Merge git://git.kernel.org/pub/scm/linux/kernel/git/bunk/trivial
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *
16  *      This program is free software; you can redistribute it and/or modify
17  *      it under the terms of the GNU General Public License version 2,
18  *      as published by the Free Software Foundation.
19  */
20
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
32 #include <linux/mm.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
45 #include <linux/kd.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
49 #include <net/icmp.h>
50 #include <net/ip.h>             /* for sysctl_local_port_range[] */
51 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h>           /* for Unix socket types */
63 #include <net/af_unix.h>        /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
66 #include <net/ipv6.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
72
73 #include "avc.h"
74 #include "objsec.h"
75 #include "netif.h"
76 #include "xfrm.h"
77
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
86
87 static int __init enforcing_setup(char *str)
88 {
89         selinux_enforcing = simple_strtol(str,NULL,0);
90         return 1;
91 }
92 __setup("enforcing=", enforcing_setup);
93 #endif
94
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97
98 static int __init selinux_enabled_setup(char *str)
99 {
100         selinux_enabled = simple_strtol(str, NULL, 0);
101         return 1;
102 }
103 __setup("selinux=", selinux_enabled_setup);
104 #endif
105
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
108
109 /* Minimal support for a secondary security module,
110    just to allow the use of the dummy or capability modules.
111    The owlsm module can alternatively be used as a secondary
112    module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
114
115 /* Lists of inode and superblock security structures initialized
116    before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
119
120 static kmem_cache_t *sel_inode_cache;
121
122 /* Allocate and free functions for each kind of security blob. */
123
124 static int task_alloc_security(struct task_struct *task)
125 {
126         struct task_security_struct *tsec;
127
128         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
129         if (!tsec)
130                 return -ENOMEM;
131
132         tsec->task = task;
133         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
134         task->security = tsec;
135
136         return 0;
137 }
138
139 static void task_free_security(struct task_struct *task)
140 {
141         struct task_security_struct *tsec = task->security;
142         task->security = NULL;
143         kfree(tsec);
144 }
145
146 static int inode_alloc_security(struct inode *inode)
147 {
148         struct task_security_struct *tsec = current->security;
149         struct inode_security_struct *isec;
150
151         isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
152         if (!isec)
153                 return -ENOMEM;
154
155         memset(isec, 0, sizeof(*isec));
156         init_MUTEX(&isec->sem);
157         INIT_LIST_HEAD(&isec->list);
158         isec->inode = inode;
159         isec->sid = SECINITSID_UNLABELED;
160         isec->sclass = SECCLASS_FILE;
161         isec->task_sid = tsec->sid;
162         inode->i_security = isec;
163
164         return 0;
165 }
166
167 static void inode_free_security(struct inode *inode)
168 {
169         struct inode_security_struct *isec = inode->i_security;
170         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
171
172         spin_lock(&sbsec->isec_lock);
173         if (!list_empty(&isec->list))
174                 list_del_init(&isec->list);
175         spin_unlock(&sbsec->isec_lock);
176
177         inode->i_security = NULL;
178         kmem_cache_free(sel_inode_cache, isec);
179 }
180
181 static int file_alloc_security(struct file *file)
182 {
183         struct task_security_struct *tsec = current->security;
184         struct file_security_struct *fsec;
185
186         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
187         if (!fsec)
188                 return -ENOMEM;
189
190         fsec->file = file;
191         fsec->sid = tsec->sid;
192         fsec->fown_sid = tsec->sid;
193         file->f_security = fsec;
194
195         return 0;
196 }
197
198 static void file_free_security(struct file *file)
199 {
200         struct file_security_struct *fsec = file->f_security;
201         file->f_security = NULL;
202         kfree(fsec);
203 }
204
205 static int superblock_alloc_security(struct super_block *sb)
206 {
207         struct superblock_security_struct *sbsec;
208
209         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
210         if (!sbsec)
211                 return -ENOMEM;
212
213         init_MUTEX(&sbsec->sem);
214         INIT_LIST_HEAD(&sbsec->list);
215         INIT_LIST_HEAD(&sbsec->isec_head);
216         spin_lock_init(&sbsec->isec_lock);
217         sbsec->sb = sb;
218         sbsec->sid = SECINITSID_UNLABELED;
219         sbsec->def_sid = SECINITSID_FILE;
220         sb->s_security = sbsec;
221
222         return 0;
223 }
224
225 static void superblock_free_security(struct super_block *sb)
226 {
227         struct superblock_security_struct *sbsec = sb->s_security;
228
229         spin_lock(&sb_security_lock);
230         if (!list_empty(&sbsec->list))
231                 list_del_init(&sbsec->list);
232         spin_unlock(&sb_security_lock);
233
234         sb->s_security = NULL;
235         kfree(sbsec);
236 }
237
238 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
239 {
240         struct sk_security_struct *ssec;
241
242         if (family != PF_UNIX)
243                 return 0;
244
245         ssec = kzalloc(sizeof(*ssec), priority);
246         if (!ssec)
247                 return -ENOMEM;
248
249         ssec->sk = sk;
250         ssec->peer_sid = SECINITSID_UNLABELED;
251         sk->sk_security = ssec;
252
253         return 0;
254 }
255
256 static void sk_free_security(struct sock *sk)
257 {
258         struct sk_security_struct *ssec = sk->sk_security;
259
260         if (sk->sk_family != PF_UNIX)
261                 return;
262
263         sk->sk_security = NULL;
264         kfree(ssec);
265 }
266
267 /* The security server must be initialized before
268    any labeling or access decisions can be provided. */
269 extern int ss_initialized;
270
271 /* The file system's label must be initialized prior to use. */
272
273 static char *labeling_behaviors[6] = {
274         "uses xattr",
275         "uses transition SIDs",
276         "uses task SIDs",
277         "uses genfs_contexts",
278         "not configured for labeling",
279         "uses mountpoint labeling",
280 };
281
282 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
283
284 static inline int inode_doinit(struct inode *inode)
285 {
286         return inode_doinit_with_dentry(inode, NULL);
287 }
288
289 enum {
290         Opt_context = 1,
291         Opt_fscontext = 2,
292         Opt_defcontext = 4,
293 };
294
295 static match_table_t tokens = {
296         {Opt_context, "context=%s"},
297         {Opt_fscontext, "fscontext=%s"},
298         {Opt_defcontext, "defcontext=%s"},
299 };
300
301 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
302
303 static int try_context_mount(struct super_block *sb, void *data)
304 {
305         char *context = NULL, *defcontext = NULL;
306         const char *name;
307         u32 sid;
308         int alloc = 0, rc = 0, seen = 0;
309         struct task_security_struct *tsec = current->security;
310         struct superblock_security_struct *sbsec = sb->s_security;
311
312         if (!data)
313                 goto out;
314
315         name = sb->s_type->name;
316
317         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
318
319                 /* NFS we understand. */
320                 if (!strcmp(name, "nfs")) {
321                         struct nfs_mount_data *d = data;
322
323                         if (d->version <  NFS_MOUNT_VERSION)
324                                 goto out;
325
326                         if (d->context[0]) {
327                                 context = d->context;
328                                 seen |= Opt_context;
329                         }
330                 } else
331                         goto out;
332
333         } else {
334                 /* Standard string-based options. */
335                 char *p, *options = data;
336
337                 while ((p = strsep(&options, ",")) != NULL) {
338                         int token;
339                         substring_t args[MAX_OPT_ARGS];
340
341                         if (!*p)
342                                 continue;
343
344                         token = match_token(p, tokens, args);
345
346                         switch (token) {
347                         case Opt_context:
348                                 if (seen) {
349                                         rc = -EINVAL;
350                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
351                                         goto out_free;
352                                 }
353                                 context = match_strdup(&args[0]);
354                                 if (!context) {
355                                         rc = -ENOMEM;
356                                         goto out_free;
357                                 }
358                                 if (!alloc)
359                                         alloc = 1;
360                                 seen |= Opt_context;
361                                 break;
362
363                         case Opt_fscontext:
364                                 if (seen & (Opt_context|Opt_fscontext)) {
365                                         rc = -EINVAL;
366                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
367                                         goto out_free;
368                                 }
369                                 context = match_strdup(&args[0]);
370                                 if (!context) {
371                                         rc = -ENOMEM;
372                                         goto out_free;
373                                 }
374                                 if (!alloc)
375                                         alloc = 1;
376                                 seen |= Opt_fscontext;
377                                 break;
378
379                         case Opt_defcontext:
380                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
381                                         rc = -EINVAL;
382                                         printk(KERN_WARNING "SELinux:  "
383                                                "defcontext option is invalid "
384                                                "for this filesystem type\n");
385                                         goto out_free;
386                                 }
387                                 if (seen & (Opt_context|Opt_defcontext)) {
388                                         rc = -EINVAL;
389                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
390                                         goto out_free;
391                                 }
392                                 defcontext = match_strdup(&args[0]);
393                                 if (!defcontext) {
394                                         rc = -ENOMEM;
395                                         goto out_free;
396                                 }
397                                 if (!alloc)
398                                         alloc = 1;
399                                 seen |= Opt_defcontext;
400                                 break;
401
402                         default:
403                                 rc = -EINVAL;
404                                 printk(KERN_WARNING "SELinux:  unknown mount "
405                                        "option\n");
406                                 goto out_free;
407
408                         }
409                 }
410         }
411
412         if (!seen)
413                 goto out;
414
415         if (context) {
416                 rc = security_context_to_sid(context, strlen(context), &sid);
417                 if (rc) {
418                         printk(KERN_WARNING "SELinux: security_context_to_sid"
419                                "(%s) failed for (dev %s, type %s) errno=%d\n",
420                                context, sb->s_id, name, rc);
421                         goto out_free;
422                 }
423
424                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
425                                   FILESYSTEM__RELABELFROM, NULL);
426                 if (rc)
427                         goto out_free;
428
429                 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
430                                   FILESYSTEM__RELABELTO, NULL);
431                 if (rc)
432                         goto out_free;
433
434                 sbsec->sid = sid;
435
436                 if (seen & Opt_context)
437                         sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
438         }
439
440         if (defcontext) {
441                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
442                 if (rc) {
443                         printk(KERN_WARNING "SELinux: security_context_to_sid"
444                                "(%s) failed for (dev %s, type %s) errno=%d\n",
445                                defcontext, sb->s_id, name, rc);
446                         goto out_free;
447                 }
448
449                 if (sid == sbsec->def_sid)
450                         goto out_free;
451
452                 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453                                   FILESYSTEM__RELABELFROM, NULL);
454                 if (rc)
455                         goto out_free;
456
457                 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
458                                   FILESYSTEM__ASSOCIATE, NULL);
459                 if (rc)
460                         goto out_free;
461
462                 sbsec->def_sid = sid;
463         }
464
465 out_free:
466         if (alloc) {
467                 kfree(context);
468                 kfree(defcontext);
469         }
470 out:
471         return rc;
472 }
473
474 static int superblock_doinit(struct super_block *sb, void *data)
475 {
476         struct superblock_security_struct *sbsec = sb->s_security;
477         struct dentry *root = sb->s_root;
478         struct inode *inode = root->d_inode;
479         int rc = 0;
480
481         down(&sbsec->sem);
482         if (sbsec->initialized)
483                 goto out;
484
485         if (!ss_initialized) {
486                 /* Defer initialization until selinux_complete_init,
487                    after the initial policy is loaded and the security
488                    server is ready to handle calls. */
489                 spin_lock(&sb_security_lock);
490                 if (list_empty(&sbsec->list))
491                         list_add(&sbsec->list, &superblock_security_head);
492                 spin_unlock(&sb_security_lock);
493                 goto out;
494         }
495
496         /* Determine the labeling behavior to use for this filesystem type. */
497         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
498         if (rc) {
499                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
500                        __FUNCTION__, sb->s_type->name, rc);
501                 goto out;
502         }
503
504         rc = try_context_mount(sb, data);
505         if (rc)
506                 goto out;
507
508         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
509                 /* Make sure that the xattr handler exists and that no
510                    error other than -ENODATA is returned by getxattr on
511                    the root directory.  -ENODATA is ok, as this may be
512                    the first boot of the SELinux kernel before we have
513                    assigned xattr values to the filesystem. */
514                 if (!inode->i_op->getxattr) {
515                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
516                                "xattr support\n", sb->s_id, sb->s_type->name);
517                         rc = -EOPNOTSUPP;
518                         goto out;
519                 }
520                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
521                 if (rc < 0 && rc != -ENODATA) {
522                         if (rc == -EOPNOTSUPP)
523                                 printk(KERN_WARNING "SELinux: (dev %s, type "
524                                        "%s) has no security xattr handler\n",
525                                        sb->s_id, sb->s_type->name);
526                         else
527                                 printk(KERN_WARNING "SELinux: (dev %s, type "
528                                        "%s) getxattr errno %d\n", sb->s_id,
529                                        sb->s_type->name, -rc);
530                         goto out;
531                 }
532         }
533
534         if (strcmp(sb->s_type->name, "proc") == 0)
535                 sbsec->proc = 1;
536
537         sbsec->initialized = 1;
538
539         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
540                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
541                        sb->s_id, sb->s_type->name);
542         }
543         else {
544                 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
545                        sb->s_id, sb->s_type->name,
546                        labeling_behaviors[sbsec->behavior-1]);
547         }
548
549         /* Initialize the root inode. */
550         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
551
552         /* Initialize any other inodes associated with the superblock, e.g.
