);
4038         if (err)
4039                 return err;
4040         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4041         if (err)
4042                 return err;
4043
4044         if (!recv_perm)
4045                 return 0;
4046         err = sel_netport_sid(sk->sk_protocol,
4047                               ntohs(ad->u.net.sport), &port_sid);
4048         if (unlikely(err)) {
4049                 printk(KERN_WARNING
4050                        "SELinux: failure in"
4051                        " selinux_sock_rcv_skb_iptables_compat(),"
4052                        " network port label not found\n");
4053                 return err;
4054         }
4055         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4056 }
4057
4058 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4059                                        struct avc_audit_data *ad,
4060                                        u16 family, char *addrp)
4061 {
4062         int err;
4063         struct sk_security_struct *sksec = sk->sk_security;
4064         u32 peer_sid;
4065         u32 sk_sid = sksec->sid;
4066
4067         if (selinux_compat_net)
4068                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4069                                                            family, addrp);
4070         else
4071                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4072                                    PACKET__RECV, ad);
4073         if (err)
4074                 return err;
4075
4076         if (selinux_policycap_netpeer) {
4077                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4078                 if (err)
4079                         return err;
4080                 err = avc_has_perm(sk_sid, peer_sid,
4081                                    SECCLASS_PEER, PEER__RECV, ad);
4082         } else {
4083                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4084                 if (err)
4085                         return err;
4086                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4087         }
4088
4089         return err;
4090 }
4091
4092 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4093 {
4094         int err;
4095         struct sk_security_struct *sksec = sk->sk_security;
4096         u16 family = sk->sk_family;
4097         u32 sk_sid = sksec->sid;
4098         struct avc_audit_data ad;
4099         char *addrp;
4100
4101         if (family != PF_INET && family != PF_INET6)
4102                 return 0;
4103
4104         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4105         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4106                 family = PF_INET;
4107
4108         AVC_AUDIT_DATA_INIT(&ad, NET);
4109         ad.u.net.netif = skb->iif;
4110         ad.u.net.family = family;
4111         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4112         if (err)
4113                 return err;
4114
4115         /* If any sort of compatibility mode is enabled then handoff processing
4116          * to the selinux_sock_rcv_skb_compat() function to deal with the
4117          * special handling.  We do this in an attempt to keep this function
4118          * as fast and as clean as possible. */
4119         if (selinux_compat_net || !selinux_policycap_netpeer)
4120                 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4121                                                    family, addrp);
4122
4123         if (netlbl_enabled() || selinux_xfrm_enabled()) {
4124                 u32 peer_sid;
4125
4126                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4127                 if (err)
4128                         return err;
4129                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4130                                                peer_sid, &ad);
4131                 if (err)
4132                         return err;
4133                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4134                                    PEER__RECV, &ad);
4135         }
4136
4137         if (selinux_secmark_enabled()) {
4138                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4139                                    PACKET__RECV, &ad);
4140                 if (err)
4141                         return err;
4142         }
4143
4144         return err;
4145 }
4146
4147 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4148                                             int __user *optlen, unsigned len)
4149 {
4150         int err = 0;
4151         char *scontext;
4152         u32 scontext_len;
4153         struct sk_security_struct *ssec;
4154         struct inode_security_struct *isec;
4155         u32 peer_sid = SECSID_NULL;
4156
4157         isec = SOCK_INODE(sock)->i_security;
4158
4159         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4160             isec->sclass == SECCLASS_TCP_SOCKET) {
4161                 ssec = sock->sk->sk_security;
4162                 peer_sid = ssec->peer_sid;
4163         }
4164         if (peer_sid == SECSID_NULL) {
4165                 err = -ENOPROTOOPT;
4166                 goto out;
4167         }
4168
4169         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4170
4171         if (err)
4172                 goto out;
4173
4174         if (scontext_len > len) {
4175                 err = -ERANGE;
4176                 goto out_len;
4177         }
4178
4179         if (copy_to_user(optval, scontext, scontext_len))
4180                 err = -EFAULT;
4181
4182 out_len:
4183         if (put_user(scontext_len, optlen))
4184                 err = -EFAULT;
4185
4186         kfree(scontext);
4187 out:
4188         return err;
4189 }
4190
4191 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4192 {
4193         u32 peer_secid = SECSID_NULL;
4194         u16 family;
4195
4196         if (sock)
4197                 family = sock->sk->sk_family;
4198         else if (skb && skb->sk)
4199                 family = skb->sk->sk_family;
4200         else
4201                 goto out;
4202
4203         if (sock && family == PF_UNIX)
4204                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4205         else if (skb)
4206                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4207
4208 out:
4209         *secid = peer_secid;
4210         if (peer_secid == SECSID_NULL)
4211                 return -EINVAL;
4212         return 0;
4213 }
4214
4215 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4216 {
4217         return sk_alloc_security(sk, family, priority);
4218 }
4219
4220 static void selinux_sk_free_security(struct sock *sk)
4221 {
4222         sk_free_security(sk);
4223 }
4224
4225 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4226 {
4227         struct sk_security_struct *ssec = sk->sk_security;
4228         struct sk_security_struct *newssec = newsk->sk_security;
4229
4230         newssec->sid = ssec->sid;
4231         newssec->peer_sid = ssec->peer_sid;
4232         newssec->sclass = ssec->sclass;
4233
4234         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4235 }
4236
4237 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4238 {
4239         if (!sk)
4240                 *secid = SECINITSID_ANY_SOCKET;
4241         else {
4242                 struct sk_security_struct *sksec = sk->sk_security;
4243
4244                 *secid = sksec->sid;
4245         }
4246 }
4247
4248 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4249 {
4250         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4251         struct sk_security_struct *sksec = sk->sk_security;
4252
4253         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4254             sk->sk_family == PF_UNIX)
4255                 isec->sid = sksec->sid;
4256         sksec->sclass = isec->sclass;
4257
4258         selinux_netlbl_sock_graft(sk, parent);
4259 }
4260
4261 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4262                                      struct request_sock *req)
4263 {
4264         struct sk_security_struct *sksec = sk->sk_security;
4265         int err;
4266         u32 newsid;
4267         u32 peersid;
4268
4269         err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4270         if (err)
4271                 return err;
4272         if (peersid == SECSID_NULL) {
4273                 req->secid = sksec->sid;
4274                 req->peer_secid = SECSID_NULL;
4275                 return 0;
4276         }
4277
4278         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4279         if (err)
4280                 return err;
4281
4282         req->secid = newsid;
4283         req->peer_secid = peersid;
4284         return 0;
4285 }
4286
4287 static void selinux_inet_csk_clone(struct sock *newsk,
4288                                    const struct request_sock *req)
4289 {
4290         struct sk_security_struct *newsksec = newsk->sk_security;
4291
4292         newsksec->sid = req->secid;
4293         newsksec->peer_sid = req->peer_secid;
4294         /* NOTE: Ideally, we should also get the isec->sid for the
4295            new socket in sync, but we don't have the isec available yet.
