[MIPS] Convert list of CPU types from #define to enum.
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16  *                     Paul Moore, <paul.moore@hp.com>
17  *
18  *      This program is free software; you can redistribute it and/or modify
19  *      it under the terms of the GNU General Public License version 2,
20  *      as published by the Free Software Foundation.
21  */
22
23 #include <linux/module.h>
24 #include <linux/init.h>
25 #include <linux/kernel.h>
26 #include <linux/ptrace.h>
27 #include <linux/errno.h>
28 #include <linux/sched.h>
29 #include <linux/security.h>
30 #include <linux/xattr.h>
31 #include <linux/capability.h>
32 #include <linux/unistd.h>
33 #include <linux/mm.h>
34 #include <linux/mman.h>
35 #include <linux/slab.h>
36 #include <linux/pagemap.h>
37 #include <linux/swap.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h>    /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/dccp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72 #include <linux/selinux.h>
73 #include <linux/mutex.h>
74
75 #include "avc.h"
76 #include "objsec.h"
77 #include "netif.h"
78 #include "xfrm.h"
79 #include "netlabel.h"
80
81 #define XATTR_SELINUX_SUFFIX "selinux"
82 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
83
84 extern unsigned int policydb_loaded_version;
85 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
86 extern int selinux_compat_net;
87
88 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
89 int selinux_enforcing = 0;
90
91 static int __init enforcing_setup(char *str)
92 {
93         selinux_enforcing = simple_strtol(str,NULL,0);
94         return 1;
95 }
96 __setup("enforcing=", enforcing_setup);
97 #endif
98
99 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
100 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
101
102 static int __init selinux_enabled_setup(char *str)
103 {
104         selinux_enabled = simple_strtol(str, NULL, 0);
105         return 1;
106 }
107 __setup("selinux=", selinux_enabled_setup);
108 #else
109 int selinux_enabled = 1;
110 #endif
111
112 /* Original (dummy) security module. */
113 static struct security_operations *original_ops = NULL;
114
115 /* Minimal support for a secondary security module,
116    just to allow the use of the dummy or capability modules.
117    The owlsm module can alternatively be used as a secondary
118    module as long as CONFIG_OWLSM_FD is not enabled. */
119 static struct security_operations *secondary_ops = NULL;
120
121 /* Lists of inode and superblock security structures initialized
122    before the policy was loaded. */
123 static LIST_HEAD(superblock_security_head);
124 static DEFINE_SPINLOCK(sb_security_lock);
125
126 static struct kmem_cache *sel_inode_cache;
127
128 /* Return security context for a given sid or just the context 
129    length if the buffer is null or length is 0 */
130 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
131 {
132         char *context;
133         unsigned len;
134         int rc;
135
136         rc = security_sid_to_context(sid, &context, &len);
137         if (rc)
138                 return rc;
139
140         if (!buffer || !size)
141                 goto getsecurity_exit;
142
143         if (size < len) {
144                 len = -ERANGE;
145                 goto getsecurity_exit;
146         }
147         memcpy(buffer, context, len);
148
149 getsecurity_exit:
150         kfree(context);
151         return len;
152 }
153
154 /* Allocate and free functions for each kind of security blob. */
155
156 static int task_alloc_security(struct task_struct *task)
157 {
158         struct task_security_struct *tsec;
159
160         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161         if (!tsec)
162                 return -ENOMEM;
163
164         tsec->task = task;
165         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166         task->security = tsec;
167
168         return 0;
169 }
170
171 static void task_free_security(struct task_struct *task)
172 {
173         struct task_security_struct *tsec = task->security;
174         task->security = NULL;
175         kfree(tsec);
176 }
177
178 static int inode_alloc_security(struct inode *inode)
179 {
180         struct task_security_struct *tsec = current->security;
181         struct inode_security_struct *isec;
182
183         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
184         if (!isec)
185                 return -ENOMEM;
186
187         mutex_init(&isec->lock);
188         INIT_LIST_HEAD(&isec->list);
189         isec->inode = inode;
190         isec->sid = SECINITSID_UNLABELED;
191         isec->sclass = SECCLASS_FILE;
192         isec->task_sid = tsec->sid;
193         inode->i_security = isec;
194
195         return 0;
196 }
197
198 static void inode_free_security(struct inode *inode)
199 {
200         struct inode_security_struct *isec = inode->i_security;
201         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
202
203         spin_lock(&sbsec->isec_lock);
204         if (!list_empty(&isec->list))
205                 list_del_init(&isec->list);
206         spin_unlock(&sbsec->isec_lock);
207
208         inode->i_security = NULL;
209         kmem_cache_free(sel_inode_cache, isec);
210 }
211
212 static int file_alloc_security(struct file *file)
213 {
214         struct task_security_struct *tsec = current->security;
215         struct file_security_struct *fsec;
216
217         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218         if (!fsec)
219                 return -ENOMEM;
220
221         fsec->file = file;
222         fsec->sid = tsec->sid;
223         fsec->fown_sid = tsec->sid;
224         file->f_security = fsec;
225
226         return 0;
227 }
228
229 static void file_free_security(struct file *file)
230 {
231         struct file_security_struct *fsec = file->f_security;
232         file->f_security = NULL;
233         kfree(fsec);
234 }
235
236 static int superblock_alloc_security(struct super_block *sb)
237 {
238         struct superblock_security_struct *sbsec;
239
240         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241         if (!sbsec)
242                 return -ENOMEM;
243
244         mutex_init(&sbsec->lock);
245         INIT_LIST_HEAD(&sbsec->list);
246         INIT_LIST_HEAD(&sbsec->isec_head);
247         spin_lock_init(&sbsec->isec_lock);
248         sbsec->sb = sb;
249         sbsec->sid = SECINITSID_UNLABELED;
250         sbsec->def_sid = SECINITSID_FILE;
251         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252         sb->s_security = sbsec;
253
254         return 0;
255 }
256
257 static void superblock_free_security(struct super_block *sb)
258 {
259         struct superblock_security_struct *sbsec = sb->s_security;
260
261         spin_lock(&sb_security_lock);
262         if (!list_empty(&sbsec->list))
263                 list_del_init(&sbsec->list);
264         spin_unlock(&sb_security_lock);
265
266         sb->s_security = NULL;
267         kfree(sbsec);
268 }
269
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 {
272         struct sk_security_struct *ssec;
273
274         ssec = kzalloc(sizeof(*ssec), priority);
275         if (!ssec)
276                 return -ENOMEM;
277
278         ssec->sk = sk;
279         ssec->peer_sid = SECINITSID_UNLABELED;
280         ssec->sid = SECINITSID_UNLABELED;
281         sk->sk_security = ssec;
282
283         selinux_netlbl_sk_security_init(ssec, family);
284
285         return 0;
286 }
287
288 static void sk_free_security(struct sock *sk)
289 {
290         struct sk_security_struct *ssec = sk->sk_security;
291
292         sk->sk_security = NULL;
293         kfree(ssec);
294 }
295
296 /* The security server must be initialized before
297    any labeling or access decisions can be provided. */
298 extern int ss_initialized;
299
300 /* The file system's label must be initialized prior to use. */
301
302 static char *labeling_behaviors[6] = {
303         "uses xattr",
304         "uses transition SIDs",
305         "uses task SIDs",
306         "uses genfs_contexts",
307         "not configured for labeling",
308         "uses mountpoint labeling",
309 };
310
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
312
313 static inline int inode_doinit(struct inode *inode)
314 {
315         return inode_doinit_with_dentry(inode, NULL);
316 }
317
318 enum {
319         Opt_error = -1,
320         Opt_context = 1,
321         Opt_fscontext = 2,
322         Opt_defcontext = 4,
323         Opt_rootcontext = 8,
324 };
325
326 static match_table_t tokens = {
327         {Opt_context, "context=%s"},
328         {Opt_fscontext, "fscontext=%s"},
329         {Opt_defcontext, "defcontext=%s"},
330         {Opt_rootcontext, "rootcontext=%s"},
331         {Opt_error, NULL},
332 };
333
334 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
335
336 static int may_context_mount_sb_relabel(u32 sid,
337                         struct superblock_security_struct *sbsec,
338                         struct task_security_struct *tsec)
339 {
340         int rc;
341
342         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343                           FILESYSTEM__RELABELFROM, NULL);
344         if (rc)
345                 return rc;
346
347         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348                           FILESYSTEM__RELABELTO, NULL);
349         return rc;
350 }
351
352 static int may_context_mount_inode_relabel(u32 sid,
353                         struct superblock_security_struct *sbsec,
354                         struct task_security_struct *tsec)
355 {
356         int rc;
357         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358                           FILESYSTEM__RELABELFROM, NULL);
359         if (rc)
360                 return rc;
361
362         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363                           FILESYSTEM__ASSOCIATE, NULL);
364         return rc;
365 }
366
367 static int try_context_mount(struct super_block *sb, void *data)
368 {
369         char *context = NULL, *defcontext = NULL;
370         char *fscontext = NULL, *rootcontext = NULL;
371         const char *name;
372         u32 sid;
373         int alloc = 0, rc = 0, seen = 0;
374         struct task_security_struct *tsec = current->security;
375         struct superblock_security_struct *sbsec = sb->s_security;
376
377         if (!data)
378                 goto out;
379
380         name = sb->s_type->name;
381
382         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383
384                 /* NFS we understand. */
385                 if (!strcmp(name, "nfs")) {
386                         struct nfs_mount_data *d = data;
387
388                         if (d->version <  NFS_MOUNT_VERSION)
389                                 goto out;
390
391                         if (d->context[0]) {
392                                 context = d->context;
393                                 seen |= Opt_context;
394                         }
395                 } else
396                         goto out;
397
398         } else {
399                 /* Standard string-based options. */
400                 char *p, *options = data;
401
402                 while ((p = strsep(&options, "|")) != NULL) {
403                         int token;
404                         substring_t args[MAX_OPT_ARGS];
405
406                         if (!*p)
407                                 continue;
408
409                         token = match_token(p, tokens, args);
410
411                         switch (token) {
412                         case Opt_context:
413                                 if (seen & (Opt_context|Opt_defcontext)) {
414                                         rc = -EINVAL;
415                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
416                                         goto out_free;
417                                 }
418                                 context = match_strdup(&args[0]);
419                                 if (!context) {
420                                         rc = -ENOMEM;
421                                         goto out_free;
422                                 }
423                                 if (!alloc)
424                                         alloc = 1;
425                                 seen |= Opt_context;
426                                 break;
427
428                         case Opt_fscontext:
429                                 if (seen & Opt_fscontext) {
430                                         rc = -EINVAL;
431                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
432                                         goto out_free;
433                                 }
434                                 fscontext = match_strdup(&args[0]);
435                                 if (!fscontext) {
436                                         rc = -ENOMEM;
437                                         goto out_free;
438                                 }
439                                 if (!alloc)
440                                         alloc = 1;
441                                 seen |= Opt_fscontext;
442                                 break;
443
444                         case Opt_rootcontext:
445                                 if (seen & Opt_rootcontext) {
446                                         rc = -EINVAL;
447                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
448                                         goto out_free;
449                                 }
450                                 rootcontext = match_strdup(&args[0]);
451                                 if (!rootcontext) {
452                                         rc = -ENOMEM;
453                                         goto out_free;
454                                 }
455                                 if (!alloc)
456                                         alloc = 1;
457                                 seen |= Opt_rootcontext;
458                                 break;
459
460                         case Opt_defcontext:
461                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462                                         rc = -EINVAL;
463                                         printk(KERN_WARNING "SELinux:  "
464                                                "defcontext option is invalid "
465                                                "for this filesystem type\n");
466                                         goto out_free;
467                                 }
468                                 if (seen & (Opt_context|Opt_defcontext)) {
469                                         rc = -EINVAL;
470                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
471                                         goto out_free;
472                                 }
473                                 defcontext = match_strdup(&args[0]);
474                                 if (!defcontext) {
475                                         rc = -ENOMEM;
476                                         goto out_free;
477                                 }
478                                 if (!alloc)
479                                         alloc = 1;
480                                 seen |= Opt_defcontext;
481                                 break;
482
483                         default:
484                                 rc = -EINVAL;
485                                 printk(KERN_WARNING "SELinux:  unknown mount "
486                                        "option\n");
487                                 goto out_free;
488
489                         }
490                 }
491         }
492
493         if (!seen)
494                 goto out;
495
496         /* sets the context of the superblock for the fs being mounted. */
497         if (fscontext) {
498                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
499                 if (rc) {
500                         printk(KERN_WARNING "SELinux: security_context_to_sid"
501                                "(%s) failed for (dev %s, type %s) errno=%d\n",
502                                fscontext, sb->s_id, name, rc);
503                         goto out_free;
504                 }
505
506                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
507                 if (rc)
508                         goto out_free;
509
510                 sbsec->sid = sid;
511         }
512
513         /*
514          * Switch to using mount point labeling behavior.
515          * sets the label used on all file below the mountpoint, and will set
516          * the superblock context if not already set.
517          */
518         if (context) {
519                 rc = security_context_to_sid(context, strlen(context), &sid);
520                 if (rc) {
521                         printk(KERN_WARNING "SELinux: security_context_to_sid"
522                                "(%s) failed for (dev %s, type %s) errno=%d\n",
523                                context, sb->s_id, name, rc);
524                         goto out_free;
525                 }
526
527                 if (!fscontext) {
528                         rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
529                         if (rc)
530                                 goto out_free;
531                         sbsec->sid = sid;
532                 } else {
533                         rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
534                         if (rc)
535                                 goto out_free;
536                 }
537                 sbsec->mntpoint_sid = sid;
538
539                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
540         }
541
542         if (rootcontext) {
543                 struct inode *inode = sb->s_root->d_inode;
544                 struct inode_security_struct *isec = inode->i_security;
545                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546                 if (rc) {
547                         printk(KERN_WARNING "SELinux: security_context_to_sid"
548                                "(%s) failed for (dev %s, type %s) errno=%d\n",
549                                rootcontext, sb->s_id, name, rc);
550                         goto out_free;
551                 }
552
553                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
554                 if (rc)
555                         goto out_free;
556
557                 isec->sid = sid;
558                 isec->initialized = 1;
559         }
560
561         if (defcontext) {
562                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563                 if (rc) {
564                         printk(KERN_WARNING "SELinux: security_context_to_sid"
565                                "(%s) failed for (dev %s, type %s) errno=%d\n",
566                                defcontext, sb->s_id, name, rc);
567                         goto out_free;
568                 }
569
570                 if (sid == sbsec->def_sid)
571                         goto out_free;
572
573                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
574                 if (rc)
575                         goto out_free;
576
577                 sbsec->def_sid = sid;
578         }
579
580 out_free:
581         if (alloc) {
582                 kfree(context);
583                 kfree(defcontext);
584                 kfree(fscontext);
585                 kfree(rootcontext);
586         }
587 out:
588         return rc;
589 }
590
591 static int superblock_doinit(struct super_block *sb, void *data)
592 {
593         struct superblock_security_struct *sbsec = sb->s_security;
594         struct dentry *root = sb->s_root;
595         struct inode *inode = root->d_inode;
596         int rc = 0;
597
598         mutex_lock(&sbsec->lock);
599         if (sbsec->initialized)
600                 goto out;
601
602         if (!ss_initialized) {
603                 /* Defer initialization until selinux_complete_init,
604                    after the initial policy is loaded and the security
605                    server is ready to handle calls. */
606                 spin_lock(&sb_security_lock);
607                 if (list_empty(&sbsec->list))
608                         list_add(&sbsec->list, &superblock_security_head);
609                 spin_unlock(&sb_security_lock);
610                 goto out;
611         }
612
613         /* Determine the labeling behavior to use for this filesystem type. */
614         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615         if (rc) {
616                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
617                        __FUNCTION__, sb->s_type->name, rc);
618                 goto out;
619         }
620
621         rc = try_context_mount(sb, data);
622         if (rc)
623                 goto out;
624
625         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
626                 /* Make sure that the xattr handler exists and that no
627                    error other than -ENODATA is returned by getxattr on
628                    the root directory.  -ENODATA is ok, as this may be
629                    the first boot of the SELinux kernel before we have
630                    assigned xattr values to the filesystem. */
631                 if (!inode->i_op->getxattr) {
632                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
633                                "xattr support\n", sb->s_id, sb->s_type->name);
634                         rc = -EOPNOTSUPP;
635                         goto out;
636                 }
637                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
638                 if (rc < 0 && rc != -ENODATA) {
639                         if (rc == -EOPNOTSUPP)
640                                 printk(KERN_WARNING "SELinux: (dev %s, type "
641                                        "%s) has no security xattr handler\n",
642                                        sb->s_id, sb->s_type->name);
643                         else
644                                 printk(KERN_WARNING "SELinux: (dev %s, type "
645                                        "%s) getxattr errno %d\n", sb->s_id,
646                                        sb->s_type->name, -rc);
647                         goto out;
648                 }
649         }
650
651         if (strcmp(sb->s_type->name, "proc") == 0)
652                 sbsec->proc = 1;
653
654         sbsec->initialized = 1;
655
656         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
657                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
658                        sb->s_id, sb->s_type->name);
659         }
660         else {
661                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
662                        sb->s_id, sb->s_type->name,
663                        labeling_behaviors[sbsec->behavior-1]);
664         }
665
666         /* Initialize the root inode. */
667         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668
669         /* Initialize any other inodes associated with the superblock, e.g.