553            inodes created prior to initial policy load or inodes created
554            during get_sb by a pseudo filesystem that directly
555            populates itself. */
556         spin_lock(&sbsec->isec_lock);
557 next_inode:
558         if (!list_empty(&sbsec->isec_head)) {
559                 struct inode_security_struct *isec =
560                                 list_entry(sbsec->isec_head.next,
561                                            struct inode_security_struct, list);
562                 struct inode *inode = isec->inode;
563                 spin_unlock(&sbsec->isec_lock);
564                 inode = igrab(inode);
565                 if (inode) {
566                         if (!IS_PRIVATE (inode))
567                                 inode_doinit(inode);
568                         iput(inode);
569                 }
570                 spin_lock(&sbsec->isec_lock);
571                 list_del_init(&isec->list);
572                 goto next_inode;
573         }
574         spin_unlock(&sbsec->isec_lock);
575 out:
576         up(&sbsec->sem);
577         return rc;
578 }
579
580 static inline u16 inode_mode_to_security_class(umode_t mode)
581 {
582         switch (mode & S_IFMT) {
583         case S_IFSOCK:
584                 return SECCLASS_SOCK_FILE;
585         case S_IFLNK:
586                 return SECCLASS_LNK_FILE;
587         case S_IFREG:
588                 return SECCLASS_FILE;
589         case S_IFBLK:
590                 return SECCLASS_BLK_FILE;
591         case S_IFDIR:
592                 return SECCLASS_DIR;
593         case S_IFCHR:
594                 return SECCLASS_CHR_FILE;
595         case S_IFIFO:
596                 return SECCLASS_FIFO_FILE;
597
598         }
599
600         return SECCLASS_FILE;
601 }
602
603 static inline int default_protocol_stream(int protocol)
604 {
605         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
606 }
607
608 static inline int default_protocol_dgram(int protocol)
609 {
610         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
611 }
612
613 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
614 {
615         switch (family) {
616         case PF_UNIX:
617                 switch (type) {
618                 case SOCK_STREAM:
619                 case SOCK_SEQPACKET:
620                         return SECCLASS_UNIX_STREAM_SOCKET;
621                 case SOCK_DGRAM:
622                         return SECCLASS_UNIX_DGRAM_SOCKET;
623                 }
624                 break;
625         case PF_INET:
626         case PF_INET6:
627                 switch (type) {
628                 case SOCK_STREAM:
629                         if (default_protocol_stream(protocol))
630                                 return SECCLASS_TCP_SOCKET;
631                         else
632                                 return SECCLASS_RAWIP_SOCKET;
633                 case SOCK_DGRAM:
634                         if (default_protocol_dgram(protocol))
635                                 return SECCLASS_UDP_SOCKET;
636                         else
637                                 return SECCLASS_RAWIP_SOCKET;
638                 default:
639                         return SECCLASS_RAWIP_SOCKET;
640                 }
641                 break;
642         case PF_NETLINK:
643                 switch (protocol) {
644                 case NETLINK_ROUTE:
645                         return SECCLASS_NETLINK_ROUTE_SOCKET;
646                 case NETLINK_FIREWALL:
647                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
648                 case NETLINK_INET_DIAG:
649                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
650                 case NETLINK_NFLOG:
651                         return SECCLASS_NETLINK_NFLOG_SOCKET;
652                 case NETLINK_XFRM:
653                         return SECCLASS_NETLINK_XFRM_SOCKET;
654                 case NETLINK_SELINUX:
655                         return SECCLASS_NETLINK_SELINUX_SOCKET;
656                 case NETLINK_AUDIT:
657                         return SECCLASS_NETLINK_AUDIT_SOCKET;
658                 case NETLINK_IP6_FW:
659                         return SECCLASS_NETLINK_IP6FW_SOCKET;
660                 case NETLINK_DNRTMSG:
661                         return SECCLASS_NETLINK_DNRT_SOCKET;
662                 case NETLINK_KOBJECT_UEVENT:
663                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
664                 default:
665                         return SECCLASS_NETLINK_SOCKET;
666                 }
667         case PF_PACKET:
668                 return SECCLASS_PACKET_SOCKET;
669         case PF_KEY:
670                 return SECCLASS_KEY_SOCKET;
671         }
672
673         return SECCLASS_SOCKET;
674 }
675
676 #ifdef CONFIG_PROC_FS
677 static int selinux_proc_get_sid(struct proc_dir_entry *de,
678                                 u16 tclass,
679                                 u32 *sid)
680 {
681         int buflen, rc;
682         char *buffer, *path, *end;
683
684         buffer = (char*)__get_free_page(GFP_KERNEL);
685         if (!buffer)
686                 return -ENOMEM;
687
688         buflen = PAGE_SIZE;
689         end = buffer+buflen;
690         *--end = '\0';
691         buflen--;
692         path = end-1;
693         *path = '/';
694         while (de && de != de->parent) {
695                 buflen -= de->namelen + 1;
696                 if (buflen < 0)
697                         break;
698                 end -= de->namelen;
699                 memcpy(end, de->name, de->namelen);
700                 *--end = '/';
701                 path = end;
702                 de = de->parent;
703         }
704         rc = security_genfs_sid("proc", path, tclass, sid);
705         free_page((unsigned long)buffer);
706         return rc;
707 }
708 #else
709 static int selinux_proc_get_sid(struct proc_dir_entry *de,
710                                 u16 tclass,
711                                 u32 *sid)
712 {
713         return -EINVAL;
714 }
715 #endif
716
717 /* The inode's security attributes must be initialized before first use. */
718 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
719 {
720         struct superblock_security_struct *sbsec = NULL;
721         struct inode_security_struct *isec = inode->i_security;
722         u32 sid;
723         struct dentry *dentry;
724 #define INITCONTEXTLEN 255
725         char *context = NULL;
726         unsigned len = 0;
727         int rc = 0;
728         int hold_sem = 0;
729
730         if (isec->initialized)
731                 goto out;
732
733         down(&isec->sem);
734         hold_sem = 1;
735         if (isec->initialized)
736                 goto out;
737
738         sbsec = inode->i_sb->s_security;
739         if (!sbsec->initialized) {
740                 /* Defer initialization until selinux_complete_init,
741                    after the initial policy is loaded and the security
742                    server is ready to handle calls. */
743                 spin_lock(&sbsec->isec_lock);
744                 if (list_empty(&isec->list))
745                         list_add(&isec->list, &sbsec->isec_head);
746                 spin_unlock(&sbsec->isec_lock);
747                 goto out;
748         }
749
750         switch (sbsec->behavior) {
751         case SECURITY_FS_USE_XATTR:
752                 if (!inode->i_op->getxattr) {
753                         isec->sid = sbsec->def_sid;
754                         break;
755                 }
756
757                 /* Need a dentry, since the xattr API requires one.
758                    Life would be simpler if we could just pass the inode. */
759                 if (opt_dentry) {
760                         /* Called from d_instantiate or d_splice_alias. */
761                         dentry = dget(opt_dentry);
762                 } else {
763                         /* Called from selinux_complete_init, try to find a dentry. */
764                         dentry = d_find_alias(inode);
765                 }
766                 if (!dentry) {
767                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
768                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
769                                inode->i_ino);
770                         goto out;
771                 }
772
773                 len = INITCONTEXTLEN;
774                 context = kmalloc(len, GFP_KERNEL);
775                 if (!context) {
776                         rc = -ENOMEM;
777                         dput(dentry);
778                         goto out;
779                 }
780                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
781                                            context, len);
782                 if (rc == -ERANGE) {
783                         /* Need a larger buffer.  Query for the right size. */
784                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
785                                                    NULL, 0);
786                         if (rc < 0) {
787                                 dput(dentry);
788                                 goto out;
789                         }
790                         kfree(context);
791                         len = rc;
792                         context = kmalloc(len, GFP_KERNEL);
793                         if (!context) {
794                                 rc = -ENOMEM;
795                                 dput(dentry);
796                                 goto out;
797                         }
798                         rc = inode->i_op->getxattr(dentry,
799                                                    XATTR_NAME_SELINUX,
800                                                    context, len);
801                 }
802                 dput(dentry);
803                 if (rc < 0) {
804                         if (rc != -ENODATA) {
805                                 printk(KERN_WARNING "%s:  getxattr returned "
806                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
807                                        -rc, inode->i_sb->s_id, inode->i_ino);
808                                 kfree(context);
809                                 goto out;
810                         }
811                         /* Map ENODATA to the default file SID */
812                         sid = sbsec->def_sid;
813                         rc = 0;
814                 } else {
815                         rc = security_context_to_sid_default(context, rc, &sid,
816                                                              sbsec->def_sid);
817                         if (rc) {
818                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
819                                        "returned %d for dev=%s ino=%ld\n",
820                                        __FUNCTION__, context, -rc,
821                                        inode->i_sb->s_id, inode->i_ino);
822                                 kfree(context);
823                                 /* Leave with the unlabeled SID */
824                                 rc = 0;
825                                 break;
826                         }
827                 }
828                 kfree(context);
829                 isec->sid = sid;
830                 break;
831         case SECURITY_FS_USE_TASK:
832                 isec->sid = isec->task_sid;
833                 break;
834         case SECURITY_FS_USE_TRANS:
835                 /* Default to the fs SID. */
836                 isec->sid = sbsec->sid;
837
838                 /* Try to obtain a transition SID. */
839                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
840                 rc = security_transition_sid(isec->task_sid,
841                                              sbsec->sid,
842                                              isec->sclass,
843                                              &sid);
844                 if (rc)
845                         goto out;
846                 isec->sid = sid;
847                 break;
848         default:
849                 /* Default to the fs SID. */
850                 isec->sid = sbsec->sid;
851
852                 if (sbsec->proc) {
853                         struct proc_inode *proci = PROC_I(inode);
854                         if (proci->pde) {
855                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
856                                 rc = selinux_proc_get_sid(proci->pde,
857                                                           isec->sclass,
858                                                           &sid);
859                                 if (rc)
860                                         goto out;
861                                 isec->sid = sid;
862                         }
863                 }
864                 break;
865         }
866
867         isec->initialized = 1;
868
869 out:
870         if (isec->sclass == SECCLASS_FILE)
871                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
872
873         if (hold_sem)
874                 up(&isec->sem);
875         return rc;
876 }
877
878 /* Convert a Linux signal to an access vector. */
879 static inline u32 signal_to_av(int sig)
880 {
881         u32 perm = 0;
882
883         switch (sig) {
884         case SIGCHLD:
885                 /* Commonly granted from child to parent. */
886                 perm = PROCESS__SIGCHLD;
887                 break;
888         case SIGKILL:
889                 /* Cannot be caught or ignored */
890                 perm = PROCESS__SIGKILL;
891                 break;
892         case SIGSTOP:
893                 /* Cannot be caught or ignored */
894                 perm = PROCESS__SIGSTOP;
895                 break;
896         default:
897                 /* All other signals. */
898                 perm = PROCESS__SIGNAL;
899                 break;
900         }
901
902         return perm;
903 }
904
905 /* Check permission betweeen a pair of tasks, e.g. signal checks,
906    fork check, ptrace check, etc. */
907 static int task_has_perm(struct task_struct *tsk1,
908                          struct task_struct *tsk2,
909                          u32 perms)
910 {
911         struct task_security_struct *tsec1, *tsec2;
912
913         tsec1 = tsk1->security;
914         tsec2 = tsk2->security;
915         return avc_has_perm(tsec1->sid, tsec2->sid,
916                             SECCLASS_PROCESS, perms, NULL);
917 }
918
919 /* Check whether a task is allowed to use a capability. */
920 static int task_has_capability(struct task_struct *tsk,
921                                int cap)
922 {
923         struct task_security_struct *tsec;
924         struct avc_audit_data ad;
925
926         tsec = tsk->security;
927
928         AVC_AUDIT_DATA_INIT(&ad,CAP);
929         ad.tsk = tsk;
930         ad.u.cap = cap;
931
932         return avc_has_perm(tsec->sid, tsec->sid,
933                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
934 }
935
936 /* Check whether a task is allowed to use a system operation. */
937 static int task_has_system(struct task_struct *tsk,
938                            u32 perms)
939 {
940         struct task_security_struct *tsec;
941
942         tsec = tsk->security;
943
944         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
945                             SECCLASS_SYSTEM, perms, NULL);
946 }
947
948 /* Check whether a task has a particular permission to an inode.
949    The 'adp' parameter is optional and allows other audit
950    data to be passed (e.g. the dentry). */
951 static int inode_has_perm(struct task_struct *tsk,
952                           struct inode *inode,
953                           u32 perms,
954                           struct avc_audit_data *adp)
955 {
956         struct task_security_struct *tsec;
957         struct inode_security_struct *isec;
958         struct avc_audit_data ad;
959
960         tsec = tsk->security;
961         isec = inode->i_security;
962
963         if (!adp) {
964                 adp = &ad;
965                 AVC_AUDIT_DATA_INIT(&ad, FS);
966                 ad.u.fs.inode = inode;
967         }
968
969         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
970 }
971
972 /* Same as inode_has_perm, but pass explicit audit data containing
973    the dentry to help the auditing code to more easily generate the
974    pathname if needed. */
975 static inline int dentry_has_perm(struct task_struct *tsk,
976                                   struct vfsmount *mnt,
977                                   struct dentry *dentry,
978                                   u32 av)
979 {
980         struct inode *inode = dentry->d_inode;
981         struct avc_audit_data ad;
982         AVC_AUDIT_DATA_INIT(&ad,FS);
983         ad.u.fs.mnt = mnt;
984         ad.u.fs.dentry = dentry;
985         return inode_has_perm(tsk, inode, av, &ad);
986 }
987
988 /* Check whether a task can use an open file descriptor to
989    access an inode in a given way.  Check access to the
990    descriptor itself, and then use dentry_has_perm to
991    check a particular permission to the file.
992    Access to the descriptor is implicitly granted if it
993    has the same SID as the process.  If av is zero, then
994    access to the file is not checked, e.g. for cases
995    where only the descriptor is affected like seek. */
996 static int file_has_perm(struct task_struct *tsk,
997                                 struct file *file,
998                                 u32 av)
999 {
1000         struct task_security_struct *tsec = tsk->security;
1001         struct file_security_struct *fsec = file->f_security;
1002         struct vfsmount *mnt = file->f_vfsmnt;
1003         struct dentry *dentry = file->f_dentry;
1004         struct inode *inode = dentry->d_inode;
1005         struct avc_audit_data ad;
1006         int rc;
1007
1008         AVC_AUDIT_DATA_INIT(&ad, FS);
1009         ad.u.fs.mnt = mnt;
1010         ad.u.fs.dentry = dentry;
1011
1012         if (tsec->sid != fsec->sid) {
1013                 rc = avc_has_perm(tsec->sid, fsec->sid,
1014                                   SECCLASS_FD,
1015                                   FD__USE,
1016                                   &ad);
1017                 if (rc)
1018                         return rc;
1019         }
1020
1021         /* av is zero if only checking access to the descriptor. */
1022         if (av)
1023                 return inode_has_perm(tsk, inode, av, &ad);
1024
1025         return 0;
1026 }
1027
1028 /* Check whether a task can create a file. */
1029 static int may_create(struct inode *dir,
1030                       struct dentry *dentry,
1031                       u16 tclass)
1032 {
1033         struct task_security_struct *tsec;
1034         struct inode_security_struct *dsec;
1035         struct superblock_security_struct *sbsec;
1036         u32 newsid;
1037         struct avc_audit_data ad;
1038         int rc;
1039
1040         tsec = current->security;
1041         dsec = dir->i_security;
1042         sbsec = dir->i_sb->s_security;
1043
1044         AVC_AUDIT_DATA_INIT(&ad, FS);
1045         ad.u.fs.dentry = dentry;
1046
1047         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1048                           DIR__ADD_NAME | DIR__SEARCH,
1049                           &ad);
1050         if (rc)
1051                 return rc;
1052
1053         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1054                 newsid = tsec->create_sid;
1055         } else {
1056                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1057                                              &newsid);
1058                 if (rc)
1059                         return rc;
1060         }
1061
1062         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1063         if (rc)
1064                 return rc;
1065
1066         return avc_has_perm(newsid, sbsec->sid,
1067                             SECCLASS_FILESYSTEM,
1068                             FILESYSTEM__ASSOCIATE, &ad);
1069 }
1070
1071 #define MAY_LINK   0
1072 #define MAY_UNLINK 1
1073 #define MAY_RMDIR  2
1074
1075 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1076 static int may_link(struct inode *dir,
1077                     struct dentry *dentry,
1078                     int kind)
1079
1080 {
1081         struct task_security_struct *tsec;
1082         struct inode_security_struct *dsec, *isec;
1083         struct avc_audit_data ad;
1084         u32 av;
1085         int rc;
1086
1087         tsec = current->security;
1088         dsec = dir->i_security;
1089         isec = dentry->d_inode->i_security;
1090
1091         AVC_AUDIT_DATA_INIT(&ad, FS);
1092         ad.u.fs.dentry = dentry;
1093
1094         av = DIR__SEARCH;
1095         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1096         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1097         if (rc)
1098                 return rc;
1099
1100         switch (kind) {
1101         case MAY_LINK:
1102                 av = FILE__LINK;
1103                 break;
1104         case MAY_UNLINK:
1105                 av = FILE__UNLINK;
1106                 break;
1107         case MAY_RMDIR:
1108                 av = DIR__RMDIR;
1109                 break;
1110         default:
1111                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1112                 return 0;
1113         }
1114
1115         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1116         return rc;
1117 }
1118
1119 static inline int may_rename(struct inode *old_dir,
1120                              struct dentry *old_dentry,
1121                              struct inode *new_dir,
1122                              struct dentry *new_dentry)
1123 {
1124         struct task_security_struct *tsec;
1125         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1126         struct avc_audit_data ad;
1127         u32 av;
1128         int old_is_dir, new_is_dir;
1129         int rc;
1130
1131         tsec = current->security;
1132         old_dsec = old_dir->i_security;
1133         old_isec = old_dentry->d_inode->i_security;
1134         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1135         new_dsec = new_dir->i_security;
1136
1137         AVC_AUDIT_DATA_INIT(&ad, FS);
1138
1139         ad.u.fs.dentry = old_dentry;
1140         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1141                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1142         if (rc)
1143                 return rc;
1144         rc = avc_has_perm(tsec->sid, old_isec->sid,
1145                           old_isec->sclass, FILE__RENAME, &ad);
1146         if (rc)
1147                 return rc;
1148         if (old_is_dir && new_dir != old_dir) {
1149                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1150                                   old_isec->sclass, DIR__REPARENT, &ad);
1151                 if (rc)
1152                         return rc;
1153         }
1154
1155         ad.u.fs.dentry = new_dentry;
1156         av = DIR__ADD_NAME | DIR__SEARCH;
1157         if (new_dentry->d_inode)
1158                 av |= DIR__REMOVE_NAME;
1159         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1160         if (rc)
1161                 return rc;
1162         if (new_dentry->d_inode) {
1163                 new_isec = new_dentry->d_inode->i_security;
1164                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1165                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1166                                   new_isec->sclass,
1167                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1168                 if (rc)
1169                         return rc;
1170         }
1171
1172         return 0;
1173 }
1174
1175 /* Check whether a task can perform a filesystem operation. */
1176 static int superblock_has_perm(struct task_struct *tsk,
1177                                struct super_block *sb,
1178                                u32 perms,
1179                                struct avc_audit_data *ad)
1180 {
1181         struct task_security_struct *tsec;
1182         struct superblock_security_struct *sbsec;
1183
1184         tsec = tsk->security;
1185         sbsec = sb->s_security;
1186         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1187                             perms, ad);
1188 }
1189
1190 /* Convert a Linux mode and permission mask to an access vector. */
1191 static inline u32 file_mask_to_av(int mode, int mask)
1192 {
1193         u32 av = 0;
1194
1195         if ((mode & S_IFMT) != S_IFDIR) {
1196                 if (mask & MAY_EXEC)
1197                         av |= FILE__EXECUTE;
1198                 if (mask & MAY_READ)
1199                         av |= FILE__READ;
1200
1201                 if (mask & MAY_APPEND)
1202                         av |= FILE__APPEND;
1203                 else if (mask & MAY_WRITE)
1204                         av |= FILE__WRITE;
1205
1206         } else {
1207                 if (mask & MAY_EXEC)
1208                         av |= DIR__SEARCH;
1209                 if (mask & MAY_WRITE)
1210                         av |= DIR__WRITE;
1211                 if (mask & MAY_READ)
1212                         av |= DIR__READ;
1213         }
1214
1215         return av;
1216 }
1217
1218 /* Convert a Linux file to an access vector. */
1219 static inline u32 file_to_av(struct file *file)
1220 {
1221         u32 av = 0;
1222
1223         if (file->f_mode & FMODE_READ)
1224                 av |= FILE__READ;
1225         if (file->f_mode & FMODE_WRITE) {
1226                 if (file->f_flags & O_APPEND)
1227                         av |= FILE__APPEND;
1228                 else
1229                         av |= FILE__WRITE;
1230         }
1231
1232         return av;
1233 }
1234
1235 /* Set an inode's SID to a specified value. */
1236 static int inode_security_set_sid(struct inode *inode, u32 sid)
1237 {
1238         struct inode_security_struct *isec = inode->i_security;
1239         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1240
1241         if (!sbsec->initialized) {
1242                 /* Defer initialization to selinux_complete_init. */
1243                 return 0;
1244         }
1245
1246         down(&isec->sem);
1247         isec->sclass = inode_mode_to_security_class(inode->i_mode);
1248         isec->sid = sid;
1249         isec->initialized = 1;
1250         up(&isec->sem);
1251         return 0;
1252 }
1253
1254 /* Hook functions begin here. */
1255
1256 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1257 {
1258         struct task_security_struct *psec = parent->security;
1259         struct task_security_struct *csec = child->security;
1260         int rc;
1261
1262         rc = secondary_ops->ptrace(parent,child);
1263         if (rc)
1264                 return rc;
1265
1266         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1267         /* Save the SID of the tracing process for later use in apply_creds. */
1268         if (!(child->ptrace & PT_PTRACED) && !rc)
1269                 csec->ptrace_sid = psec->sid;
1270         return rc;
1271 }
1272
1273 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1274                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1275 {
1276         int error;
1277
1278         error = task_has_perm(current, target, PROCESS__GETCAP);
1279         if (error)
1280                 return error;
1281
1282         return secondary_ops->capget(target, effective, inheritable, permitted);
1283 }
1284
1285 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1286                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1287 {
1288         int error;
1289
1290         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1291         if (error)
1292                 return error;
1293
1294         return task_has_perm(current, target, PROCESS__SETCAP);
1295 }
1296
1297 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1298                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1299 {
1300         secondary_ops->capset_set(target, effective, inheritable, permitted);
1301 }
1302
1303 static int selinux_capable(struct task_struct *tsk, int cap)
1304 {
1305         int rc;
1306
1307         rc = secondary_ops->capable(tsk, cap);
1308         if (rc)
1309                 return rc;
1310
1311         return task_has_capability(tsk,cap);
1312 }
1313
1314 static int selinux_sysctl(ctl_table *table, int op)
1315 {
1316         int error = 0;
1317         u32 av;
1318         struct task_security_struct *tsec;
1319         u32 tsid;
1320         int rc;
1321
1322         rc = secondary_ops->sysctl(table, op);
1323         if (rc)
1324                 return rc;
1325
1326         tsec = current->security;
1327
1328         rc = selinux_proc_get_sid(table->de, (op == 001) ?