4296            So we will wait until sock_graft to do it, by which
4297            time it will have been created and available. */
4298
4299         /* We don't need to take any sort of lock here as we are the only
4300          * thread with access to newsksec */
4301         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4302 }
4303
4304 static void selinux_inet_conn_established(struct sock *sk,
4305                                 struct sk_buff *skb)
4306 {
4307         struct sk_security_struct *sksec = sk->sk_security;
4308
4309         selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4310 }
4311
4312 static void selinux_req_classify_flow(const struct request_sock *req,
4313                                       struct flowi *fl)
4314 {
4315         fl->secid = req->secid;
4316 }
4317
4318 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4319 {
4320         int err = 0;
4321         u32 perm;
4322         struct nlmsghdr *nlh;
4323         struct socket *sock = sk->sk_socket;
4324         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4325
4326         if (skb->len < NLMSG_SPACE(0)) {
4327                 err = -EINVAL;
4328                 goto out;
4329         }
4330         nlh = nlmsg_hdr(skb);
4331
4332         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4333         if (err) {
4334                 if (err == -EINVAL) {
4335                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4336                                   "SELinux:  unrecognized netlink message"
4337                                   " type=%hu for sclass=%hu\n",
4338                                   nlh->nlmsg_type, isec->sclass);
4339                         if (!selinux_enforcing)
4340                                 err = 0;
4341                 }
4342
4343                 /* Ignore */
4344                 if (err == -ENOENT)
4345                         err = 0;
4346                 goto out;
4347         }
4348
4349         err = socket_has_perm(current, sock, perm);
4350 out:
4351         return err;
4352 }
4353
4354 #ifdef CONFIG_NETFILTER
4355
4356 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4357                                        u16 family)
4358 {
4359         char *addrp;
4360         u32 peer_sid;
4361         struct avc_audit_data ad;
4362         u8 secmark_active;
4363         u8 peerlbl_active;
4364
4365         if (!selinux_policycap_netpeer)
4366                 return NF_ACCEPT;
4367
4368         secmark_active = selinux_secmark_enabled();
4369         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4370         if (!secmark_active && !peerlbl_active)
4371                 return NF_ACCEPT;
4372
4373         AVC_AUDIT_DATA_INIT(&ad, NET);
4374         ad.u.net.netif = ifindex;
4375         ad.u.net.family = family;
4376         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4377                 return NF_DROP;
4378
4379         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4380                 return NF_DROP;
4381
4382         if (peerlbl_active)
4383                 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4384                                              peer_sid, &ad) != 0)
4385                         return NF_DROP;
4386
4387         if (secmark_active)
4388                 if (avc_has_perm(peer_sid, skb->secmark,
4389                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4390                         return NF_DROP;
4391
4392         return NF_ACCEPT;
4393 }
4394
4395 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4396                                          struct sk_buff *skb,
4397                                          const struct net_device *in,
4398                                          const struct net_device *out,
4399                                          int (*okfn)(struct sk_buff *))
4400 {
4401         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4402 }
4403
4404 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4405 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4406                                          struct sk_buff *skb,
4407                                          const struct net_device *in,
4408                                          const struct net_device *out,
4409                                          int (*okfn)(struct sk_buff *))
4410 {
4411         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4412 }
4413 #endif  /* IPV6 */
4414
4415 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4416                                                 int ifindex,
4417                                                 struct avc_audit_data *ad,
4418                                                 u16 family, char *addrp)
4419 {
4420         int err;
4421         struct sk_security_struct *sksec = sk->sk_security;
4422         u16 sk_class;
4423         u32 netif_perm, node_perm, send_perm;
4424         u32 port_sid, node_sid, if_sid, sk_sid;
4425
4426         sk_sid = sksec->sid;
4427         sk_class = sksec->sclass;
4428
4429         switch (sk_class) {
4430         case SECCLASS_UDP_SOCKET:
4431                 netif_perm = NETIF__UDP_SEND;
4432                 node_perm = NODE__UDP_SEND;
4433                 send_perm = UDP_SOCKET__SEND_MSG;
4434                 break;
4435         case SECCLASS_TCP_SOCKET:
4436                 netif_perm = NETIF__TCP_SEND;
4437                 node_perm = NODE__TCP_SEND;
4438                 send_perm = TCP_SOCKET__SEND_MSG;
4439                 break;
4440         case SECCLASS_DCCP_SOCKET:
4441                 netif_perm = NETIF__DCCP_SEND;
4442                 node_perm = NODE__DCCP_SEND;
4443                 send_perm = DCCP_SOCKET__SEND_MSG;
4444                 break;
4445         default:
4446                 netif_perm = NETIF__RAWIP_SEND;
4447                 node_perm = NODE__RAWIP_SEND;
4448                 send_perm = 0;
4449                 break;
4450         }
4451
4452         err = sel_netif_sid(ifindex, &if_sid);
4453         if (err)
4454                 return err;
4455         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4456                 return err;
4457
4458         err = sel_netnode_sid(addrp, family, &node_sid);
4459         if (err)
4460                 return err;
4461         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4462         if (err)
4463                 return err;
4464
4465         if (send_perm != 0)
4466                 return 0;
4467
4468         err = sel_netport_sid(sk->sk_protocol,
4469                               ntohs(ad->u.net.dport), &port_sid);
4470         if (unlikely(err)) {
4471                 printk(KERN_WARNING
4472                        "SELinux: failure in"
4473                        " selinux_ip_postroute_iptables_compat(),"
4474                        " network port label not found\n");
4475                 return err;
4476         }
4477         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4478 }
4479
4480 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4481                                                 int ifindex,
4482                                                 struct avc_audit_data *ad,
4483                                                 u16 family,
4484                                                 char *addrp,
4485                                                 u8 proto)
4486 {
4487         struct sock *sk = skb->sk;
4488         struct sk_security_struct *sksec;
4489
4490         if (sk == NULL)
4491                 return NF_ACCEPT;
4492         sksec = sk->sk_security;
4493
4494         if (selinux_compat_net) {
4495                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4496                                                          ad, family, addrp))
4497                         return NF_DROP;
4498         } else {
4499                 if (avc_has_perm(sksec->sid, skb->secmark,
4500                                  SECCLASS_PACKET, PACKET__SEND, ad))
4501                         return NF_DROP;
4502         }
4503
4504         if (selinux_policycap_netpeer)
4505                 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4506                         return NF_DROP;
4507
4508         return NF_ACCEPT;
4509 }
4510
4511 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4512                                          u16 family)
4513 {
4514         u32 secmark_perm;
4515         u32 peer_sid;
4516         struct sock *sk;
4517         struct avc_audit_data ad;
4518         char *addrp;
4519         u8 proto;
4520         u8 secmark_active;
4521         u8 peerlbl_active;
4522
4523         AVC_AUDIT_DATA_INIT(&ad, NET);
4524         ad.u.net.netif = ifindex;
4525         ad.u.net.family = family;
4526         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4527                 return NF_DROP;
4528
4529         /* If any sort of compatibility mode is enabled then handoff processing
4530          * to the selinux_ip_postroute_compat() function to deal with the
4531          * special handling.  We do this in an attempt to keep this function
4532          * as fast and as clean as possible. */
4533         if (selinux_compat_net || !selinux_policycap_netpeer)
4534                 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4535                                                    family, addrp, proto);
4536
4537         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4538          * packet transformation so allow the packet to pass without any checks
4539          * since we'll have another chance to perform access control checks
4540          * when the packet is on it's final way out.