670            inodes created prior to initial policy load or inodes created
671            during get_sb by a pseudo filesystem that directly
672            populates itself. */
673         spin_lock(&sbsec->isec_lock);
674 next_inode:
675         if (!list_empty(&sbsec->isec_head)) {
676                 struct inode_security_struct *isec =
677                                 list_entry(sbsec->isec_head.next,
678                                            struct inode_security_struct, list);
679                 struct inode *inode = isec->inode;
680                 spin_unlock(&sbsec->isec_lock);
681                 inode = igrab(inode);
682                 if (inode) {
683                         if (!IS_PRIVATE (inode))
684                                 inode_doinit(inode);
685                         iput(inode);
686                 }
687                 spin_lock(&sbsec->isec_lock);
688                 list_del_init(&isec->list);
689                 goto next_inode;
690         }
691         spin_unlock(&sbsec->isec_lock);
692 out:
693         mutex_unlock(&sbsec->lock);
694         return rc;
695 }
696
697 static inline u16 inode_mode_to_security_class(umode_t mode)
698 {
699         switch (mode & S_IFMT) {
700         case S_IFSOCK:
701                 return SECCLASS_SOCK_FILE;
702         case S_IFLNK:
703                 return SECCLASS_LNK_FILE;
704         case S_IFREG:
705                 return SECCLASS_FILE;
706         case S_IFBLK:
707                 return SECCLASS_BLK_FILE;
708         case S_IFDIR:
709                 return SECCLASS_DIR;
710         case S_IFCHR:
711                 return SECCLASS_CHR_FILE;
712         case S_IFIFO:
713                 return SECCLASS_FIFO_FILE;
714
715         }
716
717         return SECCLASS_FILE;
718 }
719
720 static inline int default_protocol_stream(int protocol)
721 {
722         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
723 }
724
725 static inline int default_protocol_dgram(int protocol)
726 {
727         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
728 }
729
730 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
731 {
732         switch (family) {
733         case PF_UNIX:
734                 switch (type) {
735                 case SOCK_STREAM:
736                 case SOCK_SEQPACKET:
737                         return SECCLASS_UNIX_STREAM_SOCKET;
738                 case SOCK_DGRAM:
739                         return SECCLASS_UNIX_DGRAM_SOCKET;
740                 }
741                 break;
742         case PF_INET:
743         case PF_INET6:
744                 switch (type) {
745                 case SOCK_STREAM:
746                         if (default_protocol_stream(protocol))
747                                 return SECCLASS_TCP_SOCKET;
748                         else
749                                 return SECCLASS_RAWIP_SOCKET;
750                 case SOCK_DGRAM:
751                         if (default_protocol_dgram(protocol))
752                                 return SECCLASS_UDP_SOCKET;
753                         else
754                                 return SECCLASS_RAWIP_SOCKET;
755                 case SOCK_DCCP:
756                         return SECCLASS_DCCP_SOCKET;
757                 default:
758                         return SECCLASS_RAWIP_SOCKET;
759                 }
760                 break;
761         case PF_NETLINK:
762                 switch (protocol) {
763                 case NETLINK_ROUTE:
764                         return SECCLASS_NETLINK_ROUTE_SOCKET;
765                 case NETLINK_FIREWALL:
766                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
767                 case NETLINK_INET_DIAG:
768                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
769                 case NETLINK_NFLOG:
770                         return SECCLASS_NETLINK_NFLOG_SOCKET;
771                 case NETLINK_XFRM:
772                         return SECCLASS_NETLINK_XFRM_SOCKET;
773                 case NETLINK_SELINUX:
774                         return SECCLASS_NETLINK_SELINUX_SOCKET;
775                 case NETLINK_AUDIT:
776                         return SECCLASS_NETLINK_AUDIT_SOCKET;
777                 case NETLINK_IP6_FW:
778                         return SECCLASS_NETLINK_IP6FW_SOCKET;
779                 case NETLINK_DNRTMSG:
780                         return SECCLASS_NETLINK_DNRT_SOCKET;
781                 case NETLINK_KOBJECT_UEVENT:
782                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
783                 default:
784                         return SECCLASS_NETLINK_SOCKET;
785                 }
786         case PF_PACKET:
787                 return SECCLASS_PACKET_SOCKET;
788         case PF_KEY:
789                 return SECCLASS_KEY_SOCKET;
790         case PF_APPLETALK:
791                 return SECCLASS_APPLETALK_SOCKET;
792         }
793
794         return SECCLASS_SOCKET;
795 }
796
797 #ifdef CONFIG_PROC_FS
798 static int selinux_proc_get_sid(struct proc_dir_entry *de,
799                                 u16 tclass,
800                                 u32 *sid)
801 {
802         int buflen, rc;
803         char *buffer, *path, *end;
804
805         buffer = (char*)__get_free_page(GFP_KERNEL);
806         if (!buffer)
807                 return -ENOMEM;
808
809         buflen = PAGE_SIZE;
810         end = buffer+buflen;
811         *--end = '\0';
812         buflen--;
813         path = end-1;
814         *path = '/';
815         while (de && de != de->parent) {
816                 buflen -= de->namelen + 1;
817                 if (buflen < 0)
818                         break;
819                 end -= de->namelen;
820                 memcpy(end, de->name, de->namelen);
821                 *--end = '/';
822                 path = end;
823                 de = de->parent;
824         }
825         rc = security_genfs_sid("proc", path, tclass, sid);
826         free_page((unsigned long)buffer);
827         return rc;
828 }
829 #else
830 static int selinux_proc_get_sid(struct proc_dir_entry *de,
831                                 u16 tclass,
832                                 u32 *sid)
833 {
834         return -EINVAL;
835 }
836 #endif
837
838 /* The inode's security attributes must be initialized before first use. */
839 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
840 {
841         struct superblock_security_struct *sbsec = NULL;
842         struct inode_security_struct *isec = inode->i_security;
843         u32 sid;
844         struct dentry *dentry;
845 #define INITCONTEXTLEN 255
846         char *context = NULL;
847         unsigned len = 0;
848         int rc = 0;
849
850         if (isec->initialized)
851                 goto out;
852
853         mutex_lock(&isec->lock);
854         if (isec->initialized)
855                 goto out_unlock;
856
857         sbsec = inode->i_sb->s_security;
858         if (!sbsec->initialized) {
859                 /* Defer initialization until selinux_complete_init,
860                    after the initial policy is loaded and the security
861                    server is ready to handle calls. */
862                 spin_lock(&sbsec->isec_lock);
863                 if (list_empty(&isec->list))
864                         list_add(&isec->list, &sbsec->isec_head);
865                 spin_unlock(&sbsec->isec_lock);
866                 goto out_unlock;
867         }
868
869         switch (sbsec->behavior) {
870         case SECURITY_FS_USE_XATTR:
871                 if (!inode->i_op->getxattr) {
872                         isec->sid = sbsec->def_sid;
873                         break;
874                 }
875
876                 /* Need a dentry, since the xattr API requires one.
877                    Life would be simpler if we could just pass the inode. */
878                 if (opt_dentry) {
879                         /* Called from d_instantiate or d_splice_alias. */
880                         dentry = dget(opt_dentry);
881                 } else {
882                         /* Called from selinux_complete_init, try to find a dentry. */
883                         dentry = d_find_alias(inode);
884                 }
885                 if (!dentry) {
886                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
887                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
888                                inode->i_ino);
889                         goto out_unlock;
890                 }
891
892                 len = INITCONTEXTLEN;
893                 context = kmalloc(len, GFP_KERNEL);
894                 if (!context) {
895                         rc = -ENOMEM;
896                         dput(dentry);
897                         goto out_unlock;
898                 }
899                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
900                                            context, len);
901                 if (rc == -ERANGE) {
902                         /* Need a larger buffer.  Query for the right size. */
903                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
904                                                    NULL, 0);
905                         if (rc < 0) {
906                                 dput(dentry);
907                                 goto out_unlock;
908                         }
909                         kfree(context);
910                         len = rc;
911                         context = kmalloc(len, GFP_KERNEL);
912                         if (!context) {
913                                 rc = -ENOMEM;
914                                 dput(dentry);
915                                 goto out_unlock;
916                         }
917                         rc = inode->i_op->getxattr(dentry,
918                                                    XATTR_NAME_SELINUX,
919                                                    context, len);
920                 }
921                 dput(dentry);
922                 if (rc < 0) {
923                         if (rc != -ENODATA) {
924                                 printk(KERN_WARNING "%s:  getxattr returned "
925                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
926                                        -rc, inode->i_sb->s_id, inode->i_ino);
927                                 kfree(context);
928                                 goto out_unlock;
929                         }
930                         /* Map ENODATA to the default file SID */
931                         sid = sbsec->def_sid;
932                         rc = 0;
933                 } else {
934                         rc = security_context_to_sid_default(context, rc, &sid,
935                                                              sbsec->def_sid);
936                         if (rc) {
937                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
938                                        "returned %d for dev=%s ino=%ld\n",
939                                        __FUNCTION__, context, -rc,
940                                        inode->i_sb->s_id, inode->i_ino);
941                                 kfree(context);
942                                 /* Leave with the unlabeled SID */
943                                 rc = 0;
944                                 break;
945                         }
946                 }
947                 kfree(context);
948                 isec->sid = sid;
949                 break;
950         case SECURITY_FS_USE_TASK:
951                 isec->sid = isec->task_sid;
952                 break;
953         case SECURITY_FS_USE_TRANS:
954                 /* Default to the fs SID. */
955                 isec->sid = sbsec->sid;
956
957                 /* Try to obtain a transition SID. */
958                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
959                 rc = security_transition_sid(isec->task_sid,
960                                              sbsec->sid,
961                                              isec->sclass,
962                                              &sid);
963                 if (rc)
964                         goto out_unlock;
965                 isec->sid = sid;
966                 break;
967         case SECURITY_FS_USE_MNTPOINT:
968                 isec->sid = sbsec->mntpoint_sid;
969                 break;
970         default:
971                 /* Default to the fs superblock SID. */
972                 isec->sid = sbsec->sid;
973
974                 if (sbsec->proc) {
975                         struct proc_inode *proci = PROC_I(inode);
976                         if (proci->pde) {
977                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
978                                 rc = selinux_proc_get_sid(proci->pde,
979                                                           isec->sclass,
980                                                           &sid);
981                                 if (rc)
982                                         goto out_unlock;
983                                 isec->sid = sid;
984                         }
985                 }
986                 break;
987         }
988
989         isec->initialized = 1;
990
991 out_unlock:
992         mutex_unlock(&isec->lock);
993 out:
994         if (isec->sclass == SECCLASS_FILE)
995                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
996         return rc;
997 }
998
999 /* Convert a Linux signal to an access vector. */
1000 static inline u32 signal_to_av(int sig)
1001 {
1002         u32 perm = 0;
1003
1004         switch (sig) {
1005         case SIGCHLD:
1006                 /* Commonly granted from child to parent. */
1007                 perm = PROCESS__SIGCHLD;
1008                 break;
1009         case SIGKILL:
1010                 /* Cannot be caught or ignored */
1011                 perm = PROCESS__SIGKILL;
1012                 break;
1013         case SIGSTOP:
1014                 /* Cannot be caught or ignored */
1015                 perm = PROCESS__SIGSTOP;
1016                 break;
1017         default:
1018                 /* All other signals. */
1019                 perm = PROCESS__SIGNAL;
1020                 break;
1021         }
1022
1023         return perm;
1024 }
1025
1026 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1027    fork check, ptrace check, etc. */
1028 static int task_has_perm(struct task_struct *tsk1,
1029                          struct task_struct *tsk2,
1030                          u32 perms)
1031 {
1032         struct task_security_struct *tsec1, *tsec2;
1033
1034         tsec1 = tsk1->security;
1035         tsec2 = tsk2->security;
1036         return avc_has_perm(tsec1->sid, tsec2->sid,
1037                             SECCLASS_PROCESS, perms, NULL);
1038 }
1039
1040 /* Check whether a task is allowed to use a capability. */
1041 static int task_has_capability(struct task_struct *tsk,
1042                                int cap)
1043 {
1044         struct task_security_struct *tsec;
1045         struct avc_audit_data ad;
1046
1047         tsec = tsk->security;
1048
1049         AVC_AUDIT_DATA_INIT(&ad,CAP);
1050         ad.tsk = tsk;
1051         ad.u.cap = cap;
1052
1053         return avc_has_perm(tsec->sid, tsec->sid,
1054                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1055 }
1056
1057 /* Check whether a task is allowed to use a system operation. */
1058 static int task_has_system(struct task_struct *tsk,
1059                            u32 perms)
1060 {
1061         struct task_security_struct *tsec;
1062
1063         tsec = tsk->security;
1064
1065         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1066                             SECCLASS_SYSTEM, perms, NULL);
1067 }
1068
1069 /* Check whether a task has a particular permission to an inode.
1070    The 'adp' parameter is optional and allows other audit
1071    data to be passed (e.g. the dentry). */
1072 static int inode_has_perm(struct task_struct *tsk,
1073                           struct inode *inode,
1074                           u32 perms,
1075                           struct avc_audit_data *adp)
1076 {
1077         struct task_security_struct *tsec;
1078         struct inode_security_struct *isec;
1079         struct avc_audit_data ad;
1080
1081         if (unlikely (IS_PRIVATE (inode)))
1082                 return 0;
1083
1084         tsec = tsk->security;
1085         isec = inode->i_security;
1086
1087         if (!adp) {
1088                 adp = &ad;
1089                 AVC_AUDIT_DATA_INIT(&ad, FS);
1090                 ad.u.fs.inode = inode;
1091         }
1092
1093         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1094 }
1095
1096 /* Same as inode_has_perm, but pass explicit audit data containing
1097    the dentry to help the auditing code to more easily generate the
1098    pathname if needed. */
1099 static inline int dentry_has_perm(struct task_struct *tsk,
1100                                   struct vfsmount *mnt,
1101                                   struct dentry *dentry,
1102                                   u32 av)
1103 {
1104         struct inode *inode = dentry->d_inode;
1105         struct avc_audit_data ad;
1106         AVC_AUDIT_DATA_INIT(&ad,FS);
1107         ad.u.fs.mnt = mnt;
1108         ad.u.fs.dentry = dentry;
1109         return inode_has_perm(tsk, inode, av, &ad);
1110 }
1111
1112 /* Check whether a task can use an open file descriptor to
1113    access an inode in a given way.  Check access to the
1114    descriptor itself, and then use dentry_has_perm to
1115    check a particular permission to the file.