1329                                   SECCLASS_DIR : SECCLASS_FILE, &tsid);
1330         if (rc) {
1331                 /* Default to the well-defined sysctl SID. */
1332                 tsid = SECINITSID_SYSCTL;
1333         }
1334
1335         /* The op values are "defined" in sysctl.c, thereby creating
1336          * a bad coupling between this module and sysctl.c */
1337         if(op == 001) {
1338                 error = avc_has_perm(tsec->sid, tsid,
1339                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1340         } else {
1341                 av = 0;
1342                 if (op & 004)
1343                         av |= FILE__READ;
1344                 if (op & 002)
1345                         av |= FILE__WRITE;
1346                 if (av)
1347                         error = avc_has_perm(tsec->sid, tsid,
1348                                              SECCLASS_FILE, av, NULL);
1349         }
1350
1351         return error;
1352 }
1353
1354 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1355 {
1356         int rc = 0;
1357
1358         if (!sb)
1359                 return 0;
1360
1361         switch (cmds) {
1362                 case Q_SYNC:
1363                 case Q_QUOTAON:
1364                 case Q_QUOTAOFF:
1365                 case Q_SETINFO:
1366                 case Q_SETQUOTA:
1367                         rc = superblock_has_perm(current,
1368                                                  sb,
1369                                                  FILESYSTEM__QUOTAMOD, NULL);
1370                         break;
1371                 case Q_GETFMT:
1372                 case Q_GETINFO:
1373                 case Q_GETQUOTA:
1374                         rc = superblock_has_perm(current,
1375                                                  sb,
1376                                                  FILESYSTEM__QUOTAGET, NULL);
1377                         break;
1378                 default:
1379                         rc = 0;  /* let the kernel handle invalid cmds */
1380                         break;
1381         }
1382         return rc;
1383 }
1384
1385 static int selinux_quota_on(struct dentry *dentry)
1386 {
1387         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1388 }
1389
1390 static int selinux_syslog(int type)
1391 {
1392         int rc;
1393
1394         rc = secondary_ops->syslog(type);
1395         if (rc)
1396                 return rc;
1397
1398         switch (type) {
1399                 case 3:         /* Read last kernel messages */
1400                 case 10:        /* Return size of the log buffer */
1401                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1402                         break;
1403                 case 6:         /* Disable logging to console */
1404                 case 7:         /* Enable logging to console */
1405                 case 8:         /* Set level of messages printed to console */
1406                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1407                         break;
1408                 case 0:         /* Close log */
1409                 case 1:         /* Open log */
1410                 case 2:         /* Read from log */
1411                 case 4:         /* Read/clear last kernel messages */
1412                 case 5:         /* Clear ring buffer */
1413                 default:
1414                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1415                         break;
1416         }
1417         return rc;
1418 }
1419
1420 /*
1421  * Check that a process has enough memory to allocate a new virtual
1422  * mapping. 0 means there is enough memory for the allocation to
1423  * succeed and -ENOMEM implies there is not.
1424  *
1425  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1426  * if the capability is granted, but __vm_enough_memory requires 1 if
1427  * the capability is granted.
1428  *
1429  * Do not audit the selinux permission check, as this is applied to all
1430  * processes that allocate mappings.
1431  */
1432 static int selinux_vm_enough_memory(long pages)
1433 {
1434         int rc, cap_sys_admin = 0;
1435         struct task_security_struct *tsec = current->security;
1436
1437         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1438         if (rc == 0)
1439                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1440                                         SECCLASS_CAPABILITY,
1441                                         CAP_TO_MASK(CAP_SYS_ADMIN),
1442                                         NULL);
1443
1444         if (rc == 0)
1445                 cap_sys_admin = 1;
1446
1447         return __vm_enough_memory(pages, cap_sys_admin);
1448 }
1449
1450 /* binprm security operations */
1451
1452 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1453 {
1454         struct bprm_security_struct *bsec;
1455
1456         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1457         if (!bsec)
1458                 return -ENOMEM;
1459
1460         bsec->bprm = bprm;
1461         bsec->sid = SECINITSID_UNLABELED;
1462         bsec->set = 0;
1463
1464         bprm->security = bsec;
1465         return 0;
1466 }
1467
1468 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1469 {
1470         struct task_security_struct *tsec;
1471         struct inode *inode = bprm->file->f_dentry->d_inode;
1472         struct inode_security_struct *isec;
1473         struct bprm_security_struct *bsec;
1474         u32 newsid;
1475         struct avc_audit_data ad;
1476         int rc;
1477
1478         rc = secondary_ops->bprm_set_security(bprm);
1479         if (rc)
1480                 return rc;
1481
1482         bsec = bprm->security;
1483
1484         if (bsec->set)
1485                 return 0;
1486
1487         tsec = current->security;
1488         isec = inode->i_security;
1489
1490         /* Default to the current task SID. */
1491         bsec->sid = tsec->sid;
1492
1493         /* Reset create SID on execve. */
1494         tsec->create_sid = 0;
1495
1496         if (tsec->exec_sid) {
1497                 newsid = tsec->exec_sid;
1498                 /* Reset exec SID on execve. */
1499                 tsec->exec_sid = 0;
1500         } else {
1501                 /* Check for a default transition on this program. */
1502                 rc = security_transition_sid(tsec->sid, isec->sid,
1503                                              SECCLASS_PROCESS, &newsid);
1504                 if (rc)
1505                         return rc;
1506         }
1507
1508         AVC_AUDIT_DATA_INIT(&ad, FS);
1509         ad.u.fs.mnt = bprm->file->f_vfsmnt;
1510         ad.u.fs.dentry = bprm->file->f_dentry;
1511
1512         if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1513                 newsid = tsec->sid;
1514
1515         if (tsec->sid == newsid) {
1516                 rc = avc_has_perm(tsec->sid, isec->sid,
1517                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1518                 if (rc)
1519                         return rc;
1520         } else {
1521                 /* Check permissions for the transition. */
1522                 rc = avc_has_perm(tsec->sid, newsid,
1523                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1524                 if (rc)
1525                         return rc;
1526
1527                 rc = avc_has_perm(newsid, isec->sid,
1528                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1529                 if (rc)
1530                         return rc;
1531
1532                 /* Clear any possibly unsafe personality bits on exec: */
1533                 current->personality &= ~PER_CLEAR_ON_SETID;
1534
1535                 /* Set the security field to the new SID. */
1536                 bsec->sid = newsid;
1537         }
1538
1539         bsec->set = 1;
1540         return 0;
1541 }
1542
1543 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1544 {
1545         return secondary_ops->bprm_check_security(bprm);
1546 }
1547
1548
1549 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1550 {
1551         struct task_security_struct *tsec = current->security;
1552         int atsecure = 0;
1553
1554         if (tsec->osid != tsec->sid) {
1555                 /* Enable secure mode for SIDs transitions unless
1556                    the noatsecure permission is granted between
1557                    the two SIDs, i.e. ahp returns 0. */
1558                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1559                                          SECCLASS_PROCESS,
1560                                          PROCESS__NOATSECURE, NULL);
1561         }
1562
1563         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1564 }
1565
1566 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1567 {
1568         kfree(bprm->security);
1569         bprm->security = NULL;
1570 }
1571
1572 extern struct vfsmount *selinuxfs_mount;
1573 extern struct dentry *selinux_null;
1574
1575 /* Derived from fs/exec.c:flush_old_files. */
1576 static inline void flush_unauthorized_files(struct files_struct * files)
1577 {
1578         struct avc_audit_data ad;
1579         struct file *file, *devnull = NULL;
1580         struct tty_struct *tty = current->signal->tty;
1581         struct fdtable *fdt;
1582         long j = -1;
1583
1584         if (tty) {
1585                 file_list_lock();
1586                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1587                 if (file) {
1588                         /* Revalidate access to controlling tty.
1589                            Use inode_has_perm on the tty inode directly rather
1590                            than using file_has_perm, as this particular open
1591                            file may belong to another process and we are only
1592                            interested in the inode-based check here. */
1593                         struct inode *inode = file->f_dentry->d_inode;
1594                         if (inode_has_perm(current, inode,
1595                                            FILE__READ | FILE__WRITE, NULL)) {
1596                                 /* Reset controlling tty. */
1597                                 current->signal->tty = NULL;
1598                                 current->signal->tty_old_pgrp = 0;
1599                         }
1600                 }
1601                 file_list_unlock();
1602         }
1603
1604         /* Revalidate access to inherited open files. */
1605
1606         AVC_AUDIT_DATA_INIT(&ad,FS);
1607
1608         spin_lock(&files->file_lock);
1609         for (;;) {
1610                 unsigned long set, i;
1611                 int fd;
1612
1613                 j++;
1614                 i = j * __NFDBITS;
1615                 fdt = files_fdtable(files);
1616                 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1617                         break;
1618                 set = fdt->open_fds->fds_bits[j];
1619                 if (!set)
1620                         continue;
1621                 spin_unlock(&files->file_lock);
1622                 for ( ; set ; i++,set >>= 1) {
1623                         if (set & 1) {
1624                                 file = fget(i);
1625                                 if (!file)
1626                                         continue;
1627                                 if (file_has_perm(current,
1628                                                   file,
1629                                                   file_to_av(file))) {
1630                                         sys_close(i);
1631                                         fd = get_unused_fd();
1632                                         if (fd != i) {
1633                                                 if (fd >= 0)
1634                                                         put_unused_fd(fd);
1635                                                 fput(file);
1636                                                 continue;
1637                                         }
1638                                         if (devnull) {
1639                                                 get_file(devnull);
1640                                         } else {
1641                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1642                                                 if (!devnull) {
1643                                                         put_unused_fd(fd);
1644                                                         fput(file);
1645                                                         continue;
1646                                                 }
1647                                         }
1648                                         fd_install(fd, devnull);
1649                                 }
1650                                 fput(file);
1651                         }
1652                 }
1653                 spin_lock(&files->file_lock);
1654
1655         }
1656         spin_unlock(&files->file_lock);
1657 }
1658
1659 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1660 {
1661         struct task_security_struct *tsec;
1662         struct bprm_security_struct *bsec;
1663         u32 sid;
1664         int rc;
1665
1666         secondary_ops->bprm_apply_creds(bprm, unsafe);
1667
1668         tsec = current->security;
1669
1670         bsec = bprm->security;
1671         sid = bsec->sid;
1672
1673         tsec->osid = tsec->sid;
1674         bsec->unsafe = 0;
1675         if (tsec->sid != sid) {
1676                 /* Check for shared state.  If not ok, leave SID
1677                    unchanged and kill. */
1678                 if (unsafe & LSM_UNSAFE_SHARE) {
1679                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1680                                         PROCESS__SHARE, NULL);
1681                         if (rc) {
1682                                 bsec->unsafe = 1;
1683                                 return;
1684                         }
1685                 }
1686
1687                 /* Check for ptracing, and update the task SID if ok.
1688                    Otherwise, leave SID unchanged and kill. */
1689                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1690                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1691                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1692                                           NULL);
1693                         if (rc) {
1694                                 bsec->unsafe = 1;
1695                                 return;
1696                         }
1697                 }
1698                 tsec->sid = sid;
1699         }
1700 }
1701
1702 /*
1703  * called after apply_creds without the task lock held
1704  */
1705 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1706 {
1707         struct task_security_struct *tsec;
1708         struct rlimit *rlim, *initrlim;
1709         struct itimerval itimer;
1710         struct bprm_security_struct *bsec;
1711         int rc, i;
1712
1713         tsec = current->security;
1714         bsec = bprm->security;
1715
1716         if (bsec->unsafe) {
1717                 force_sig_specific(SIGKILL, current);
1718                 return;
1719         }
1720         if (tsec->osid == tsec->sid)
1721                 return;
1722
1723         /* Close files for which the new task SID is not authorized. */
1724         flush_unauthorized_files(current->files);
1725
1726         /* Check whether the new SID can inherit signal state
1727            from the old SID.  If not, clear itimers to avoid
1728            subsequent signal generation and flush and unblock
1729            signals. This must occur _after_ the task SID has
1730           been updated so that any kill done after the flush
1731           will be checked against the new SID. */
1732         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1733                           PROCESS__SIGINH, NULL);
1734         if (rc) {
1735                 memset(&itimer, 0, sizeof itimer);
1736                 for (i = 0; i < 3; i++)
1737                         do_setitimer(i, &itimer, NULL);
1738                 flush_signals(current);
1739                 spin_lock_irq(&current->sighand->siglock);
1740                 flush_signal_handlers(current, 1);
1741                 sigemptyset(&current->blocked);
1742                 recalc_sigpending();
1743                 spin_unlock_irq(&current->sighand->siglock);
1744         }
1745
1746         /* Check whether the new SID can inherit resource limits
1747            from the old SID.  If not, reset all soft limits to
1748            the lower of the current task's hard limit and the init
1749            task's soft limit.  Note that the setting of hard limits
1750            (even to lower them) can be controlled by the setrlimit
1751            check. The inclusion of the init task's soft limit into
1752            the computation is to avoid resetting soft limits higher
1753            than the default soft limit for cases where the default
1754            is lower than the hard limit, e.g. RLIMIT_CORE or
1755            RLIMIT_STACK.*/
1756         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1757                           PROCESS__RLIMITINH, NULL);
1758         if (rc) {
1759                 for (i = 0; i < RLIM_NLIMITS; i++) {
1760                         rlim = current->signal->rlim + i;
1761                         initrlim = init_task.signal->rlim+i;
1762                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1763                 }
1764                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1765                         /*
1766                          * This will cause RLIMIT_CPU calculations
1767                          * to be refigured.