4541          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4542          *       is NULL, in this case go ahead and apply access control. */
4543         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4544                 return NF_ACCEPT;
4545
4546         secmark_active = selinux_secmark_enabled();
4547         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4548         if (!secmark_active && !peerlbl_active)
4549                 return NF_ACCEPT;
4550
4551         /* if the packet is locally generated (skb->sk != NULL) then use the
4552          * socket's label as the peer label, otherwise the packet is being
4553          * forwarded through this system and we need to fetch the peer label
4554          * directly from the packet */
4555         sk = skb->sk;
4556         if (sk) {
4557                 struct sk_security_struct *sksec = sk->sk_security;
4558                 peer_sid = sksec->sid;
4559                 secmark_perm = PACKET__SEND;
4560         } else {
4561                 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4562                                 return NF_DROP;
4563                 secmark_perm = PACKET__FORWARD_OUT;
4564         }
4565
4566         if (secmark_active)
4567                 if (avc_has_perm(peer_sid, skb->secmark,
4568                                  SECCLASS_PACKET, secmark_perm, &ad))
4569                         return NF_DROP;
4570
4571         if (peerlbl_active) {
4572                 u32 if_sid;
4573                 u32 node_sid;
4574
4575                 if (sel_netif_sid(ifindex, &if_sid))
4576                         return NF_DROP;
4577                 if (avc_has_perm(peer_sid, if_sid,
4578                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4579                         return NF_DROP;
4580
4581                 if (sel_netnode_sid(addrp, family, &node_sid))
4582                         return NF_DROP;
4583                 if (avc_has_perm(peer_sid, node_sid,
4584                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4585                         return NF_DROP;
4586         }
4587
4588         return NF_ACCEPT;
4589 }
4590
4591 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4592                                            struct sk_buff *skb,
4593                                            const struct net_device *in,
4594                                            const struct net_device *out,
4595                                            int (*okfn)(struct sk_buff *))
4596 {
4597         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4598 }
4599
4600 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4601 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4602                                            struct sk_buff *skb,
4603                                            const struct net_device *in,
4604                                            const struct net_device *out,
4605                                            int (*okfn)(struct sk_buff *))
4606 {
4607         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4608 }
4609 #endif  /* IPV6 */
4610
4611 #endif  /* CONFIG_NETFILTER */
4612
4613 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4614 {
4615         int err;
4616
4617         err = secondary_ops->netlink_send(sk, skb);
4618         if (err)
4619                 return err;
4620
4621         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4622                 err = selinux_nlmsg_perm(sk, skb);
4623
4624         return err;
4625 }
4626
4627 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4628 {
4629         int err;
4630         struct avc_audit_data ad;
4631
4632         err = secondary_ops->netlink_recv(skb, capability);
4633         if (err)
4634                 return err;
4635
4636         AVC_AUDIT_DATA_INIT(&ad, CAP);
4637         ad.u.cap = capability;
4638
4639         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4640                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4641 }
4642
4643 static int ipc_alloc_security(struct task_struct *task,
4644                               struct kern_ipc_perm *perm,
4645                               u16 sclass)
4646 {
4647         struct task_security_struct *tsec = task->security;
4648         struct ipc_security_struct *isec;
4649
4650         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4651         if (!isec)
4652                 return -ENOMEM;
4653
4654         isec->sclass = sclass;
4655         isec->sid = tsec->sid;
4656         perm->security = isec;
4657
4658         return 0;
4659 }
4660
4661 static void ipc_free_security(struct kern_ipc_perm *perm)
4662 {
4663         struct ipc_security_struct *isec = perm->security;
4664         perm->security = NULL;
4665         kfree(isec);
4666 }
4667
4668 static int msg_msg_alloc_security(struct msg_msg *msg)
4669 {
4670         struct msg_security_struct *msec;
4671
4672         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4673         if (!msec)
4674                 return -ENOMEM;
4675
4676         msec->sid = SECINITSID_UNLABELED;
4677         msg->security = msec;
4678
4679         return 0;
4680 }
4681
4682 static void msg_msg_free_security(struct msg_msg *msg)
4683 {
4684         struct msg_security_struct *msec = msg->security;
4685
4686         msg->security = NULL;
4687         kfree(msec);
4688 }
4689
4690 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4691                         u32 perms)
4692 {
4693         struct task_security_struct *tsec;
4694         struct ipc_security_struct *isec;
4695         struct avc_audit_data ad;
4696
4697         tsec = current->security;
4698         isec = ipc_perms->security;
4699
4700         AVC_AUDIT_DATA_INIT(&ad, IPC);
4701         ad.u.ipc_id = ipc_perms->key;
4702
4703         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4704 }
4705
4706 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4707 {
4708         return msg_msg_alloc_security(msg);
4709 }
4710
4711 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4712 {
4713         msg_msg_free_security(msg);
4714 }
4715
4716 /* message queue security operations */
4717 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4718 {
4719         struct task_security_struct *tsec;
4720         struct ipc_security_struct *isec;
4721         struct avc_audit_data ad;
4722         int rc;
4723
4724         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4725         if (rc)
4726                 return rc;
4727
4728         tsec = current->security;
4729         isec = msq->q_perm.security;
4730
4731         AVC_AUDIT_DATA_INIT(&ad, IPC);
4732         ad.u.ipc_id = msq->q_perm.key;
4733
4734         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4735                           MSGQ__CREATE, &ad);
