Merge git://git.linux-nfs.org/pub/linux/nfs-2.6
[linux-2.6] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14  *                          <dgoeddel@trustedcs.com>
15  *  Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16  *                     Paul Moore, <paul.moore@hp.com>
17  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
19  *
20  *      This program is free software; you can redistribute it and/or modify
21  *      it under the terms of the GNU General Public License version 2,
22  *      as published by the Free Software Foundation.
23  */
24
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <asm/uaccess.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h>    /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/dccp.h>
62 #include <linux/quota.h>
63 #include <linux/un.h>           /* for Unix socket types */
64 #include <net/af_unix.h>        /* for Unix socket types */
65 #include <linux/parser.h>
66 #include <linux/nfs_mount.h>
67 #include <net/ipv6.h>
68 #include <linux/hugetlb.h>
69 #include <linux/personality.h>
70 #include <linux/sysctl.h>
71 #include <linux/audit.h>
72 #include <linux/string.h>
73 #include <linux/selinux.h>
74 #include <linux/mutex.h>
75
76 #include "avc.h"
77 #include "objsec.h"
78 #include "netif.h"
79 #include "xfrm.h"
80 #include "netlabel.h"
81
82 #define XATTR_SELINUX_SUFFIX "selinux"
83 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
84
85 extern unsigned int policydb_loaded_version;
86 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
87 extern int selinux_compat_net;
88 extern struct security_operations *security_ops;
89
90 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
91 int selinux_enforcing = 0;
92
93 static int __init enforcing_setup(char *str)
94 {
95         selinux_enforcing = simple_strtol(str,NULL,0);
96         return 1;
97 }
98 __setup("enforcing=", enforcing_setup);
99 #endif
100
101 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
102 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
103
104 static int __init selinux_enabled_setup(char *str)
105 {
106         selinux_enabled = simple_strtol(str, NULL, 0);
107         return 1;
108 }
109 __setup("selinux=", selinux_enabled_setup);
110 #else
111 int selinux_enabled = 1;
112 #endif
113
114 /* Original (dummy) security module. */
115 static struct security_operations *original_ops = NULL;
116
117 /* Minimal support for a secondary security module,
118    just to allow the use of the dummy or capability modules.
119    The owlsm module can alternatively be used as a secondary
120    module as long as CONFIG_OWLSM_FD is not enabled. */
121 static struct security_operations *secondary_ops = NULL;
122
123 /* Lists of inode and superblock security structures initialized
124    before the policy was loaded. */
125 static LIST_HEAD(superblock_security_head);
126 static DEFINE_SPINLOCK(sb_security_lock);
127
128 static struct kmem_cache *sel_inode_cache;
129
130 /* Return security context for a given sid or just the context 
131    length if the buffer is null or length is 0 */
132 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
133 {
134         char *context;
135         unsigned len;
136         int rc;
137
138         rc = security_sid_to_context(sid, &context, &len);
139         if (rc)
140                 return rc;
141
142         if (!buffer || !size)
143                 goto getsecurity_exit;
144
145         if (size < len) {
146                 len = -ERANGE;
147                 goto getsecurity_exit;
148         }
149         memcpy(buffer, context, len);
150
151 getsecurity_exit:
152         kfree(context);
153         return len;
154 }
155
156 /* Allocate and free functions for each kind of security blob. */
157
158 static int task_alloc_security(struct task_struct *task)
159 {
160         struct task_security_struct *tsec;
161
162         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
163         if (!tsec)
164                 return -ENOMEM;
165
166         tsec->task = task;
167         tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
168         task->security = tsec;
169
170         return 0;
171 }
172
173 static void task_free_security(struct task_struct *task)
174 {
175         struct task_security_struct *tsec = task->security;
176         task->security = NULL;
177         kfree(tsec);
178 }
179
180 static int inode_alloc_security(struct inode *inode)
181 {
182         struct task_security_struct *tsec = current->security;
183         struct inode_security_struct *isec;
184
185         isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
186         if (!isec)
187                 return -ENOMEM;
188
189         mutex_init(&isec->lock);
190         INIT_LIST_HEAD(&isec->list);
191         isec->inode = inode;
192         isec->sid = SECINITSID_UNLABELED;
193         isec->sclass = SECCLASS_FILE;
194         isec->task_sid = tsec->sid;
195         inode->i_security = isec;
196
197         return 0;
198 }
199
200 static void inode_free_security(struct inode *inode)
201 {
202         struct inode_security_struct *isec = inode->i_security;
203         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
204
205         spin_lock(&sbsec->isec_lock);
206         if (!list_empty(&isec->list))
207                 list_del_init(&isec->list);
208         spin_unlock(&sbsec->isec_lock);
209
210         inode->i_security = NULL;
211         kmem_cache_free(sel_inode_cache, isec);
212 }
213
214 static int file_alloc_security(struct file *file)
215 {
216         struct task_security_struct *tsec = current->security;
217         struct file_security_struct *fsec;
218
219         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220         if (!fsec)
221                 return -ENOMEM;
222
223         fsec->file = file;
224         fsec->sid = tsec->sid;
225         fsec->fown_sid = tsec->sid;
226         file->f_security = fsec;
227
228         return 0;
229 }
230
231 static void file_free_security(struct file *file)
232 {
233         struct file_security_struct *fsec = file->f_security;
234         file->f_security = NULL;
235         kfree(fsec);
236 }
237
238 static int superblock_alloc_security(struct super_block *sb)
239 {
240         struct superblock_security_struct *sbsec;
241
242         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243         if (!sbsec)
244                 return -ENOMEM;
245
246         mutex_init(&sbsec->lock);
247         INIT_LIST_HEAD(&sbsec->list);
248         INIT_LIST_HEAD(&sbsec->isec_head);
249         spin_lock_init(&sbsec->isec_lock);
250         sbsec->sb = sb;
251         sbsec->sid = SECINITSID_UNLABELED;
252         sbsec->def_sid = SECINITSID_FILE;
253         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
254         sb->s_security = sbsec;
255
256         return 0;
257 }
258
259 static void superblock_free_security(struct super_block *sb)
260 {
261         struct superblock_security_struct *sbsec = sb->s_security;
262
263         spin_lock(&sb_security_lock);
264         if (!list_empty(&sbsec->list))
265                 list_del_init(&sbsec->list);
266         spin_unlock(&sb_security_lock);
267
268         sb->s_security = NULL;
269         kfree(sbsec);
270 }
271
272 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
273 {
274         struct sk_security_struct *ssec;
275
276         ssec = kzalloc(sizeof(*ssec), priority);
277         if (!ssec)
278                 return -ENOMEM;
279
280         ssec->sk = sk;
281         ssec->peer_sid = SECINITSID_UNLABELED;
282         ssec->sid = SECINITSID_UNLABELED;
283         sk->sk_security = ssec;
284
285         selinux_netlbl_sk_security_init(ssec, family);
286
287         return 0;
288 }
289
290 static void sk_free_security(struct sock *sk)
291 {
292         struct sk_security_struct *ssec = sk->sk_security;
293
294         sk->sk_security = NULL;
295         kfree(ssec);
296 }
297
298 /* The security server must be initialized before
299    any labeling or access decisions can be provided. */
300 extern int ss_initialized;
301
302 /* The file system's label must be initialized prior to use. */
303
304 static char *labeling_behaviors[6] = {
305         "uses xattr",
306         "uses transition SIDs",
307         "uses task SIDs",
308         "uses genfs_contexts",
309         "not configured for labeling",
310         "uses mountpoint labeling",
311 };
312
313 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314
315 static inline int inode_doinit(struct inode *inode)
316 {
317         return inode_doinit_with_dentry(inode, NULL);
318 }
319
320 enum {
321         Opt_error = -1,
322         Opt_context = 1,
323         Opt_fscontext = 2,
324         Opt_defcontext = 4,
325         Opt_rootcontext = 8,
326 };
327
328 static match_table_t tokens = {
329         {Opt_context, "context=%s"},
330         {Opt_fscontext, "fscontext=%s"},
331         {Opt_defcontext, "defcontext=%s"},
332         {Opt_rootcontext, "rootcontext=%s"},
333         {Opt_error, NULL},
334 };
335
336 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
337
338 static int may_context_mount_sb_relabel(u32 sid,
339                         struct superblock_security_struct *sbsec,
340                         struct task_security_struct *tsec)
341 {
342         int rc;
343
344         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
345                           FILESYSTEM__RELABELFROM, NULL);
346         if (rc)
347                 return rc;
348
349         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
350                           FILESYSTEM__RELABELTO, NULL);
351         return rc;
352 }
353
354 static int may_context_mount_inode_relabel(u32 sid,
355                         struct superblock_security_struct *sbsec,
356                         struct task_security_struct *tsec)
357 {
358         int rc;
359         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
360                           FILESYSTEM__RELABELFROM, NULL);
361         if (rc)
362                 return rc;
363
364         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
365                           FILESYSTEM__ASSOCIATE, NULL);
366         return rc;
367 }
368
369 static int try_context_mount(struct super_block *sb, void *data)
370 {
371         char *context = NULL, *defcontext = NULL;
372         char *fscontext = NULL, *rootcontext = NULL;
373         const char *name;
374         u32 sid;
375         int alloc = 0, rc = 0, seen = 0;
376         struct task_security_struct *tsec = current->security;
377         struct superblock_security_struct *sbsec = sb->s_security;
378
379         if (!data)
380                 goto out;
381
382         name = sb->s_type->name;
383
384         if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
385
386                 /* NFS we understand. */
387                 if (!strcmp(name, "nfs")) {
388                         struct nfs_mount_data *d = data;
389
390                         if (d->version <  NFS_MOUNT_VERSION)
391                                 goto out;
392
393                         if (d->context[0]) {
394                                 context = d->context;
395                                 seen |= Opt_context;
396                         }
397                 } else
398                         goto out;
399
400         } else {
401                 /* Standard string-based options. */
402                 char *p, *options = data;
403
404                 while ((p = strsep(&options, "|")) != NULL) {
405                         int token;
406                         substring_t args[MAX_OPT_ARGS];
407
408                         if (!*p)
409                                 continue;
410
411                         token = match_token(p, tokens, args);
412
413                         switch (token) {
414                         case Opt_context:
415                                 if (seen & (Opt_context|Opt_defcontext)) {
416                                         rc = -EINVAL;
417                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
418                                         goto out_free;
419                                 }
420                                 context = match_strdup(&args[0]);
421                                 if (!context) {
422                                         rc = -ENOMEM;
423                                         goto out_free;
424                                 }
425                                 if (!alloc)
426                                         alloc = 1;
427                                 seen |= Opt_context;
428                                 break;
429
430                         case Opt_fscontext:
431                                 if (seen & Opt_fscontext) {
432                                         rc = -EINVAL;
433                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
434                                         goto out_free;
435                                 }
436                                 fscontext = match_strdup(&args[0]);
437                                 if (!fscontext) {
438                                         rc = -ENOMEM;
439                                         goto out_free;
440                                 }
441                                 if (!alloc)
442                                         alloc = 1;
443                                 seen |= Opt_fscontext;
444                                 break;
445
446                         case Opt_rootcontext:
447                                 if (seen & Opt_rootcontext) {
448                                         rc = -EINVAL;
449                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
450                                         goto out_free;
451                                 }
452                                 rootcontext = match_strdup(&args[0]);
453                                 if (!rootcontext) {
454                                         rc = -ENOMEM;
455                                         goto out_free;
456                                 }
457                                 if (!alloc)
458                                         alloc = 1;
459                                 seen |= Opt_rootcontext;
460                                 break;
461
462                         case Opt_defcontext:
463                                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
464                                         rc = -EINVAL;
465                                         printk(KERN_WARNING "SELinux:  "
466                                                "defcontext option is invalid "
467                                                "for this filesystem type\n");
468                                         goto out_free;
469                                 }
470                                 if (seen & (Opt_context|Opt_defcontext)) {
471                                         rc = -EINVAL;
472                                         printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
473                                         goto out_free;
474                                 }
475                                 defcontext = match_strdup(&args[0]);
476                                 if (!defcontext) {
477                                         rc = -ENOMEM;
478                                         goto out_free;
479                                 }
480                                 if (!alloc)
481                                         alloc = 1;
482                                 seen |= Opt_defcontext;
483                                 break;
484
485                         default:
486                                 rc = -EINVAL;
487                                 printk(KERN_WARNING "SELinux:  unknown mount "
488                                        "option\n");
489                                 goto out_free;
490
491                         }
492                 }
493         }
494
495         if (!seen)
496                 goto out;
497
498         /* sets the context of the superblock for the fs being mounted. */
499         if (fscontext) {
500                 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
501                 if (rc) {
502                         printk(KERN_WARNING "SELinux: security_context_to_sid"
503                                "(%s) failed for (dev %s, type %s) errno=%d\n",
504                                fscontext, sb->s_id, name, rc);
505                         goto out_free;
506                 }
507
508                 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
509                 if (rc)
510                         goto out_free;
511
512                 sbsec->sid = sid;
513         }
514
515         /*
516          * Switch to using mount point labeling behavior.
517          * sets the label used on all file below the mountpoint, and will set
518          * the superblock context if not already set.
519          */
520         if (context) {
521                 rc = security_context_to_sid(context, strlen(context), &sid);
522                 if (rc) {
523                         printk(KERN_WARNING "SELinux: security_context_to_sid"
524                                "(%s) failed for (dev %s, type %s) errno=%d\n",
525                                context, sb->s_id, name, rc);
526                         goto out_free;
527                 }
528
529                 if (!fscontext) {
530                         rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
531                         if (rc)
532                                 goto out_free;
533                         sbsec->sid = sid;
534                 } else {
535                         rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
536                         if (rc)
537                                 goto out_free;
538                 }
539                 sbsec->mntpoint_sid = sid;
540
541                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
542         }
543
544         if (rootcontext) {
545                 struct inode *inode = sb->s_root->d_inode;
546                 struct inode_security_struct *isec = inode->i_security;
547                 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
548                 if (rc) {
549                         printk(KERN_WARNING "SELinux: security_context_to_sid"
550                                "(%s) failed for (dev %s, type %s) errno=%d\n",
551                                rootcontext, sb->s_id, name, rc);
552                         goto out_free;
553                 }
554
555                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
556                 if (rc)
557                         goto out_free;
558
559                 isec->sid = sid;
560                 isec->initialized = 1;
561         }
562
563         if (defcontext) {
564                 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
565                 if (rc) {
566                         printk(KERN_WARNING "SELinux: security_context_to_sid"
567                                "(%s) failed for (dev %s, type %s) errno=%d\n",
568                                defcontext, sb->s_id, name, rc);
569                         goto out_free;
570                 }
571
572                 if (sid == sbsec->def_sid)
573                         goto out_free;
574
575                 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
576                 if (rc)
577                         goto out_free;
578
579                 sbsec->def_sid = sid;
580         }
581
582 out_free:
583         if (alloc) {
584                 kfree(context);
585                 kfree(defcontext);
586                 kfree(fscontext);
587                 kfree(rootcontext);
588         }
589 out:
590         return rc;
591 }
592
593 static int superblock_doinit(struct super_block *sb, void *data)
594 {
595         struct superblock_security_struct *sbsec = sb->s_security;
596         struct dentry *root = sb->s_root;
597         struct inode *inode = root->d_inode;
598         int rc = 0;
599
600         mutex_lock(&sbsec->lock);
601         if (sbsec->initialized)
602                 goto out;
603
604         if (!ss_initialized) {
605                 /* Defer initialization until selinux_complete_init,
606                    after the initial policy is loaded and the security
607                    server is ready to handle calls. */
608                 spin_lock(&sb_security_lock);
609                 if (list_empty(&sbsec->list))
610                         list_add(&sbsec->list, &superblock_security_head);
611                 spin_unlock(&sb_security_lock);
612                 goto out;
613         }
614
615         /* Determine the labeling behavior to use for this filesystem type. */
616         rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
617         if (rc) {
618                 printk(KERN_WARNING "%s:  security_fs_use(%s) returned %d\n",
619                        __FUNCTION__, sb->s_type->name, rc);
620                 goto out;
621         }
622
623         rc = try_context_mount(sb, data);
624         if (rc)
625                 goto out;
626
627         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
628                 /* Make sure that the xattr handler exists and that no
629                    error other than -ENODATA is returned by getxattr on
630                    the root directory.  -ENODATA is ok, as this may be
631                    the first boot of the SELinux kernel before we have
632                    assigned xattr values to the filesystem. */
633                 if (!inode->i_op->getxattr) {
634                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
635                                "xattr support\n", sb->s_id, sb->s_type->name);
636                         rc = -EOPNOTSUPP;
637                         goto out;
638                 }
639                 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
640                 if (rc < 0 && rc != -ENODATA) {
641                         if (rc == -EOPNOTSUPP)
642                                 printk(KERN_WARNING "SELinux: (dev %s, type "
643                                        "%s) has no security xattr handler\n",
644                                        sb->s_id, sb->s_type->name);
645                         else
646                                 printk(KERN_WARNING "SELinux: (dev %s, type "
647                                        "%s) getxattr errno %d\n", sb->s_id,
648                                        sb->s_type->name, -rc);
649                         goto out;
650                 }
651         }
652
653         if (strcmp(sb->s_type->name, "proc") == 0)
654                 sbsec->proc = 1;
655
656         sbsec->initialized = 1;
657
658         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
659                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
660                        sb->s_id, sb->s_type->name);
661         }
662         else {
663                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
664                        sb->s_id, sb->s_type->name,
665                        labeling_behaviors[sbsec->behavior-1]);
666         }
667
668         /* Initialize the root inode. */
669         rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
670
671         /* Initialize any other inodes associated with the superblock, e.g.