1116    Access to the descriptor is implicitly granted if it
1117    has the same SID as the process.  If av is zero, then
1118    access to the file is not checked, e.g. for cases
1119    where only the descriptor is affected like seek. */
1120 static int file_has_perm(struct task_struct *tsk,
1121                                 struct file *file,
1122                                 u32 av)
1123 {
1124         struct task_security_struct *tsec = tsk->security;
1125         struct file_security_struct *fsec = file->f_security;
1126         struct vfsmount *mnt = file->f_path.mnt;
1127         struct dentry *dentry = file->f_path.dentry;
1128         struct inode *inode = dentry->d_inode;
1129         struct avc_audit_data ad;
1130         int rc;
1131
1132         AVC_AUDIT_DATA_INIT(&ad, FS);
1133         ad.u.fs.mnt = mnt;
1134         ad.u.fs.dentry = dentry;
1135
1136         if (tsec->sid != fsec->sid) {
1137                 rc = avc_has_perm(tsec->sid, fsec->sid,
1138                                   SECCLASS_FD,
1139                                   FD__USE,
1140                                   &ad);
1141                 if (rc)
1142                         return rc;
1143         }
1144
1145         /* av is zero if only checking access to the descriptor. */
1146         if (av)
1147                 return inode_has_perm(tsk, inode, av, &ad);
1148
1149         return 0;
1150 }
1151
1152 /* Check whether a task can create a file. */
1153 static int may_create(struct inode *dir,
1154                       struct dentry *dentry,
1155                       u16 tclass)
1156 {
1157         struct task_security_struct *tsec;
1158         struct inode_security_struct *dsec;
1159         struct superblock_security_struct *sbsec;
1160         u32 newsid;
1161         struct avc_audit_data ad;
1162         int rc;
1163
1164         tsec = current->security;
1165         dsec = dir->i_security;
1166         sbsec = dir->i_sb->s_security;
1167
1168         AVC_AUDIT_DATA_INIT(&ad, FS);
1169         ad.u.fs.dentry = dentry;
1170
1171         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1172                           DIR__ADD_NAME | DIR__SEARCH,
1173                           &ad);
1174         if (rc)
1175                 return rc;
1176
1177         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1178                 newsid = tsec->create_sid;
1179         } else {
1180                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1181                                              &newsid);
1182                 if (rc)
1183                         return rc;
1184         }
1185
1186         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1187         if (rc)
1188                 return rc;
1189
1190         return avc_has_perm(newsid, sbsec->sid,
1191                             SECCLASS_FILESYSTEM,
1192                             FILESYSTEM__ASSOCIATE, &ad);
1193 }
1194
1195 /* Check whether a task can create a key. */
1196 static int may_create_key(u32 ksid,
1197                           struct task_struct *ctx)
1198 {
1199         struct task_security_struct *tsec;
1200
1201         tsec = ctx->security;
1202
1203         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1204 }
1205
1206 #define MAY_LINK   0
1207 #define MAY_UNLINK 1
1208 #define MAY_RMDIR  2
1209
1210 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1211 static int may_link(struct inode *dir,
1212                     struct dentry *dentry,
1213                     int kind)
1214
1215 {
1216         struct task_security_struct *tsec;
1217         struct inode_security_struct *dsec, *isec;
1218         struct avc_audit_data ad;
1219         u32 av;
1220         int rc;
1221
1222         tsec = current->security;
1223         dsec = dir->i_security;
1224         isec = dentry->d_inode->i_security;
1225
1226         AVC_AUDIT_DATA_INIT(&ad, FS);
1227         ad.u.fs.dentry = dentry;
1228
1229         av = DIR__SEARCH;
1230         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1231         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1232         if (rc)
1233                 return rc;
1234
1235         switch (kind) {
1236         case MAY_LINK:
1237                 av = FILE__LINK;
1238                 break;
1239         case MAY_UNLINK:
1240                 av = FILE__UNLINK;
1241                 break;
1242         case MAY_RMDIR:
1243                 av = DIR__RMDIR;
1244                 break;
1245         default:
1246                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1247                 return 0;
1248         }
1249
1250         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1251         return rc;
1252 }
1253
1254 static inline int may_rename(struct inode *old_dir,
1255                              struct dentry *old_dentry,
1256                              struct inode *new_dir,
1257                              struct dentry *new_dentry)
1258 {
1259         struct task_security_struct *tsec;
1260         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1261         struct avc_audit_data ad;
1262         u32 av;
1263         int old_is_dir, new_is_dir;
1264         int rc;
1265
1266         tsec = current->security;
1267         old_dsec = old_dir->i_security;
1268         old_isec = old_dentry->d_inode->i_security;
1269         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1270         new_dsec = new_dir->i_security;
1271
1272         AVC_AUDIT_DATA_INIT(&ad, FS);
1273
1274         ad.u.fs.dentry = old_dentry;
1275         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1276                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1277         if (rc)
1278                 return rc;
1279         rc = avc_has_perm(tsec->sid, old_isec->sid,
1280                           old_isec->sclass, FILE__RENAME, &ad);
1281         if (rc)
1282                 return rc;
1283         if (old_is_dir && new_dir != old_dir) {
1284                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1285                                   old_isec->sclass, DIR__REPARENT, &ad);
1286                 if (rc)
1287                         return rc;
1288         }
1289
1290         ad.u.fs.dentry = new_dentry;
1291         av = DIR__ADD_NAME | DIR__SEARCH;
1292         if (new_dentry->d_inode)
1293                 av |= DIR__REMOVE_NAME;
1294         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1295         if (rc)
1296                 return rc;
1297         if (new_dentry->d_inode) {
1298                 new_isec = new_dentry->d_inode->i_security;
1299                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1300                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1301                                   new_isec->sclass,
1302                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1303                 if (rc)
1304                         return rc;
1305         }
1306
1307         return 0;
1308 }
1309
1310 /* Check whether a task can perform a filesystem operation. */
1311 static int superblock_has_perm(struct task_struct *tsk,
1312                                struct super_block *sb,
1313                                u32 perms,
1314                                struct avc_audit_data *ad)
1315 {
1316         struct task_security_struct *tsec;
1317         struct superblock_security_struct *sbsec;
1318
1319         tsec = tsk->security;
1320         sbsec = sb->s_security;
1321         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1322                             perms, ad);
1323 }
1324
1325 /* Convert a Linux mode and permission mask to an access vector. */
1326 static inline u32 file_mask_to_av(int mode, int mask)
1327 {
1328         u32 av = 0;
1329
1330         if ((mode & S_IFMT) != S_IFDIR) {
1331                 if (mask & MAY_EXEC)
1332                         av |= FILE__EXECUTE;
1333                 if (mask & MAY_READ)
1334                         av |= FILE__READ;
1335
1336                 if (mask & MAY_APPEND)
1337                         av |= FILE__APPEND;
1338                 else if (mask & MAY_WRITE)
1339                         av |= FILE__WRITE;
1340
1341         } else {
1342                 if (mask & MAY_EXEC)
1343                         av |= DIR__SEARCH;
1344                 if (mask & MAY_WRITE)
1345                         av |= DIR__WRITE;
1346                 if (mask & MAY_READ)
1347                         av |= DIR__READ;
1348         }
1349
1350         return av;
1351 }
1352
1353 /* Convert a Linux file to an access vector. */
1354 static inline u32 file_to_av(struct file *file)
1355 {
1356         u32 av = 0;
1357
1358         if (file->f_mode & FMODE_READ)
1359                 av |= FILE__READ;
1360         if (file->f_mode & FMODE_WRITE) {
1361                 if (file->f_flags & O_APPEND)
1362                         av |= FILE__APPEND;
1363                 else
1364                         av |= FILE__WRITE;
1365         }
1366
1367         return av;
1368 }
1369
1370 /* Hook functions begin here. */
1371
1372 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1373 {
1374         struct task_security_struct *psec = parent->security;
1375         struct task_security_struct *csec = child->security;
1376         int rc;
1377
1378         rc = secondary_ops->ptrace(parent,child);
1379         if (rc)
1380                 return rc;
1381
1382         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1383         /* Save the SID of the tracing process for later use in apply_creds. */
1384         if (!(child->ptrace & PT_PTRACED) && !rc)
1385                 csec->ptrace_sid = psec->sid;
1386         return rc;
1387 }
1388
1389 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1390                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1391 {
1392         int error;
1393
1394         error = task_has_perm(current, target, PROCESS__GETCAP);
1395         if (error)
1396                 return error;
1397
1398         return secondary_ops->capget(target, effective, inheritable, permitted);
1399 }
1400
1401 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1402                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1403 {
1404         int error;
1405
1406         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1407         if (error)
1408                 return error;
1409
1410         return task_has_perm(current, target, PROCESS__SETCAP);
1411 }
1412
1413 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1414                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1415 {
1416         secondary_ops->capset_set(target, effective, inheritable, permitted);
1417 }
1418
1419 static int selinux_capable(struct task_struct *tsk, int cap)
1420 {
1421         int rc;
1422
1423         rc = secondary_ops->capable(tsk, cap);
1424         if (rc)
1425                 return rc;
1426
1427         return task_has_capability(tsk,cap);
1428 }
1429
1430 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1431 {
1432         int buflen, rc;
1433         char *buffer, *path, *end;
1434
1435         rc = -ENOMEM;
1436         buffer = (char*)__get_free_page(GFP_KERNEL);
1437         if (!buffer)
1438                 goto out;
1439
1440         buflen = PAGE_SIZE;
1441         end = buffer+buflen;
1442         *--end = '\0';
1443         buflen--;
1444         path = end-1;
1445         *path = '/';
1446         while (table) {
1447                 const char *name = table->procname;
1448                 size_t namelen = strlen(name);
1449                 buflen -= namelen + 1;
1450                 if (buflen < 0)
1451                         goto out_free;
1452                 end -= namelen;
1453                 memcpy(end, name, namelen);
1454                 *--end = '/';
1455                 path = end;
1456                 table = table->parent;
1457         }
1458         buflen -= 4;
1459         if (buflen < 0)
1460                 goto out_free;
1461         end -= 4;
1462         memcpy(end, "/sys", 4);
1463         path = end;
1464         rc = security_genfs_sid("proc", path, tclass, sid);
1465 out_free:
1466         free_page((unsigned long)buffer);
1467 out:
1468         return rc;
1469 }
1470
1471 static int selinux_sysctl(ctl_table *table, int op)
1472 {
1473         int error = 0;
1474         u32 av;
1475         struct task_security_struct *tsec;
1476         u32 tsid;
1477         int rc;
1478
1479         rc = secondary_ops->sysctl(table, op);
1480         if (rc)
1481                 return rc;
1482
1483         tsec = current->security;
1484
1485         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1486                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1487         if (rc) {
1488                 /* Default to the well-defined sysctl SID. */
1489                 tsid = SECINITSID_SYSCTL;
1490         }
1491
1492         /* The op values are "defined" in sysctl.c, thereby creating
1493          * a bad coupling between this module and sysctl.c */
1494         if(op == 001) {
1495                 error = avc_has_perm(tsec->sid, tsid,
1496                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1497         } else {
1498                 av = 0;
1499                 if (op & 004)
1500                         av |= FILE__READ;
1501                 if (op & 002)
1502                         av |= FILE__WRITE;
1503                 if (av)
1504                         error = avc_has_perm(tsec->sid, tsid,
1505                                              SECCLASS_FILE, av, NULL);
1506         }
1507
1508         return error;
1509 }
1510
1511 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1512 {
1513         int rc = 0;
1514
1515         if (!sb)
1516                 return 0;
1517
1518         switch (cmds) {
1519                 case Q_SYNC:
1520                 case Q_QUOTAON:
1521                 case Q_QUOTAOFF:
1522                 case Q_SETINFO:
1523                 case Q_SETQUOTA:
1524                         rc = superblock_has_perm(current,
1525                                                  sb,
1526                                                  FILESYSTEM__QUOTAMOD, NULL);
1527                         break;
1528                 case Q_GETFMT:
1529                 case Q_GETINFO:
1530                 case Q_GETQUOTA:
1531                         rc = superblock_has_perm(current,
1532                                                  sb,
1533                                                  FILESYSTEM__QUOTAGET, NULL);
1534                         break;
1535                 default:
1536                         rc = 0;  /* let the kernel handle invalid cmds */
1537                         break;
1538         }
1539         return rc;
1540 }
1541
1542 static int selinux_quota_on(struct dentry *dentry)
1543 {
1544         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1545 }
1546
1547 static int selinux_syslog(int type)
1548 {
1549         int rc;
1550
1551         rc = secondary_ops->syslog(type);
1552         if (rc)
1553                 return rc;
1554
1555         switch (type) {
1556                 case 3:         /* Read last kernel messages */
1557                 case 10:        /* Return size of the log buffer */
1558                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1559                         break;
1560                 case 6:         /* Disable logging to console */
1561                 case 7:         /* Enable logging to console */
1562                 case 8:         /* Set level of messages printed to console */
1563                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1564                         break;
1565                 case 0:         /* Close log */
1566                 case 1:         /* Open log */
1567                 case 2:         /* Read from log */
1568                 case 4:         /* Read/clear last kernel messages */
1569                 case 5:         /* Clear ring buffer */
1570                 default:
1571                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1572                         break;
1573         }
1574         return rc;
1575 }
1576
1577 /*
1578  * Check that a process has enough memory to allocate a new virtual
1579  * mapping. 0 means there is enough memory for the allocation to
1580  * succeed and -ENOMEM implies there is not.
1581  *
1582  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1583  * if the capability is granted, but __vm_enough_memory requires 1 if
1584  * the capability is granted.
1585  *
1586  * Do not audit the selinux permission check, as this is applied to all
1587  * processes that allocate mappings.
1588  */
1589 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1590 {
1591         int rc, cap_sys_admin = 0;
1592         struct task_security_struct *tsec = current->security;
1593
1594         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1595         if (rc == 0)
1596                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1597                                           SECCLASS_CAPABILITY,
1598                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1599                                           0,
1600                                           NULL);
1601
1602         if (rc == 0)
1603                 cap_sys_admin = 1;
1604
1605         return __vm_enough_memory(mm, pages, cap_sys_admin);
1606 }
1607
1608 /* binprm security operations */
1609
1610 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1611 {
1612         struct bprm_security_struct *bsec;
1613
1614         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1615         if (!bsec)
1616                 return -ENOMEM;
1617
1618         bsec->bprm = bprm;
1619         bsec->sid = SECINITSID_UNLABELED;
1620         bsec->set = 0;
1621
1622         bprm->security = bsec;
1623         return 0;
1624 }
1625
1626 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1627 {
1628         struct task_security_struct *tsec;
1629         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1630         struct inode_security_struct *isec;
1631         struct bprm_security_struct *bsec;
1632         u32 newsid;
1633         struct avc_audit_data ad;
1634         int rc;
1635
1636         rc = secondary_ops->bprm_set_security(bprm);
1637         if (rc)
1638                 return rc;
1639
1640         bsec = bprm->security;
1641
1642         if (bsec->set)
1643                 return 0;
1644
1645         tsec = current->security;
1646         isec = inode->i_security;
1647
1648         /* Default to the current task SID. */
1649         bsec->sid = tsec->sid;
1650
1651         /* Reset fs, key, and sock SIDs on execve. */
1652         tsec->create_sid = 0;
1653         tsec->keycreate_sid = 0;
1654         tsec->sockcreate_sid = 0;
1655
1656         if (tsec->exec_sid) {
1657                 newsid = tsec->exec_sid;
1658                 /* Reset exec SID on execve. */
1659                 tsec->exec_sid = 0;
1660         } else {
1661                 /* Check for a default transition on this program. */
1662                 rc = security_transition_sid(tsec->sid, isec->sid,
1663                                              SECCLASS_PROCESS, &newsid);
1664                 if (rc)
1665                         return rc;
1666         }
1667
1668         AVC_AUDIT_DATA_INIT(&ad, FS);
1669         ad.u.fs.mnt = bprm->file->f_path.mnt;
1670         ad.u.fs.dentry = bprm->file->f_path.dentry;
1671
1672         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1673                 newsid = tsec->sid;
1674
1675         if (tsec->sid == newsid) {
1676                 rc = avc_has_perm(tsec->sid, isec->sid,
1677                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1678                 if (rc)
1679                         return rc;
1680         } else {
1681                 /* Check permissions for the transition. */
1682                 rc = avc_has_perm(tsec->sid, newsid,
1683                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1684                 if (rc)
1685                         return rc;
1686
1687                 rc = avc_has_perm(newsid, isec->sid,
1688                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1689                 if (rc)
1690                         return rc;
1691
1692                 /* Clear any possibly unsafe personality bits on exec: */
1693                 current->personality &= ~PER_CLEAR_ON_SETID;
1694
1695                 /* Set the security field to the new SID. */
1696                 bsec->sid = newsid;
1697         }
1698
1699         bsec->set = 1;
1700         return 0;
1701 }
1702
1703 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1704 {
1705         return secondary_ops->bprm_check_security(bprm);
1706 }
1707
1708
1709 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1710 {
1711         struct task_security_struct *tsec = current->security;
1712         int atsecure = 0;
1713
1714         if (tsec->osid != tsec->sid) {
1715                 /* Enable secure mode for SIDs transitions unless
1716                    the noatsecure permission is granted between
1717                    the two SIDs, i.e. ahp returns 0. */
1718                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1719                                          SECCLASS_PROCESS,
1720                                          PROCESS__NOATSECURE, NULL);
1721         }
1722
1723         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1724 }
1725
1726 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1727 {
1728         kfree(bprm->security);
1729         bprm->security = NULL;
1730 }
1731
1732 extern struct vfsmount *selinuxfs_mount;
1733 extern struct dentry *selinux_null;
1734
1735 /* Derived from fs/exec.c:flush_old_files. */
1736 static inline void flush_unauthorized_files(struct files_struct * files)
1737 {
1738         struct avc_audit_data ad;
1739         struct file *file, *devnull = NULL;
1740         struct tty_struct *tty;
1741         struct fdtable *fdt;
1742         long j = -1;
1743         int drop_tty = 0;
1744
1745         mutex_lock(&tty_mutex);
1746         tty = get_current_tty();
1747         if (tty) {
1748                 file_list_lock();
1749                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1750                 if (file) {
1751                         /* Revalidate access to controlling tty.
1752                            Use inode_has_perm on the tty inode directly rather
1753                            than using file_has_perm, as this particular open
1754                            file may belong to another process and we are only
1755                            interested in the inode-based check here. */
1756                         struct inode *inode = file->f_path.dentry->d_inode;
1757                         if (inode_has_perm(current, inode,
1758                                            FILE__READ | FILE__WRITE, NULL)) {
1759                                 drop_tty = 1;
1760                         }
1761                 }
1762                 file_list_unlock();
1763         }
1764         mutex_unlock(&tty_mutex);
1765         /* Reset controlling tty. */
1766         if (drop_tty)
1767                 no_tty();
1768
1769         /* Revalidate access to inherited open files. */
1770
1771         AVC_AUDIT_DATA_INIT(&ad,FS);
1772
1773         spin_lock(&files->file_lock);
1774         for (;;) {
1775                 unsigned long set, i;
1776                 int fd;
1777
1778                 j++;
1779                 i = j * __NFDBITS;
1780                 fdt = files_fdtable(files);
1781                 if (i >= fdt->max_fds)
1782                         break;
1783                 set = fdt->open_fds->fds_bits[j];
1784                 if (!set)
1785                         continue;
1786                 spin_unlock(&files->file_lock);
1787                 for ( ; set ; i++,set >>= 1) {
1788                         if (set & 1) {
1789                                 file = fget(i);
1790                                 if (!file)
1791                                         continue;
1792                                 if (file_has_perm(current,
1793                                                   file,
1794                                                   file_to_av(file))) {
1795                                         sys_close(i);
1796                                         fd = get_unused_fd();
1797                                         if (fd != i) {
1798                                                 if (fd >= 0)
1799                                                         put_unused_fd(fd);
1800                                                 fput(file);
1801                                                 continue;
1802                                         }
1803                                         if (devnull) {
1804                                                 get_file(devnull);
1805                                         } else {
1806                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1807                                                 if (IS_ERR(devnull)) {
1808                                                         devnull = NULL;
1809                                                         put_unused_fd(fd);
1810                                                         fput(file);
1811                                                         continue;
1812                                                 }
1813                                         }
1814                                         fd_install(fd, devnull);
1815                                 }
1816                                 fput(file);
1817                         }
1818                 }
1819                 spin_lock(&files->file_lock);
1820
1821         }
1822         spin_unlock(&files->file_lock);
1823 }
1824
1825 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1826 {
1827         struct task_security_struct *tsec;
1828         struct bprm_security_struct *bsec;
1829         u32 sid;
1830         int rc;
1831
1832         secondary_ops->bprm_apply_creds(bprm, unsafe);
1833
1834         tsec = current->security;
1835
1836         bsec = bprm->security;
1837         sid = bsec->sid;
1838
1839         tsec->osid = tsec->sid;
1840         bsec->unsafe = 0;
1841         if (tsec->sid != sid) {
1842                 /* Check for shared state.  If not ok, leave SID
1843                    unchanged and kill. */
1844                 if (unsafe & LSM_UNSAFE_SHARE) {
1845                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1846                                         PROCESS__SHARE, NULL);
1847                         if (rc) {
1848                                 bsec->unsafe = 1;
1849                                 return;
1850                         }
1851                 }
1852
1853                 /* Check for ptracing, and update the task SID if ok.
1854                    Otherwise, leave SID unchanged and kill. */
1855                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1856                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1857                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1858                                           NULL);
1859                         if (rc) {
1860                                 bsec->unsafe = 1;
1861                                 return;
1862                         }
1863                 }
1864                 tsec->sid = sid;
1865         }
1866 }
1867
1868 /*
1869  * called after apply_creds without the task lock held
1870  */
1871 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1872 {
1873         struct task_security_struct *tsec;
1874         struct rlimit *rlim, *initrlim;
1875         struct itimerval itimer;
1876         struct bprm_security_struct *bsec;
1877         int rc, i;
1878
1879         tsec = current->security;
1880         bsec = bprm->security;
1881
1882         if (bsec->unsafe) {
1883                 force_sig_specific(SIGKILL, current);
1884                 return;
1885         }
1886         if (tsec->osid == tsec->sid)
1887                 return;
1888
1889         /* Close files for which the new task SID is not authorized. */
1890         flush_unauthorized_files(current->files);
1891
1892         /* Check whether the new SID can inherit signal state
1893            from the old SID.  If not, clear itimers to avoid
1894            subsequent signal generation and flush and unblock
1895            signals. This must occur _after_ the task SID has
1896           been updated so that any kill done after the flush
1897           will be checked against the new SID. */
1898         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1899                           PROCESS__SIGINH, NULL);
1900         if (rc) {
1901                 memset(&itimer, 0, sizeof itimer);
1902                 for (i = 0; i < 3; i++)
1903                         do_setitimer(i, &itimer, NULL);
1904                 flush_signals(current);
1905                 spin_lock_irq(&current->sighand->siglock);
1906                 flush_signal_handlers(current, 1);
1907                 sigemptyset(&current->blocked);
1908                 recalc_sigpending();
1909                 spin_unlock_irq(&current->sighand->siglock);
1910         }
1911
1912         /* Always clear parent death signal on SID transitions. */
1913         current->pdeath_signal = 0;
1914
1915         /* Check whether the new SID can inherit resource limits
1916            from the old SID.  If not, reset all soft limits to
1917            the lower of the current task's hard limit and the init
1918            task's soft limit.  Note that the setting of hard limits
1919            (even to lower them) can be controlled by the setrlimit
1920            check. The inclusion of the init task's soft limit into
1921            the computation is to avoid resetting soft limits higher
1922            than the default soft limit for cases where the default
1923            is lower than the hard limit, e.g. RLIMIT_CORE or
1924            RLIMIT_STACK.*/
1925         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1926                           PROCESS__RLIMITINH, NULL);
1927         if (rc) {
1928                 for (i = 0; i < RLIM_NLIMITS; i++) {
1929                         rlim = current->signal->rlim + i;
1930                         initrlim = init_task.signal->rlim+i;
1931                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1932                 }
1933                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1934                         /*
1935                          * This will cause RLIMIT_CPU calculations
1936                          * to be refigured.