1768                          */
1769                         current->it_prof_expires = jiffies_to_cputime(1);
1770                 }
1771         }
1772
1773         /* Wake up the parent if it is waiting so that it can
1774            recheck wait permission to the new task SID. */
1775         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1776 }
1777
1778 /* superblock security operations */
1779
1780 static int selinux_sb_alloc_security(struct super_block *sb)
1781 {
1782         return superblock_alloc_security(sb);
1783 }
1784
1785 static void selinux_sb_free_security(struct super_block *sb)
1786 {
1787         superblock_free_security(sb);
1788 }
1789
1790 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1791 {
1792         if (plen > olen)
1793                 return 0;
1794
1795         return !memcmp(prefix, option, plen);
1796 }
1797
1798 static inline int selinux_option(char *option, int len)
1799 {
1800         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1801                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1802                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1803 }
1804
1805 static inline void take_option(char **to, char *from, int *first, int len)
1806 {
1807         if (!*first) {
1808                 **to = ',';
1809                 *to += 1;
1810         }
1811         else
1812                 *first = 0;
1813         memcpy(*to, from, len);
1814         *to += len;
1815 }
1816
1817 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1818 {
1819         int fnosec, fsec, rc = 0;
1820         char *in_save, *in_curr, *in_end;
1821         char *sec_curr, *nosec_save, *nosec;
1822
1823         in_curr = orig;
1824         sec_curr = copy;
1825
1826         /* Binary mount data: just copy */
1827         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1828                 copy_page(sec_curr, in_curr);
1829                 goto out;
1830         }
1831
1832         nosec = (char *)get_zeroed_page(GFP_KERNEL);
1833         if (!nosec) {
1834                 rc = -ENOMEM;
1835                 goto out;
1836         }
1837
1838         nosec_save = nosec;
1839         fnosec = fsec = 1;
1840         in_save = in_end = orig;
1841
1842         do {
1843                 if (*in_end == ',' || *in_end == '\0') {
1844                         int len = in_end - in_curr;
1845
1846                         if (selinux_option(in_curr, len))
1847                                 take_option(&sec_curr, in_curr, &fsec, len);
1848                         else
1849                                 take_option(&nosec, in_curr, &fnosec, len);
1850
1851                         in_curr = in_end + 1;
1852                 }
1853         } while (*in_end++);
1854
1855         strcpy(in_save, nosec_save);
1856         free_page((unsigned long)nosec_save);
1857 out:
1858         return rc;
1859 }
1860
1861 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1862 {
1863         struct avc_audit_data ad;
1864         int rc;
1865
1866         rc = superblock_doinit(sb, data);
1867         if (rc)
1868                 return rc;
1869
1870         AVC_AUDIT_DATA_INIT(&ad,FS);
1871         ad.u.fs.dentry = sb->s_root;
1872         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1873 }
1874
1875 static int selinux_sb_statfs(struct super_block *sb)
1876 {
1877         struct avc_audit_data ad;
1878
1879         AVC_AUDIT_DATA_INIT(&ad,FS);
1880         ad.u.fs.dentry = sb->s_root;
1881         return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1882 }
1883
1884 static int selinux_mount(char * dev_name,
1885                          struct nameidata *nd,
1886                          char * type,
1887                          unsigned long flags,
1888                          void * data)
1889 {
1890         int rc;
1891
1892         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1893         if (rc)
1894                 return rc;
1895
1896         if (flags & MS_REMOUNT)
1897                 return superblock_has_perm(current, nd->mnt->mnt_sb,
1898                                            FILESYSTEM__REMOUNT, NULL);
1899         else
1900                 return dentry_has_perm(current, nd->mnt, nd->dentry,
1901                                        FILE__MOUNTON);
1902 }
1903
1904 static int selinux_umount(struct vfsmount *mnt, int flags)
1905 {
1906         int rc;
1907
1908         rc = secondary_ops->sb_umount(mnt, flags);
1909         if (rc)
1910                 return rc;
1911
1912         return superblock_has_perm(current,mnt->mnt_sb,
1913                                    FILESYSTEM__UNMOUNT,NULL);
1914 }
1915
1916 /* inode security operations */
1917
1918 static int selinux_inode_alloc_security(struct inode *inode)
1919 {
1920         return inode_alloc_security(inode);
1921 }
1922
1923 static void selinux_inode_free_security(struct inode *inode)
1924 {
1925         inode_free_security(inode);
1926 }
1927
1928 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1929                                        char **name, void **value,
1930                                        size_t *len)
1931 {
1932         struct task_security_struct *tsec;
1933         struct inode_security_struct *dsec;
1934         struct superblock_security_struct *sbsec;
1935         u32 newsid, clen;
1936         int rc;
1937         char *namep = NULL, *context;
1938
1939         tsec = current->security;
1940         dsec = dir->i_security;
1941         sbsec = dir->i_sb->s_security;
1942
1943         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1944                 newsid = tsec->create_sid;
1945         } else {
1946                 rc = security_transition_sid(tsec->sid, dsec->sid,
1947                                              inode_mode_to_security_class(inode->i_mode),
1948                                              &newsid);
1949                 if (rc) {
1950                         printk(KERN_WARNING "%s:  "
1951                                "security_transition_sid failed, rc=%d (dev=%s "
1952                                "ino=%ld)\n",
1953                                __FUNCTION__,
1954                                -rc, inode->i_sb->s_id, inode->i_ino);
1955                         return rc;
1956                 }
1957         }
1958
1959         inode_security_set_sid(inode, newsid);
1960
1961         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1962                 return -EOPNOTSUPP;
1963
1964         if (name) {
1965                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1966                 if (!namep)
1967                         return -ENOMEM;
1968                 *name = namep;
1969         }
1970
1971         if (value && len) {
1972                 rc = security_sid_to_context(newsid, &context, &clen);
1973                 if (rc) {
1974                         kfree(namep);
1975                         return rc;
1976                 }
1977                 *value = context;
1978                 *len = clen;
1979         }
1980
1981         return 0;
1982 }
1983
1984 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1985 {
1986         return may_create(dir, dentry, SECCLASS_FILE);
1987 }
1988
1989 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1990 {
1991         int rc;
1992
1993         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1994         if (rc)
1995                 return rc;
1996         return may_link(dir, old_dentry, MAY_LINK);
1997 }
1998
1999 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2000 {
2001         int rc;
2002
2003         rc = secondary_ops->inode_unlink(dir, dentry);
2004         if (rc)
2005                 return rc;
2006         return may_link(dir, dentry, MAY_UNLINK);
2007 }
2008
2009 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2010 {
2011         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2012 }
2013
2014 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2015 {
2016         return may_create(dir, dentry, SECCLASS_DIR);
2017 }
2018
2019 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2020 {
2021         return may_link(dir, dentry, MAY_RMDIR);
2022 }
2023
2024 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2025 {
2026         int rc;
2027
2028         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2029         if (rc)
2030                 return rc;
2031
2032         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2033 }
2034
2035 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2036                                 struct inode *new_inode, struct dentry *new_dentry)
2037 {
2038         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2039 }
2040
2041 static int selinux_inode_readlink(struct dentry *dentry)
2042 {
2043         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2044 }
2045
2046 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2047 {
2048         int rc;
2049
2050         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2051         if (rc)
2052                 return rc;
2053         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2054 }
2055
2056 static int selinux_inode_permission(struct inode *inode, int mask,
2057                                     struct nameidata *nd)
2058 {
2059         int rc;
2060
2061         rc = secondary_ops->inode_permission(inode, mask, nd);
2062         if (rc)
2063                 return rc;
2064
2065         if (!mask) {
2066                 /* No permission to check.  Existence test. */
2067                 return 0;
2068         }
2069
2070         return inode_has_perm(current, inode,
2071                                file_mask_to_av(inode->i_mode, mask), NULL);
2072 }
2073
2074 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2075 {
2076         int rc;
2077
2078         rc = secondary_ops->inode_setattr(dentry, iattr);
2079         if (rc)
2080                 return rc;
2081
2082         if (iattr->ia_valid & ATTR_FORCE)
2083                 return 0;
2084
2085         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2086                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2087                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2088
2089         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2090 }
2091
2092 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2093 {
2094         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2095 }
2096
2097 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2098 {
2099         struct task_security_struct *tsec = current->security;
2100         struct inode *inode = dentry->d_inode;
2101         struct inode_security_struct *isec = inode->i_security;
2102         struct superblock_security_struct *sbsec;
2103         struct avc_audit_data ad;
2104         u32 newsid;
2105         int rc = 0;
2106
2107         if (strcmp(name, XATTR_NAME_SELINUX)) {
2108                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2109                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2110                     !capable(CAP_SYS_ADMIN)) {
2111                         /* A different attribute in the security namespace.
2112                            Restrict to administrator. */
2113                         return -EPERM;
2114                 }
2115
2116                 /* Not an attribute we recognize, so just check the
2117                    ordinary setattr permission. */
2118                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2119         }
2120
2121         sbsec = inode->i_sb->s_security;
2122         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2123                 return -EOPNOTSUPP;
2124
2125         if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2126                 return -EPERM;
2127
2128         AVC_AUDIT_DATA_INIT(&ad,FS);
2129         ad.u.fs.dentry = dentry;
2130
2131         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2132                           FILE__RELABELFROM, &ad);
2133         if (rc)
2134                 return rc;
2135
2136         rc = security_context_to_sid(value, size, &newsid);
2137         if (rc)
2138                 return rc;
2139
2140         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2141                           FILE__RELABELTO, &ad);
2142         if (rc)
2143                 return rc;
2144
2145         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2146                                           isec->sclass);
2147         if (rc)
2148                 return rc;
2149
2150         return avc_has_perm(newsid,
2151                             sbsec->sid,
2152                             SECCLASS_FILESYSTEM,
2153                             FILESYSTEM__ASSOCIATE,
2154                             &ad);
2155 }
2156
2157 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2158                                         void *value, size_t size, int flags)
2159 {
2160         struct inode *inode = dentry->d_inode;
2161         struct inode_security_struct *isec = inode->i_security;
2162         u32 newsid;
2163         int rc;
2164
2165         if (strcmp(name, XATTR_NAME_SELINUX)) {
2166                 /* Not an attribute we recognize, so nothing to do. */
2167                 return;
2168         }
2169
2170         rc = security_context_to_sid(value, size, &newsid);
2171         if (rc) {
2172                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2173                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2174                 return;
2175         }
2176
2177         isec->sid = newsid;
2178         return;
2179 }
2180
2181 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2182 {
2183         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2184 }
2185
2186 static int selinux_inode_listxattr (struct dentry *dentry)
2187 {
2188         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2189 }
2190
2191 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2192 {
2193         if (strcmp(name, XATTR_NAME_SELINUX)) {
2194                 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2195                              sizeof XATTR_SECURITY_PREFIX - 1) &&
2196                     !capable(CAP_SYS_ADMIN)) {
2197                         /* A different attribute in the security namespace.
2198                            Restrict to administrator. */
2199                         return -EPERM;
2200                 }
2201
2202                 /* Not an attribute we recognize, so just check the
2203                    ordinary setattr permission. Might want a separate
2204                    permission for removexattr. */
2205                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2206         }
2207
2208         /* No one is allowed to remove a SELinux security label.
2209            You can change the label, but all data must be labeled. */
2210         return -EACCES;
2211 }
2212
2213 /*
2214  * Copy the in-core inode security context value to the user.  If the
2215  * getxattr() prior to this succeeded, check to see if we need to
2216  * canonicalize the value to be finally returned to the user.
2217  *
2218  * Permission check is handled by selinux_inode_getxattr hook.
2219  */
2220 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2221 {
2222         struct inode_security_struct *isec = inode->i_security;
2223         char *context;
2224         unsigned len;
2225         int rc;
2226
2227         if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2228                 rc = -EOPNOTSUPP;
2229                 goto out;
2230         }
2231
2232         rc = security_sid_to_context(isec->sid, &context, &len);
2233         if (rc)
2234                 goto out;
2235
2236         /* Probe for required buffer size */
2237         if (!buffer || !size) {
2238                 rc = len;
2239                 goto out_free;
2240         }
2241
2242         if (size < len) {
2243                 rc = -ERANGE;
2244                 goto out_free;
2245         }
2246
2247         if (err > 0) {
2248                 if ((len == err) && !(memcmp(context, buffer, len))) {
2249                         /* Don't need to canonicalize value */
2250                         rc = err;
2251                         goto out_free;
2252                 }
2253                 memset(buffer, 0, size);
2254         }
2255         memcpy(buffer, context, len);
2256         rc = len;
2257 out_free:
2258         kfree(context);
2259 out:
2260         return rc;
2261 }
2262
2263 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2264                                      const void *value, size_t size, int flags)
2265 {
2266         struct inode_security_struct *isec = inode->i_security;
2267         u32 newsid;
2268         int rc;
2269
2270         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2271                 return -EOPNOTSUPP;
2272
2273         if (!value || !size)
2274                 return -EACCES;
2275
2276         rc = security_context_to_sid((void*)value, size, &newsid);
2277         if (rc)
2278                 return rc;
2279
2280         isec->sid = newsid;
2281         return 0;
2282 }
2283
2284 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2285 {
2286         const int len = sizeof(XATTR_NAME_SELINUX);
2287         if (buffer && len <= buffer_size)
2288                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2289         return len;
2290 }
2291
2292 /* file security operations */
2293
2294 static int selinux_file_permission(struct file *file, int mask)
2295 {
2296         struct inode *inode = file->f_dentry->d_inode;
2297
2298         if (!mask) {
2299                 /* No permission to check.  Existence test. */
2300                 return 0;
2301         }
2302
2303         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2305                 mask |= MAY_APPEND;
2306
2307         return file_has_perm(current, file,
2308                              file_mask_to_av(inode->i_mode, mask));
2309 }
2310
2311 static int selinux_file_alloc_security(struct file *file)
2312 {
2313         return file_alloc_security(file);
2314 }
2315
2316 static void selinux_file_free_security(struct file *file)
2317 {
2318         file_free_security(file);
2319 }
2320
2321 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2322                               unsigned long arg)
2323 {
2324         int error = 0;
2325
2326         switch (cmd) {
2327                 case FIONREAD:
2328                 /* fall through */
2329                 case FIBMAP:
2330                 /* fall through */
2331                 case FIGETBSZ:
2332                 /* fall through */
2333                 case EXT2_IOC_GETFLAGS:
2334                 /* fall through */
2335                 case EXT2_IOC_GETVERSION:
2336                         error = file_has_perm(current, file, FILE__GETATTR);
2337                         break;
2338
2339                 case EXT2_IOC_SETFLAGS:
2340                 /* fall through */
2341                 case EXT2_IOC_SETVERSION:
2342                         error = file_has_perm(current, file, FILE__SETATTR);
2343                         break;
2344
2345                 /* sys_ioctl() checks */
2346                 case FIONBIO:
2347                 /* fall through */
2348                 case FIOASYNC:
2349                         error = file_has_perm(current, file, 0);
2350                         break;
2351
2352                 case KDSKBENT:
2353                 case KDSKBSENT:
2354                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2355                         break;
2356
2357                 /* default case assumes that the command will go
2358                  * to the file's ioctl() function.