4736         if (rc) {
4737                 ipc_free_security(&msq->q_perm);
4738                 return rc;
4739         }
4740         return 0;
4741 }
4742
4743 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4744 {
4745         ipc_free_security(&msq->q_perm);
4746 }
4747
4748 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4749 {
4750         struct task_security_struct *tsec;
4751         struct ipc_security_struct *isec;
4752         struct avc_audit_data ad;
4753
4754         tsec = current->security;
4755         isec = msq->q_perm.security;
4756
4757         AVC_AUDIT_DATA_INIT(&ad, IPC);
4758         ad.u.ipc_id = msq->q_perm.key;
4759
4760         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4761                             MSGQ__ASSOCIATE, &ad);
4762 }
4763
4764 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4765 {
4766         int err;
4767         int perms;
4768
4769         switch (cmd) {
4770         case IPC_INFO:
4771         case MSG_INFO:
4772                 /* No specific object, just general system-wide information. */
4773                 return task_has_system(current, SYSTEM__IPC_INFO);
4774         case IPC_STAT:
4775         case MSG_STAT:
4776                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4777                 break;
4778         case IPC_SET:
4779                 perms = MSGQ__SETATTR;
4780                 break;
4781         case IPC_RMID:
4782                 perms = MSGQ__DESTROY;
4783                 break;
4784         default:
4785                 return 0;
4786         }
4787
4788         err = ipc_has_perm(&msq->q_perm, perms);
4789         return err;
4790 }
4791
4792 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4793 {
4794         struct task_security_struct *tsec;
4795         struct ipc_security_struct *isec;
4796         struct msg_security_struct *msec;
4797         struct avc_audit_data ad;
4798         int rc;
4799
4800         tsec = current->security;
4801         isec = msq->q_perm.security;
4802         msec = msg->security;
4803
4804         /*
4805          * First time through, need to assign label to the message
4806          */
4807         if (msec->sid == SECINITSID_UNLABELED) {
4808                 /*
4809                  * Compute new sid based on current process and
4810                  * message queue this message will be stored in
4811                  */
4812                 rc = security_transition_sid(tsec->sid,
4813                                              isec->sid,
4814                                              SECCLASS_MSG,
4815                                              &msec->sid);
4816                 if (rc)
4817                         return rc;
4818         }
4819
4820         AVC_AUDIT_DATA_INIT(&ad, IPC);
4821         ad.u.ipc_id = msq->q_perm.key;
4822
4823         /* Can this process write to the queue? */
4824         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4825                           MSGQ__WRITE, &ad);
4826         if (!rc)
4827                 /* Can this process send the message */
4828                 rc = avc_has_perm(tsec->sid, msec->sid,
4829                                   SECCLASS_MSG, MSG__SEND, &ad);
4830         if (!rc)
4831                 /* Can the message be put in the queue? */
4832                 rc = avc_has_perm(msec->sid, isec->sid,
4833                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4834
4835         return rc;
4836 }
4837
4838 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4839                                     struct task_struct *target,
4840                                     long type, int mode)
4841 {
4842         struct task_security_struct *tsec;
4843         struct ipc_security_struct *isec;
4844         struct msg_security_struct *msec;
4845         struct avc_audit_data ad;
4846         int rc;
4847
4848         tsec = target->security;
4849         isec = msq->q_perm.security;
4850         msec = msg->security;
4851
4852         AVC_AUDIT_DATA_INIT(&ad, IPC);
4853         ad.u.ipc_id = msq->q_perm.key;
4854
4855         rc = avc_has_perm(tsec->sid, isec->sid,
4856                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4857         if (!rc)
4858                 rc = avc_has_perm(tsec->sid, msec->sid,
4859                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4860         return rc;
4861 }
4862
4863 /* Shared Memory security operations */
4864 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4865 {
4866         struct task_security_struct *tsec;
4867         struct ipc_security_struct *isec;
4868         struct avc_audit_data ad;
4869         int rc;
4870
4871         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4872         if (rc)
4873                 return rc;
4874
4875         tsec = current->security;
4876         isec = shp->shm_perm.security;
4877
4878         AVC_AUDIT_DATA_INIT(&ad, IPC);
4879         ad.u.ipc_id = shp->shm_perm.key;
4880
4881         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4882                           SHM__CREATE, &ad);
4883         if (rc) {
4884                 ipc_free_security(&shp->shm_perm);
4885                 return rc;
4886         }
4887         return 0;
4888 }
4889
4890 static void selinux_shm_free_security(struct shmid_kernel *shp)
4891 {
4892         ipc_free_security(&shp->shm_perm);
4893 }
4894
4895 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4896 {
4897         struct task_security_struct *tsec;
4898         struct ipc_security_struct *isec;
4899         struct avc_audit_data ad;
4900
4901         tsec = current->security;
4902         isec = shp->shm_perm.security;
4903
4904         AVC_AUDIT_DATA_INIT(&ad, IPC);
4905         ad.u.ipc_id = shp->shm_perm.key;
4906
4907         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4908                             SHM__ASSOCIATE, &ad);
4909 }
4910
4911 /* Note, at this point, shp is locked down */
4912 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4913 {
4914         int perms;
4915         int err;
4916
4917         switch (cmd) {
4918         case IPC_INFO:
4919         case SHM_INFO:
4920                 /* No specific object, just general system-wide information. */
4921                 return task_has_system(current, SYSTEM__IPC_INFO);
4922         case IPC_STAT:
4923         case SHM_STAT:
4924                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4925                 break;
4926         case IPC_SET:
4927                 perms = SHM__SETATTR;
4928                 break;
4929         case SHM_LOCK:
4930         case SHM_UNLOCK:
4931                 perms = SHM__LOCK;
4932                 break;