672            inodes created prior to initial policy load or inodes created
673            during get_sb by a pseudo filesystem that directly
674            populates itself. */
675         spin_lock(&sbsec->isec_lock);
676 next_inode:
677         if (!list_empty(&sbsec->isec_head)) {
678                 struct inode_security_struct *isec =
679                                 list_entry(sbsec->isec_head.next,
680                                            struct inode_security_struct, list);
681                 struct inode *inode = isec->inode;
682                 spin_unlock(&sbsec->isec_lock);
683                 inode = igrab(inode);
684                 if (inode) {
685                         if (!IS_PRIVATE (inode))
686                                 inode_doinit(inode);
687                         iput(inode);
688                 }
689                 spin_lock(&sbsec->isec_lock);
690                 list_del_init(&isec->list);
691                 goto next_inode;
692         }
693         spin_unlock(&sbsec->isec_lock);
694 out:
695         mutex_unlock(&sbsec->lock);
696         return rc;
697 }
698
699 static inline u16 inode_mode_to_security_class(umode_t mode)
700 {
701         switch (mode & S_IFMT) {
702         case S_IFSOCK:
703                 return SECCLASS_SOCK_FILE;
704         case S_IFLNK:
705                 return SECCLASS_LNK_FILE;
706         case S_IFREG:
707                 return SECCLASS_FILE;
708         case S_IFBLK:
709                 return SECCLASS_BLK_FILE;
710         case S_IFDIR:
711                 return SECCLASS_DIR;
712         case S_IFCHR:
713                 return SECCLASS_CHR_FILE;
714         case S_IFIFO:
715                 return SECCLASS_FIFO_FILE;
716
717         }
718
719         return SECCLASS_FILE;
720 }
721
722 static inline int default_protocol_stream(int protocol)
723 {
724         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
725 }
726
727 static inline int default_protocol_dgram(int protocol)
728 {
729         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
730 }
731
732 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
733 {
734         switch (family) {
735         case PF_UNIX:
736                 switch (type) {
737                 case SOCK_STREAM:
738                 case SOCK_SEQPACKET:
739                         return SECCLASS_UNIX_STREAM_SOCKET;
740                 case SOCK_DGRAM:
741                         return SECCLASS_UNIX_DGRAM_SOCKET;
742                 }
743                 break;
744         case PF_INET:
745         case PF_INET6:
746                 switch (type) {
747                 case SOCK_STREAM:
748                         if (default_protocol_stream(protocol))
749                                 return SECCLASS_TCP_SOCKET;
750                         else
751                                 return SECCLASS_RAWIP_SOCKET;
752                 case SOCK_DGRAM:
753                         if (default_protocol_dgram(protocol))
754                                 return SECCLASS_UDP_SOCKET;
755                         else
756                                 return SECCLASS_RAWIP_SOCKET;
757                 case SOCK_DCCP:
758                         return SECCLASS_DCCP_SOCKET;
759                 default:
760                         return SECCLASS_RAWIP_SOCKET;
761                 }
762                 break;
763         case PF_NETLINK:
764                 switch (protocol) {
765                 case NETLINK_ROUTE:
766                         return SECCLASS_NETLINK_ROUTE_SOCKET;
767                 case NETLINK_FIREWALL:
768                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
769                 case NETLINK_INET_DIAG:
770                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
771                 case NETLINK_NFLOG:
772                         return SECCLASS_NETLINK_NFLOG_SOCKET;
773                 case NETLINK_XFRM:
774                         return SECCLASS_NETLINK_XFRM_SOCKET;
775                 case NETLINK_SELINUX:
776                         return SECCLASS_NETLINK_SELINUX_SOCKET;
777                 case NETLINK_AUDIT:
778                         return SECCLASS_NETLINK_AUDIT_SOCKET;
779                 case NETLINK_IP6_FW:
780                         return SECCLASS_NETLINK_IP6FW_SOCKET;
781                 case NETLINK_DNRTMSG:
782                         return SECCLASS_NETLINK_DNRT_SOCKET;
783                 case NETLINK_KOBJECT_UEVENT:
784                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
785                 default:
786                         return SECCLASS_NETLINK_SOCKET;
787                 }
788         case PF_PACKET:
789                 return SECCLASS_PACKET_SOCKET;
790         case PF_KEY:
791                 return SECCLASS_KEY_SOCKET;
792         case PF_APPLETALK:
793                 return SECCLASS_APPLETALK_SOCKET;
794         }
795
796         return SECCLASS_SOCKET;
797 }
798
799 #ifdef CONFIG_PROC_FS
800 static int selinux_proc_get_sid(struct proc_dir_entry *de,
801                                 u16 tclass,
802                                 u32 *sid)
803 {
804         int buflen, rc;
805         char *buffer, *path, *end;
806
807         buffer = (char*)__get_free_page(GFP_KERNEL);
808         if (!buffer)
809                 return -ENOMEM;
810
811         buflen = PAGE_SIZE;
812         end = buffer+buflen;
813         *--end = '\0';
814         buflen--;
815         path = end-1;
816         *path = '/';
817         while (de && de != de->parent) {
818                 buflen -= de->namelen + 1;
819                 if (buflen < 0)
820                         break;
821                 end -= de->namelen;
822                 memcpy(end, de->name, de->namelen);
823                 *--end = '/';
824                 path = end;
825                 de = de->parent;
826         }
827         rc = security_genfs_sid("proc", path, tclass, sid);
828         free_page((unsigned long)buffer);
829         return rc;
830 }
831 #else
832 static int selinux_proc_get_sid(struct proc_dir_entry *de,
833                                 u16 tclass,
834                                 u32 *sid)
835 {
836         return -EINVAL;
837 }
838 #endif
839
840 /* The inode's security attributes must be initialized before first use. */
841 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
842 {
843         struct superblock_security_struct *sbsec = NULL;
844         struct inode_security_struct *isec = inode->i_security;
845         u32 sid;
846         struct dentry *dentry;
847 #define INITCONTEXTLEN 255
848         char *context = NULL;
849         unsigned len = 0;
850         int rc = 0;
851
852         if (isec->initialized)
853                 goto out;
854
855         mutex_lock(&isec->lock);
856         if (isec->initialized)
857                 goto out_unlock;
858
859         sbsec = inode->i_sb->s_security;
860         if (!sbsec->initialized) {
861                 /* Defer initialization until selinux_complete_init,
862                    after the initial policy is loaded and the security
863                    server is ready to handle calls. */
864                 spin_lock(&sbsec->isec_lock);
865                 if (list_empty(&isec->list))
866                         list_add(&isec->list, &sbsec->isec_head);
867                 spin_unlock(&sbsec->isec_lock);
868                 goto out_unlock;
869         }
870
871         switch (sbsec->behavior) {
872         case SECURITY_FS_USE_XATTR:
873                 if (!inode->i_op->getxattr) {
874                         isec->sid = sbsec->def_sid;
875                         break;
876                 }
877
878                 /* Need a dentry, since the xattr API requires one.
879                    Life would be simpler if we could just pass the inode. */
880                 if (opt_dentry) {
881                         /* Called from d_instantiate or d_splice_alias. */
882                         dentry = dget(opt_dentry);
883                 } else {
884                         /* Called from selinux_complete_init, try to find a dentry. */
885                         dentry = d_find_alias(inode);
886                 }
887                 if (!dentry) {
888                         printk(KERN_WARNING "%s:  no dentry for dev=%s "
889                                "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
890                                inode->i_ino);
891                         goto out_unlock;
892                 }
893
894                 len = INITCONTEXTLEN;
895                 context = kmalloc(len, GFP_KERNEL);
896                 if (!context) {
897                         rc = -ENOMEM;
898                         dput(dentry);
899                         goto out_unlock;
900                 }
901                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
902                                            context, len);
903                 if (rc == -ERANGE) {
904                         /* Need a larger buffer.  Query for the right size. */
905                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
906                                                    NULL, 0);
907                         if (rc < 0) {
908                                 dput(dentry);
909                                 goto out_unlock;
910                         }
911                         kfree(context);
912                         len = rc;
913                         context = kmalloc(len, GFP_KERNEL);
914                         if (!context) {
915                                 rc = -ENOMEM;
916                                 dput(dentry);
917                                 goto out_unlock;
918                         }
919                         rc = inode->i_op->getxattr(dentry,
920                                                    XATTR_NAME_SELINUX,
921                                                    context, len);
922                 }
923                 dput(dentry);
924                 if (rc < 0) {
925                         if (rc != -ENODATA) {
926                                 printk(KERN_WARNING "%s:  getxattr returned "
927                                        "%d for dev=%s ino=%ld\n", __FUNCTION__,
928                                        -rc, inode->i_sb->s_id, inode->i_ino);
929                                 kfree(context);
930                                 goto out_unlock;
931                         }
932                         /* Map ENODATA to the default file SID */
933                         sid = sbsec->def_sid;
934                         rc = 0;
935                 } else {
936                         rc = security_context_to_sid_default(context, rc, &sid,
937                                                              sbsec->def_sid);
938                         if (rc) {
939                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
940                                        "returned %d for dev=%s ino=%ld\n",
941                                        __FUNCTION__, context, -rc,
942                                        inode->i_sb->s_id, inode->i_ino);
943                                 kfree(context);
944                                 /* Leave with the unlabeled SID */
945                                 rc = 0;
946                                 break;
947                         }
948                 }
949                 kfree(context);
950                 isec->sid = sid;
951                 break;
952         case SECURITY_FS_USE_TASK:
953                 isec->sid = isec->task_sid;
954                 break;
955         case SECURITY_FS_USE_TRANS:
956                 /* Default to the fs SID. */
957                 isec->sid = sbsec->sid;
958
959                 /* Try to obtain a transition SID. */
960                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
961                 rc = security_transition_sid(isec->task_sid,
962                                              sbsec->sid,
963                                              isec->sclass,
964                                              &sid);
965                 if (rc)
966                         goto out_unlock;
967                 isec->sid = sid;
968                 break;
969         case SECURITY_FS_USE_MNTPOINT:
970                 isec->sid = sbsec->mntpoint_sid;
971                 break;
972         default:
973                 /* Default to the fs superblock SID. */
974                 isec->sid = sbsec->sid;
975
976                 if (sbsec->proc) {
977                         struct proc_inode *proci = PROC_I(inode);
978                         if (proci->pde) {
979                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
980                                 rc = selinux_proc_get_sid(proci->pde,
981                                                           isec->sclass,
982                                                           &sid);
983                                 if (rc)
984                                         goto out_unlock;
985                                 isec->sid = sid;
986                         }
987                 }
988                 break;
989         }
990
991         isec->initialized = 1;
992
993 out_unlock:
994         mutex_unlock(&isec->lock);
995 out:
996         if (isec->sclass == SECCLASS_FILE)
997                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
998         return rc;
999 }
1000
1001 /* Convert a Linux signal to an access vector. */
1002 static inline u32 signal_to_av(int sig)
1003 {
1004         u32 perm = 0;
1005
1006         switch (sig) {
1007         case SIGCHLD:
1008                 /* Commonly granted from child to parent. */
1009                 perm = PROCESS__SIGCHLD;
1010                 break;
1011         case SIGKILL:
1012                 /* Cannot be caught or ignored */
1013                 perm = PROCESS__SIGKILL;
1014                 break;
1015         case SIGSTOP:
1016                 /* Cannot be caught or ignored */
1017                 perm = PROCESS__SIGSTOP;
1018                 break;
1019         default:
1020                 /* All other signals. */
1021                 perm = PROCESS__SIGNAL;
1022                 break;
1023         }
1024
1025         return perm;
1026 }
1027
1028 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1029    fork check, ptrace check, etc. */
1030 static int task_has_perm(struct task_struct *tsk1,
1031                          struct task_struct *tsk2,
1032                          u32 perms)
1033 {
1034         struct task_security_struct *tsec1, *tsec2;
1035
1036         tsec1 = tsk1->security;
1037         tsec2 = tsk2->security;
1038         return avc_has_perm(tsec1->sid, tsec2->sid,
1039                             SECCLASS_PROCESS, perms, NULL);
1040 }
1041
1042 /* Check whether a task is allowed to use a capability. */
1043 static int task_has_capability(struct task_struct *tsk,
1044                                int cap)
1045 {
1046         struct task_security_struct *tsec;
1047         struct avc_audit_data ad;
1048
1049         tsec = tsk->security;
1050
1051         AVC_AUDIT_DATA_INIT(&ad,CAP);
1052         ad.tsk = tsk;
1053         ad.u.cap = cap;
1054
1055         return avc_has_perm(tsec->sid, tsec->sid,
1056                             SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1057 }
1058
1059 /* Check whether a task is allowed to use a system operation. */
1060 static int task_has_system(struct task_struct *tsk,
1061                            u32 perms)
1062 {
1063         struct task_security_struct *tsec;
1064
1065         tsec = tsk->security;
1066
1067         return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1068                             SECCLASS_SYSTEM, perms, NULL);
1069 }
1070
1071 /* Check whether a task has a particular permission to an inode.
1072    The 'adp' parameter is optional and allows other audit
1073    data to be passed (e.g. the dentry). */
1074 static int inode_has_perm(struct task_struct *tsk,
1075                           struct inode *inode,
1076                           u32 perms,
1077                           struct avc_audit_data *adp)
1078 {
1079         struct task_security_struct *tsec;
1080         struct inode_security_struct *isec;
1081         struct avc_audit_data ad;
1082
1083         if (unlikely (IS_PRIVATE (inode)))
1084                 return 0;
1085
1086         tsec = tsk->security;
1087         isec = inode->i_security;
1088
1089         if (!adp) {
1090                 adp = &ad;
1091                 AVC_AUDIT_DATA_INIT(&ad, FS);
1092                 ad.u.fs.inode = inode;
1093         }
1094
1095         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1096 }
1097
1098 /* Same as inode_has_perm, but pass explicit audit data containing
1099    the dentry to help the auditing code to more easily generate the
1100    pathname if needed. */
1101 static inline int dentry_has_perm(struct task_struct *tsk,
1102                                   struct vfsmount *mnt,
1103                                   struct dentry *dentry,
1104                                   u32 av)
1105 {
1106         struct inode *inode = dentry->d_inode;
1107         struct avc_audit_data ad;
1108         AVC_AUDIT_DATA_INIT(&ad,FS);
1109         ad.u.fs.mnt = mnt;
1110         ad.u.fs.dentry = dentry;
1111         return inode_has_perm(tsk, inode, av, &ad);
1112 }
1113
1114 /* Check whether a task can use an open file descriptor to
1115    access an inode in a given way.  Check access to the
1116    descriptor itself, and then use dentry_has_perm to
1117    check a particular permission to the file.
1118    Access to the descriptor is implicitly granted if it
1119    has the same SID as the process.  If av is zero, then
1120    access to the file is not checked, e.g. for cases
1121    where only the descriptor is affected like seek. */
1122 static int file_has_perm(struct task_struct *tsk,
1123                                 struct file *file,
1124                                 u32 av)
1125 {
1126         struct task_security_struct *tsec = tsk->security;
1127         struct file_security_struct *fsec = file->f_security;
1128         struct vfsmount *mnt = file->f_path.mnt;
1129         struct dentry *dentry = file->f_path.dentry;
1130         struct inode *inode = dentry->d_inode;
1131         struct avc_audit_data ad;
1132         int rc;
1133
1134         AVC_AUDIT_DATA_INIT(&ad, FS);
1135         ad.u.fs.mnt = mnt;
1136         ad.u.fs.dentry = dentry;
1137
1138         if (tsec->sid != fsec->sid) {
1139                 rc = avc_has_perm(tsec->sid, fsec->sid,
1140                                   SECCLASS_FD,
1141                                   FD__USE,
1142                                   &ad);
1143                 if (rc)
1144                         return rc;
1145         }
1146
1147         /* av is zero if only checking access to the descriptor. */
1148         if (av)
1149                 return inode_has_perm(tsk, inode, av, &ad);
1150
1151         return 0;
1152 }
1153
1154 /* Check whether a task can create a file. */
1155 static int may_create(struct inode *dir,
1156                       struct dentry *dentry,
1157                       u16 tclass)
1158 {
1159         struct task_security_struct *tsec;
1160         struct inode_security_struct *dsec;
1161         struct superblock_security_struct *sbsec;
1162         u32 newsid;
1163         struct avc_audit_data ad;
1164         int rc;
1165
1166         tsec = current->security;
1167         dsec = dir->i_security;
1168         sbsec = dir->i_sb->s_security;
1169
1170         AVC_AUDIT_DATA_INIT(&ad, FS);
1171         ad.u.fs.dentry = dentry;
1172
1173         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1174                           DIR__ADD_NAME | DIR__SEARCH,
1175                           &ad);
1176         if (rc)
1177                 return rc;
1178
1179         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1180                 newsid = tsec->create_sid;
1181         } else {
1182                 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1183                                              &newsid);
1184                 if (rc)
1185                         return rc;
1186         }
1187
1188         rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1189         if (rc)
1190                 return rc;
1191
1192         return avc_has_perm(newsid, sbsec->sid,
1193                             SECCLASS_FILESYSTEM,
1194                             FILESYSTEM__ASSOCIATE, &ad);
1195 }
1196
1197 /* Check whether a task can create a key. */
1198 static int may_create_key(u32 ksid,
1199                           struct task_struct *ctx)
1200 {
1201         struct task_security_struct *tsec;
1202
1203         tsec = ctx->security;
1204
1205         return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1206 }
1207
1208 #define MAY_LINK   0
1209 #define MAY_UNLINK 1
1210 #define MAY_RMDIR  2
1211
1212 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1213 static int may_link(struct inode *dir,
1214                     struct dentry *dentry,
1215                     int kind)
1216
1217 {
1218         struct task_security_struct *tsec;
1219         struct inode_security_struct *dsec, *isec;
1220         struct avc_audit_data ad;
1221         u32 av;
1222         int rc;
1223
1224         tsec = current->security;
1225         dsec = dir->i_security;
1226         isec = dentry->d_inode->i_security;
1227
1228         AVC_AUDIT_DATA_INIT(&ad, FS);
1229         ad.u.fs.dentry = dentry;
1230
1231         av = DIR__SEARCH;
1232         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1233         rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1234         if (rc)
1235                 return rc;
1236
1237         switch (kind) {
1238         case MAY_LINK:
1239                 av = FILE__LINK;
1240                 break;
1241         case MAY_UNLINK:
1242                 av = FILE__UNLINK;
1243                 break;
1244         case MAY_RMDIR:
1245                 av = DIR__RMDIR;
1246                 break;
1247         default:
1248                 printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
1249                 return 0;
1250         }
1251
1252         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1253         return rc;
1254 }
1255
1256 static inline int may_rename(struct inode *old_dir,
1257                              struct dentry *old_dentry,
1258                              struct inode *new_dir,
1259                              struct dentry *new_dentry)
1260 {
1261         struct task_security_struct *tsec;
1262         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1263         struct avc_audit_data ad;
1264         u32 av;
1265         int old_is_dir, new_is_dir;
1266         int rc;
1267
1268         tsec = current->security;
1269         old_dsec = old_dir->i_security;
1270         old_isec = old_dentry->d_inode->i_security;
1271         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1272         new_dsec = new_dir->i_security;
1273
1274         AVC_AUDIT_DATA_INIT(&ad, FS);
1275
1276         ad.u.fs.dentry = old_dentry;
1277         rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1278                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1279         if (rc)
1280                 return rc;
1281         rc = avc_has_perm(tsec->sid, old_isec->sid,
1282                           old_isec->sclass, FILE__RENAME, &ad);
1283         if (rc)
1284                 return rc;
1285         if (old_is_dir && new_dir != old_dir) {
1286                 rc = avc_has_perm(tsec->sid, old_isec->sid,
1287                                   old_isec->sclass, DIR__REPARENT, &ad);
1288                 if (rc)
1289                         return rc;
1290         }
1291
1292         ad.u.fs.dentry = new_dentry;
1293         av = DIR__ADD_NAME | DIR__SEARCH;
1294         if (new_dentry->d_inode)
1295                 av |= DIR__REMOVE_NAME;
1296         rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1297         if (rc)
1298                 return rc;
1299         if (new_dentry->d_inode) {
1300                 new_isec = new_dentry->d_inode->i_security;
1301                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1302                 rc = avc_has_perm(tsec->sid, new_isec->sid,