1937                          */
1938                         current->it_prof_expires = jiffies_to_cputime(1);
1939                 }
1940         }
1941
1942         /* Wake up the parent if it is waiting so that it can
1943            recheck wait permission to the new task SID. */
1944         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1945 }
1946
1947 /* superblock security operations */
1948
1949 static int selinux_sb_alloc_security(struct super_block *sb)
1950 {
1951         return superblock_alloc_security(sb);
1952 }
1953
1954 static void selinux_sb_free_security(struct super_block *sb)
1955 {
1956         superblock_free_security(sb);
1957 }
1958
1959 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1960 {
1961         if (plen > olen)
1962                 return 0;
1963
1964         return !memcmp(prefix, option, plen);
1965 }
1966
1967 static inline int selinux_option(char *option, int len)
1968 {
1969         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1970                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1971                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1972                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1973 }
1974
1975 static inline void take_option(char **to, char *from, int *first, int len)
1976 {
1977         if (!*first) {
1978                 **to = ',';
1979                 *to += 1;
1980         } else
1981                 *first = 0;
1982         memcpy(*to, from, len);
1983         *to += len;
1984 }
1985
1986 static inline void take_selinux_option(char **to, char *from, int *first, 
1987                                        int len)
1988 {
1989         int current_size = 0;
1990
1991         if (!*first) {
1992                 **to = '|';
1993                 *to += 1;
1994         }
1995         else
1996                 *first = 0;
1997
1998         while (current_size < len) {
1999                 if (*from != '"') {
2000                         **to = *from;
2001                         *to += 1;
2002                 }
2003                 from += 1;
2004                 current_size += 1;
2005         }
2006 }
2007
2008 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2009 {
2010         int fnosec, fsec, rc = 0;
2011         char *in_save, *in_curr, *in_end;
2012         char *sec_curr, *nosec_save, *nosec;
2013         int open_quote = 0;
2014
2015         in_curr = orig;
2016         sec_curr = copy;
2017
2018         /* Binary mount data: just copy */
2019         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2020                 copy_page(sec_curr, in_curr);
2021                 goto out;
2022         }
2023
2024         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2025         if (!nosec) {
2026                 rc = -ENOMEM;
2027                 goto out;
2028         }
2029
2030         nosec_save = nosec;
2031         fnosec = fsec = 1;
2032         in_save = in_end = orig;
2033
2034         do {
2035                 if (*in_end == '"')
2036                         open_quote = !open_quote;
2037                 if ((*in_end == ',' && open_quote == 0) ||
2038                                 *in_end == '\0') {
2039                         int len = in_end - in_curr;
2040
2041                         if (selinux_option(in_curr, len))
2042                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2043                         else
2044                                 take_option(&nosec, in_curr, &fnosec, len);
2045
2046                         in_curr = in_end + 1;
2047                 }
2048         } while (*in_end++);
2049
2050         strcpy(in_save, nosec_save);
2051         free_page((unsigned long)nosec_save);
2052 out:
2053         return rc;
2054 }
2055
2056 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2057 {
2058         struct avc_audit_data ad;
2059         int rc;
2060
2061         rc = superblock_doinit(sb, data);
2062         if (rc)
2063                 return rc;
2064
2065         AVC_AUDIT_DATA_INIT(&ad,FS);
2066         ad.u.fs.dentry = sb->s_root;
2067         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2068 }
2069
2070 static int selinux_sb_statfs(struct dentry *dentry)
2071 {
2072         struct avc_audit_data ad;
2073
2074         AVC_AUDIT_DATA_INIT(&ad,FS);
2075         ad.u.fs.dentry = dentry->d_sb->s_root;
2076         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2077 }
2078
2079 static int selinux_mount(char * dev_name,
2080                          struct nameidata *nd,
2081                          char * type,
2082                          unsigned long flags,
2083                          void * data)
2084 {
2085         int rc;
2086
2087         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2088         if (rc)
2089                 return rc;
2090
2091         if (flags & MS_REMOUNT)
2092                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2093                                            FILESYSTEM__REMOUNT, NULL);
2094         else
2095                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2096                                        FILE__MOUNTON);
2097 }
2098
2099 static int selinux_umount(struct vfsmount *mnt, int flags)
2100 {
2101         int rc;
2102
2103         rc = secondary_ops->sb_umount(mnt, flags);
2104         if (rc)
2105                 return rc;
2106
2107         return superblock_has_perm(current,mnt->mnt_sb,
2108                                    FILESYSTEM__UNMOUNT,NULL);
2109 }
2110
2111 /* inode security operations */
2112
2113 static int selinux_inode_alloc_security(struct inode *inode)
2114 {
2115         return inode_alloc_security(inode);
2116 }
2117
2118 static void selinux_inode_free_security(struct inode *inode)
2119 {
2120         inode_free_security(inode);
2121 }
2122
2123 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2124                                        char **name, void **value,
2125                                        size_t *len)
2126 {
2127         struct task_security_struct *tsec;
2128         struct inode_security_struct *dsec;
2129         struct superblock_security_struct *sbsec;
2130         u32 newsid, clen;
2131         int rc;
2132         char *namep = NULL, *context;
2133
2134         tsec = current->security;
2135         dsec = dir->i_security;
2136         sbsec = dir->i_sb->s_security;
2137
2138         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2139                 newsid = tsec->create_sid;
2140         } else {
2141                 rc = security_transition_sid(tsec->sid, dsec->sid,
2142                                              inode_mode_to_security_class(inode->i_mode),
2143                                              &newsid);
2144                 if (rc) {
2145                         printk(KERN_WARNING "%s:  "
2146                                "security_transition_sid failed, rc=%d (dev=%s "
2147                                "ino=%ld)\n",
2148                                __FUNCTION__,
2149                                -rc, inode->i_sb->s_id, inode->i_ino);
2150                         return rc;
2151                 }
2152         }
2153
2154         /* Possibly defer initialization to selinux_complete_init. */
2155         if (sbsec->initialized) {
2156                 struct inode_security_struct *isec = inode->i_security;
2157                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2158                 isec->sid = newsid;
2159                 isec->initialized = 1;
2160         }
2161
2162         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2163                 return -EOPNOTSUPP;
2164
2165         if (name) {
2166                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2167                 if (!namep)
2168                         return -ENOMEM;
2169                 *name = namep;
2170         }
2171
2172         if (value && len) {
2173                 rc = security_sid_to_context(newsid, &context, &clen);
2174                 if (rc) {
2175                         kfree(namep);
2176                         return rc;
2177                 }
2178                 *value = context;
2179                 *len = clen;
2180         }
2181
2182         return 0;
2183 }
2184
2185 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2186 {
2187         return may_create(dir, dentry, SECCLASS_FILE);
2188 }
2189
2190 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2191 {
2192         int rc;
2193
2194         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2195         if (rc)
2196                 return rc;
2197         return may_link(dir, old_dentry, MAY_LINK);
2198 }
2199
2200 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2201 {
2202         int rc;
2203
2204         rc = secondary_ops->inode_unlink(dir, dentry);
2205         if (rc)
2206                 return rc;
2207         return may_link(dir, dentry, MAY_UNLINK);
2208 }
2209
2210 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2211 {
2212         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2213 }
2214
2215 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2216 {
2217         return may_create(dir, dentry, SECCLASS_DIR);
2218 }
2219
2220 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2221 {
2222         return may_link(dir, dentry, MAY_RMDIR);
2223 }
2224
2225 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2226 {
2227         int rc;
2228
2229         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2230         if (rc)
2231                 return rc;
2232
2233         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2234 }
2235
2236 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2237                                 struct inode *new_inode, struct dentry *new_dentry)
2238 {
2239         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2240 }
2241
2242 static int selinux_inode_readlink(struct dentry *dentry)
2243 {
2244         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2245 }
2246
2247 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2248 {
2249         int rc;
2250
2251         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2252         if (rc)
2253                 return rc;
2254         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2255 }
2256
2257 static int selinux_inode_permission(struct inode *inode, int mask,
2258                                     struct nameidata *nd)
2259 {
2260         int rc;
2261
2262         rc = secondary_ops->inode_permission(inode, mask, nd);
2263         if (rc)
2264                 return rc;
2265
2266         if (!mask) {
2267                 /* No permission to check.  Existence test. */
2268                 return 0;
2269         }
2270
2271         return inode_has_perm(current, inode,
2272                                file_mask_to_av(inode->i_mode, mask), NULL);
2273 }
2274
2275 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2276 {
2277         int rc;
2278
2279         rc = secondary_ops->inode_setattr(dentry, iattr);
2280         if (rc)
2281                 return rc;
2282
2283         if (iattr->ia_valid & ATTR_FORCE)
2284                 return 0;
2285
2286         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2287                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2288                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2289
2290         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2291 }
2292
2293 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2294 {
2295         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2296 }
2297
2298 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2299 {
2300         struct task_security_struct *tsec = current->security;
2301         struct inode *inode = dentry->d_inode;
2302         struct inode_security_struct *isec = inode->i_security;
2303         struct superblock_security_struct *sbsec;
2304         struct avc_audit_data ad;
2305         u32 newsid;
2306         int rc = 0;
2307
2308         if (strcmp(name, XATTR_NAME_SELINUX)) {
2309                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2310                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2311                     !capable(CAP_SYS_ADMIN)) {
2312                         /* A different attribute in the security namespace.
2313                            Restrict to administrator. */
2314                         return -EPERM;
2315                 }
2316
2317                 /* Not an attribute we recognize, so just check the
2318                    ordinary setattr permission. */
2319                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2320         }
2321
2322         sbsec = inode->i_sb->s_security;
2323         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2324                 return -EOPNOTSUPP;
2325
2326         if (!is_owner_or_cap(inode))
2327                 return -EPERM;
2328
2329         AVC_AUDIT_DATA_INIT(&ad,FS);
2330         ad.u.fs.dentry = dentry;
2331
2332         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2333                           FILE__RELABELFROM, &ad);
2334         if (rc)
2335                 return rc;
2336
2337         rc = security_context_to_sid(value, size, &newsid);
2338         if (rc)
2339                 return rc;
2340
2341         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2342                           FILE__RELABELTO, &ad);
2343         if (rc)
2344                 return rc;
2345
2346         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2347                                           isec->sclass);
2348         if (rc)
2349                 return rc;
2350
2351         return avc_has_perm(newsid,
2352                             sbsec->sid,
2353                             SECCLASS_FILESYSTEM,
2354                             FILESYSTEM__ASSOCIATE,
2355                             &ad);
2356 }
2357
2358 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2359                                         void *value, size_t size, int flags)
2360 {
2361         struct inode *inode = dentry->d_inode;
2362         struct inode_security_struct *isec = inode->i_security;
2363         u32 newsid;
2364         int rc;
2365
2366         if (strcmp(name, XATTR_NAME_SELINUX)) {
2367                 /* Not an attribute we recognize, so nothing to do. */
2368                 return;
2369         }
2370
2371         rc = security_context_to_sid(value, size, &newsid);
2372         if (rc) {
2373                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2374                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2375                 return;
2376         }
2377
2378         isec->sid = newsid;
2379         return;
2380 }
2381
2382 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2383 {
2384         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2385 }
2386
2387 static int selinux_inode_listxattr (struct dentry *dentry)
2388 {
2389         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2390 }
2391
2392 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2393 {
2394         if (strcmp(name, XATTR_NAME_SELINUX)) {
2395                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2396                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2397                     !capable(CAP_SYS_ADMIN)) {
2398                         /* A different attribute in the security namespace.
2399                            Restrict to administrator. */
2400                         return -EPERM;
2401                 }
2402
2403                 /* Not an attribute we recognize, so just check the
2404                    ordinary setattr permission. Might want a separate
2405                    permission for removexattr. */
2406                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2407         }
2408
2409         /* No one is allowed to remove a SELinux security label.
2410            You can change the label, but all data must be labeled. */
2411         return -EACCES;
2412 }
2413
2414 static const char *selinux_inode_xattr_getsuffix(void)
2415 {
2416       return XATTR_SELINUX_SUFFIX;
2417 }
2418
2419 /*
2420  * Copy the in-core inode security context value to the user.  If the
2421  * getxattr() prior to this succeeded, check to see if we need to
2422  * canonicalize the value to be finally returned to the user.
2423  *
2424  * Permission check is handled by selinux_inode_getxattr hook.
2425  */
2426 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2427 {
2428         struct inode_security_struct *isec = inode->i_security;
2429
2430         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2431                 return -EOPNOTSUPP;
2432
2433         return selinux_getsecurity(isec->sid, buffer, size);
2434 }
2435
2436 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2437                                      const void *value, size_t size, int flags)
2438 {
2439         struct inode_security_struct *isec = inode->i_security;
2440         u32 newsid;
2441         int rc;
2442
2443         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2444                 return -EOPNOTSUPP;
2445
2446         if (!value || !size)
2447                 return -EACCES;
2448
2449         rc = security_context_to_sid((void*)value, size, &newsid);
2450         if (rc)
2451                 return rc;
2452
2453         isec->sid = newsid;
2454         return 0;
2455 }
2456
2457 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2458 {
2459         const int len = sizeof(XATTR_NAME_SELINUX);
2460         if (buffer && len <= buffer_size)
2461                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2462         return len;
2463 }
2464
2465 /* file security operations */
2466
2467 static int selinux_file_permission(struct file *file, int mask)
2468 {
2469         int rc;
2470         struct inode *inode = file->f_path.dentry->d_inode;
2471
2472         if (!mask) {
2473                 /* No permission to check.  Existence test. */
2474                 return 0;
2475         }
2476
2477         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2478         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2479                 mask |= MAY_APPEND;
2480
2481         rc = file_has_perm(current, file,
2482                            file_mask_to_av(inode->i_mode, mask));
2483         if (rc)
2484                 return rc;
2485
2486         return selinux_netlbl_inode_permission(inode, mask);
2487 }
2488
2489 static int selinux_file_alloc_security(struct file *file)
2490 {
2491         return file_alloc_security(file);
2492 }
2493
2494 static void selinux_file_free_security(struct file *file)
2495 {
2496         file_free_security(file);
2497 }
2498
2499 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2500                               unsigned long arg)
2501 {
2502         int error = 0;
2503
2504         switch (cmd) {
2505                 case FIONREAD:
2506                 /* fall through */
2507                 case FIBMAP:
2508                 /* fall through */
2509                 case FIGETBSZ:
2510                 /* fall through */
2511                 case EXT2_IOC_GETFLAGS:
2512                 /* fall through */
2513                 case EXT2_IOC_GETVERSION:
2514                         error = file_has_perm(current, file, FILE__GETATTR);
2515                         break;
2516
2517                 case EXT2_IOC_SETFLAGS:
2518                 /* fall through */
2519                 case EXT2_IOC_SETVERSION:
2520                         error = file_has_perm(current, file, FILE__SETATTR);
2521                         break;
2522
2523                 /* sys_ioctl() checks */
2524                 case FIONBIO:
2525                 /* fall through */
2526                 case FIOASYNC:
2527                         error = file_has_perm(current, file, 0);
2528                         break;
2529
2530                 case KDSKBENT:
2531                 case KDSKBSENT:
2532                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2533                         break;
2534
2535                 /* default case assumes that the command will go
2536                  * to the file's ioctl() function.
2537                  */
2538                 default:
2539                         error = file_has_perm(current, file, FILE__IOCTL);
2540
2541         }
2542         return error;
2543 }
2544
2545 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2546 {
2547 #ifndef CONFIG_PPC32
2548         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2549                 /*
2550                  * We are making executable an anonymous mapping or a
2551                  * private file mapping that will also be writable.
2552                  * This has an additional check.
2553                  */
2554                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2555                 if (rc)
2556                         return rc;
2557         }
2558 #endif
2559
2560         if (file) {
2561                 /* read access is always possible with a mapping */
2562                 u32 av = FILE__READ;
2563
2564                 /* write access only matters if the mapping is shared */
2565                 if (shared && (prot & PROT_WRITE))
2566                         av |= FILE__WRITE;
2567
2568                 if (prot & PROT_EXEC)
2569                         av |= FILE__EXECUTE;
2570
2571                 return file_has_perm(current, file, av);
2572         }
2573         return 0;
2574 }
2575
2576 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2577                              unsigned long prot, unsigned long flags,
2578                              unsigned long addr, unsigned long addr_only)
2579 {
2580         int rc = 0;
2581         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2582
2583         if (addr < mmap_min_addr)
2584                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2585                                   MEMPROTECT__MMAP_ZERO, NULL);
2586         if (rc || addr_only)
2587                 return rc;
2588
2589         if (selinux_checkreqprot)
2590                 prot = reqprot;
2591
2592         return file_map_prot_check(file, prot,
2593                                    (flags & MAP_TYPE) == MAP_SHARED);
2594 }
2595
2596 static int selinux_file_mprotect(struct vm_area_struct *vma,
2597                                  unsigned long reqprot,
2598                                  unsigned long prot)
2599 {
2600         int rc;
2601
2602         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2603         if (rc)
2604                 return rc;
2605
2606         if (selinux_checkreqprot)
2607                 prot = reqprot;
2608
2609 #ifndef CONFIG_PPC32
2610         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2611                 rc = 0;
2612                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2613                     vma->vm_end <= vma->vm_mm->brk) {
2614                         rc = task_has_perm(current, current,
2615                                            PROCESS__EXECHEAP);
2616                 } else if (!vma->vm_file &&
2617                            vma->vm_start <= vma->vm_mm->start_stack &&
2618                            vma->vm_end >= vma->vm_mm->start_stack) {
2619                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2620                 } else if (vma->vm_file && vma->anon_vma) {
2621                         /*
2622                          * We are making executable a file mapping that has
2623                          * had some COW done. Since pages might have been
2624                          * written, check ability to execute the possibly
2625                          * modified content.  This typically should only
2626                          * occur for text relocations.