4933         case IPC_RMID:
4934                 perms = SHM__DESTROY;
4935                 break;
4936         default:
4937                 return 0;
4938         }
4939
4940         err = ipc_has_perm(&shp->shm_perm, perms);
4941         return err;
4942 }
4943
4944 static int selinux_shm_shmat(struct shmid_kernel *shp,
4945                              char __user *shmaddr, int shmflg)
4946 {
4947         u32 perms;
4948         int rc;
4949
4950         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4951         if (rc)
4952                 return rc;
4953
4954         if (shmflg & SHM_RDONLY)
4955                 perms = SHM__READ;
4956         else
4957                 perms = SHM__READ | SHM__WRITE;
4958
4959         return ipc_has_perm(&shp->shm_perm, perms);
4960 }
4961
4962 /* Semaphore security operations */
4963 static int selinux_sem_alloc_security(struct sem_array *sma)
4964 {
4965         struct task_security_struct *tsec;
4966         struct ipc_security_struct *isec;
4967         struct avc_audit_data ad;
4968         int rc;
4969
4970         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4971         if (rc)
4972                 return rc;
4973
4974         tsec = current->security;
4975         isec = sma->sem_perm.security;
4976
4977         AVC_AUDIT_DATA_INIT(&ad, IPC);
4978         ad.u.ipc_id = sma->sem_perm.key;
4979
4980         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4981                           SEM__CREATE, &ad);
4982         if (rc) {
4983                 ipc_free_security(&sma->sem_perm);
4984                 return rc;
4985         }
4986         return 0;
4987 }
4988
4989 static void selinux_sem_free_security(struct sem_array *sma)
4990 {
4991         ipc_free_security(&sma->sem_perm);
4992 }
4993
4994 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4995 {
4996         struct task_security_struct *tsec;
4997         struct ipc_security_struct *isec;
4998         struct avc_audit_data ad;
4999
5000         tsec = current->security;
5001         isec = sma->sem_perm.security;
5002
5003         AVC_AUDIT_DATA_INIT(&ad, IPC);
5004         ad.u.ipc_id = sma->sem_perm.key;
5005
5006         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5007                             SEM__ASSOCIATE, &ad);
5008 }
5009
5010 /* Note, at this point, sma is locked down */
5011 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5012 {
5013         int err;
5014         u32 perms;
5015
5016         switch (cmd) {
5017         case IPC_INFO:
5018         case SEM_INFO:
5019                 /* No specific object, just general system-wide information. */
5020                 return task_has_system(current, SYSTEM__IPC_INFO);
5021         case GETPID:
5022         case GETNCNT:
5023         case GETZCNT:
5024                 perms = SEM__GETATTR;
5025                 break;
5026         case GETVAL:
5027         case GETALL:
5028                 perms = SEM__READ;
5029                 break;
5030         case SETVAL:
5031         case SETALL:
5032                 perms = SEM__WRITE;
5033                 break;
5034         case IPC_RMID:
5035                 perms = SEM__DESTROY;
5036                 break;
5037         case IPC_SET:
5038                 perms = SEM__SETATTR;
5039                 break;
5040         case IPC_STAT:
5041         case SEM_STAT:
5042                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5043                 break;
5044         default:
5045                 return 0;
5046         }
5047
5048         err = ipc_has_perm(&sma->sem_perm, perms);
5049         return err;
5050 }
5051
5052 static int selinux_sem_semop(struct sem_array *sma,
5053                              struct sembuf *sops, unsigned nsops, int alter)
5054 {
5055         u32 perms;
5056
5057         if (alter)
5058                 perms = SEM__READ | SEM__WRITE;
5059         else
5060                 perms = SEM__READ;
5061
5062         return ipc_has_perm(&sma->sem_perm, perms);
5063 }
5064
5065 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5066 {
5067         u32 av = 0;
5068
5069         av = 0;
5070         if (flag & S_IRUGO)
5071                 av |= IPC__UNIX_READ;
5072         if (flag & S_IWUGO)
5073                 av |= IPC__UNIX_WRITE;
5074
5075         if (av == 0)
5076                 return 0;
5077
5078         return ipc_has_perm(ipcp, av);
5079 }
5080
5081 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5082 {
5083         struct ipc_security_struct *isec = ipcp->security;
5084         *secid = isec->sid;
5085 }
5086
5087 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5088 {
5089         if (inode)
5090                 inode_doinit_with_dentry(inode, dentry);
5091 }
5092
5093 static int selinux_getprocattr(struct task_struct *p,
5094                                char *name, char **value)
5095 {
5096         struct task_security_struct *tsec;
5097         u32 sid;
5098         int error;
5099         unsigned len;
5100
5101         if (current != p) {
5102                 error = task_has_perm(current, p, PROCESS__GETATTR);
5103                 if (error)
5104                         return error;
5105         }
5106
5107         tsec = p->security;
5108
5109         if (!strcmp(name, "current"))
5110                 sid = tsec->sid;
5111         else if (!strcmp(name, "prev"))
5112                 sid = tsec->osid;
5113         else if (!strcmp(name, "exec"))
5114                 sid = tsec->exec_sid;
5115         else if (!strcmp(name, "fscreate"))
5116                 sid = tsec->create_sid;
5117         else if (!strcmp(name, "keycreate"))
5118                 sid = tsec->keycreate_sid;
5119         else if (!strcmp(name, "sockcreate"))
5120                 sid = tsec->sockcreate_sid;
5121         else
5122                 return -EINVAL;
5123
5124         if (!sid)
5125                 return 0;
5126
5127         error = security_sid_to_context(sid, value, &len);
5128         if (error)
5129                 return error;
5130         return len;
5131 }
5132
5133 static int selinux_setprocattr(struct task_struct *p,
5134                                char *name, void *value, size_t size)
5135 {
5136         struct task_security_struct *tsec;
5137         struct task_struct *tracer;
5138         u32 sid = 0;
5139         int error;
5140         char *str = value;
5141
5142         if (current != p) {
5143                 /* SELinux only allows a process to change its own
5144                    security attributes. */
5145                 return -EACCES;
5146         }
5147
5148         /*
5149          * Basic control over ability to set these attributes at all.
5150          * current == p, but we'll pass them separately in case the
5151          * above restriction is ever removed.