1303                                   new_isec->sclass,
1304                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1305                 if (rc)
1306                         return rc;
1307         }
1308
1309         return 0;
1310 }
1311
1312 /* Check whether a task can perform a filesystem operation. */
1313 static int superblock_has_perm(struct task_struct *tsk,
1314                                struct super_block *sb,
1315                                u32 perms,
1316                                struct avc_audit_data *ad)
1317 {
1318         struct task_security_struct *tsec;
1319         struct superblock_security_struct *sbsec;
1320
1321         tsec = tsk->security;
1322         sbsec = sb->s_security;
1323         return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1324                             perms, ad);
1325 }
1326
1327 /* Convert a Linux mode and permission mask to an access vector. */
1328 static inline u32 file_mask_to_av(int mode, int mask)
1329 {
1330         u32 av = 0;
1331
1332         if ((mode & S_IFMT) != S_IFDIR) {
1333                 if (mask & MAY_EXEC)
1334                         av |= FILE__EXECUTE;
1335                 if (mask & MAY_READ)
1336                         av |= FILE__READ;
1337
1338                 if (mask & MAY_APPEND)
1339                         av |= FILE__APPEND;
1340                 else if (mask & MAY_WRITE)
1341                         av |= FILE__WRITE;
1342
1343         } else {
1344                 if (mask & MAY_EXEC)
1345                         av |= DIR__SEARCH;
1346                 if (mask & MAY_WRITE)
1347                         av |= DIR__WRITE;
1348                 if (mask & MAY_READ)
1349                         av |= DIR__READ;
1350         }
1351
1352         return av;
1353 }
1354
1355 /* Convert a Linux file to an access vector. */
1356 static inline u32 file_to_av(struct file *file)
1357 {
1358         u32 av = 0;
1359
1360         if (file->f_mode & FMODE_READ)
1361                 av |= FILE__READ;
1362         if (file->f_mode & FMODE_WRITE) {
1363                 if (file->f_flags & O_APPEND)
1364                         av |= FILE__APPEND;
1365                 else
1366                         av |= FILE__WRITE;
1367         }
1368
1369         return av;
1370 }
1371
1372 /* Hook functions begin here. */
1373
1374 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1375 {
1376         struct task_security_struct *psec = parent->security;
1377         struct task_security_struct *csec = child->security;
1378         int rc;
1379
1380         rc = secondary_ops->ptrace(parent,child);
1381         if (rc)
1382                 return rc;
1383
1384         rc = task_has_perm(parent, child, PROCESS__PTRACE);
1385         /* Save the SID of the tracing process for later use in apply_creds. */
1386         if (!(child->ptrace & PT_PTRACED) && !rc)
1387                 csec->ptrace_sid = psec->sid;
1388         return rc;
1389 }
1390
1391 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1392                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1393 {
1394         int error;
1395
1396         error = task_has_perm(current, target, PROCESS__GETCAP);
1397         if (error)
1398                 return error;
1399
1400         return secondary_ops->capget(target, effective, inheritable, permitted);
1401 }
1402
1403 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1404                                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1405 {
1406         int error;
1407
1408         error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1409         if (error)
1410                 return error;
1411
1412         return task_has_perm(current, target, PROCESS__SETCAP);
1413 }
1414
1415 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1416                                kernel_cap_t *inheritable, kernel_cap_t *permitted)
1417 {
1418         secondary_ops->capset_set(target, effective, inheritable, permitted);
1419 }
1420
1421 static int selinux_capable(struct task_struct *tsk, int cap)
1422 {
1423         int rc;
1424
1425         rc = secondary_ops->capable(tsk, cap);
1426         if (rc)
1427                 return rc;
1428
1429         return task_has_capability(tsk,cap);
1430 }
1431
1432 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1433 {
1434         int buflen, rc;
1435         char *buffer, *path, *end;
1436
1437         rc = -ENOMEM;
1438         buffer = (char*)__get_free_page(GFP_KERNEL);
1439         if (!buffer)
1440                 goto out;
1441
1442         buflen = PAGE_SIZE;
1443         end = buffer+buflen;
1444         *--end = '\0';
1445         buflen--;
1446         path = end-1;
1447         *path = '/';
1448         while (table) {
1449                 const char *name = table->procname;
1450                 size_t namelen = strlen(name);
1451                 buflen -= namelen + 1;
1452                 if (buflen < 0)
1453                         goto out_free;
1454                 end -= namelen;
1455                 memcpy(end, name, namelen);
1456                 *--end = '/';
1457                 path = end;
1458                 table = table->parent;
1459         }
1460         buflen -= 4;
1461         if (buflen < 0)
1462                 goto out_free;
1463         end -= 4;
1464         memcpy(end, "/sys", 4);
1465         path = end;
1466         rc = security_genfs_sid("proc", path, tclass, sid);
1467 out_free:
1468         free_page((unsigned long)buffer);
1469 out:
1470         return rc;
1471 }
1472
1473 static int selinux_sysctl(ctl_table *table, int op)
1474 {
1475         int error = 0;
1476         u32 av;
1477         struct task_security_struct *tsec;
1478         u32 tsid;
1479         int rc;
1480
1481         rc = secondary_ops->sysctl(table, op);
1482         if (rc)
1483                 return rc;
1484
1485         tsec = current->security;
1486
1487         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1488                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1489         if (rc) {
1490                 /* Default to the well-defined sysctl SID. */
1491                 tsid = SECINITSID_SYSCTL;
1492         }
1493
1494         /* The op values are "defined" in sysctl.c, thereby creating
1495          * a bad coupling between this module and sysctl.c */
1496         if(op == 001) {
1497                 error = avc_has_perm(tsec->sid, tsid,
1498                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1499         } else {
1500                 av = 0;
1501                 if (op & 004)
1502                         av |= FILE__READ;
1503                 if (op & 002)
1504                         av |= FILE__WRITE;
1505                 if (av)
1506                         error = avc_has_perm(tsec->sid, tsid,
1507                                              SECCLASS_FILE, av, NULL);
1508         }
1509
1510         return error;
1511 }
1512
1513 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1514 {
1515         int rc = 0;
1516
1517         if (!sb)
1518                 return 0;
1519
1520         switch (cmds) {
1521                 case Q_SYNC:
1522                 case Q_QUOTAON:
1523                 case Q_QUOTAOFF:
1524                 case Q_SETINFO:
1525                 case Q_SETQUOTA:
1526                         rc = superblock_has_perm(current,
1527                                                  sb,
1528                                                  FILESYSTEM__QUOTAMOD, NULL);
1529                         break;
1530                 case Q_GETFMT:
1531                 case Q_GETINFO:
1532                 case Q_GETQUOTA:
1533                         rc = superblock_has_perm(current,
1534                                                  sb,
1535                                                  FILESYSTEM__QUOTAGET, NULL);
1536                         break;
1537                 default:
1538                         rc = 0;  /* let the kernel handle invalid cmds */
1539                         break;
1540         }
1541         return rc;
1542 }
1543
1544 static int selinux_quota_on(struct dentry *dentry)
1545 {
1546         return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1547 }
1548
1549 static int selinux_syslog(int type)
1550 {
1551         int rc;
1552
1553         rc = secondary_ops->syslog(type);
1554         if (rc)
1555                 return rc;
1556
1557         switch (type) {
1558                 case 3:         /* Read last kernel messages */
1559                 case 10:        /* Return size of the log buffer */
1560                         rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1561                         break;
1562                 case 6:         /* Disable logging to console */
1563                 case 7:         /* Enable logging to console */
1564                 case 8:         /* Set level of messages printed to console */
1565                         rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1566                         break;
1567                 case 0:         /* Close log */
1568                 case 1:         /* Open log */
1569                 case 2:         /* Read from log */
1570                 case 4:         /* Read/clear last kernel messages */
1571                 case 5:         /* Clear ring buffer */
1572                 default:
1573                         rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1574                         break;
1575         }
1576         return rc;
1577 }
1578
1579 /*
1580  * Check that a process has enough memory to allocate a new virtual
1581  * mapping. 0 means there is enough memory for the allocation to
1582  * succeed and -ENOMEM implies there is not.
1583  *
1584  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1585  * if the capability is granted, but __vm_enough_memory requires 1 if
1586  * the capability is granted.
1587  *
1588  * Do not audit the selinux permission check, as this is applied to all
1589  * processes that allocate mappings.
1590  */
1591 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1592 {
1593         int rc, cap_sys_admin = 0;
1594         struct task_security_struct *tsec = current->security;
1595
1596         rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1597         if (rc == 0)
1598                 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1599                                           SECCLASS_CAPABILITY,
1600                                           CAP_TO_MASK(CAP_SYS_ADMIN),
1601                                           0,
1602                                           NULL);
1603
1604         if (rc == 0)
1605                 cap_sys_admin = 1;
1606
1607         return __vm_enough_memory(mm, pages, cap_sys_admin);
1608 }
1609
1610 /* binprm security operations */
1611
1612 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1613 {
1614         struct bprm_security_struct *bsec;
1615
1616         bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1617         if (!bsec)
1618                 return -ENOMEM;
1619
1620         bsec->bprm = bprm;
1621         bsec->sid = SECINITSID_UNLABELED;
1622         bsec->set = 0;
1623
1624         bprm->security = bsec;
1625         return 0;
1626 }
1627
1628 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1629 {
1630         struct task_security_struct *tsec;
1631         struct inode *inode = bprm->file->f_path.dentry->d_inode;
1632         struct inode_security_struct *isec;
1633         struct bprm_security_struct *bsec;
1634         u32 newsid;
1635         struct avc_audit_data ad;
1636         int rc;
1637
1638         rc = secondary_ops->bprm_set_security(bprm);
1639         if (rc)
1640                 return rc;
1641
1642         bsec = bprm->security;
1643
1644         if (bsec->set)
1645                 return 0;
1646
1647         tsec = current->security;
1648         isec = inode->i_security;
1649
1650         /* Default to the current task SID. */
1651         bsec->sid = tsec->sid;
1652
1653         /* Reset fs, key, and sock SIDs on execve. */
1654         tsec->create_sid = 0;
1655         tsec->keycreate_sid = 0;
1656         tsec->sockcreate_sid = 0;
1657
1658         if (tsec->exec_sid) {
1659                 newsid = tsec->exec_sid;
1660                 /* Reset exec SID on execve. */
1661                 tsec->exec_sid = 0;
1662         } else {
1663                 /* Check for a default transition on this program. */
1664                 rc = security_transition_sid(tsec->sid, isec->sid,
1665                                              SECCLASS_PROCESS, &newsid);
1666                 if (rc)
1667                         return rc;
1668         }
1669
1670         AVC_AUDIT_DATA_INIT(&ad, FS);
1671         ad.u.fs.mnt = bprm->file->f_path.mnt;
1672         ad.u.fs.dentry = bprm->file->f_path.dentry;
1673
1674         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1675                 newsid = tsec->sid;
1676
1677         if (tsec->sid == newsid) {
1678                 rc = avc_has_perm(tsec->sid, isec->sid,
1679                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1680                 if (rc)
1681                         return rc;
1682         } else {
1683                 /* Check permissions for the transition. */
1684                 rc = avc_has_perm(tsec->sid, newsid,
1685                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1686                 if (rc)
1687                         return rc;
1688
1689                 rc = avc_has_perm(newsid, isec->sid,
1690                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1691                 if (rc)
1692                         return rc;
1693
1694                 /* Clear any possibly unsafe personality bits on exec: */
1695                 current->personality &= ~PER_CLEAR_ON_SETID;
1696
1697                 /* Set the security field to the new SID. */
1698                 bsec->sid = newsid;
1699         }
1700
1701         bsec->set = 1;
1702         return 0;
1703 }
1704
1705 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1706 {
1707         return secondary_ops->bprm_check_security(bprm);
1708 }
1709
1710
1711 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1712 {
1713         struct task_security_struct *tsec = current->security;
1714         int atsecure = 0;
1715
1716         if (tsec->osid != tsec->sid) {
1717                 /* Enable secure mode for SIDs transitions unless
1718                    the noatsecure permission is granted between
1719                    the two SIDs, i.e. ahp returns 0. */
1720                 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1721                                          SECCLASS_PROCESS,
1722                                          PROCESS__NOATSECURE, NULL);
1723         }
1724
1725         return (atsecure || secondary_ops->bprm_secureexec(bprm));
1726 }
1727
1728 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1729 {
1730         kfree(bprm->security);
1731         bprm->security = NULL;
1732 }
1733
1734 extern struct vfsmount *selinuxfs_mount;
1735 extern struct dentry *selinux_null;
1736
1737 /* Derived from fs/exec.c:flush_old_files. */
1738 static inline void flush_unauthorized_files(struct files_struct * files)
1739 {
1740         struct avc_audit_data ad;
1741         struct file *file, *devnull = NULL;
1742         struct tty_struct *tty;
1743         struct fdtable *fdt;
1744         long j = -1;
1745         int drop_tty = 0;
1746
1747         mutex_lock(&tty_mutex);
1748         tty = get_current_tty();
1749         if (tty) {
1750                 file_list_lock();
1751                 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1752                 if (file) {
1753                         /* Revalidate access to controlling tty.
1754                            Use inode_has_perm on the tty inode directly rather
1755                            than using file_has_perm, as this particular open
1756                            file may belong to another process and we are only
1757                            interested in the inode-based check here. */
1758                         struct inode *inode = file->f_path.dentry->d_inode;
1759                         if (inode_has_perm(current, inode,
1760                                            FILE__READ | FILE__WRITE, NULL)) {
1761                                 drop_tty = 1;
1762                         }
1763                 }
1764                 file_list_unlock();
1765         }
1766         mutex_unlock(&tty_mutex);
1767         /* Reset controlling tty. */
1768         if (drop_tty)
1769                 no_tty();
1770
1771         /* Revalidate access to inherited open files. */
1772
1773         AVC_AUDIT_DATA_INIT(&ad,FS);
1774
1775         spin_lock(&files->file_lock);
1776         for (;;) {
1777                 unsigned long set, i;
1778                 int fd;
1779
1780                 j++;
1781                 i = j * __NFDBITS;
1782                 fdt = files_fdtable(files);
1783                 if (i >= fdt->max_fds)
1784                         break;
1785                 set = fdt->open_fds->fds_bits[j];
1786                 if (!set)
1787                         continue;
1788                 spin_unlock(&files->file_lock);
1789                 for ( ; set ; i++,set >>= 1) {
1790                         if (set & 1) {
1791                                 file = fget(i);
1792                                 if (!file)
1793                                         continue;
1794                                 if (file_has_perm(current,
1795                                                   file,
1796                                                   file_to_av(file))) {
1797                                         sys_close(i);
1798                                         fd = get_unused_fd();
1799                                         if (fd != i) {
1800                                                 if (fd >= 0)
1801                                                         put_unused_fd(fd);
1802                                                 fput(file);
1803                                                 continue;
1804                                         }
1805                                         if (devnull) {
1806                                                 get_file(devnull);
1807                                         } else {
1808                                                 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1809                                                 if (IS_ERR(devnull)) {
1810                                                         devnull = NULL;
1811                                                         put_unused_fd(fd);
1812                                                         fput(file);
1813                                                         continue;
1814                                                 }
1815                                         }
1816                                         fd_install(fd, devnull);
1817                                 }
1818                                 fput(file);
1819                         }
1820                 }
1821                 spin_lock(&files->file_lock);
1822
1823         }
1824         spin_unlock(&files->file_lock);
1825 }
1826
1827 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1828 {
1829         struct task_security_struct *tsec;
1830         struct bprm_security_struct *bsec;
1831         u32 sid;
1832         int rc;
1833
1834         secondary_ops->bprm_apply_creds(bprm, unsafe);
1835
1836         tsec = current->security;
1837
1838         bsec = bprm->security;
1839         sid = bsec->sid;
1840
1841         tsec->osid = tsec->sid;
1842         bsec->unsafe = 0;
1843         if (tsec->sid != sid) {
1844                 /* Check for shared state.  If not ok, leave SID
1845                    unchanged and kill. */
1846                 if (unsafe & LSM_UNSAFE_SHARE) {
1847                         rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1848                                         PROCESS__SHARE, NULL);
1849                         if (rc) {
1850                                 bsec->unsafe = 1;
1851                                 return;
1852                         }
1853                 }
1854
1855                 /* Check for ptracing, and update the task SID if ok.
1856                    Otherwise, leave SID unchanged and kill. */
1857                 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1858                         rc = avc_has_perm(tsec->ptrace_sid, sid,
1859                                           SECCLASS_PROCESS, PROCESS__PTRACE,
1860                                           NULL);
1861                         if (rc) {
1862                                 bsec->unsafe = 1;
1863                                 return;
1864                         }
1865                 }
1866                 tsec->sid = sid;
1867         }
1868 }
1869
1870 /*
1871  * called after apply_creds without the task lock held
1872  */
1873 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1874 {
1875         struct task_security_struct *tsec;
1876         struct rlimit *rlim, *initrlim;
1877         struct itimerval itimer;
1878         struct bprm_security_struct *bsec;
1879         int rc, i;
1880
1881         tsec = current->security;
1882         bsec = bprm->security;
1883
1884         if (bsec->unsafe) {
1885                 force_sig_specific(SIGKILL, current);
1886                 return;
1887         }
1888         if (tsec->osid == tsec->sid)
1889                 return;
1890
1891         /* Close files for which the new task SID is not authorized. */
1892         flush_unauthorized_files(current->files);
1893
1894         /* Check whether the new SID can inherit signal state
1895            from the old SID.  If not, clear itimers to avoid
1896            subsequent signal generation and flush and unblock
1897            signals. This must occur _after_ the task SID has
1898           been updated so that any kill done after the flush
1899           will be checked against the new SID. */
1900         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1901                           PROCESS__SIGINH, NULL);
1902         if (rc) {
1903                 memset(&itimer, 0, sizeof itimer);
1904                 for (i = 0; i < 3; i++)
1905                         do_setitimer(i, &itimer, NULL);
1906                 flush_signals(current);
1907                 spin_lock_irq(&current->sighand->siglock);
1908                 flush_signal_handlers(current, 1);
1909                 sigemptyset(&current->blocked);
1910                 recalc_sigpending();
1911                 spin_unlock_irq(&current->sighand->siglock);
1912         }
1913
1914         /* Always clear parent death signal on SID transitions. */
1915         current->pdeath_signal = 0;
1916
1917         /* Check whether the new SID can inherit resource limits
1918            from the old SID.  If not, reset all soft limits to
1919            the lower of the current task's hard limit and the init
1920            task's soft limit.  Note that the setting of hard limits
1921            (even to lower them) can be controlled by the setrlimit
1922            check. The inclusion of the init task's soft limit into
1923            the computation is to avoid resetting soft limits higher
1924            than the default soft limit for cases where the default
1925            is lower than the hard limit, e.g. RLIMIT_CORE or
1926            RLIMIT_STACK.*/
1927         rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1928                           PROCESS__RLIMITINH, NULL);
1929         if (rc) {
1930                 for (i = 0; i < RLIM_NLIMITS; i++) {
1931                         rlim = current->signal->rlim + i;
1932                         initrlim = init_task.signal->rlim+i;
1933                         rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1934                 }
1935                 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1936                         /*
1937                          * This will cause RLIMIT_CPU calculations
1938                          * to be refigured.