2359                  */
2360                 default:
2361                         error = file_has_perm(current, file, FILE__IOCTL);
2362
2363         }
2364         return error;
2365 }
2366
2367 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2368 {
2369 #ifndef CONFIG_PPC32
2370         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2371                 /*
2372                  * We are making executable an anonymous mapping or a
2373                  * private file mapping that will also be writable.
2374                  * This has an additional check.
2375                  */
2376                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2377                 if (rc)
2378                         return rc;
2379         }
2380 #endif
2381
2382         if (file) {
2383                 /* read access is always possible with a mapping */
2384                 u32 av = FILE__READ;
2385
2386                 /* write access only matters if the mapping is shared */
2387                 if (shared && (prot & PROT_WRITE))
2388                         av |= FILE__WRITE;
2389
2390                 if (prot & PROT_EXEC)
2391                         av |= FILE__EXECUTE;
2392
2393                 return file_has_perm(current, file, av);
2394         }
2395         return 0;
2396 }
2397
2398 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2399                              unsigned long prot, unsigned long flags)
2400 {
2401         int rc;
2402
2403         rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2404         if (rc)
2405                 return rc;
2406
2407         if (selinux_checkreqprot)
2408                 prot = reqprot;
2409
2410         return file_map_prot_check(file, prot,
2411                                    (flags & MAP_TYPE) == MAP_SHARED);
2412 }
2413
2414 static int selinux_file_mprotect(struct vm_area_struct *vma,
2415                                  unsigned long reqprot,
2416                                  unsigned long prot)
2417 {
2418         int rc;
2419
2420         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2421         if (rc)
2422                 return rc;
2423
2424         if (selinux_checkreqprot)
2425                 prot = reqprot;
2426
2427 #ifndef CONFIG_PPC32
2428         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2429                 rc = 0;
2430                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2431                     vma->vm_end <= vma->vm_mm->brk) {
2432                         rc = task_has_perm(current, current,
2433                                            PROCESS__EXECHEAP);
2434                 } else if (!vma->vm_file &&
2435                            vma->vm_start <= vma->vm_mm->start_stack &&
2436                            vma->vm_end >= vma->vm_mm->start_stack) {
2437                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2438                 } else if (vma->vm_file && vma->anon_vma) {
2439                         /*
2440                          * We are making executable a file mapping that has
2441                          * had some COW done. Since pages might have been
2442                          * written, check ability to execute the possibly
2443                          * modified content.  This typically should only
2444                          * occur for text relocations.
2445                          */
2446                         rc = file_has_perm(current, vma->vm_file,
2447                                            FILE__EXECMOD);
2448                 }
2449                 if (rc)
2450                         return rc;
2451         }
2452 #endif
2453
2454         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2455 }
2456
2457 static int selinux_file_lock(struct file *file, unsigned int cmd)
2458 {
2459         return file_has_perm(current, file, FILE__LOCK);
2460 }
2461
2462 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2463                               unsigned long arg)
2464 {
2465         int err = 0;
2466
2467         switch (cmd) {
2468                 case F_SETFL:
2469                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2470                                 err = -EINVAL;
2471                                 break;
2472                         }
2473
2474                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2475                                 err = file_has_perm(current, file,FILE__WRITE);
2476                                 break;
2477                         }
2478                         /* fall through */
2479                 case F_SETOWN:
2480                 case F_SETSIG:
2481                 case F_GETFL:
2482                 case F_GETOWN:
2483                 case F_GETSIG:
2484                         /* Just check FD__USE permission */
2485                         err = file_has_perm(current, file, 0);
2486                         break;
2487                 case F_GETLK:
2488                 case F_SETLK:
2489                 case F_SETLKW:
2490 #if BITS_PER_LONG == 32
2491                 case F_GETLK64:
2492                 case F_SETLK64:
2493                 case F_SETLKW64:
2494 #endif
2495                         if (!file->f_dentry || !file->f_dentry->d_inode) {
2496                                 err = -EINVAL;
2497                                 break;
2498                         }
2499                         err = file_has_perm(current, file, FILE__LOCK);
2500                         break;
2501         }
2502
2503         return err;
2504 }
2505
2506 static int selinux_file_set_fowner(struct file *file)
2507 {
2508         struct task_security_struct *tsec;
2509         struct file_security_struct *fsec;
2510
2511         tsec = current->security;
2512         fsec = file->f_security;
2513         fsec->fown_sid = tsec->sid;
2514
2515         return 0;
2516 }
2517
2518 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2519                                        struct fown_struct *fown, int signum)
2520 {
2521         struct file *file;
2522         u32 perm;
2523         struct task_security_struct *tsec;
2524         struct file_security_struct *fsec;
2525
2526         /* struct fown_struct is never outside the context of a struct file */
2527         file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2528
2529         tsec = tsk->security;
2530         fsec = file->f_security;
2531
2532         if (!signum)
2533                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2534         else
2535                 perm = signal_to_av(signum);
2536
2537         return avc_has_perm(fsec->fown_sid, tsec->sid,
2538                             SECCLASS_PROCESS, perm, NULL);
2539 }
2540
2541 static int selinux_file_receive(struct file *file)
2542 {
2543         return file_has_perm(current, file, file_to_av(file));
2544 }
2545
2546 /* task security operations */
2547
2548 static int selinux_task_create(unsigned long clone_flags)
2549 {
2550         int rc;
2551
2552         rc = secondary_ops->task_create(clone_flags);
2553         if (rc)
2554                 return rc;
2555
2556         return task_has_perm(current, current, PROCESS__FORK);
2557 }
2558
2559 static int selinux_task_alloc_security(struct task_struct *tsk)
2560 {
2561         struct task_security_struct *tsec1, *tsec2;
2562         int rc;
2563
2564         tsec1 = current->security;
2565
2566         rc = task_alloc_security(tsk);
2567         if (rc)
2568                 return rc;
2569         tsec2 = tsk->security;
2570
2571         tsec2->osid = tsec1->osid;
2572         tsec2->sid = tsec1->sid;
2573
2574         /* Retain the exec and create SIDs across fork */
2575         tsec2->exec_sid = tsec1->exec_sid;
2576         tsec2->create_sid = tsec1->create_sid;
2577
2578         /* Retain ptracer SID across fork, if any.
2579            This will be reset by the ptrace hook upon any
2580            subsequent ptrace_attach operations. */
2581         tsec2->ptrace_sid = tsec1->ptrace_sid;
2582
2583         return 0;
2584 }
2585
2586 static void selinux_task_free_security(struct task_struct *tsk)
2587 {
2588         task_free_security(tsk);
2589 }
2590
2591 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2592 {
2593         /* Since setuid only affects the current process, and
2594            since the SELinux controls are not based on the Linux
2595            identity attributes, SELinux does not need to control
2596            this operation.  However, SELinux does control the use
2597            of the CAP_SETUID and CAP_SETGID capabilities using the
2598            capable hook. */
2599         return 0;
2600 }
2601
2602 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2603 {
2604         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2605 }
2606
2607 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2608 {
2609         /* See the comment for setuid above. */
2610         return 0;
2611 }
2612
2613 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2614 {
2615         return task_has_perm(current, p, PROCESS__SETPGID);
2616 }
2617
2618 static int selinux_task_getpgid(struct task_struct *p)
2619 {
2620         return task_has_perm(current, p, PROCESS__GETPGID);
2621 }
2622
2623 static int selinux_task_getsid(struct task_struct *p)
2624 {
2625         return task_has_perm(current, p, PROCESS__GETSESSION);
2626 }
2627
2628 static int selinux_task_setgroups(struct group_info *group_info)
2629 {
2630         /* See the comment for setuid above. */
2631         return 0;
2632 }
2633
2634 static int selinux_task_setnice(struct task_struct *p, int nice)
2635 {
2636         int rc;
2637
2638         rc = secondary_ops->task_setnice(p, nice);
2639         if (rc)
2640                 return rc;
2641
2642         return task_has_perm(current,p, PROCESS__SETSCHED);
2643 }
2644
2645 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2646 {
2647         struct rlimit *old_rlim = current->signal->rlim + resource;
2648         int rc;
2649
2650         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2651         if (rc)
2652                 return rc;
2653
2654         /* Control the ability to change the hard limit (whether
2655            lowering or raising it), so that the hard limit can
2656            later be used as a safe reset point for the soft limit
2657            upon context transitions. See selinux_bprm_apply_creds. */
2658         if (old_rlim->rlim_max != new_rlim->rlim_max)
2659                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2660
2661         return 0;
2662 }
2663
2664 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2665 {
2666         return task_has_perm(current, p, PROCESS__SETSCHED);
2667 }
2668
2669 static int selinux_task_getscheduler(struct task_struct *p)
2670 {
2671         return task_has_perm(current, p, PROCESS__GETSCHED);
2672 }
2673
2674 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2675 {
2676         u32 perm;
2677         int rc;
2678
2679         rc = secondary_ops->task_kill(p, info, sig);
2680         if (rc)
2681                 return rc;
2682
2683         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2684                 return 0;
2685
2686         if (!sig)
2687                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2688         else
2689                 perm = signal_to_av(sig);
2690
2691         return task_has_perm(current, p, perm);
2692 }
2693
2694 static int selinux_task_prctl(int option,
2695                               unsigned long arg2,
2696                               unsigned long arg3,
2697                               unsigned long arg4,
2698                               unsigned long arg5)
2699 {
2700         /* The current prctl operations do not appear to require
2701            any SELinux controls since they merely observe or modify
2702            the state of the current process. */
2703         return 0;
2704 }
2705
2706 static int selinux_task_wait(struct task_struct *p)
2707 {
2708         u32 perm;
2709
2710         perm = signal_to_av(p->exit_signal);
2711
2712         return task_has_perm(p, current, perm);
2713 }
2714
2715 static void selinux_task_reparent_to_init(struct task_struct *p)
2716 {
2717         struct task_security_struct *tsec;
2718
2719         secondary_ops->task_reparent_to_init(p);
2720
2721         tsec = p->security;
2722         tsec->osid = tsec->sid;
2723         tsec->sid = SECINITSID_KERNEL;
2724         return;
2725 }
2726
2727 static void selinux_task_to_inode(struct task_struct *p,
2728                                   struct inode *inode)
2729 {
2730         struct task_security_struct *tsec = p->security;
2731         struct inode_security_struct *isec = inode->i_security;
2732
2733         isec->sid = tsec->sid;
2734         isec->initialized = 1;
2735         return;
2736 }
2737
2738 /* Returns error only if unable to parse addresses */
2739 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2740 {
2741         int offset, ihlen, ret = -EINVAL;
2742         struct iphdr _iph, *ih;
2743
2744         offset = skb->nh.raw - skb->data;
2745         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2746         if (ih == NULL)
2747                 goto out;
2748
2749         ihlen = ih->ihl * 4;
2750         if (ihlen < sizeof(_iph))
2751                 goto out;
2752
2753         ad->u.net.v4info.saddr = ih->saddr;
2754         ad->u.net.v4info.daddr = ih->daddr;
2755         ret = 0;
2756
2757         switch (ih->protocol) {
2758         case IPPROTO_TCP: {
2759                 struct tcphdr _tcph, *th;
2760
2761                 if (ntohs(ih->frag_off) & IP_OFFSET)
2762                         break;
2763
2764                 offset += ihlen;
2765                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2766                 if (th == NULL)
2767                         break;
2768
2769                 ad->u.net.sport = th->source;
2770                 ad->u.net.dport = th->dest;
2771                 break;
2772         }
2773         
2774         case IPPROTO_UDP: {
2775                 struct udphdr _udph, *uh;
2776                 
2777                 if (ntohs(ih->frag_off) & IP_OFFSET)
2778                         break;
2779                         
2780                 offset += ihlen;
2781                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2782                 if (uh == NULL)
2783                         break;  
2784
2785                 ad->u.net.sport = uh->source;
2786                 ad->u.net.dport = uh->dest;
2787                 break;
2788         }
2789
2790         default:
2791                 break;
2792         }
2793 out:
2794         return ret;
2795 }
2796
2797 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2798
2799 /* Returns error only if unable to parse addresses */
2800 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2801 {
2802         u8 nexthdr;
2803         int ret = -EINVAL, offset;
2804         struct ipv6hdr _ipv6h, *ip6;
2805
2806         offset = skb->nh.raw - skb->data;
2807         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2808         if (ip6 == NULL)
2809                 goto out;
2810
2811         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2812         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2813         ret = 0;
2814
2815         nexthdr = ip6->nexthdr;
2816         offset += sizeof(_ipv6h);
2817         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2818         if (offset < 0)
2819                 goto out;
2820
2821         switch (nexthdr) {
2822         case IPPROTO_TCP: {
2823                 struct tcphdr _tcph, *th;
2824
2825                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2826                 if (th == NULL)
2827                         break;
2828
2829                 ad->u.net.sport = th->source;
2830                 ad->u.net.dport = th->dest;
2831                 break;
2832         }
2833
2834         case IPPROTO_UDP: {
2835                 struct udphdr _udph, *uh;
2836
2837                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2838                 if (uh == NULL)
2839                         break;
2840
2841                 ad->u.net.sport = uh->source;
2842                 ad->u.net.dport = uh->dest;
2843                 break;
2844         }
2845
2846         /* includes fragments */
2847         default:
2848                 break;
2849         }
2850 out:
2851         return ret;
2852 }
2853
2854 #endif /* IPV6 */
2855
2856 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2857                              char **addrp, int *len, int src)
2858 {
2859         int ret = 0;
2860
2861         switch (ad->u.net.family) {
2862         case PF_INET:
2863                 ret = selinux_parse_skb_ipv4(skb, ad);
2864                 if (ret || !addrp)
2865                         break;
2866                 *len = 4;
2867                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2868                                         &ad->u.net.v4info.daddr);
2869                 break;
2870
2871 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2872         case PF_INET6:
2873                 ret = selinux_parse_skb_ipv6(skb, ad);
2874                 if (ret || !addrp)
2875                         break;
2876                 *len = 16;
2877                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2878                                         &ad->u.net.v6info.daddr);
2879                 break;
2880 #endif  /* IPV6 */
2881         default:
2882                 break;
2883         }
2884
2885         return ret;
2886 }
2887
2888 /* socket security operations */
2889 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2890                            u32 perms)
2891 {
2892         struct inode_security_struct *isec;
2893         struct task_security_struct *tsec;
2894         struct avc_audit_data ad;
2895         int err = 0;
2896
2897         tsec = task->security;
2898         isec = SOCK_INODE(sock)->i_security;
2899
2900         if (isec->sid == SECINITSID_KERNEL)
2901                 goto out;
2902
2903         AVC_AUDIT_DATA_INIT(&ad,NET);
2904         ad.u.net.sk = sock->sk;
2905         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2906
2907 out:
2908         return err;
2909 }
2910
2911 static int selinux_socket_create(int family, int type,
2912                                  int protocol, int kern)
2913 {
2914         int err = 0;
2915         struct task_security_struct *tsec;
2916
2917         if (kern)
2918                 goto out;
2919
2920         tsec = current->security;
2921         err = avc_has_perm(tsec->sid, tsec->sid,
2922                            socket_type_to_security_class(family, type,
2923                            protocol), SOCKET__CREATE, NULL);
2924
2925 out:
2926         return err;
2927 }
2928
2929 static void selinux_socket_post_create(struct socket *sock, int family,
2930                                        int type, int protocol, int kern)
2931 {
2932         struct inode_security_struct *isec;
2933         struct task_security_struct *tsec;
2934
2935         isec = SOCK_INODE(sock)->i_security;
2936
2937         tsec = current->security;
2938         isec->sclass = socket_type_to_security_class(family, type, protocol);
2939         isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2940         isec->initialized = 1;
2941
2942         return;
2943 }
2944
2945 /* Range of port numbers used to automatically bind.
2946    Need to determine whether we should perform a name_bind
2947    permission check between the socket and the port number. */
2948 #define ip_local_port_range_0 sysctl_local_port_range[0]
2949 #define ip_local_port_range_1 sysctl_local_port_range[1]
2950
2951 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2952 {
2953         u16 family;
2954         int err;
2955
2956         err = socket_has_perm(current, sock, SOCKET__BIND);
2957         if (err)
2958                 goto out;
2959
2960         /*
2961          * If PF_INET or PF_INET6, check name_bind permission for the port.
2962          * Multiple address binding for SCTP is not supported yet: we just
2963          * check the first address now.