2627                          */
2628                         rc = file_has_perm(current, vma->vm_file,
2629                                            FILE__EXECMOD);
2630                 }
2631                 if (rc)
2632                         return rc;
2633         }
2634 #endif
2635
2636         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2637 }
2638
2639 static int selinux_file_lock(struct file *file, unsigned int cmd)
2640 {
2641         return file_has_perm(current, file, FILE__LOCK);
2642 }
2643
2644 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2645                               unsigned long arg)
2646 {
2647         int err = 0;
2648
2649         switch (cmd) {
2650                 case F_SETFL:
2651                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2652                                 err = -EINVAL;
2653                                 break;
2654                         }
2655
2656                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2657                                 err = file_has_perm(current, file,FILE__WRITE);
2658                                 break;
2659                         }
2660                         /* fall through */
2661                 case F_SETOWN:
2662                 case F_SETSIG:
2663                 case F_GETFL:
2664                 case F_GETOWN:
2665                 case F_GETSIG:
2666                         /* Just check FD__USE permission */
2667                         err = file_has_perm(current, file, 0);
2668                         break;
2669                 case F_GETLK:
2670                 case F_SETLK:
2671                 case F_SETLKW:
2672 #if BITS_PER_LONG == 32
2673                 case F_GETLK64:
2674                 case F_SETLK64:
2675                 case F_SETLKW64:
2676 #endif
2677                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2678                                 err = -EINVAL;
2679                                 break;
2680                         }
2681                         err = file_has_perm(current, file, FILE__LOCK);
2682                         break;
2683         }
2684
2685         return err;
2686 }
2687
2688 static int selinux_file_set_fowner(struct file *file)
2689 {
2690         struct task_security_struct *tsec;
2691         struct file_security_struct *fsec;
2692
2693         tsec = current->security;
2694         fsec = file->f_security;
2695         fsec->fown_sid = tsec->sid;
2696
2697         return 0;
2698 }
2699
2700 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2701                                        struct fown_struct *fown, int signum)
2702 {
2703         struct file *file;
2704         u32 perm;
2705         struct task_security_struct *tsec;
2706         struct file_security_struct *fsec;
2707
2708         /* struct fown_struct is never outside the context of a struct file */
2709         file = container_of(fown, struct file, f_owner);
2710
2711         tsec = tsk->security;
2712         fsec = file->f_security;
2713
2714         if (!signum)
2715                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2716         else
2717                 perm = signal_to_av(signum);
2718
2719         return avc_has_perm(fsec->fown_sid, tsec->sid,
2720                             SECCLASS_PROCESS, perm, NULL);
2721 }
2722
2723 static int selinux_file_receive(struct file *file)
2724 {
2725         return file_has_perm(current, file, file_to_av(file));
2726 }
2727
2728 /* task security operations */
2729
2730 static int selinux_task_create(unsigned long clone_flags)
2731 {
2732         int rc;
2733
2734         rc = secondary_ops->task_create(clone_flags);
2735         if (rc)
2736                 return rc;
2737
2738         return task_has_perm(current, current, PROCESS__FORK);
2739 }
2740
2741 static int selinux_task_alloc_security(struct task_struct *tsk)
2742 {
2743         struct task_security_struct *tsec1, *tsec2;
2744         int rc;
2745
2746         tsec1 = current->security;
2747
2748         rc = task_alloc_security(tsk);
2749         if (rc)
2750                 return rc;
2751         tsec2 = tsk->security;
2752
2753         tsec2->osid = tsec1->osid;
2754         tsec2->sid = tsec1->sid;
2755
2756         /* Retain the exec, fs, key, and sock SIDs across fork */
2757         tsec2->exec_sid = tsec1->exec_sid;
2758         tsec2->create_sid = tsec1->create_sid;
2759         tsec2->keycreate_sid = tsec1->keycreate_sid;
2760         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2761
2762         /* Retain ptracer SID across fork, if any.
2763            This will be reset by the ptrace hook upon any
2764            subsequent ptrace_attach operations. */
2765         tsec2->ptrace_sid = tsec1->ptrace_sid;
2766
2767         return 0;
2768 }
2769
2770 static void selinux_task_free_security(struct task_struct *tsk)
2771 {
2772         task_free_security(tsk);
2773 }
2774
2775 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2776 {
2777         /* Since setuid only affects the current process, and
2778            since the SELinux controls are not based on the Linux
2779            identity attributes, SELinux does not need to control
2780            this operation.  However, SELinux does control the use
2781            of the CAP_SETUID and CAP_SETGID capabilities using the
2782            capable hook. */
2783         return 0;
2784 }
2785
2786 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2787 {
2788         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2789 }
2790
2791 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2792 {
2793         /* See the comment for setuid above. */
2794         return 0;
2795 }
2796
2797 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2798 {
2799         return task_has_perm(current, p, PROCESS__SETPGID);
2800 }
2801
2802 static int selinux_task_getpgid(struct task_struct *p)
2803 {
2804         return task_has_perm(current, p, PROCESS__GETPGID);
2805 }
2806
2807 static int selinux_task_getsid(struct task_struct *p)
2808 {
2809         return task_has_perm(current, p, PROCESS__GETSESSION);
2810 }
2811
2812 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2813 {
2814         selinux_get_task_sid(p, secid);
2815 }
2816
2817 static int selinux_task_setgroups(struct group_info *group_info)
2818 {
2819         /* See the comment for setuid above. */
2820         return 0;
2821 }
2822
2823 static int selinux_task_setnice(struct task_struct *p, int nice)
2824 {
2825         int rc;
2826
2827         rc = secondary_ops->task_setnice(p, nice);
2828         if (rc)
2829                 return rc;
2830
2831         return task_has_perm(current,p, PROCESS__SETSCHED);
2832 }
2833
2834 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2835 {
2836         return task_has_perm(current, p, PROCESS__SETSCHED);
2837 }
2838
2839 static int selinux_task_getioprio(struct task_struct *p)
2840 {
2841         return task_has_perm(current, p, PROCESS__GETSCHED);
2842 }
2843
2844 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2845 {
2846         struct rlimit *old_rlim = current->signal->rlim + resource;
2847         int rc;
2848
2849         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2850         if (rc)
2851                 return rc;
2852
2853         /* Control the ability to change the hard limit (whether
2854            lowering or raising it), so that the hard limit can
2855            later be used as a safe reset point for the soft limit
2856            upon context transitions. See selinux_bprm_apply_creds. */
2857         if (old_rlim->rlim_max != new_rlim->rlim_max)
2858                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2859
2860         return 0;
2861 }
2862
2863 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2864 {
2865         return task_has_perm(current, p, PROCESS__SETSCHED);
2866 }
2867
2868 static int selinux_task_getscheduler(struct task_struct *p)
2869 {
2870         return task_has_perm(current, p, PROCESS__GETSCHED);
2871 }
2872
2873 static int selinux_task_movememory(struct task_struct *p)
2874 {
2875         return task_has_perm(current, p, PROCESS__SETSCHED);
2876 }
2877
2878 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2879                                 int sig, u32 secid)
2880 {
2881         u32 perm;
2882         int rc;
2883         struct task_security_struct *tsec;
2884
2885         rc = secondary_ops->task_kill(p, info, sig, secid);
2886         if (rc)
2887                 return rc;
2888
2889         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2890                 return 0;
2891
2892         if (!sig)
2893                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2894         else
2895                 perm = signal_to_av(sig);
2896         tsec = p->security;
2897         if (secid)
2898                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2899         else
2900                 rc = task_has_perm(current, p, perm);
2901         return rc;
2902 }
2903
2904 static int selinux_task_prctl(int option,
2905                               unsigned long arg2,
2906                               unsigned long arg3,
2907                               unsigned long arg4,
2908                               unsigned long arg5)
2909 {
2910         /* The current prctl operations do not appear to require
2911            any SELinux controls since they merely observe or modify
2912            the state of the current process. */
2913         return 0;
2914 }
2915
2916 static int selinux_task_wait(struct task_struct *p)
2917 {
2918         u32 perm;
2919
2920         perm = signal_to_av(p->exit_signal);
2921
2922         return task_has_perm(p, current, perm);
2923 }
2924
2925 static void selinux_task_reparent_to_init(struct task_struct *p)
2926 {
2927         struct task_security_struct *tsec;
2928
2929         secondary_ops->task_reparent_to_init(p);
2930
2931         tsec = p->security;
2932         tsec->osid = tsec->sid;
2933         tsec->sid = SECINITSID_KERNEL;
2934         return;
2935 }
2936
2937 static void selinux_task_to_inode(struct task_struct *p,
2938                                   struct inode *inode)
2939 {
2940         struct task_security_struct *tsec = p->security;
2941         struct inode_security_struct *isec = inode->i_security;
2942
2943         isec->sid = tsec->sid;
2944         isec->initialized = 1;
2945         return;
2946 }
2947
2948 /* Returns error only if unable to parse addresses */
2949 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
2950                         struct avc_audit_data *ad, u8 *proto)
2951 {
2952         int offset, ihlen, ret = -EINVAL;
2953         struct iphdr _iph, *ih;
2954
2955         offset = skb_network_offset(skb);
2956         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2957         if (ih == NULL)
2958                 goto out;
2959
2960         ihlen = ih->ihl * 4;
2961         if (ihlen < sizeof(_iph))
2962                 goto out;
2963
2964         ad->u.net.v4info.saddr = ih->saddr;
2965         ad->u.net.v4info.daddr = ih->daddr;
2966         ret = 0;
2967
2968         if (proto)
2969                 *proto = ih->protocol;
2970
2971         switch (ih->protocol) {
2972         case IPPROTO_TCP: {
2973                 struct tcphdr _tcph, *th;
2974
2975                 if (ntohs(ih->frag_off) & IP_OFFSET)
2976                         break;
2977
2978                 offset += ihlen;
2979                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2980                 if (th == NULL)
2981                         break;
2982
2983                 ad->u.net.sport = th->source;
2984                 ad->u.net.dport = th->dest;
2985                 break;
2986         }
2987         
2988         case IPPROTO_UDP: {
2989                 struct udphdr _udph, *uh;
2990                 
2991                 if (ntohs(ih->frag_off) & IP_OFFSET)
2992                         break;
2993                         
2994                 offset += ihlen;
2995                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2996                 if (uh == NULL)
2997                         break;  
2998
2999                 ad->u.net.sport = uh->source;
3000                 ad->u.net.dport = uh->dest;
3001                 break;
3002         }
3003
3004         case IPPROTO_DCCP: {
3005                 struct dccp_hdr _dccph, *dh;
3006
3007                 if (ntohs(ih->frag_off) & IP_OFFSET)
3008                         break;
3009
3010                 offset += ihlen;
3011                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3012                 if (dh == NULL)
3013                         break;
3014
3015                 ad->u.net.sport = dh->dccph_sport;
3016                 ad->u.net.dport = dh->dccph_dport;
3017                 break;
3018         }
3019
3020         default:
3021                 break;
3022         }
3023 out:
3024         return ret;
3025 }
3026
3027 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3028
3029 /* Returns error only if unable to parse addresses */
3030 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3031                         struct avc_audit_data *ad, u8 *proto)
3032 {
3033         u8 nexthdr;
3034         int ret = -EINVAL, offset;
3035         struct ipv6hdr _ipv6h, *ip6;
3036
3037         offset = skb_network_offset(skb);
3038         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3039         if (ip6 == NULL)
3040                 goto out;
3041
3042         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3043         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3044         ret = 0;
3045
3046         nexthdr = ip6->nexthdr;
3047         offset += sizeof(_ipv6h);
3048         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3049         if (offset < 0)
3050                 goto out;
3051
3052         if (proto)
3053                 *proto = nexthdr;
3054
3055         switch (nexthdr) {
3056         case IPPROTO_TCP: {
3057                 struct tcphdr _tcph, *th;
3058
3059                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3060                 if (th == NULL)
3061                         break;
3062
3063                 ad->u.net.sport = th->source;
3064                 ad->u.net.dport = th->dest;
3065                 break;
3066         }
3067
3068         case IPPROTO_UDP: {
3069                 struct udphdr _udph, *uh;
3070
3071                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3072                 if (uh == NULL)
3073                         break;
3074
3075                 ad->u.net.sport = uh->source;
3076                 ad->u.net.dport = uh->dest;
3077                 break;
3078         }
3079
3080         case IPPROTO_DCCP: {
3081                 struct dccp_hdr _dccph, *dh;
3082
3083                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3084                 if (dh == NULL)
3085                         break;
3086
3087                 ad->u.net.sport = dh->dccph_sport;
3088                 ad->u.net.dport = dh->dccph_dport;
3089                 break;
3090         }
3091
3092         /* includes fragments */
3093         default:
3094                 break;
3095         }
3096 out:
3097         return ret;
3098 }
3099
3100 #endif /* IPV6 */
3101
3102 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3103                              char **addrp, int *len, int src, u8 *proto)
3104 {
3105         int ret = 0;
3106
3107         switch (ad->u.net.family) {
3108         case PF_INET:
3109                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3110                 if (ret || !addrp)
3111                         break;
3112                 *len = 4;
3113                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3114                                         &ad->u.net.v4info.daddr);
3115                 break;
3116
3117 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3118         case PF_INET6:
3119                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3120                 if (ret || !addrp)
3121                         break;
3122                 *len = 16;
3123                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3124                                         &ad->u.net.v6info.daddr);
3125                 break;
3126 #endif  /* IPV6 */
3127         default:
3128                 break;
3129         }
3130
3131         return ret;
3132 }
3133
3134 /**
3135  * selinux_skb_extlbl_sid - Determine the external label of a packet
3136  * @skb: the packet
3137  * @sid: the packet's SID
3138  *
3139  * Description:
3140  * Check the various different forms of external packet labeling and determine
3141  * the external SID for the packet.  If only one form of external labeling is
3142  * present then it is used, if both labeled IPsec and NetLabel labels are
3143  * present then the SELinux type information is taken from the labeled IPsec
3144  * SA and the MLS sensitivity label information is taken from the NetLabel
3145  * security attributes.  This bit of "magic" is done in the call to
3146  * selinux_netlbl_skbuff_getsid().
3147  *
3148  */
3149 static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
3150 {
3151         u32 xfrm_sid;
3152         u32 nlbl_sid;
3153
3154         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3155         if (selinux_netlbl_skbuff_getsid(skb,
3156                                          (xfrm_sid == SECSID_NULL ?
3157                                           SECINITSID_NETMSG : xfrm_sid),
3158                                          &nlbl_sid) != 0)
3159                 nlbl_sid = SECSID_NULL;
3160         *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3161 }
3162
3163 /* socket security operations */
3164 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3165                            u32 perms)
3166 {
3167         struct inode_security_struct *isec;
3168         struct task_security_struct *tsec;
3169         struct avc_audit_data ad;
3170         int err = 0;
3171
3172         tsec = task->security;
3173         isec = SOCK_INODE(sock)->i_security;
3174
3175         if (isec->sid == SECINITSID_KERNEL)
3176                 goto out;
3177
3178         AVC_AUDIT_DATA_INIT(&ad,NET);
3179         ad.u.net.sk = sock->sk;
3180         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3181
3182 out:
3183         return err;
3184 }
3185
3186 static int selinux_socket_create(int family, int type,
3187                                  int protocol, int kern)
3188 {
3189         int err = 0;
3190         struct task_security_struct *tsec;
3191         u32 newsid;
3192
3193         if (kern)
3194                 goto out;
3195
3196         tsec = current->security;
3197         newsid = tsec->sockcreate_sid ? : tsec->sid;
3198         err = avc_has_perm(tsec->sid, newsid,
3199                            socket_type_to_security_class(family, type,
3200                            protocol), SOCKET__CREATE, NULL);
3201
3202 out:
3203         return err;
3204 }
3205
3206 static int selinux_socket_post_create(struct socket *sock, int family,
3207                                       int type, int protocol, int kern)
3208 {
3209         int err = 0;
3210         struct inode_security_struct *isec;
3211         struct task_security_struct *tsec;
3212         struct sk_security_struct *sksec;
3213         u32 newsid;
3214
3215         isec = SOCK_INODE(sock)->i_security;
3216
3217         tsec = current->security;
3218         newsid = tsec->sockcreate_sid ? : tsec->sid;
3219         isec->sclass = socket_type_to_security_class(family, type, protocol);
3220         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3221         isec->initialized = 1;
3222
3223         if (sock->sk) {
3224                 sksec = sock->sk->sk_security;
3225                 sksec->sid = isec->sid;
3226                 err = selinux_netlbl_socket_post_create(sock);
3227         }
3228
3229         return err;
3230 }
3231
3232 /* Range of port numbers used to automatically bind.
3233    Need to determine whether we should perform a name_bind
3234    permission check between the socket and the port number. */
3235 #define ip_local_port_range_0 sysctl_local_port_range[0]
3236 #define ip_local_port_range_1 sysctl_local_port_range[1]
3237
3238 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3239 {
3240         u16 family;
3241         int err;
3242
3243         err = socket_has_perm(current, sock, SOCKET__BIND);
3244         if (err)
3245                 goto out;
3246
3247         /*
3248          * If PF_INET or PF_INET6, check name_bind permission for the port.
3249          * Multiple address binding for SCTP is not supported yet: we just
3250          * check the first address now.