1939                          */
1940                         current->it_prof_expires = jiffies_to_cputime(1);
1941                 }
1942         }
1943
1944         /* Wake up the parent if it is waiting so that it can
1945            recheck wait permission to the new task SID. */
1946         wake_up_interruptible(&current->parent->signal->wait_chldexit);
1947 }
1948
1949 /* superblock security operations */
1950
1951 static int selinux_sb_alloc_security(struct super_block *sb)
1952 {
1953         return superblock_alloc_security(sb);
1954 }
1955
1956 static void selinux_sb_free_security(struct super_block *sb)
1957 {
1958         superblock_free_security(sb);
1959 }
1960
1961 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1962 {
1963         if (plen > olen)
1964                 return 0;
1965
1966         return !memcmp(prefix, option, plen);
1967 }
1968
1969 static inline int selinux_option(char *option, int len)
1970 {
1971         return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1972                 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1973                 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1974                 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1975 }
1976
1977 static inline void take_option(char **to, char *from, int *first, int len)
1978 {
1979         if (!*first) {
1980                 **to = ',';
1981                 *to += 1;
1982         } else
1983                 *first = 0;
1984         memcpy(*to, from, len);
1985         *to += len;
1986 }
1987
1988 static inline void take_selinux_option(char **to, char *from, int *first, 
1989                                        int len)
1990 {
1991         int current_size = 0;
1992
1993         if (!*first) {
1994                 **to = '|';
1995                 *to += 1;
1996         }
1997         else
1998                 *first = 0;
1999
2000         while (current_size < len) {
2001                 if (*from != '"') {
2002                         **to = *from;
2003                         *to += 1;
2004                 }
2005                 from += 1;
2006                 current_size += 1;
2007         }
2008 }
2009
2010 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2011 {
2012         int fnosec, fsec, rc = 0;
2013         char *in_save, *in_curr, *in_end;
2014         char *sec_curr, *nosec_save, *nosec;
2015         int open_quote = 0;
2016
2017         in_curr = orig;
2018         sec_curr = copy;
2019
2020         /* Binary mount data: just copy */
2021         if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2022                 copy_page(sec_curr, in_curr);
2023                 goto out;
2024         }
2025
2026         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2027         if (!nosec) {
2028                 rc = -ENOMEM;
2029                 goto out;
2030         }
2031
2032         nosec_save = nosec;
2033         fnosec = fsec = 1;
2034         in_save = in_end = orig;
2035
2036         do {
2037                 if (*in_end == '"')
2038                         open_quote = !open_quote;
2039                 if ((*in_end == ',' && open_quote == 0) ||
2040                                 *in_end == '\0') {
2041                         int len = in_end - in_curr;
2042
2043                         if (selinux_option(in_curr, len))
2044                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2045                         else
2046                                 take_option(&nosec, in_curr, &fnosec, len);
2047
2048                         in_curr = in_end + 1;
2049                 }
2050         } while (*in_end++);
2051
2052         strcpy(in_save, nosec_save);
2053         free_page((unsigned long)nosec_save);
2054 out:
2055         return rc;
2056 }
2057
2058 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2059 {
2060         struct avc_audit_data ad;
2061         int rc;
2062
2063         rc = superblock_doinit(sb, data);
2064         if (rc)
2065                 return rc;
2066
2067         AVC_AUDIT_DATA_INIT(&ad,FS);
2068         ad.u.fs.dentry = sb->s_root;
2069         return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2070 }
2071
2072 static int selinux_sb_statfs(struct dentry *dentry)
2073 {
2074         struct avc_audit_data ad;
2075
2076         AVC_AUDIT_DATA_INIT(&ad,FS);
2077         ad.u.fs.dentry = dentry->d_sb->s_root;
2078         return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2079 }
2080
2081 static int selinux_mount(char * dev_name,
2082                          struct nameidata *nd,
2083                          char * type,
2084                          unsigned long flags,
2085                          void * data)
2086 {
2087         int rc;
2088
2089         rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2090         if (rc)
2091                 return rc;
2092
2093         if (flags & MS_REMOUNT)
2094                 return superblock_has_perm(current, nd->mnt->mnt_sb,
2095                                            FILESYSTEM__REMOUNT, NULL);
2096         else
2097                 return dentry_has_perm(current, nd->mnt, nd->dentry,
2098                                        FILE__MOUNTON);
2099 }
2100
2101 static int selinux_umount(struct vfsmount *mnt, int flags)
2102 {
2103         int rc;
2104
2105         rc = secondary_ops->sb_umount(mnt, flags);
2106         if (rc)
2107                 return rc;
2108
2109         return superblock_has_perm(current,mnt->mnt_sb,
2110                                    FILESYSTEM__UNMOUNT,NULL);
2111 }
2112
2113 /* inode security operations */
2114
2115 static int selinux_inode_alloc_security(struct inode *inode)
2116 {
2117         return inode_alloc_security(inode);
2118 }
2119
2120 static void selinux_inode_free_security(struct inode *inode)
2121 {
2122         inode_free_security(inode);
2123 }
2124
2125 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2126                                        char **name, void **value,
2127                                        size_t *len)
2128 {
2129         struct task_security_struct *tsec;
2130         struct inode_security_struct *dsec;
2131         struct superblock_security_struct *sbsec;
2132         u32 newsid, clen;
2133         int rc;
2134         char *namep = NULL, *context;
2135
2136         tsec = current->security;
2137         dsec = dir->i_security;
2138         sbsec = dir->i_sb->s_security;
2139
2140         if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2141                 newsid = tsec->create_sid;
2142         } else {
2143                 rc = security_transition_sid(tsec->sid, dsec->sid,
2144                                              inode_mode_to_security_class(inode->i_mode),
2145                                              &newsid);
2146                 if (rc) {
2147                         printk(KERN_WARNING "%s:  "
2148                                "security_transition_sid failed, rc=%d (dev=%s "
2149                                "ino=%ld)\n",
2150                                __FUNCTION__,
2151                                -rc, inode->i_sb->s_id, inode->i_ino);
2152                         return rc;
2153                 }
2154         }
2155
2156         /* Possibly defer initialization to selinux_complete_init. */
2157         if (sbsec->initialized) {
2158                 struct inode_security_struct *isec = inode->i_security;
2159                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2160                 isec->sid = newsid;
2161                 isec->initialized = 1;
2162         }
2163
2164         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2165                 return -EOPNOTSUPP;
2166
2167         if (name) {
2168                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2169                 if (!namep)
2170                         return -ENOMEM;
2171                 *name = namep;
2172         }
2173
2174         if (value && len) {
2175                 rc = security_sid_to_context(newsid, &context, &clen);
2176                 if (rc) {
2177                         kfree(namep);
2178                         return rc;
2179                 }
2180                 *value = context;
2181                 *len = clen;
2182         }
2183
2184         return 0;
2185 }
2186
2187 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2188 {
2189         return may_create(dir, dentry, SECCLASS_FILE);
2190 }
2191
2192 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2193 {
2194         int rc;
2195
2196         rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2197         if (rc)
2198                 return rc;
2199         return may_link(dir, old_dentry, MAY_LINK);
2200 }
2201
2202 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2203 {
2204         int rc;
2205
2206         rc = secondary_ops->inode_unlink(dir, dentry);
2207         if (rc)
2208                 return rc;
2209         return may_link(dir, dentry, MAY_UNLINK);
2210 }
2211
2212 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2213 {
2214         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2215 }
2216
2217 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2218 {
2219         return may_create(dir, dentry, SECCLASS_DIR);
2220 }
2221
2222 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2223 {
2224         return may_link(dir, dentry, MAY_RMDIR);
2225 }
2226
2227 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2228 {
2229         int rc;
2230
2231         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2232         if (rc)
2233                 return rc;
2234
2235         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2236 }
2237
2238 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2239                                 struct inode *new_inode, struct dentry *new_dentry)
2240 {
2241         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2242 }
2243
2244 static int selinux_inode_readlink(struct dentry *dentry)
2245 {
2246         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2247 }
2248
2249 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2250 {
2251         int rc;
2252
2253         rc = secondary_ops->inode_follow_link(dentry,nameidata);
2254         if (rc)
2255                 return rc;
2256         return dentry_has_perm(current, NULL, dentry, FILE__READ);
2257 }
2258
2259 static int selinux_inode_permission(struct inode *inode, int mask,
2260                                     struct nameidata *nd)
2261 {
2262         int rc;
2263
2264         rc = secondary_ops->inode_permission(inode, mask, nd);
2265         if (rc)
2266                 return rc;
2267
2268         if (!mask) {
2269                 /* No permission to check.  Existence test. */
2270                 return 0;
2271         }
2272
2273         return inode_has_perm(current, inode,
2274                                file_mask_to_av(inode->i_mode, mask), NULL);
2275 }
2276
2277 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2278 {
2279         int rc;
2280
2281         rc = secondary_ops->inode_setattr(dentry, iattr);
2282         if (rc)
2283                 return rc;
2284
2285         if (iattr->ia_valid & ATTR_FORCE)
2286                 return 0;
2287
2288         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2289                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2290                 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2291
2292         return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2293 }
2294
2295 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2296 {
2297         return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2298 }
2299
2300 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2301 {
2302         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2303                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2304                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2305                         if (!capable(CAP_SETFCAP))
2306                                 return -EPERM;
2307                 } else if (!capable(CAP_SYS_ADMIN)) {
2308                         /* A different attribute in the security namespace.
2309                            Restrict to administrator. */
2310                         return -EPERM;
2311                 }
2312         }
2313
2314         /* Not an attribute we recognize, so just check the
2315            ordinary setattr permission. */
2316         return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2317 }
2318
2319 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2320 {
2321         struct task_security_struct *tsec = current->security;
2322         struct inode *inode = dentry->d_inode;
2323         struct inode_security_struct *isec = inode->i_security;
2324         struct superblock_security_struct *sbsec;
2325         struct avc_audit_data ad;
2326         u32 newsid;
2327         int rc = 0;
2328
2329         if (strcmp(name, XATTR_NAME_SELINUX))
2330                 return selinux_inode_setotherxattr(dentry, name);
2331
2332         sbsec = inode->i_sb->s_security;
2333         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2334                 return -EOPNOTSUPP;
2335
2336         if (!is_owner_or_cap(inode))
2337                 return -EPERM;
2338
2339         AVC_AUDIT_DATA_INIT(&ad,FS);
2340         ad.u.fs.dentry = dentry;
2341
2342         rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2343                           FILE__RELABELFROM, &ad);
2344         if (rc)
2345                 return rc;
2346
2347         rc = security_context_to_sid(value, size, &newsid);
2348         if (rc)
2349                 return rc;
2350
2351         rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2352                           FILE__RELABELTO, &ad);
2353         if (rc)
2354                 return rc;
2355
2356         rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2357                                           isec->sclass);
2358         if (rc)
2359                 return rc;
2360
2361         return avc_has_perm(newsid,
2362                             sbsec->sid,
2363                             SECCLASS_FILESYSTEM,
2364                             FILESYSTEM__ASSOCIATE,
2365                             &ad);
2366 }
2367
2368 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2369                                         void *value, size_t size, int flags)
2370 {
2371         struct inode *inode = dentry->d_inode;
2372         struct inode_security_struct *isec = inode->i_security;
2373         u32 newsid;
2374         int rc;
2375
2376         if (strcmp(name, XATTR_NAME_SELINUX)) {
2377                 /* Not an attribute we recognize, so nothing to do. */
2378                 return;
2379         }
2380
2381         rc = security_context_to_sid(value, size, &newsid);
2382         if (rc) {
2383                 printk(KERN_WARNING "%s:  unable to obtain SID for context "
2384                        "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2385                 return;
2386         }
2387
2388         isec->sid = newsid;
2389         return;
2390 }
2391
2392 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2393 {
2394         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2395 }
2396
2397 static int selinux_inode_listxattr (struct dentry *dentry)
2398 {
2399         return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2400 }
2401
2402 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2403 {
2404         if (strcmp(name, XATTR_NAME_SELINUX))
2405                 return selinux_inode_setotherxattr(dentry, name);
2406
2407         /* No one is allowed to remove a SELinux security label.
2408            You can change the label, but all data must be labeled. */
2409         return -EACCES;
2410 }
2411
2412 /*
2413  * Copy the in-core inode security context value to the user.  If the
2414  * getxattr() prior to this succeeded, check to see if we need to
2415  * canonicalize the value to be finally returned to the user.
2416  *
2417  * Permission check is handled by selinux_inode_getxattr hook.
2418  */
2419 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2420 {
2421         struct inode_security_struct *isec = inode->i_security;
2422
2423         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2424                 return -EOPNOTSUPP;
2425
2426         return selinux_getsecurity(isec->sid, buffer, size);
2427 }
2428
2429 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2430                                      const void *value, size_t size, int flags)
2431 {
2432         struct inode_security_struct *isec = inode->i_security;
2433         u32 newsid;
2434         int rc;
2435
2436         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2437                 return -EOPNOTSUPP;
2438
2439         if (!value || !size)
2440                 return -EACCES;
2441
2442         rc = security_context_to_sid((void*)value, size, &newsid);
2443         if (rc)
2444                 return rc;
2445
2446         isec->sid = newsid;
2447         return 0;
2448 }
2449
2450 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2451 {
2452         const int len = sizeof(XATTR_NAME_SELINUX);
2453         if (buffer && len <= buffer_size)
2454                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2455         return len;
2456 }
2457
2458 static int selinux_inode_need_killpriv(struct dentry *dentry)
2459 {
2460         return secondary_ops->inode_need_killpriv(dentry);
2461 }
2462
2463 static int selinux_inode_killpriv(struct dentry *dentry)
2464 {
2465         return secondary_ops->inode_killpriv(dentry);
2466 }
2467
2468 /* file security operations */
2469
2470 static int selinux_revalidate_file_permission(struct file *file, int mask)
2471 {
2472         int rc;
2473         struct inode *inode = file->f_path.dentry->d_inode;
2474
2475         if (!mask) {
2476                 /* No permission to check.  Existence test. */
2477                 return 0;
2478         }
2479
2480         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2481         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2482                 mask |= MAY_APPEND;
2483
2484         rc = file_has_perm(current, file,
2485                            file_mask_to_av(inode->i_mode, mask));
2486         if (rc)
2487                 return rc;
2488
2489         return selinux_netlbl_inode_permission(inode, mask);
2490 }
2491
2492 static int selinux_file_permission(struct file *file, int mask)
2493 {
2494         struct inode *inode = file->f_path.dentry->d_inode;
2495         struct task_security_struct *tsec = current->security;
2496         struct file_security_struct *fsec = file->f_security;
2497         struct inode_security_struct *isec = inode->i_security;
2498
2499         if (!mask) {
2500                 /* No permission to check.  Existence test. */
2501                 return 0;
2502         }
2503
2504         if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2505             && fsec->pseqno == avc_policy_seqno())
2506                 return selinux_netlbl_inode_permission(inode, mask);
2507
2508         return selinux_revalidate_file_permission(file, mask);
2509 }
2510
2511 static int selinux_file_alloc_security(struct file *file)
2512 {
2513         return file_alloc_security(file);
2514 }
2515
2516 static void selinux_file_free_security(struct file *file)
2517 {
2518         file_free_security(file);
2519 }
2520
2521 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2522                               unsigned long arg)
2523 {
2524         int error = 0;
2525
2526         switch (cmd) {
2527                 case FIONREAD:
2528                 /* fall through */
2529                 case FIBMAP:
2530                 /* fall through */
2531                 case FIGETBSZ:
2532                 /* fall through */
2533                 case EXT2_IOC_GETFLAGS:
2534                 /* fall through */
2535                 case EXT2_IOC_GETVERSION:
2536                         error = file_has_perm(current, file, FILE__GETATTR);
2537                         break;
2538
2539                 case EXT2_IOC_SETFLAGS:
2540                 /* fall through */
2541                 case EXT2_IOC_SETVERSION:
2542                         error = file_has_perm(current, file, FILE__SETATTR);
2543                         break;
2544
2545                 /* sys_ioctl() checks */
2546                 case FIONBIO:
2547                 /* fall through */
2548                 case FIOASYNC:
2549                         error = file_has_perm(current, file, 0);
2550                         break;
2551
2552                 case KDSKBENT:
2553                 case KDSKBSENT:
2554                         error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2555                         break;
2556
2557                 /* default case assumes that the command will go
2558                  * to the file's ioctl() function.
2559                  */
2560                 default:
2561                         error = file_has_perm(current, file, FILE__IOCTL);
2562
2563         }
2564         return error;
2565 }
2566
2567 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2568 {
2569 #ifndef CONFIG_PPC32
2570         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2571                 /*
2572                  * We are making executable an anonymous mapping or a
2573                  * private file mapping that will also be writable.
2574                  * This has an additional check.
2575                  */
2576                 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2577                 if (rc)
2578                         return rc;
2579         }
2580 #endif
2581
2582         if (file) {
2583                 /* read access is always possible with a mapping */
2584                 u32 av = FILE__READ;
2585
2586                 /* write access only matters if the mapping is shared */
2587                 if (shared && (prot & PROT_WRITE))
2588                         av |= FILE__WRITE;
2589
2590                 if (prot & PROT_EXEC)
2591                         av |= FILE__EXECUTE;
2592
2593                 return file_has_perm(current, file, av);
2594         }
2595         return 0;
2596 }
2597
2598 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2599                              unsigned long prot, unsigned long flags,
2600                              unsigned long addr, unsigned long addr_only)
2601 {
2602         int rc = 0;
2603         u32 sid = ((struct task_security_struct*)(current->security))->sid;
2604
2605         if (addr < mmap_min_addr)
2606                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2607                                   MEMPROTECT__MMAP_ZERO, NULL);
2608         if (rc || addr_only)
2609                 return rc;
2610
2611         if (selinux_checkreqprot)
2612                 prot = reqprot;
2613
2614         return file_map_prot_check(file, prot,
2615                                    (flags & MAP_TYPE) == MAP_SHARED);
2616 }
2617
2618 static int selinux_file_mprotect(struct vm_area_struct *vma,
2619                                  unsigned long reqprot,
2620                                  unsigned long prot)
2621 {
2622         int rc;
2623
2624         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2625         if (rc)
2626                 return rc;
2627
2628         if (selinux_checkreqprot)
2629                 prot = reqprot;
2630
2631 #ifndef CONFIG_PPC32
2632         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2633                 rc = 0;
2634                 if (vma->vm_start >= vma->vm_mm->start_brk &&
2635                     vma->vm_end <= vma->vm_mm->brk) {
2636                         rc = task_has_perm(current, current,
2637                                            PROCESS__EXECHEAP);
2638                 } else if (!vma->vm_file &&
2639                            vma->vm_start <= vma->vm_mm->start_stack &&
2640                            vma->vm_end >= vma->vm_mm->start_stack) {
2641                         rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2642                 } else if (vma->vm_file && vma->anon_vma) {
2643                         /*
2644                          * We are making executable a file mapping that has
2645                          * had some COW done. Since pages might have been
2646                          * written, check ability to execute the possibly
2647                          * modified content.  This typically should only
2648                          * occur for text relocations.