2964          */
2965         family = sock->sk->sk_family;
2966         if (family == PF_INET || family == PF_INET6) {
2967                 char *addrp;
2968                 struct inode_security_struct *isec;
2969                 struct task_security_struct *tsec;
2970                 struct avc_audit_data ad;
2971                 struct sockaddr_in *addr4 = NULL;
2972                 struct sockaddr_in6 *addr6 = NULL;
2973                 unsigned short snum;
2974                 struct sock *sk = sock->sk;
2975                 u32 sid, node_perm, addrlen;
2976
2977                 tsec = current->security;
2978                 isec = SOCK_INODE(sock)->i_security;
2979
2980                 if (family == PF_INET) {
2981                         addr4 = (struct sockaddr_in *)address;
2982                         snum = ntohs(addr4->sin_port);
2983                         addrlen = sizeof(addr4->sin_addr.s_addr);
2984                         addrp = (char *)&addr4->sin_addr.s_addr;
2985                 } else {
2986                         addr6 = (struct sockaddr_in6 *)address;
2987                         snum = ntohs(addr6->sin6_port);
2988                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
2989                         addrp = (char *)&addr6->sin6_addr.s6_addr;
2990                 }
2991
2992                 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2993                            snum > ip_local_port_range_1)) {
2994                         err = security_port_sid(sk->sk_family, sk->sk_type,
2995                                                 sk->sk_protocol, snum, &sid);
2996                         if (err)
2997                                 goto out;
2998                         AVC_AUDIT_DATA_INIT(&ad,NET);
2999                         ad.u.net.sport = htons(snum);
3000                         ad.u.net.family = family;
3001                         err = avc_has_perm(isec->sid, sid,
3002                                            isec->sclass,
3003                                            SOCKET__NAME_BIND, &ad);
3004                         if (err)
3005                                 goto out;
3006                 }
3007                 
3008                 switch(isec->sclass) {
3009                 case SECCLASS_TCP_SOCKET:
3010                         node_perm = TCP_SOCKET__NODE_BIND;
3011                         break;
3012                         
3013                 case SECCLASS_UDP_SOCKET:
3014                         node_perm = UDP_SOCKET__NODE_BIND;
3015                         break;
3016                         
3017                 default:
3018                         node_perm = RAWIP_SOCKET__NODE_BIND;
3019                         break;
3020                 }
3021                 
3022                 err = security_node_sid(family, addrp, addrlen, &sid);
3023                 if (err)
3024                         goto out;
3025                 
3026                 AVC_AUDIT_DATA_INIT(&ad,NET);
3027                 ad.u.net.sport = htons(snum);
3028                 ad.u.net.family = family;
3029
3030                 if (family == PF_INET)
3031                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3032                 else
3033                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3034
3035                 err = avc_has_perm(isec->sid, sid,
3036                                    isec->sclass, node_perm, &ad);
3037                 if (err)
3038                         goto out;
3039         }
3040 out:
3041         return err;
3042 }
3043
3044 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3045 {
3046         struct inode_security_struct *isec;
3047         int err;
3048
3049         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3050         if (err)
3051                 return err;
3052
3053         /*
3054          * If a TCP socket, check name_connect permission for the port.
3055          */
3056         isec = SOCK_INODE(sock)->i_security;
3057         if (isec->sclass == SECCLASS_TCP_SOCKET) {
3058                 struct sock *sk = sock->sk;
3059                 struct avc_audit_data ad;
3060                 struct sockaddr_in *addr4 = NULL;
3061                 struct sockaddr_in6 *addr6 = NULL;
3062                 unsigned short snum;
3063                 u32 sid;
3064
3065                 if (sk->sk_family == PF_INET) {
3066                         addr4 = (struct sockaddr_in *)address;
3067                         if (addrlen < sizeof(struct sockaddr_in))
3068                                 return -EINVAL;
3069                         snum = ntohs(addr4->sin_port);
3070                 } else {
3071                         addr6 = (struct sockaddr_in6 *)address;
3072                         if (addrlen < SIN6_LEN_RFC2133)
3073                                 return -EINVAL;
3074                         snum = ntohs(addr6->sin6_port);
3075                 }
3076
3077                 err = security_port_sid(sk->sk_family, sk->sk_type,
3078                                         sk->sk_protocol, snum, &sid);
3079                 if (err)
3080                         goto out;
3081
3082                 AVC_AUDIT_DATA_INIT(&ad,NET);
3083                 ad.u.net.dport = htons(snum);
3084                 ad.u.net.family = sk->sk_family;
3085                 err = avc_has_perm(isec->sid, sid, isec->sclass,
3086                                    TCP_SOCKET__NAME_CONNECT, &ad);
3087                 if (err)
3088                         goto out;
3089         }
3090
3091 out:
3092         return err;
3093 }
3094
3095 static int selinux_socket_listen(struct socket *sock, int backlog)
3096 {
3097         return socket_has_perm(current, sock, SOCKET__LISTEN);
3098 }
3099
3100 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3101 {
3102         int err;
3103         struct inode_security_struct *isec;
3104         struct inode_security_struct *newisec;
3105
3106         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3107         if (err)
3108                 return err;
3109
3110         newisec = SOCK_INODE(newsock)->i_security;
3111
3112         isec = SOCK_INODE(sock)->i_security;
3113         newisec->sclass = isec->sclass;
3114         newisec->sid = isec->sid;
3115         newisec->initialized = 1;
3116
3117         return 0;
3118 }
3119
3120 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3121                                   int size)
3122 {
3123         return socket_has_perm(current, sock, SOCKET__WRITE);
3124 }
3125
3126 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3127                                   int size, int flags)
3128 {
3129         return socket_has_perm(current, sock, SOCKET__READ);
3130 }
3131
3132 static int selinux_socket_getsockname(struct socket *sock)
3133 {
3134         return socket_has_perm(current, sock, SOCKET__GETATTR);
3135 }
3136
3137 static int selinux_socket_getpeername(struct socket *sock)
3138 {
3139         return socket_has_perm(current, sock, SOCKET__GETATTR);
3140 }
3141
3142 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3143 {
3144         return socket_has_perm(current, sock, SOCKET__SETOPT);
3145 }
3146
3147 static int selinux_socket_getsockopt(struct socket *sock, int level,
3148                                      int optname)
3149 {
3150         return socket_has_perm(current, sock, SOCKET__GETOPT);
3151 }
3152
3153 static int selinux_socket_shutdown(struct socket *sock, int how)
3154 {
3155         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3156 }
3157
3158 static int selinux_socket_unix_stream_connect(struct socket *sock,
3159                                               struct socket *other,
3160                                               struct sock *newsk)
3161 {
3162         struct sk_security_struct *ssec;
3163         struct inode_security_struct *isec;
3164         struct inode_security_struct *other_isec;
3165         struct avc_audit_data ad;
3166         int err;
3167
3168         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3169         if (err)
3170                 return err;
3171
3172         isec = SOCK_INODE(sock)->i_security;
3173         other_isec = SOCK_INODE(other)->i_security;
3174
3175         AVC_AUDIT_DATA_INIT(&ad,NET);
3176         ad.u.net.sk = other->sk;
3177
3178         err = avc_has_perm(isec->sid, other_isec->sid,
3179                            isec->sclass,
3180                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3181         if (err)
3182                 return err;
3183
3184         /* connecting socket */
3185         ssec = sock->sk->sk_security;
3186         ssec->peer_sid = other_isec->sid;
3187         
3188         /* server child socket */
3189         ssec = newsk->sk_security;
3190         ssec->peer_sid = isec->sid;
3191         
3192         return 0;
3193 }
3194
3195 static int selinux_socket_unix_may_send(struct socket *sock,
3196                                         struct socket *other)
3197 {
3198         struct inode_security_struct *isec;
3199         struct inode_security_struct *other_isec;
3200         struct avc_audit_data ad;
3201         int err;
3202
3203         isec = SOCK_INODE(sock)->i_security;
3204         other_isec = SOCK_INODE(other)->i_security;
3205
3206         AVC_AUDIT_DATA_INIT(&ad,NET);
3207         ad.u.net.sk = other->sk;
3208
3209         err = avc_has_perm(isec->sid, other_isec->sid,
3210                            isec->sclass, SOCKET__SENDTO, &ad);
3211         if (err)
3212                 return err;
3213
3214         return 0;
3215 }
3216
3217 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3218 {
3219         u16 family;
3220         char *addrp;
3221         int len, err = 0;
3222         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3223         u32 sock_sid = 0;
3224         u16 sock_class = 0;
3225         struct socket *sock;
3226         struct net_device *dev;
3227         struct avc_audit_data ad;
3228
3229         family = sk->sk_family;
3230         if (family != PF_INET && family != PF_INET6)
3231                 goto out;
3232
3233         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3234         if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3235                 family = PF_INET;
3236
3237         read_lock_bh(&sk->sk_callback_lock);
3238         sock = sk->sk_socket;
3239         if (sock) {
3240                 struct inode *inode;
3241                 inode = SOCK_INODE(sock);
3242                 if (inode) {
3243                         struct inode_security_struct *isec;
3244                         isec = inode->i_security;
3245                         sock_sid = isec->sid;
3246                         sock_class = isec->sclass;
3247                 }
3248         }
3249         read_unlock_bh(&sk->sk_callback_lock);
3250         if (!sock_sid)
3251                 goto out;
3252
3253         dev = skb->dev;
3254         if (!dev)
3255                 goto out;
3256
3257         err = sel_netif_sids(dev, &if_sid, NULL);
3258         if (err)
3259                 goto out;
3260
3261         switch (sock_class) {
3262         case SECCLASS_UDP_SOCKET:
3263                 netif_perm = NETIF__UDP_RECV;
3264                 node_perm = NODE__UDP_RECV;
3265                 recv_perm = UDP_SOCKET__RECV_MSG;
3266                 break;
3267         
3268         case SECCLASS_TCP_SOCKET:
3269                 netif_perm = NETIF__TCP_RECV;
3270                 node_perm = NODE__TCP_RECV;
3271                 recv_perm = TCP_SOCKET__RECV_MSG;
3272                 break;
3273         
3274         default:
3275                 netif_perm = NETIF__RAWIP_RECV;
3276                 node_perm = NODE__RAWIP_RECV;
3277                 break;
3278         }
3279
3280         AVC_AUDIT_DATA_INIT(&ad, NET);
3281         ad.u.net.netif = dev->name;
3282         ad.u.net.family = family;
3283
3284         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3285         if (err)
3286                 goto out;
3287
3288         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3289         if (err)
3290                 goto out;
3291         
3292         /* Fixme: this lookup is inefficient */
3293         err = security_node_sid(family, addrp, len, &node_sid);
3294         if (err)
3295                 goto out;
3296         
3297         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3298         if (err)
3299                 goto out;
3300
3301         if (recv_perm) {
3302                 u32 port_sid;
3303
3304                 /* Fixme: make this more efficient */
3305                 err = security_port_sid(sk->sk_family, sk->sk_type,
3306                                         sk->sk_protocol, ntohs(ad.u.net.sport),
3307                                         &port_sid);
3308                 if (err)
3309                         goto out;
3310
3311                 err = avc_has_perm(sock_sid, port_sid,
3312                                    sock_class, recv_perm, &ad);
3313         }
3314
3315         if (!err)
3316                 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3317
3318 out:    
3319         return err;
3320 }
3321
3322 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3323                                             int __user *optlen, unsigned len)
3324 {
3325         int err = 0;
3326         char *scontext;
3327         u32 scontext_len;
3328         struct sk_security_struct *ssec;
3329         struct inode_security_struct *isec;
3330         u32 peer_sid = 0;
3331
3332         isec = SOCK_INODE(sock)->i_security;
3333
3334         /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3335         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3336                 ssec = sock->sk->sk_security;
3337                 peer_sid = ssec->peer_sid;
3338         }
3339         else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3340                 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3341
3342                 if (peer_sid == SECSID_NULL) {
3343                         err = -ENOPROTOOPT;
3344                         goto out;
3345                 }
3346         }
3347         else {
3348                 err = -ENOPROTOOPT;
3349                 goto out;
3350         }
3351
3352         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3353
3354         if (err)
3355                 goto out;
3356
3357         if (scontext_len > len) {
3358                 err = -ERANGE;
3359                 goto out_len;
3360         }
3361
3362         if (copy_to_user(optval, scontext, scontext_len))
3363                 err = -EFAULT;
3364
3365 out_len:
3366         if (put_user(scontext_len, optlen))
3367                 err = -EFAULT;
3368
3369         kfree(scontext);
3370 out:    
3371         return err;
3372 }
3373
3374 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3375 {
3376         int err = 0;
3377         u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3378
3379         if (peer_sid == SECSID_NULL)
3380                 return -EINVAL;
3381
3382         err = security_sid_to_context(peer_sid, secdata, seclen);
3383         if (err)
3384                 return err;
3385
3386         return 0;
3387 }
3388
3389
3390
3391 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3392 {
3393         return sk_alloc_security(sk, family, priority);
3394 }
3395
3396 static void selinux_sk_free_security(struct sock *sk)
3397 {
3398         sk_free_security(sk);
3399 }
3400
3401 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3402 {
3403         struct inode_security_struct *isec;
3404         u32 sock_sid = SECINITSID_ANY_SOCKET;
3405
3406         if (!sk)
3407                 return selinux_no_sk_sid(fl);
3408
3409         read_lock_bh(&sk->sk_callback_lock);
3410         isec = get_sock_isec(sk);
3411
3412         if (isec)
3413                 sock_sid = isec->sid;
3414
3415         read_unlock_bh(&sk->sk_callback_lock);
3416         return sock_sid;
3417 }
3418
3419 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3420 {
3421         int err = 0;
3422         u32 perm;
3423         struct nlmsghdr *nlh;
3424         struct socket *sock = sk->sk_socket;
3425         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3426         
3427         if (skb->len < NLMSG_SPACE(0)) {
3428                 err = -EINVAL;
3429                 goto out;
3430         }
3431         nlh = (struct nlmsghdr *)skb->data;
3432         
3433         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3434         if (err) {
3435                 if (err == -EINVAL) {
3436                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3437                                   "SELinux:  unrecognized netlink message"
3438                                   " type=%hu for sclass=%hu\n",
3439                                   nlh->nlmsg_type, isec->sclass);
3440                         if (!selinux_enforcing)
3441                                 err = 0;
3442                 }
3443
3444                 /* Ignore */
3445                 if (err == -ENOENT)
3446                         err = 0;
3447                 goto out;
3448         }
3449
3450         err = socket_has_perm(current, sock, perm);
3451 out:
3452         return err;
3453 }
3454
3455 #ifdef CONFIG_NETFILTER
3456
3457 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3458                                               struct sk_buff **pskb,
3459                                               const struct net_device *in,
3460                                               const struct net_device *out,
3461                                               int (*okfn)(struct sk_buff *),
3462                                               u16 family)
3463 {
3464         char *addrp;
3465         int len, err = NF_ACCEPT;
3466         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3467         struct sock *sk;
3468         struct socket *sock;
3469         struct inode *inode;
3470         struct sk_buff *skb = *pskb;
3471         struct inode_security_struct *isec;
3472         struct avc_audit_data ad;
3473         struct net_device *dev = (struct net_device *)out;
3474         
3475         sk = skb->sk;
3476         if (!sk)
3477                 goto out;
3478                 
3479         sock = sk->sk_socket;
3480         if (!sock)
3481                 goto out;
3482                 
3483         inode = SOCK_INODE(sock);
3484         if (!inode)
3485                 goto out;
3486
3487         err = sel_netif_sids(dev, &if_sid, NULL);
3488         if (err)
3489                 goto out;
3490
3491         isec = inode->i_security;
3492         
3493         switch (isec->sclass) {
3494         case SECCLASS_UDP_SOCKET:
3495                 netif_perm = NETIF__UDP_SEND;
3496                 node_perm = NODE__UDP_SEND;
3497                 send_perm = UDP_SOCKET__SEND_MSG;
3498                 break;
3499         
3500         case SECCLASS_TCP_SOCKET:
3501                 netif_perm = NETIF__TCP_SEND;
3502                 node_perm = NODE__TCP_SEND;
3503                 send_perm = TCP_SOCKET__SEND_MSG;
3504                 break;
3505         
3506         default:
3507                 netif_perm = NETIF__RAWIP_SEND;
3508                 node_perm = NODE__RAWIP_SEND;
3509                 break;
3510         }
3511
3512
3513         AVC_AUDIT_DATA_INIT(&ad, NET);
3514         ad.u.net.netif = dev->name;
3515         ad.u.net.family = family;
3516
3517         err = selinux_parse_skb(skb, &ad, &addrp,
3518                                 &len, 0) ? NF_DROP : NF_ACCEPT;
3519         if (err != NF_ACCEPT)
3520                 goto out;
3521
3522         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3523                            netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3524         if (err != NF_ACCEPT)
3525                 goto out;
3526                 
3527         /* Fixme: this lookup is inefficient */
3528         err = security_node_sid(family, addrp, len,
3529                                 &node_sid) ? NF_DROP : NF_ACCEPT;
3530         if (err != NF_ACCEPT)
3531                 goto out;
3532         