3251          */
3252         family = sock->sk->sk_family;
3253         if (family == PF_INET || family == PF_INET6) {
3254                 char *addrp;
3255                 struct inode_security_struct *isec;
3256                 struct task_security_struct *tsec;
3257                 struct avc_audit_data ad;
3258                 struct sockaddr_in *addr4 = NULL;
3259                 struct sockaddr_in6 *addr6 = NULL;
3260                 unsigned short snum;
3261                 struct sock *sk = sock->sk;
3262                 u32 sid, node_perm, addrlen;
3263
3264                 tsec = current->security;
3265                 isec = SOCK_INODE(sock)->i_security;
3266
3267                 if (family == PF_INET) {
3268                         addr4 = (struct sockaddr_in *)address;
3269                         snum = ntohs(addr4->sin_port);
3270                         addrlen = sizeof(addr4->sin_addr.s_addr);
3271                         addrp = (char *)&addr4->sin_addr.s_addr;
3272                 } else {
3273                         addr6 = (struct sockaddr_in6 *)address;
3274                         snum = ntohs(addr6->sin6_port);
3275                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3276                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3277                 }
3278
3279                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3280                            snum > ip_local_port_range_1)) {
3281                         err = security_port_sid(sk->sk_family, sk->sk_type,
3282                                                 sk->sk_protocol, snum, &sid);
3283                         if (err)
3284                                 goto out;
3285                         AVC_AUDIT_DATA_INIT(&ad,NET);
3286                         ad.u.net.sport = htons(snum);
3287                         ad.u.net.family = family;
3288                         err = avc_has_perm(isec->sid, sid,
3289                                            isec->sclass,
3290                                            SOCKET__NAME_BIND, &ad);
3291                         if (err)
3292                                 goto out;
3293                 }
3294                 
3295                 switch(isec->sclass) {
3296                 case SECCLASS_TCP_SOCKET:
3297                         node_perm = TCP_SOCKET__NODE_BIND;
3298                         break;
3299                         
3300                 case SECCLASS_UDP_SOCKET:
3301                         node_perm = UDP_SOCKET__NODE_BIND;
3302                         break;
3303
3304                 case SECCLASS_DCCP_SOCKET:
3305                         node_perm = DCCP_SOCKET__NODE_BIND;
3306                         break;
3307
3308                 default:
3309                         node_perm = RAWIP_SOCKET__NODE_BIND;
3310                         break;
3311                 }
3312                 
3313                 err = security_node_sid(family, addrp, addrlen, &sid);
3314                 if (err)
3315                         goto out;
3316                 
3317                 AVC_AUDIT_DATA_INIT(&ad,NET);
3318                 ad.u.net.sport = htons(snum);
3319                 ad.u.net.family = family;
3320
3321                 if (family == PF_INET)
3322                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3323                 else
3324                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3325
3326                 err = avc_has_perm(isec->sid, sid,
3327                                    isec->sclass, node_perm, &ad);
3328                 if (err)
3329                         goto out;
3330         }
3331 out:
3332         return err;
3333 }
3334
3335 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3336 {
3337         struct inode_security_struct *isec;
3338         int err;
3339
3340         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3341         if (err)
3342                 return err;
3343
3344         /*
3345          * If a TCP or DCCP socket, check name_connect permission for the port.
3346          */
3347         isec = SOCK_INODE(sock)->i_security;
3348         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3349             isec->sclass == SECCLASS_DCCP_SOCKET) {
3350                 struct sock *sk = sock->sk;
3351                 struct avc_audit_data ad;
3352                 struct sockaddr_in *addr4 = NULL;
3353                 struct sockaddr_in6 *addr6 = NULL;
3354                 unsigned short snum;
3355                 u32 sid, perm;
3356
3357                 if (sk->sk_family == PF_INET) {
3358                         addr4 = (struct sockaddr_in *)address;
3359                         if (addrlen < sizeof(struct sockaddr_in))
3360                                 return -EINVAL;
3361                         snum = ntohs(addr4->sin_port);
3362                 } else {
3363                         addr6 = (struct sockaddr_in6 *)address;
3364                         if (addrlen < SIN6_LEN_RFC2133)
3365                                 return -EINVAL;
3366                         snum = ntohs(addr6->sin6_port);
3367                 }
3368
3369                 err = security_port_sid(sk->sk_family, sk->sk_type,
3370                                         sk->sk_protocol, snum, &sid);
3371                 if (err)
3372                         goto out;
3373
3374                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3375                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3376
3377                 AVC_AUDIT_DATA_INIT(&ad,NET);
3378                 ad.u.net.dport = htons(snum);
3379                 ad.u.net.family = sk->sk_family;
3380                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3381                 if (err)
3382                         goto out;
3383         }
3384
3385 out:
3386         return err;
3387 }
3388
3389 static int selinux_socket_listen(struct socket *sock, int backlog)
3390 {
3391         return socket_has_perm(current, sock, SOCKET__LISTEN);
3392 }
3393
3394 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3395 {
3396         int err;
3397         struct inode_security_struct *isec;
3398         struct inode_security_struct *newisec;
3399
3400         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3401         if (err)
3402                 return err;
3403
3404         newisec = SOCK_INODE(newsock)->i_security;
3405
3406         isec = SOCK_INODE(sock)->i_security;
3407         newisec->sclass = isec->sclass;
3408         newisec->sid = isec->sid;
3409         newisec->initialized = 1;
3410
3411         return 0;
3412 }
3413
3414 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3415                                   int size)
3416 {
3417         int rc;
3418
3419         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3420         if (rc)
3421                 return rc;
3422
3423         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3424 }
3425
3426 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3427                                   int size, int flags)
3428 {
3429         return socket_has_perm(current, sock, SOCKET__READ);
3430 }
3431
3432 static int selinux_socket_getsockname(struct socket *sock)
3433 {
3434         return socket_has_perm(current, sock, SOCKET__GETATTR);
3435 }
3436
3437 static int selinux_socket_getpeername(struct socket *sock)
3438 {
3439         return socket_has_perm(current, sock, SOCKET__GETATTR);
3440 }
3441
3442 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3443 {
3444         int err;
3445
3446         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3447         if (err)
3448                 return err;
3449
3450         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3451 }
3452
3453 static int selinux_socket_getsockopt(struct socket *sock, int level,
3454                                      int optname)
3455 {
3456         return socket_has_perm(current, sock, SOCKET__GETOPT);
3457 }
3458
3459 static int selinux_socket_shutdown(struct socket *sock, int how)
3460 {
3461         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3462 }
3463
3464 static int selinux_socket_unix_stream_connect(struct socket *sock,
3465                                               struct socket *other,
3466                                               struct sock *newsk)
3467 {
3468         struct sk_security_struct *ssec;
3469         struct inode_security_struct *isec;
3470         struct inode_security_struct *other_isec;
3471         struct avc_audit_data ad;
3472         int err;
3473
3474         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3475         if (err)
3476                 return err;
3477
3478         isec = SOCK_INODE(sock)->i_security;
3479         other_isec = SOCK_INODE(other)->i_security;
3480
3481         AVC_AUDIT_DATA_INIT(&ad,NET);
3482         ad.u.net.sk = other->sk;
3483
3484         err = avc_has_perm(isec->sid, other_isec->sid,
3485                            isec->sclass,
3486                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3487         if (err)
3488                 return err;
3489
3490         /* connecting socket */
3491         ssec = sock->sk->sk_security;
3492         ssec->peer_sid = other_isec->sid;
3493         
3494         /* server child socket */
3495         ssec = newsk->sk_security;
3496         ssec->peer_sid = isec->sid;
3497         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3498
3499         return err;
3500 }
3501
3502 static int selinux_socket_unix_may_send(struct socket *sock,
3503                                         struct socket *other)
3504 {
3505         struct inode_security_struct *isec;
3506         struct inode_security_struct *other_isec;
3507         struct avc_audit_data ad;
3508         int err;
3509
3510         isec = SOCK_INODE(sock)->i_security;
3511         other_isec = SOCK_INODE(other)->i_security;
3512
3513         AVC_AUDIT_DATA_INIT(&ad,NET);
3514         ad.u.net.sk = other->sk;
3515
3516         err = avc_has_perm(isec->sid, other_isec->sid,
3517                            isec->sclass, SOCKET__SENDTO, &ad);
3518         if (err)
3519                 return err;
3520
3521         return 0;
3522 }
3523
3524 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3525                 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3526 {
3527         int err = 0;
3528         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3529         struct socket *sock;
3530         u16 sock_class = 0;
3531         u32 sock_sid = 0;
3532
3533         read_lock_bh(&sk->sk_callback_lock);
3534         sock = sk->sk_socket;
3535         if (sock) {
3536                 struct inode *inode;
3537                 inode = SOCK_INODE(sock);
3538                 if (inode) {
3539                         struct inode_security_struct *isec;
3540                         isec = inode->i_security;
3541                         sock_sid = isec->sid;
3542                         sock_class = isec->sclass;
3543                 }
3544         }
3545         read_unlock_bh(&sk->sk_callback_lock);
3546         if (!sock_sid)
3547                 goto out;
3548
3549         if (!skb->dev)
3550                 goto out;
3551
3552         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3553         if (err)
3554                 goto out;
3555
3556         switch (sock_class) {
3557         case SECCLASS_UDP_SOCKET:
3558                 netif_perm = NETIF__UDP_RECV;
3559                 node_perm = NODE__UDP_RECV;
3560                 recv_perm = UDP_SOCKET__RECV_MSG;
3561                 break;
3562         
3563         case SECCLASS_TCP_SOCKET:
3564                 netif_perm = NETIF__TCP_RECV;
3565                 node_perm = NODE__TCP_RECV;
3566                 recv_perm = TCP_SOCKET__RECV_MSG;
3567                 break;
3568
3569         case SECCLASS_DCCP_SOCKET:
3570                 netif_perm = NETIF__DCCP_RECV;
3571                 node_perm = NODE__DCCP_RECV;
3572                 recv_perm = DCCP_SOCKET__RECV_MSG;
3573                 break;
3574
3575         default:
3576                 netif_perm = NETIF__RAWIP_RECV;
3577                 node_perm = NODE__RAWIP_RECV;
3578                 break;
3579         }
3580
3581         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3582         if (err)
3583                 goto out;
3584         
3585         err = security_node_sid(family, addrp, len, &node_sid);
3586         if (err)
3587                 goto out;
3588         
3589         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3590         if (err)
3591                 goto out;
3592
3593         if (recv_perm) {
3594                 u32 port_sid;
3595
3596                 err = security_port_sid(sk->sk_family, sk->sk_type,
3597                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3598                                         &port_sid);
3599                 if (err)
3600                         goto out;
3601
3602                 err = avc_has_perm(sock_sid, port_sid,
3603                                    sock_class, recv_perm, ad);
3604         }
3605
3606 out:
3607         return err;
3608 }
3609
3610 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3611 {
3612         u16 family;
3613         char *addrp;
3614         int len, err = 0;
3615         struct avc_audit_data ad;
3616         struct sk_security_struct *sksec = sk->sk_security;
3617
3618         family = sk->sk_family;
3619         if (family != PF_INET && family != PF_INET6)
3620                 goto out;
3621
3622         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3623         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3624                 family = PF_INET;
3625
3626         AVC_AUDIT_DATA_INIT(&ad, NET);
3627         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3628         ad.u.net.family = family;
3629
3630         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
3631         if (err)
3632                 goto out;
3633
3634         if (selinux_compat_net)
3635                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3636                                                   addrp, len);
3637         else
3638                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3639                                    PACKET__RECV, &ad);
3640         if (err)
3641                 goto out;
3642
3643         err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
3644         if (err)
3645                 goto out;
3646
3647         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3648 out:    
3649         return err;
3650 }
3651
3652 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3653                                             int __user *optlen, unsigned len)
3654 {
3655         int err = 0;
3656         char *scontext;
3657         u32 scontext_len;
3658         struct sk_security_struct *ssec;
3659         struct inode_security_struct *isec;
3660         u32 peer_sid = SECSID_NULL;
3661
3662         isec = SOCK_INODE(sock)->i_security;
3663
3664         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
3665             isec->sclass == SECCLASS_TCP_SOCKET) {
3666                 ssec = sock->sk->sk_security;
3667                 peer_sid = ssec->peer_sid;
3668         }
3669         if (peer_sid == SECSID_NULL) {
3670                 err = -ENOPROTOOPT;
3671                 goto out;
3672         }
3673
3674         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3675
3676         if (err)
3677                 goto out;
3678
3679         if (scontext_len > len) {
3680                 err = -ERANGE;
3681                 goto out_len;
3682         }
3683
3684         if (copy_to_user(optval, scontext, scontext_len))
3685                 err = -EFAULT;
3686
3687 out_len:
3688         if (put_user(scontext_len, optlen))
3689                 err = -EFAULT;
3690
3691         kfree(scontext);
3692 out:    
3693         return err;
3694 }
3695
3696 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3697 {
3698         u32 peer_secid = SECSID_NULL;
3699         int err = 0;
3700
3701         if (sock && sock->sk->sk_family == PF_UNIX)
3702                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3703         else if (skb)
3704                 selinux_skb_extlbl_sid(skb, &peer_secid);
3705
3706         if (peer_secid == SECSID_NULL)
3707                 err = -EINVAL;
3708         *secid = peer_secid;
3709
3710         return err;
3711 }
3712
3713 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3714 {
3715         return sk_alloc_security(sk, family, priority);
3716 }
3717
3718 static void selinux_sk_free_security(struct sock *sk)
3719 {
3720         sk_free_security(sk);
3721 }
3722
3723 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3724 {
3725         struct sk_security_struct *ssec = sk->sk_security;
3726         struct sk_security_struct *newssec = newsk->sk_security;
3727
3728         newssec->sid = ssec->sid;
3729         newssec->peer_sid = ssec->peer_sid;
3730
3731         selinux_netlbl_sk_security_clone(ssec, newssec);
3732 }
3733
3734 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3735 {
3736         if (!sk)
3737                 *secid = SECINITSID_ANY_SOCKET;
3738         else {
3739                 struct sk_security_struct *sksec = sk->sk_security;
3740
3741                 *secid = sksec->sid;
3742         }
3743 }
3744
3745 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
3746 {
3747         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
3748         struct sk_security_struct *sksec = sk->sk_security;
3749
3750         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
3751             sk->sk_family == PF_UNIX)
3752                 isec->sid = sksec->sid;
3753
3754         selinux_netlbl_sock_graft(sk, parent);
3755 }
3756
3757 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3758                                      struct request_sock *req)
3759 {
3760         struct sk_security_struct *sksec = sk->sk_security;
3761         int err;
3762         u32 newsid;
3763         u32 peersid;
3764
3765         selinux_skb_extlbl_sid(skb, &peersid);
3766         if (peersid == SECSID_NULL) {
3767                 req->secid = sksec->sid;
3768                 req->peer_secid = SECSID_NULL;
3769                 return 0;
3770         }
3771
3772         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3773         if (err)
3774                 return err;
3775
3776         req->secid = newsid;
3777         req->peer_secid = peersid;
3778         return 0;
3779 }
3780
3781 static void selinux_inet_csk_clone(struct sock *newsk,
3782                                    const struct request_sock *req)
3783 {
3784         struct sk_security_struct *newsksec = newsk->sk_security;
3785
3786         newsksec->sid = req->secid;
3787         newsksec->peer_sid = req->peer_secid;
3788         /* NOTE: Ideally, we should also get the isec->sid for the
3789            new socket in sync, but we don't have the isec available yet.