2649                          */
2650                         rc = file_has_perm(current, vma->vm_file,
2651                                            FILE__EXECMOD);
2652                 }
2653                 if (rc)
2654                         return rc;
2655         }
2656 #endif
2657
2658         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2659 }
2660
2661 static int selinux_file_lock(struct file *file, unsigned int cmd)
2662 {
2663         return file_has_perm(current, file, FILE__LOCK);
2664 }
2665
2666 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2667                               unsigned long arg)
2668 {
2669         int err = 0;
2670
2671         switch (cmd) {
2672                 case F_SETFL:
2673                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2674                                 err = -EINVAL;
2675                                 break;
2676                         }
2677
2678                         if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2679                                 err = file_has_perm(current, file,FILE__WRITE);
2680                                 break;
2681                         }
2682                         /* fall through */
2683                 case F_SETOWN:
2684                 case F_SETSIG:
2685                 case F_GETFL:
2686                 case F_GETOWN:
2687                 case F_GETSIG:
2688                         /* Just check FD__USE permission */
2689                         err = file_has_perm(current, file, 0);
2690                         break;
2691                 case F_GETLK:
2692                 case F_SETLK:
2693                 case F_SETLKW:
2694 #if BITS_PER_LONG == 32
2695                 case F_GETLK64:
2696                 case F_SETLK64:
2697                 case F_SETLKW64:
2698 #endif
2699                         if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2700                                 err = -EINVAL;
2701                                 break;
2702                         }
2703                         err = file_has_perm(current, file, FILE__LOCK);
2704                         break;
2705         }
2706
2707         return err;
2708 }
2709
2710 static int selinux_file_set_fowner(struct file *file)
2711 {
2712         struct task_security_struct *tsec;
2713         struct file_security_struct *fsec;
2714
2715         tsec = current->security;
2716         fsec = file->f_security;
2717         fsec->fown_sid = tsec->sid;
2718
2719         return 0;
2720 }
2721
2722 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2723                                        struct fown_struct *fown, int signum)
2724 {
2725         struct file *file;
2726         u32 perm;
2727         struct task_security_struct *tsec;
2728         struct file_security_struct *fsec;
2729
2730         /* struct fown_struct is never outside the context of a struct file */
2731         file = container_of(fown, struct file, f_owner);
2732
2733         tsec = tsk->security;
2734         fsec = file->f_security;
2735
2736         if (!signum)
2737                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2738         else
2739                 perm = signal_to_av(signum);
2740
2741         return avc_has_perm(fsec->fown_sid, tsec->sid,
2742                             SECCLASS_PROCESS, perm, NULL);
2743 }
2744
2745 static int selinux_file_receive(struct file *file)
2746 {
2747         return file_has_perm(current, file, file_to_av(file));
2748 }
2749
2750 static int selinux_dentry_open(struct file *file)
2751 {
2752         struct file_security_struct *fsec;
2753         struct inode *inode;
2754         struct inode_security_struct *isec;
2755         inode = file->f_path.dentry->d_inode;
2756         fsec = file->f_security;
2757         isec = inode->i_security;
2758         /*
2759          * Save inode label and policy sequence number
2760          * at open-time so that selinux_file_permission
2761          * can determine whether revalidation is necessary.
2762          * Task label is already saved in the file security
2763          * struct as its SID.
2764          */
2765         fsec->isid = isec->sid;
2766         fsec->pseqno = avc_policy_seqno();
2767         /*
2768          * Since the inode label or policy seqno may have changed
2769          * between the selinux_inode_permission check and the saving
2770          * of state above, recheck that access is still permitted.
2771          * Otherwise, access might never be revalidated against the
2772          * new inode label or new policy.
2773          * This check is not redundant - do not remove.
2774          */
2775         return inode_has_perm(current, inode, file_to_av(file), NULL);
2776 }
2777
2778 /* task security operations */
2779
2780 static int selinux_task_create(unsigned long clone_flags)
2781 {
2782         int rc;
2783
2784         rc = secondary_ops->task_create(clone_flags);
2785         if (rc)
2786                 return rc;
2787
2788         return task_has_perm(current, current, PROCESS__FORK);
2789 }
2790
2791 static int selinux_task_alloc_security(struct task_struct *tsk)
2792 {
2793         struct task_security_struct *tsec1, *tsec2;
2794         int rc;
2795
2796         tsec1 = current->security;
2797
2798         rc = task_alloc_security(tsk);
2799         if (rc)
2800                 return rc;
2801         tsec2 = tsk->security;
2802
2803         tsec2->osid = tsec1->osid;
2804         tsec2->sid = tsec1->sid;
2805
2806         /* Retain the exec, fs, key, and sock SIDs across fork */
2807         tsec2->exec_sid = tsec1->exec_sid;
2808         tsec2->create_sid = tsec1->create_sid;
2809         tsec2->keycreate_sid = tsec1->keycreate_sid;
2810         tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2811
2812         /* Retain ptracer SID across fork, if any.
2813            This will be reset by the ptrace hook upon any
2814            subsequent ptrace_attach operations. */
2815         tsec2->ptrace_sid = tsec1->ptrace_sid;
2816
2817         return 0;
2818 }
2819
2820 static void selinux_task_free_security(struct task_struct *tsk)
2821 {
2822         task_free_security(tsk);
2823 }
2824
2825 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2826 {
2827         /* Since setuid only affects the current process, and
2828            since the SELinux controls are not based on the Linux
2829            identity attributes, SELinux does not need to control
2830            this operation.  However, SELinux does control the use
2831            of the CAP_SETUID and CAP_SETGID capabilities using the
2832            capable hook. */
2833         return 0;
2834 }
2835
2836 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2837 {
2838         return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2839 }
2840
2841 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2842 {
2843         /* See the comment for setuid above. */
2844         return 0;
2845 }
2846
2847 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2848 {
2849         return task_has_perm(current, p, PROCESS__SETPGID);
2850 }
2851
2852 static int selinux_task_getpgid(struct task_struct *p)
2853 {
2854         return task_has_perm(current, p, PROCESS__GETPGID);
2855 }
2856
2857 static int selinux_task_getsid(struct task_struct *p)
2858 {
2859         return task_has_perm(current, p, PROCESS__GETSESSION);
2860 }
2861
2862 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2863 {
2864         selinux_get_task_sid(p, secid);
2865 }
2866
2867 static int selinux_task_setgroups(struct group_info *group_info)
2868 {
2869         /* See the comment for setuid above. */
2870         return 0;
2871 }
2872
2873 static int selinux_task_setnice(struct task_struct *p, int nice)
2874 {
2875         int rc;
2876
2877         rc = secondary_ops->task_setnice(p, nice);
2878         if (rc)
2879                 return rc;
2880
2881         return task_has_perm(current,p, PROCESS__SETSCHED);
2882 }
2883
2884 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2885 {
2886         int rc;
2887
2888         rc = secondary_ops->task_setioprio(p, ioprio);
2889         if (rc)
2890                 return rc;
2891
2892         return task_has_perm(current, p, PROCESS__SETSCHED);
2893 }
2894
2895 static int selinux_task_getioprio(struct task_struct *p)
2896 {
2897         return task_has_perm(current, p, PROCESS__GETSCHED);
2898 }
2899
2900 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2901 {
2902         struct rlimit *old_rlim = current->signal->rlim + resource;
2903         int rc;
2904
2905         rc = secondary_ops->task_setrlimit(resource, new_rlim);
2906         if (rc)
2907                 return rc;
2908
2909         /* Control the ability to change the hard limit (whether
2910            lowering or raising it), so that the hard limit can
2911            later be used as a safe reset point for the soft limit
2912            upon context transitions. See selinux_bprm_apply_creds. */
2913         if (old_rlim->rlim_max != new_rlim->rlim_max)
2914                 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2915
2916         return 0;
2917 }
2918
2919 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2920 {
2921         int rc;
2922
2923         rc = secondary_ops->task_setscheduler(p, policy, lp);
2924         if (rc)
2925                 return rc;
2926
2927         return task_has_perm(current, p, PROCESS__SETSCHED);
2928 }
2929
2930 static int selinux_task_getscheduler(struct task_struct *p)
2931 {
2932         return task_has_perm(current, p, PROCESS__GETSCHED);
2933 }
2934
2935 static int selinux_task_movememory(struct task_struct *p)
2936 {
2937         return task_has_perm(current, p, PROCESS__SETSCHED);
2938 }
2939
2940 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2941                                 int sig, u32 secid)
2942 {
2943         u32 perm;
2944         int rc;
2945         struct task_security_struct *tsec;
2946
2947         rc = secondary_ops->task_kill(p, info, sig, secid);
2948         if (rc)
2949                 return rc;
2950
2951         if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2952                 return 0;
2953
2954         if (!sig)
2955                 perm = PROCESS__SIGNULL; /* null signal; existence test */
2956         else
2957                 perm = signal_to_av(sig);
2958         tsec = p->security;
2959         if (secid)
2960                 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2961         else
2962                 rc = task_has_perm(current, p, perm);
2963         return rc;
2964 }
2965
2966 static int selinux_task_prctl(int option,
2967                               unsigned long arg2,
2968                               unsigned long arg3,
2969                               unsigned long arg4,
2970                               unsigned long arg5)
2971 {
2972         /* The current prctl operations do not appear to require
2973            any SELinux controls since they merely observe or modify
2974            the state of the current process. */
2975         return 0;
2976 }
2977
2978 static int selinux_task_wait(struct task_struct *p)
2979 {
2980         u32 perm;
2981
2982         perm = signal_to_av(p->exit_signal);
2983
2984         return task_has_perm(p, current, perm);
2985 }
2986
2987 static void selinux_task_reparent_to_init(struct task_struct *p)
2988 {
2989         struct task_security_struct *tsec;
2990
2991         secondary_ops->task_reparent_to_init(p);
2992
2993         tsec = p->security;
2994         tsec->osid = tsec->sid;
2995         tsec->sid = SECINITSID_KERNEL;
2996         return;
2997 }
2998
2999 static void selinux_task_to_inode(struct task_struct *p,
3000                                   struct inode *inode)
3001 {
3002         struct task_security_struct *tsec = p->security;
3003         struct inode_security_struct *isec = inode->i_security;
3004
3005         isec->sid = tsec->sid;
3006         isec->initialized = 1;
3007         return;
3008 }
3009
3010 /* Returns error only if unable to parse addresses */
3011 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3012                         struct avc_audit_data *ad, u8 *proto)
3013 {
3014         int offset, ihlen, ret = -EINVAL;
3015         struct iphdr _iph, *ih;
3016
3017         offset = skb_network_offset(skb);
3018         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3019         if (ih == NULL)
3020                 goto out;
3021
3022         ihlen = ih->ihl * 4;
3023         if (ihlen < sizeof(_iph))
3024                 goto out;
3025
3026         ad->u.net.v4info.saddr = ih->saddr;
3027         ad->u.net.v4info.daddr = ih->daddr;
3028         ret = 0;
3029
3030         if (proto)
3031                 *proto = ih->protocol;
3032
3033         switch (ih->protocol) {
3034         case IPPROTO_TCP: {
3035                 struct tcphdr _tcph, *th;
3036
3037                 if (ntohs(ih->frag_off) & IP_OFFSET)
3038                         break;
3039
3040                 offset += ihlen;
3041                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3042                 if (th == NULL)
3043                         break;
3044
3045                 ad->u.net.sport = th->source;
3046                 ad->u.net.dport = th->dest;
3047                 break;
3048         }
3049         
3050         case IPPROTO_UDP: {
3051                 struct udphdr _udph, *uh;
3052                 
3053                 if (ntohs(ih->frag_off) & IP_OFFSET)
3054                         break;
3055                         
3056                 offset += ihlen;
3057                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3058                 if (uh == NULL)
3059                         break;  
3060
3061                 ad->u.net.sport = uh->source;
3062                 ad->u.net.dport = uh->dest;
3063                 break;
3064         }
3065
3066         case IPPROTO_DCCP: {
3067                 struct dccp_hdr _dccph, *dh;
3068
3069                 if (ntohs(ih->frag_off) & IP_OFFSET)
3070                         break;
3071
3072                 offset += ihlen;
3073                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3074                 if (dh == NULL)
3075                         break;
3076
3077                 ad->u.net.sport = dh->dccph_sport;
3078                 ad->u.net.dport = dh->dccph_dport;
3079                 break;
3080         }
3081
3082         default:
3083                 break;
3084         }
3085 out:
3086         return ret;
3087 }
3088
3089 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3090
3091 /* Returns error only if unable to parse addresses */
3092 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3093                         struct avc_audit_data *ad, u8 *proto)
3094 {
3095         u8 nexthdr;
3096         int ret = -EINVAL, offset;
3097         struct ipv6hdr _ipv6h, *ip6;
3098
3099         offset = skb_network_offset(skb);
3100         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3101         if (ip6 == NULL)
3102                 goto out;
3103
3104         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3105         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3106         ret = 0;
3107
3108         nexthdr = ip6->nexthdr;
3109         offset += sizeof(_ipv6h);
3110         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3111         if (offset < 0)
3112                 goto out;
3113
3114         if (proto)
3115                 *proto = nexthdr;
3116
3117         switch (nexthdr) {
3118         case IPPROTO_TCP: {
3119                 struct tcphdr _tcph, *th;
3120
3121                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3122                 if (th == NULL)
3123                         break;
3124
3125                 ad->u.net.sport = th->source;
3126                 ad->u.net.dport = th->dest;
3127                 break;
3128         }
3129
3130         case IPPROTO_UDP: {
3131                 struct udphdr _udph, *uh;
3132
3133                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3134                 if (uh == NULL)
3135                         break;
3136
3137                 ad->u.net.sport = uh->source;
3138                 ad->u.net.dport = uh->dest;
3139                 break;
3140         }
3141
3142         case IPPROTO_DCCP: {
3143                 struct dccp_hdr _dccph, *dh;
3144
3145                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3146                 if (dh == NULL)
3147                         break;
3148
3149                 ad->u.net.sport = dh->dccph_sport;
3150                 ad->u.net.dport = dh->dccph_dport;
3151                 break;
3152         }
3153
3154         /* includes fragments */
3155         default:
3156                 break;
3157         }
3158 out:
3159         return ret;
3160 }
3161
3162 #endif /* IPV6 */
3163
3164 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3165                              char **addrp, int *len, int src, u8 *proto)
3166 {
3167         int ret = 0;
3168
3169         switch (ad->u.net.family) {
3170         case PF_INET:
3171                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3172                 if (ret || !addrp)
3173                         break;
3174                 *len = 4;
3175                 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3176                                         &ad->u.net.v4info.daddr);
3177                 break;
3178
3179 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3180         case PF_INET6:
3181                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3182                 if (ret || !addrp)
3183                         break;
3184                 *len = 16;
3185                 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3186                                         &ad->u.net.v6info.daddr);
3187                 break;
3188 #endif  /* IPV6 */
3189         default:
3190                 break;
3191         }
3192
3193         return ret;
3194 }
3195
3196 /**
3197  * selinux_skb_extlbl_sid - Determine the external label of a packet
3198  * @skb: the packet
3199  * @sid: the packet's SID
3200  *
3201  * Description:
3202  * Check the various different forms of external packet labeling and determine
3203  * the external SID for the packet.  If only one form of external labeling is
3204  * present then it is used, if both labeled IPsec and NetLabel labels are
3205  * present then the SELinux type information is taken from the labeled IPsec
3206  * SA and the MLS sensitivity label information is taken from the NetLabel
3207  * security attributes.  This bit of "magic" is done in the call to
3208  * selinux_netlbl_skbuff_getsid().
3209  *
3210  */
3211 static void selinux_skb_extlbl_sid(struct sk_buff *skb, u32 *sid)
3212 {
3213         u32 xfrm_sid;
3214         u32 nlbl_sid;
3215
3216         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3217         if (selinux_netlbl_skbuff_getsid(skb,
3218                                          (xfrm_sid == SECSID_NULL ?
3219                                           SECINITSID_NETMSG : xfrm_sid),
3220                                          &nlbl_sid) != 0)
3221                 nlbl_sid = SECSID_NULL;
3222         *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid);
3223 }
3224
3225 /* socket security operations */
3226 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3227                            u32 perms)
3228 {
3229         struct inode_security_struct *isec;
3230         struct task_security_struct *tsec;
3231         struct avc_audit_data ad;
3232         int err = 0;
3233
3234         tsec = task->security;
3235         isec = SOCK_INODE(sock)->i_security;
3236
3237         if (isec->sid == SECINITSID_KERNEL)
3238                 goto out;
3239
3240         AVC_AUDIT_DATA_INIT(&ad,NET);
3241         ad.u.net.sk = sock->sk;
3242         err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3243
3244 out:
3245         return err;
3246 }
3247
3248 static int selinux_socket_create(int family, int type,
3249                                  int protocol, int kern)
3250 {
3251         int err = 0;
3252         struct task_security_struct *tsec;
3253         u32 newsid;
3254
3255         if (kern)
3256                 goto out;
3257
3258         tsec = current->security;
3259         newsid = tsec->sockcreate_sid ? : tsec->sid;
3260         err = avc_has_perm(tsec->sid, newsid,
3261                            socket_type_to_security_class(family, type,
3262                            protocol), SOCKET__CREATE, NULL);
3263
3264 out:
3265         return err;
3266 }
3267
3268 static int selinux_socket_post_create(struct socket *sock, int family,
3269                                       int type, int protocol, int kern)
3270 {
3271         int err = 0;
3272         struct inode_security_struct *isec;
3273         struct task_security_struct *tsec;
3274         struct sk_security_struct *sksec;
3275         u32 newsid;
3276
3277         isec = SOCK_INODE(sock)->i_security;
3278
3279         tsec = current->security;
3280         newsid = tsec->sockcreate_sid ? : tsec->sid;
3281         isec->sclass = socket_type_to_security_class(family, type, protocol);
3282         isec->sid = kern ? SECINITSID_KERNEL : newsid;
3283         isec->initialized = 1;
3284
3285         if (sock->sk) {
3286                 sksec = sock->sk->sk_security;
3287                 sksec->sid = isec->sid;
3288                 err = selinux_netlbl_socket_post_create(sock);
3289         }
3290
3291         return err;
3292 }
3293
3294 /* Range of port numbers used to automatically bind.
3295    Need to determine whether we should perform a name_bind
3296    permission check between the socket and the port number. */
3297
3298 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3299 {
3300         u16 family;
3301         int err;
3302
3303         err = socket_has_perm(current, sock, SOCKET__BIND);
3304         if (err)
3305                 goto out;
3306
3307         /*
3308          * If PF_INET or PF_INET6, check name_bind permission for the port.