3533         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3534                            node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3535         if (err != NF_ACCEPT)
3536                 goto out;
3537
3538         if (send_perm) {
3539                 u32 port_sid;
3540                 
3541                 /* Fixme: make this more efficient */
3542                 err = security_port_sid(sk->sk_family,
3543                                         sk->sk_type,
3544                                         sk->sk_protocol,
3545                                         ntohs(ad.u.net.dport),
3546                                         &port_sid) ? NF_DROP : NF_ACCEPT;
3547                 if (err != NF_ACCEPT)
3548                         goto out;
3549
3550                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3551                                    send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3552         }
3553
3554         if (err != NF_ACCEPT)
3555                 goto out;
3556
3557         err = selinux_xfrm_postroute_last(isec->sid, skb);
3558
3559 out:
3560         return err;
3561 }
3562
3563 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3564                                                 struct sk_buff **pskb,
3565                                                 const struct net_device *in,
3566                                                 const struct net_device *out,
3567                                                 int (*okfn)(struct sk_buff *))
3568 {
3569         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3570 }
3571
3572 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3573
3574 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3575                                                 struct sk_buff **pskb,
3576                                                 const struct net_device *in,
3577                                                 const struct net_device *out,
3578                                                 int (*okfn)(struct sk_buff *))
3579 {
3580         return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3581 }
3582
3583 #endif  /* IPV6 */
3584
3585 #endif  /* CONFIG_NETFILTER */
3586
3587 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3588 {
3589         struct task_security_struct *tsec;
3590         struct av_decision avd;
3591         int err;
3592
3593         err = secondary_ops->netlink_send(sk, skb);
3594         if (err)
3595                 return err;
3596
3597         tsec = current->security;
3598
3599         avd.allowed = 0;
3600         avc_has_perm_noaudit(tsec->sid, tsec->sid,
3601                                 SECCLASS_CAPABILITY, ~0, &avd);
3602         cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3603
3604         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3605                 err = selinux_nlmsg_perm(sk, skb);
3606
3607         return err;
3608 }
3609
3610 static int selinux_netlink_recv(struct sk_buff *skb)
3611 {
3612         if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3613                 return -EPERM;
3614         return 0;
3615 }
3616
3617 static int ipc_alloc_security(struct task_struct *task,
3618                               struct kern_ipc_perm *perm,
3619                               u16 sclass)
3620 {
3621         struct task_security_struct *tsec = task->security;
3622         struct ipc_security_struct *isec;
3623
3624         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3625         if (!isec)
3626                 return -ENOMEM;
3627
3628         isec->sclass = sclass;
3629         isec->ipc_perm = perm;
3630         isec->sid = tsec->sid;
3631         perm->security = isec;
3632
3633         return 0;
3634 }
3635
3636 static void ipc_free_security(struct kern_ipc_perm *perm)
3637 {
3638         struct ipc_security_struct *isec = perm->security;
3639         perm->security = NULL;
3640         kfree(isec);
3641 }
3642
3643 static int msg_msg_alloc_security(struct msg_msg *msg)
3644 {
3645         struct msg_security_struct *msec;
3646
3647         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3648         if (!msec)
3649                 return -ENOMEM;
3650
3651         msec->msg = msg;
3652         msec->sid = SECINITSID_UNLABELED;
3653         msg->security = msec;
3654
3655         return 0;
3656 }
3657
3658 static void msg_msg_free_security(struct msg_msg *msg)
3659 {
3660         struct msg_security_struct *msec = msg->security;
3661
3662         msg->security = NULL;
3663         kfree(msec);
3664 }
3665
3666 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3667                         u32 perms)
3668 {
3669         struct task_security_struct *tsec;
3670         struct ipc_security_struct *isec;
3671         struct avc_audit_data ad;
3672
3673         tsec = current->security;
3674         isec = ipc_perms->security;
3675
3676         AVC_AUDIT_DATA_INIT(&ad, IPC);
3677         ad.u.ipc_id = ipc_perms->key;
3678
3679         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3680 }
3681
3682 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3683 {
3684         return msg_msg_alloc_security(msg);
3685 }
3686
3687 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3688 {
3689         msg_msg_free_security(msg);
3690 }
3691
3692 /* message queue security operations */
3693 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3694 {
3695         struct task_security_struct *tsec;
3696         struct ipc_security_struct *isec;
3697         struct avc_audit_data ad;
3698         int rc;
3699
3700         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3701         if (rc)
3702                 return rc;
3703
3704         tsec = current->security;
3705         isec = msq->q_perm.security;
3706
3707         AVC_AUDIT_DATA_INIT(&ad, IPC);
3708         ad.u.ipc_id = msq->q_perm.key;
3709
3710         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3711                           MSGQ__CREATE, &ad);
3712         if (rc) {
3713                 ipc_free_security(&msq->q_perm);
3714                 return rc;
3715         }
3716         return 0;
3717 }
3718
3719 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3720 {
3721         ipc_free_security(&msq->q_perm);
3722 }
3723
3724 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3725 {
3726         struct task_security_struct *tsec;
3727         struct ipc_security_struct *isec;
3728         struct avc_audit_data ad;
3729
3730         tsec = current->security;
3731         isec = msq->q_perm.security;
3732
3733         AVC_AUDIT_DATA_INIT(&ad, IPC);
3734         ad.u.ipc_id = msq->q_perm.key;
3735
3736         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3737                             MSGQ__ASSOCIATE, &ad);
3738 }
3739
3740 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3741 {
3742         int err;
3743         int perms;
3744
3745         switch(cmd) {
3746         case IPC_INFO:
3747         case MSG_INFO:
3748                 /* No specific object, just general system-wide information. */
3749                 return task_has_system(current, SYSTEM__IPC_INFO);
3750         case IPC_STAT:
3751         case MSG_STAT:
3752                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3753                 break;
3754         case IPC_SET:
3755                 perms = MSGQ__SETATTR;
3756                 break;
3757         case IPC_RMID:
3758                 perms = MSGQ__DESTROY;
3759                 break;
3760         default:
3761                 return 0;
3762         }
3763
3764         err = ipc_has_perm(&msq->q_perm, perms);
3765         return err;
3766 }
3767
3768 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3769 {
3770         struct task_security_struct *tsec;
3771         struct ipc_security_struct *isec;
3772         struct msg_security_struct *msec;
3773         struct avc_audit_data ad;
3774         int rc;
3775
3776         tsec = current->security;
3777         isec = msq->q_perm.security;
3778         msec = msg->security;
3779
3780         /*
3781          * First time through, need to assign label to the message
3782          */
3783         if (msec->sid == SECINITSID_UNLABELED) {
3784                 /*
3785                  * Compute new sid based on current process and
3786                  * message queue this message will be stored in
3787                  */
3788                 rc = security_transition_sid(tsec->sid,
3789                                              isec->sid,
3790                                              SECCLASS_MSG,
3791                                              &msec->sid);
3792                 if (rc)
3793                         return rc;
3794         }
3795
3796         AVC_AUDIT_DATA_INIT(&ad, IPC);
3797         ad.u.ipc_id = msq->q_perm.key;
3798
3799         /* Can this process write to the queue? */
3800         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3801                           MSGQ__WRITE, &ad);
3802         if (!rc)
3803                 /* Can this process send the message */
3804                 rc = avc_has_perm(tsec->sid, msec->sid,
3805                                   SECCLASS_MSG, MSG__SEND, &ad);
3806         if (!rc)
3807                 /* Can the message be put in the queue? */
3808                 rc = avc_has_perm(msec->sid, isec->sid,
3809                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3810
3811         return rc;
3812 }
3813
3814 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3815                                     struct task_struct *target,
3816                                     long type, int mode)
3817 {
3818         struct task_security_struct *tsec;
3819         struct ipc_security_struct *isec;
3820         struct msg_security_struct *msec;
3821         struct avc_audit_data ad;
3822         int rc;
3823
3824         tsec = target->security;
3825         isec = msq->q_perm.security;
3826         msec = msg->security;
3827
3828         AVC_AUDIT_DATA_INIT(&ad, IPC);
3829         ad.u.ipc_id = msq->q_perm.key;
3830
3831         rc = avc_has_perm(tsec->sid, isec->sid,
3832                           SECCLASS_MSGQ, MSGQ__READ, &ad);
3833         if (!rc)
3834                 rc = avc_has_perm(tsec->sid, msec->sid,
3835                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
3836         return rc;
3837 }
3838
3839 /* Shared Memory security operations */
3840 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3841 {
3842         struct task_security_struct *tsec;
3843         struct ipc_security_struct *isec;
3844         struct avc_audit_data ad;
3845         int rc;
3846
3847         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3848         if (rc)
3849                 return rc;
3850
3851         tsec = current->security;
3852         isec = shp->shm_perm.security;
3853
3854         AVC_AUDIT_DATA_INIT(&ad, IPC);
3855         ad.u.ipc_id = shp->shm_perm.key;
3856
3857         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3858                           SHM__CREATE, &ad);
3859         if (rc) {
3860                 ipc_free_security(&shp->shm_perm);
3861                 return rc;
3862         }
3863         return 0;
3864 }
3865
3866 static void selinux_shm_free_security(struct shmid_kernel *shp)
3867 {
3868         ipc_free_security(&shp->shm_perm);
3869 }
3870
3871 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3872 {
3873         struct task_security_struct *tsec;
3874         struct ipc_security_struct *isec;
3875         struct avc_audit_data ad;
3876
3877         tsec = current->security;
3878         isec = shp->shm_perm.security;
3879
3880         AVC_AUDIT_DATA_INIT(&ad, IPC);
3881         ad.u.ipc_id = shp->shm_perm.key;
3882
3883         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3884                             SHM__ASSOCIATE, &ad);
3885 }
3886
3887 /* Note, at this point, shp is locked down */
3888 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3889 {
3890         int perms;
3891         int err;
3892
3893         switch(cmd) {
3894         case IPC_INFO:
3895         case SHM_INFO:
3896                 /* No specific object, just general system-wide information. */
3897                 return task_has_system(current, SYSTEM__IPC_INFO);
3898         case IPC_STAT:
3899         case SHM_STAT:
3900                 perms = SHM__GETATTR | SHM__ASSOCIATE;
3901                 break;
3902         case IPC_SET:
3903                 perms = SHM__SETATTR;
3904                 break;
3905         case SHM_LOCK:
3906         case SHM_UNLOCK:
3907                 perms = SHM__LOCK;
3908                 break;
3909         case IPC_RMID:
3910                 perms = SHM__DESTROY;
3911                 break;
3912         default:
3913                 return 0;
3914         }
3915
3916         err = ipc_has_perm(&shp->shm_perm, perms);
3917         return err;
3918 }
3919
3920 static int selinux_shm_shmat(struct shmid_kernel *shp,
3921                              char __user *shmaddr, int shmflg)
3922 {
3923         u32 perms;
3924         int rc;
3925
3926         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3927         if (rc)
3928                 return rc;
3929
3930         if (shmflg & SHM_RDONLY)
3931                 perms = SHM__READ;
3932         else
3933                 perms = SHM__READ | SHM__WRITE;
3934
3935         return ipc_has_perm(&shp->shm_perm, perms);
3936 }
3937
3938 /* Semaphore security operations */
3939 static int selinux_sem_alloc_security(struct sem_array *sma)
3940 {
3941         struct task_security_struct *tsec;
3942         struct ipc_security_struct *isec;
3943         struct avc_audit_data ad;
3944         int rc;
3945
3946         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3947         if (rc)
3948                 return rc;
3949
3950         tsec = current->security;
3951         isec = sma->sem_perm.security;
3952
3953         AVC_AUDIT_DATA_INIT(&ad, IPC);
3954         ad.u.ipc_id = sma->sem_perm.key;
3955
3956         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3957                           SEM__CREATE, &ad);
3958         if (rc) {
3959                 ipc_free_security(&sma->sem_perm);
3960                 return rc;
3961         }
3962         return 0;
3963 }
3964
3965 static void selinux_sem_free_security(struct sem_array *sma)
3966 {
3967         ipc_free_security(&sma->sem_perm);
3968 }
3969
3970 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3971 {
3972         struct task_security_struct *tsec;
3973         struct ipc_security_struct *isec;
3974         struct avc_audit_data ad;
3975
3976         tsec = current->security;
3977         isec = sma->sem_perm.security;
3978
3979         AVC_AUDIT_DATA_INIT(&ad, IPC);
3980         ad.u.ipc_id = sma->sem_perm.key;
3981
3982         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3983                             SEM__ASSOCIATE, &ad);
3984 }
3985
3986 /* Note, at this point, sma is locked down */
3987 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3988 {
3989         int err;
3990         u32 perms;
3991
3992         switch(cmd) {
3993         case IPC_INFO:
3994         case SEM_INFO:
3995                 /* No specific object, just general system-wide information. */
3996                 return task_has_system(current, SYSTEM__IPC_INFO);
3997         case GETPID:
3998         case GETNCNT:
3999         case GETZCNT:
4000                 perms = SEM__GETATTR;
4001                 break;
4002         case GETVAL:
4003         case GETALL:
4004                 perms = SEM__READ;
4005                 break;
4006         case SETVAL:
4007         case SETALL:
4008                 perms = SEM__WRITE;
4009                 break;
4010         case IPC_RMID:
4011                 perms = SEM__DESTROY;
4012                 break;
4013         case IPC_SET:
4014                 perms = SEM__SETATTR;
4015                 break;
4016         case IPC_STAT:
4017         case SEM_STAT:
4018                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4019                 break;
4020         default:
4021                 return 0;
4022         }
4023
4024         err = ipc_has_perm(&sma->sem_perm, perms);
4025         return err;
4026 }
4027
4028 static int selinux_sem_semop(struct sem_array *sma,
4029                              struct sembuf *sops, unsigned nsops, int alter)
4030 {
4031         u32 perms;
4032
4033         if (alter)
4034                 perms = SEM__READ | SEM__WRITE;
4035         else
4036                 perms = SEM__READ;
4037
4038         return ipc_has_perm(&sma->sem_perm, perms);
4039 }
4040
4041 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4042 {
4043         u32 av = 0;
4044
4045         av = 0;
4046         if (flag & S_IRUGO)
4047                 av |= IPC__UNIX_READ;
4048         if (flag & S_IWUGO)
4049                 av |= IPC__UNIX_WRITE;
4050
4051         if (av == 0)
4052                 return 0;
4053
4054         return ipc_has_perm(ipcp, av);
4055 }
4056
4057 /* module stacking operations */
4058 static int selinux_register_security (const char *name, struct security_operations *ops)
4059 {
4060         if (secondary_ops != original_ops) {
4061                 printk(KERN_INFO "%s:  There is already a secondary security "
4062                        "module registered.\n", __FUNCTION__);
4063                 return -EINVAL;
4064         }
4065
4066         secondary_ops = ops;
4067
4068         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4069                __FUNCTION__,
4070                name);
4071
4072         return 0;
4073 }
4074
4075 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4076 {
4077         if (ops != secondary_ops) {
4078                 printk (KERN_INFO "%s:  trying to unregister a security module "
4079                         "that is not registered.\n", __FUNCTION__);
4080                 return -EINVAL;
4081         }
4082
4083         secondary_ops = original_ops;
4084
4085         return 0;
4086 }
4087
4088 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4089 {
4090         if (inode)
4091                 inode_doinit_with_dentry(inode, dentry);
4092 }
4093
4094 static int selinux_getprocattr(struct task_struct *p,
4095                                char *name, void *value, size_t size)
4096 {
4097         struct task_security_struct *tsec;
4098         u32 sid, len;
4099         char *context;
4100         int error;
4101
4102         if (current != p) {
4103                 error = task_has_perm(current, p, PROCESS__GETATTR);
4104                 if (error)
4105                         return error;
4106         }
4107
4108         if (!size)
4109                 return -ERANGE;
4110
4111         tsec = p->security;
4112
4113         if (!strcmp(name, "current"))
4114                 sid = tsec->sid;
4115         else if (!strcmp(name, "prev"))
4116                 sid = tsec->osid;
4117         else if (!strcmp(name, "exec"))
4118                 sid = tsec->exec_sid;
4119         else if (!strcmp(name, "fscreate"))
4120                 sid = tsec->create_sid;
4121         else
4122                 return -EINVAL;
4123
4124         if (!sid)
4125                 return 0;
4126
4127         error = security_sid_to_context(sid, &context, &len);
4128         if (error)
4129                 return error;
4130         if (len > size) {
4131                 kfree(context);
4132                 return -ERANGE;
4133         }
4134         memcpy(value, context, len);
4135         kfree(context);
4136         return len;
4137 }
4138
4139 static int selinux_setprocattr(struct task_struct *p,
4140                                char *name, void *value, size_t size)
4141 {
4142         struct task_security_struct *tsec;
4143         u32 sid = 0;
4144         int error;
4145         char *str = value;
4146
4147         if (current != p) {
4148                 /* SELinux only allows a process to change its own
4149                    security attributes. */
4150                 return -EACCES;
4151         }
4152
4153         /*
4154          * Basic control over ability to set these attributes at all.