3790            So we will wait until sock_graft to do it, by which
3791            time it will have been created and available. */
3792
3793         /* We don't need to take any sort of lock here as we are the only
3794          * thread with access to newsksec */
3795         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
3796 }
3797
3798 static void selinux_inet_conn_established(struct sock *sk,
3799                                 struct sk_buff *skb)
3800 {
3801         struct sk_security_struct *sksec = sk->sk_security;
3802
3803         selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
3804 }
3805
3806 static void selinux_req_classify_flow(const struct request_sock *req,
3807                                       struct flowi *fl)
3808 {
3809         fl->secid = req->secid;
3810 }
3811
3812 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3813 {
3814         int err = 0;
3815         u32 perm;
3816         struct nlmsghdr *nlh;
3817         struct socket *sock = sk->sk_socket;
3818         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3819         
3820         if (skb->len < NLMSG_SPACE(0)) {
3821                 err = -EINVAL;
3822                 goto out;
3823         }
3824         nlh = nlmsg_hdr(skb);
3825         
3826         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3827         if (err) {
3828                 if (err == -EINVAL) {
3829                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3830                                   "SELinux:  unrecognized netlink message"
3831                                   " type=%hu for sclass=%hu\n",
3832                                   nlh->nlmsg_type, isec->sclass);
3833                         if (!selinux_enforcing)
3834                                 err = 0;
3835                 }
3836
3837                 /* Ignore */
3838                 if (err == -ENOENT)
3839                         err = 0;
3840                 goto out;
3841         }
3842
3843         err = socket_has_perm(current, sock, perm);
3844 out:
3845         return err;
3846 }
3847
3848 #ifdef CONFIG_NETFILTER
3849
3850 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3851                                             struct avc_audit_data *ad,
3852                                             u16 family, char *addrp, int len)
3853 {
3854         int err = 0;
3855         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3856         struct socket *sock;
3857         struct inode *inode;
3858         struct inode_security_struct *isec;
3859
3860         sock = sk->sk_socket;
3861         if (!sock)
3862                 goto out;
3863
3864         inode = SOCK_INODE(sock);
3865         if (!inode)
3866                 goto out;
3867
3868         isec = inode->i_security;
3869         
3870         err = sel_netif_sids(dev, &if_sid, NULL);
3871         if (err)
3872                 goto out;
3873
3874         switch (isec->sclass) {
3875         case SECCLASS_UDP_SOCKET:
3876                 netif_perm = NETIF__UDP_SEND;
3877                 node_perm = NODE__UDP_SEND;
3878                 send_perm = UDP_SOCKET__SEND_MSG;
3879                 break;
3880         
3881         case SECCLASS_TCP_SOCKET:
3882                 netif_perm = NETIF__TCP_SEND;
3883                 node_perm = NODE__TCP_SEND;
3884                 send_perm = TCP_SOCKET__SEND_MSG;
3885                 break;
3886
3887         case SECCLASS_DCCP_SOCKET:
3888                 netif_perm = NETIF__DCCP_SEND;
3889                 node_perm = NODE__DCCP_SEND;
3890                 send_perm = DCCP_SOCKET__SEND_MSG;
3891                 break;
3892
3893         default:
3894                 netif_perm = NETIF__RAWIP_SEND;
3895                 node_perm = NODE__RAWIP_SEND;
3896                 break;
3897         }
3898
3899         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3900         if (err)
3901                 goto out;
3902                 
3903         err = security_node_sid(family, addrp, len, &node_sid);
3904         if (err)
3905                 goto out;
3906         
3907         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3908         if (err)
3909                 goto out;
3910
3911         if (send_perm) {
3912                 u32 port_sid;
3913                 
3914                 err = security_port_sid(sk->sk_family,
3915                                         sk->sk_type,
3916                                         sk->sk_protocol,
3917                                         ntohs(ad->u.net.dport),
3918                                         &port_sid);
3919                 if (err)
3920                         goto out;
3921
3922                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3923                                    send_perm, ad);
3924         }
3925 out:
3926         return err;
3927 }
3928
3929 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3930                                               struct sk_buff **pskb,
3931                                               const struct net_device *in,
3932                                               const struct net_device *out,
3933                                               int (*okfn)(struct sk_buff *),
3934                                               u16 family)
3935 {
3936         char *addrp;
3937         int len, err = 0;
3938         struct sock *sk;
3939         struct sk_buff *skb = *pskb;
3940         struct avc_audit_data ad;
3941         struct net_device *dev = (struct net_device *)out;
3942         struct sk_security_struct *sksec;
3943         u8 proto;
3944
3945         sk = skb->sk;
3946         if (!sk)
3947                 goto out;
3948
3949         sksec = sk->sk_security;
3950
3951         AVC_AUDIT_DATA_INIT(&ad, NET);
3952         ad.u.net.netif = dev->name;
3953         ad.u.net.family = family;
3954
3955         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
3956         if (err)
3957                 goto out;
3958
3959         if (selinux_compat_net)
3960                 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
3961                                                        family, addrp, len);
3962         else
3963                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3964                                    PACKET__SEND, &ad);
3965
3966         if (err)
3967                 goto out;
3968
3969         err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
3970 out:
3971         return err ? NF_DROP : NF_ACCEPT;
3972 }
3973
3974 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3975                                                 struct sk_buff **pskb,
3976                                                 const struct net_device *in,
3977                                                 const struct net_device *out,
3978                                                 int (*okfn)(struct sk_buff *))
3979 {
3980         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3981 }
3982
3983 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3984
3985 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3986                                                 struct sk_buff **pskb,
3987                                                 const struct net_device *in,
3988                                                 const struct net_device *out,
3989                                                 int (*okfn)(struct sk_buff *))
3990 {
3991         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3992 }
3993
3994 #endif  /* IPV6 */
3995
3996 #endif  /* CONFIG_NETFILTER */
3997
3998 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3999 {
4000         int err;
4001
4002         err = secondary_ops->netlink_send(sk, skb);
4003         if (err)
4004                 return err;
4005
4006         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4007                 err = selinux_nlmsg_perm(sk, skb);
4008
4009         return err;
4010 }
4011
4012 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4013 {
4014         int err;
4015         struct avc_audit_data ad;
4016
4017         err = secondary_ops->netlink_recv(skb, capability);
4018         if (err)
4019                 return err;
4020
4021         AVC_AUDIT_DATA_INIT(&ad, CAP);
4022         ad.u.cap = capability;
4023
4024         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4025                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4026 }
4027
4028 static int ipc_alloc_security(struct task_struct *task,
4029                               struct kern_ipc_perm *perm,
4030                               u16 sclass)
4031 {
4032         struct task_security_struct *tsec = task->security;
4033         struct ipc_security_struct *isec;
4034
4035         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4036         if (!isec)
4037                 return -ENOMEM;
4038
4039         isec->sclass = sclass;
4040         isec->ipc_perm = perm;
4041         isec->sid = tsec->sid;
4042         perm->security = isec;
4043
4044         return 0;
4045 }
4046
4047 static void ipc_free_security(struct kern_ipc_perm *perm)
4048 {
4049         struct ipc_security_struct *isec = perm->security;
4050         perm->security = NULL;
4051         kfree(isec);
4052 }
4053
4054 static int msg_msg_alloc_security(struct msg_msg *msg)
4055 {
4056         struct msg_security_struct *msec;
4057
4058         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4059         if (!msec)
4060                 return -ENOMEM;
4061
4062         msec->msg = msg;
4063         msec->sid = SECINITSID_UNLABELED;
4064         msg->security = msec;
4065
4066         return 0;
4067 }
4068
4069 static void msg_msg_free_security(struct msg_msg *msg)
4070 {
4071         struct msg_security_struct *msec = msg->security;
4072
4073         msg->security = NULL;
4074         kfree(msec);
4075 }
4076
4077 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4078                         u32 perms)
4079 {
4080         struct task_security_struct *tsec;
4081         struct ipc_security_struct *isec;
4082         struct avc_audit_data ad;
4083
4084         tsec = current->security;
4085         isec = ipc_perms->security;
4086
4087         AVC_AUDIT_DATA_INIT(&ad, IPC);
4088         ad.u.ipc_id = ipc_perms->key;
4089
4090         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4091 }
4092
4093 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4094 {
4095         return msg_msg_alloc_security(msg);
4096 }
4097
4098 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4099 {
4100         msg_msg_free_security(msg);
4101 }
4102
4103 /* message queue security operations */
4104 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4105 {
4106         struct task_security_struct *tsec;
4107         struct ipc_security_struct *isec;
4108         struct avc_audit_data ad;
4109         int rc;
4110
4111         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4112         if (rc)
4113                 return rc;
4114
4115         tsec = current->security;
4116         isec = msq->q_perm.security;
4117
4118         AVC_AUDIT_DATA_INIT(&ad, IPC);
4119         ad.u.ipc_id = msq->q_perm.key;
4120
4121         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4122                           MSGQ__CREATE, &ad);
4123         if (rc) {
4124                 ipc_free_security(&msq->q_perm);
4125                 return rc;
4126         }
4127         return 0;
4128 }
4129
4130 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4131 {
4132         ipc_free_security(&msq->q_perm);
4133 }
4134
4135 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4136 {
4137         struct task_security_struct *tsec;
4138         struct ipc_security_struct *isec;
4139         struct avc_audit_data ad;
4140
4141         tsec = current->security;
4142         isec = msq->q_perm.security;
4143
4144         AVC_AUDIT_DATA_INIT(&ad, IPC);
4145         ad.u.ipc_id = msq->q_perm.key;
4146
4147         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4148                             MSGQ__ASSOCIATE, &ad);
4149 }
4150
4151 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4152 {
4153         int err;
4154         int perms;
4155
4156         switch(cmd) {
4157         case IPC_INFO:
4158         case MSG_INFO:
4159                 /* No specific object, just general system-wide information. */
4160                 return task_has_system(current, SYSTEM__IPC_INFO);
4161         case IPC_STAT:
4162         case MSG_STAT:
4163                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4164                 break;
4165         case IPC_SET:
4166                 perms = MSGQ__SETATTR;
4167                 break;
4168         case IPC_RMID:
4169                 perms = MSGQ__DESTROY;
4170                 break;
4171         default:
4172                 return 0;
4173         }
4174
4175         err = ipc_has_perm(&msq->q_perm, perms);
4176         return err;
4177 }
4178
4179 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4180 {
4181         struct task_security_struct *tsec;
4182         struct ipc_security_struct *isec;
4183         struct msg_security_struct *msec;
4184         struct avc_audit_data ad;
4185         int rc;
4186
4187         tsec = current->security;
4188         isec = msq->q_perm.security;
4189         msec = msg->security;
4190
4191         /*
4192          * First time through, need to assign label to the message
4193          */
4194         if (msec->sid == SECINITSID_UNLABELED) {
4195                 /*
4196                  * Compute new sid based on current process and
4197                  * message queue this message will be stored in
4198                  */
4199                 rc = security_transition_sid(tsec->sid,
4200                                              isec->sid,
4201                                              SECCLASS_MSG,
4202                                              &msec->sid);
4203                 if (rc)
4204                         return rc;
4205         }
4206
4207         AVC_AUDIT_DATA_INIT(&ad, IPC);
4208         ad.u.ipc_id = msq->q_perm.key;
4209
4210         /* Can this process write to the queue? */
4211         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4212                           MSGQ__WRITE, &ad);
4213         if (!rc)
4214                 /* Can this process send the message */
4215                 rc = avc_has_perm(tsec->sid, msec->sid,
4216                                   SECCLASS_MSG, MSG__SEND, &ad);
4217         if (!rc)
4218                 /* Can the message be put in the queue? */
4219                 rc = avc_has_perm(msec->sid, isec->sid,
4220                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4221
4222         return rc;
4223 }
4224
4225 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4226                                     struct task_struct *target,
4227                                     long type, int mode)
4228 {
4229         struct task_security_struct *tsec;
4230         struct ipc_security_struct *isec;
4231         struct msg_security_struct *msec;
4232         struct avc_audit_data ad;
4233         int rc;
4234
4235         tsec = target->security;
4236         isec = msq->q_perm.security;
4237         msec = msg->security;
4238
4239         AVC_AUDIT_DATA_INIT(&ad, IPC);
4240         ad.u.ipc_id = msq->q_perm.key;
4241
4242         rc = avc_has_perm(tsec->sid, isec->sid,
4243                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4244         if (!rc)
4245                 rc = avc_has_perm(tsec->sid, msec->sid,
4246                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4247         return rc;
4248 }
4249
4250 /* Shared Memory security operations */
4251 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4252 {
4253         struct task_security_struct *tsec;
4254         struct ipc_security_struct *isec;
4255         struct avc_audit_data ad;
4256         int rc;
4257
4258         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4259         if (rc)
4260                 return rc;
4261
4262         tsec = current->security;
4263         isec = shp->shm_perm.security;
4264
4265         AVC_AUDIT_DATA_INIT(&ad, IPC);
4266         ad.u.ipc_id = shp->shm_perm.key;
4267
4268         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4269                           SHM__CREATE, &ad);
4270         if (rc) {
4271                 ipc_free_security(&shp->shm_perm);
4272                 return rc;
4273         }
4274         return 0;
4275 }
4276
4277 static void selinux_shm_free_security(struct shmid_kernel *shp)
4278 {
4279         ipc_free_security(&shp->shm_perm);
4280 }
4281
4282 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4283 {
4284         struct task_security_struct *tsec;
4285         struct ipc_security_struct *isec;
4286         struct avc_audit_data ad;
4287
4288         tsec = current->security;
4289         isec = shp->shm_perm.security;
4290
4291         AVC_AUDIT_DATA_INIT(&ad, IPC);
4292         ad.u.ipc_id = shp->shm_perm.key;
4293
4294         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4295                             SHM__ASSOCIATE, &ad);
4296 }
4297
4298 /* Note, at this point, shp is locked down */
4299 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4300 {
4301         int perms;
4302         int err;
4303
4304         switch(cmd) {
4305         case IPC_INFO:
4306         case SHM_INFO:
4307                 /* No specific object, just general system-wide information. */
4308                 return task_has_system(current, SYSTEM__IPC_INFO);
4309         case IPC_STAT:
4310         case SHM_STAT:
4311                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4312                 break;
4313         case IPC_SET:
4314                 perms = SHM__SETATTR;
4315                 break;
4316         case SHM_LOCK:
4317         case SHM_UNLOCK:
4318                 perms = SHM__LOCK;
4319                 break;
4320         case IPC_RMID:
4321                 perms = SHM__DESTROY;
4322                 break;
4323         default:
4324                 return 0;
4325         }
4326
4327         err = ipc_has_perm(&shp->shm_perm, perms);
4328         return err;
4329 }
4330
4331 static int selinux_shm_shmat(struct shmid_kernel *shp,
4332                              char __user *shmaddr, int shmflg)
4333 {
4334         u32 perms;
4335         int rc;
4336
4337         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4338         if (rc)
4339                 return rc;
4340
4341         if (shmflg & SHM_RDONLY)
4342                 perms = SHM__READ;
4343         else
4344                 perms = SHM__READ | SHM__WRITE;
4345
4346         return ipc_has_perm(&shp->shm_perm, perms);
4347 }
4348
4349 /* Semaphore security operations */
4350 static int selinux_sem_alloc_security(struct sem_array *sma)
4351 {
4352         struct task_security_struct *tsec;
4353         struct ipc_security_struct *isec;
4354         struct avc_audit_data ad;
4355         int rc;
4356
4357         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4358         if (rc)
4359                 return rc;
4360
4361         tsec = current->security;
4362         isec = sma->sem_perm.security;
4363
4364         AVC_AUDIT_DATA_INIT(&ad, IPC);
4365         ad.u.ipc_id = sma->sem_perm.key;
4366
4367         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4368                           SEM__CREATE, &ad);
4369         if (rc) {
4370                 ipc_free_security(&sma->sem_perm);
4371                 return rc;
4372         }
4373         return 0;
4374 }
4375
4376 static void selinux_sem_free_security(struct sem_array *sma)
4377 {
4378         ipc_free_security(&sma->sem_perm);
4379 }
4380
4381 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4382 {
4383         struct task_security_struct *tsec;
4384         struct ipc_security_struct *isec;
4385         struct avc_audit_data ad;
4386
4387         tsec = current->security;
4388         isec = sma->sem_perm.security;
4389
4390         AVC_AUDIT_DATA_INIT(&ad, IPC);
4391         ad.u.ipc_id = sma->sem_perm.key;
4392
4393         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4394                             SEM__ASSOCIATE, &ad);
4395 }
4396
4397 /* Note, at this point, sma is locked down */
4398 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4399 {
4400         int err;
4401         u32 perms;
4402
4403         switch(cmd) {
4404         case IPC_INFO:
4405         case SEM_INFO:
4406                 /* No specific object, just general system-wide information. */
4407                 return task_has_system(current, SYSTEM__IPC_INFO);
4408         case GETPID:
4409         case GETNCNT:
4410         case GETZCNT:
4411                 perms = SEM__GETATTR;
4412                 break;
4413         case GETVAL:
4414         case GETALL:
4415                 perms = SEM__READ;
4416                 break;
4417         case SETVAL:
4418         case SETALL:
4419                 perms = SEM__WRITE;
4420                 break;
4421         case IPC_RMID:
4422                 perms = SEM__DESTROY;
4423                 break;
4424         case IPC_SET:
4425                 perms = SEM__SETATTR;
4426                 break;
4427         case IPC_STAT:
4428         case SEM_STAT:
4429                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4430                 break;
4431         default:
4432                 return 0;
4433         }
4434
4435         err = ipc_has_perm(&sma->sem_perm, perms);
4436         return err;
4437 }
4438
4439 static int selinux_sem_semop(struct sem_array *sma,
4440                              struct sembuf *sops, unsigned nsops, int alter)
4441 {
4442         u32 perms;
4443
4444         if (alter)
4445                 perms = SEM__READ | SEM__WRITE;
4446         else
4447                 perms = SEM__READ;
4448
4449         return ipc_has_perm(&sma->sem_perm, perms);
4450 }
4451
4452 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4453 {
4454         u32 av = 0;
4455
4456         av = 0;
4457         if (flag & S_IRUGO)
4458                 av |= IPC__UNIX_READ;
4459         if (flag & S_IWUGO)
4460                 av |= IPC__UNIX_WRITE;
4461
4462         if (av == 0)
4463                 return 0;
4464
4465         return ipc_has_perm(ipcp, av);
4466 }
4467
4468 /* module stacking operations */
4469 static int selinux_register_security (const char *name, struct security_operations *ops)
4470 {
4471         if (secondary_ops != original_ops) {
4472                 printk(KERN_ERR "%s:  There is already a secondary security "
4473                        "module registered.\n", __FUNCTION__);
4474                 return -EINVAL;
4475         }
4476
4477         secondary_ops = ops;
4478
4479         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4480                __FUNCTION__,
4481                name);
4482
4483         return 0;
4484 }
4485
4486 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4487 {
4488         if (ops != secondary_ops) {
4489                 printk(KERN_ERR "%s:  trying to unregister a security module "
4490                         "that is not registered.\n", __FUNCTION__);
4491                 return -EINVAL;
4492         }
4493
4494         secondary_ops = original_ops;
4495
4496         return 0;
4497 }
4498
4499 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4500 {
4501         if (inode)
4502                 inode_doinit_with_dentry(inode, dentry);
4503 }
4504
4505 static int selinux_getprocattr(struct task_struct *p,
4506                                char *name, char **value)
4507 {
4508         struct task_security_struct *tsec;
4509         u32 sid;
4510         int error;
4511         unsigned len;
4512
4513         if (current != p) {
4514                 error = task_has_perm(current, p, PROCESS__GETATTR);
4515                 if (error)
4516                         return error;
4517         }
4518
4519         tsec = p->security;
4520
4521         if (!strcmp(name, "current"))
4522                 sid = tsec->sid;
4523         else if (!strcmp(name, "prev"))
4524                 sid = tsec->osid;
4525         else if (!strcmp(name, "exec"))
4526                 sid = tsec->exec_sid;
4527         else if (!strcmp(name, "fscreate"))
4528                 sid = tsec->create_sid;
4529         else if (!strcmp(name, "keycreate"))
4530                 sid = tsec->keycreate_sid;
4531         else if (!strcmp(name, "sockcreate"))
4532                 sid = tsec->sockcreate_sid;
4533         else
4534                 return -EINVAL;
4535
4536         if (!sid)
4537                 return 0;
4538
4539         error = security_sid_to_context(sid, value, &len);
4540         if (error)
4541                 return error;
4542         return len;
4543 }
4544
4545 static int selinux_setprocattr(struct task_struct *p,
4546                                char *name, void *value, size_t size)
4547 {
4548         struct task_security_struct *tsec;
4549         u32 sid = 0;
4550         int error;
4551         char *str = value;
4552
4553         if (current != p) {
4554                 /* SELinux only allows a process to change its own
4555                    security attributes. */
4556                 return -EACCES;
4557         }
4558
4559         /*
4560          * Basic control over ability to set these attributes at all.
4561          * current == p, but we'll pass them separately in case the
4562          * above restriction is ever removed.