3309          * Multiple address binding for SCTP is not supported yet: we just
3310          * check the first address now.
3311          */
3312         family = sock->sk->sk_family;
3313         if (family == PF_INET || family == PF_INET6) {
3314                 char *addrp;
3315                 struct inode_security_struct *isec;
3316                 struct task_security_struct *tsec;
3317                 struct avc_audit_data ad;
3318                 struct sockaddr_in *addr4 = NULL;
3319                 struct sockaddr_in6 *addr6 = NULL;
3320                 unsigned short snum;
3321                 struct sock *sk = sock->sk;
3322                 u32 sid, node_perm, addrlen;
3323
3324                 tsec = current->security;
3325                 isec = SOCK_INODE(sock)->i_security;
3326
3327                 if (family == PF_INET) {
3328                         addr4 = (struct sockaddr_in *)address;
3329                         snum = ntohs(addr4->sin_port);
3330                         addrlen = sizeof(addr4->sin_addr.s_addr);
3331                         addrp = (char *)&addr4->sin_addr.s_addr;
3332                 } else {
3333                         addr6 = (struct sockaddr_in6 *)address;
3334                         snum = ntohs(addr6->sin6_port);
3335                         addrlen = sizeof(addr6->sin6_addr.s6_addr);
3336                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3337                 }
3338
3339                 if (snum) {
3340                         int low, high;
3341
3342                         inet_get_local_port_range(&low, &high);
3343
3344                         if (snum < max(PROT_SOCK, low) || snum > high) {
3345                                 err = security_port_sid(sk->sk_family,
3346                                                         sk->sk_type,
3347                                                         sk->sk_protocol, snum,
3348                                                         &sid);
3349                                 if (err)
3350                                         goto out;
3351                                 AVC_AUDIT_DATA_INIT(&ad,NET);
3352                                 ad.u.net.sport = htons(snum);
3353                                 ad.u.net.family = family;
3354                                 err = avc_has_perm(isec->sid, sid,
3355                                                    isec->sclass,
3356                                                    SOCKET__NAME_BIND, &ad);
3357                                 if (err)
3358                                         goto out;
3359                         }
3360                 }
3361                 
3362                 switch(isec->sclass) {
3363                 case SECCLASS_TCP_SOCKET:
3364                         node_perm = TCP_SOCKET__NODE_BIND;
3365                         break;
3366                         
3367                 case SECCLASS_UDP_SOCKET:
3368                         node_perm = UDP_SOCKET__NODE_BIND;
3369                         break;
3370
3371                 case SECCLASS_DCCP_SOCKET:
3372                         node_perm = DCCP_SOCKET__NODE_BIND;
3373                         break;
3374
3375                 default:
3376                         node_perm = RAWIP_SOCKET__NODE_BIND;
3377                         break;
3378                 }
3379                 
3380                 err = security_node_sid(family, addrp, addrlen, &sid);
3381                 if (err)
3382                         goto out;
3383                 
3384                 AVC_AUDIT_DATA_INIT(&ad,NET);
3385                 ad.u.net.sport = htons(snum);
3386                 ad.u.net.family = family;
3387
3388                 if (family == PF_INET)
3389                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3390                 else
3391                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3392
3393                 err = avc_has_perm(isec->sid, sid,
3394                                    isec->sclass, node_perm, &ad);
3395                 if (err)
3396                         goto out;
3397         }
3398 out:
3399         return err;
3400 }
3401
3402 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3403 {
3404         struct inode_security_struct *isec;
3405         int err;
3406
3407         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3408         if (err)
3409                 return err;
3410
3411         /*
3412          * If a TCP or DCCP socket, check name_connect permission for the port.
3413          */
3414         isec = SOCK_INODE(sock)->i_security;
3415         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3416             isec->sclass == SECCLASS_DCCP_SOCKET) {
3417                 struct sock *sk = sock->sk;
3418                 struct avc_audit_data ad;
3419                 struct sockaddr_in *addr4 = NULL;
3420                 struct sockaddr_in6 *addr6 = NULL;
3421                 unsigned short snum;
3422                 u32 sid, perm;
3423
3424                 if (sk->sk_family == PF_INET) {
3425                         addr4 = (struct sockaddr_in *)address;
3426                         if (addrlen < sizeof(struct sockaddr_in))
3427                                 return -EINVAL;
3428                         snum = ntohs(addr4->sin_port);
3429                 } else {
3430                         addr6 = (struct sockaddr_in6 *)address;
3431                         if (addrlen < SIN6_LEN_RFC2133)
3432                                 return -EINVAL;
3433                         snum = ntohs(addr6->sin6_port);
3434                 }
3435
3436                 err = security_port_sid(sk->sk_family, sk->sk_type,
3437                                         sk->sk_protocol, snum, &sid);
3438                 if (err)
3439                         goto out;
3440
3441                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3442                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3443
3444                 AVC_AUDIT_DATA_INIT(&ad,NET);
3445                 ad.u.net.dport = htons(snum);
3446                 ad.u.net.family = sk->sk_family;
3447                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3448                 if (err)
3449                         goto out;
3450         }
3451
3452 out:
3453         return err;
3454 }
3455
3456 static int selinux_socket_listen(struct socket *sock, int backlog)
3457 {
3458         return socket_has_perm(current, sock, SOCKET__LISTEN);
3459 }
3460
3461 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3462 {
3463         int err;
3464         struct inode_security_struct *isec;
3465         struct inode_security_struct *newisec;
3466
3467         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3468         if (err)
3469                 return err;
3470
3471         newisec = SOCK_INODE(newsock)->i_security;
3472
3473         isec = SOCK_INODE(sock)->i_security;
3474         newisec->sclass = isec->sclass;
3475         newisec->sid = isec->sid;
3476         newisec->initialized = 1;
3477
3478         return 0;
3479 }
3480
3481 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3482                                   int size)
3483 {
3484         int rc;
3485
3486         rc = socket_has_perm(current, sock, SOCKET__WRITE);
3487         if (rc)
3488                 return rc;
3489
3490         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3491 }
3492
3493 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3494                                   int size, int flags)
3495 {
3496         return socket_has_perm(current, sock, SOCKET__READ);
3497 }
3498
3499 static int selinux_socket_getsockname(struct socket *sock)
3500 {
3501         return socket_has_perm(current, sock, SOCKET__GETATTR);
3502 }
3503
3504 static int selinux_socket_getpeername(struct socket *sock)
3505 {
3506         return socket_has_perm(current, sock, SOCKET__GETATTR);
3507 }
3508
3509 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3510 {
3511         int err;
3512
3513         err = socket_has_perm(current, sock, SOCKET__SETOPT);
3514         if (err)
3515                 return err;
3516
3517         return selinux_netlbl_socket_setsockopt(sock, level, optname);
3518 }
3519
3520 static int selinux_socket_getsockopt(struct socket *sock, int level,
3521                                      int optname)
3522 {
3523         return socket_has_perm(current, sock, SOCKET__GETOPT);
3524 }
3525
3526 static int selinux_socket_shutdown(struct socket *sock, int how)
3527 {
3528         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3529 }
3530
3531 static int selinux_socket_unix_stream_connect(struct socket *sock,
3532                                               struct socket *other,
3533                                               struct sock *newsk)
3534 {
3535         struct sk_security_struct *ssec;
3536         struct inode_security_struct *isec;
3537         struct inode_security_struct *other_isec;
3538         struct avc_audit_data ad;
3539         int err;
3540
3541         err = secondary_ops->unix_stream_connect(sock, other, newsk);
3542         if (err)
3543                 return err;
3544
3545         isec = SOCK_INODE(sock)->i_security;
3546         other_isec = SOCK_INODE(other)->i_security;
3547
3548         AVC_AUDIT_DATA_INIT(&ad,NET);
3549         ad.u.net.sk = other->sk;
3550
3551         err = avc_has_perm(isec->sid, other_isec->sid,
3552                            isec->sclass,
3553                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3554         if (err)
3555                 return err;
3556
3557         /* connecting socket */
3558         ssec = sock->sk->sk_security;
3559         ssec->peer_sid = other_isec->sid;
3560         
3561         /* server child socket */
3562         ssec = newsk->sk_security;
3563         ssec->peer_sid = isec->sid;
3564         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3565
3566         return err;
3567 }
3568
3569 static int selinux_socket_unix_may_send(struct socket *sock,
3570                                         struct socket *other)
3571 {
3572         struct inode_security_struct *isec;
3573         struct inode_security_struct *other_isec;
3574         struct avc_audit_data ad;
3575         int err;
3576
3577         isec = SOCK_INODE(sock)->i_security;
3578         other_isec = SOCK_INODE(other)->i_security;
3579
3580         AVC_AUDIT_DATA_INIT(&ad,NET);
3581         ad.u.net.sk = other->sk;
3582
3583         err = avc_has_perm(isec->sid, other_isec->sid,
3584                            isec->sclass, SOCKET__SENDTO, &ad);
3585         if (err)
3586                 return err;
3587
3588         return 0;
3589 }
3590
3591 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3592                 struct avc_audit_data *ad, u16 family, char *addrp, int len)
3593 {
3594         int err = 0;
3595         u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3596         struct socket *sock;
3597         u16 sock_class = 0;
3598         u32 sock_sid = 0;
3599
3600         read_lock_bh(&sk->sk_callback_lock);
3601         sock = sk->sk_socket;
3602         if (sock) {
3603                 struct inode *inode;
3604                 inode = SOCK_INODE(sock);
3605                 if (inode) {
3606                         struct inode_security_struct *isec;
3607                         isec = inode->i_security;
3608                         sock_sid = isec->sid;
3609                         sock_class = isec->sclass;
3610                 }
3611         }
3612         read_unlock_bh(&sk->sk_callback_lock);
3613         if (!sock_sid)
3614                 goto out;
3615
3616         if (!skb->dev)
3617                 goto out;
3618
3619         err = sel_netif_sids(skb->dev, &if_sid, NULL);
3620         if (err)
3621                 goto out;
3622
3623         switch (sock_class) {
3624         case SECCLASS_UDP_SOCKET:
3625                 netif_perm = NETIF__UDP_RECV;
3626                 node_perm = NODE__UDP_RECV;
3627                 recv_perm = UDP_SOCKET__RECV_MSG;
3628                 break;
3629         
3630         case SECCLASS_TCP_SOCKET:
3631                 netif_perm = NETIF__TCP_RECV;
3632                 node_perm = NODE__TCP_RECV;
3633                 recv_perm = TCP_SOCKET__RECV_MSG;
3634                 break;
3635
3636         case SECCLASS_DCCP_SOCKET:
3637                 netif_perm = NETIF__DCCP_RECV;
3638                 node_perm = NODE__DCCP_RECV;
3639                 recv_perm = DCCP_SOCKET__RECV_MSG;
3640                 break;
3641
3642         default:
3643                 netif_perm = NETIF__RAWIP_RECV;
3644                 node_perm = NODE__RAWIP_RECV;
3645                 break;
3646         }
3647
3648         err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3649         if (err)
3650                 goto out;
3651         
3652         err = security_node_sid(family, addrp, len, &node_sid);
3653         if (err)
3654                 goto out;
3655         
3656         err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3657         if (err)
3658                 goto out;
3659
3660         if (recv_perm) {
3661                 u32 port_sid;
3662
3663                 err = security_port_sid(sk->sk_family, sk->sk_type,
3664                                         sk->sk_protocol, ntohs(ad->u.net.sport),
3665                                         &port_sid);
3666                 if (err)
3667                         goto out;
3668
3669                 err = avc_has_perm(sock_sid, port_sid,
3670                                    sock_class, recv_perm, ad);
3671         }
3672
3673 out:
3674         return err;
3675 }
3676
3677 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3678 {
3679         u16 family;
3680         char *addrp;
3681         int len, err = 0;
3682         struct avc_audit_data ad;
3683         struct sk_security_struct *sksec = sk->sk_security;
3684
3685         family = sk->sk_family;
3686         if (family != PF_INET && family != PF_INET6)
3687                 goto out;
3688
3689         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3690         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3691                 family = PF_INET;
3692
3693         AVC_AUDIT_DATA_INIT(&ad, NET);
3694         ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3695         ad.u.net.family = family;
3696
3697         err = selinux_parse_skb(skb, &ad, &addrp, &len, 1, NULL);
3698         if (err)
3699                 goto out;
3700
3701         if (selinux_compat_net)
3702                 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, family,
3703                                                   addrp, len);
3704         else
3705                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
3706                                    PACKET__RECV, &ad);
3707         if (err)
3708                 goto out;
3709
3710         err = selinux_netlbl_sock_rcv_skb(sksec, skb, &ad);
3711         if (err)
3712                 goto out;
3713
3714         err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
3715 out:    
3716         return err;
3717 }
3718
3719 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3720                                             int __user *optlen, unsigned len)
3721 {
3722         int err = 0;
3723         char *scontext;
3724         u32 scontext_len;
3725         struct sk_security_struct *ssec;
3726         struct inode_security_struct *isec;
3727         u32 peer_sid = SECSID_NULL;
3728
3729         isec = SOCK_INODE(sock)->i_security;
3730
3731         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
3732             isec->sclass == SECCLASS_TCP_SOCKET) {
3733                 ssec = sock->sk->sk_security;
3734                 peer_sid = ssec->peer_sid;
3735         }
3736         if (peer_sid == SECSID_NULL) {
3737                 err = -ENOPROTOOPT;
3738                 goto out;
3739         }
3740
3741         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3742
3743         if (err)
3744                 goto out;
3745
3746         if (scontext_len > len) {
3747                 err = -ERANGE;
3748                 goto out_len;
3749         }
3750
3751         if (copy_to_user(optval, scontext, scontext_len))
3752                 err = -EFAULT;
3753
3754 out_len:
3755         if (put_user(scontext_len, optlen))
3756                 err = -EFAULT;
3757
3758         kfree(scontext);
3759 out:    
3760         return err;
3761 }
3762
3763 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3764 {
3765         u32 peer_secid = SECSID_NULL;
3766         int err = 0;
3767
3768         if (sock && sock->sk->sk_family == PF_UNIX)
3769                 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3770         else if (skb)
3771                 selinux_skb_extlbl_sid(skb, &peer_secid);
3772
3773         if (peer_secid == SECSID_NULL)
3774                 err = -EINVAL;
3775         *secid = peer_secid;
3776
3777         return err;
3778 }
3779
3780 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3781 {
3782         return sk_alloc_security(sk, family, priority);
3783 }
3784
3785 static void selinux_sk_free_security(struct sock *sk)
3786 {
3787         sk_free_security(sk);
3788 }
3789
3790 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
3791 {
3792         struct sk_security_struct *ssec = sk->sk_security;
3793         struct sk_security_struct *newssec = newsk->sk_security;
3794
3795         newssec->sid = ssec->sid;
3796         newssec->peer_sid = ssec->peer_sid;
3797
3798         selinux_netlbl_sk_security_clone(ssec, newssec);
3799 }
3800
3801 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
3802 {
3803         if (!sk)
3804                 *secid = SECINITSID_ANY_SOCKET;
3805         else {
3806                 struct sk_security_struct *sksec = sk->sk_security;
3807
3808                 *secid = sksec->sid;
3809         }
3810 }
3811
3812 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
3813 {
3814         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
3815         struct sk_security_struct *sksec = sk->sk_security;
3816
3817         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
3818             sk->sk_family == PF_UNIX)
3819                 isec->sid = sksec->sid;
3820
3821         selinux_netlbl_sock_graft(sk, parent);
3822 }
3823
3824 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3825                                      struct request_sock *req)
3826 {
3827         struct sk_security_struct *sksec = sk->sk_security;
3828         int err;
3829         u32 newsid;
3830         u32 peersid;
3831
3832         selinux_skb_extlbl_sid(skb, &peersid);
3833         if (peersid == SECSID_NULL) {
3834                 req->secid = sksec->sid;
3835                 req->peer_secid = SECSID_NULL;
3836                 return 0;
3837         }
3838
3839         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
3840         if (err)
3841                 return err;
3842
3843         req->secid = newsid;
3844         req->peer_secid = peersid;
3845         return 0;
3846 }
3847
3848 static void selinux_inet_csk_clone(struct sock *newsk,
3849                                    const struct request_sock *req)
3850 {
3851         struct sk_security_struct *newsksec = newsk->sk_security;
3852
3853         newsksec->sid = req->secid;
3854         newsksec->peer_sid = req->peer_secid;
3855         /* NOTE: Ideally, we should also get the isec->sid for the
3856            new socket in sync, but we don't have the isec available yet.