5152          */
5153         if (!strcmp(name, "exec"))
5154                 error = task_has_perm(current, p, PROCESS__SETEXEC);
5155         else if (!strcmp(name, "fscreate"))
5156                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5157         else if (!strcmp(name, "keycreate"))
5158                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5159         else if (!strcmp(name, "sockcreate"))
5160                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5161         else if (!strcmp(name, "current"))
5162                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5163         else
5164                 error = -EINVAL;
5165         if (error)
5166                 return error;
5167
5168         /* Obtain a SID for the context, if one was specified. */
5169         if (size && str[1] && str[1] != '\n') {
5170                 if (str[size-1] == '\n') {
5171                         str[size-1] = 0;
5172                         size--;
5173                 }
5174                 error = security_context_to_sid(value, size, &sid);
5175                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5176                         if (!capable(CAP_MAC_ADMIN))
5177                                 return error;
5178                         error = security_context_to_sid_force(value, size,
5179                                                               &sid);
5180                 }
5181                 if (error)
5182                         return error;
5183         }
5184
5185         /* Permission checking based on the specified context is
5186            performed during the actual operation (execve,
5187            open/mkdir/...), when we know the full context of the
5188            operation.  See selinux_bprm_set_security for the execve
5189            checks and may_create for the file creation checks. The
5190            operation will then fail if the context is not permitted. */
5191         tsec = p->security;
5192         if (!strcmp(name, "exec"))
5193                 tsec->exec_sid = sid;
5194         else if (!strcmp(name, "fscreate"))
5195                 tsec->create_sid = sid;
5196         else if (!strcmp(name, "keycreate")) {
5197                 error = may_create_key(sid, p);
5198                 if (error)
5199                         return error;
5200                 tsec->keycreate_sid = sid;
5201         } else if (!strcmp(name, "sockcreate"))
5202                 tsec->sockcreate_sid = sid;
5203         else if (!strcmp(name, "current")) {
5204                 struct av_decision avd;
5205
5206                 if (sid == 0)
5207                         return -EINVAL;
5208
5209                 /* Only allow single threaded processes to change context */
5210                 if (atomic_read(&p->mm->mm_users) != 1) {
5211                         struct task_struct *g, *t;
5212                         struct mm_struct *mm = p->mm;
5213                         read_lock(&tasklist_lock);
5214                         do_each_thread(g, t) {
5215                                 if (t->mm == mm && t != p) {
5216                                         read_unlock(&tasklist_lock);
5217                                         return -EPERM;
5218                                 }
5219                         } while_each_thread(g, t);
5220                         read_unlock(&tasklist_lock);
5221                 }
5222
5223                 /* Check permissions for the transition. */
5224                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5225                                      PROCESS__DYNTRANSITION, NULL);
5226                 if (error)
5227                         return error;
5228
5229                 /* Check for ptracing, and update the task SID if ok.
5230                    Otherwise, leave SID unchanged and fail. */
5231                 task_lock(p);
5232                 rcu_read_lock();
5233                 tracer = tracehook_tracer_task(p);
5234                 if (tracer != NULL) {
5235                         struct task_security_struct *ptsec = tracer->security;
5236                         u32 ptsid = ptsec->sid;
5237                         rcu_read_unlock();
5238                         error = avc_has_perm_noaudit(ptsid, sid,
5239                                                      SECCLASS_PROCESS,
5240                                                      PROCESS__PTRACE, 0, &avd);
5241                         if (!error)
5242                                 tsec->sid = sid;
5243                         task_unlock(p);
5244                         avc_audit(ptsid, sid, SECCLASS_PROCESS,
5245                                   PROCESS__PTRACE, &avd, error, NULL);
5246                         if (error)
5247                                 return error;
5248                 } else {
5249                         rcu_read_unlock();
5250                         tsec->sid = sid;
5251                         task_unlock(p);
5252                 }
5253         } else
5254                 return -EINVAL;
5255
5256         return size;
5257 }
5258
5259 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5260 {
5261         return security_sid_to_context(secid, secdata, seclen);
5262 }
5263
5264 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5265 {
5266         return security_context_to_sid(secdata, seclen, secid);
5267 }
5268
5269 static void selinux_release_secctx(char *secdata, u32 seclen)
5270 {
5271         kfree(secdata);
5272 }
5273
5274 #ifdef CONFIG_KEYS
5275
5276 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5277                              unsigned long flags)
5278 {
5279         struct task_security_struct *tsec = tsk->security;
5280         struct key_security_struct *ksec;
5281
5282         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5283         if (!ksec)
5284                 return -ENOMEM;
5285
5286         if (tsec->keycreate_sid)
5287                 ksec->sid = tsec->keycreate_sid;
5288         else
5289                 ksec->sid = tsec->sid;
5290         k->security = ksec;
5291
5292         return 0;
5293 }
5294
5295 static void selinux_key_free(struct key *k)
5296 {
5297         struct key_security_struct *ksec = k->security;
5298
5299         k->security = NULL;
5300         kfree(ksec);
5301 }
5302
5303 static int selinux_key_permission(key_ref_t key_ref,
5304                             struct task_struct *ctx,
5305                             key_perm_t perm)
5306 {
5307         struct key *key;
5308         struct task_security_struct *tsec;
5309         struct key_security_struct *ksec;
5310
5311         key = key_ref_to_ptr(key_ref);
5312
5313         tsec = ctx->security;
5314         ksec = key->security;
5315
5316         /* if no specific permissions are requested, we skip the
5317            permission check. No serious, additional covert channels
5318            appear to be created. */
5319         if (perm == 0)
5320                 return 0;
5321
5322         return avc_has_perm(tsec->sid, ksec->sid,
5323                             SECCLASS_KEY, perm, NULL);
5324 }
5325
5326 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5327 {
5328         struct key_security_struct *ksec = key->security;
5329         char *context = NULL;
5330         unsigned len;
5331         int rc;
5332
5333         rc = security_sid_to_context(ksec->sid, &context, &len);
5334         if (!rc)
5335                 rc = len;
5336         *_buffer = context;
5337         return rc;
5338 }
5339
5340 #endif
5341
5342 static struct security_operations selinux_ops = {
5343         .name =                         "selinux",
5344
5345         .ptrace =                       selinux_ptrace,
5346         .capget =                       selinux_capget,
5347         .capset_check =                 selinux_capset_check,
5348         .capset_set =                   selinux_capset_set,
5349         .sysctl =                       selinux_sysctl,
5350         .capable =                      selinux_capable,
5351         .quotactl =                     selinux_quotactl,
5352         .quota_on =                     selinux_quota_on,
5353         .syslog =                       selinux_syslog,
5354         .vm_enough_memory =             selinux_vm_enough_memory,
5355
5356         .netlink_send =                 selinux_netlink_send,
5357         .netlink_recv =                 selinux_netlink_recv,
5358
5359         .bprm_alloc_security =          selinux_bprm_alloc_security,
5360         .bprm_free_security =           selinux_bprm_free_security,
5361         .bprm_apply_creds =             selinux_bprm_apply_creds,