4563          */
4564         if (!strcmp(name, "exec"))
4565                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4566         else if (!strcmp(name, "fscreate"))
4567                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4568         else if (!strcmp(name, "keycreate"))
4569                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4570         else if (!strcmp(name, "sockcreate"))
4571                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4572         else if (!strcmp(name, "current"))
4573                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4574         else
4575                 error = -EINVAL;
4576         if (error)
4577                 return error;
4578
4579         /* Obtain a SID for the context, if one was specified. */
4580         if (size && str[1] && str[1] != '\n') {
4581                 if (str[size-1] == '\n') {
4582                         str[size-1] = 0;
4583                         size--;
4584                 }
4585                 error = security_context_to_sid(value, size, &sid);
4586                 if (error)
4587                         return error;
4588         }
4589
4590         /* Permission checking based on the specified context is
4591            performed during the actual operation (execve,
4592            open/mkdir/...), when we know the full context of the
4593            operation.  See selinux_bprm_set_security for the execve
4594            checks and may_create for the file creation checks. The
4595            operation will then fail if the context is not permitted. */
4596         tsec = p->security;
4597         if (!strcmp(name, "exec"))
4598                 tsec->exec_sid = sid;
4599         else if (!strcmp(name, "fscreate"))
4600                 tsec->create_sid = sid;
4601         else if (!strcmp(name, "keycreate")) {
4602                 error = may_create_key(sid, p);
4603                 if (error)
4604                         return error;
4605                 tsec->keycreate_sid = sid;
4606         } else if (!strcmp(name, "sockcreate"))
4607                 tsec->sockcreate_sid = sid;
4608         else if (!strcmp(name, "current")) {
4609                 struct av_decision avd;
4610
4611                 if (sid == 0)
4612                         return -EINVAL;
4613
4614                 /* Only allow single threaded processes to change context */
4615                 if (atomic_read(&p->mm->mm_users) != 1) {
4616                         struct task_struct *g, *t;
4617                         struct mm_struct *mm = p->mm;
4618                         read_lock(&tasklist_lock);
4619                         do_each_thread(g, t)
4620                                 if (t->mm == mm && t != p) {
4621                                         read_unlock(&tasklist_lock);
4622                                         return -EPERM;
4623                                 }
4624                         while_each_thread(g, t);
4625                         read_unlock(&tasklist_lock);
4626                 }
4627
4628                 /* Check permissions for the transition. */
4629                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4630                                      PROCESS__DYNTRANSITION, NULL);
4631                 if (error)
4632                         return error;
4633
4634                 /* Check for ptracing, and update the task SID if ok.
4635                    Otherwise, leave SID unchanged and fail. */
4636                 task_lock(p);
4637                 if (p->ptrace & PT_PTRACED) {
4638                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4639                                                      SECCLASS_PROCESS,
4640                                                      PROCESS__PTRACE, 0, &avd);
4641                         if (!error)
4642                                 tsec->sid = sid;
4643                         task_unlock(p);
4644                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4645                                   PROCESS__PTRACE, &avd, error, NULL);
4646                         if (error)
4647                                 return error;
4648                 } else {
4649                         tsec->sid = sid;
4650                         task_unlock(p);
4651                 }
4652         }
4653         else
4654                 return -EINVAL;
4655
4656         return size;
4657 }
4658
4659 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4660 {
4661         return security_sid_to_context(secid, secdata, seclen);
4662 }
4663
4664 static void selinux_release_secctx(char *secdata, u32 seclen)
4665 {
4666         kfree(secdata);
4667 }
4668
4669 #ifdef CONFIG_KEYS
4670
4671 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4672                              unsigned long flags)
4673 {
4674         struct task_security_struct *tsec = tsk->security;
4675         struct key_security_struct *ksec;
4676
4677         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4678         if (!ksec)
4679                 return -ENOMEM;
4680
4681         ksec->obj = k;
4682         if (tsec->keycreate_sid)
4683                 ksec->sid = tsec->keycreate_sid;
4684         else
4685                 ksec->sid = tsec->sid;
4686         k->security = ksec;
4687
4688         return 0;
4689 }
4690
4691 static void selinux_key_free(struct key *k)
4692 {
4693         struct key_security_struct *ksec = k->security;
4694
4695         k->security = NULL;
4696         kfree(ksec);
4697 }
4698
4699 static int selinux_key_permission(key_ref_t key_ref,
4700                             struct task_struct *ctx,
4701                             key_perm_t perm)
4702 {
4703         struct key *key;
4704         struct task_security_struct *tsec;
4705         struct key_security_struct *ksec;
4706
4707         key = key_ref_to_ptr(key_ref);
4708
4709         tsec = ctx->security;
4710         ksec = key->security;
4711
4712         /* if no specific permissions are requested, we skip the
4713            permission check. No serious, additional covert channels
4714            appear to be created. */
4715         if (perm == 0)
4716                 return 0;
4717
4718         return avc_has_perm(tsec->sid, ksec->sid,
4719                             SECCLASS_KEY, perm, NULL);
4720 }
4721
4722 #endif
4723
4724 static struct security_operations selinux_ops = {
4725         .ptrace =                       selinux_ptrace,
4726         .capget =                       selinux_capget,
4727         .capset_check =                 selinux_capset_check,
4728         .capset_set =                   selinux_capset_set,
4729         .sysctl =                       selinux_sysctl,
4730         .capable =                      selinux_capable,
4731         .quotactl =                     selinux_quotactl,
4732         .quota_on =                     selinux_quota_on,
4733         .syslog =                       selinux_syslog,
4734         .vm_enough_memory =             selinux_vm_enough_memory,
4735
4736         .netlink_send =                 selinux_netlink_send,
4737         .netlink_recv =                 selinux_netlink_recv,
4738
4739         .bprm_alloc_security =          selinux_bprm_alloc_security,
4740         .bprm_free_security =           selinux_bprm_free_security,
4741         .bprm_apply_creds =             selinux_bprm_apply_creds,
4742         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4743         .bprm_set_security =            selinux_bprm_set_security,
4744         .bprm_check_security =          selinux_bprm_check_security,
4745         .bprm_secureexec =              selinux_bprm_secureexec,
4746
4747         .sb_alloc_security =            selinux_sb_alloc_security,
4748         .sb_free_security =             selinux_sb_free_security,
4749         .sb_copy_data =                 selinux_sb_copy_data,
4750         .sb_kern_mount =                selinux_sb_kern_mount,
4751         .sb_statfs =                    selinux_sb_statfs,
4752         .sb_mount =                     selinux_mount,
4753         .sb_umount =                    selinux_umount,
4754
4755         .inode_alloc_security =         selinux_inode_alloc_security,
4756         .inode_free_security =          selinux_inode_free_security,
4757         .inode_init_security =          selinux_inode_init_security,
4758         .inode_create =                 selinux_inode_create,
4759         .inode_link =                   selinux_inode_link,
4760         .inode_unlink =                 selinux_inode_unlink,
4761         .inode_symlink =                selinux_inode_symlink,
4762         .inode_mkdir =                  selinux_inode_mkdir,
4763         .inode_rmdir =                  selinux_inode_rmdir,
4764         .inode_mknod =                  selinux_inode_mknod,
4765         .inode_rename =                 selinux_inode_rename,
4766         .inode_readlink =               selinux_inode_readlink,
4767         .inode_follow_link =            selinux_inode_follow_link,
4768         .inode_permission =             selinux_inode_permission,
4769         .inode_setattr =                selinux_inode_setattr,
4770         .inode_getattr =                selinux_inode_getattr,
4771         .inode_setxattr =               selinux_inode_setxattr,
4772         .inode_post_setxattr =          selinux_inode_post_setxattr,
4773         .inode_getxattr =               selinux_inode_getxattr,
4774         .inode_listxattr =              selinux_inode_listxattr,
4775         .inode_removexattr =            selinux_inode_removexattr,
4776         .inode_xattr_getsuffix =        selinux_inode_xattr_getsuffix,
4777         .inode_getsecurity =            selinux_inode_getsecurity,
4778         .inode_setsecurity =            selinux_inode_setsecurity,
4779         .inode_listsecurity =           selinux_inode_listsecurity,
4780
4781         .file_permission =              selinux_file_permission,
4782         .file_alloc_security =          selinux_file_alloc_security,
4783         .file_free_security =           selinux_file_free_security,
4784         .file_ioctl =                   selinux_file_ioctl,
4785         .file_mmap =                    selinux_file_mmap,
4786         .file_mprotect =                selinux_file_mprotect,
4787         .file_lock =                    selinux_file_lock,
4788         .file_fcntl =                   selinux_file_fcntl,
4789         .file_set_fowner =              selinux_file_set_fowner,
4790         .file_send_sigiotask =          selinux_file_send_sigiotask,
4791         .file_receive =                 selinux_file_receive,
4792
4793         .task_create =                  selinux_task_create,
4794         .task_alloc_security =          selinux_task_alloc_security,
4795         .task_free_security =           selinux_task_free_security,
4796         .task_setuid =                  selinux_task_setuid,
4797         .task_post_setuid =             selinux_task_post_setuid,
4798         .task_setgid =                  selinux_task_setgid,
4799         .task_setpgid =                 selinux_task_setpgid,
4800         .task_getpgid =                 selinux_task_getpgid,
4801         .task_getsid =                  selinux_task_getsid,
4802         .task_getsecid =                selinux_task_getsecid,
4803         .task_setgroups =               selinux_task_setgroups,
4804         .task_setnice =                 selinux_task_setnice,
4805         .task_setioprio =               selinux_task_setioprio,
4806         .task_getioprio =               selinux_task_getioprio,
4807         .task_setrlimit =               selinux_task_setrlimit,
4808         .task_setscheduler =            selinux_task_setscheduler,
4809         .task_getscheduler =            selinux_task_getscheduler,
4810         .task_movememory =              selinux_task_movememory,
4811         .task_kill =                    selinux_task_kill,
4812         .task_wait =                    selinux_task_wait,
4813         .task_prctl =                   selinux_task_prctl,
4814         .task_reparent_to_init =        selinux_task_reparent_to_init,
4815         .task_to_inode =                selinux_task_to_inode,
4816
4817         .ipc_permission =               selinux_ipc_permission,
4818
4819         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4820         .msg_msg_free_security =        selinux_msg_msg_free_security,
4821
4822         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4823         .msg_queue_free_security =      selinux_msg_queue_free_security,
4824         .msg_queue_associate =          selinux_msg_queue_associate,
4825         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4826         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4827         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4828
4829         .shm_alloc_security =           selinux_shm_alloc_security,
4830         .shm_free_security =            selinux_shm_free_security,
4831         .shm_associate =                selinux_shm_associate,
4832         .shm_shmctl =                   selinux_shm_shmctl,
4833         .shm_shmat =                    selinux_shm_shmat,
4834
4835         .sem_alloc_security =           selinux_sem_alloc_security,
4836         .sem_free_security =            selinux_sem_free_security,
4837         .sem_associate =                selinux_sem_associate,
4838         .sem_semctl =                   selinux_sem_semctl,
4839         .sem_semop =                    selinux_sem_semop,
4840
4841         .register_security =            selinux_register_security,
4842         .unregister_security =          selinux_unregister_security,
4843
4844         .d_instantiate =                selinux_d_instantiate,
4845
4846         .getprocattr =                  selinux_getprocattr,
4847         .setprocattr =                  selinux_setprocattr,
4848
4849         .secid_to_secctx =              selinux_secid_to_secctx,
4850         .release_secctx =               selinux_release_secctx,
4851
4852         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4853         .unix_may_send =                selinux_socket_unix_may_send,
4854
4855         .socket_create =                selinux_socket_create,
4856         .socket_post_create =           selinux_socket_post_create,
4857         .socket_bind =                  selinux_socket_bind,
4858         .socket_connect =               selinux_socket_connect,
4859         .socket_listen =                selinux_socket_listen,
4860         .socket_accept =                selinux_socket_accept,
4861         .socket_sendmsg =               selinux_socket_sendmsg,
4862         .socket_recvmsg =               selinux_socket_recvmsg,
4863         .socket_getsockname =           selinux_socket_getsockname,
4864         .socket_getpeername =           selinux_socket_getpeername,
4865         .socket_getsockopt =            selinux_socket_getsockopt,
4866         .socket_setsockopt =            selinux_socket_setsockopt,
4867         .socket_shutdown =              selinux_socket_shutdown,
4868         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4869         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4870         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4871         .sk_alloc_security =            selinux_sk_alloc_security,
4872         .sk_free_security =             selinux_sk_free_security,
4873         .sk_clone_security =            selinux_sk_clone_security,
4874         .sk_getsecid =                  selinux_sk_getsecid,
4875         .sock_graft =                   selinux_sock_graft,
4876         .inet_conn_request =            selinux_inet_conn_request,
4877         .inet_csk_clone =               selinux_inet_csk_clone,
4878         .inet_conn_established =        selinux_inet_conn_established,
4879         .req_classify_flow =            selinux_req_classify_flow,
4880
4881 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4882         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4883         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4884         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4885         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4886         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4887         .xfrm_state_free_security =     selinux_xfrm_state_free,
4888         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4889         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4890         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
4891         .xfrm_decode_session =          selinux_xfrm_decode_session,
4892 #endif
4893
4894 #ifdef CONFIG_KEYS
4895         .key_alloc =                    selinux_key_alloc,
4896         .key_free =                     selinux_key_free,
4897         .key_permission =               selinux_key_permission,
4898 #endif
4899 };
4900
4901 static __init int selinux_init(void)
4902 {
4903         struct task_security_struct *tsec;
4904
4905         if (!selinux_enabled) {
4906                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4907                 return 0;
4908         }
4909
4910         printk(KERN_INFO "SELinux:  Initializing.\n");
4911
4912         /* Set the security state for the initial task. */
4913         if (task_alloc_security(current))
4914                 panic("SELinux:  Failed to initialize initial task.\n");
4915         tsec = current->security;
4916         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4917
4918         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4919                                             sizeof(struct inode_security_struct),
4920                                             0, SLAB_PANIC, NULL);
4921         avc_init();
4922
4923         original_ops = secondary_ops = security_ops;
4924         if (!secondary_ops)
4925                 panic ("SELinux: No initial security operations\n");
4926         if (register_security (&selinux_ops))
4927                 panic("SELinux: Unable to register with kernel.\n");
4928
4929         if (selinux_enforcing) {
4930                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
4931         } else {
4932                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
4933         }
4934
4935 #ifdef CONFIG_KEYS
4936         /* Add security information to initial keyrings */
4937         selinux_key_alloc(&root_user_keyring, current,
4938                           KEY_ALLOC_NOT_IN_QUOTA);
4939         selinux_key_alloc(&root_session_keyring, current,
4940                           KEY_ALLOC_NOT_IN_QUOTA);
4941 #endif
4942
4943         return 0;
4944 }
4945
4946 void selinux_complete_init(void)
4947 {
4948         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
4949
4950         /* Set up any superblocks initialized prior to the policy load. */
4951         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
4952         spin_lock(&sb_lock);
4953         spin_lock(&sb_security_lock);
4954 next_sb:
4955         if (!list_empty(&superblock_security_head)) {
4956                 struct superblock_security_struct *sbsec =
4957                                 list_entry(superblock_security_head.next,
4958                                            struct superblock_security_struct,
4959                                            list);
4960                 struct super_block *sb = sbsec->sb;
4961                 sb->s_count++;
4962                 spin_unlock(&sb_security_lock);
4963                 spin_unlock(&sb_lock);
4964                 down_read(&sb->s_umount);
4965                 if (sb->s_root)
4966                         superblock_doinit(sb, NULL);
4967                 drop_super(sb);
4968                 spin_lock(&sb_lock);
4969                 spin_lock(&sb_security_lock);
4970                 list_del_init(&sbsec->list);
4971                 goto next_sb;
4972         }
4973         spin_unlock(&sb_security_lock);
4974         spin_unlock(&sb_lock);
4975 }
4976
4977 /* SELinux requires early initialization in order to label
4978    all processes and objects when they are created. */
4979 security_initcall(selinux_init);
4980
4981 #if defined(CONFIG_NETFILTER)
4982
4983 static struct nf_hook_ops selinux_ipv4_op = {
4984         .hook =         selinux_ipv4_postroute_last,
4985         .owner =        THIS_MODULE,
4986         .pf =           PF_INET,
4987         .hooknum =      NF_IP_POST_ROUTING,
4988         .priority =     NF_IP_PRI_SELINUX_LAST,
4989 };
4990
4991 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4992
4993 static struct nf_hook_ops selinux_ipv6_op = {
4994         .hook =         selinux_ipv6_postroute_last,
4995         .owner =        THIS_MODULE,
4996         .pf =           PF_INET6,
4997         .hooknum =      NF_IP6_POST_ROUTING,
4998         .priority =     NF_IP6_PRI_SELINUX_LAST,
4999 };
5000
5001 #endif  /* IPV6 */
5002
5003 static int __init selinux_nf_ip_init(void)
5004 {
5005         int err = 0;
5006
5007         if (!selinux_enabled)
5008                 goto out;
5009
5010         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5011
5012         err = nf_register_hook(&selinux_ipv4_op);
5013         if (err)
5014                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
5015
5016 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5017
5018         err = nf_register_hook(&selinux_ipv6_op);
5019         if (err)
5020                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
5021
5022 #endif  /* IPV6 */
5023
5024 out:
5025         return err;
5026 }
5027
5028 __initcall(selinux_nf_ip_init);
5029
5030 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5031 static void selinux_nf_ip_exit(void)
5032 {
5033         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5034
5035         nf_unregister_hook(&selinux_ipv4_op);
5036 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5037         nf_unregister_hook(&selinux_ipv6_op);
5038 #endif  /* IPV6 */
5039 }
5040 #endif
5041
5042 #else /* CONFIG_NETFILTER */
5043
5044 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5045 #define selinux_nf_ip_exit()
5046 #endif
5047
5048 #endif /* CONFIG_NETFILTER */
5049
5050 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5051 int selinux_disable(void)
5052 {
5053         extern void exit_sel_fs(void);
5054         static int selinux_disabled = 0;
5055
5056         if (ss_initialized) {
5057                 /* Not permitted after initial policy load. */
5058                 return -EINVAL;
5059         }
5060
5061         if (selinux_disabled) {
5062                 /* Only do this once. */
5063                 return -EINVAL;
5064         }
5065
5066         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5067
5068         selinux_disabled = 1;
5069         selinux_enabled = 0;
5070
5071         /* Reset security_ops to the secondary module, dummy or capability. */
5072         security_ops = secondary_ops;
5073
5074         /* Unregister netfilter hooks. */
5075         selinux_nf_ip_exit();
5076
5077         /* Unregister selinuxfs. */
5078         exit_sel_fs();
5079
5080         return 0;
5081 }
5082 #endif
5083
5084