3857            So we will wait until sock_graft to do it, by which
3858            time it will have been created and available. */
3859
3860         /* We don't need to take any sort of lock here as we are the only
3861          * thread with access to newsksec */
3862         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
3863 }
3864
3865 static void selinux_inet_conn_established(struct sock *sk,
3866                                 struct sk_buff *skb)
3867 {
3868         struct sk_security_struct *sksec = sk->sk_security;
3869
3870         selinux_skb_extlbl_sid(skb, &sksec->peer_sid);
3871 }
3872
3873 static void selinux_req_classify_flow(const struct request_sock *req,
3874                                       struct flowi *fl)
3875 {
3876         fl->secid = req->secid;
3877 }
3878
3879 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3880 {
3881         int err = 0;
3882         u32 perm;
3883         struct nlmsghdr *nlh;
3884         struct socket *sock = sk->sk_socket;
3885         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3886         
3887         if (skb->len < NLMSG_SPACE(0)) {
3888                 err = -EINVAL;
3889                 goto out;
3890         }
3891         nlh = nlmsg_hdr(skb);
3892         
3893         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3894         if (err) {
3895                 if (err == -EINVAL) {
3896                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3897                                   "SELinux:  unrecognized netlink message"
3898                                   " type=%hu for sclass=%hu\n",
3899                                   nlh->nlmsg_type, isec->sclass);
3900                         if (!selinux_enforcing)
3901                                 err = 0;
3902                 }
3903
3904                 /* Ignore */
3905                 if (err == -ENOENT)
3906                         err = 0;
3907                 goto out;
3908         }
3909
3910         err = socket_has_perm(current, sock, perm);
3911 out:
3912         return err;
3913 }
3914
3915 #ifdef CONFIG_NETFILTER
3916
3917 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3918                                             struct avc_audit_data *ad,
3919                                             u16 family, char *addrp, int len)
3920 {
3921         int err = 0;
3922         u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3923         struct socket *sock;
3924         struct inode *inode;
3925         struct inode_security_struct *isec;
3926
3927         sock = sk->sk_socket;
3928         if (!sock)
3929                 goto out;
3930
3931         inode = SOCK_INODE(sock);
3932         if (!inode)
3933                 goto out;
3934
3935         isec = inode->i_security;
3936         
3937         err = sel_netif_sids(dev, &if_sid, NULL);
3938         if (err)
3939                 goto out;
3940
3941         switch (isec->sclass) {
3942         case SECCLASS_UDP_SOCKET:
3943                 netif_perm = NETIF__UDP_SEND;
3944                 node_perm = NODE__UDP_SEND;
3945                 send_perm = UDP_SOCKET__SEND_MSG;
3946                 break;
3947         
3948         case SECCLASS_TCP_SOCKET:
3949                 netif_perm = NETIF__TCP_SEND;
3950                 node_perm = NODE__TCP_SEND;
3951                 send_perm = TCP_SOCKET__SEND_MSG;
3952                 break;
3953
3954         case SECCLASS_DCCP_SOCKET:
3955                 netif_perm = NETIF__DCCP_SEND;
3956                 node_perm = NODE__DCCP_SEND;
3957                 send_perm = DCCP_SOCKET__SEND_MSG;
3958                 break;
3959
3960         default:
3961                 netif_perm = NETIF__RAWIP_SEND;
3962                 node_perm = NODE__RAWIP_SEND;
3963                 break;
3964         }
3965
3966         err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3967         if (err)
3968                 goto out;
3969                 
3970         err = security_node_sid(family, addrp, len, &node_sid);
3971         if (err)
3972                 goto out;
3973         
3974         err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3975         if (err)
3976                 goto out;
3977
3978         if (send_perm) {
3979                 u32 port_sid;
3980                 
3981                 err = security_port_sid(sk->sk_family,
3982                                         sk->sk_type,
3983                                         sk->sk_protocol,
3984                                         ntohs(ad->u.net.dport),
3985                                         &port_sid);
3986                 if (err)
3987                         goto out;
3988
3989                 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3990                                    send_perm, ad);
3991         }
3992 out:
3993         return err;
3994 }
3995
3996 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3997                                               struct sk_buff *skb,
3998                                               const struct net_device *in,
3999                                               const struct net_device *out,
4000                                               int (*okfn)(struct sk_buff *),
4001                                               u16 family)
4002 {
4003         char *addrp;
4004         int len, err = 0;
4005         struct sock *sk;
4006         struct avc_audit_data ad;
4007         struct net_device *dev = (struct net_device *)out;
4008         struct sk_security_struct *sksec;
4009         u8 proto;
4010
4011         sk = skb->sk;
4012         if (!sk)
4013                 goto out;
4014
4015         sksec = sk->sk_security;
4016
4017         AVC_AUDIT_DATA_INIT(&ad, NET);
4018         ad.u.net.netif = dev->name;
4019         ad.u.net.family = family;
4020
4021         err = selinux_parse_skb(skb, &ad, &addrp, &len, 0, &proto);
4022         if (err)
4023                 goto out;
4024
4025         if (selinux_compat_net)
4026                 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
4027                                                        family, addrp, len);
4028         else
4029                 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
4030                                    PACKET__SEND, &ad);
4031
4032         if (err)
4033                 goto out;
4034
4035         err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
4036 out:
4037         return err ? NF_DROP : NF_ACCEPT;
4038 }
4039
4040 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
4041                                                 struct sk_buff *skb,
4042                                                 const struct net_device *in,
4043                                                 const struct net_device *out,
4044                                                 int (*okfn)(struct sk_buff *))
4045 {
4046         return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET);
4047 }
4048
4049 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4050
4051 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
4052                                                 struct sk_buff *skb,
4053                                                 const struct net_device *in,
4054                                                 const struct net_device *out,
4055                                                 int (*okfn)(struct sk_buff *))
4056 {
4057         return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET6);
4058 }
4059
4060 #endif  /* IPV6 */
4061
4062 #endif  /* CONFIG_NETFILTER */
4063
4064 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4065 {
4066         int err;
4067
4068         err = secondary_ops->netlink_send(sk, skb);
4069         if (err)
4070                 return err;
4071
4072         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4073                 err = selinux_nlmsg_perm(sk, skb);
4074
4075         return err;
4076 }
4077
4078 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4079 {
4080         int err;
4081         struct avc_audit_data ad;
4082
4083         err = secondary_ops->netlink_recv(skb, capability);
4084         if (err)
4085                 return err;
4086
4087         AVC_AUDIT_DATA_INIT(&ad, CAP);
4088         ad.u.cap = capability;
4089
4090         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4091                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4092 }
4093
4094 static int ipc_alloc_security(struct task_struct *task,
4095                               struct kern_ipc_perm *perm,
4096                               u16 sclass)
4097 {
4098         struct task_security_struct *tsec = task->security;
4099         struct ipc_security_struct *isec;
4100
4101         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4102         if (!isec)
4103                 return -ENOMEM;
4104
4105         isec->sclass = sclass;
4106         isec->ipc_perm = perm;
4107         isec->sid = tsec->sid;
4108         perm->security = isec;
4109
4110         return 0;
4111 }
4112
4113 static void ipc_free_security(struct kern_ipc_perm *perm)
4114 {
4115         struct ipc_security_struct *isec = perm->security;
4116         perm->security = NULL;
4117         kfree(isec);
4118 }
4119
4120 static int msg_msg_alloc_security(struct msg_msg *msg)
4121 {
4122         struct msg_security_struct *msec;
4123
4124         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4125         if (!msec)
4126                 return -ENOMEM;
4127
4128         msec->msg = msg;
4129         msec->sid = SECINITSID_UNLABELED;
4130         msg->security = msec;
4131
4132         return 0;
4133 }
4134
4135 static void msg_msg_free_security(struct msg_msg *msg)
4136 {
4137         struct msg_security_struct *msec = msg->security;
4138
4139         msg->security = NULL;
4140         kfree(msec);
4141 }
4142
4143 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4144                         u32 perms)
4145 {
4146         struct task_security_struct *tsec;
4147         struct ipc_security_struct *isec;
4148         struct avc_audit_data ad;
4149
4150         tsec = current->security;
4151         isec = ipc_perms->security;
4152
4153         AVC_AUDIT_DATA_INIT(&ad, IPC);
4154         ad.u.ipc_id = ipc_perms->key;
4155
4156         return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4157 }
4158
4159 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4160 {
4161         return msg_msg_alloc_security(msg);
4162 }
4163
4164 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4165 {
4166         msg_msg_free_security(msg);
4167 }
4168
4169 /* message queue security operations */
4170 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4171 {
4172         struct task_security_struct *tsec;
4173         struct ipc_security_struct *isec;
4174         struct avc_audit_data ad;
4175         int rc;
4176
4177         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4178         if (rc)
4179                 return rc;
4180
4181         tsec = current->security;
4182         isec = msq->q_perm.security;
4183
4184         AVC_AUDIT_DATA_INIT(&ad, IPC);
4185         ad.u.ipc_id = msq->q_perm.key;
4186
4187         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4188                           MSGQ__CREATE, &ad);
4189         if (rc) {
4190                 ipc_free_security(&msq->q_perm);
4191                 return rc;
4192         }
4193         return 0;
4194 }
4195
4196 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4197 {
4198         ipc_free_security(&msq->q_perm);
4199 }
4200
4201 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4202 {
4203         struct task_security_struct *tsec;
4204         struct ipc_security_struct *isec;
4205         struct avc_audit_data ad;
4206
4207         tsec = current->security;
4208         isec = msq->q_perm.security;
4209
4210         AVC_AUDIT_DATA_INIT(&ad, IPC);
4211         ad.u.ipc_id = msq->q_perm.key;
4212
4213         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4214                             MSGQ__ASSOCIATE, &ad);
4215 }
4216
4217 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4218 {
4219         int err;
4220         int perms;
4221
4222         switch(cmd) {
4223         case IPC_INFO:
4224         case MSG_INFO:
4225                 /* No specific object, just general system-wide information. */
4226                 return task_has_system(current, SYSTEM__IPC_INFO);
4227         case IPC_STAT:
4228         case MSG_STAT:
4229                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4230                 break;
4231         case IPC_SET:
4232                 perms = MSGQ__SETATTR;
4233                 break;
4234         case IPC_RMID:
4235                 perms = MSGQ__DESTROY;
4236                 break;
4237         default:
4238                 return 0;
4239         }
4240
4241         err = ipc_has_perm(&msq->q_perm, perms);
4242         return err;
4243 }
4244
4245 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4246 {
4247         struct task_security_struct *tsec;
4248         struct ipc_security_struct *isec;
4249         struct msg_security_struct *msec;
4250         struct avc_audit_data ad;
4251         int rc;
4252
4253         tsec = current->security;
4254         isec = msq->q_perm.security;
4255         msec = msg->security;
4256
4257         /*
4258          * First time through, need to assign label to the message
4259          */
4260         if (msec->sid == SECINITSID_UNLABELED) {
4261                 /*
4262                  * Compute new sid based on current process and
4263                  * message queue this message will be stored in
4264                  */
4265                 rc = security_transition_sid(tsec->sid,
4266                                              isec->sid,
4267                                              SECCLASS_MSG,
4268                                              &msec->sid);
4269                 if (rc)
4270                         return rc;
4271         }
4272
4273         AVC_AUDIT_DATA_INIT(&ad, IPC);
4274         ad.u.ipc_id = msq->q_perm.key;
4275
4276         /* Can this process write to the queue? */
4277         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4278                           MSGQ__WRITE, &ad);
4279         if (!rc)
4280                 /* Can this process send the message */
4281                 rc = avc_has_perm(tsec->sid, msec->sid,
4282                                   SECCLASS_MSG, MSG__SEND, &ad);
4283         if (!rc)
4284                 /* Can the message be put in the queue? */
4285                 rc = avc_has_perm(msec->sid, isec->sid,
4286                                   SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4287
4288         return rc;
4289 }
4290
4291 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4292                                     struct task_struct *target,
4293                                     long type, int mode)
4294 {
4295         struct task_security_struct *tsec;
4296         struct ipc_security_struct *isec;
4297         struct msg_security_struct *msec;
4298         struct avc_audit_data ad;
4299         int rc;
4300
4301         tsec = target->security;
4302         isec = msq->q_perm.security;
4303         msec = msg->security;
4304
4305         AVC_AUDIT_DATA_INIT(&ad, IPC);
4306         ad.u.ipc_id = msq->q_perm.key;
4307
4308         rc = avc_has_perm(tsec->sid, isec->sid,
4309                           SECCLASS_MSGQ, MSGQ__READ, &ad);
4310         if (!rc)
4311                 rc = avc_has_perm(tsec->sid, msec->sid,
4312                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
4313         return rc;
4314 }
4315
4316 /* Shared Memory security operations */
4317 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4318 {
4319         struct task_security_struct *tsec;
4320         struct ipc_security_struct *isec;
4321         struct avc_audit_data ad;
4322         int rc;
4323
4324         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4325         if (rc)
4326                 return rc;
4327
4328         tsec = current->security;
4329         isec = shp->shm_perm.security;
4330
4331         AVC_AUDIT_DATA_INIT(&ad, IPC);
4332         ad.u.ipc_id = shp->shm_perm.key;
4333
4334         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4335                           SHM__CREATE, &ad);
4336         if (rc) {
4337                 ipc_free_security(&shp->shm_perm);
4338                 return rc;
4339         }
4340         return 0;
4341 }
4342
4343 static void selinux_shm_free_security(struct shmid_kernel *shp)
4344 {
4345         ipc_free_security(&shp->shm_perm);
4346 }
4347
4348 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4349 {
4350         struct task_security_struct *tsec;
4351         struct ipc_security_struct *isec;
4352         struct avc_audit_data ad;
4353
4354         tsec = current->security;
4355         isec = shp->shm_perm.security;
4356
4357         AVC_AUDIT_DATA_INIT(&ad, IPC);
4358         ad.u.ipc_id = shp->shm_perm.key;
4359
4360         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4361                             SHM__ASSOCIATE, &ad);
4362 }
4363
4364 /* Note, at this point, shp is locked down */
4365 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4366 {
4367         int perms;
4368         int err;
4369
4370         switch(cmd) {
4371         case IPC_INFO:
4372         case SHM_INFO:
4373                 /* No specific object, just general system-wide information. */
4374                 return task_has_system(current, SYSTEM__IPC_INFO);
4375         case IPC_STAT:
4376         case SHM_STAT:
4377                 perms = SHM__GETATTR | SHM__ASSOCIATE;
4378                 break;
4379         case IPC_SET:
4380                 perms = SHM__SETATTR;
4381                 break;
4382         case SHM_LOCK:
4383         case SHM_UNLOCK:
4384                 perms = SHM__LOCK;
4385                 break;
4386         case IPC_RMID:
4387                 perms = SHM__DESTROY;
4388                 break;
4389         default:
4390                 return 0;
4391         }
4392
4393         err = ipc_has_perm(&shp->shm_perm, perms);
4394         return err;
4395 }
4396
4397 static int selinux_shm_shmat(struct shmid_kernel *shp,
4398                              char __user *shmaddr, int shmflg)
4399 {
4400         u32 perms;
4401         int rc;
4402
4403         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4404         if (rc)
4405                 return rc;
4406
4407         if (shmflg & SHM_RDONLY)
4408                 perms = SHM__READ;
4409         else
4410                 perms = SHM__READ | SHM__WRITE;
4411
4412         return ipc_has_perm(&shp->shm_perm, perms);
4413 }
4414
4415 /* Semaphore security operations */
4416 static int selinux_sem_alloc_security(struct sem_array *sma)
4417 {
4418         struct task_security_struct *tsec;
4419         struct ipc_security_struct *isec;
4420         struct avc_audit_data ad;
4421         int rc;
4422
4423         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4424         if (rc)
4425                 return rc;
4426
4427         tsec = current->security;
4428         isec = sma->sem_perm.security;
4429
4430         AVC_AUDIT_DATA_INIT(&ad, IPC);
4431         ad.u.ipc_id = sma->sem_perm.key;
4432
4433         rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4434                           SEM__CREATE, &ad);
4435         if (rc) {
4436                 ipc_free_security(&sma->sem_perm);
4437                 return rc;
4438         }
4439         return 0;
4440 }
4441
4442 static void selinux_sem_free_security(struct sem_array *sma)
4443 {
4444         ipc_free_security(&sma->sem_perm);
4445 }
4446
4447 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4448 {
4449         struct task_security_struct *tsec;
4450         struct ipc_security_struct *isec;
4451         struct avc_audit_data ad;
4452
4453         tsec = current->security;
4454         isec = sma->sem_perm.security;
4455
4456         AVC_AUDIT_DATA_INIT(&ad, IPC);
4457         ad.u.ipc_id = sma->sem_perm.key;
4458
4459         return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4460                             SEM__ASSOCIATE, &ad);
4461 }
4462
4463 /* Note, at this point, sma is locked down */
4464 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4465 {
4466         int err;
4467         u32 perms;
4468
4469         switch(cmd) {
4470         case IPC_INFO:
4471         case SEM_INFO:
4472                 /* No specific object, just general system-wide information. */
4473                 return task_has_system(current, SYSTEM__IPC_INFO);
4474         case GETPID:
4475         case GETNCNT:
4476         case GETZCNT:
4477                 perms = SEM__GETATTR;
4478                 break;
4479         case GETVAL:
4480         case GETALL:
4481                 perms = SEM__READ;
4482                 break;
4483         case SETVAL:
4484         case SETALL:
4485                 perms = SEM__WRITE;
4486                 break;
4487         case IPC_RMID:
4488                 perms = SEM__DESTROY;
4489                 break;
4490         case IPC_SET:
4491                 perms = SEM__SETATTR;
4492                 break;
4493         case IPC_STAT:
4494         case SEM_STAT:
4495                 perms = SEM__GETATTR | SEM__ASSOCIATE;
4496                 break;
4497         default:
4498                 return 0;
4499         }
4500
4501         err = ipc_has_perm(&sma->sem_perm, perms);
4502         return err;
4503 }
4504
4505 static int selinux_sem_semop(struct sem_array *sma,
4506                              struct sembuf *sops, unsigned nsops, int alter)
4507 {
4508         u32 perms;
4509
4510         if (alter)
4511                 perms = SEM__READ | SEM__WRITE;
4512         else
4513                 perms = SEM__READ;
4514
4515         return ipc_has_perm(&sma->sem_perm, perms);
4516 }
4517
4518 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4519 {
4520         u32 av = 0;
4521
4522         av = 0;
4523         if (flag & S_IRUGO)
4524                 av |= IPC__UNIX_READ;
4525         if (flag & S_IWUGO)
4526                 av |= IPC__UNIX_WRITE;
4527
4528         if (av == 0)
4529                 return 0;
4530
4531         return ipc_has_perm(ipcp, av);
4532 }
4533
4534 /* module stacking operations */
4535 static int selinux_register_security (const char *name, struct security_operations *ops)
4536 {
4537         if (secondary_ops != original_ops) {
4538                 printk(KERN_ERR "%s:  There is already a secondary security "
4539                        "module registered.\n", __FUNCTION__);
4540                 return -EINVAL;
4541         }
4542
4543         secondary_ops = ops;
4544
4545         printk(KERN_INFO "%s:  Registering secondary module %s\n",
4546                __FUNCTION__,
4547                name);
4548
4549         return 0;
4550 }
4551
4552 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4553 {
4554         if (inode)
4555                 inode_doinit_with_dentry(inode, dentry);
4556 }
4557
4558 static int selinux_getprocattr(struct task_struct *p,
4559                                char *name, char **value)
4560 {
4561         struct task_security_struct *tsec;
4562         u32 sid;
4563         int error;
4564         unsigned len;
4565
4566         if (current != p) {
4567                 error = task_has_perm(current, p, PROCESS__GETATTR);
4568                 if (error)
4569                         return error;
4570         }
4571
4572         tsec = p->security;
4573
4574         if (!strcmp(name, "current"))
4575                 sid = tsec->sid;
4576         else if (!strcmp(name, "prev"))
4577                 sid = tsec->osid;
4578         else if (!strcmp(name, "exec"))
4579                 sid = tsec->exec_sid;
4580         else if (!strcmp(name, "fscreate"))
4581                 sid = tsec->create_sid;
4582         else if (!strcmp(name, "keycreate"))
4583                 sid = tsec->keycreate_sid;
4584         else if (!strcmp(name, "sockcreate"))
4585                 sid = tsec->sockcreate_sid;
4586         else
4587                 return -EINVAL;
4588
4589         if (!sid)
4590                 return 0;
4591
4592         error = security_sid_to_context(sid, value, &len);
4593         if (error)
4594                 return error;
4595         return len;
4596 }
4597
4598 static int selinux_setprocattr(struct task_struct *p,
4599                                char *name, void *value, size_t size)
4600 {
4601         struct task_security_struct *tsec;
4602         u32 sid = 0;
4603         int error;
4604         char *str = value;
4605
4606         if (current != p) {
4607                 /* SELinux only allows a process to change its own
4608                    security attributes. */
4609                 return -EACCES;
4610         }
4611
4612         /*
4613          * Basic control over ability to set these attributes at all.
4614          * current == p, but we'll pass them separately in case the
4615          * above restriction is ever removed.