5362         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
5363         .bprm_set_security =            selinux_bprm_set_security,
5364         .bprm_check_security =          selinux_bprm_check_security,
5365         .bprm_secureexec =              selinux_bprm_secureexec,
5366
5367         .sb_alloc_security =            selinux_sb_alloc_security,
5368         .sb_free_security =             selinux_sb_free_security,
5369         .sb_copy_data =                 selinux_sb_copy_data,
5370         .sb_kern_mount =                selinux_sb_kern_mount,
5371         .sb_show_options =              selinux_sb_show_options,
5372         .sb_statfs =                    selinux_sb_statfs,
5373         .sb_mount =                     selinux_mount,
5374         .sb_umount =                    selinux_umount,
5375         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5376         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5377         .sb_parse_opts_str =            selinux_parse_opts_str,
5378
5379
5380         .inode_alloc_security =         selinux_inode_alloc_security,
5381         .inode_free_security =          selinux_inode_free_security,
5382         .inode_init_security =          selinux_inode_init_security,
5383         .inode_create =                 selinux_inode_create,
5384         .inode_link =                   selinux_inode_link,
5385         .inode_unlink =                 selinux_inode_unlink,
5386         .inode_symlink =                selinux_inode_symlink,
5387         .inode_mkdir =                  selinux_inode_mkdir,
5388         .inode_rmdir =                  selinux_inode_rmdir,
5389         .inode_mknod =                  selinux_inode_mknod,
5390         .inode_rename =                 selinux_inode_rename,
5391         .inode_readlink =               selinux_inode_readlink,
5392         .inode_follow_link =            selinux_inode_follow_link,
5393         .inode_permission =             selinux_inode_permission,
5394         .inode_setattr =                selinux_inode_setattr,
5395         .inode_getattr =                selinux_inode_getattr,
5396         .inode_setxattr =               selinux_inode_setxattr,
5397         .inode_post_setxattr =          selinux_inode_post_setxattr,
5398         .inode_getxattr =               selinux_inode_getxattr,
5399         .inode_listxattr =              selinux_inode_listxattr,
5400         .inode_removexattr =            selinux_inode_removexattr,
5401         .inode_getsecurity =            selinux_inode_getsecurity,
5402         .inode_setsecurity =            selinux_inode_setsecurity,
5403         .inode_listsecurity =           selinux_inode_listsecurity,
5404         .inode_need_killpriv =          selinux_inode_need_killpriv,
5405         .inode_killpriv =               selinux_inode_killpriv,
5406         .inode_getsecid =               selinux_inode_getsecid,
5407
5408         .file_permission =              selinux_file_permission,
5409         .file_alloc_security =          selinux_file_alloc_security,
5410         .file_free_security =           selinux_file_free_security,
5411         .file_ioctl =                   selinux_file_ioctl,
5412         .file_mmap =                    selinux_file_mmap,
5413         .file_mprotect =                selinux_file_mprotect,
5414         .file_lock =                    selinux_file_lock,
5415         .file_fcntl =                   selinux_file_fcntl,
5416         .file_set_fowner =              selinux_file_set_fowner,
5417         .file_send_sigiotask =          selinux_file_send_sigiotask,
5418         .file_receive =                 selinux_file_receive,
5419
5420         .dentry_open =                  selinux_dentry_open,
5421
5422         .task_create =                  selinux_task_create,
5423         .task_alloc_security =          selinux_task_alloc_security,
5424         .task_free_security =           selinux_task_free_security,
5425         .task_setuid =                  selinux_task_setuid,
5426         .task_post_setuid =             selinux_task_post_setuid,
5427         .task_setgid =                  selinux_task_setgid,
5428         .task_setpgid =                 selinux_task_setpgid,
5429         .task_getpgid =                 selinux_task_getpgid,
5430         .task_getsid =                  selinux_task_getsid,
5431         .task_getsecid =                selinux_task_getsecid,
5432         .task_setgroups =               selinux_task_setgroups,
5433         .task_setnice =                 selinux_task_setnice,
5434         .task_setioprio =               selinux_task_setioprio,
5435         .task_getioprio =               selinux_task_getioprio,
5436         .task_setrlimit =               selinux_task_setrlimit,
5437         .task_setscheduler =            selinux_task_setscheduler,
5438         .task_getscheduler =            selinux_task_getscheduler,
5439         .task_movememory =              selinux_task_movememory,
5440         .task_kill =                    selinux_task_kill,
5441         .task_wait =                    selinux_task_wait,
5442         .task_prctl =                   selinux_task_prctl,
5443         .task_reparent_to_init =        selinux_task_reparent_to_init,
5444         .task_to_inode =                selinux_task_to_inode,
5445
5446         .ipc_permission =               selinux_ipc_permission,
5447         .ipc_getsecid =                 selinux_ipc_getsecid,
5448
5449         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5450         .msg_msg_free_security =        selinux_msg_msg_free_security,
5451
5452         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5453         .msg_queue_free_security =      selinux_msg_queue_free_security,
5454         .msg_queue_associate =          selinux_msg_queue_associate,
5455         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5456         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5457         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5458
5459         .shm_alloc_security =           selinux_shm_alloc_security,
5460         .shm_free_security =            selinux_shm_free_security,
5461         .shm_associate =                selinux_shm_associate,
5462         .shm_shmctl =                   selinux_shm_shmctl,
5463         .shm_shmat =                    selinux_shm_shmat,
5464
5465         .sem_alloc_security =           selinux_sem_alloc_security,
5466         .sem_free_security =            selinux_sem_free_security,
5467         .sem_associate =                selinux_sem_associate,
5468         .sem_semctl =                   selinux_sem_semctl,
5469         .sem_semop =                    selinux_sem_semop,
5470
5471         .d_instantiate =                selinux_d_instantiate,
5472
5473         .getprocattr =                  selinux_getprocattr,
5474         .setprocattr =                  selinux_setprocattr,
5475
5476         .secid_to_secctx =              selinux_secid_to_secctx,
5477         .secctx_to_secid =              selinux_secctx_to_secid,
5478         .release_secctx =               selinux_release_secctx,
5479
5480         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5481         .unix_may_send =                selinux_socket_unix_may_send,
5482
5483         .socket_create =                selinux_socket_create,
5484         .socket_post_create =           selinux_socket_post_create,
5485         .socket_bind =                  selinux_socket_bind,
5486         .socket_connect =               selinux_socket_connect,
5487         .socket_listen =                selinux_socket_listen,
5488         .socket_accept =                selinux_socket_accept,
5489         .socket_sendmsg =               selinux_socket_sendmsg,
5490         .socket_recvmsg =               selinux_socket_recvmsg,
5491         .socket_getsockname =           selinux_socket_getsockname,
5492         .socket_getpeername =           selinux_socket_getpeername,
5493         .socket_getsockopt =            selinux_socket_getsockopt,
5494         .socket_setsockopt =            selinux_socket_setsockopt,
5495         .socket_shutdown =              selinux_socket_shutdown,
5496         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5497         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5498         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5499         .sk_alloc_security =            selinux_sk_alloc_security,
5500         .sk_free_security =             selinux_sk_free_security,
5501         .sk_clone_security =            selinux_sk_clone_security,