4155          * current == p, but we'll pass them separately in case the
4156          * above restriction is ever removed.
4157          */
4158         if (!strcmp(name, "exec"))
4159                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4160         else if (!strcmp(name, "fscreate"))
4161                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4162         else if (!strcmp(name, "current"))
4163                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4164         else
4165                 error = -EINVAL;
4166         if (error)
4167                 return error;
4168
4169         /* Obtain a SID for the context, if one was specified. */
4170         if (size && str[1] && str[1] != '\n') {
4171                 if (str[size-1] == '\n') {
4172                         str[size-1] = 0;
4173                         size--;
4174                 }
4175                 error = security_context_to_sid(value, size, &sid);
4176                 if (error)
4177                         return error;
4178         }
4179
4180         /* Permission checking based on the specified context is
4181            performed during the actual operation (execve,
4182            open/mkdir/...), when we know the full context of the
4183            operation.  See selinux_bprm_set_security for the execve
4184            checks and may_create for the file creation checks. The
4185            operation will then fail if the context is not permitted. */
4186         tsec = p->security;
4187         if (!strcmp(name, "exec"))
4188                 tsec->exec_sid = sid;
4189         else if (!strcmp(name, "fscreate"))
4190                 tsec->create_sid = sid;
4191         else if (!strcmp(name, "current")) {
4192                 struct av_decision avd;
4193
4194                 if (sid == 0)
4195                         return -EINVAL;
4196
4197                 /* Only allow single threaded processes to change context */
4198                 if (atomic_read(&p->mm->mm_users) != 1) {
4199                         struct task_struct *g, *t;
4200                         struct mm_struct *mm = p->mm;
4201                         read_lock(&tasklist_lock);
4202                         do_each_thread(g, t)
4203                                 if (t->mm == mm && t != p) {
4204                                         read_unlock(&tasklist_lock);
4205                                         return -EPERM;
4206                                 }
4207                         while_each_thread(g, t);
4208                         read_unlock(&tasklist_lock);
4209                 }
4210
4211                 /* Check permissions for the transition. */
4212                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4213                                      PROCESS__DYNTRANSITION, NULL);
4214                 if (error)
4215                         return error;
4216
4217                 /* Check for ptracing, and update the task SID if ok.
4218                    Otherwise, leave SID unchanged and fail. */
4219                 task_lock(p);
4220                 if (p->ptrace & PT_PTRACED) {
4221                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4222                                                      SECCLASS_PROCESS,
4223                                                      PROCESS__PTRACE, &avd);
4224                         if (!error)
4225                                 tsec->sid = sid;
4226                         task_unlock(p);
4227                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4228                                   PROCESS__PTRACE, &avd, error, NULL);
4229                         if (error)
4230                                 return error;
4231                 } else {
4232                         tsec->sid = sid;
4233                         task_unlock(p);
4234                 }
4235         }
4236         else
4237                 return -EINVAL;
4238
4239         return size;
4240 }
4241
4242 static struct security_operations selinux_ops = {
4243         .ptrace =                       selinux_ptrace,
4244         .capget =                       selinux_capget,
4245         .capset_check =                 selinux_capset_check,
4246         .capset_set =                   selinux_capset_set,
4247         .sysctl =                       selinux_sysctl,
4248         .capable =                      selinux_capable,
4249         .quotactl =                     selinux_quotactl,
4250         .quota_on =                     selinux_quota_on,
4251         .syslog =                       selinux_syslog,
4252         .vm_enough_memory =             selinux_vm_enough_memory,
4253
4254         .netlink_send =                 selinux_netlink_send,
4255         .netlink_recv =                 selinux_netlink_recv,
4256
4257         .bprm_alloc_security =          selinux_bprm_alloc_security,
4258         .bprm_free_security =           selinux_bprm_free_security,
4259         .bprm_apply_creds =             selinux_bprm_apply_creds,
4260         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4261         .bprm_set_security =            selinux_bprm_set_security,
4262         .bprm_check_security =          selinux_bprm_check_security,
4263         .bprm_secureexec =              selinux_bprm_secureexec,
4264
4265         .sb_alloc_security =            selinux_sb_alloc_security,
4266         .sb_free_security =             selinux_sb_free_security,
4267         .sb_copy_data =                 selinux_sb_copy_data,
4268         .sb_kern_mount =                selinux_sb_kern_mount,
4269         .sb_statfs =                    selinux_sb_statfs,
4270         .sb_mount =                     selinux_mount,
4271         .sb_umount =                    selinux_umount,
4272
4273         .inode_alloc_security =         selinux_inode_alloc_security,
4274         .inode_free_security =          selinux_inode_free_security,
4275         .inode_init_security =          selinux_inode_init_security,
4276         .inode_create =                 selinux_inode_create,
4277         .inode_link =                   selinux_inode_link,
4278         .inode_unlink =                 selinux_inode_unlink,
4279         .inode_symlink =                selinux_inode_symlink,
4280         .inode_mkdir =                  selinux_inode_mkdir,
4281         .inode_rmdir =                  selinux_inode_rmdir,
4282         .inode_mknod =                  selinux_inode_mknod,
4283         .inode_rename =                 selinux_inode_rename,
4284         .inode_readlink =               selinux_inode_readlink,
4285         .inode_follow_link =            selinux_inode_follow_link,
4286         .inode_permission =             selinux_inode_permission,
4287         .inode_setattr =                selinux_inode_setattr,
4288         .inode_getattr =                selinux_inode_getattr,
4289         .inode_setxattr =               selinux_inode_setxattr,
4290         .inode_post_setxattr =          selinux_inode_post_setxattr,
4291         .inode_getxattr =               selinux_inode_getxattr,
4292         .inode_listxattr =              selinux_inode_listxattr,
4293         .inode_removexattr =            selinux_inode_removexattr,
4294         .inode_getsecurity =            selinux_inode_getsecurity,
4295         .inode_setsecurity =            selinux_inode_setsecurity,
4296         .inode_listsecurity =           selinux_inode_listsecurity,
4297
4298         .file_permission =              selinux_file_permission,
4299         .file_alloc_security =          selinux_file_alloc_security,
4300         .file_free_security =           selinux_file_free_security,
4301         .file_ioctl =                   selinux_file_ioctl,
4302         .file_mmap =                    selinux_file_mmap,
4303         .file_mprotect =                selinux_file_mprotect,
4304         .file_lock =                    selinux_file_lock,
4305         .file_fcntl =                   selinux_file_fcntl,
4306         .file_set_fowner =              selinux_file_set_fowner,
4307         .file_send_sigiotask =          selinux_file_send_sigiotask,
4308         .file_receive =                 selinux_file_receive,
4309
4310         .task_create =                  selinux_task_create,
4311         .task_alloc_security =          selinux_task_alloc_security,
4312         .task_free_security =           selinux_task_free_security,
4313         .task_setuid =                  selinux_task_setuid,
4314         .task_post_setuid =             selinux_task_post_setuid,
4315         .task_setgid =                  selinux_task_setgid,
4316         .task_setpgid =                 selinux_task_setpgid,
4317         .task_getpgid =                 selinux_task_getpgid,
4318         .task_getsid =                  selinux_task_getsid,
4319         .task_setgroups =               selinux_task_setgroups,
4320         .task_setnice =                 selinux_task_setnice,
4321         .task_setrlimit =               selinux_task_setrlimit,
4322         .task_setscheduler =            selinux_task_setscheduler,
4323         .task_getscheduler =            selinux_task_getscheduler,
4324         .task_kill =                    selinux_task_kill,
4325         .task_wait =                    selinux_task_wait,
4326         .task_prctl =                   selinux_task_prctl,
4327         .task_reparent_to_init =        selinux_task_reparent_to_init,
4328         .task_to_inode =                selinux_task_to_inode,
4329
4330         .ipc_permission =               selinux_ipc_permission,
4331
4332         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4333         .msg_msg_free_security =        selinux_msg_msg_free_security,
4334
4335         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4336         .msg_queue_free_security =      selinux_msg_queue_free_security,
4337         .msg_queue_associate =          selinux_msg_queue_associate,
4338         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4339         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4340         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4341
4342         .shm_alloc_security =           selinux_shm_alloc_security,
4343         .shm_free_security =            selinux_shm_free_security,
4344         .shm_associate =                selinux_shm_associate,
4345         .shm_shmctl =                   selinux_shm_shmctl,
4346         .shm_shmat =                    selinux_shm_shmat,
4347
4348         .sem_alloc_security =           selinux_sem_alloc_security,
4349         .sem_free_security =            selinux_sem_free_security,
4350         .sem_associate =                selinux_sem_associate,
4351         .sem_semctl =                   selinux_sem_semctl,
4352         .sem_semop =                    selinux_sem_semop,
4353
4354         .register_security =            selinux_register_security,
4355         .unregister_security =          selinux_unregister_security,
4356
4357         .d_instantiate =                selinux_d_instantiate,
4358
4359         .getprocattr =                  selinux_getprocattr,
4360         .setprocattr =                  selinux_setprocattr,
4361
4362         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4363         .unix_may_send =                selinux_socket_unix_may_send,
4364
4365         .socket_create =                selinux_socket_create,
4366         .socket_post_create =           selinux_socket_post_create,
4367         .socket_bind =                  selinux_socket_bind,
4368         .socket_connect =               selinux_socket_connect,
4369         .socket_listen =                selinux_socket_listen,
4370         .socket_accept =                selinux_socket_accept,
4371         .socket_sendmsg =               selinux_socket_sendmsg,
4372         .socket_recvmsg =               selinux_socket_recvmsg,
4373         .socket_getsockname =           selinux_socket_getsockname,
4374         .socket_getpeername =           selinux_socket_getpeername,
4375         .socket_getsockopt =            selinux_socket_getsockopt,
4376         .socket_setsockopt =            selinux_socket_setsockopt,
4377         .socket_shutdown =              selinux_socket_shutdown,
4378         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4379         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4380         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4381         .sk_alloc_security =            selinux_sk_alloc_security,
4382         .sk_free_security =             selinux_sk_free_security,
4383         .sk_getsid =                    selinux_sk_getsid_security,
4384
4385 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4386         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4387         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4388         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4389         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4390         .xfrm_state_free_security =     selinux_xfrm_state_free,
4391         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4392 #endif
4393 };
4394
4395 static __init int selinux_init(void)
4396 {
4397         struct task_security_struct *tsec;
4398
4399         if (!selinux_enabled) {
4400                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4401                 return 0;
4402         }
4403
4404         printk(KERN_INFO "SELinux:  Initializing.\n");
4405
4406         /* Set the security state for the initial task. */
4407         if (task_alloc_security(current))
4408                 panic("SELinux:  Failed to initialize initial task.\n");
4409         tsec = current->security;
4410         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4411
4412         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4413                                             sizeof(struct inode_security_struct),
4414                                             0, SLAB_PANIC, NULL, NULL);
4415         avc_init();
4416
4417         original_ops = secondary_ops = security_ops;
4418         if (!secondary_ops)
4419                 panic ("SELinux: No initial security operations\n");
4420         if (register_security (&selinux_ops))
4421                 panic("SELinux: Unable to register with kernel.\n");
4422
4423         if (selinux_enforcing) {
4424                 printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
4425         } else {
4426                 printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
4427         }
4428         return 0;
4429 }
4430
4431 void selinux_complete_init(void)
4432 {
4433         printk(KERN_INFO "SELinux:  Completing initialization.\n");
4434
4435         /* Set up any superblocks initialized prior to the policy load. */
4436         printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
4437         spin_lock(&sb_security_lock);
4438 next_sb:
4439         if (!list_empty(&superblock_security_head)) {
4440                 struct superblock_security_struct *sbsec =
4441                                 list_entry(superblock_security_head.next,
4442                                            struct superblock_security_struct,
4443                                            list);
4444                 struct super_block *sb = sbsec->sb;
4445                 spin_lock(&sb_lock);
4446                 sb->s_count++;
4447                 spin_unlock(&sb_lock);
4448                 spin_unlock(&sb_security_lock);
4449                 down_read(&sb->s_umount);
4450                 if (sb->s_root)
4451                         superblock_doinit(sb, NULL);
4452                 drop_super(sb);
4453                 spin_lock(&sb_security_lock);
4454                 list_del_init(&sbsec->list);
4455                 goto next_sb;
4456         }
4457         spin_unlock(&sb_security_lock);
4458 }
4459
4460 /* SELinux requires early initialization in order to label
4461    all processes and objects when they are created. */
4462 security_initcall(selinux_init);
4463
4464 #if defined(CONFIG_NETFILTER)
4465
4466 static struct nf_hook_ops selinux_ipv4_op = {
4467         .hook =         selinux_ipv4_postroute_last,
4468         .owner =        THIS_MODULE,
4469         .pf =           PF_INET,
4470         .hooknum =      NF_IP_POST_ROUTING,
4471         .priority =     NF_IP_PRI_SELINUX_LAST,
4472 };
4473
4474 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4475
4476 static struct nf_hook_ops selinux_ipv6_op = {
4477         .hook =         selinux_ipv6_postroute_last,
4478         .owner =        THIS_MODULE,
4479         .pf =           PF_INET6,
4480         .hooknum =      NF_IP6_POST_ROUTING,
4481         .priority =     NF_IP6_PRI_SELINUX_LAST,
4482 };
4483
4484 #endif  /* IPV6 */
4485
4486 static int __init selinux_nf_ip_init(void)
4487 {
4488         int err = 0;
4489
4490         if (!selinux_enabled)
4491                 goto out;
4492                 
4493         printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
4494         
4495         err = nf_register_hook(&selinux_ipv4_op);
4496         if (err)
4497                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4498
4499 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4500
4501         err = nf_register_hook(&selinux_ipv6_op);
4502         if (err)
4503                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4504
4505 #endif  /* IPV6 */
4506
4507 out:
4508         return err;
4509 }
4510
4511 __initcall(selinux_nf_ip_init);
4512
4513 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4514 static void selinux_nf_ip_exit(void)
4515 {
4516         printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
4517
4518         nf_unregister_hook(&selinux_ipv4_op);
4519 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4520         nf_unregister_hook(&selinux_ipv6_op);
4521 #endif  /* IPV6 */
4522 }
4523 #endif
4524
4525 #else /* CONFIG_NETFILTER */
4526
4527 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4528 #define selinux_nf_ip_exit()
4529 #endif
4530
4531 #endif /* CONFIG_NETFILTER */
4532
4533 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4534 int selinux_disable(void)
4535 {
4536         extern void exit_sel_fs(void);
4537         static int selinux_disabled = 0;
4538
4539         if (ss_initialized) {
4540                 /* Not permitted after initial policy load. */
4541                 return -EINVAL;
4542         }
4543
4544         if (selinux_disabled) {
4545                 /* Only do this once. */
4546                 return -EINVAL;
4547         }
4548
4549         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
4550
4551         selinux_disabled = 1;
4552
4553         /* Reset security_ops to the secondary module, dummy or capability. */
4554         security_ops = secondary_ops;
4555
4556         /* Unregister netfilter hooks. */
4557         selinux_nf_ip_exit();
4558
4559         /* Unregister selinuxfs. */
4560         exit_sel_fs();
4561
4562         return 0;
4563 }
4564 #endif
4565
4566