4616          */
4617         if (!strcmp(name, "exec"))
4618                 error = task_has_perm(current, p, PROCESS__SETEXEC);
4619         else if (!strcmp(name, "fscreate"))
4620                 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4621         else if (!strcmp(name, "keycreate"))
4622                 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4623         else if (!strcmp(name, "sockcreate"))
4624                 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4625         else if (!strcmp(name, "current"))
4626                 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4627         else
4628                 error = -EINVAL;
4629         if (error)
4630                 return error;
4631
4632         /* Obtain a SID for the context, if one was specified. */
4633         if (size && str[1] && str[1] != '\n') {
4634                 if (str[size-1] == '\n') {
4635                         str[size-1] = 0;
4636                         size--;
4637                 }
4638                 error = security_context_to_sid(value, size, &sid);
4639                 if (error)
4640                         return error;
4641         }
4642
4643         /* Permission checking based on the specified context is
4644            performed during the actual operation (execve,
4645            open/mkdir/...), when we know the full context of the
4646            operation.  See selinux_bprm_set_security for the execve
4647            checks and may_create for the file creation checks. The
4648            operation will then fail if the context is not permitted. */
4649         tsec = p->security;
4650         if (!strcmp(name, "exec"))
4651                 tsec->exec_sid = sid;
4652         else if (!strcmp(name, "fscreate"))
4653                 tsec->create_sid = sid;
4654         else if (!strcmp(name, "keycreate")) {
4655                 error = may_create_key(sid, p);
4656                 if (error)
4657                         return error;
4658                 tsec->keycreate_sid = sid;
4659         } else if (!strcmp(name, "sockcreate"))
4660                 tsec->sockcreate_sid = sid;
4661         else if (!strcmp(name, "current")) {
4662                 struct av_decision avd;
4663
4664                 if (sid == 0)
4665                         return -EINVAL;
4666
4667                 /* Only allow single threaded processes to change context */
4668                 if (atomic_read(&p->mm->mm_users) != 1) {
4669                         struct task_struct *g, *t;
4670                         struct mm_struct *mm = p->mm;
4671                         read_lock(&tasklist_lock);
4672                         do_each_thread(g, t)
4673                                 if (t->mm == mm && t != p) {
4674                                         read_unlock(&tasklist_lock);
4675                                         return -EPERM;
4676                                 }
4677                         while_each_thread(g, t);
4678                         read_unlock(&tasklist_lock);
4679                 }
4680
4681                 /* Check permissions for the transition. */
4682                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4683                                      PROCESS__DYNTRANSITION, NULL);
4684                 if (error)
4685                         return error;
4686
4687                 /* Check for ptracing, and update the task SID if ok.
4688                    Otherwise, leave SID unchanged and fail. */
4689                 task_lock(p);
4690                 if (p->ptrace & PT_PTRACED) {
4691                         error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4692                                                      SECCLASS_PROCESS,
4693                                                      PROCESS__PTRACE, 0, &avd);
4694                         if (!error)
4695                                 tsec->sid = sid;
4696                         task_unlock(p);
4697                         avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4698                                   PROCESS__PTRACE, &avd, error, NULL);
4699                         if (error)
4700                                 return error;
4701                 } else {
4702                         tsec->sid = sid;
4703                         task_unlock(p);
4704                 }
4705         }
4706         else
4707                 return -EINVAL;
4708
4709         return size;
4710 }
4711
4712 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4713 {
4714         return security_sid_to_context(secid, secdata, seclen);
4715 }
4716
4717 static void selinux_release_secctx(char *secdata, u32 seclen)
4718 {
4719         kfree(secdata);
4720 }
4721
4722 #ifdef CONFIG_KEYS
4723
4724 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4725                              unsigned long flags)
4726 {
4727         struct task_security_struct *tsec = tsk->security;
4728         struct key_security_struct *ksec;
4729
4730         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4731         if (!ksec)
4732                 return -ENOMEM;
4733
4734         ksec->obj = k;
4735         if (tsec->keycreate_sid)
4736                 ksec->sid = tsec->keycreate_sid;
4737         else
4738                 ksec->sid = tsec->sid;
4739         k->security = ksec;
4740
4741         return 0;
4742 }
4743
4744 static void selinux_key_free(struct key *k)
4745 {
4746         struct key_security_struct *ksec = k->security;
4747
4748         k->security = NULL;
4749         kfree(ksec);
4750 }
4751
4752 static int selinux_key_permission(key_ref_t key_ref,
4753                             struct task_struct *ctx,
4754                             key_perm_t perm)
4755 {
4756         struct key *key;
4757         struct task_security_struct *tsec;
4758         struct key_security_struct *ksec;
4759
4760         key = key_ref_to_ptr(key_ref);
4761
4762         tsec = ctx->security;
4763         ksec = key->security;
4764
4765         /* if no specific permissions are requested, we skip the
4766            permission check. No serious, additional covert channels
4767            appear to be created. */
4768         if (perm == 0)
4769                 return 0;
4770
4771         return avc_has_perm(tsec->sid, ksec->sid,
4772                             SECCLASS_KEY, perm, NULL);
4773 }
4774
4775 #endif
4776
4777 static struct security_operations selinux_ops = {
4778         .ptrace =                       selinux_ptrace,
4779         .capget =                       selinux_capget,
4780         .capset_check =                 selinux_capset_check,
4781         .capset_set =                   selinux_capset_set,
4782         .sysctl =                       selinux_sysctl,
4783         .capable =                      selinux_capable,
4784         .quotactl =                     selinux_quotactl,
4785         .quota_on =                     selinux_quota_on,
4786         .syslog =                       selinux_syslog,
4787         .vm_enough_memory =             selinux_vm_enough_memory,
4788
4789         .netlink_send =                 selinux_netlink_send,
4790         .netlink_recv =                 selinux_netlink_recv,
4791
4792         .bprm_alloc_security =          selinux_bprm_alloc_security,
4793         .bprm_free_security =           selinux_bprm_free_security,
4794         .bprm_apply_creds =             selinux_bprm_apply_creds,
4795         .bprm_post_apply_creds =        selinux_bprm_post_apply_creds,
4796         .bprm_set_security =            selinux_bprm_set_security,
4797         .bprm_check_security =          selinux_bprm_check_security,
4798         .bprm_secureexec =              selinux_bprm_secureexec,
4799
4800         .sb_alloc_security =            selinux_sb_alloc_security,
4801         .sb_free_security =             selinux_sb_free_security,
4802         .sb_copy_data =                 selinux_sb_copy_data,
4803         .sb_kern_mount =                selinux_sb_kern_mount,
4804         .sb_statfs =                    selinux_sb_statfs,
4805         .sb_mount =                     selinux_mount,
4806         .sb_umount =                    selinux_umount,
4807
4808         .inode_alloc_security =         selinux_inode_alloc_security,
4809         .inode_free_security =          selinux_inode_free_security,
4810         .inode_init_security =          selinux_inode_init_security,
4811         .inode_create =                 selinux_inode_create,
4812         .inode_link =                   selinux_inode_link,
4813         .inode_unlink =                 selinux_inode_unlink,
4814         .inode_symlink =                selinux_inode_symlink,
4815         .inode_mkdir =                  selinux_inode_mkdir,
4816         .inode_rmdir =                  selinux_inode_rmdir,
4817         .inode_mknod =                  selinux_inode_mknod,
4818         .inode_rename =                 selinux_inode_rename,
4819         .inode_readlink =               selinux_inode_readlink,
4820         .inode_follow_link =            selinux_inode_follow_link,
4821         .inode_permission =             selinux_inode_permission,
4822         .inode_setattr =                selinux_inode_setattr,
4823         .inode_getattr =                selinux_inode_getattr,
4824         .inode_setxattr =               selinux_inode_setxattr,
4825         .inode_post_setxattr =          selinux_inode_post_setxattr,
4826         .inode_getxattr =               selinux_inode_getxattr,
4827         .inode_listxattr =              selinux_inode_listxattr,
4828         .inode_removexattr =            selinux_inode_removexattr,
4829         .inode_getsecurity =            selinux_inode_getsecurity,
4830         .inode_setsecurity =            selinux_inode_setsecurity,
4831         .inode_listsecurity =           selinux_inode_listsecurity,
4832         .inode_need_killpriv =          selinux_inode_need_killpriv,
4833         .inode_killpriv =               selinux_inode_killpriv,
4834
4835         .file_permission =              selinux_file_permission,
4836         .file_alloc_security =          selinux_file_alloc_security,
4837         .file_free_security =           selinux_file_free_security,
4838         .file_ioctl =                   selinux_file_ioctl,
4839         .file_mmap =                    selinux_file_mmap,
4840         .file_mprotect =                selinux_file_mprotect,
4841         .file_lock =                    selinux_file_lock,
4842         .file_fcntl =                   selinux_file_fcntl,
4843         .file_set_fowner =              selinux_file_set_fowner,
4844         .file_send_sigiotask =          selinux_file_send_sigiotask,
4845         .file_receive =                 selinux_file_receive,
4846
4847         .dentry_open =                  selinux_dentry_open,
4848
4849         .task_create =                  selinux_task_create,
4850         .task_alloc_security =          selinux_task_alloc_security,
4851         .task_free_security =           selinux_task_free_security,
4852         .task_setuid =                  selinux_task_setuid,
4853         .task_post_setuid =             selinux_task_post_setuid,
4854         .task_setgid =                  selinux_task_setgid,
4855         .task_setpgid =                 selinux_task_setpgid,
4856         .task_getpgid =                 selinux_task_getpgid,
4857         .task_getsid =                  selinux_task_getsid,
4858         .task_getsecid =                selinux_task_getsecid,
4859         .task_setgroups =               selinux_task_setgroups,
4860         .task_setnice =                 selinux_task_setnice,
4861         .task_setioprio =               selinux_task_setioprio,
4862         .task_getioprio =               selinux_task_getioprio,
4863         .task_setrlimit =               selinux_task_setrlimit,
4864         .task_setscheduler =            selinux_task_setscheduler,
4865         .task_getscheduler =            selinux_task_getscheduler,
4866         .task_movememory =              selinux_task_movememory,
4867         .task_kill =                    selinux_task_kill,
4868         .task_wait =                    selinux_task_wait,
4869         .task_prctl =                   selinux_task_prctl,
4870         .task_reparent_to_init =        selinux_task_reparent_to_init,
4871         .task_to_inode =                selinux_task_to_inode,
4872
4873         .ipc_permission =               selinux_ipc_permission,
4874
4875         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
4876         .msg_msg_free_security =        selinux_msg_msg_free_security,
4877
4878         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
4879         .msg_queue_free_security =      selinux_msg_queue_free_security,
4880         .msg_queue_associate =          selinux_msg_queue_associate,
4881         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
4882         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
4883         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
4884
4885         .shm_alloc_security =           selinux_shm_alloc_security,
4886         .shm_free_security =            selinux_shm_free_security,
4887         .shm_associate =                selinux_shm_associate,
4888         .shm_shmctl =                   selinux_shm_shmctl,
4889         .shm_shmat =                    selinux_shm_shmat,
4890
4891         .sem_alloc_security =           selinux_sem_alloc_security,
4892         .sem_free_security =            selinux_sem_free_security,
4893         .sem_associate =                selinux_sem_associate,
4894         .sem_semctl =                   selinux_sem_semctl,
4895         .sem_semop =                    selinux_sem_semop,
4896
4897         .register_security =            selinux_register_security,
4898
4899         .d_instantiate =                selinux_d_instantiate,
4900
4901         .getprocattr =                  selinux_getprocattr,
4902         .setprocattr =                  selinux_setprocattr,
4903
4904         .secid_to_secctx =              selinux_secid_to_secctx,
4905         .release_secctx =               selinux_release_secctx,
4906
4907         .unix_stream_connect =          selinux_socket_unix_stream_connect,
4908         .unix_may_send =                selinux_socket_unix_may_send,
4909
4910         .socket_create =                selinux_socket_create,
4911         .socket_post_create =           selinux_socket_post_create,
4912         .socket_bind =                  selinux_socket_bind,
4913         .socket_connect =               selinux_socket_connect,
4914         .socket_listen =                selinux_socket_listen,
4915         .socket_accept =                selinux_socket_accept,
4916         .socket_sendmsg =               selinux_socket_sendmsg,
4917         .socket_recvmsg =               selinux_socket_recvmsg,
4918         .socket_getsockname =           selinux_socket_getsockname,
4919         .socket_getpeername =           selinux_socket_getpeername,
4920         .socket_getsockopt =            selinux_socket_getsockopt,
4921         .socket_setsockopt =            selinux_socket_setsockopt,
4922         .socket_shutdown =              selinux_socket_shutdown,
4923         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
4924         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
4925         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
4926         .sk_alloc_security =            selinux_sk_alloc_security,
4927         .sk_free_security =             selinux_sk_free_security,
4928         .sk_clone_security =            selinux_sk_clone_security,
4929         .sk_getsecid =                  selinux_sk_getsecid,
4930         .sock_graft =                   selinux_sock_graft,
4931         .inet_conn_request =            selinux_inet_conn_request,
4932         .inet_csk_clone =               selinux_inet_csk_clone,
4933         .inet_conn_established =        selinux_inet_conn_established,
4934         .req_classify_flow =            selinux_req_classify_flow,
4935
4936 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4937         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
4938         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
4939         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
4940         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
4941         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
4942         .xfrm_state_free_security =     selinux_xfrm_state_free,
4943         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
4944         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
4945         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
4946         .xfrm_decode_session =          selinux_xfrm_decode_session,
4947 #endif
4948
4949 #ifdef CONFIG_KEYS
4950         .key_alloc =                    selinux_key_alloc,
4951         .key_free =                     selinux_key_free,
4952         .key_permission =               selinux_key_permission,
4953 #endif
4954 };
4955
4956 static __init int selinux_init(void)
4957 {
4958         struct task_security_struct *tsec;
4959
4960         if (!selinux_enabled) {
4961                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
4962                 return 0;
4963         }
4964
4965         printk(KERN_INFO "SELinux:  Initializing.\n");
4966
4967         /* Set the security state for the initial task. */
4968         if (task_alloc_security(current))
4969                 panic("SELinux:  Failed to initialize initial task.\n");
4970         tsec = current->security;
4971         tsec->osid = tsec->sid = SECINITSID_KERNEL;
4972
4973         sel_inode_cache = kmem_cache_create("selinux_inode_security",
4974                                             sizeof(struct inode_security_struct),
4975                                             0, SLAB_PANIC, NULL);
4976         avc_init();
4977
4978         original_ops = secondary_ops = security_ops;
4979         if (!secondary_ops)
4980                 panic ("SELinux: No initial security operations\n");
4981         if (register_security (&selinux_ops))
4982                 panic("SELinux: Unable to register with kernel.\n");
4983
4984         if (selinux_enforcing) {
4985                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
4986         } else {
4987                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
4988         }
4989
4990 #ifdef CONFIG_KEYS
4991         /* Add security information to initial keyrings */
4992         selinux_key_alloc(&root_user_keyring, current,
4993                           KEY_ALLOC_NOT_IN_QUOTA);
4994         selinux_key_alloc(&root_session_keyring, current,
4995                           KEY_ALLOC_NOT_IN_QUOTA);
4996 #endif
4997
4998         return 0;
4999 }
5000
5001 void selinux_complete_init(void)
5002 {
5003         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5004
5005         /* Set up any superblocks initialized prior to the policy load. */
5006         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5007         spin_lock(&sb_lock);
5008         spin_lock(&sb_security_lock);
5009 next_sb:
5010         if (!list_empty(&superblock_security_head)) {
5011                 struct superblock_security_struct *sbsec =
5012                                 list_entry(superblock_security_head.next,
5013                                            struct superblock_security_struct,
5014                                            list);
5015                 struct super_block *sb = sbsec->sb;
5016                 sb->s_count++;
5017                 spin_unlock(&sb_security_lock);
5018                 spin_unlock(&sb_lock);
5019                 down_read(&sb->s_umount);
5020                 if (sb->s_root)
5021                         superblock_doinit(sb, NULL);
5022                 drop_super(sb);
5023                 spin_lock(&sb_lock);
5024                 spin_lock(&sb_security_lock);
5025                 list_del_init(&sbsec->list);
5026                 goto next_sb;
5027         }
5028         spin_unlock(&sb_security_lock);
5029         spin_unlock(&sb_lock);
5030 }
5031
5032 /* SELinux requires early initialization in order to label
5033    all processes and objects when they are created. */
5034 security_initcall(selinux_init);
5035
5036 #if defined(CONFIG_NETFILTER)
5037
5038 static struct nf_hook_ops selinux_ipv4_op = {
5039         .hook =         selinux_ipv4_postroute_last,
5040         .owner =        THIS_MODULE,
5041         .pf =           PF_INET,
5042         .hooknum =      NF_IP_POST_ROUTING,
5043         .priority =     NF_IP_PRI_SELINUX_LAST,
5044 };
5045
5046 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5047
5048 static struct nf_hook_ops selinux_ipv6_op = {
5049         .hook =         selinux_ipv6_postroute_last,
5050         .owner =        THIS_MODULE,
5051         .pf =           PF_INET6,
5052         .hooknum =      NF_IP6_POST_ROUTING,
5053         .priority =     NF_IP6_PRI_SELINUX_LAST,
5054 };
5055
5056 #endif  /* IPV6 */
5057
5058 static int __init selinux_nf_ip_init(void)
5059 {
5060         int err = 0;
5061
5062         if (!selinux_enabled)
5063                 goto out;
5064
5065         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5066
5067         err = nf_register_hook(&selinux_ipv4_op);
5068         if (err)
5069                 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
5070
5071 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5072
5073         err = nf_register_hook(&selinux_ipv6_op);
5074         if (err)
5075                 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
5076
5077 #endif  /* IPV6 */
5078
5079 out:
5080         return err;
5081 }
5082
5083 __initcall(selinux_nf_ip_init);
5084
5085 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5086 static void selinux_nf_ip_exit(void)
5087 {
5088         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5089
5090         nf_unregister_hook(&selinux_ipv4_op);
5091 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5092         nf_unregister_hook(&selinux_ipv6_op);
5093 #endif  /* IPV6 */
5094 }
5095 #endif
5096
5097 #else /* CONFIG_NETFILTER */
5098
5099 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5100 #define selinux_nf_ip_exit()
5101 #endif
5102
5103 #endif /* CONFIG_NETFILTER */
5104
5105 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5106 int selinux_disable(void)
5107 {
5108         extern void exit_sel_fs(void);
5109         static int selinux_disabled = 0;
5110
5111         if (ss_initialized) {
5112                 /* Not permitted after initial policy load. */
5113                 return -EINVAL;
5114         }
5115
5116         if (selinux_disabled) {
5117                 /* Only do this once. */
5118                 return -EINVAL;
5119         }
5120
5121         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5122
5123         selinux_disabled = 1;
5124         selinux_enabled = 0;
5125
5126         /* Reset security_ops to the secondary module, dummy or capability. */
5127         security_ops = secondary_ops;
5128
5129         /* Unregister netfilter hooks. */
5130         selinux_nf_ip_exit();
5131
5132         /* Unregister selinuxfs. */
5133         exit_sel_fs();
5134
5135         return 0;
5136 }
5137 #endif
5138
5139