5502         .sk_getsecid =                  selinux_sk_getsecid,
5503         .sock_graft =                   selinux_sock_graft,
5504         .inet_conn_request =            selinux_inet_conn_request,
5505         .inet_csk_clone =               selinux_inet_csk_clone,
5506         .inet_conn_established =        selinux_inet_conn_established,
5507         .req_classify_flow =            selinux_req_classify_flow,
5508
5509 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5510         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5511         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5512         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5513         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5514         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5515         .xfrm_state_free_security =     selinux_xfrm_state_free,
5516         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5517         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5518         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5519         .xfrm_decode_session =          selinux_xfrm_decode_session,
5520 #endif
5521
5522 #ifdef CONFIG_KEYS
5523         .key_alloc =                    selinux_key_alloc,
5524         .key_free =                     selinux_key_free,
5525         .key_permission =               selinux_key_permission,
5526         .key_getsecurity =              selinux_key_getsecurity,
5527 #endif
5528
5529 #ifdef CONFIG_AUDIT
5530         .audit_rule_init =              selinux_audit_rule_init,
5531         .audit_rule_known =             selinux_audit_rule_known,
5532         .audit_rule_match =             selinux_audit_rule_match,
5533         .audit_rule_free =              selinux_audit_rule_free,
5534 #endif
5535 };
5536
5537 static __init int selinux_init(void)
5538 {
5539         struct task_security_struct *tsec;
5540
5541         if (!security_module_enable(&selinux_ops)) {
5542                 selinux_enabled = 0;
5543                 return 0;
5544         }
5545
5546         if (!selinux_enabled) {
5547                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5548                 return 0;
5549         }
5550
5551         printk(KERN_INFO "SELinux:  Initializing.\n");
5552
5553         /* Set the security state for the initial task. */
5554         if (task_alloc_security(current))
5555                 panic("SELinux:  Failed to initialize initial task.\n");
5556         tsec = current->security;
5557         tsec->osid = tsec->sid = SECINITSID_KERNEL;
5558
5559         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5560                                             sizeof(struct inode_security_struct),
5561                                             0, SLAB_PANIC, NULL);
5562         avc_init();
5563
5564         secondary_ops = security_ops;
5565         if (!secondary_ops)
5566                 panic("SELinux: No initial security operations\n");
5567         if (register_security(&selinux_ops))
5568                 panic("SELinux: Unable to register with kernel.\n");
5569
5570         if (selinux_enforcing)
5571                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5572         else
5573                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5574
5575         return 0;
5576 }
5577
5578 void selinux_complete_init(void)
5579 {
5580         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5581
5582         /* Set up any superblocks initialized prior to the policy load. */
5583         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5584         spin_lock(&sb_lock);
5585         spin_lock(&sb_security_lock);
5586 next_sb:
5587         if (!list_empty(&superblock_security_head)) {
5588                 struct superblock_security_struct *sbsec =
5589                                 list_entry(superblock_security_head.next,
5590                                            struct superblock_security_struct,
5591                                            list);
5592                 struct super_block *sb = sbsec->sb;
5593                 sb->s_count++;
5594                 spin_unlock(&sb_security_lock);
5595                 spin_unlock(&sb_lock);
5596                 down_read(&sb->s_umount);
5597                 if (sb->s_root)
5598                         superblock_doinit(sb, NULL);
5599                 drop_super(sb);
5600                 spin_lock(&sb_lock);
5601                 spin_lock(&sb_security_lock);
5602                 list_del_init(&sbsec->list);
5603                 goto next_sb;
5604         }
5605         spin_unlock(&sb_security_lock);
5606         spin_unlock(&sb_lock);
5607 }
5608
5609 /* SELinux requires early initialization in order to label
5610    all processes and objects when they are created. */
5611 security_initcall(selinux_init);
5612
5613 #if defined(CONFIG_NETFILTER)
5614
5615 static struct nf_hook_ops selinux_ipv4_ops[] = {
5616         {
5617                 .hook =         selinux_ipv4_postroute,
5618                 .owner =        THIS_MODULE,
5619                 .pf =           PF_INET,
5620                 .hooknum =      NF_INET_POST_ROUTING,
5621                 .priority =     NF_IP_PRI_SELINUX_LAST,
5622         },
5623         {
5624                 .hook =         selinux_ipv4_forward,
5625                 .owner =        THIS_MODULE,
5626                 .pf =           PF_INET,
5627                 .hooknum =      NF_INET_FORWARD,
5628                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5629         }
5630 };
5631
5632 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5633
5634 static struct nf_hook_ops selinux_ipv6_ops[] = {
5635         {
5636                 .hook =         selinux_ipv6_postroute,
5637                 .owner =        THIS_MODULE,
5638                 .pf =           PF_INET6,
5639                 .hooknum =      NF_INET_POST_ROUTING,
5640                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5641         },
5642         {
5643                 .hook =         selinux_ipv6_forward,
5644                 .owner =        THIS_MODULE,
5645                 .pf =           PF_INET6,
5646                 .hooknum =      NF_INET_FORWARD,
5647                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5648         }
5649 };
5650
5651 #endif  /* IPV6 */
5652
5653 static int __init selinux_nf_ip_init(void)
5654 {
5655         int err = 0;
5656
5657         if (!selinux_enabled)
5658                 goto out;
5659
5660         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5661
5662         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5663         if (err)
5664                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5665
5666 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5667         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5668         if (err)
5669                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5670 #endif  /* IPV6 */
5671
5672 out:
5673         return err;
5674 }
5675
5676 __initcall(selinux_nf_ip_init);
5677
5678 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5679 static void selinux_nf_ip_exit(void)
5680 {
5681         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5682
5683         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5684 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5685         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5686 #endif  /* IPV6 */
5687 }
5688 #endif
5689
5690 #else /* CONFIG_NETFILTER */
5691
5692 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5693 #define selinux_nf_ip_exit()
5694 #endif
5695
5696 #endif /* CONFIG_NETFILTER */
5697
5698 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5699 static int selinux_disabled;
5700
5701 int selinux_disable(void)
5702 {
5703         extern void exit_sel_fs(void);
5704
5705         if (ss_initialized) {
5706                 /* Not permitted after initial policy load. */
5707                 return -EINVAL;
5708         }
5709
5710         if (selinux_disabled) {
5711                 /* Only do this once. */
5712                 return -EINVAL;
5713         }
5714
5715         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5716
5717         selinux_disabled = 1;
5718         selinux_enabled = 0;
5719
5720         /* Reset security_ops to the secondary module, dummy or capability. */
5721         security_ops = secondary_ops;
5722
5723         /* Unregister netfilter hooks. */
5724         selinux_nf_ip_exit();
5725
5726         /* Unregister selinuxfs. */
5727         exit_sel_fs();
5728
5729         return 0;
5730 }
5731 #endif